There are two terms, “authentication” and “authorization”, that people are often curious about and confuse with each other. Yes, of course they are both related to security, and in today’s world of distributed computing, cloud computing and Service Oriented Architecture the two are coupled together to provide secure access to resources. Let’s understand the difference by taking some real world examples first, with our classical legends Alice and Bob.
Authentication simply means – “Who (the hell) are you?”
Authorization means – “OK, I know who you are, but I need to check whether you are allowed to do this or not.”
Let’s take a real world example:
Consider a college campus where the students, teachers, other staff members etc. carry an identity card that has some information printed on it like name, section etc. Let’s take the case of a student.
Once the student reaches the college gate, the security guard asks him to produce his identity card to make sure who he is, and then allows him to enter. This is called authentication.
Now the authenticated student enters the campus, but which department and class he can attend or join is based on the other information printed on the card like department, section etc. The lecturer or instructor knows that only an authenticated person can enter the campus, and now he/she may check this additional information before allowing the person to enter the class. This is called authorization, and the associated information may be called the attributes of the identity.
Now in the world of the web, let’s say an organization has exposed some SOAP based web services:
- Service ‘X’ is to be accessed only by external users, or say customers.
- Service ‘Y’ is to be accessed only by its internal users.
Let’s take our classical legends Alice and Bob. Alice belongs to the user type customer and Bob to the internal user type. These services may require authentication to know which user is trying to access them, using some type of authentication e.g. username/password based, certificate based, biometric etc.
But in the absence of authorization, any authenticated user can access any service irrespective of its type: Alice can access both Service X and Service Y after authentication, and the same goes for Bob. So in addition to authentication we need to know more about the user, based on its attributes or roles, to grant access only to the service it is authorized for.
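To make the Alice/Bob scenario concrete, here is an added example (not code from the original post) of a tiny service front door that performs the two steps separately: authentication verifies a username/password against a salted hash, and authorization checks the authenticated identity’s attribute (its user type) against a per-service policy. The user store, the passwords “alice-pass-1” and “bob-pass-2”, and the services “X” and “Y” are constructed for illustration; an in-memory dictionary stands in for a real SOAP stack. The `enforce_authorization` flag exists only to show the failure mode described above, where an authenticated user reaches any service.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str, user_type: str) -> dict:
    """Build a user record: random salt, password hash, and the attribute
    (user_type) that authorization will later look at."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "user_type": user_type}


# Constructed user store: Alice is a customer, Bob is an internal user.
USERS = {
    "alice": make_user("alice-pass-1", "customer"),
    "bob": make_user("bob-pass-2", "internal"),
}

# Authorization policy: which user types each service is meant for.
SERVICE_POLICY = {
    "X": {"customer"},   # external users only
    "Y": {"internal"},   # internal users only
}


def authenticate(username: str, password: str):
    """Step 1: who are you? Returns an identity dict on success, else None."""
    record = USERS.get(username)
    if record is None:
        # Do the same hashing work for unknown users so the response time
        # does not reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return None
    return {"username": username, "user_type": record["user_type"]}


def authorize(identity: dict, service: str) -> bool:
    """Step 2: is this known identity allowed to use this service?
    Unknown services have no allowed types, so they are denied by default."""
    return identity["user_type"] in SERVICE_POLICY.get(service, set())


def call_service(username: str, password: str, service: str,
                 enforce_authorization: bool = True) -> str:
    """Front door for a service: authenticate, then (normally) authorize."""
    identity = authenticate(username, password)
    if identity is None:
        return "401 unauthenticated"
    if enforce_authorization and not authorize(identity, service):
        return "403 forbidden"
    return f"200 service {service} served {identity['username']}"


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pass-1"), ("bob", "bob-pass-2")):
        for svc in ("X", "Y"):
            print(user, svc, "with authz:", call_service(user, pw, svc))
            print(user, svc, "without authz:", call_service(user, pw, svc, False))
```

With authorization enforced, Alice gets a 200 from Service X and a 403 from Service Y, and Bob the reverse; with `enforce_authorization=False` both of them reach both services, which is exactly the gap the paragraph above warns about. Note that the 401/403 split mirrors the two questions: 401 answers “who are you?” badly, 403 answers “are you allowed?” with no.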
Different authentication methodologies are in place today, e.g.
- Username/password based
- X.509 certificate based
- Security codes
- Knowledge based authentication (KBA)
Additionally, multiple schemes can be merged to form multi factor authentication, which I will discuss in my upcoming posts.
Authorization too has gained new dimensions, starting from ACLs (Access Control Lists) to RBAC (Role Based Access Control) and then today’s ABAC (Attribute Based Access Control); that too I will elaborate on in my future posts.