Authentication vs Authorisation
The process of securely identifying its users by a system is called authentication. Authentication tries to identify the identity of the user and whether the user is actually the person he/she is representing to be. Determining the level of access (what resources are made accessible to the user) of an authenticated user is done by authorisation.
What is Authentication?
Authentication is used to establish the identity of a user who is trying to use a system. Establishing the identity is done by testing a unique piece of information that is known only by the user being authenticated and the authentication system. This unique piece of information could be a password, or a physical property that is unique to the user such as a fingerprint or other bio metric, etc. Authentication systems work by challenging the user to provide the unique piece of information, and if the system can verify that information the user is considered as authenticated. Authentication systems could range from simple password challenging systems to complicated systems such as Kerberos. Local authentication methods are the simplest and most common authentication systems used. In this kind of a system, the usernames and password of authenticated users are stored on the local server system. When a user wants to login, he/she sends his/her username and password in plaintext to the server. It compares the received information with the database and if it is a match, the user will be authenticated. Advanced authentication systems like Kerberos uses trusted authentication servers to provide authentication services.
What is Authorisation?
The method that is used to determine the resourses that are accessible to an authenticated user is called authorisation (authorization). For example, in a database, set of users are allowed to update/ modify the database, while some users can only read the data. So, when a user logs in to the database, the authorisation scheme determines whether that user should be given the ability to modify the database or just the ability to read the data. So in general, an authorisation scheme determines whether an authenticated user should be able to perform a particular operation on a particular resource. In addition, authorisation schemes can use factors like the time of day, physical location, number of accesses to the system, etc. when authorising users to access some resources in the system.
What is the difference between Authentication and Authorization?
Authentication is the process of verifying the identity of a user who is trying to gain access to a system, whereas authorisation is a method that is used to determine the recourses that are accessible to an authenticated user. Even though authentication and authorization performs two different tasks, they are closely related. In fact, in most of the host-based and client/ server systems, theses two mechanisms are implemented using the same hardware/ software systems. The authorization scheme actually depends on the authentication scheme to ensure the identities of the users who enter in to the system and get access to the resources.