Authentication and Authorization: What’s the Difference?
As pretty much anyone who speaks English, natively or as a second language, will tell you, ours is a messy language. It has so many rules, exceptions, and homonyms that many consider it one of the most difficult languages in the world. We also have a bad habit of letting words that are related but distinct become synonyms. For example, many of us use continuously and continually interchangeably, whereas the former means uninterrupted while the latter means regularly but intermittently. The problem is even worse for outsiders looking in on specialized industries, and that is what has happened to the words authentication and authorization in IT.
Fortunately, the difference is easy to remember, even for users who aren’t technically inclined. Simply put, authentication is about making sure the person logging in is the user they claim to be, whereas authorization is about what permissions (or privileges) that user has. That sounds straightforward, and it is; if that’s all you take away from this post, we’ve already done our job today. As usual, though, there’s more to each term than a one-line definition.
Authentication is about verifying that the person trying to log in is the legitimate user they claim to be. The most common form uses two components: a public username and a secret password. This simple process, known as single-factor authentication, establishes your identity on the strength of a single secret, so it is only as good as the secrecy and strength of the user’s password (and as the way that password is stored: a password database should hold slow, salted hashes, never the passwords themselves). It’s the weakest option for authenticating users and is increasingly being strengthened or replaced by the following approaches:
- Multifactor authentication (MFA) keeps the username and password but adds a second factor of a different kind: something you have (a phone or a hardware key) or something you are (a biometric). Often this second factor is a numeric code sent by email or text message, although many services instead use an app linked to your phone (like Microsoft’s Authenticator) that generates time-based codes. Codes delivered by SMS or email are the weakest form, since they can be intercepted through SIM swapping or phished along with the password; an authenticator app is better, and a hardware security key that is bound to the site’s web address resists phishing altogether.
- Single sign-on (SSO) is an authentication arrangement in which users authenticate once, with a central identity provider, to gain access to a whole suite of services or programs, so they don’t have to sign in to each one separately (a waste of time and productivity). SSO is not an extra factor, though; it only moves the login to one place, and that one login now guards everything behind it. That is why the initial SSO login is usually protected with MFA.
- Biometric authentication, on the other hand, replaces the password prompt with unique biological measurements, which is a fancy way of saying it uses fingerprints or facial recognition. It is straightforward for users and reliable in everyday use. For example, casual thieves will rarely get past an iPhone’s facial recognition, so even if your phone is stolen it will likely just be wiped and sold; only a dedicated attacker is likely to try to bypass it. It does require additional hardware like a camera or fingerprint reader, and on most devices the biometric merely unlocks a secret stored on the device, with a PIN or password kept as a fallback, so that fallback needs to be strong too. Unlike a password, a fingerprint cannot be changed if it is ever copied.
Once a computer, network, or website knows you are who you say you are, it’s time to look at what you as a user are actually authorized to do. The authorization process usually involves associating specific permissions (sometimes called privileges) with you as a user. You’ll often hear about “admin-level permissions”, or the right to view a document or file as opposed to edit it. These are common examples, though depending on the software there can be substantially more granularity. Additionally, users often need whole sets of permissions matching their duties. When permissions are grouped into sets meant for specific purposes, they are referred to as roles. For example, your salespeople could have one set of permissions relating to customers, while your human resources personnel could have another set meant only for them. The guiding rule when defining roles is least privilege: give each role only the permissions its job actually needs, so a compromised or careless account can do limited damage. Authorization also has to be checked on every action, not just at login, because a user who has authenticated successfully still has no business touching what their role doesn’t cover.
Authentication and authorization are closely related, but the easiest way to keep them apart is to remember that authentication verifies who is trying to get into a system, whereas authorization determines what they can do once inside. Both matter for a seamless but secure login experience: robust authentication denies attackers an easy way into your system, while authorization gives employees access to the tools they need for their job, and nothing more.
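To make the distinction concrete, here is an added example (not code from the original post or from TRINUS) of a small login flow that keeps the two steps apart: authentication checks a salted password hash plus a time-based one-time code of the kind an authenticator app produces, and only then does authorization ask whether the user’s role carries the permission for a given action. The usernames, passwords, salt, and roles are constructed sample data; the one-time-code secret is the published RFC 4226/6238 test seed, so the codes can be checked against the RFC test vectors.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

PBKDF2_ITERATIONS = 100_000  # kept low for the demo; use a higher count in production

# ---------- Authentication: is this really the user they claim to be? ----------

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked user database does not give away passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(hash_password(password, salt), stored)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): what an authenticator app computes."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second time step."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- window steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))

@dataclass(frozen=True)
class Principal:
    username: str
    roles: FrozenSet[str]

# Constructed sample directory (not real accounts). Real systems generate a random
# per-user salt and TOTP secret; the RFC 4226 test seed is used here so the
# one-time codes can be checked against the published test vectors.
RFC_SEED = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"
USERS: Dict[str, dict] = {
    "alice": {"salt": DEMO_SALT, "hash": hash_password("correct horse battery staple", DEMO_SALT),
              "totp_secret": RFC_SEED, "roles": frozenset({"sales"})},
    "bob":   {"salt": DEMO_SALT, "hash": hash_password("hunter2-but-longer", DEMO_SALT),
              "totp_secret": RFC_SEED, "roles": frozenset({"hr", "viewer"})},
}

def authenticate(username: str, password: str, code: str,
                 now: Optional[int] = None) -> Optional[Principal]:
    """Both factors must pass. Returns who the caller is, and nothing about what they may do."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, DEMO_SALT)  # same cost for unknown users, so timing doesn't reveal them
        return None
    if not verify_password(password, user["salt"], user["hash"]):
        return None
    if not verify_totp(user["totp_secret"], code, now):
        return None
    return Principal(username, user["roles"])

# ---------- Authorization: what may this authenticated user do? ----------

# Roles bundle permissions for a job function; each role gets only what that job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"customers:read"},
    "sales":  {"customers:read", "customers:write"},
    "hr":     {"employees:read", "employees:write"},
    "admin":  {"customers:read", "customers:write", "employees:read", "employees:write", "users:manage"},
}

def permissions_for(principal: Principal) -> Set[str]:
    return set().union(*(ROLE_PERMISSIONS.get(role, set()) for role in principal.roles))

def is_authorized(principal: Principal, permission: str) -> bool:
    return permission in permissions_for(principal)

def require(principal: Principal, permission: str) -> None:
    """Guard to call at the top of each operation; raises if the role lacks the permission."""
    if not is_authorized(principal, permission):
        raise PermissionError(f"{principal.username} lacks {permission}")

if __name__ == "__main__":
    now = 1_700_000_000
    alice = authenticate("alice", "correct horse battery staple", totp(RFC_SEED, now), now)
    print("authenticated as", alice.username, "with roles", sorted(alice.roles))
    print("alice may read customers:", is_authorized(alice, "customers:read"))
    print("alice may read employees:", is_authorized(alice, "employees:read"))  # authenticated is not authorized
    print("wrong code rejected:", authenticate("alice", "correct horse battery staple", "000000", now) is None)
```

The point to notice is that `authenticate` never answers a permission question and `is_authorized` never sees a password: alice logs in successfully with both factors, yet is still refused `employees:read` because her sales role does not include it. Every operation calls `require` before doing its work rather than trusting the login alone.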
Hopefully that helps clear the air about some of the commonly misunderstood jargon surrounding information technology. However, if you still have questions, or would like to discuss setting up stronger authentication measures for your business, contact a TRINUS account manager today!
The TRINUS team