Authentication and Authorization — Information Security

Ammar Javed
4 min read · Apr 24, 2022


Information security has two complementary goals here: preventing unauthorized people from gaining access to resources, and ensuring that authorized people can access the resources they need.

What is the goal of the Authentication Model?

To assign access permissions to resources, specifying which users may and may not access those resources, and under what conditions.

For example, we may want a single user or group of users to have access while signed on from a physically on-site computer but not from a remote dial-up connection.

Access permissions, however, are only effective if you can verify the identity of the person trying to access the resources. This is where authentication comes in.

What is Authentication?

Authentication is the process of verifying the identity of a person who is attempting to log in or access resources.

What is Authorization?

Authorization is a security technique for determining user access levels to system resources such as computer programs, files, services, and application features.

Authentication is usually performed before authorization in order to verify the user's identity.

Difference between Authentication and Authorization

Authentication checks the user’s identity, whereas authorization confirms that the person in concern has the appropriate permissions and privileges to access the requested resource.

Authentication comes first, followed by authorization.

Example of Authentication

When a user from a Windows domain, for example, logs on to the network, his or her identity is verified using one of several authentication mechanisms. The user is then issued an access token that contains information about the security groups to which he or she belongs.

When a user attempts to access a network resource (e.g., print to a printer), the access control list (ACL) associated with that resource is compared with the access token. If the ACL indicates that members of the Managers group have permission to access the resource, and the user’s access token indicates that he or she is a member of the Managers group, the user is granted access (unless the user’s account, or a group to which the user belongs, has been explicitly denied access to the resource).
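The printer scenario above can be modelled in a few lines. The following is an added example, not code from the original post and not the Windows API: an access token carries the user's name and group memberships, a resource's ACL is a list of access control entries, and an explicit deny entry for the user or any of their groups wins over any allow entry (the same precedence the paragraph describes). All names, groups and the ACL are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    """Issued after authentication: who the user is and which groups they belong to."""
    user: str
    groups: frozenset


@dataclass(frozen=True)
class Ace:
    """One access control entry (ACE) in a resource's ACL."""
    trustee: str       # user or group the entry applies to
    access: str        # "allow" or "deny"
    rights: frozenset  # operations covered by this entry, e.g. {"print"}


def check_access(token: AccessToken, acl: list, requested: str) -> bool:
    """Compare the token against the ACL for one requested right.

    Explicit deny entries are evaluated before allow entries, so a deny on the
    user's account or on any of their groups overrides a matching allow.
    With no matching allow at all the answer is 'no' (default deny).
    """
    principals = {token.user} | set(token.groups)
    for ace in acl:
        if ace.access == "deny" and ace.trustee in principals and requested in ace.rights:
            return False
    for ace in acl:
        if ace.access == "allow" and ace.trustee in principals and requested in ace.rights:
            return True
    return False


# Constructed ACL for a shared printer: Managers may print, Contractors may not,
# and the account "dave" is denied individually even though he is a Manager.
PRINTER_ACL = [
    Ace(trustee="Managers", access="allow", rights=frozenset({"print"})),
    Ace(trustee="Contractors", access="deny", rights=frozenset({"print"})),
    Ace(trustee="dave", access="deny", rights=frozenset({"print"})),
]

# Constructed access tokens, as they would look after each user logged on.
ALICE = AccessToken("alice", frozenset({"Managers"}))
BOB = AccessToken("bob", frozenset({"Managers", "Contractors"}))
CAROL = AccessToken("carol", frozenset({"Staff"}))
DAVE = AccessToken("dave", frozenset({"Managers"}))

if __name__ == "__main__":
    for tok in (ALICE, BOB, CAROL, DAVE):
        print(tok.user, "may print:", check_access(tok, PRINTER_ACL, "print"))
```

Alice is allowed through the Managers group; Bob is a Manager but also a Contractor, so the explicit deny wins; Carol matches no allow entry and falls through to the default deny; Dave is denied by the entry on his own account.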

Example of Authorization

Allowing someone to download a certain file from a server.

Types of Authentication

Biometric authentication

Biometric authentication is the automatic recognition of persons based on biological and behavioral characteristics.

Examples of biometric authentication: fingerprint, face, and voice recognition.

CAPTCHAs authentication

CAPTCHA authentication is a test used in computers to determine whether or not a user is human.

Examples of CAPTCHA authentication: identifying pictures or numbers, etc.

Two-factor authentication

Two-factor authentication adds another layer of protection to your online accounts by requiring two separate factors, such as a password and a one-time passcode sent by SMS to a mobile phone.

An example of two-factor authentication is withdrawing money from an ATM, which requires first presenting the bank card and then validating the PIN.

Single sign-on authentication

Single sign-on authentication allows users to securely log in to numerous apps and websites with a single set of credentials.

Example of single sign-on authentication: signing in to a Google service such as Gmail, which also grants access to AdSense, Google Search Console, and YouTube.

Token authentication

Token authentication allows users to prove their identity and obtain a unique access token in exchange.

Example of token authentication: using a smart card to log in to a system.

Smartcard authentication

Smart card authentication is the use of smart card devices for authentication. The user connects the smart card to a computer, and software on the host interacts with the key material and other secrets held on the card to authenticate the user.

Examples of smart card authentication: credit cards or SIM cards.

Transaction authentication

Transaction authentication is used to identify a user account and verify that the individual is allowed to use it.

Example of transaction authentication: when a user performs a transaction, such as a one-time payment to a recipient, they must enter a second one-time passcode to confirm it.

Password authentication

Password authentication allows a user to input their username or email address, as well as a password, to get access to an account or program.

Example of password authentication: signing in to a Facebook account with an email address and password.

How does Authentication work?

A user enters credentials, such as a password or a fingerprint, that identify them as a person allowed to access the system.

How does Authorization work?

Authorization is the procedure through which a server determines which resources a user has permission to access. Authentication comes first, followed by authorization, so that the server knows who is requesting access to the resource.
