Saturday, 3 February 2018

Authorization vs Authentication, TC2027

I think these concepts are sometimes used incorrectly, or one is used to mean the other. The two concepts are closely related, which is why they cause some confusion.

Today I will try to explain these concepts.

Authentication

It is a way to prove that you are who you say you are. Outside the tech environment, if an officer pulls you over and asks for your ID, it is a way for him to know who you are. If he asked your name, you could come up with a fake name, but an official ID will let him know your name and other accurate information about you, proving that you are you.

In the tech world, authentication is used by a server to know who is trying to access the information, and it is used by a client to know if the server is who it claims to be. 

There are different types of Authentication:
  • Single-factor: access to a system is granted using only one category of credentials. An example could be passwords.
  • Two-factor: access to a system is granted using two categories of credentials, in order to add an "extra layer" of security. It's usually added on top of username and password authentication by also requiring something that only the user knows or has; this can be a token, or a code sent by SMS to your phone number.
  • Multi-factor: access to a system is granted using two or more categories of credentials.
  • Strong: it combines two mutually independent factors of authentication, so that if one is compromised, the other isn't automatically compromised. Usually, one credential is non-reusable, like a token valid for only one transaction, to add even more security.
______________________________________________________________________________
Authorization

Simply put, are you allowed to do that? Whenever we go to a building, there are always certain doors or areas that not everyone is authorized to go in. For example, ITESM students can access the campus with their ID, but there are certain rooms that, even if you're a student, you're not allowed (authorized) to go in (only authorized personnel). 

But it can also mean giving specific access rights or privileges to resources, related to information security and computer security in general and to access control in particular (Wikipedia). This is usually implemented as a role assigned to the user to specify and limit the actions they can perform within the system.
______________________________________________________________________________

In the beginning I said these two concepts are closely related. Why? Take the following example: my user on my computer has administrator rights, but in order for me to use them and exercise every right on my computer, I have to log in and verify that it is actually me, Sebastián, who is trying to get access. I am authorized to make any changes to my computer; however, only after I've authenticated myself am I granted that access.
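To make the distinction concrete, here is a small added Python example (not from the original post): the role says what a user may do, but it is only looked up after the password has been verified, so an admin account grants nothing until authentication succeeds. The user names, passwords and permission table are constructed for the example.

```python
import hashlib
import hmac
import os

# Passwords are stored as salted PBKDF2 hashes, never as plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

# Constructed user store: an administrator and a read-only viewer.
USERS = {
    "sebastian": make_user("correct horse battery staple", "admin"),
    "guest": make_user("guest-password", "viewer"),
}
# Dummy record so unknown users cost the same hash computation as real ones.
_DUMMY = make_user("", "none")

# Authorization policy: which roles may perform which actions (constructed).
PERMISSIONS = {
    "admin": {"read_file", "install_software", "change_settings"},
    "viewer": {"read_file"},
}

def authenticate(username: str, password: str):
    """Step 1: prove identity. Returns a principal dict, or None on failure."""
    record = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, record["salt"])
    if username not in USERS or not hmac.compare_digest(candidate, record["hash"]):
        return None
    # The role comes from the server-side record, never from the client.
    return {"user": username, "role": record["role"]}

def authorize(principal, action: str) -> bool:
    """Step 2: is this authenticated principal allowed to perform `action`?"""
    if principal is None:
        return False  # nobody is authorized until they have authenticated
    return action in PERMISSIONS.get(principal["role"], set())

def attempt(username: str, password: str, action: str) -> bool:
    """Full access check: authenticate first, then authorize."""
    return authorize(authenticate(username, password), action)
```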

In conclusion, these two concepts are really important for Computer and Information Security, to prevent damage, unauthorized access, loss of data and bad stuff like that.
