Authentication and Authorization

Authentication and authorization are how a service identifies a user and controls what that user is allowed to access. Together they provide security and privacy to users.

1. Authentication

Authentication is the process of verifying that a user is who they claim to be.

Example: We carry an ID card to identify ourselves as a member of a company, and a security guard identifies us by checking that ID card (this identification step is authentication).

Authentication can mainly be classified into:

  • Possession-based Authentication
  • Knowledge-based Authentication

1.1 Possession-based Authentication

Consider a personal locker:

  • A key is required to open the locker, and it is assumed that only the owner has that key.
  • Anyone with the key can open the locker; the locker treats whoever holds the key as the owner.
  • Access is granted to anyone who uses that key.

In digital systems, OTPs (one-time passwords) work on this idea:

  • The system assumes that whoever controls the phone number or email address is the corresponding user.
  • Anyone who has the owner’s phone can read the OTP and use it to gain access.

This is why you shouldn’t share an OTP with anyone who asks for it.

1.2 Knowledge-based Authentication

Consider a hotel with reservations:

  • Reception asks for your name and reservation details to check that you are the owner of a reservation in the reservation list.
  • It is assumed that anyone who knows the name and details of a reservation is the owner of that reservation.

In digital systems, passwords work on this idea:

  • The system assumes that anyone who knows the combination of a username and password is the corresponding user.

A third category, inherence, covers biometrics (something you are); in practice it behaves much like possession-based authentication.

2. Authorization

Authorization is the process of managing access control: is an entity X (say a person, for simplicity) allowed to perform this action?

Once a person has been identified, there is one more thing to decide: is that person allowed to access or perform something?

These kinds of restrictions generally take the form of rules and policies.

There are mainly two types of access control:

  1. Role-based access control
  2. Attribute-based access control

2.1 Role-based Access Control

Consider a hotel with reservations and policies such as:

  1. Only guests with a reservation may enter the premises.
  2. Only kitchen staff are allowed in the kitchen.

A guest walks in. He has proof of a reservation and has identified himself as the person on the booking list:

  • His role in the hotel is that of a reserved guest, so he is allowed inside the premises.
  • But he is not kitchen staff, so when he tries to enter the kitchen, security will deny him.

In digital systems, a record is kept against each identity:

  • When a user verifies themselves, their corresponding role is looked up.
  • A logical statement can then decide whether that user is allowed access to a feature.

2.2 Attribute-based Access Control

It is not very different from role-based access control (a role can be treated as one attribute), but its rules are more granular and depend on attributes that can change dynamically.

Consider the same hotel and the same guest checking in:

  • At the door to the room there is a policy that states no pets are allowed inside the room.
  • The guest has a puppy in hand, so he is denied entry to the room.
  • But the guest can find a safe place to keep his dog, come back, and then be allowed inside the room.
  • The attribute here is the possession of a pet, which can change.

In digital systems, attributes are also stored in records, similar to roles:

  • But attributes may need to be looked up more frequently than roles, because their current value can change between requests.
  • Therefore, this logic is mostly written at the granular level of individual functions.
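The hotel policies from sections 2.1 and 2.2 as a small policy engine, written as an added example rather than code from the original article. Role names, action names and the `has_pet` attribute are constructed for illustration; the point it shows is that the role check is static per role while the attribute rule is re-evaluated against the subject's current attributes on every request.

```python
from dataclasses import dataclass, field

# Constructed hotel policy model (illustration only, not from the article).
# Role-based rules: a role grants a fixed set of permitted actions.
ROLE_PERMISSIONS = {
    "guest": {"enter_premises", "enter_room"},
    "kitchen_staff": {"enter_premises", "enter_kitchen"},
}

@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # dynamic, may change between requests

def rbac_allows(subject: Subject, action: str) -> bool:
    """RBAC: allowed if any of the subject's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)

# Attribute-based rules: a predicate over the subject's *current* attributes,
# evaluated on every request because the attribute value can change.
ATTRIBUTE_RULES = {
    "enter_room": lambda attrs: not attrs.get("has_pet", False),  # no pets in the room
}

def abac_allows(subject: Subject, action: str) -> bool:
    """ABAC: allowed if the rule for this action passes on current attributes (no rule = no restriction)."""
    rule = ATTRIBUTE_RULES.get(action)
    return rule(subject.attributes) if rule else True

def is_allowed(subject: Subject, action: str) -> bool:
    """Combined decision: a role must grant the action AND the attribute rule must pass."""
    return rbac_allows(subject, action) and abac_allows(subject, action)

def hotel_scenario() -> dict:
    """Walk through the article's hotel example and return each decision."""
    guest = Subject("Alice", roles={"guest"}, attributes={"has_pet": True})
    results = {
        "guest_premises": is_allowed(guest, "enter_premises"),   # True: role grants it
        "guest_kitchen": is_allowed(guest, "enter_kitchen"),     # False: not kitchen staff
        "guest_room_with_pet": is_allowed(guest, "enter_room"),  # False: attribute rule fails
    }
    guest.attributes["has_pet"] = False  # puppy left in safe keeping; attribute changed
    results["guest_room_after"] = is_allowed(guest, "enter_room")  # True on re-evaluation
    return results
```

Each call to `is_allowed` re-reads `subject.attributes`, which is why the same guest is denied and then permitted the same action without any change to role records.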