
A security-critical question

The difference between authentication and authorization is fundamental to security and access control in IT systems, and the two are easy to confuse:

1. Authentication

  • Definition: Authentication is the process of verifying the identity of a user or entity. The goal is to ensure that the user really is who they claim to be.
  • Question to be answered: “Who are you?”
  • Example: A user enters their username and password to log in to a website. The server checks that the combination is correct; if it is, the user has proven their claimed identity.

Methods of authentication:

  • Passwords: The user enters a secret that only they should know.
  • Biometric features: Fingerprint, facial recognition, iris scan.
  • Two-factor authentication (2FA): An additional factor besides the password, such as a one-time code from an authenticator app, a hardware security key, or an SMS code (the weakest of these, since SMS can be intercepted or redirected by SIM swapping).

2. Authorization

  • Definition: Authorization is the process of determining what permissions or access rights an authenticated user has. It regulates what the user is allowed to do and which resources they are allowed to access.
  • Question to be answered: “What are you allowed to do?”
  • Example: After a user has been successfully authenticated, the server decides whether that user may read, write or delete a given file, or call a particular function of the application.

Forms of authorization:

  • Access rights: Determine whether the user has access to a specific file or folder (for example, file-system permissions or an access control list).
  • Role-based access control (RBAC): Permissions are granted to roles (e.g. admin, user, guest), and a user receives the permissions of the roles assigned to them.
  • Token-based permissions: OAuth 2.0 issues access tokens whose scopes state what the bearer may do; the resource server checks those scopes before serving a request.

This means:

  • Authentication is the step of determining who the user is (e.g. by entering a username and password).
  • Authorization is the step of determining what the authenticated user is allowed to do (e.g. whether they can access a specific file or function).

In practice, authentication happens first (the user’s identity is verified), followed by authorization, which determines what that verified identity is allowed to do. Both checks are needed: a permission check against an unverified identity is meaningless, and a verified identity without permissions gets access to nothing. It is also worth keeping the two failures apart in an application: a request that fails authentication should be rejected without revealing anything about permissions, while a request from an authenticated user who lacks the right permission is a distinct case.
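To make the two steps concrete, here is a small, self-contained Python example (added here, not part of the original article) of a request handler that first authenticates a user against a salted password hash and then authorizes the requested action with role-based access control. The user store, roles and action names are constructed for the example; the handler returns HTTP-style codes so the two failure modes stay distinct: 401 when the identity cannot be verified, 403 when the identity is known but the action is not permitted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# --- Authentication: "Who are you?" ------------------------------------------

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so that stolen records cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store for this example. A real system would persist the
# salted hashes; here they are derived at import time so the block runs alone.
USERS = {
    "alice": _make_user("correct horse battery staple", "admin"),
    "bob":   _make_user("hunter2", "user"),
}


@dataclass(frozen=True)
class Principal:
    username: str
    role: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Verify the claimed identity. Returns a Principal on success, None otherwise."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison: a plain '==' leaks information through timing.
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return Principal(username, record["role"])


# --- Authorization: "What are you allowed to do?" ----------------------------

# Role-based access control: each role maps to the actions it may perform.
ROLE_PERMISSIONS = {
    "admin": {"file:read", "file:write", "file:delete"},
    "user":  {"file:read", "file:write"},
    "guest": {"file:read"},
}


def authorize(principal: Principal, action: str) -> bool:
    """Default deny: only actions explicitly granted to the principal's role pass."""
    return action in ROLE_PERMISSIONS.get(principal.role, set())


# --- Both steps in one request handler ---------------------------------------

def handle_request(username: str, password: str, action: str) -> int:
    """401 if the identity cannot be verified, 403 if it is verified but the
    action is not permitted, 200 if both checks pass."""
    principal = authenticate(username, password)
    if principal is None:
        return 401  # say nothing about permissions for an unverified identity
    if not authorize(principal, action):
        return 403  # identity is known; this action is simply not allowed
    return 200


if __name__ == "__main__":
    print(handle_request("bob", "hunter2", "file:read"))      # 200
    print(handle_request("bob", "hunter2", "file:delete"))    # 403
    print(handle_request("bob", "wrong password", "file:read"))  # 401
    print(handle_request("alice", "correct horse battery staple", "file:delete"))  # 200
```

Note that authorize() never sees a raw username or password, only a Principal that authenticate() has already vouched for; keeping that boundary in the code is what keeps the two concepts separate in practice.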

A concrete example - Amazon Web Services

Accessing AWS (Amazon Web Services) is a good example to explain the difference between authentication and authorization in the context of cloud services. Let’s go through a concrete use case:

Use case: An AWS administrator grants a developer access to an S3 bucket.

1. Authentication (Who are you?)

First, the developer must authenticate with AWS to prove that they are who they say they are. There are several ways authentication works in AWS:

  • AWS Management Console: The developer enters their username and password.

  • MFA (Multi-Factor Authentication): In addition to the password, the developer may need to present a second factor: a one-time code from a virtual authenticator app or hardware TOTP token, or a FIDO security key.

  • AWS CLI or API: The developer can access the services via the AWS Command Line Interface (CLI) or an API. Each request is signed with a credential pair, an access key ID and a secret access key. These may be long-lived keys attached to an IAM user, or, preferably, temporary credentials (which also carry a session token) obtained by assuming a role or signing in through IAM Identity Center, so that no long-lived secret has to be stored on the developer’s machine.

Through this authentication process, AWS establishes which principal (IAM user or assumed role) is making the request. It says nothing yet about what that principal may do.

2. Authorization (What are you allowed to do?)

After the developer is authenticated, AWS checks what they are allowed to do. This is governed by IAM (Identity and Access Management): for every request, AWS evaluates the IAM policies attached to the calling principal, that is, to the IAM user, the groups the user belongs to, or the IAM role that was assumed. Every request is denied by default; it is permitted only if a policy explicitly allows the action on the resource and no policy explicitly denies it.

  • The developer has an IAM user or an IAM role that carries specific permissions. These permissions are defined in IAM policies that grant or restrict access to particular services, actions and resources.

For example, the administrator could assign the following IAM policy to the developer:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::example-bucket/*"
    }]
}

This policy authorizes the developer to read (s3:GetObject) and upload (s3:PutObject) objects (files) in the specific S3 bucket named example-bucket. It does not allow deleting objects (no s3:DeleteObject) and it does not allow listing or managing the bucket itself: actions such as s3:ListBucket or s3:DeleteBucket operate on the bucket ARN arn:aws:s3:::example-bucket, which the Resource pattern arn:aws:s3:::example-bucket/* (object keys only) does not match. In practice this means the developer can fetch objects whose keys they already know, but cannot enumerate the bucket unless s3:ListBucket on the bucket ARN is granted separately.
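The following Python example (added here; it is not AWS code and not part of the original article) evaluates requests against the policy above with the three outcomes IAM distinguishes: explicit deny, allow, and implicit deny. It handles only the Effect, Action and Resource keys with IAM’s “*” and “?” wildcards; NotAction, NotResource and Condition are deliberately out of scope. The second policy, GUARDRAIL_POLICY, is a hypothetical addition constructed to show that an explicit Deny overrides an Allow, and the object keys in the sample requests are likewise made up.

```python
import json
import re
from typing import List

# The policy from the article, exactly as the administrator would attach it.
DEVELOPER_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*"
    }]
}
""")

# Hypothetical second policy, constructed for this example only, showing that an
# explicit Deny overrides any Allow (here: a guardrail against writes under prod/).
GUARDRAIL_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/prod/*"
    }]
}
""")


def _as_list(value) -> list:
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, ignore_case: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names match case-insensitively, resource ARNs case-sensitively.
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    for pattern in patterns:
        regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, value, flags):
            return True
    return False


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """Simplified evaluation of identity-based policies for one request.

    Precedence as in IAM: an explicit Deny wins over everything, otherwise a
    matching Allow grants the request, otherwise the request is implicitly
    denied. Returns "ExplicitDeny", "Allow" or "ImplicitDeny".
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(_as_list(stmt["Action"]), action, ignore_case=True):
                continue
            if not _matches(_as_list(stmt["Resource"]), resource, ignore_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # nothing can override an explicit deny
            decision = "Allow"
    return decision


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"
    sample_requests = [
        ("s3:GetObject",    f"{bucket}/report.csv"),             # Allow
        ("s3:PutObject",    f"{bucket}/dev/notes.txt"),          # Allow
        ("s3:DeleteObject", f"{bucket}/report.csv"),             # ImplicitDeny: never granted
        ("s3:ListBucket",   bucket),                             # ImplicitDeny: bucket ARN, no "/"
        ("s3:GetObject",    "arn:aws:s3:::other-bucket/x.txt"),  # ImplicitDeny: other bucket
        ("s3:PutObject",    f"{bucket}/prod/config.yaml"),       # ExplicitDeny: guardrail
    ]
    for action, resource in sample_requests:
        result = evaluate([DEVELOPER_POLICY, GUARDRAIL_POLICY], action, resource)
        print(f"{action:16} {resource:46} -> {result}")
```

The ListBucket case is the one that surprises people most often: the developer is allowed to fetch objects in example-bucket, yet cannot list them, because the bucket-level ARN has no “/” and therefore never matches the “/*” pattern.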

Summary of the use case:

  • Authentication: The developer logs into AWS, either via the console or via the CLI, and proves their identity with a password or access key (possibly together with MFA).

  • Authorization: AWS evaluates the IAM policies attached to the developer’s principal. They grant access only to the S3 bucket example-bucket, and only to read and upload objects there. Any other action, such as deleting objects or the bucket itself, is refused, because no policy allows it and AWS denies by default.

Conclusion:

In this AWS use case, authentication ensures that AWS knows which principal the developer is, and authorization regulates what this authenticated principal is allowed to do within the account. Authentication and authorization therefore work hand in hand to control and protect access: the first without the second grants nothing, and the second without the first cannot be trusted.
