Authentication vs Authorization vs Encryption
What We’ll Be Learning
Authentication, authorization, and encryption are all key concepts in web security, but it’s easy to confuse them. In this article, you’ll learn what these concepts are, and what roles they play in web security.
Authentication
Authentication is the verification of who you are. For example, let’s say you’ve gone to a concert. At the front door, the security guard asks to see your ticket and ID in order to verify that the name on your ID matches the name on your ticket. This is an example of authentication.
Authentication relies on one or more factors to verify identity, and these factors come in three main types:
- Knowledge is something you know, like a username and password.
- Possession is something you have, like a security card or mobile device.
- Inherence is something you are, which generally refers to biometric data such as fingerprints.
(There are additional factors, such as location and time, that can be used to complement the factors above, but they are generally not suitable for authentication on their own.)
Authentication that relies on a single factor, such as a simple username/password combo, is called Single-Factor Authentication, and is becoming increasingly insecure.
Authentication that requires multiple factors, such as a username/password combo and a code sent to a mobile device, is known as Multi-Factor Authentication. This is distinct from Multi-Step Authentication, which requires multiple types of authentication within a single factor, such as a password and a PIN.
Authorization
Authorization is the verification of what you are allowed to do. Returning to our concert example, once the security guard has authenticated you, you then give your ticket to a different security guard, who only allows you to pass into General Admission (instead of the VIP section). This is an example of authorization.
Authorization is very important for web security, and it is responsible for everything from preventing users from modifying each other’s accounts, to protecting back-end assets from attackers, to granting limited access to external services.
Good authorization will allow you to limit users and services to the privileges they require; just because a user is authorized to manage one group doesn’t mean they should be able to manage all groups, for example.
Encryption
One of the core tools for enforcing authentication and authorization is encryption. Encryption is the process of transforming data into a format that is unreadable unless you have the correct key to decrypt it. Encryption comes in two main types:
- Symmetric encryption uses the same key to encrypt and decrypt data.
- Asymmetric encryption uses separate keys for encryption and decryption.
Conclusion
Authentication, authorization, and encryption are distinct but related concepts within cybersecurity, and all three are important for maintaining a secure environment. Authentication determines identity, authorization determines the privileges associated with an identity, and encryption ensures that data can only be accessed by authorized parties.
Author
The Codecademy Team, composed of experienced educators and tech experts, is dedicated to making tech skills accessible to all. We empower learners worldwide with expert-reviewed content that develops and enhances the technical skills needed to advance and succeed in their careers.