Authentication and Authorization
It’s one of the questions we’ve long wondered about IT security. What is the difference between authorization and authentication? So we asked our U.K. correspondent Mary Branscombe. She came back with a one-sentence answer:
Authentication is verifying that a user is who they say they are; authorization is giving them permission to access a resource or perform a specific function.
But like much in IT, things are more complicated than they first appear.
As Branscombe writes, “Authentication and authorization sound similar. They’re often mentioned together, they’re often both implemented with tokens, and the terms are sometimes used almost interchangeably.”
Authorization is something the security or application administrator handles and it’s based on what permissions are available for the system being accessed. “Users can’t change their authorization options and won’t see authorization happening,” she wrote.
An organization uses authentication techniques (passwords, temporary tokens) to set the level of confidence it wants to place in its authorization decisions. Passwords are perhaps the easiest method of authentication — and the easiest to break. Multifactor authentication raises the confidence level that the person, or machine, is who they say they are, by requiring multiple factors. But it requires more resources — and demands more — from the user.
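To make the distinction concrete, here is an added example (not code from the original piece or from Branscombe) that keeps the two steps separate: `authenticate()` establishes identity from a password and, for users who have enrolled one, a time-based one-time code as a second factor; `authorize()` then checks that identity against a role-to-permission table the user cannot edit. The user records, roles, passwords and the TOTP secret are constructed sample data; the function names and the `PERMISSIONS` layout are assumptions for this illustration, not a standard. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step), so its output can be checked against the RFC's published test vector.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# --- Authentication: who is this? -------------------------------------------

def make_password_record(password: str) -> dict:
    """Store a salted PBKDF2 digest rather than the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest}

def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, record["hash"])

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; `now` is passed in so results are testable."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed user store (sample data). The TOTP secret is the RFC 6238 test key.
TOTP_TEST_SECRET = b"12345678901234567890"
USERS = {
    "alice": {"pw": make_password_record("correct horse battery staple"),
              "role": "analyst", "mfa_secret": TOTP_TEST_SECRET},
    "bob":   {"pw": make_password_record("hunter2"),
              "role": "admin", "mfa_secret": None},
}

def authenticate(username: str, password: str,
                 otp: Optional[str] = None, now: float = 0.0) -> Optional[str]:
    """Return the verified identity, or None. Never reveals which factor failed."""
    user = USERS.get(username)
    if user is None or not verify_password(user["pw"], password):
        return None
    secret = user["mfa_secret"]
    if secret is not None:  # second factor is mandatory once enrolled
        if otp is None or not hmac.compare_digest(otp, totp(secret, now)):
            return None
    return username

# --- Authorization: what may this identity do? -------------------------------

# Role-to-permission table; administered centrally, invisible to the user.
PERMISSIONS = {
    "analyst": {"read:reports"},
    "admin":   {"read:reports", "delete:reports"},
}

def authorize(username: str, action: str) -> bool:
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())

def access(username: str, password: str, action: str,
           otp: Optional[str] = None, now: float = 0.0) -> str:
    """Authenticate first, then authorize; a valid login alone grants nothing."""
    identity = authenticate(username, password, otp, now)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, action):
        return "denied: not authorized"
    return "ok"

if __name__ == "__main__":
    code = totp(TOTP_TEST_SECRET, now=59)
    print(access("alice", "correct horse battery staple", "read:reports", code, 59))
    print(access("alice", "correct horse battery staple", "delete:reports", code, 59))
    print(access("bob", "hunter2", "delete:reports"))
```

The point the example makes is that the two checks answer different questions and fail differently: a wrong password or stale one-time code is an authentication failure, while a correctly logged-in analyst asking to delete reports is an authorization failure, and the second can only be changed by whoever administers `PERMISSIONS`, not by the user.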
Yet, as Branscombe herself later tweeted, the question revealed many interesting ways in which the two interrelate in the age of zero-trust security. As organizations start to move their security measures away from centralized services such as firewalls, they need to rethink how and where to authenticate and authorize their users.
Like so much of IT, what was once simple but brittle is now complex but robust.