Authentication vs Authorization
These terms are often used interchangeably. However, they do mean different things.
Authentication
- Related to verifying identity.
- Before letting someone use a service, you want to verify that their identity is authentic.
- It’s common to offer a challenge to an entity to verify their identity:
- For example, require an entity to provide a username/password combination that matches your records
Methods of Authentication
- Email/Username
- Cryptographic token/key
- Biometric data
Authorization
- The act of determining whether an entity has the “right” or “privilege” to do something.
- Authorization is usually performed after an entity has been authenticated.
Role Based Access Control
- Common method of authorizing an entity's rights/privileges.
- Various rights and privileges are assigned to roles.
- Roles can be assigned to entities directly or to a group of entities.
- When an authenticated entity requests an action, check whether the entity’s assigned roles or groups permit it to complete that action.
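As an added example that is not part of these notes, the following Python program keeps the two steps separate: a username/password challenge establishes identity, and only then does a role-based check (roles assigned directly or inherited through a group) decide whether that identity may perform the requested action. The users, passwords, roles, groups and action names are constructed sample data.

```python
import hashlib
import hmac
import os

# --- Authentication: verify identity with a username/password challenge ---
# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def _enroll(password: str) -> tuple:
    salt = os.urandom(16)  # one random salt per user
    return salt, _derive(password, salt)
CREDENTIALS = {  # constructed sample passwords; only salted hashes are kept
    "alice": _enroll("alice-pw"),
    "bob": _enroll("bob-pw"),
    "carol": _enroll("carol-pw"),
}

def authenticate(username: str, password: str):
    """Return the verified identity, or None if the challenge fails."""
    if username not in CREDENTIALS:
        return None  # unknown user: no identity established
    salt, stored = CREDENTIALS[username]
    # constant-time comparison so the check does not leak how many bytes matched
    return username if hmac.compare_digest(stored, _derive(password, salt)) else None

# --- Authorization (RBAC): roles carry privileges; entities get roles directly
# or through group membership. Constructed sample policy. ---
ROLE_PERMISSIONS = {
    "viewer": {"ticket:read"},
    "agent": {"ticket:read", "ticket:comment"},
    "admin": {"ticket:read", "ticket:comment", "ticket:delete"},
}
GROUP_ROLES = {"support-team": {"agent"}}
USER_ROLES = {"alice": {"admin"}, "bob": set(), "carol": {"viewer"}}
USER_GROUPS = {"alice": set(), "bob": {"support-team"}, "carol": set()}

def effective_roles(user: str) -> set:
    """Roles assigned directly plus roles inherited from the user's groups."""
    roles = set(USER_ROLES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUP_ROLES.get(group, set())
    return roles
def is_authorized(user: str, action: str) -> bool:
    """Deny by default: allow only if some effective role grants the action."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in effective_roles(user))

def handle_request(username: str, password: str, action: str) -> str:
    """Authenticate first; only an established identity gets authorized."""
    identity = authenticate(username, password)
    if identity is None:
        return "unauthenticated"
    return "ok" if is_authorized(identity, action) else "forbidden"
```

Note that bob has no direct role and is still allowed to comment because his group carries the agent role, while a wrong password never reaches the authorization step at all.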