Authentication vs. Authorization
What is authentication?
Authentication is the process of validating who a user claims to be. For example, verifying an employee's identity or user ID to log in to a system.
What is authorization?
Authorization is the process of giving a user specific access. For example, determining what resources or facilities a user will be able to access.
What's the difference between authentication and authorization?
Even though gaining access to resources requires both authentication and authorization, they are two unique steps in the process. Authentication is the key. Authorization is whether or not that key gives you the permission to access.
Authentication is initiated by the user, whereas authorization is determined by a policy and given by the application, system, or resource being accessed.
What comes first – authentication or authorization?
Authentication of the user must occur before authorization is provided to grant specific access.
Both are integral to the process of a user gaining access to a specific application, system, or resource.
What are common authentication methods?
Transparent Authentication
Transparent authenticators that validate users without requiring day-to-day involvement.
- Digital Certificates
- IP-Geolocation
- Device Authentication
Physical Form Factor Authentication
Tangible devices that users carry and use when authenticating.
- One-Time Passcode (OTP) Tokens
- Display Card
- Grid Authentication
- One-Time Passcode List
- Biometrics
Non-Physical Form Factor Authentication
Methods of verifying user identities without requiring them to carry an additional physical device.
- Knowledge-Based Authentication
- Out-of-Band Authentication
- Mobile Smart Credentials
- SMS Soft Tokens
What are common approaches to authorization?
The ultimate approach to authorization is a zero trust framework based on the concept of least privileged access. The common types of authorization that can be used to build such a framework are:
- Token-based, where a user is granted a token that provides specific privileges and access to data.
- Role-based Access Control (RBAC), where users are divided into roles or groups with specific kinds of access and restrictions.
- Access control lists (ACL), where only certain users on a list may be granted access to a particular application, system, or resource.
How can Entrust help me with authentication and authorization?
Entrust’s identity and access management (IAM) platform provides user authentication and authorization for an unparalleled number of use cases including workforce, consumer and citizen.