Essentials in brief

  • Authentication means the proof of identity, for example by presenting an identity card or entering a user name and password. It also refers to the verification of the presented proof of identity, for example by inspecting the identity card or checking the user name and password against stored reference data.
  • Authorisation means - after authentication has been completed - the assignment of certain rights, such as read rights on a network drive.

Reading time 3 minutes

1. Overview: Authentication vs. Authorisation

Proving an identity, verifying that proof, and authorisation are three distinct technical terms that are frequently used in IT security. English uses the single word "authentication" for the first two, which is one reason why the terms authentication and authorisation are so often used synonymously.

In order to reliably assign (authorise) access rights to data and information, we need to know exactly who we are dealing with. Appearing in person is not always realistic. We must therefore be able to identify ourselves digitally to a third party (prove our identity). That third party can then check the proof of identity (verify it) and, on that basis, grant further rights (authorise).

2. Authentication Step 1: Proving User Identity

There are basically three different ways to prove a digital identity.

  • Knowledge: The user knows something, for example a PIN or password.
  • Possession: The user has something, for example an OTP generator, a debit card or a key.
  • Inherence: The user is something; a biometric feature such as a fingerprint proves the physical presence of the user.

Proving identity with just one of these factors, for example an email address combined with a password or PIN, is called single-factor authentication (SFA).

However, a password or PIN can be phished, leaked in a breach or guessed, and then misused for identity theft. Companies and public organisations have therefore strengthened their identity verification by requiring a second, independent way of proving user identity.

For example, after the email address and password have been entered, possession of the registered SIM card is proven by entering a TAN that is sent by SMS to that phone number. This is referred to as two-factor authentication (2FA). Two proofs from the same category, such as two passwords, do not count as a second factor.

In both cases the user plays an active role during authentication: they have to do something to prove that they are who they claim to be.

For comparison: in the analogue world, identity is usually proven by presenting an identity card in person. This is a kind of 2FA procedure, since possession of a genuine, non-forged ID card is combined with an in-person comparison of a biometric feature (the photograph) against the bearer.

Transmission of authentication information to the verifying authority

In the digital world, the identity information provided must be transmitted over networks to a verifying body. If this data can be intercepted, it can be misused to impersonate the user.

Apart from ensuring an encrypted connection, there are two basic approaches to limiting the damage an interception can do:

  1. One-time passwords: Only one-time codes such as an SMS TAN are transmitted. A captured code is worthless once it has been used, so it cannot be replayed later. Note that this does not protect against an attacker who relays the code in real time, for example through a phishing page.
  2. Challenge-response method: The secret itself is never transmitted. The verifier sends a fresh random challenge and the user returns a value derived from the secret and that challenge; an intercepted response is bound to the one challenge it was computed for and is worthless afterwards.
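The two approaches above, shown end to end in an added example (not code from the original article): a counter-based one-time password following RFC 4226 (HOTP, HMAC-SHA1 with dynamic truncation), and an HMAC-based challenge-response where the shared key never leaves either side. The secrets, user name and the nonce handling are assumptions for the demonstration; the HOTP secret is the RFC 4226 test-vector secret so the generated codes can be checked against the RFC. Both verifiers accept each proof only once, which is what defeats replay of a captured value.

```python
import hashlib
import hmac
import os

# Constructed secrets for this example. In practice they are provisioned
# out of band (QR code, hardware token, enrolment) and never sent over
# the network during authentication.
HOTP_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret
CR_KEY = os.urandom(32)                 # per-user key for challenge-response


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, then modulo 10^digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: each counter value is accepted at most once, so a captured
    code cannot be replayed. It does NOT stop an attacker who relays a fresh
    code in real time (e.g. via a phishing page)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.window = window          # tolerate a few codes the user skipped

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # this and all earlier codes are spent
                return True
        return False


class ChallengeResponseVerifier:
    """Server side of an HMAC challenge-response. Only a random challenge and
    the HMAC over it cross the wire; the key itself never does."""

    def __init__(self, keys: dict):
        self.keys = keys              # user -> shared key
        self.pending = {}             # user -> outstanding challenge (nonce)

    def new_challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # single use: consumed here
        if nonce is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], user.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key: bytes, user: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without revealing it."""
    return hmac.new(key, user.encode() + nonce, hashlib.sha256).digest()


def demo() -> dict:
    # One-time password: the same code presented twice is rejected.
    otp = OtpVerifier(HOTP_SECRET)
    code = hotp(HOTP_SECRET, 0)
    otp_first = otp.verify(code)
    otp_replay = otp.verify(code)

    # Challenge-response: a captured response is tied to a spent nonce.
    cr = ChallengeResponseVerifier({"alice": CR_KEY})
    nonce = cr.new_challenge("alice")
    resp = client_response(CR_KEY, "alice", nonce)
    cr_ok = cr.verify("alice", resp)
    cr_replay = cr.verify("alice", resp)          # nonce already consumed
    nonce2 = cr.new_challenge("alice")
    cr_wrong_key = cr.verify("alice", client_response(b"not the key", "alice", nonce2))
    return {"otp_first": otp_first, "otp_replay": otp_replay,
            "cr_ok": cr_ok, "cr_replay": cr_replay, "cr_wrong_key": cr_wrong_key}


if __name__ == "__main__":
    print(demo())
```

The HOTP verifier's acceptance window is the usual trade-off between tolerating a user who generated codes without submitting them and limiting how many guesses an attacker gets per counter position; the challenge-response verifier pops the nonce before checking, so even a failed attempt cannot be retried against the same challenge.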

Strong authentication

The European Central Bank (ECB) has defined strong authentication as 'a procedure based on two or more of the three authentication factors'. The factors used must be mutually independent, and at least one factor must be "non-reusable and non-replicable" (except in the case of an inherence factor) and must not be capable of being stolen via the Internet.

3. Authentication Step 2: Check and Confirm User Identity.

Verification follows the proof: in this step, the proof of identity provided is checked by a verifier. From the user's point of view, this step is passive.

The verifier, usually an IT system or server, must therefore have enough reference information at its disposal to confirm or refute the proof of identity.

For the sake of completeness: a database of plaintext passwords must not be part of this reference information. The verifier only needs a salted, deliberately slow hash of each password; that is enough to check a submitted password and limits the damage if the database itself is stolen.

Authentication as-a-service

Many authentication services are offered in the software-as-a-service cloud delivery model. Organisations can use them to provide single sign-on (SSO) for on-premises and cloud services alike, so that the individual applications delegate identity verification to the service instead of each keeping its own credential store.

4. Authorisation: Granting Access or Access Rights.

After successful authentication, the identity of the user has been established. Only now is the user authorised to access certain information or granted certain access rights.

For example, project staff are granted access to the confidential information of their own project, but not to the other projects of the company or public organisation. The most commonly used authorisation models are role-based access control (RBAC) and discretionary access control (DAC).

Role-based access control (RBAC)

A set of roles is stored in the IT system, for example project member project A, project member project B, system administrator. Each user is assigned one or more roles, and permissions are attached to the roles rather than to individual users. Role assignment should follow the need-to-know principle: users are given only the access that their current work requires.

Discretionary Access Control (DAC)

In contrast to RBAC, DAC is user-centred: access rights are set directly for each user on each object, typically at the discretion of the object's owner, rather than being organised and managed via roles.
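Both models side by side, as an added example (not code from the original article): the RBAC part keeps permissions on roles and users on roles, matching the project A / project B / system administrator roles used above, and denies by default; the DAC part lets only an object's owner change its access list. The role catalogue, user names and object are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# --- RBAC: permissions hang off roles, users are assigned roles ------------
# Constructed role catalogue: (resource, action) pairs per role.
ROLE_PERMISSIONS = {
    "project_member_A": {("project_A", "read"), ("project_A", "write")},
    "project_member_B": {("project_B", "read"), ("project_B", "write")},
    "system_admin":     {("server_config", "read"), ("server_config", "write")},
}

# Constructed user-to-role assignment (need-to-know: one project each).
USER_ROLES = {
    "alice": {"project_member_A"},
    "bob":   {"project_member_B"},
    "carol": {"system_admin"},      # admin role does not imply project access
}


def rbac_allowed(user: str, resource: str, action: str) -> bool:
    """Deny by default: allowed only if some role of the user grants the pair."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


# --- DAC: the object's owner decides, per user, who may do what -----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of actions

    def grant(self, by: str, user: str, action: str) -> bool:
        """Only the owner may change the access list; anyone else is refused."""
        if by != self.owner:
            return False
        self.acl.setdefault(user, set()).add(action)
        return True

    def allowed(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.acl.get(user, set())


def demo() -> dict:
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")              # owner shares read access
    delegated = report.grant("bob", "mallory", "read")  # non-owner cannot pass it on
    return {
        "alice_reads_A": rbac_allowed("alice", "project_A", "read"),
        "alice_reads_B": rbac_allowed("alice", "project_B", "read"),
        "carol_reads_A": rbac_allowed("carol", "project_A", "read"),
        "unknown_user": rbac_allowed("mallory", "project_A", "read"),
        "bob_reads_report": report.allowed("bob", "read"),
        "bob_writes_report": report.allowed("bob", "write"),
        "bob_delegates": delegated,
        "mallory_reads_report": report.allowed("mallory", "read"),
    }


if __name__ == "__main__":
    print(demo())
```

The practical difference shows in administration: in RBAC, moving Alice from project A to project B is one change to USER_ROLES, while in DAC every object she was granted access to has to be revisited by its owner.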
