Authentication vs. authorization: What’s the difference?

Authentication and authorization are related but distinct processes in an organization’s identity and access management (IAM) system. Authentication verifies a user’s identity. Authorization gives the user the right level of access to system resources.

The authentication process relies on credentials, such as passwords or fingerprint scans, that users present to prove they are who they claim to be.

The authorization process relies on user permissions that outline what each user can do within a particular resource or network. For example, permissions in a file system might dictate whether a user can create, read, update or delete files.

Authentication and authorization processes apply to both human and nonhuman users, such as devices, automated workloads and web apps. A single IAM system might handle both authentication and authorization, or the processes might be handled by separate systems working in concert.

Authentication is usually a prerequisite for authorization. A system must know who a user is before it can grant that user access to anything.

Identity-based attacks, in which hackers hijack valid user accounts and abuse their access rights, are on the rise. According to the IBM X-Force® Threat Intelligence Index, these attacks are one of the most common ways that threat actors sneak into networks, accounting for 30% of all cyberattacks.

Authentication and authorization work together to enforce secure access controls and thwart data breaches. Strong authentication processes make it harder for hackers to take over user accounts. Strong authorization limits the damage hackers can do with those accounts.

Authentication, sometimes abbreviated as “authn,” is based on the exchange of user credentials, also called authentication factors. Authentication factors are pieces of evidence that prove the identity of a user.

When a user registers with a system for the first time, they establish a set of authentication factors. When the user logs in, they present these factors. The system checks the presented factors against the factors on file. If they match, the system trusts that the user is who they claim to be.

Common types of authentication factors include:

• Knowledge factors: Something only the user knows, such as a password, PIN or the answer to a security question.
  
• Possession factors: Something only the user has, such as a one-time PIN (OTP) sent to their personal mobile phone through SMS text message or a physical security token.
  
• Inherent factors: Biometrics, such as facial recognition and fingerprint scans.

Individual apps and resources can have their own authentication systems. Many organizations use one integrated system, such as a single sign-on (SSO) solution, where users can authenticate once to access multiple resources in a secure domain.

Common authentication standards include Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). SAML uses XML messages to share authentication information between systems, while OIDC uses JSON Web Tokens (JWTs) called “ID tokens.”

• Single-factor authentication (SFA) requires one authentication factor to prove a user’s identity. Supplying a username and password to log in to a social media site is a typical example of SFA.
  
• Multifactor authentication (MFA) requires at least two authentication factors of two different types, such as a password (knowledge factor) and a fingerprint scan (inherent factor).
  
• Two-factor authentication (2FA) is a specific type of MFA that requires exactly two factors. Most internet users have experienced 2FA, such as when a banking app requires both a password and a one-time code sent to the user’s phone.
  
• Passwordless authentication methods do not use passwords, or any knowledge factors for that matter. Passwordless systems have become popular as a defense against credential thieves, who target knowledge factors because they’re the easiest to steal.
  
• Adaptive authentication systems use artificial intelligence and machine learning to adjust authentication requirements based on how risky a user’s behavior is. For example, a user trying to access confidential data might need to supply multiple authentication factors before the system verifies them.

Learn how IBM’s identity and security experts can help streamline IAM efforts, manage solutions across hybrid cloud environments and transform governance workflows.

• Using a fingerprint scan and PIN code to unlock a smartphone.
  
• Showing ID to open a new bank account.
  
• A web browser verifies that a website is legitimate by checking its digital certificate.
  
• An app verifies itself to an application programming interface (API) by including its secret API key in every call that it makes.

Authorization, sometimes abbreviated as “authz,” is based on user permissions. Permissions are policies that detail what a user can access and what they can do with that access in a system.

Administrators and security leaders typically define user permissions, which are then enforced by authorization systems. When a user attempts to access a resource or perform an action, the authorization system checks their permissions before allowing them to proceed.

Consider a sensitive database containing customer records. Authorization determines whether a user can even see this database. If they can, authorization also determines what they can do within the database. Can they just read entries, or can they also create, delete and update entries?

OAuth 2.0, which uses access tokens to delegate permissions to users, is one example of a common authorization protocol. OAuth allows apps to share data with each other. For example, OAuth enables a social media site to scan a user’s email contacts for people the user might know—provided the user consents.

• Role-based access control (RBAC) methods determine user access permissions based on their roles. For example, a junior-level security analyst might be able to view firewall configurations but not change them, while the head of network security might have full administrative access.
  
• Attribute-based access control (ABAC) methods use the attributes of users, objects and actions—such as a user’s name, a resource’s type and the time of day—to determine access levels. When a user tries to access a resource, an ABAC system analyzes all the relevant attributes and only grants access if they meet certain predefined criteria. For example, in an ABAC system, users might be able to access sensitive data only during work hours and only if they hold a certain level of seniority.
  
• Mandatory access control (MAC) systems enforce centrally defined access control policies across all users. MAC systems are less granular than RBAC and ABAC, and access is typically based on set clearance levels or trust scores. Many operating systems use MAC to control program access to sensitive system resources.
  
• Discretionary access control (DAC) systems enable the owners of resources to set their own access control rules for those resources. DAC is more flexible than the blanket policies of MAC.

• When a user logs in to their email account, they can only see their emails. They’re not authorized to view anyone else’s messages.
  
• In a healthcare records system, a patient’s data can only be viewed by providers to whom the patient has explicitly given their consent.
  
• A user creates a document in a shared file system. They set the access permissions to “read only” so that other users can view the document but cannot edit it.
  
• A laptop’s operating system prevents an unknown program from changing system settings.

User authentication and authorization play complementary roles in protecting sensitive information and network resources from insider threats and external attackers. In short, authentication helps organizations defend user accounts, while authorization helps defend the systems those accounts can access.

Comprehensive identity and access management (IAM) systems help track user activity, block unauthorized access to network assets and enforce granular permissions so that only the right users can access the right resources.

Authentication and authorization address two critical questions that organizations need to answer to enforce meaningful access controls: 

• Who are you? (Authentication)
  
• What are you allowed to do in this system? (Authorization)

An organization needs to know who a user is before it can enable the right level of access. For example, when a network administrator logs in, that user must prove they are an admin by supplying the right authentication factors. Only then will the IAM system authorize the user to perform administrative actions such as adding and removing other users.

As organizational security controls grow more effective, more attackers are getting around them by stealing user accounts and abusing their privileges to wreak havoc. These attacks are easy for cybercriminals to pull off. Hackers can crack passwords through brute-force attacks, use infostealer malware or buy credentials from other hackers. 

Phishing is another common credential theft tactic, and generative AI tools now enable hackers to develop more effective phishing attacks in less time.

While they might be seen as basic security measures, authentication and authorization are important defenses against identity theft and account abuse, including AI-powered attacks.

Authentication can make it harder to steal accounts by replacing or reinforcing passwords with other factors that are more difficult to crack, such as biometrics.

Granular authorization systems can curtail lateral movement by restricting user privileges to solely the resources and actions they need. This helps limit the damage that both malicious hackers and insider threats can do by misusing access rights.