Explore Topics

Authentication vs Authorization

Authentication

Authentication is the process of verifying who someone is. It is the first step in the security process, and it ensures that only legitimate users can access your system. Think of authentication as the “identity check” at the door.

Types of Authentication

Password-Based Authentication: This is the most common form of authentication where users provide a secret password, which the system checks against a stored value.
Multi-Factor Authentication (MFA): This method requires users to provide two or more pieces of evidence to verify their identity. For example:
- Something the user knows (password)
- Something the user has (a phone app that generates a one-time code)
- Something the user is (fingerprint or face recognition)
Single Sign-On (SSO): With SSO, users can authenticate once and gain access to multiple applications or systems without needing to log in repeatedly. It simplifies the user experience but requires strong security measures to protect the single login point.
Social Login: Users can authenticate using their credentials from social platforms (like Facebook, Google, or Twitter). This can save users from having to create a new account but requires a trusted third-party provider.

Working of Authentication

When a user attempts to log in, they send their credentials (username and password, for example) to the server. The server checks these credentials against a database of valid users. If the credentials match, the user is granted access and a session is created.

The session could be represented by a token (like a session ID or a JWT), which the client will send with each subsequent request to prove that they are authenticated.

Authorization

Authorization comes into play once the user is authenticated. After confirming who the user is, the system determines what actions they can perform and what resources they can access. Authorization defines the permissions granted to the authenticated user.

While authentication answers “Who are you?”, authorization answers “What can you do?”

Types of Authorization

Role-Based Access Control (RBAC): This is a common method where users are assigned specific roles (e.g., Admin, User, Moderator) that come with predefined permissions. For example, an admin can create, delete, or modify records, while a regular user can only view records.
Attribute-Based Access Control (ABAC): Permissions are based on attributes (user’s department, position, etc.) rather than roles. This method offers more fine-grained control over who can do what.
Access Control Lists (ACLs): ACLs are lists that define what actions a user or system can perform on a particular resource. For example, an ACL for a file may specify that only the file owner can read/write, while others can only read.
OAuth: This protocol allows an application to access user data stored in another application without exposing the user’s credentials. For example, allowing a calendar application to access Google Calendar after user authentication.

Working of Authorization

After authentication, the server uses the user’s role or other attributes to check if the user has permission to access a particular resource or perform an action. For example:

An authenticated user might try to access a page that is only available to admins. If their role is “Admin,” they are authorized to view the page.
If a regular user tries to access an admin-only page, they would be denied access, even though they are authenticated.

Authorization can be enforced at different levels, such as:

URL-level access: Specific URLs or API endpoints are protected and accessible only by certain roles or users.
Method-level access: Methods within an application’s code are protected to ensure that only users with the correct permissions can trigger them.