Authentication, Authorization, and Identification. What’s the Difference?

Prithvi Poreddy
5 min read · Dec 9, 2019

To access any resource or service on the Internet, you must prove you are who you claim to be by providing appropriate credentials. Identification, authentication, and authorization are the fundamental building blocks that grant that access.

We often refer to authentication and authorization as AuthN and AuthZ. They are quite different principles, yet people get confused and use them in the wrong context, so it’s important to know the difference. We use these principles to secure websites, databases, custom applications, and so on.

Ok, what do they mean?

Identification = Your name (Username or Account number)

Authentication = After identification, prove it’s you (Username + Password)

Authorization = After authentication, what access/privileges you have (access to resources)

Simple English, please.

Here is a simple room booking example to explain the difference.

When you walk into a hotel to get a room, the following interactions illustrate these principles.

The receptionist asks for your name. This is identification.

Then she asks for an ID to verify it. This is authentication.

You finish the payment and get the keycard to enter your room. This is authorization.

They are all independent concepts and play important roles in security design.

How does authentication work in practice?

The common way people authenticate is by providing a username and password.

It is one of the most widely used authentication factors. The service verifies the provided username and password against the stored credentials. The user is authenticated if the credentials match.

What is an authentication factor? How many are out there?

An authentication factor is a mechanism for authenticating to services.

There are 3 major types of authentication factors.

  • Something you know
  • Something you have
  • Something you are

“Something you know” refers to “authentication by knowledge”: a PIN, password, mother’s maiden name, etc. It’s the most common and least expensive way to authenticate.

This factor is weak: if another person obtains that information, they gain unauthorized access to resources.

“Something you have” refers to “authentication by ownership”: a key card, badge, access card, mobile device, etc.

It’s used to provide access to buildings, etc. A lost or stolen card could lead to unauthorized access.

“Something you are” refers to “authentication by characteristic”. It’s based on a person’s biometrics, such as a fingerprint, iris, retina, or face.

It’s used to provide access to secure buildings, data centers, etc. It’s the most expensive and safest way to authenticate.

Cool, what is multi-factor authentication? I hear about it all the time.

Combining 2 or more distinct authentication factors gives you multi-factor authentication (MFA). Two-factor authentication (2FA) is the special case of MFA that involves exactly 2 factors. To use a debit card (something you have) you need a PIN (something you know), which provides the second factor.

MFA can also draw on a few additional factors.

  • Location — it uses the IP address range as an authentication factor.
  • Device — the MAC address of the device and the browser fingerprint.

If you combine 2 or more authentications from the same factor, it’s not MFA. If we use a password and a PIN code (both something you know) for authentication, it’s not MFA; it’s single-factor authentication, because we only used 1 distinct authentication factor.

Authorization in action :)

Here are the widely used authorization mechanisms.

Access control lists (ACLs) and token-based authorization


An access control list (ACL) is a table that tells which user has access to which resources. Operating systems use ACLs to restrict permissions on files.

Image: macOS file permissions

On macOS, files have 3 types of privileges. Other operating systems have similar permissions.

Read-only, Read & Write, No Access

The table on the left is a representation of the ACL. It lists the users and the level of access each has on the file. Only an authenticated user with the right level of authorization can access the file.
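To make the three steps concrete in code, here is an added example (not code from the original article) that walks a request through identification, authentication against stored salted password hashes, and an ACL check modelled on the three macOS access levels above. It also covers the username-and-password flow described earlier. The usernames, passwords, file path and ACL entries are constructed sample values.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # work factor for the password hash; tune for your hardware


def _make_record(password: str) -> tuple:
    """Store a random salt plus PBKDF2-HMAC-SHA256 of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: username -> (salt, password hash). A real service would load
# these rows from a database; the passwords here are sample values.
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("hunter2"),
}

# Constructed ACL: file path -> {username: access level}, using the three macOS
# levels named in the text. Anyone not listed falls through to "No Access".
ACL = {
    "/reports/q4.xlsx": {"alice": "Read & Write", "bob": "Read-only"},
}

# Which actions each access level permits.
LEVEL_ALLOWS = {
    "Read-only": {"read"},
    "Read & Write": {"read", "write"},
    "No Access": set(),
}


def identify(username: str) -> bool:
    """Identification: the client states who it is. We only check that the name exists."""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claim by matching the password against the stored hash.

    The comparison is constant-time so timing differences do not leak how many bytes matched.
    """
    if not identify(username):
        return False
    salt, stored = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def authorize(username: str, path: str, action: str) -> bool:
    """Authorization: consult the ACL for what this (already authenticated) user may do.

    Default deny: an unlisted file or user, or an unknown action, is refused.
    """
    level = ACL.get(path, {}).get(username, "No Access")
    return action in LEVEL_ALLOWS.get(level, set())


def access_file(username: str, password: str, path: str, action: str) -> str:
    """Run the three steps in order and report which one stopped the request."""
    if not identify(username):
        return "unknown user"
    if not authenticate(username, password):
        return "authentication failed"
    if not authorize(username, path, action):
        return "not authorized"
    return "granted"


if __name__ == "__main__":
    print(access_file("alice", "correct horse battery staple", "/reports/q4.xlsx", "write"))  # granted
    print(access_file("bob", "hunter2", "/reports/q4.xlsx", "write"))  # not authorized
    print(access_file("bob", "wrong", "/reports/q4.xlsx", "read"))  # authentication failed
    print(access_file("carol", "anything", "/reports/q4.xlsx", "read"))  # unknown user
```

Notice that bob authenticates successfully but is still refused a write: his identity is proven, yet the ACL only grants him Read-only. That separation is exactly why the two steps must stay distinct in a design.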

OAuth aka Open Authorization

OAuth is an open standard for authorization. It’s a token-based authorization system. It’s widely used on the Internet to grant access to services.

What are tokens?

A token is a hexadecimal string. We use tokens for session management, authorization, etc.

Why do we need them?

Let’s take the HTTP protocol as an example. We use HTTP to transfer data between the server and the browser. HTTP is stateless: each request stands alone and carries no context about previous requests. The server doesn’t remember who we are. Every time we reload the page or navigate to a different page, the website would ask for the password again. This is madness.

To stop this madness, we need to maintain state, i.e. to remember the client across requests. Tokens help solve this problem.

OAuth and OpenID Connect protocols rely heavily on tokens.

Session token vs JWT?

Please, no more tokens.

The server creates a session token and passes it to the browser. It’s stored in a browser cookie and passed back and forth between the browser and the server with each request/response. The server actively maintains all the session tokens it has issued to all its clients.

On a successful login, the server creates a JWT. The JWT is passed between server and client like a session token, but the server doesn’t maintain a list of tokens. Instead, the token carries all the information needed to verify itself to the server, so the server need not keep track of the tokens it issued. When a JWT is presented, the server decodes it and verifies the request.

JSON Web Tokens comprise three parts: header, payload, and signature, separated by dots (.). Read more about JWT here.

xxxxx.yyyyy.zzzzz (Header.Payload.Signature).

Image: sample JWT

What if someone gets hold of the token?

Tokens are susceptible to replay attacks: someone who steals a token can use it to gain access. Use secure protocols like HTTPS while exchanging tokens; it provides the required encryption. Remember, tokens are not designed for authentication; only use them for authorization.
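To show the two approaches side by side, here is an added example (not code from the original article): a server-side session store that issues random hexadecimal tokens, and a minimal HS256 JWT issuer and verifier built only on Python’s standard library, producing the header.payload.signature layout described above. The signing key, claims and timestamps are constructed sample values. The verifier also checks the exp claim, which is what bounds the window in which a stolen token can be replayed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# ---- Session tokens: the server keeps the state ------------------------------

# Constructed in-memory session store (token -> username). A real server would keep
# this in memory, a cache or a database; the point is that the server must keep it.
SESSIONS = {}


def create_session(username: str) -> str:
    """Issue a random, opaque hexadecimal token and remember who it belongs to."""
    token = secrets.token_hex(32)  # 256 random bits; the string itself carries no meaning
    SESSIONS[token] = username
    return token


def user_for_session(token: str) -> Optional[str]:
    """Resolve a presented token; without the server-side table it is just noise."""
    return SESSIONS.get(token)


# ---- JWT (HS256): the token carries its own proof -----------------------------

def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, key: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build header.payload.signature, signing header.payload with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None.

    No lookup table is consulted: the signature alone proves the server issued these bytes.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm; never let the token choose how it gets verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # forged, tampered, or signed with a different key
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON or bad UTF-8
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None  # expired (or no expiry): limits how long a stolen token stays usable
    return claims
```

The session token means nothing without the SESSIONS table, which is why the server must keep it. The JWT, by contrast, is verified by recomputing the HMAC over header.payload and comparing it with the signature part, so any change to the payload (a different subject, a later exp) breaks the check. A production service would use an established JWT library and a long random key, but the verification steps are the same.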
