The authentication vs authorization dichotomy is something every IT person should learn. The two concepts are often confused with one another, likely because they both start with “Auth,” and because, from an end-user perspective, the two work together so seamlessly that it’s hard to tell where one starts and the other stops. The difference is important, though. Why? Well, let me explain. Understand, though, that my background in messaging encourages me to explain through that lens, but the concepts are the same in other contexts.
Authentication
Authentication ensures that something is, well, authentic. There are three types of authentication (the authentication triad): proof that someone is who they claim to be, proof that information hasn’t been changed, and proof that information hasn’t been intercepted and accessed by a third party. An authentication system defines the processes used to fulfill those three requirements. As an example of a very simple authentication system, you’ve probably heard of signet rings.
In older times, signet rings were part of an authentication technique that used wax seals on messages. A person sending a letter would pour melted wax on an envelope to seal it. A signet, which could be a ring or a larger stamp, would then be pressed into the wax as it dried. The signet had a unique design engraved into it which would be copied into the wax. Once the wax dried, the resulting seal couldn’t be opened and then sealed again without re-melting the wax, which would also melt the image that was pressed into it by the signet. When the recipient got the message, they would know whether the message was tampered with or intercepted by whether the wax seal was still sticking to the envelope and whether the image in the wax was correct. It wasn’t a perfect system, of course, since signets could be reproduced and used to seal a message again after interception. However, it significantly increased the effort required to tamper with official messages.
In the world of computers, the most common authentication you run into is a simple account login. You provide a username to tell a system who you are, then provide a password to prove that you are the actual person that account belongs to. Like reproducing a signet ring, a password can be obtained and used by someone to impersonate another person, so MFA tools are used to further verify that you are the person you claim to be. Once a login is completed, you have proven that you are who you claim to be.
Another authentication tool we use in IT is called “hashing”. Hashing a piece of information runs an irreversible mathematical process that results in a string of letters and numbers. If the information is changed in any way, the hash value changes. Most authentication systems use some form of hashing for various purposes. For example, when you enter a password into a login prompt, that password is passed through a hash algorithm, the resulting hash is transmitted to the system you are logging into, then compared with the hash value that is stored in the user database for the system you log into. Hashes are also used to validate message content when message signing occurs. The message hash is generated, transmitted along with the message, and the message is hashed again by the recipient and the result compared with what is sent.
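The hash-and-compare check described above can be sketched in a few lines of Python. This is an added example, not code from the original post; the messages and the shared key are constructed, and the keyed (HMAC) variant is an addition that shows why a bare hash sent alongside a message only protects against changes made by someone who leaves the hash alone.

```python
import hashlib
import hmac

def send_plain(message: bytes) -> tuple[bytes, str]:
    """Sender: transmit the message together with its SHA-256 hash."""
    return message, hashlib.sha256(message).hexdigest()

def verify_plain(message: bytes, digest: str) -> bool:
    """Recipient: hash the message again and compare with what was sent."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)

def send_keyed(message: bytes, key: bytes) -> tuple[bytes, str]:
    """Sender: the hash now depends on a secret only the two parties hold."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_keyed(message: bytes, tag: str, key: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def demo() -> dict[str, bool]:
    key = b"constructed-shared-secret"          # constructed sample key
    original = b"Pay the courier 10 coins"      # constructed sample messages
    altered = b"Pay the courier 90 coins"
    results = {}

    msg, digest = send_plain(original)
    results["plain_untouched"] = verify_plain(msg, digest)
    results["plain_altered"] = verify_plain(altered, digest)
    # Like a copied signet: whoever changes the message can also
    # replace the hash, and the recipient's comparison still passes.
    results["plain_altered_rehashed"] = verify_plain(*send_plain(altered))

    msg, tag = send_keyed(original, key)
    results["keyed_untouched"] = verify_keyed(msg, tag, key)
    results["keyed_altered"] = verify_keyed(altered, tag, key)
    # Without the key, a recomputed tag does not verify.
    forged_msg, forged_tag = send_keyed(altered, b"not-the-real-key")
    results["keyed_altered_retagged"] = verify_keyed(forged_msg, forged_tag, key)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```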
The more difficult part of the existing authentication systems we use in message transmission comes when we try to detect interception. We can’t really do it effectively with just authentication systems. As such, we tend to focus more on preventing interception with encryption. If we encrypt a message, we can be reasonably certain it hasn’t been intercepted. Note that we cannot guarantee a message hasn’t been intercepted and read. As a bonus, when we use asymmetric encryption, we can use an even stronger message signing process because the signature hash can be encrypted with the recipient’s public key (rather than the sender’s key), then decrypted with the private key held exclusively by the recipient. That isn’t available with just message signing because in that scenario we are only authenticating the sender. The recipient doesn’t authenticate itself unless asymmetric encryption occurs.
Authorization
Whew, explaining authentication was a lot more involved than I expected. Authorization, though, is simpler. It’s the process used to ensure that a person has access to a piece of information or a specific location. We use keys and locks to help us authorize people who enter our house, for instance. If a person doesn’t have the key to the house, they cannot easily access the interior of the house (yes, I realize lock picking is a thing). We use Access Control Lists (ACLs) in computers to define who is authorized to open specific files. And that’s pretty much the explanation of what authorization is. If we continue the signet and wax example, the authorization part of the system is provided by a courier, who is instructed to only deliver the message to the intended recipient.
Now, that’s an extremely weak form of authorization. Modern systems are infinitely more robust, but can still be bypassed or overcome. Tools like MFA reduce the likelihood of unauthorized access to data, but there is always a potential for unauthorized access to occur. The stronger the authentication mechanisms that are put in place, the more we can be certain a user is authorized to view a message.
Hand in Hand
As you may be able to tell, authentication and authorization work together very closely. A person authorized to access data must prove they are who they claim to be and that authentication must occur before authorization is determined. So authorization relies on authentication.
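The ordering described above, authentication first and authorization second, looks like this in a small Python sketch. It is an added example, not code from the original post; the usernames, passwords, file names and ACL entries are constructed, and the salted PBKDF2 password hashing is an assumption chosen for the illustration.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash so stored values resist guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed user database: only salts and hashes are stored.
USERS = {"alice": make_user("correct horse"), "bob": make_user("battery staple")}

# Constructed ACL: resource -> user -> actions that user may perform.
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}},
    "newsletter.txt": {"alice": {"read"}, "bob": {"read"}},
}

def authenticate(username: str, password: str) -> bool:
    """Prove who you are: hash the supplied password, compare to the stored hash."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # do equal work for unknown users
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def authorize(username: str, resource: str, action: str) -> bool:
    """Decide what a proven identity may access: default deny unless the ACL says so."""
    return action in ACL.get(resource, {}).get(username, set())

def request_access(username: str, password: str, resource: str, action: str) -> str:
    # Authorization is only evaluated for an identity that has been proven.
    if not authenticate(username, password):
        return "unauthenticated"
    if not authorize(username, resource, action):
        return "forbidden"
    return "granted"

if __name__ == "__main__":
    print(request_access("bob", "battery staple", "newsletter.txt", "read"))
    print(request_access("bob", "battery staple", "payroll.xlsx", "read"))
    print(request_access("bob", "wrong password", "payroll.xlsx", "read"))
```

The two failure results are distinct on purpose: "unauthenticated" means identity was never proven, while "forbidden" means a proven identity is not on the ACL for that action.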
In the signet and wax example, authorization was proven by ownership of and access to a specific signet, which would then allow a sender to prove who they are by sealing a message with wax with a signet impression. The wax seal acts as proof that the message has not been read by unintended recipients and that the message has not been changed. But the whole system falls apart without some level of authorization. That authorization occurs when a courier hand delivers a message to its intended recipient. The courier ensures that the message is only read by the person it is addressed to. At that point, the courier’s job is done and it is up to the recipient to ensure any additional readers are authorized. In some cases, the recipient would destroy the message to prevent unauthorized access. We try to avoid that in IT, but there are situations where destruction can be recommended and even required based on security policies.
In short
Authentication vs authorization can be confusing, but the easiest way to remember the difference is to remember the following statement. AUTHENTICATION proves who you are, AUTHORIZATION determines if you can access something.