Authentication and authorization are some of the first processes a user encounters in an application, but they are often confused.
To log in to a personal account, a social network or e-mail, we enter a username and password and then gain access to the page. Most users describe this whole process with one word: authorization. From a technical point of view, that is wrong.
Today we will thoroughly discuss the concepts of authorization and authentication, their types and key differences from each other.
Definition and authentication process
Authentication is the process of verifying the authenticity of credentials: a user identifier (e-mail address, name, phone number) and a password, which are stored in the server's database. The purpose of authentication is to control user access to services and network resources.
For a simpler understanding, here is an authentication example using the Google account login. When a user wants to sign in to their Google account, the first thing the system does is ask for a username. The user provides it, and the system identifies the user as either registered or new.
The system then asks the user to enter the password for that login. The user enters the password, and if it matches the information the system holds about the user's account, the system accepts it and the user is authenticated.
How does authentication work?
The scheme of authentication operation depends largely on the type and method chosen. Let's look at the main types and methods of authentication.
Let's start with methods.
- Password methods. The user enters a one-time or reusable password; this is the most common method. The system checks the entered value against the values it stores in its database. One-time passwords take a different value for each user session: as a rule, a code sent to the user's e-mail or phone by SMS, which the user must then enter into a form on the site.
- Combined. Authentication is performed using several methods together, for example entering a password and presenting a cryptographic certificate.
- Biometric. Authentication is based on the user's physiological characteristics: fingerprint, retina, voice timbre, etc. This method is considered the most expensive, but it provides the highest level of protection against data leakage.
- Information about the user. On registration the user enters personal data: phone number, mother's maiden name, year of birth, pet's name, place of residence. During password recovery or two-step authentication, the system can ask for this data to authenticate the user.
To increase the security of an application, developers use different types of authentication.
- Single-factor authentication (SFA). Uses a single authentication method; as a rule, a single entry of username and password.
- Two-factor authentication (2FA). A two-step verification process that uses two different types of user data. Besides the login and password, the system requests a code sent by SMS or e-mail or generated in a dedicated authenticator application, which provides an extra level of security.
- Multi-factor authentication (MFA). A login process that consists of several steps and requires the user to provide more than just a password. For example, the system may ask the user to enter a code sent by e-mail, answer a secret question, or scan a fingerprint.
Financial technology applications typically use two-factor or multifactor authentication.
Authorization purpose and process definition
Authorization is the process of confirming rights to perform certain actions and the process of verifying (validating) those rights when attempting to perform those actions.
Let's take an authorization example and go back to logging into a Google account. After the user successfully authenticates (enters a login and password and passes 2FA), the authorization process begins. It is needed to secure the user's actions, to delimit user rights and to protect against intruders.
When developing a product in the fintech space, implementing authorization is quite a complex task that draws on several sources of requirements, typically business and information security.
These requirements may change, and their implementation can affect every layer of the system and its performance.
To address this, we rely on established access control models:
- MAC (Mandatory Access Control), the mandatory access control model. Administrators manage the access control elements: they define the policies, and users cannot change them. The policy determines which subject can access which object. This model raises the level of security, and MAC is implemented in systems that place the greatest emphasis on confidentiality.
- DAC (Discretionary Access Control), the discretionary access control model. A subject gains access to an object if it appears in the object's access control list (ACL).
- RBAC (Role-Based Access Control), the role-based access control model. Each subject has a list of available roles, and each role in turn grants access to a list of objects.
- ABAC (Attribute-Based Access Control), the attribute-based access control model. This is the most flexible approach, with a large number of possible combinations; it allows decisions to be made based on parameters such as employee title, time of the request, location, etc., but it also requires more detailed policy planning to prevent unauthorized access. These access control models are recommended to be used as they are. Some systems use a combination of models, most commonly when a role is included in an access list.
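The four models above evaluated side by side on the same request, as an added example that is not part of the original article. The labels, ACL, roles and ABAC rule are constructed sample policy; the MAC rule used (read if clearance is at least the classification, write only at the subject's own level) is one simple assumed scheme, and the combined check shows a role named inside an ACL, the mix the article mentions.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: str
    action: str      # "read" or "write"
    obj: str         # e.g. "invoice-42"; the prefix before "-" is the object class
    env: dict = field(default_factory=dict)  # request attributes used by ABAC


# MAC: labels are set by the administrator; subjects cannot change them.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
CLEARANCE = {"alice": "internal", "bob": "public", "carol": "confidential"}
CLASSIFICATION = {"invoice-42": "internal"}

# DAC: the object's ACL lists subjects (or roles) and the actions they may perform.
ACL = {"invoice-42": {"alice": {"read", "write"}, "role:auditor": {"read"}}}

# RBAC: subjects hold roles; roles grant actions on object classes.
ROLES = {"alice": {"accountant"}, "carol": {"auditor"}, "bob": set()}
ROLE_PERMS = {"accountant": {("invoice", "read"), ("invoice", "write")},
              "auditor": {("invoice", "read")}}


def mac_allows(req):
    s, o = LEVELS[CLEARANCE[req.subject]], LEVELS[CLASSIFICATION[req.obj]]
    return s >= o if req.action == "read" else s == o


def dac_allows(req):
    return req.action in ACL.get(req.obj, {}).get(req.subject, set())


def rbac_allows(req):
    cls = req.obj.split("-")[0]
    return any((cls, req.action) in ROLE_PERMS.get(r, set())
               for r in ROLES.get(req.subject, set()))


def combined_allows(req):
    """ACL entries may name a role ('role:auditor') as well as a subject."""
    principals = {req.subject} | {"role:" + r for r in ROLES.get(req.subject, set())}
    entries = ACL.get(req.obj, {})
    return any(req.action in entries.get(p, set()) for p in principals)


def abac_allows(req):
    """Decision depends on attributes: title, hour of the request, location."""
    hour, loc, title = req.env.get("hour", -1), req.env.get("location"), req.env.get("title")
    in_hours = 9 <= hour < 18
    if req.action == "write":
        return title == "senior accountant" and in_hours and loc == "office"
    return in_hours
```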
Non-interchangeable processes: authentication and authorization
Now you know the difference between authentication and authorization. These are very important processes that deserve separate attention, both on the development side and on the testing side. But always remember that they are two different processes that run one after the other. It's important to distinguish them in order to understand at which stage a failure occurred.
Stay tuned and follow the development of the RVA blog. There are many interesting articles and guides on the most trending and technological topics ahead.