Jason Parms

Technical terminology can be confusing. There are so many words batted around that describe different aspects of computer networking and security, and sometimes it’s hard to tell them apart. Take authentication and authorization, for instance. They sound similar, but they refer to two totally different processes.

The Triple-A (AAA) Framework

You might have heard these words before without realizing that two of them are part of a special framework in the field of network security. The triple-A is spelled AAA and is an abbreviation for three keywords:

  • Authentication
  • Authorization
  • Accounting

The definition from TechTarget gives us a clearer picture of the AAA framework:

“Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.”

Let’s have a closer look at the difference between the first two words – Authentication and Authorization.


Authentication Confirms Identity

The standard greeting in polite society has always been a handshake. You shake someone’s hand when you’re being introduced for the first time, or when you see someone again after a long time. This traditional form of touching hands is a way of connecting, and it represents a certain level of trust. This same imagery is also used in the world of networking.

Along with the handshake, humans interact with each other in spoken conversation. Getting back to the idea of an introduction, one person might say, “Hello, my name is John” as he extends his hand. “I’m a salesman for XYZ company.” When Sally takes his hand to shake it, she might say, “Hi, I’m Sally. I’m the store manager here.” Both John and Sally are clearly identifying who they are.

Now consider how people identify themselves on the internet. Authentication confirms that the person accessing a system is who they claim to be. The method everyone knows is the combination of user ID and password; you probably use it every day, on many different applications and websites. The user ID is the claim ("I am John") and the password is the proof: a secret that only you and the service should know. Anyone who learns that secret, because you shared it, or because it was phished, guessed, or reused on a site that was breached, can log in as you, which defeats the purpose. That is why a well-run service stores only a salted, deliberately slow hash of each password rather than the password itself, and why a second factor is often required on top of it.

Another method of authentication is public key infrastructure (PKI), which gives stronger assurance than a user ID and password. Each party holds a private key that never leaves it and a matching public key that anyone may see. A certificate authority (CA) signs a certificate that binds a public key to an identity, whether that is a user, a device or a piece of software. A party proves who it is by signing a challenge with its private key; the other side checks that signature against the certificate, and the certificate's own signature against a CA it already trusts.

When two devices in different locations establish trust this way, we call that authentication, and the exchange that does it is usually called a "handshake". In TLS, for example, the server presents its certificate and the client verifies it (the chain to a trusted CA, the validity dates and the host name) before any session keys are agreed. Only once the handshake has succeeded can the two devices safely transact business.
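To make the CA's role concrete, here is an added example (not from the original article) that builds a tiny PKI with Go's standard library: a self-signed root CA, a server certificate the CA signs for a host name, and the check a TLS client performs on the certificate it receives during the handshake. It then shows the two ways that check fails: the certificate is for a different host, or it was issued by a CA the client does not trust. The CA names, the host names and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has the signer's private key sign a certificate for tmpl. Passing tmpl
// as its own parent produces a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA mints a self-signed root: the trust anchor a relying party installs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newServerCert has the CA sign a certificate binding dnsName to a fresh key
// pair. The private key stays with the server; in a real handshake it is what
// the server uses to prove possession of the certified public key.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// authenticateServer is the check a TLS client performs on the certificate it
// receives: does it chain to a CA the client trusts, is it within its validity
// period, and does it name the host the client meant to reach? On success it
// returns the subjects of the verified chain, leaf first.
func authenticateServer(presented, trusted *x509.Certificate, host string) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	chains, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	ca, caKey, err := newCA("Example Root CA")
	if err != nil {
		panic(err)
	}
	srv, _, err := newServerCert(ca, caKey, "shop.example.com")
	if err != nil {
		panic(err)
	}
	// An impostor with their own CA can mint a certificate for the same name,
	// but the client does not trust that CA, so the handshake must fail.
	rogue, rogueKey, _ := newCA("Rogue CA")
	fake, _, _ := newServerCert(rogue, rogueKey, "shop.example.com")

	fmt.Println(authenticateServer(srv, ca, "shop.example.com"))  // [shop.example.com Example Root CA] <nil>
	fmt.Println(authenticateServer(srv, ca, "bank.example.com"))  // host name mismatch error
	fmt.Println(authenticateServer(fake, ca, "shop.example.com")) // unknown authority error
}
```

The same verification runs inside `crypto/tls` when a client sets `RootCAs` and `ServerName` in its `tls.Config`; disabling it (`InsecureSkipVerify`) removes the authentication step and leaves only encryption to whoever answers.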

Authorization Gives Permission

Once the line of communication is secured through an authentic handshake, the next issue to deal with is authorization. As you know, not everyone has permission to do everything. If you visit a department store, you have permission to walk into the store and peruse the merchandise, you might handle it or try it on. But you don’t have permission to go behind the counter or to the back of the store. That’s for employees only. And you surely don’t have permission to open the cash register.

Authorization defines exactly what permissions a user has on a particular system, and it presupposes authentication: the system must know who you are before it can decide what you may do. For instance, on your workstation at the office you may have permission to use various applications, while administrative tasks are restricted to IT personnel. A website where you have registered may grant different levels of permission based on the service plan you purchased. Authorization tells you what you are allowed to do or use, and the server has to check it on every request rather than trusting the client to stay within its bounds.
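The department store above, expressed as a deny-by-default authorization check, is an added example and not code from the original article. Users hold roles, roles hold permissions, and one ownership rule lets customers read their own orders; anything no rule grants is refused, including requests from an authenticated user who holds no role at all. The role names, permission names, user names and the `Authorize` function are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission names an action on a kind of resource.
type Permission string

const (
	BrowseCatalog Permission = "catalog:browse"
	EditCatalog   Permission = "catalog:edit"
	OpenRegister  Permission = "register:open"
	ReadOrder     Permission = "order:read"
)

// Request is what the server decides on once authentication is done. Subject
// comes from the verified session, never from a field the client filled in.
type Request struct {
	Subject string     // authenticated user ID
	Action  Permission // what the subject is trying to do
	Owner   string     // owner of the resource touched, "" if not applicable
}

// Policy is a small role-based model: users hold roles, roles hold permissions.
type Policy struct {
	RolePerms map[string][]Permission
	UserRoles map[string][]string
}

// ErrForbidden is returned for every request no rule explicitly allows.
var ErrForbidden = errors.New("forbidden")

// Authorize grants a request only when a rule says so. The default is deny, so
// an unknown user, an unknown action or a missing role is refused, not waved through.
func (p Policy) Authorize(req Request) error {
	// Ownership rule: anyone may read an order they placed themselves.
	if req.Action == ReadOrder && req.Owner != "" && req.Owner == req.Subject {
		return nil
	}
	for _, role := range p.UserRoles[req.Subject] {
		for _, perm := range p.RolePerms[role] {
			if perm == req.Action {
				return nil
			}
		}
	}
	return fmt.Errorf("%w: %q may not %s", ErrForbidden, req.Subject, req.Action)
}

// storePolicy is a constructed policy for the store in the text: customers
// browse, clerks also edit the catalog, and only the manager opens the register.
func storePolicy() Policy {
	return Policy{
		RolePerms: map[string][]Permission{
			"customer": {BrowseCatalog},
			"clerk":    {BrowseCatalog, EditCatalog},
			"manager":  {BrowseCatalog, EditCatalog, OpenRegister},
		},
		UserRoles: map[string][]string{
			"john":  {"customer"},
			"sally": {"manager"},
		},
	}
}

func main() {
	p := storePolicy()
	for _, r := range []Request{
		{Subject: "john", Action: BrowseCatalog},
		{Subject: "john", Action: OpenRegister},
		{Subject: "sally", Action: OpenRegister},
		{Subject: "john", Action: ReadOrder, Owner: "john"},
		{Subject: "john", Action: ReadOrder, Owner: "sally"},
		{Subject: "mallory", Action: BrowseCatalog}, // logged in, but holds no role
	} {
		if err := p.Authorize(r); err != nil {
			fmt.Println("denied:", err)
		} else {
			fmt.Printf("allowed: %s %s\n", r.Subject, r.Action)
		}
	}
}
```

Callers check `errors.Is(err, ErrForbidden)` and answer with 403 rather than 401: the user is known, they are simply not permitted, which is the distinction the article is drawing.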

Authentication vs Authorization

What it does:
  Authentication confirms the user's identity.
  Authorization verifies the user's permissions to access resources.

Common methods:
  Authentication:
    1. Passwords.
    2. Two-factor authentication.
    3. Certificate-based authentication (PKI).
    4. Biometric authentication.
  Authorization:
    1. OAuth (Open Authorization), which delegates limited access to a third-party application.
    2. Permissions, such as read or write access to files, or access to a database.
    3. User roles that determine which data may be accessed.

Who decides:
  Authentication is performed by the server so that it knows who is accessing its data or site.
  Authorization is the server's decision that this client is allowed to access a particular resource.

Understanding terms like authentication and authorization will give us a greater idea of how the internet works and how it is made secure. And these are common concepts in any study of the workings of the internet. Without the implementation of these processes throughout the network infrastructure, the internet would be a much less safe place to conduct business.