Authentication vs. Authorization
Authentication and authorization are terms that refer to processes often used in the field of fraud prevention. Although they may look similar, each one involves different methods and serves different purposes. While authentication is the process of verifying a person's identity, authorization verifies the types of access a person has after having already been authenticated by a system.
To illustrate this difference, it is possible to compare it with the operation of a commercial building, for example. When a visitor arrives at the site, the first step is to present an identification document at the reception so that their access to the building is granted, which would correspond to the authentication step. Once the visitor's identity is confirmed, the person could gain access to only one or a few specific floors or rooms according to their profile and the purpose of the visit. That limited access represents the authorization process.
Authentication and authorization, therefore, act in a complementary way, being crucial methods for any company's security and fraud prevention strategy. To understand how authentication differs from authorization, however, it is necessary to analyze other factors involved in the two processes in addition to the purpose of each.
How is authentication different from authorization?
As mentioned above, the main difference between authentication and authorization is the fact that the first confirms that a person really is who they say they are and the second grants access to different levels of information and allows certain actions to be performed according to the rules established for each user.
This means that authentication will always be the first layer of protection, while authorization will only take place after a person has been authenticated. A practical example of the difference between authentication vs. authorization is when a user tries to access their bank account via a mobile app. The first step will be authentication, in which certain techniques are used to recognize an already registered user. Once logged in, the authorization process ensures the user has access to certain areas of the application and specific transactions. It is common for bank applications to authorize the user to see their balance and statement after the first authentication, but if the user tries to register a new recipient account for bank transfer, authentication with an MFA may be required.
Another common example of authentication vs. authorization is when a person visits a website or application that offers paid service options. To join the platform, the user needs to provide their credentials, regardless of the type of plan each individual has. While all users go through the same authentication process, a customer using the free plan will not be allowed to use the same features as a premium customer.
Another difference is that the authentication credentials can be partially changed according to the user, such as passwords, for example. Authorization permissions are assigned to users by the system owner or manager, who are the only ones who can change them.
Regarding the techniques used for both authentication and authorization, the list below brings some of the most common examples:
While the method of authentication may differ for each institution, the objective is the same: to put in place a security process that successfully authenticates users with multiple authentication factors. Some of the many possible authentication methods are:
- Password: usernames and passwords are around for a while. A password is the combination of letters, numbers and alphanumeric characters. While it is today the most commonly used authentication method it also offers the least security and the most friction.
- Security Questions: pre-defined questions set by the administrator, in which the user has to set answers when creating a new account. Security questions are a form of knowledge-based authentication (KBA), and are usually prompted when a user forgets a password.
- Magiclink: the user is identified by clicking on a link sent by SMS or previously registered email.
- One-time password (OTP): A temporary password that expires in a few minutes, which is usually sent by SMS or email.
- Physical biometrics: use of a user's physical characteristics for recognition based on matching with stored data. It includes technologies such as facial recognition, fingerprint reading and retina scanning.
- Behavioral biometrics: recognition of user behavior characteristics, such as location patterns, gait, mouse use, and typing rhythm, among others.
- Recognition signals: Signals from sensors on mobile devices that can be used to recognize users and reveal anomalies in user behavior.
- Role-Based Access Controls (RBAC): Grants access to certain information according to an individual's role in the organization.
- JSON web token (JWT): is an open standard used for data transfer where users are authorized via a public or private key.
- SAML: refers to a standard Single Sign-on (SSO) format where authentication information is shared through digitally signed XML documents.
- OpenID: Verifies a user's identity based on the authentication performed by the authorization server.
- OAuth: is an authorization protocol that allows the API to perform authentication and access a certain system or resource.
The similarities between authentication and authorization, therefore, are the fact that both are used during the process of granting access to a user and that they are implemented to work in a complementary way as part of a fraud prevention strategy.