
Authentication vs Authorization

If you’re into application development, Authentication and Authorization are two terms you have probably heard often. They are frequently used interchangeably, which leads to confusion. Well, no more! Let’s clear up the confusion between the two once and for all.
So, what is the difference between the two?
Let’s try to understand this with an example. One of the best ways to learn a new concept is to relate it to a day-to-day situation in your own life. How about the simple scenario of going to your office or your institution, where you are an employee or a student?
  1. You enter the gate. You show the guard your ID card and are allowed to enter the building. At this point, you are authenticated to enter the building. Anyone with an ID card of that office/institute is thereby authenticated to enter. Similarly, applications authenticate users by having them log in.
  2. Now that the guard has let you in, you decide that today should be a holiday and ask the guard to close the gates and go home. Crazy, right? The guard would ask whether you are even authorized to do this. Only the head/dean is allowed to make such a decision, not an ordinary employee/student like you. Similarly, whenever you perform an operation in an application, the application first checks whether you have the right permissions to perform that task.
If instead you had gone to the canteen, you would have been allowed to, because you are authorized to eat at the canteen.
Now that we have a grasp on the basic concept and difference between the two, let’s dive deeper.

What is Authentication?

Authentication is the process by which the system verifies that you are who you say you are. It is most commonly done with a username-password combination, but there are other ways to authenticate, such as card-based or biometric checks. It is any way of verifying your identity, and it can be as simple as a PIN or a pattern, like the one you use to unlock your phone.
There may, however, be multiple factors of authentication. What are factors of authentication?
Have you ever logged into Gmail or another service with a username-password combination and then been asked for an OTP (one-time password) sent to your mobile number? That login used two factors of authentication to verify you. First it asked for your credentials; then, to verify that it is really you and not someone who somehow stole your credentials, it sent an OTP to your mobile number and asked you to enter it.
Factors of authentication are the kinds of evidence that can be used to verify your identity. They fall into three broad categories:
  1. Something the user knows: credentials, security question, PIN
  2. Something the user has: card, OTP on phone, Google Authenticator
  3. Something the user is: biometrics (fingerprint, retina, voice), signature
Note: A less common factor is Somewhere the user is, where the geolocation or IP address is also used in the authentication process.
As the number of authentication factors increases, so does the security level. There are typically three levels used to categorize this:
  • Single-Factor Authentication: The simplest of all, using just one factor, i.e. only your credentials or only a PIN. This is most commonly used for simple systems without much need for security.
  • Two-Factor Authentication: This combines two factors to verify your identity. The most common example is the combination of your credentials and an OTP received on your phone. Another common example is using your ATM card: first you insert your card, and then you must also enter your PIN in order to withdraw money. So two factors were used: card and PIN.
  • Multi-Factor Authentication (MFA): This is the most advanced form of authentication and implements multiple levels of security. It is most commonly used in banking services because of the need for high security. For example, MFA may use user credentials, an ID card and an OTP on the phone to verify identity.
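The credentials-plus-OTP login described above, as an added example (not code from the original post): factor one is a salted password hash, factor two is a TOTP code of the kind Google Authenticator generates (RFC 6238 on top of RFC 4226), with a one-step drift tolerance. The user record, salt and password are constructed, and the TOTP secret is the public RFC test key, not a real one.

```python
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30          # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6         # code length shown by most authenticator apps
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // TOTP_STEP)


# Constructed user record; the TOTP secret is the RFC 4226/6238 test key, not a real one.
SALT = b"constructed-salt"
USER = {
    "name": "alice",
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}


def authenticate(user: dict, password: str, code: str, now=None) -> bool:
    """Factor 1: something you know. Factor 2: something you have. Both must pass."""
    now = int(time.time()) if now is None else now
    knows = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the previous, current and next step so small clock drift does not lock users out.
    has = any(hmac.compare_digest(totp(user["totp_secret"], now + d * TOTP_STEP).encode(),
                                  code.encode())
              for d in (-1, 0, 1))
    return knows and has
```

Both factors are always evaluated, so a wrong password does not short-circuit and reveal whether the OTP was right.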

What is Authorization?

Authentication verified who you are. Now it’s time to determine what you are allowed to do; this is the process of authorization. In other words, authorization determines the set of permissions you are given.
Authorization is done only after a successful authentication.
Authorization is typically implemented by assigning roles to users. Each role has a specific set of permissions that defines the user's access level.
For example, let’s again take the office scenario. Assume you’re a software developer, so you are assigned the role of software developer, and that role has its set of permissions defined. There might be other roles such as Team Lead, Manager and CEO, each with different access levels and sets of permissions. This means that where you might not be able to access certain files in the system with your role, your manager might be able to access them with his role, because he is authorized: accessing that file is in his set of permissions.
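The role-based check from the office scenario, as an added example (not code from the original post): each role is a set of permissions, the check is deny-by-default, and a request is rejected with 401 if the caller is not authenticated and with 403 if the caller is authenticated but not authorized. The role and resource names are assumptions.

```python
from dataclasses import dataclass

# Each role is a named set of (action, resource) permissions; anything not listed is denied.
ROLE_PERMISSIONS = {
    "developer": {("read", "source_code"), ("write", "source_code"), ("read", "canteen_menu")},
    "team_lead": {("read", "source_code"), ("write", "source_code"), ("read", "team_reports")},
    "manager":   {("read", "team_reports"), ("read", "salary_report"), ("write", "salary_report")},
    "ceo":       {("read", "salary_report"), ("write", "salary_report"), ("write", "office_closure")},
}

# Denied attempts are kept for review; repeated 403s from one user are a useful detection signal.
DENIED_LOG = []


@dataclass
class Session:
    user: str
    role: str
    authenticated: bool = False   # set to True only after a successful login


def is_authorized(session: Session, action: str, resource: str) -> bool:
    """Deny by default: an unknown role or an unlisted permission yields False."""
    return (action, resource) in ROLE_PERMISSIONS.get(session.role, set())


def handle_request(session: Session, action: str, resource: str) -> int:
    """Authentication is checked first, authorization second; each failure gets its own status."""
    if not session.authenticated:
        return 401  # we do not yet know who the caller is
    if not is_authorized(session, action, resource):
        DENIED_LOG.append((session.user, session.role, action, resource))
        return 403  # identity is known, but this role may not do that
    return 200
```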

What is OAuth and what has it got to do with Authentication and Authorization?

OAuth is an industry-standard protocol for authorization. It is very widely used and you have almost certainly come across it. The protocol has since been updated to OAuth 2.0 and is supported by most social media networks.
As you can see in the image, the website allows you to log in using your Google or Facebook account. This is convenient for the user too, since the user does not need separate credentials for each application.
But wait… since we are asking the user to log in using Facebook/Google, how is this authorization and not authentication?
Well, let’s say you created an application, test_app. You used OAuth 2.0 in your app and allowed signing up with Facebook or Google. As soon as a new user chooses the Sign up with Google option, they are directed to a dialog or popup asking them to allow the third-party application (test_app) access to their personal information.
This is the user authorizing your test_app to access information about them from Google. Therefore, this is an authorization protocol. It is also used for authentication, since it does verify your identity.
As stated above, authentication deals with your identity (you are who you say you are). In the above scenario that is taken care of by Google too, as you are typically asked to log in at Google before allowing access to a third-party application. This way, developers can easily implement strong authentication on their platform.
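The request test_app would make to the provider when the user clicks Sign up with Google, as an added example (not code from the original post or from any provider's SDK). It goes a little beyond the post by including the two protections the OAuth 2.0 authorization-code flow relies on in practice: a state value bound to the user's session, so a callback not started by that session is rejected, and a PKCE code challenge (RFC 7636). The endpoint URL, client id and redirect URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth2/authorize"  # placeholder provider endpoint
CLIENT_ID = "test_app-client-id"                              # placeholder client id
REDIRECT_URI = "https://test-app.example/callback"            # placeholder, registered at the provider


def b64url(raw: bytes) -> str:
    """Base64url without padding, as OAuth/PKCE parameters are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def code_challenge(verifier: str) -> str:
    """PKCE S256: the app keeps the verifier and sends only its SHA-256 hash."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


def build_authorization_request(scope: str = "openid email profile"):
    """Returns (url, state, verifier); state and verifier are stored in the user's session."""
    state = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state, verifier


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Accept the callback only if its state matches the one this session issued."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code  # next step: exchange code + verifier for tokens at the provider
```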

Conclusion

Authentication is "Who are you?"
Authorization is "What are you allowed to do?"
Access to a system is protected by both authentication and authorization. Only upon successful authentication and authorization is access to a resource allowed. First, the user is authenticated to verify their identity; upon successful authentication, the system checks whether the user is authorized to access or update the resource. Even if authentication succeeds, if authorization fails, the user is not allowed to access or update the resource.
