Authentication vs Authorisation: A Simple Guide

TL;DR

Authentication confirms who a user is. Authorisation determines what they can do. Think of authentication as showing your ID, and authorisation as having the right permissions to enter specific rooms in a building.

Understanding Authentication

  1. What it is: Authentication verifies a user’s identity. It’s about proving you are who you say you are.
    • Common methods include passwords, multi-factor authentication (MFA), biometrics, and security keys.
    • It answers the question: “Are you really John Smith?”
  2. How it works: Typically involves a username/password check against a database or using an external identity provider.
    # Example Python (simplified): verify the supplied password against a stored
    # salted hash, never against a plaintext literal, and compare in constant time
    import hashlib
    import hmac

    def authenticate_user(username, password, stored_credentials):
      # stored_credentials maps username -> (salt, PBKDF2 hash), loaded from the database
      record = stored_credentials.get(username)
      if record is None:
        return False
      salt, expected_hash = record
      candidate = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)
      return hmac.compare_digest(candidate, expected_hash)
  3. Technologies: OpenID Connect and SAML are common authentication protocols. OAuth 2.0 is strictly a delegated-authorisation framework rather than an authentication protocol, but it is usually mentioned alongside them because OpenID Connect is built on top of it.

Understanding Authorisation

  1. What it is: Authorisation determines what a user is allowed to access or do after they’ve been authenticated.
    • It answers the question: “Now that we know who you are, what can you see/do?”
    • Examples include read-only access, admin privileges, or specific permissions for certain data.
  2. How it works: Often uses roles and permissions.
    # Example (simplified role-based authorisation): each role maps to the set of
    # actions it may perform, and an action is checked against that set
    ROLE_PERMISSIONS = {
      'admin': {'read', 'edit', 'delete', 'manage_users'},
      'editor': {'read', 'edit'},
      'viewer': {'read'},
    }

    def is_allowed(user_role, action):
      # Deny by default: an unknown role gets no permissions at all
      return action in ROLE_PERMISSIONS.get(user_role, set())

    user_role = 'editor'
    is_allowed(user_role, 'edit')    # True
    is_allowed(user_role, 'delete')  # False
  3. Technologies: Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC) are common authorisation models.

Key Differences Summarised

  • Authentication: Who you are.
  • Authorisation: What you can do.

Practical Example: Online Banking

  1. Authentication: You enter your username and password (or use fingerprint ID) to prove you’re the account holder.
  2. Authorisation: Once logged in, your access is limited based on your account type.
    • A standard user can view their balance and make transfers.
    • An administrator might be able to approve loans or manage other users’ accounts.

Why Both Are Important for Cyber Security

Authentication without authorisation is of little use: every user who logs in could do anything, including reading or changing other users' data. Authorisation without authentication is worse still: the system has no trustworthy identity to base its decisions on, so a role or permission can simply be claimed rather than proven.
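The online banking scenario above, carried through as a small request handler (an added example, not code from the original post): the user is first authenticated against a salted PBKDF2 hash, and only then is the requested action authorised, with a role-based rule (what a customer or administrator may do at all) combined with an attribute-based rule (a customer may only act on accounts they hold). The usernames, passwords, role names, account identifiers and the in-memory "database" are all constructed for the example and would come from real storage in practice.

```python
import hashlib
import hmac
import os


def _hash_password(password, salt):
    # Salted, slow hash; the same function is used when storing and when verifying
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store (hypothetical names and passwords)
_SALT_JOHN = os.urandom(16)
_SALT_ANNA = os.urandom(16)
USERS = {
    "john.smith": {
        "salt": _SALT_JOHN,
        "hash": _hash_password("correct horse", _SALT_JOHN),
        "role": "customer",
        "accounts": {"ACC-1001"},
    },
    "anna.lee": {
        "salt": _SALT_ANNA,
        "hash": _hash_password("battery staple", _SALT_ANNA),
        "role": "administrator",
        "accounts": set(),
    },
}

# Role-based part of the policy: which actions each role may perform at all
ROLE_PERMISSIONS = {
    "customer": {"view_balance", "transfer"},
    "administrator": {"view_balance", "approve_loan", "manage_users"},
}


def _owns_account(user, account):
    # Attribute-based part: customers are bound to the accounts they hold
    return account in user["accounts"]


def authenticate(username, password):
    """Return the username if the password matches the stored hash, else None."""
    user = USERS.get(username)
    # Hash even for unknown users so response timing does not reveal valid usernames
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _hash_password(password, salt)
    if user and hmac.compare_digest(candidate, user["hash"]):
        return username
    return None


def authorise(username, action, account=None):
    """Decide whether an already-authenticated user may perform action on account."""
    user = USERS[username]
    # Deny by default: an unknown role has no permissions
    if action not in ROLE_PERMISSIONS.get(user["role"], set()):
        return False
    # Customers may only touch their own accounts; administrators are not account-bound
    if account is not None and user["role"] == "customer" and not _owns_account(user, account):
        return False
    return True


def handle_request(username, password, action, account=None):
    """Full flow: authenticate first, then authorise the specific action."""
    who = authenticate(username, password)
    if who is None:
        return "401 unauthenticated"
    if not authorise(who, action, account):
        return "403 forbidden"
    return "200 ok"
```

The two checks fail differently on purpose: a wrong password is rejected before any permission is consulted, while a correctly authenticated customer asking to approve a loan, or to view an account they do not hold, is rejected by the authorisation step alone. The second case is the one a system that only checks "is this user logged in?" gets wrong.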

Common Mistakes to Avoid

  • Storing passwords insecurely: Always hash passwords with a salted, deliberately slow algorithm (bcrypt, scrypt, Argon2 or PBKDF2), never in plaintext or with a fast unsalted hash.
  • Overly permissive roles: Grant users only the minimum permissions their job needs, and deny by default when a role is unknown.
  • Checking only that a user is logged in: Authorise every request against the specific resource asked for, not just the fact that the user authenticated; otherwise any user can reach any record by changing an identifier.
  • Relying on passwords alone: Enable MFA so that a stolen or guessed password is not enough on its own.