Identity Vs Authentication Vs Authorization: Biggest Dilemma
In our day-to-day lives, proving our identity and acting within the privileges we have been granted are very common situations. For example, we might show our identity card at the entrance of our university to enter the premises. And can you remember the days when, even though you had a student identity card and permission to enter the university premises, you were never allowed to park your vehicle in the staff parking area? If you can relate to the above example, then this entire blog post is going to be a piece of cake for you…🍰
Security world terminologies
The software industry is rapidly growing and adopting numerous technologies to cater to its users’ needs in various aspects. One such important aspect is security. In a nutshell, security in the Information Technology (IT) or software world means allowing the right user, with the right privileges, to access the right resources, while respecting users’ privacy and keeping the system out of risk.
When discussing software security, we cannot avoid a few core terms. They are Identity, Authentication, and Authorization.
As the term implies, “Identity” is a piece of information that proves who you are. In a general context, it could be your national identity card number, passport number, your fingerprint, etc. Moving a step forward, if we discuss identity in the context of secure software or IT, we normally refer to digital identity, which can be a single piece of information or a collection of various factors combined to provide a unique value that identifies a person, an organization, a government, or any other type of entity.
A username and password, or biometric identifiers such as fingerprints, facial patterns and voice, are examples of an individual user’s digital identity; they can also be combined to generate a unique identifier.
An IP address or a domain name is an example of an organization’s or a government’s digital identity.
Digital identity is also exposed to privacy and security risks such as identity theft. Identity theft is a fraudulent activity in which an impostor tries to take possession of someone else’s identity and pretend to be that person. Cross-Site Request Forgery (CSRF) is a well-known example of identity theft (it can be an example of data theft as well). Mechanisms such as the Double Submit Cookie pattern and the Synchronizer Token pattern are well-known ways to prevent CSRF attacks.
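To make the two CSRF defences mentioned above concrete, here is an added example (written for this post, not code from the original) showing both patterns on the server side: the Synchronizer Token pattern keeps a random token in the server-side session and requires the same value in the submitted form, while the Double Submit Cookie pattern (signed variant) requires the form field to match a cookie whose HMAC is bound to the session. The session store, the server secret and the `handle_transfer` request shape are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store: session_id -> session data.
# A real application keeps this in its server-side session backend.
SESSIONS: Dict[str, dict] = {}

# Constructed server-side key for the signed double-submit cookie (assumption:
# in production this is a managed secret, never a literal in the source).
SERVER_SECRET = b"constructed-demo-secret"


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison; encoding sidesteps compare_digest's ASCII-only rule for str."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


# --- Synchronizer Token pattern ----------------------------------------------
def issue_synchronizer_token(session_id: str) -> str:
    """Generate a random token, remember it in the user's server-side session,
    and return it so the HTML form can embed it in a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def check_synchronizer_token(session_id: str, submitted) -> bool:
    """Accept the POST only if the submitted field matches the token stored
    for *this* session. A cross-site page cannot read the victim's form."""
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    return _equal(expected, submitted)


# --- Double Submit Cookie pattern (signed variant) -----------------------------
def issue_double_submit_cookie(session_id: str) -> str:
    """Cookie value = nonce.HMAC(session_id, nonce). The same value is also
    rendered into the form; the browser sends both with the request."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def check_double_submit(session_id: str, cookie_value, form_value) -> bool:
    """Two checks: the form field must equal the cookie (a cross-site page cannot
    read the cookie), and the cookie's HMAC must be bound to this session (a cookie
    the server never issued for this session will not verify)."""
    if not isinstance(cookie_value, str) or not isinstance(form_value, str):
        return False
    if not _equal(cookie_value, form_value):
        return False
    nonce, _, mac = cookie_value.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return _equal(expected, mac)


def handle_transfer(request: dict) -> str:
    """Constructed handler for a state-changing POST, protected with the
    synchronizer token. `request` mimics {"cookies": {...}, "form": {...}}."""
    session_id = request.get("cookies", {}).get("session_id", "")
    if not check_synchronizer_token(session_id, request.get("form", {}).get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: transfer accepted"
```

In both patterns the check must run on every state-changing request (POST, PUT, DELETE), and the comparison is constant-time so a wrong token cannot be guessed byte by byte through response timing.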
We now have an object/element that uniquely describes an entity, known as Identity. But how does that validate that the entity is the right one? Where does it lead us? The term identity leads us to the process of Authentication, which makes use of the identity to prove whether the entity being validated is the right one. Let’s deep dive into authentication.
Authentication is the process of proving/ensuring that an entity is what it claims to be; for example, ensuring that the intended user is accessing the system by validating the user’s credentials. In the following discussion, we will concentrate on scenarios between users and systems, to explain the concepts in a less complex manner.
In a username-and-password protected system, the user is expected to provide valid credentials in order to enter the system. This is not only to protect the system from attacks by unknown third parties but also to maintain user privacy, a breach of which can even lead to legal problems.
Levels of Authentication
Identity or authentication factors can be any of the following.
1. Knowledge: something the user knows
E.g.: username, password, PIN number
2. Possession: something the user has/possesses
E.g.: debit card, QR cards
3. Inherence: some physical characteristic of the user
E.g.: biometric authentication factors such as fingerprint, iris
Based on the number of identity or authentication factors the user provides during the authentication process, authentication can be categorized into the following levels.
- Single Factor Authentication
- Two Factor Authentication
- Multi-Factor Authentication
Single Factor Authentication - Uses a single authentication factor to authenticate the user
E.g.: Logging into Gmail using a username/password
Two Factor Authentication - Uses any two of the factors to authenticate a user entering the system
E.g.: Logging into your Facebook account using your password and a code sent to you through SMS
Multi-Factor Authentication - Uses at least 2 or all 3 types of authentication factors to allow the user to enter the system
E.g.: Entering a password, a secret code sent through SMS and providing a fingerprint to enter the system
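The credential validation described under Authentication and the factor levels listed above come together in the following added example (written for this post, not code from the original): a two-factor login that verifies a knowledge factor (a password stored as a salted PBKDF2 hash) and a possession factor (a TOTP code from an authenticator device, computed per RFC 4226/6238), plus a small helper that classifies a login by how many distinct factor categories it used. The user store, the factor names and the iteration count are assumptions for the demonstration. The classifier generalises the levels above slightly: two factors from the same category (for example a password and a PIN) still count as single-factor, because both are things the user knows.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's current guidance for PBKDF2-HMAC-SHA256


# --- Knowledge factor: password stored as a salted PBKDF2 hash -----------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# --- Possession factor: HOTP (RFC 4226) and TOTP (RFC 6238) --------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/-`window` neighbours to tolerate clock drift."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode("utf-8"))
        for d in range(-window, window + 1)
    )


# --- Constructed user store and the login flow ---------------------------------
USERS: Dict[str, dict] = {}


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # burn the same time so unknown users are not revealed
        return False
    _, candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(user["pw_hash"], candidate)


def login(username: str, password: str, code: str, now: int) -> bool:
    """Two-factor login: knowledge (password) plus possession (TOTP device)."""
    if not verify_password(username, password):
        return False
    return verify_totp(USERS[username]["totp_secret"], code, now)


# --- Classifying a login by how many *distinct* factor categories it used ------
FACTOR_CATEGORY = {  # constructed factor names mapped to the three categories above
    "password": "knowledge", "pin": "knowledge",
    "totp": "possession", "sms_code": "possession", "debit_card": "possession",
    "fingerprint": "inherence", "iris": "inherence",
}


def authentication_level(factors: Set[str]) -> str:
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return {0: "none", 1: "single-factor", 2: "two-factor", 3: "multi-factor"}[len(categories)]
```

The TOTP functions can be checked against the published RFC test vectors: with the 20-byte ASCII secret `12345678901234567890`, counter 1 (or any time in 30..59 seconds) yields `287082`.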
Two-Factor Authentication or Multi-Factor Authentication provides an extra layer of security to the system. OpenID and OpenID Connect (OIDC) are two well-known authentication protocols that use tokens to carry out the authentication process. We’ll have a separate discussion on this topic in another blog post.
Let’s revise the steps we have completed so far. Initially, we had an identity, which served as an authentication factor. As the next step, using that authentication factor, we authenticated in order to enter the system. What’s next? Next, we should know which tasks we are eligible to perform in the system. So let’s take a look at the Authorization process.
Authorization is the security mechanism of validating the privileges or eligibilities a user possesses in order to perform certain tasks in a system; in brief, what you can do in a system. Once a user is authenticated as an eligible candidate for the system, the authorization process determines the powers the user has in the system. These privileges are defined for each user based on the user’s access level/role.
For example, let’s take a hospital management system where an admin and a doctor are the only users of the system. Imagine what happens if the admin gets permission to change the patients’ prescriptions. It would be the end of everything!
Just to make sure that the right person gets the right access in the system, we use Authorization mechanisms. One well-known and widely used authorization mechanism is OAuth 2.0.
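Here is the hospital example as a role-based authorization check, an added example written for this post rather than code from the original. Roles map to permissions, a decorator enforces the permission before an operation runs, and an unknown or missing role grants nothing, so access is denied by default. The role names, permission strings and sample prescription data are constructed assumptions.

```python
import functools
from typing import Dict, FrozenSet, Set

# Constructed role -> permission mapping for the post's hospital example
# (assumption: only the two roles the post mentions exist).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"user:create", "user:disable", "audit:read"}),
    "doctor": frozenset({"patient:view", "prescription:read", "prescription:update"}),
}


class AuthorizationError(PermissionError):
    """Raised when an authenticated user lacks the required permission."""


class User:
    def __init__(self, name: str, roles: Set[str]):
        self.name = name
        self.roles = set(roles)


def permissions_for(user: User) -> Set[str]:
    """Union of the user's role permissions. Unknown roles grant nothing (deny by default)."""
    granted: Set[str] = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return granted


def is_authorized(user: User, permission: str) -> bool:
    return permission in permissions_for(user)


def requires(permission: str):
    """Decorator: run the wrapped operation only if the caller holds `permission`."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if not is_authorized(user, permission):
                raise AuthorizationError(f"{user.name} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample data.
PRESCRIPTIONS: Dict[str, str] = {"patient-42": "ibuprofen 400 mg"}


@requires("prescription:update")
def update_prescription(user: User, patient_id: str, text: str) -> str:
    PRESCRIPTIONS[patient_id] = text
    return PRESCRIPTIONS[patient_id]


@requires("prescription:read")
def read_prescription(user: User, patient_id: str) -> str:
    return PRESCRIPTIONS[patient_id]


def attempt(operation, user: User, *args) -> str:
    """Run an operation and report the outcome as a string (for demonstration)."""
    try:
        return "ok: " + operation(user, *args)
    except AuthorizationError as exc:
        return "denied: " + str(exc)
```

Notice that the admin is still a fully authenticated user; authorization is the separate step that keeps them away from prescriptions, which is exactly the distinction the post is making.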
OAuth 2.0: A brief introduction
OAuth is a framework for giving third-party applications permission to access protected data on behalf of the user. In simple terms, “A framework for delegated authorization”.
OAuth 2.0 provides two main services to end-users as well as to third-party applications. The services are:
- Federated Identity — Allowing users to log in to an application with another existing account that the user owns. (End-users)
- Delegated Authority — Allowing one service to access resources on another service, in a controlled manner, on behalf of the user. (Third-party applications)
For comprehensive details on OAuth 2.0 and the related grant types please refer to my blog on OAuth 2.0.
Let’s wind up folks
At the beginning of the post, we introduced the three main terms that we would be going through in the entire post. They are Identity, Authentication, and Authorization. We also analyzed certain real-life examples to easily understand these geeky terms. Next, we analyzed each of these terms and the mechanisms used to achieve these concepts. Also, I have attached my previous blogs to give you further explanations on CSRF attacks, the Synchronizer Token pattern, the Double Submit Cookie pattern and OAuth 2.0. I hope this post gave you a basic understanding of the topic and encourages you to get practical experience trying out these concepts…!!! Happy learning folks…!!!