Authentication And Authorization | What Comes First In Security?

Authentication and authorization

Both the terms Authentication and Authorization are often used in conjunction with each other in terms of cyber security. While both terms authentication and authorization are might sound similar, but they are distinct security processes in the identity and access management (IAM). 

Authentication is the process used to authenticate user’s identity, whereas authorization is a way to provide permission to the user to access a particular resource. In simple terms, authentication is the process of verifying who you are, while authorization is the process of verifying what you have access to. These two are the most basic and popular term in cyber security. Authentication is done before the authorization process, whereas authorization process is done after the authentication process.

What Is Authentication ?

Authentication is the process of proving that a person is who they say they are. When someone purchases an item with a credit card, they may be required to show an additional form of identification. This proves that they are the person whose name appears on the card. In this example, the user may show a driver’s license that serves as a form of authentication and proves their ID.

When you want to access a computer or device, you’ll encounter a similar type of authentication. You may get asked to enter a username and password. The username states who you are, but by itself isn’t enough to grant you access. When combined with the password, which only that user should know, it allows access to your systems. The username and password, together, are a form of authentication. Authentication is sometimes shortened to AuthN.

There are total 5 factors of authentication.

  1. Something You Know: In this authentication, users authentication themself by entering their userID, password or pin.
  2. Something You Have: In this type of authentication user have some devices such as security token or RSA token to authenticate himself.
  3. Somewhere You Are: It is the least use authentication, In this user present a specific location or a particular coordinate to authenticate himself. Example user must present Delhi or Mumbai to login this app.
  4. Something You Are: In this, for authentication user uses his biometric to authenticate himself such as finger print, retina scan, face scan etc.
  5. Something You Do: For login to a website or application, user need to do some steps on screen to verify himself.

What are Single factor and Multifactor Authentication Model ?

Single Factor Authentication Model

Single factor authentication model mean authentication with only one factor (mostly password), is the most common type of authentication. However, this model applies to any authentication platform that uses only one factor among above 5 factors.

Single factor authentication model is the weakest of all authentication models because it uses password based authentication to access. We know that passwords can easily be cracked, guessed, or stolen by hackers. You need to always avoid single factor authentication model for good security.

Multifactor Authentication (MFA) Model

Multifactor Authentication (MFA) generally refers to an authentication platform that requires multiple kinds of credentials and verifying information before granting access. Multi-factor authentication involves the combination of two or more layers of authentication to increase the security of authentication.
In this model user uses two or more above authentication factors to verify himself such as userID/password with fingerprint to authentication himself.

MFA works better than any other single factor authentication and provides a significant security from hackers but it makes login process longer.

Remember Multifactor Authentication (MFA) Model is also not 100 percent secure. It just increases your security but does not guarantee to you that you are safe from hacker.  

What Is Authorization?

Once you authenticate a user, you’ll need to decide where they can go, and what they’re allowed to see and access a resource. This process is called authorization. Authorization in system security is the process of giving the user permission to access a specific resource or function.

Suppose you want to spend the night in a hotel. The first thing you’ll do is go to reception to start the “authentication process”. After the receptionist has verified who you are, you’re given a keycard and can go to your room. Think of the keycard as the authorization process. The keycard will only let you open the doors and elevators you’re permitted to access, such as for your hotel room.

In cybersecurity terms, authorization determines the level of access or the permissions an authenticated person has to your data and resources. Authorization is sometimes shortened to AuthZ.

Remember- In secure environments, authorization must always follow authentication. Users should first prove that their identities are genuine before an organization’s administrators grant them access to the requested resources.

Authorization Methods

Role-based access control (RBAC) and attribute-based access control (ABAC) are the two most popular ways to implement access control.

Role based access control (RBAC)

This authorization method gives users access to information based on their role within the organization. These roles are defined by an administrator who classifies people based on their departments, seniority levels, responsibilities, and/or geographical locations.

For example, a junior developer is only allowed to read information from a database; they can’t add or change anything. However, a senior database developer has maximum privileges on all the databases. He can add or alter anything in database.

Attribute-Based Access Control (ABAC)

In an ABAC environment, when a user logs in, the system grants or rejects access based on different attributes. This may include user attributes such as the user’s name, role, usual responsibilities, organization, ID, seniority levels and security clearance. It may also include environmental attributes such as the time of access, location of the data, user device and current organizational threat levels.

For example, let’s say Nikhil, a HR, tries to access the payroll portal. The system checks their “department,” “designation,” “seniority level,” and “responsibilities” attributes to determine that they should be allowed access. However, if Sadaf from the IT team tries to access the same portal, she won’t be allowed, because she doesn’t have the required attributes to access the portal.

Difference Between Authentication and Authorization

Authentication process verifies who the user is.           Authorization process determines what resources a user can access.
Authentication is done before the authorization process.whereas authorization process is done after the authentication process.
This process requires the login details of the user, such as user name & password, etc.This process requires the user’s privilege or security level.
Authentication credentials can be partially changed by the user as per the requirement.Whereas authorization permissions cannot be changed by the user. The permissions are given to a user by the organisation, and he can only change it.
For example, employees of a particular organization are required to authenticate themselves before accessing the employee link of the organization’s official website. This is called authentication.For example, authorization determines exactly what information the employees are authorized to access on organization website after successful authentication.
In Authentication, Data is provided through the Token Ids.While in authorization, Data is provided through the access tokens.


1 What is an Information Security?
Information Security sometimes called InfoSec, act of protecting data & information from unauthorized access, unlawful modification & disruption, disclosure & destruction. Read more

2 What is AAA in cybersecurity?
AAA (Authentication, Authorization, Accounting) is a system for tracking user activities on IP based network & controlling their access to network. Read more

3 What is Malware?
Malware is malicious software or program designed to infiltrate a computer system/network and possible damage it without the user’s knowledge or consent. Read more

4 What is Cyber Kill Chain?
The cyber kill chain (also referred to as the cyber-attack chain ) is a way to understand the sequence of events involved in an external attack on an organization’s IT environment Read more

5 What is Public Key Cryptography?
Asymmetric Cryptography also popular as public key cryptography, uses two keys to encrypt data. One key is used for data encryption, while the other key is used for data decryption. Read more

6 Difference between Stream & Block Cipher?
Stream Cipher and Block Cipher, both are the techniques used for encryption and decryption of data, i.e. to convert the plaintext to cipher text and cipher text to plaintext. Read more

Leave a Reply

Your email address will not be published. Required fields are marked *