Authentication and authorization are related but distinct processes in an organization’s identity and access management (IAM) system. Authentication verifies a user’s identity. Authorization gives the user the right level of access to system resources.
The authentication process relies on credentials, such as passwords or fingerprint scans, that users present to prove they are who they claim to be.
The authorization process relies on user permissions that outline what each user can do within a particular resource or network. For example, permissions in a file system might dictate whether a user can create, read, update or delete files.
Authentication and authorization processes apply to both human and nonhuman users, such as devices, automated workloads and web apps. A single IAM system might handle both authentication and authorization, or the processes might be handled by separate systems working in concert.
Authentication is usually a prerequisite for authorization. A system must know who a user is before it can grant that user access to anything.
Identity-based attacks, in which hackers hijack valid user accounts and abuse their access rights, are on the rise. According to the IBM X-Force® Threat Intelligence Index, these attacks are the most common way that threat actors sneak into networks, accounting for 30% of all cyberattacks.
Authentication and authorization work together to enforce secure access controls and thwart data breaches. Strong authentication processes make it harder for hackers to take over user accounts. Strong authorization limits the damage hackers can do with those accounts.
Authentication, sometimes abbreviated as “authn,” is based on the exchange of user credentials, also called authentication factors. Authentication factors are pieces of evidence that prove the identity of a user.
When a user registers with a system for the first time, they establish a set of authentication factors. When the user logs in, they present these factors. The system checks the presented factors against the factors on file. If they match, the system trusts that the user is who they claim to be.
Common types of authentication factors include:
Individual apps and resources can have their own authentication systems. Many organizations use one integrated system, such as a single sign-on (SSO) solution, where users can authenticate once to access multiple resources in a secure domain.
Common authentication standards include Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). SAML uses XML messages to share authentication information between systems, while OIDC uses JSON Web Tokens (JWTs) called “ID tokens.”
Authorization, sometimes abbreviated as “authz,” is based on user permissions. Permissions are policies that detail what a user can access and what they can do with that access in a system.
Administrators and security leaders typically define user permissions, which are then enforced by authorization systems. When a user attempts to access a resource or perform an action, the authorization system checks their permissions before allowing them to proceed.
Consider a sensitive database containing customer records. Authorization determines whether a user can even see this database. If they can, authorization also determines what they can do within the database. Can they just read entries, or can they also create, delete and update entries?
OAuth 2.0, which uses access tokens to delegate permissions to users, is one example of a common authorization protocol. OAuth allows apps to share data with each other. For example, OAuth enables a social media site to scan a user’s email contacts for people the user might know—provided the user consents.
User authentication and authorization play complementary roles in protecting sensitive information and network resources from insider threats and external attackers. In short, authentication helps organizations defend user accounts, while authorization helps defend the systems those accounts can access.
Comprehensive identity and access management (IAM) systems help track user activity, block unauthorized access to network assets and enforce granular permissions so that only the right users can access the right resources.
Authentication and authorization address two critical questions that organizations need to answer to enforce meaningful access controls:
An organization needs to know who a user is before it can enable the right level of access. For example, when a network administrator logs in, that user must prove they are an admin by supplying the right authentication factors. Only then will the IAM system authorize the user to perform administrative actions such as adding and removing other users.
As organizational security controls grow more effective, more attackers are getting around them by stealing user accounts and abusing their privileges to wreak havoc. According to the IBM X-Force Threat Intelligence Index, identity-based attacks increased in frequency by 71% between 2022 and 2023.
These attacks are easy for cybercriminals to pull off. Hackers can crack passwords through brute-force attacks, use infostealer malware or buy credentials from other hackers. In fact, the X-Force Threat Intelligence Index found that cloud account credentials make up 90% of the cloud assets sold on the dark web.
Phishing is another common credential theft tactic, and generative AI tools now enable hackers to develop more effective phishing attacks in less time.
While they might be seen as basic security measures, authentication and authorization are important defenses against identity theft and account abuse, including AI-powered attacks.
Authentication can make it harder to steal accounts by replacing or reinforcing passwords with other factors that are more difficult to crack, such as biometrics.
Granular authorization systems can curtail lateral movement by restricting user privileges to solely the resources and actions they need. This helps limit the damage that both malicious hackers and insider threats can do by misusing access rights.
With IBM Verify, organizations can go beyond basic authentication and authorization. Verify can help protect accounts with passwordless and multifactor authentication options, and it can help control applications with granular, contextual access policies.
Learn about the customer identity and access management (CIAM) landscape and current trends in the market.
Discover how to reduce the complexity of identity management with IBM's product-agnostic approach to identity fabric orchestration.
Get a clear definition of identity fabric and learn how an identity fabric enables continuous control and visibility.
Data breach costs have hit a new high. Get essential insights to help your security and IT teams better manage risk and limit potential losses.
Find out how IBM Verify enables organizations to simplify IAM with the flow designer.
Stay up to date with the latest trends and news about identity and access management.