Difference between Authentication and Authorization


Authentication

“If you know yourself but not your enemy, for every victory gained you will also suffer a defeat.” — Sun Tzu, The Art of War

When securing software, the first thing you must do is find a way to distinguish friend from foe. This process is called authentication.

In computer security, authentication verifies the identity of a user or service. Authentication usually serves one of two purposes:

  • As a precursor to authorization, identifying the requesting entity to determine whether that entity should have permission to perform an operation
  • For producing an audit trail by logging who performed an operation so that blame can be cast when something breaks

Three types of authentication are most common:

  • Local user authentication. Verifying a user’s identity is usually performed by the operating system as the first step in authorization. If your code is running as a normal user, the operating system limits what your code can do based on that user’s permissions. Your code can also ask the operating system for the identity of the user for auditing purposes.
  • Network host authentication. Verifying the authenticity of a remote server is often necessary—for example, to determine whether it is safe to send credit card information to a specific website.
  • Remote user authentication. Users are often authenticated by remote servers when performing certain tasks. Authenticating a user remotely requires that your code send credentials in some form, such as a password, a cookie, or a digital certificate.

Authorization

Authorization is the process by which an entity such as a user or a server gets permission to perform a restricted operation. The term is also often used to refer to the right itself, as in “The soldier has the authorization to enter the command bunker.”

The difference between authentication and authorization is somewhat subtle. Often, the mere fact that a user has an account means that the user is authorized to do something, in which case authentication and authorization amount to the same thing. However, in more complex systems, the difference becomes more obvious.

Conclusion

Consider a computer with two users. Each user is known to the system. Therefore, both users can each log in to the computer, and it authenticates them. However, neither user is authorized to modify the other’s files, and as a result, neither user can do so.
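The two-user scenario above, together with the two purposes of authentication listed earlier (a precursor to authorization, and an audit trail), can be made concrete in a few lines. The following is an added example written for this page, not code from the original article: the user table, file table, usernames and passwords are all constructed sample data, and the helper names (`authenticate`, `authorize`, `modify_file`) are this example's own. Authentication compares a salted PBKDF2 hash of the supplied password in constant time and records the outcome in an audit log; authorization is a separate check that the authenticated identity owns the file it wants to modify, so a user who logs in successfully can still be refused access to the other user's files.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Password hashing helper used both to build the sample records and to verify
# a login attempt. PBKDF2-HMAC-SHA256 with a per-user random salt, so the
# plaintext password is never stored or compared directly.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_record(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt)

# Constructed user database: username -> (salt, password hash).
USERS = {
    "alice": _make_record("alice-secret"),  # constructed sample credentials
    "bob": _make_record("bob-secret"),
}

# Constructed file table: path -> owner. Only the owner may modify a file.
FILES = {
    "/home/alice/notes.txt": "alice",
    "/home/bob/todo.txt": "bob",
}

# Audit trail: who did (or failed to do) what.
AUDIT_LOG = []

# Fixed dummy salt so a lookup for an unknown user costs the same as a real one.
_DUMMY_SALT = b"\x00" * 16

def authenticate(username: str, password: str) -> Optional[str]:
    """Verify identity: return the username if the credentials match, else None."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so a missing user takes as long as a wrong password.
        _hash_password(password, _DUMMY_SALT)
        AUDIT_LOG.append(f"auth failed: unknown user {username!r}")
        return None
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        AUDIT_LOG.append(f"auth failed: bad password for {username!r}")
        return None
    AUDIT_LOG.append(f"auth ok: {username!r}")
    return username

def authorize(identity: str, path: str) -> bool:
    """Check permission: an authenticated identity may modify only files it owns."""
    return FILES.get(path) == identity

def modify_file(username: str, password: str, path: str) -> bool:
    """Authenticate, then authorize, then act; every outcome is audited."""
    identity = authenticate(username, password)
    if identity is None:
        return False
    if not authorize(identity, path):
        AUDIT_LOG.append(f"authz denied: {identity!r} -> {path}")
        return False
    AUDIT_LOG.append(f"modified: {identity!r} -> {path}")
    return True

if __name__ == "__main__":
    print(modify_file("alice", "alice-secret", "/home/alice/notes.txt"))  # True: known user, own file
    print(modify_file("alice", "alice-secret", "/home/bob/todo.txt"))     # False: authenticated, not authorized
    print(modify_file("mallory", "whatever", "/home/bob/todo.txt"))       # False: never authenticated
    print("\n".join(AUDIT_LOG))
```

Note that `authorize` never sees a password: by the time it runs, identity has already been established, which is exactly the separation the article describes. The audit log records both the identity that was verified and the permission decision, so a denied attempt can be attributed to a specific user rather than to an anonymous request.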