Authentication
Authentication is the process of verifying who a user is before allowing them to access a system. The user proves their identity by presenting one or more authentication factors.
Authentication factors are usually separated into three categories:
- Something you know
- Something you have
- Something you are
Something You Know: the user must present information that only they should know. Usually this is a credential such as a combination of email/username and password.
Something You Have: the user must prove possession of something. For example, the system sends an OTP to the user's registered mobile phone number, and the user proves they hold that phone by entering the code.
Something You Are: the user must present a physical characteristic, e.g. a fingerprint, face, or voice.
Multi-Factor Authentication
When a user authenticates with only one factor (e.g. email and password), it is called single-factor authentication. A user can also authenticate with multiple factors to increase security; this is called multi-factor authentication.
For example, when a user wants to authenticate:
- They must provide their email and password (something you know).
- After that, they must provide an OTP that was sent to their email (something you have).
This makes it much harder for an attacker to authenticate. Even if the attacker passes the first factor by knowing the user's email and password, they cannot pass the second factor because they cannot read the user's mailbox to get the OTP. Two caveats apply. A code sent by email only proves access to the mailbox, and that mailbox is itself usually protected by a password, so it is a weaker second factor than a code from an authenticator app or a hardware token. And the OTP must be short-lived, single-use and limited in the number of guesses, otherwise a code that is guessed or captured later can still be replayed.
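As an added example (not code from the original article), here is the two-factor flow above in Python: a salted password hash for the first factor and a short-lived, single-use OTP for the second. The AuthService class, its method names, the send_otp delivery callback and the inbox list standing in for the user's mailbox are assumptions for illustration; the constant-time comparison, the expiry and the attempt limit are the checks a real implementation needs.

```python
# Added example, not code from the original article: a two-factor login where the
# first factor is a salted password hash and the second a short-lived, single-use OTP.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

OTP_TTL_SECONDS = 300  # assumption: a code stays valid for five minutes
OTP_MAX_ATTEMPTS = 5   # assumption: a code is discarded after five wrong guesses


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    def __init__(self, send_otp, clock=time.time):
        self._users = {}           # username -> (salt, digest)
        self._pending = {}         # username -> OTP state issued after the first factor passed
        self._send_otp = send_otp  # callable(username, otp) delivering the code (email, SMS, ...)
        self._clock = clock        # injectable so expiry can be demonstrated offline

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def check_password(self, username: str, password: str) -> bool:
        """First factor (something you know), compared in constant time."""
        record = self._users.get(username)
        if record is None:
            hash_password(password)  # spend the same time for unknown usernames
            return False
        salt, digest = record
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def start_login(self, username: str, password: str) -> bool:
        """Verify the password; on success issue a fresh OTP through the delivery channel."""
        if not self.check_password(username, password):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"  # six random decimal digits
        self._pending[username] = {"otp": otp, "expires": self._clock() + OTP_TTL_SECONDS, "attempts": 0}
        self._send_otp(username, otp)
        return True

    def finish_login(self, username: str, otp: str) -> bool:
        """Second factor (something you have): the OTP expires, is single-use and rate-limited."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._clock() > pending["expires"]:
            del self._pending[username]
            return False
        pending["attempts"] += 1
        if pending["attempts"] > OTP_MAX_ATTEMPTS:
            del self._pending[username]
            return False
        if not hmac.compare_digest(pending["otp"].encode(), otp.encode()):
            return False
        del self._pending[username]  # single use: the same code cannot be replayed
        return True


def demo() -> dict:
    """Run the scenarios from the text against a constructed user and mailbox."""
    inbox = []               # constructed stand-in for the user's email inbox
    now = [1_700_000_000.0]  # controllable clock
    svc = AuthService(send_otp=lambda user, otp: inbox.append(otp), clock=lambda: now[0])
    password = "correct horse battery staple"
    svc.register("alice", password)
    results = {}

    # Wrong password: the first factor fails and no OTP is ever sent.
    results["wrong_password"] = svc.start_login("alice", "password123")

    # Attacker knows the password but cannot read the inbox, so must guess the code.
    svc.start_login("alice", password)
    wrong = "000000" if inbox[-1] != "000000" else "111111"  # guaranteed wrong for the demo
    results["guessed_otp"] = svc.finish_login("alice", wrong)

    # The real user reads the code from the inbox; replaying it afterwards fails.
    svc.start_login("alice", password)
    code = inbox[-1]
    results["correct_otp"] = svc.finish_login("alice", code)
    results["replayed_otp"] = svc.finish_login("alice", code)

    # A code presented after its lifetime is rejected.
    svc.start_login("alice", password)
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_otp"] = svc.finish_login("alice", inbox[-1])

    # Too many wrong guesses discard the code, so a late correct guess fails too.
    svc.start_login("alice", password)
    wrong = "000000" if inbox[-1] != "000000" else "111111"
    for _ in range(OTP_MAX_ATTEMPTS):
        svc.finish_login("alice", wrong)
    results["brute_forced_otp"] = svc.finish_login("alice", inbox[-1])
    return results
```

Calling demo() returns a dictionary in which only correct_otp is True: the wrong password never reaches the second factor, a guessed, replayed, expired or brute-forced code is rejected. The clock and the delivery callback are injected so the expiry case can be exercised without waiting or sending real email.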
Authorization
Authorization is the process of verifying a user's permissions before allowing them to access specific resources in the system. It ensures that only authorized users can access and operate on the resources, and it protects the resources from unauthorized operations that could damage the business. The authorization process usually happens after the authentication process.
An authorization process usually involves three parts:
- Resource
- Permissions Giver
- Authorized User
The Resource is something in the system that a user wants to access and operate on. The Permissions Giver is a user who can give another user permissions to access and operate on specific resources. The Authorized User is a user who is allowed to access and operate on the resources.
For example, consider this case:
User A gives User B permission to create, update and delete product data. User C, who does not have that permission, is unable to create, update or delete product data.
- Resource: the product data.
- Permissions Giver: User A, who has permission to give another user permissions to access and operate on the resource.
- Authorized User: User B, who has permission to access and operate on the resource.
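The scenario above as an added Python example (not code from the original article): a small access-control list in which granting is itself a permission, so only the Permissions Giver can hand out rights, and a product service whose handlers check the permission on every call. The AccessControl and ProductService classes, the PermissionDenied error and the bootstrap_giver setup step are assumptions for illustration; the user names and actions are the article's.

```python
# Added example, not code from the original article: the product-data scenario as a
# small access-control list, with the permission check enforced inside every handler.
from collections import defaultdict


class PermissionDenied(Exception):
    """Raised when a user lacks the permission an operation requires."""


class AccessControl:
    """Maps (user, resource) to the set of actions that user may perform on it.

    Granting is itself an action: only a user holding "grant" on a resource (the
    article's Permissions Giver) can hand out permissions on that resource.
    """

    def __init__(self):
        self._acl = defaultdict(set)

    def bootstrap_giver(self, user: str, resource: str) -> None:
        """Seed the first Permissions Giver at setup time, outside the normal grant path."""
        self._acl[(user, resource)].add("grant")

    def is_allowed(self, user, action: str, resource: str) -> bool:
        return user is not None and action in self._acl[(user, resource)]

    def grant(self, giver: str, grantee: str, resource: str, actions) -> None:
        """giver hands actions on resource to grantee; refused unless giver may grant on it."""
        if not self.is_allowed(giver, "grant", resource):
            raise PermissionDenied(f"{giver} may not grant permissions on {resource}")
        self._acl[(grantee, resource)].update(actions)

    def require(self, user, action: str, resource: str) -> None:
        """Deny-by-default check; an unauthenticated (None) user never passes."""
        if not self.is_allowed(user, action, resource):
            raise PermissionDenied(f"{user!r} may not {action} {resource}")


class ProductService:
    """Every handler re-checks the permission itself: hiding a button in the UI is not a control."""

    RESOURCE = "products"

    def __init__(self, acl: AccessControl):
        self.acl = acl
        self.products = {}

    def create(self, user, product_id: int, name: str) -> None:
        self.acl.require(user, "create", self.RESOURCE)
        self.products[product_id] = name

    def update(self, user, product_id: int, name: str) -> None:
        self.acl.require(user, "update", self.RESOURCE)
        self.products[product_id] = name

    def delete(self, user, product_id: int) -> None:
        self.acl.require(user, "delete", self.RESOURCE)
        del self.products[product_id]


def allowed(operation) -> bool:
    """Run an operation and report whether authorization let it through."""
    try:
        operation()
        return True
    except PermissionDenied:
        return False


def demo() -> dict:
    """User A grants User B; User C, User A itself and an unauthenticated caller are refused."""
    acl = AccessControl()
    acl.bootstrap_giver("userA", "products")  # A can give permissions on the product data
    svc = ProductService(acl)
    outcomes = {}

    acl.grant("userA", "userB", "products", {"create", "update", "delete"})
    outcomes["b_creates"] = allowed(lambda: svc.create("userB", 1, "Widget"))
    outcomes["b_updates"] = allowed(lambda: svc.update("userB", 1, "Widget v2"))
    outcomes["c_deletes"] = allowed(lambda: svc.delete("userC", 1))
    # C cannot escalate by granting to itself, and B may operate but not grant.
    outcomes["c_self_grant"] = allowed(lambda: acl.grant("userC", "userC", "products", {"delete"}))
    outcomes["b_grants"] = allowed(lambda: acl.grant("userB", "userC", "products", {"delete"}))
    # A holds only "grant" and has not given itself operate rights, so it cannot delete.
    outcomes["a_deletes"] = allowed(lambda: svc.delete("userA", 1))
    # A request with no authenticated user reaches the handler and is refused there.
    outcomes["anonymous_delete"] = allowed(lambda: svc.delete(None, 1))
    outcomes["b_deletes"] = allowed(lambda: svc.delete("userB", 1))
    outcomes["remaining_products"] = dict(svc.products)
    return outcomes
```

The check lives in the handler rather than in the interface: whether or not the delete button is shown to User C, a request from User C (or with no user at all) still reaches require() and is refused, which is the behaviour a server-side authorization layer must have.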
How They Differ
Authentication and authorization have different purposes. Authentication verifies who the user that wants to access the system is, while authorization verifies which resources that authenticated user is allowed to access and operate on.
So authorization is usually implemented together with authentication. After a user submits their credentials and is considered authenticated, the system will usually show only the resources they can access and operate on. Hiding a resource in the user interface is not enough on its own, though: the server must check the permission on every request, because an attacker can send requests directly without going through the interface.
Conclusion
In summary, authentication and authorization are distinct yet complementary processes critical to securing access to systems and resources. Understanding the difference between authentication and authorization is essential for implementing good security practices.