Authentication vs. Authorization: Exploring Differences and Similarities
Authentication and authorization represent two of the three “A’s” in identity and access management (IAM). Along with accounting, they are crucial to an organization’s cybersecurity strategy. Without the ability to verify a user’s identity and privileges, it’s impossible to differentiate between legitimate access to corporate systems and potential attacks.
Authentication verifies a user’s identity, thereby confirming that they indeed are who they claim to be. Once the user is verified, authorization determines and grants the level of access the user has to specific resources. While authentication answers, “Who are you?” authorization answers, “What are you allowed to do?”
How Authentication Works
Authentication involves proving that a user is who they claim to be. This is accomplished by having the user present one or more authentication factors. In most cases, these are drawn from the following three types of factors:
- Something you know: Knowledge-based factors include passwords, PINs, security questions, and API keys.
- Something you have: Possession-based factors include one-time passwords (OTPs) generated by or sent to a specific device (smartphone, hardware key, etc.) or digital certificates stored on a device or smart card.
- Something you are: Biometric authentication systems may identify users based on their face, fingerprint, voice, gait, or other unique physical or behavioral features.
An authentication system will store a copy of the authentication factor or some means of verifying its authenticity. When the user presents the factor(s), the system checks to see if they match. If so, the user’s identity is verified.
Different types of authentication factors offer varying levels of security. For example, knowledge-based factors are generally the weakest due to the threat of weak passwords and phishing attacks. Possession-based factors are vulnerable to loss or theft.
Two means of addressing these weaknesses include:
- Multi-Factor Authentication (MFA): MFA uses two or more types of authentication factors, like a password and an OTP generated by an authenticator app. This combination of factors makes it more difficult for an attacker to gain access to all factors at once.
- Passwordless Authentication: Passwordless authentication uses only “something you have” or “something you are” factors, eliminating weak knowledge-based factors entirely. Passwordless MFA uses both a possession-based and a biometric authentication factor.
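The following is an added example, not code from the original article: a minimal MFA verifier that checks a “something you know” factor against a salted PBKDF2 hash (so the server never stores the password itself, the storage weakness discussed later under insecure credential storage) and a “something you have” factor as a TOTP code per RFC 6238. The user record, secret and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample record: the server keeps a random salt and the PBKDF2 output,
# never the plaintext password. Iteration count is tunable per deployment.
def make_password_record(password: str, iterations: int = 600_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}

def verify_password(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt; compare in constant time to avoid timing leaks.
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HMAC-SHA1 over the big-endian time counter, then the RFC 4226
    # dynamic-truncation step to produce a fixed-length decimal code.
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    # Accept the current step plus/minus `window` neighbours to tolerate clock drift.
    return any(
        hmac.compare_digest(totp(secret, now + k * 30), code)
        for k in range(-window, window + 1)
    )

def authenticate(record: dict, totp_secret: bytes, password: str, code: str, now: int) -> bool:
    # Evaluate both factors unconditionally so the response time does not reveal
    # which factor failed; access is granted only when both match.
    ok_password = verify_password(record, password)
    ok_otp = verify_totp(totp_secret, code, now)
    return ok_password and ok_otp
```

The TOTP function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, six-digit codes), so it can be checked against any standard authenticator app.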
How Authorization Works
Authorization assumes that the user’s identity has already been verified via authentication. Its role is to determine whether the authenticated user has the right to take a requested action.
This decision is based on the rights and privileges assigned to the user and, potentially, the context of the request. For example, a user may be permitted to view highly sensitive documents due to their role in the organization. However, this privilege may only apply when using a company-owned device with a secure connection to the corporate network (either directly or via a VPN).
The access controls used to make authorization decisions can be managed via different models, such as:
- Discretionary Access Control (DAC): In DAC, the owner of a resource defines access controls for it. For example, a Google Doc implements DAC, where the creator decides who can read or edit it.
- Mandatory Access Control (MAC): With MAC, access is centrally managed and defined using classification levels and clearances. The Top Secret/Secret/Classified/Unclassified system is an example of MAC.
- Role-Based Access Control (RBAC): RBAC creates various roles, assigns privileges to these roles, and assigns each user a role. For example, a developer may be assigned a Developer role, which provides access to the tools and systems they need to do their job.
- Attribute-Based Access Control (ABAC): ABAC assigns attributes to users and defines access controls based on combinations of attributes. For example, an IT manager would have the IT and manager attributes and could access resources that require one or both of these, such as development environments (IT) and employee records (manager).
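As an added illustration (not code from the original article), the policy evaluator below combines the RBAC and ABAC models described above with the contextual constraint from the earlier example, where a privilege applies only from a company-owned device on the corporate network. The roles, attributes, resources and rules are constructed sample data; the decision is default-deny and assumes the principal was already authenticated upstream.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    user: str
    roles: set = field(default_factory=set)       # RBAC: roles carry permissions
    attributes: set = field(default_factory=set)  # ABAC: attributes such as IT, manager

@dataclass
class Context:
    managed_device: bool          # company-owned device
    on_corporate_network: bool    # directly or via VPN

# Constructed RBAC table: role -> set of (resource, action) permissions
ROLE_PERMISSIONS = {
    "developer": {("build-tools", "use"), ("source-repo", "read"), ("source-repo", "write")},
    "legal": {("sensitive-docs", "read")},
}

# Constructed ABAC rules: resource -> attributes, any one of which grants read access
ATTRIBUTE_RULES = {
    "dev-environment": {"IT"},
    "employee-records": {"manager"},
}

# Resources whose access additionally depends on the context of the request
CONTEXT_SENSITIVE = {"sensitive-docs", "employee-records"}

def authorize(principal: Principal, resource: str, action: str, ctx: Context) -> bool:
    # Step 1: RBAC - does any of the principal's roles grant (resource, action)?
    granted = any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set()) for role in principal.roles
    )
    # Step 2: ABAC - for reads, do the principal's attributes satisfy the resource rule?
    if not granted and action == "read":
        granted = bool(ATTRIBUTE_RULES.get(resource, set()) & principal.attributes)
    # Step 3: context - sensitive resources require a managed device on the corporate network
    if granted and resource in CONTEXT_SENSITIVE:
        granted = ctx.managed_device and ctx.on_corporate_network
    return granted  # anything not explicitly granted is denied
```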
Key differences between authentication and authorization
Authentication and authorization play very different roles in the access control process. Authentication’s goal is to determine whether someone is who they claim to be. Authorization assumes that the user’s alleged identity is legitimate and works to determine whether that user should have access to a particular resource.
Key similarities between authentication and authorization
Authentication and authorization are similar in that their end goal is verifying an access request’s legitimacy. First, authentication validates the user’s identity, and then authorization checks that the user has the access and privileges required to make the request.
What are the main security challenges and risks with authentication?
Authentication relies on the assumption that only the owner of an account could present authentication factors for it. Some threats to successful authentication include:
- Weak Passwords: Weak and reused passwords are a common threat to authentication security. Authentication fails if an attacker can guess a user’s password or use a breached password from one account to access another.
- Phishing Attacks: Cybercriminals commonly use phishing to trick users into handing over passwords or OTPs. A user directed to a phishing page resembling a legitimate site may enter their password or OTP, enabling the attacker to authenticate to the real site.
- Malware: Many types of malware attempt to steal a user’s login credentials. For example, infostealers may dump passwords from where they are cached by a system.
- Stolen Cookies: Cookies store information about a user’s session and implement the “Remember Me” function, allowing users to skip authentication on their next visit. If these files are stolen from a user’s device, the attacker can access their account while bypassing authentication.
- Lost/Stolen Devices: Smartphones are commonly used to receive/generate OTPs or store digital certificates for authentication. If these devices are stolen, the attacker may be able to access this authentication factor.
- Weak Authentication: An authentication system may implement a weak algorithm or fail to implement best practices. For example, a default password may be built into a system, or there may be a way to bypass authentication for maintenance purposes.
- Insecure Credential Storage: Authentication systems commonly need to store sensitive data to verify authentication requests, which can be problematic if that data is improperly stored. For example, historical data breaches have found passwords stored in plaintext, in log files, hashed with weak algorithms, and hashed but unsalted. All of these make it easier for an attacker to steal and crack these passwords to gain access to a user’s account.
What are the main security challenges and risks with authorization?
Successful authorization allows users to access only the resources for which they have a legitimate need. Some ways that this can go wrong include:
- Excessive Permissions: Users are commonly assigned access and privileges in excess of what is needed for their job. For example, most users don’t need Administrator-level access to their own computer, and granting it introduces additional risk to the business.
- Insecure Authorization: Authorization schemes may be insecure or vulnerable to bypass. For example, an attacker may be able to modify the access control lists (ACLs) managing access to a resource by exploiting a system vulnerability.
FAQ
Is SSO authentication or authorization?
Single sign-on (SSO) is an authentication mechanism that allows a user to authenticate once to the authentication system and gain access to multiple resources. This system provides proof of the user’s identity to the other systems, enabling them to perform authorization without needing the user to authenticate multiple times.
Is OAuth authentication or authorization?
OAuth is an authorization scheme that permits third-party access to resources without sharing the user’s credentials. Applications are granted permissions, which are represented and managed using access tokens.
Can authorization be allowed without authentication?
Authorization should always be paired with authentication to validate the user’s identity. Guest accounts, which grant users certain privileges without verifying their identity, are risky and should provide minimal access.
Which comes first, authentication or authorization?
Authentication comes before authorization. Authorization assumes that the user has been authenticated and works to determine the access assigned to that user.
Handle Both Authentication and Authorization with Cato’s SASE Solution
Authentication and authorization are vital to managing access to and control over an organization’s resources. Strong authentication verifies that someone is who they claim to be, and authorization checks that an authenticated user has the right to perform a particular action.
Secure Access Service Edge (SASE) incorporates zero-trust network access (ZTNA) as one of its converged security capabilities. ZTNA enables organizations to implement least-privilege access management — including strong authentication and authorization — across the corporate WAN.
With Cato SASE Cloud, companies can take advantage of strong authentication and authorization as well as various key security capabilities and a world-class private backbone. To learn more about how Cato SASE Cloud can enhance the security and performance of your corporate WAN, sign up for a demo.