Authentication and Authorization: Quick notes

By Alireza Alavi

Table of Contents

  1. What Is Authentication?
  2. How is authentication used in a security context?
  3. Authentication vs. Authorization
  4. What is identity in the context of computing?
  5. sources

These are some quick notes I took (read: "copy/pasted") for understanding auth in general and the difference between Authentication and Authorization.

What Is Authentication?

[Authentication diagram, image credit: Cloudflare]
  • You go to the airport, and the security guy checks your identification card (ID), which contains an identity. Then the security guy checks your face or fingerprint to make sure you are truly the owner of that identity (Authentication).
  • Authentication does not just apply to verifying human users. Computer systems also need to check servers, software, APIs, and other computers to be sure they are who they "say" they are.

How is authentication used in a security context?

  • Authentication is an important part of identity and access management (IAM), which dictates who can view data and what they can do with it. But it
    applies to many other areas of security as well, including:
    • TLS: Almost all major websites today support Transport Layer Security (TLS). TLS, among other functions, authenticates the identity of a web server to ensure user devices do not load fake websites.
    • APIs: Most modern web applications rely on APIs in order to function. Properly secured APIs authenticate both endpoints of the API integration in order to prevent attacks directed at those APIs.
    • Email: Emails are authenticated using a process called DomainKeys Identified Mail (DKIM). DKIM helps ensure email messages come from servers that are allowed to
      use the domain (e.g. @cloudflare.com) that the email comes from.
      Non-authenticated email messages are likely to end up in spam folders.

Authentication vs. Authorization

  • While authentication is concerned with verifying identity, authorization is concerned with permissions, or what someone is allowed to do once
    they gain access to a protected system or resource.
    Authentication                                                      | Authorization
    --------------------------------------------------------------------|-----------------------------------------------------------------
    Users or persons are verified.                                      | Users or persons are validated.
    It is done before the authorization process.                        | It is done after the authentication process.
    It usually needs the user's login details.                          | It needs the user's privilege or security levels.
    Determines whether the person is a user or not.                     | Determines what permissions the user has.
    Password, Passwordless Authentication, 2FA/MFA (Two-Factor          | Role based access control (RBAC), JSON Web Token (JWT), SAML,
    Authentication / Multi-Factor Authentication), Single sign-on (SSO) | OpenID, OAuth
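The ordering in the table (authenticate first, then authorize) is easiest to see in code. The following is an added example, not from the original notes: a tiny request handler with constructed, hypothetical accounts ("alice", "bob") and an RBAC policy, where a failed login never reaches the permission check, and a valid login can still be refused.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed demo accounts (hypothetical). Passwords are stored only as salted PBKDF2 hashes.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset

def make_user(name: str, password: str, roles) -> User:
    salt = os.urandom(16)
    return User(name, salt, _hash(password, salt), frozenset(roles))

USERS = {u.name: u for u in (
    make_user("alice", "correct horse", {"editor"}),
    make_user("bob", "battery staple", {"viewer"}),
)}

# Authorization policy (RBAC): which roles may perform which actions.
ROLE_PERMISSIONS = {"viewer": {"read"}, "editor": {"read", "write"}}

def authenticate(name: str, password: str):
    """Step 1 (authentication): verify the claimed identity from login details.
    Returns the User on success, None otherwise. Uses a constant-time compare."""
    user = USERS.get(name)
    if user is None or not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return None
    return user

def authorize(user: User, action: str) -> bool:
    """Step 2 (authorization): check the authenticated user's roles against the policy."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

def handle_request(name: str, password: str, action: str) -> str:
    user = authenticate(name, password)
    if user is None:
        return "401 unauthenticated"  # identity not established, so authorization never runs
    if not authorize(user, action):
        return "403 forbidden"        # identity known, but this role lacks the permission
    return "200 ok"
```

A 401 means "I don't know who you are"; a 403 means "I know who you are, and you may not do this".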

What is identity in the context of computing?

  • A person's entire identity cannot be uploaded and stored in a computer, so "identity" in a computing context means a certain set of properties that can be conveniently measured and recorded digitally.
  • To verify identity, a computer system will assess a user for characteristics that are specific to them (authentication factors):
    • Something the user knows (e.g. a password)
    • Something the user has (e.g. a soft token or hard token)
    • Something the user is (e.g. fingerprint, face, biometrics)

sources