Authentication, Authorization & Access Control Technologies

adarsh ds
3 min read · Oct 29, 2022


Authentication, authorization and access control are three fundamental cyber security concepts that are often confused and used interchangeably.

Authentication

In the authentication process, the identity a user claims is verified. Most of the time this verification relies on a username and a password, but other methods such as a PIN, a fingerprint scan or a smart card are used as well. To carry out authentication, the user must already have an account in the system against which the authentication mechanism can check the presented credentials, or an account has to be created during the process.

A user either is who they claim to be or is not; authentication is the check that decides which. Authentication factors fall into three categories: something the user knows (a password or PIN), something the user has (a smart card, or a phone that generates one-time codes) and something the user is (a fingerprint or other biometric). Combining factors from different categories gives multi-factor authentication (MFA); two-factor authentication (2FA) is the common special case of exactly two factors. Multi-factor authentication is not new, but because of the friction it adds for users, single-factor password authentication long prevailed.

Two-factor authentication is nevertheless a widely used security process that involves two independent methods of verification, one of which is usually a password. Frequently used authentication technologies are username/password, one-time passwords (OTP) and biometric authentication.
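The following is an added example, not code from the original post. It shows two-factor authentication as described above: a password (something you know) checked against a salted PBKDF2 hash, followed by a time-based one-time password (something you have) computed as in RFC 6238. The account store, the fixed salt and the user name are constructed for the example; the TOTP secret is the RFC 6238 test-vector key, so the codes it produces can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per account means equal
    passwords yield different digests, so a leaked table cannot be cracked in bulk."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time; an early-exit
    comparison would leak how many leading bytes of a guess were right."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed demo account store (not from the original post). The TOTP secret is
# the RFC 6238 test-vector key; the fixed salt only makes the run reproducible.
TOTP_SECRET = b"12345678901234567890"
_salt, _digest = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {"alice": {"salt": _salt, "hash": _digest, "totp_secret": TOTP_SECRET}}

# Hashed when the username does not exist, so an unknown account costs the same
# time as a wrong password and valid usernames cannot be enumerated by timing.
_DUMMY_SALT, _DUMMY_HASH = hash_password("unused", salt=b"\xff" * 16)


def authenticate(username: str, password: str, otp: str, unix_time: int) -> bool:
    """Both factors must pass; the caller learns only accept or reject."""
    user = USERS.get(username)
    if user is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_HASH)
        return False
    if not verify_password(password, user["salt"], user["hash"]):
        return False
    # Second factor: the expected code is compared in constant time as well.
    return hmac.compare_digest(totp(user["totp_secret"], unix_time), otp)


if __name__ == "__main__":
    now = 59  # fixed timestamp so the run is reproducible
    print(authenticate("alice", "correct horse battery staple", totp(TOTP_SECRET, now), now))  # True
    print(authenticate("alice", "correct horse battery staple", "000000", now))  # False
    print(authenticate("mallory", "anything", "000000", now))  # False
```

A production verifier would additionally accept the codes of the adjacent time steps to tolerate clock drift, refuse to accept the same code twice within its validity window (replay), and rate-limit failed attempts per account; none of that changes the two-factor structure shown here.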

Authorization

In the authorization process, it is established whether the user (who has already been authenticated) is allowed to access a resource. In other words, authorization determines what a user is and is not permitted to do. The level of authorization granted to a user is determined by the attributes attached to the user's account: they can indicate that the user is a member of the 'Administrators' or 'Customers' group, or that the user has a paid subscription for some content.

Authorization also encompasses authorization management: defining and maintaining the rules (policies) from which access decisions are made.

We create authorization policies ourselves when using social media: Facebook, LinkedIn, Twitter and Instagram have millions of users, but we can decide (to an extent) which of those users may interact with us and see our content.

Access Control

In the process of access control, the security required for a particular resource is enforced. Once we have established who the user is and what they are permitted to access, we need to actively prevent that user from accessing anything they should not. Access control can therefore be seen as the combination of authentication and authorization plus additional measures such as IP-based restrictions, enforced at the point where the resource is requested; a request that fails any of these checks should be denied by default.

The main access control models are DAC (discretionary access control, where the owner of a resource decides who may access it), RBAC (role-based access control, where permissions are attached to roles and users are assigned roles), ABAC (attribute-based access control, where decisions are evaluated from attributes of the user, the resource and the request context) and MAC (mandatory access control, where a system-wide policy based on security labels is enforced and cannot be overridden by resource owners).
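The following is an added example, not code from the original post. It serves both the authorization section and this one: `authorize` makes the authorization decision using the post's own examples (membership of 'Administrators' or 'Customers', a paid subscription) expressed as DAC, RBAC and ABAC rules, and `access_control` is the enforcement point that combines the authentication state, an IP-based restriction and that decision, denying by default. The users, resources, group names and network ranges are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset                 # RBAC input: the roles this account holds
    paid_subscription: bool = False   # ABAC input: an attribute of the account


# RBAC policy: role -> set of (action, resource type) the role may perform.
ROLE_PERMISSIONS = {
    "Administrators": {("read", "article"), ("write", "article"), ("read", "report"), ("delete", "report")},
    "Customers": {("read", "article")},
}

# Hypothetical internal ranges used for the IP-based restriction (constructed).
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]


def rbac_allows(user: User, action: str, resource: dict) -> bool:
    """Role check: some group of the user grants this (action, resource type)."""
    return any((action, resource["type"]) in ROLE_PERMISSIONS.get(g, set()) for g in user.groups)


def abac_allows(user: User, action: str, resource: dict) -> bool:
    """Attribute check: premium content additionally requires a paid subscription."""
    return not resource.get("premium") or user.paid_subscription


def dac_allows(user: User, action: str, resource: dict) -> bool:
    """Discretionary check: the owner of a resource may read and write it regardless of role."""
    return resource.get("owner") == user.name and action in ("read", "write")


def authorize(user: User, action: str, resource: dict) -> bool:
    """Authorization decision. Default deny: some rule must grant the request."""
    if dac_allows(user, action, resource):
        return True
    return rbac_allows(user, action, resource) and abac_allows(user, action, resource)


def access_control(session: Optional[dict], action: str, resource: dict, client_ip: str) -> Tuple[bool, str]:
    """Enforcement point: authentication state first, then the network
    restriction, then the authorization decision. Any failure denies."""
    if not session or not session.get("authenticated"):
        return False, "not authenticated"
    if resource.get("internal") and not any(ip_address(client_ip) in net for net in INTERNAL_NETWORKS):
        return False, "source address not permitted"
    if not authorize(session["user"], action, resource):
        return False, "not authorized"
    return True, "ok"


# Constructed sample data (not from the original post).
ALICE = User("alice", frozenset({"Administrators"}))
BOB = User("bob", frozenset({"Customers"}))
CAROL = User("carol", frozenset({"Customers"}), paid_subscription=True)
SESSIONS = {u.name: {"authenticated": True, "user": u} for u in (ALICE, BOB, CAROL)}

ARTICLE = {"type": "article", "premium": False}
PREMIUM_ARTICLE = {"type": "article", "premium": True}
REPORT = {"type": "report", "internal": True}   # only reachable from internal networks
DRAFT = {"type": "article", "premium": True, "owner": "bob"}  # bob's own draft

if __name__ == "__main__":
    print(access_control(SESSIONS["bob"], "read", PREMIUM_ARTICLE, "203.0.113.5"))    # (False, 'not authorized')
    print(access_control(SESSIONS["carol"], "read", PREMIUM_ARTICLE, "203.0.113.5"))  # (True, 'ok')
    print(access_control(SESSIONS["alice"], "delete", REPORT, "203.0.113.5"))         # (False, 'source address not permitted')
    print(access_control(SESSIONS["alice"], "delete", REPORT, "10.2.3.4"))            # (True, 'ok')
```

The order of the rules is a design choice that the code makes visible: here the owner's discretionary grant takes precedence over the role and attribute rules, so bob can edit his own premium draft without a subscription, while a reader who is not the owner needs both the right role and the right attribute. Whatever the order, every path that does not end in an explicit grant returns a denial, which is the property an enforcement point must have.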

adarsh ds

Cyber security trainer at redteam hacker academy, student of Sarath G.