Identification, authentication, and authorisation — what’s responsible for what?
Wednesday, June 15, 2022
Let's find out what the terms “identification”, “authentication” and “authorisation” mean and how these procedures differ from one another.
Identification: “Halt! Who goes there?”
When a visitor comes to Doctor Web's office, at the door, they introduce themselves to the security guard. Thus, the person identifies himself/herself — says who he/she is. The security guard doesn't care why the person came — whether to work, pick up a parcel or join a meeting. The guard just needs to make sure that this person is on the “allow list”.
In the exact same way, you must first introduce yourself if, for example, you want to sign in to your online bank account, email, or social-networking account. The system requests the ID (the login), you enter it, and the system recognises it as existing. This is identification: checking whether a specified user/login/email exists.
The system knows a limited set of identifiers. If you enter a sequence of characters and the system finds a record in its database for a user with that login, identification is complete. This means that the first step to accessing an information resource (email, social-networking account, etc.) has been taken.
Authentication: “Show your pass”
Now you need to enter a password to prove that you aren’t faking someone else’s identity. When a system makes sure that the person who knows a login also knows the password, it will agree that this person is the true account owner. This is authentication: checking whether the password matches the user.
Remember the person who wants to get into our office? Suppose the security guard found (identified) this person in the list. After this, the security guard must check the visitor's documents to authenticate the visitor.
To prevent hackers who’ve managed to spy on or crack your account password from accessing it, the system may need to take an extra security measure and ask for a second proof that only you can supply: for example, a one-time SMS code to confirm your login. If you enter it correctly, the system will be convinced that you are the person you say you are. This is two-factor authentication (2FA).
For "serious" services, two-factor authentication is mandatory. This is usually a token (a one-time code with a limited validity period) that is sent to the user's mobile phone via SMS message. But SMS is not the only form. There are other 2FA options — USB security keys, Bluetooth devices, biometric scanners, etc. Even if a cybercriminal gets your login and password (by using a malicious program, stealing your notebook of passwords or employing social engineering techniques and phishing), without this token, they will not be able to sign in to the account.
Authorisation: "Passage permitted"
After authentication, the system will allow you to read the emails in your mailbox. And secretaries will receive the visitor who was allowed in by the security guard. If this person has come to apply for a job, they will invite the HR manager; if the person has come to pick up a parcel, they will hand it over; if the person has come to join a meeting, they will lead him/her to the meeting room, etc. This is authorisation: granting a user the rights to access certain resources.
Authorisation not only gives you the opportunity to sign in, but also allows you to perform certain operations there: read documents, send emails, and change data—under the same ID that you presented at the beginning.
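The three steps above are easiest to tell apart when each is a separate function with its own "no" answer. The following is an added example, not Doctor Web's code or any product's login routine: a tiny in-memory account store in which identification only looks the login up, authentication checks the password and then a one-time code (a counter-based HOTP code, as a stand-in for the SMS token the text describes), and authorisation decides whether the already-signed-in user may perform a given operation. The user names, passwords, permissions and the 2FA secret are constructed sample data.

```python
"""Identification, authentication and authorisation as three separate checks.

Added example (not Doctor Web's code). Accounts, passwords, permissions and
the one-time-code secret below are constructed sample data.
"""
import hashlib
import hmac
import os
import secrets
import struct


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked database does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(password: str, permissions: set) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "otp_secret": secrets.token_bytes(20),   # shared secret for one-time codes
        "permissions": permissions,              # operations this user may perform
    }


# Constructed sample accounts: alice may read and send mail, bob may only read.
ACCOUNTS = {
    "alice": make_account("correct horse battery staple", {"mail:read", "mail:send"}),
    "bob": make_account("hunter2-but-longer!", {"mail:read"}),
}


# --- step 1: identification -------------------------------------------------
def identify(login: str):
    """Does the system know this login at all? Returns the record or None."""
    return ACCOUNTS.get(login)


# --- step 2: authentication (password, then a one-time code) ---------------
def check_password(account: dict, password: str) -> bool:
    candidate = _hash_password(password, account["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, account["pw_hash"])


def one_time_code(secret: bytes, counter: int) -> str:
    """6-digit HOTP code (RFC 4226 dynamic truncation) for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def authenticate(login: str, password: str, code: str, counter: int) -> bool:
    """True only if the login exists, the password matches and the code matches."""
    account = identify(login)
    if account is None:
        return False                      # identification failed: unknown login
    if not check_password(account, password):
        return False                      # first factor (password) failed
    expected = one_time_code(account["otp_secret"], counter)
    return hmac.compare_digest(expected, code)   # second factor (one-time code)


# --- step 3: authorisation --------------------------------------------------
def authorise(login: str, operation: str) -> bool:
    """May this (already authenticated) user perform the operation?"""
    account = identify(login)
    return account is not None and operation in account["permissions"]


if __name__ == "__main__":
    # Walk through the flow for bob: identified, authenticated, but not
    # authorised to send mail.
    counter = 1
    code = one_time_code(ACCOUNTS["bob"]["otp_secret"], counter)
    print("identified:", identify("bob") is not None)
    print("authenticated:", authenticate("bob", "hunter2-but-longer!", code, counter))
    print("may read mail:", authorise("bob", "mail:read"))
    print("may send mail:", authorise("bob", "mail:send"))
```

In a real service the counter would be replaced by the current 30-second time step (TOTP) or by a code sent out of band, and the permission table would live in a database; the point of the split is that each step answers a different question and fails on its own, so a correct password with a wrong code still ends in "no", and a fully signed-in user can still be refused an operation they were never granted.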
The Anti-virus Times recommends
- Use strong and unique passwords. They must consist of 8 or more characters and contain numbers, uppercase and lowercase letters, and special characters (!, @, #, $, etc.). If only letters and numbers and no special characters are available to create a password, it is better to make it longer in order to at least somehow compensate for this limitation and increase security.
- The security of password managers, which generate passwords themselves and then store them and automatically enter them during authentication, is a topic for another day. In short: Doctor Web’s specialists believe that the best password manager is our brain.
- If it is too difficult to remember complex passwords consisting of characters, you can use long meaningful phrases. It is more difficult to crack such a password than a short set of characters, and it is much easier to remember it.
- Don't forget to regularly update your passwords. Ideally, you should do this every 3-6 months. If that's not possible, update them at least once a year.
- Be sure to enable two-factor authentication for all services that allow it. Ideally, this requires two different devices. 2FA is useless if in order to enter your Internet bank via your phone’s browser, you need to enter a code from an SMS message that will come to that very same phone.
- Don't share logins and passwords with anyone: this increases the risk of a compromise and data leakage.
So, is everything clear about the differences between authentication, identification and authorisation? If you still have questions, you can ask them in the comments.