Authentication vs Authorization vs Encryption
What We’ll Be Learning
Authentication, authorization, and encryption are all key concepts in web security, but it’s easy to confuse them. In this article, you’ll learn what these concepts are, and what roles they play in web security.
Authentication is the verification of who you are. For example, let’s say you’ve gone to a concert. At the front door, the security guard asks to see your ticket and ID in order to verify that the name on your ID matches the name on your ticket. This is an example of authentication.
Authentication relies on one or more factors to verify identity, and these factors come in three main types:
- Knowledge is something you know, like a username and password.
- Possession is something you have, like a security card or mobile device
- Inherence is something you are, which generally refers to biometric data such as fingerprints.
(There are additional factors, such as location and time, that can be used to complement existing factors, but are generally not suitable for authentication on their own)
Authentication that relies on a single factor, such as a simple username/password combo, is called Single-Factor Authentication, and is becoming increasingly insecure.
Authentication that requires multiple factors, such as a username/password combo and a code sent to a mobile device, is known as Multi-Factor Authentication. This is distinct from Multi-Step authentication, which requires multiple types of authentication within a single factor, such as a password and a PIN.