Authentication and authorization are core pillars of IAM (identity and access management). These two terms are often used interchangeably; however, they have different but complementary roles. Cybercriminals take advantage of inadequate authentication and authorization mechanisms. Understanding how these elements work will help you build robust identity-based systems.

This article explains what authentication and authorization are and why they’re used together.

What are authentication and authorization?

Simply put, user authentication verifies that a user is who they say they are, and authorization determines what they can (or can’t) access once they’re authenticated. When a user attempts to access a resource, the system first authenticates the user’s identity and then checks the access rights during the authorization phase. Authorization follows successful authentication.

What is the purpose of authentication?

The authentication process verifies that a person is who they say they are. Once they’re verified, access is allowed. Access control is vital to the security of apps, devices, files, and data. Authentication is applied to people and devices. Enforcing authentication ensures that unauthorized access is prevented. This reduces the risk of a security breach.

What is the purpose of authorization?

After a user or device has been authenticated, the type of access needs to be decided. This is known as authorization. An authorization decision may be based on an individual or a role. Access privileges will restrict access to certain network areas and determine what actions are allowed after access. Authorization is part of privileged access management (PAM).

Similarities between authentication and authorization

Authentication and authorization are complementary. Authorization occurs after a successful authentication event. Authentication and authorization work together to protect corporate resources. Together, these controls ensure that employees can work productively and securely.

Which comes first, authentication or authorization?

Authentication happens before authorization. A person (or device) supplies the login credentials. If the login is successful, authorization is next. An authorization scheme decides what the user can do with the resource. For example, the user may be able to access an app but not edit documents. Authorization reduces data breaches and leaks.

Common types of authentication

Username and password combos are a form of single-factor authentication. However, phishing and spear phishing have made passwords vulnerable. To resolve this, different types of user credentials have been developed. Authentication can be split into three main parts:

Something you know, such as a password. Other similar methods include security questions and one-time PINs that work for a single session.

Something you possess is usually a mobile device, app, or a digital ID card, or even something like a boarding pass.

Something you are can be a biometric — this includes facial recognition and fingerprints.

Multiple authentication methods are used to generate robust identity verification and control access.

Multifactor authentication (MFA)

Robust security combines multiple authentication methods. This means users are asked to supply additional authentication factors in order to log in. An example of an additional factor is a code from a mobile authenticator app.

Using MFA reduces the chance of successful phishing based on single-factor security. Multiple authentication factors reduce the risk of cyberattack and accidental data exposure. MFA is a best practice access control measure. Multiple authentication credentials are called MFA. Two factors of authentication are called two-factor authentication (2FA).

Requiring additional credentials for resource access makes it harder for hackers to access data and resources. Strong authentication is a must-have to reduce successful phishing attacks.

Risk-based authentication

Rules add more security to the user authentication process, This is known as risk-based authentication, step-up authentication, or risk-based access control. For example, a rule could require further authentication factors if a user logs in outside the corporate firewall.

Single-Sign-On (SSO)

SSO is an authentication scheme. SSO allows employees to sign in once to access multiple federated apps securely. SSO schemes are based on federated identity.

Common types of authorization systems

There are many authorization mechanisms. The types of authorization process you can choose from include:

Role-based access control (RBAC): Access permissions and privileges are set according to specific roles in an organization. For example, accounts payable employees may be allowed full edit access to accounting software, whereas HR staff may have read-only access. Sensitive data is protected using least-rights privileges to apps and files while ensuring uninterrupted access for work.

Attribute-based access control (ABAC): Uses attributes to set access privileges and access restrictions. These attributes are based on:

• The subject

• Environment

• Action

• The objects

Access control list (ACL): An ACL is a list of access permissions assigned on a per-user basis. ACLs prevent unauthorized users from accessing corporate resources. ACLs authorize access to files, directories, apps, or the network. An ACL can allocate user read and write privileges.

Other types of authorization methods include Discretionary Access Control (DAC), a form of distributed, resource owner-controlled authorization, and Mandatory Access Control (MAC), which is based on security labels.

Protocols and standards used in authentication and authorization

Authentication protocols and authorization protocols are an essential part of an IAM system:

SAML (Security Assertion Markup Language)

SAML is an open federation standard that became an OASIS standard in November 2002. SAML 2.0 is the latest version. Many IdPs continue to use SAML, including enterprise applications and government online services. SAML is used for cross-domain SSO.

Open Authorization (OAuth) 2.0

OAuth is a framework that allows a person to authorize access to digital resources without revealing their identity. For example, federated social login systems such as Google and Facebook use OAuth federation to provide access to third-party websites.

OpenID Connect (OIDC)

OIDC is an identity authentication protocol. OIDC is built on the OAuth 2.0 protocol. OIDC was released in 2014, but mass uptake took several years. OIDC is now used across the internet to authenticate and authorize users. OIDC creates an access token and ID token when users sign in, to control user access.

System for Cross-domain Identity Management (SCIM)

SCIM is an HTTP-based protocol that standardizes identity exchange across multiple domains. Uses offered by the Internet Engineering Task Force (IETF) community, which developed the protocol, include enterprise-to-cloud service providers and inter-cloud scenarios.

Why authorization is important for security and automation

Security and usability have always been two sides of a balancing act. However, an automated authorization scheme can maintain this balance. Authorization systems provide the critical components of enterprise cybersecurity: orchestration and automation of access rights privileges. While authentication controls access, authorization controls privilege. Organizations can set privileges and permissions based on a predefined role or individual level, using the principle of least privilege. NIST defines least privilege as “the principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” When least-privilege rights are enforced, security risks are reduced and regulatory compliance is met.

How Google handles authentication and authorization through Sign in with Google

Google SSO can be used to sign in to all Google Workspace apps using a single login (SSO) session. This same SSO service can also be used for other non-Google web apps or websites. Apps or websites that use Sign in with Google allow Google to handle their identity management. Whenever a user attempts a log in to the integrated app or website, an authentication request is sent to Google’s authentication service. On login, a user is asked to enter their Sign-in credentials. If this is the first time they’ve used Google to sign in to this app or website, the user will see an OAuth consent screen. This screen allows the user to grant permission to share data, such as their email address. Once consent is received, an access token is generated, which provides access rights to the application or website.