This is a short article on the differences between three important and fundamental security concepts that are often confused. The difference between authentication, authorisation and access control is often not understood properly, and sometimes they are thought to be the same thing or the terms are used interchangeably.
Perhaps this is because the processes of authentication, authorisation and access control often appear to happen at the same time from an end user’s perspective, and as one single process. But it can be critically important to understand the distinction when designing the security framework for a software application, so here we provide a clarification of these distinct concepts and provide an explanation of how they would be applied to a typical software application or website.
Authentication is a process by which you verify that someone is who they claim they are.
This usually involves asking the user for a username and a password, but it can include any other method of demonstrating identity, for example a smart card, a PIN number, a secret code sent in a letter in the post, a fingerprint scan, and so on.
In order to perform authentication, a user must already have an account created in a system which can be interrogated by the authentication mechanism, or an account must be created as part of the process of the very first authentication.
The output of the authentication process is usually a binary “yes or no” results – either the user is who they say they are, or they are not (a “maybe” would be treated as a “no”).
Note that the “someone” may not be a real person. For example, an application that is trying to use a web services API may need to use authentication to prove that it is the application in question, and could do this in exactly the same way as a real human user would prove their identity (excluding of course biometrics like fingerprints).
Authorisation is the process of establishing if the user (who is already authenticated), is permitted to have access to a resource. Authorisation determines what a user is and is not allowed to do.
The level of authorisation to give a user is determined by examining the additional properties (metadata) associated with the user’s account. For example, data associated with a user may indicate if they are a member of a given group such as “Administrators” or “Customers”, or it may indicate if they have paid a subscription for some paid-for content, or it may indicate that they are still within the 90 day period of a free trial.
Authorisation also includes an Authorisation Management component, which is a system that provides the functionality to create the authorisation rules. For example, it may allow an administrator to create a rule to allow another user to edit or publish content to a website. Authorisation Management often uses Groups, Roles, Privileges and Permissions (the difference between each of these four concepts is for another blog article!) to define these rules.
Access Control is the process of enforcing the required security for a particular resource.
Once we know who a user is, and we know what authorisation level they have and what we should and should not give them access to, we need to physically prevent that user from accessing anything that they should not be able to. Access Control can be seen as the combination of Authentication and Authorisation plus additional measures, such as clock- or IP-based restrictions.
In the context of a web or software application, access control may be implemented using bespoke logic, security features of the development framework being used, file permissions, URL access lists, or many other mechanisms.
Note that lack of adequate access control is more often the cause of security vulnerabilities in applications than faulty authentication or authorisation mechanicms, simply because access control is more complex to implement and becomes more complex as the application being secured becomes more complex itself.
The following articles are worth reading for further details on the subject. In particular, Authentication and Authorisation and often combined with Accounting (that is, the logging of information relating to Authentication and Authorisation) to form “AAA” – Authentication, Authorisation and Accounting.
- AAA Protocol (Wikipedia)
- Authentication, Authorization, and Identities in WCF (Microsoft MSDN)
- Authentication, Authorization, and Access Control (Apache HTTP Server)
- Authentication and Authorization for Google APIs (Google)