person logging into laptop

User Authentication and User Authorization Explained

The difference between authentication and authorization isn't always straightforward because the functions are intertwined when part of an organization's IAM (identity and access management) platform. It also doesn't help that the words sound similar. Nonetheless, the applications are distinct, even when used in conjunction with network security.

What Is Authentication?

Authentication's only task is to confirm a user's identity. Authentication verifies that you are who you say you are by checking to see if the credentials you present match the credentials in an authentication platform backend. You prove your identity by providing one or more factors from the following:

  • Something you know (i.e., a password)
  • Something you have (i.e., a mobile phone or one-time password token)
  • Something you are (i.e., biometrics)

The type of authentication method you use may vary based on the level of authorization required. For example, you may be able to authenticate using a user-ID and password to view your account balance, but performing a higher risk function (such as making a money transfer) would require a stronger authentication method.

What Is Authorization?

Only after successful authentication does the authorization process begin. First, it determines whether that verified individual is allowed access. Secondly, it determines what that person may access by evaluating their role and permissions for which they are approved. The authorization process looks at access controls for URLs, secure objects and methods and access control lists (ACLs). 

For example, a banking customer with a joint and personal bank account may perform transactions from both, but only in their name and not in the name of the joint account holder.

Biometrics, AI and Other Disruptive Technologies Are Changing the IAM Landscape 

An important issue is what type of evidence or authentication factors a system uses to verify users and provide the proper access privileges. The risks of relying primarily on passwords are now widely known, as well as, the potentially disastrous consequences of a data breach and the penalties of not complying with a growing body of privacy regulations. 

These trends and others contribute to advances in IAM, such as 2FA (two-factor authentication), where two factors are used to increase the security around the authentication journey. Examples of two-factor authentication are:

OTP delivered by SMS or email may also be used, but in this case they are considered as proof of possession rather than knowledge. 

MFA (multi-factor authentication) takes this a step further by requiring a combination of the following three factors:

  • Something you know (i.e., a password)
  • Something you have (i.e., a mobile phone or OTP token)
  • Something you are (i.e., biometrics)

This authentication approach may seem cumbersome. In practice, the correct implementation of this technology has led to massive improvements in the user experience, delivering a frictionless authentication journey while also enhancing your security. Authentication methods can include:

Biometrics: Biometric authentication is more convenient than passwords, but not necessarily always more secure – quality matters, devices with a lower resolution and quality can be easily fooled. The quality of biometric systems can also be impacted by technical issues such as lighting conditions interfering with face recognition applications. Biometrics is best used in combination with other factors.

AI-Enhanced and Adaptive Biometrics: Apple's Face ID is a perfect example of biometric advances. Face ID technology creates a complex 3D model of the user's face with infrared sensors and an on-device neural network processor to correlate patterns between different data points. Deep learning algorithms adapt to facial changes such as a hat or growing a beard.

Risk-Based Authentication: Device fingerprinting, location, IP Address HTTP header information and other contextual factors support creating a risk profile, that in turn enables us to create a risk score. This risk score is used to determine if access can be granted or if an additional factor is required to prove the user is who he or she claims to be. Risk-based authentication can be used – even after a user has been authenticated – to detect man-in-the-middle, man-in-the-browser or device hijacking attempts. 

Behavioral Biometrics: Algorithms, machine learning and statistical analysis work together to establish a baseline of how users interact with a platform – such as typing speed, mouse movements, pressure on a mobile device screen, angle of the device and gait. This information is used to identify the person positively. As with risk-based authentication, behavioral biometrics can be used continually in a session to determine if the user has changed, allowing a system to take preventative measures such as logging the customer out or requesting the user to re-authenticate themselves.

The Dual Process of Identity and Access Management (IAM)

In summary, access to a system is protected by both authentication and authorization working together – having only one of these processes is not sufficient. Any attempt to access the system might be authenticated using valid credentials, but can only be accepted after successful authorization.

Explore HID’s approach to adaptive authentication or download an infographic that explores a swift, secure user experience.