Authentication and Authorisation

In the world of IT, information security is something you can’t go past, having the basic understanding is a must. One building block of it is authentication and authorisation; to know what do they mean, how they effect the users and what they provide for them.

Authentication

Authentication is identifying yourself. In the real world, you have your ID card that carries your unique, personally identifiable information like name, birth day and place, mother’s name, etc. But you can’t use your ID card on a computer, so there must be an other identifier. The most common one is a username, and to protect the account, a unique password. The goal is to prove you are who you say you are.

Authorisation

After you are successfully authenticated, you gain access to different things; you have the authority to use resources. The system where you identified yourself provide you permission for example to print documents, browse a shared directory on the company’s network, read and answer your e-mails, send a post on a forum. If you don’t have the permission, you get an “Access denied”, “Permission denied” or similar message. Authorisation is about what permissions you have, what can you do.

Authentication methods

Without listing every option, I would like to list the most used ones.

• Password: I think everybody knows it. You have a username and either a self- or a system generated password.
• Biometric authentication: nowadays it’s the 2nd most used method, smartphones allow access after recognising the user’s recorded fingerprint or face.
• Token: Usually companies use this method where a purpose-built physical device shows a random string or -numbers, it must be provided by the user after entering the username.