Authorization and Authentication both play a crucial role in securing our digital identities. The two measures go hand-in-hand in terms of allowing individuals access to an environment and permitting access to specific resources within that environment. In the article below, we aim to distinguish the two and explain how they work in tandem to safeguard our digital identities and environments. We also aim to explain the difference between modern and legacy authentication and authorization practices.
What is Authentication?
Authentication is the process of deciding whether an individual user may enter an environment at all. It proves that a user is genuinely who they claim to be before any access to resources is granted.
Authentication works by comparing the credentials an end user presents against those stored in the organization’s identity provider, such as Active Directory or Azure Active Directory. The authentication process consists of the following two steps:
What is Authorization?
Authorization is the next step in securing identity in an environment. It takes place after a user has been admitted through authentication and takes security a step further: through access controls and group settings, authorization determines which resources a user is permitted to access and which are restricted.
Here’s a good example of authorization working in a business to secure sensitive areas of your environment:
Suppose a member of your business’ marketing team tries to access secured HR documents. Ordinarily, a member of the marketing team has no business reason to view this sensitive data; in other words, they are not authorized. Nonetheless they attempt to access it.
The marketing team member successfully authenticated and logged into your environment using their own credentials. However, when they search for the HR documents, the permissions established for their predefined group prevent them from accessing, or even seeing, those documents, while still allowing them the resources needed to perform their marketing duties. They have effectively been kept out of the portion of your environment dedicated to the HR team. That is authorization in action.
Basic Authentication vs. Modern Authentication
Basic authentication (sometimes referred to as basic auth) provides a single tier of security when granting access to an environment: it relies on a username and password alone.
The disadvantage of basic authentication is that the credential is easy to compromise. The password can be guessed or phished, and because it is sent with every request (Base64-encoded, not encrypted), anyone who captures a single request holds a credential they can replay against any other service that accepts the same password.
We often see basic auth used for email. POP, IMAP, SMTP and MAPI are all protocols commonly configured to accept basic authentication. The problem is that there is no additional layer of verification: a valid password is all an attacker needs to log in. Even if authorization stops them from reaching sensitive resources, a foothold in a mailbox opens the door to lateral movement toward less protected resources in your environment.
Modern authentication, in Microsoft’s terminology, means signing in through token-based protocols (OAuth 2.0 and OpenID Connect) rather than sending a username and password on every request. Because the identity provider issues the token, it can require a second form of verification before doing so, commonly referred to as multi-factor authentication (MFA). That additional verification is typically a prompt from a tool such as the Microsoft Authenticator app, Windows Hello for Business (a biometric or PIN bound to the device), a FIDO security key, or a certificate. Not all second factors are equal: an SMS code or a push notification can still be phished or approved by mistake under prompt fatigue, whereas Windows Hello for Business, FIDO keys and certificates are bound to the device and to the site being signed into, and are therefore very difficult to compromise.
From an administrative standpoint, modern authentication lets IT teams issue the same username and password as before and then require the end user to register an additional method, such as the Authenticator app, a FIDO key or, less securely, a text message.
In most environments end users complete this registration themselves, but administrators can step in where needed, for example by adding a phone number for text-based multi-factor authentication on the user’s behalf.
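As an added example, not part of the original article, the following Python shows what an application actually receives under each model: a basic-auth header that decodes straight back to the password, and a signed, time-limited token whose amr claim records whether a second factor was used. The HMAC signing secret, the user and the captured header are constructed for illustration; a real identity provider such as Azure AD signs its tokens with its own private key and publishes the public keys an application uses to verify them.

```python
"""Added example (not Mobile Mentor's code): basic-auth credential versus a
signed, short-lived token carrying the authentication methods that were used.
The HS256 shared secret, user and captured header are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time


# --- Basic authentication: the header *is* the password ----------------------
def parse_basic(header: str):
    """Return (username, password) from an 'Authorization: Basic ...' value.
    Base64 is an encoding, not encryption: whoever captures the request has
    the credential and can replay it wherever the same password is accepted."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


# --- Token-based sign-in: the app sees a signed, expiring assertion ----------
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, methods: list, now: int, ttl: int = 3600) -> str:
    """Issue an HS256 JWT. 'amr' lists the methods the IdP saw (Azure AD uses
    values such as "pwd" and "mfa"); 'exp' bounds how long a capture is useful."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "amr": methods, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now: int, require_mfa: bool = True) -> dict:
    """Check signature, expiry and (optionally) that MFA was performed.
    Raises ValueError on any failure so a caller cannot proceed by accident."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the token's choice
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if require_mfa and "mfa" not in claims.get("amr", []):
        raise ValueError("MFA not performed")
    return claims


SECRET = b"constructed-demo-secret"  # constructed for the demo; not a real key
CAPTURED_BASIC = "Basic " + base64.b64encode(b"alice@example.com:Summer2023!").decode()  # constructed

if __name__ == "__main__":
    print(parse_basic(CAPTURED_BASIC))  # ('alice@example.com', 'Summer2023!')
    now = int(time.time())
    pwd_only = issue_token(SECRET, "alice@example.com", ["pwd"], now)
    with_mfa = issue_token(SECRET, "alice@example.com", ["pwd", "mfa"], now)
    print(verify_token(SECRET, with_mfa, now)["amr"])  # ['pwd', 'mfa']
    try:
        verify_token(SECRET, pwd_only, now)
    except ValueError as err:
        print("rejected:", err)  # rejected: MFA not performed
```

The point of the contrast is what a captured request yields: under basic auth it is the reusable password itself; under the token model it is a credential that expires, cannot be altered without breaking the signature, and tells the application whether the user passed a second factor, so a policy such as "require MFA for this resource" can be enforced at the application as well as at the identity provider.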
Legacy Authorization Models vs. Modern Authorization
Modern authorization models are far more sophisticated than legacy authorization techniques. Legacy models simply involve assigning a user to a group or resource directly in Active Directory.
There are several issues with legacy authorization models. The first is that they are difficult to administer. For many resources a higher tier of permissions is required to manage the associated groups, and repeatedly requesting those permissions becomes cumbersome when many users need access. Worse, granting administrators standing rights to manage these groups creates privileged accounts that an attacker who compromises them can abuse.
The second and most important issue is that, because group membership is managed by hand, users and admins end up with more permissions than their jobs require. For IT teams with less mature identity governance processes and policies, these permissions are audited infrequently, if ever, leaving the environment open to attack.
These issues are mitigated by adopting modern authorization models: role-based access control (RBAC) and attribute-based access control (ABAC).
Role based access control (RBAC)
Role-based access control (RBAC) is the methodology of granting or restricting permissions to groups or individuals through an identity provider such as Active Directory (on-premises) or Azure AD, according to the roles an administrator assigns. The idea is to keep highly sensitive areas of your environment off limits while giving employees just enough access to perform the duties of their job. For further information on RBAC, see this piece written by my colleague: Getting to Know Role Based Access Controls (RBAC) — Mobile Mentor (mobile-mentor.com)
Attribute based access control (ABAC)
Attribute-based access control (ABAC) uses specific attributes of the user and of the object or record to decide whether access is granted. Often used in conjunction with RBAC, ABAC compares user information against resource data to determine whether the user is permitted to access the resource.
For example, an organization may have a finance department. All of its members share a “Department” attribute in the identity store, such as Active Directory or Azure AD, with the value “Finance”. With modern authorization tooling, the identity provider can evaluate a dynamic membership rule on that attribute and place finance staff in the right groups the moment they are onboarded, giving them the appropriate access from day one; when the attribute changes, membership follows, so access is removed as automatically as it was granted.
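As an added example that is not part of the original article, the following Python puts the two scenarios above into one deny-by-default decision function: the marketing employee who cannot read, or even list, HR documents (RBAC), and the new finance hire whose Department attribute grants day-one access without an administrator touching a group (ABAC). The users, roles, document paths and the rule mapping departments to roles are all constructed for illustration; the ABAC rule plays the part of an Azure AD dynamic membership rule such as (user.department -eq "Finance").

```python
"""Added example (not Mobile Mentor's code): RBAC grants plus an ABAC rule in one
authorization decision. All users, roles, resources and rules are constructed."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    upn: str
    roles: frozenset        # RBAC: roles an administrator (or a rule) assigned
    department: str         # ABAC: attribute held in the directory


@dataclass(frozen=True)
class Resource:
    path: str
    owner_department: str   # ABAC: attribute on the record itself


# RBAC: role -> set of (action, path glob). Constructed sample policy.
ROLE_GRANTS = {
    "marketing": {("read", "/marketing/*"), ("write", "/marketing/*")},
    "hr":        {("read", "/hr/*"), ("write", "/hr/*")},
}

# Stand-in for a dynamic membership rule on the Department attribute. Constructed.
DEPARTMENT_ROLES = {"Marketing": "marketing", "HR": "hr", "Finance": "finance"}


def roles_from_attributes(user: User) -> User:
    """Onboarding step: derive the role from the Department attribute so the user
    has the right membership from day one without an admin editing groups."""
    role = DEPARTMENT_ROLES.get(user.department)
    extra = frozenset([role]) if role else frozenset()
    return User(user.upn, user.roles | extra, user.department)


def rbac_allows(user: User, action: str, resource: Resource) -> bool:
    """True if any of the user's roles holds a grant covering this action and path."""
    return any(
        granted_action == action and fnmatch.fnmatch(resource.path, pattern)
        for role in user.roles
        for granted_action, pattern in ROLE_GRANTS.get(role, ())
    )


def abac_allows(user: User, action: str, resource: Resource) -> bool:
    """ABAC rule: read access to records owned by the user's own department."""
    return action == "read" and user.department == resource.owner_department


def is_authorized(user: User, action: str, resource: Resource) -> bool:
    """Deny by default: allow only if an RBAC grant or the ABAC rule matches."""
    return rbac_allows(user, action, resource) or abac_allows(user, action, resource)


def visible_paths(user: User, resources: list) -> list:
    """Apply the same decision to listings, so a denied user cannot even see
    that the restricted documents exist."""
    return [r.path for r in resources if is_authorized(user, "read", r)]


# Constructed sample documents and users.
DOCS = [
    Resource("/marketing/campaign-q3.docx", "Marketing"),
    Resource("/hr/salaries.xlsx", "HR"),
    Resource("/finance/budget-2024.xlsx", "Finance"),
]
MARKETER = roles_from_attributes(User("alice@example.com", frozenset(), "Marketing"))
FINANCE_HIRE = roles_from_attributes(User("bob@example.com", frozenset(), "Finance"))

if __name__ == "__main__":
    print(is_authorized(MARKETER, "read", DOCS[1]))   # False: no path into /hr/
    print(visible_paths(MARKETER, DOCS))              # ['/marketing/campaign-q3.docx']
    print(visible_paths(FINANCE_HIRE, DOCS))          # ['/finance/budget-2024.xlsx']
```

Note that the finance hire has no explicit RBAC grant at all (the "finance" role appears in no grant table); the ABAC rule alone gives read access to Finance-owned records, which is exactly the day-one access the text describes, while write access would still have to be granted through a role. The listing filter matters as much as the access check: leaking the existence of /hr/salaries.xlsx to a denied user is itself an authorization failure.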
At Mobile Mentor we recommend the modern approach to authorization and authentication. The extra tiers of invisible security that accompany the modern approach are crucial to securing digital identities for the modern, hybrid workforce. By leveraging cloud-based directory services like Azure Active Directory for authentication and authorization, you can ensure a safer environment for your employees and business at large.
Demetrius Cooper is Mobile Mentor’s Digital Identity lead. He has over 11 years of industry experience with a predominant focus on digital identity. A Chicago native, Demetrius lives and works in Atlanta, GA.
Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights. Although the two terms sound alike, they play separate but equally essential roles in securing applications and data. Understanding the difference is crucial. Combined, they determine the security of a system. You cannot have a secure solution unless you have configured both authentication and authorization correctly.
Authentication (AuthN) is a process that verifies that someone or something is who they say they are. Technology systems typically use some form of authentication to secure access to an application or its data. For example, when you need to access an online site or service, you usually have to enter your username and password. Then, behind the scenes, it compares what you entered with the record it holds in its database (a well-built system stores a salted hash of the password rather than the password itself, and compares hashes). If the information you submitted matches, the system assumes you are a valid user and grants you access. System authentication in this example presumes that only you would know the correct username and password. It therefore authenticates you by using the principle of something only you would know.
The purpose of authentication is to verify that someone or something is who or what they claim to be. There are many forms of authentication. For example, the art world has processes and institutions that confirm a painting or sculpture is the work of a particular artist. Likewise, governments use different authentication techniques to protect their currency from counterfeiting. Typically, authentication protects items of value, and in the information age, it protects systems and data.
Systems can use several mechanisms to authenticate a user. Typically, to verify your identity, authentication processes use:
- something you know
- something you have
- something you are
Passwords and security questions are authentication factors in the something-you-know category. The system assumes that only you know your password or the answers to your security questions, and grants access on that basis. Security questions are the weaker of the two: answers such as a mother’s maiden name are often discoverable, so they should not be relied on as the only factor.
Another common authentication factor uses something you have. Physical devices such as USB security keys and mobile phones fall under this category. For example, when you access a system and it sends you a one-time password (OTP) via SMS or to an authenticator app, it verifies your identity on the assumption that only the holder of your device can read that code. SMS delivery is the weakest form of this factor, since a SIM swap or an intercepted message defeats it; an app-generated code or a hardware key does not depend on the phone network.
The last type of authentication factor uses something you are. Biometric authentication mechanisms fall under this category. Because physical characteristics such as fingerprints are unique to the individual, they make a strong factor, with one caveat: a biometric cannot be changed if its template is stolen, so well-designed systems match it on the device and release a cryptographic key rather than transmitting the biometric itself.
People often use the terms access control and authorization interchangeably. Although many authorization policies form part of access control, access control is a component of authorization. Access control uses the authorization process to either grant or deny access to systems or data. In other words, authorization defines policies on what a user or service may access. Access control enforces these policies.
If we compare authentication and access control, the comparison between authentication and authorization still applies. Authentication verifies the user's identity, and access control uses this identity to grant or deny access.