Aswin Ts Decoded Notes Unit 3 Authorisation & Authentication

Distributed systems

Uploaded by tejeswarkomara

Authentication and Authorization

Authentication and Authorization are two essential security concepts used to protect data systems,
especially on the internet, and although they work together, they serve different purposes.

• Authentication is the process of verifying who someone is. It ensures that the user is who they
claim to be. This is usually done through usernames and passwords, biometric data (like
fingerprints), or two-factor authentication (2FA). The goal is to confirm the identity of the user
before granting access to the system.

• Authorization comes after authentication. It determines what an authenticated user can do
within the system, i.e., what resources they can access or actions they can perform. For example,
a system may allow an authenticated user to read files but not modify them. This is usually
controlled by setting permissions, roles, or access control lists.

In simple terms:
• Authentication = Who are you?
• Authorization = What can you do?
While authentication ensures that only valid users can log in, authorization ensures that those
users only have access to what they are permitted to. Both are essential to maintaining data
security.

What is Authentication?
Authentication is the process of verifying the identity of a user or system to ensure they
are who they claim to be. It involves checking credentials such as usernames, passwords,
or biometric data like fingerprints or facial recognition. This step is essential for
securing access to systems, applications, and sensitive records. By confirming identities,
authentication prevents unauthorized entry and protects against security breaches.

Steps in Authentication:
1. Credential Submission: The user provides credentials (e.g., username and password).
2. Validation: The system compares the submitted credentials against stored data (e.g., in
a database or directory).
3. Verification Outcome: Access is granted or denied based on whether the
credentials match.

Types of Authentication:
1. Something You Know:
• Passwords, PINs, or answers to security questions.
• Example: Logging into an email account with a password.
2. Something You Have:
• Smartcards, tokens, or one-time passwords (OTP).
• Example: Using an OTP sent to a mobile device.
3. Something You Are:
• Biometrics like fingerprints, facial recognition, or retinal scans.
• Example: Unlocking a smartphone with a fingerprint.
4. Location-Based:
• Validating based on geographic location or IP address.
5. Behavioral-Based:
• Monitoring typing patterns or mouse movements.

Advanced Methods:
• Multi-Factor Authentication (MFA): Combines two or more factors (e.g., password
+ OTP).
• Single Sign-On (SSO): A user logs in once to access multiple systems.
• Biometric Authentication: Uses physiological traits for verification (e.g.,
fingerprints, facial recognition).
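The three authentication steps listed above (credential submission, validation against stored data, verification outcome) and the password + OTP form of MFA, worked through as an added example that is not part of these notes. The in-memory user store is a constructed stand-in for a database or directory; the password hashing uses PBKDF2 with a per-user random salt, and the one-time password follows the HOTP algorithm from RFC 4226.

```python
"""Added example: the three authentication steps plus password + HOTP MFA.
The user store below is constructed for illustration, not a real directory."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000

# Constructed stand-in for the "stored data" of step 2 (a database or directory
# in a real system): username -> record. Passwords are never stored in clear
# text, only a random salt and a slow PBKDF2 hash of the password.
_USERS: dict[str, dict] = {}

# Dummy record used when the username is unknown, so a lookup miss costs the
# same hashing work as a real comparison (no username leak through timing).
_DUMMY = {"salt": b"\x00" * 16, "hash": b"\x00" * 32,
          "otp_secret": b"\x00" * 20, "counter": 0}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str, otp_secret: bytes) -> None:
    """Enroll a user: random salt, hashed password, and the shared HOTP secret."""
    salt = os.urandom(16)
    _USERS[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "otp_secret": otp_secret,
        "counter": 0,
    }


def authenticate(username: str, password: str) -> bool:
    """Step 1: the caller submits (username, password).
    Step 2: recompute the hash with the stored salt and compare in constant time.
    Step 3: return the outcome (True = grant, False = deny)."""
    record = _USERS.get(username, _DUMMY)
    candidate = _hash_password(password, record["salt"])
    password_ok = hmac.compare_digest(candidate, record["hash"])
    # The dummy record can never match a real password; be explicit anyway.
    return password_ok and username in _USERS


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as defined in RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return f"{code % (10 ** digits):0{digits}d}"


def authenticate_mfa(username: str, password: str, otp: str) -> bool:
    """Two factors: something you know (password) and something you have
    (a device generating HOTP codes). Both must pass. A matched counter value
    is consumed, so the same code cannot be replayed later."""
    if not authenticate(username, password):
        return False
    record = _USERS[username]
    expected = hotp(record["otp_secret"], record["counter"])
    if not hmac.compare_digest(expected.encode(), otp.encode()):
        return False
    record["counter"] += 1  # consume this counter value
    return True
```

Two practitioner details the notes do not spell out: the comparison in step 2 is against a salted hash, never the password itself, and an unknown username still pays the full hashing cost so that a failed login looks the same whether the username exists or not. The HOTP values can be checked against the RFC 4226 test vectors (secret "12345678901234567890", counter 0 gives 755224).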

What is Authorization?

Authorization is the process of determining and granting permissions to an authenticated user
or system, specifying which resources they can access and which actions they are allowed to
perform. It comes after authentication and ensures that the authenticated entity has the proper
rights to use particular data, applications, or services. This step is important for enforcing
security policies and controlling access within the system, thereby preventing
unauthorized activities.

Key Components of Authorization:

1. Access Control:
• Rules governing user permissions on resources.
• Examples: Read, write, execute, delete.
2. Policy Enforcement:
• Applying security policies to determine access rights.
• Example: A user may only access files they own or those explicitly shared with
them.
3. Role Assignment:
• Based on the user's role or group membership (e.g., Admin, User, Guest).

Types of Authorization Models:

1. Role-Based Access Control (RBAC):
o Access is given based on roles, not individuals.
o Example: A manager can see project reports, but a team member cannot.
2. Mandatory Access Control (MAC):
o Access is restricted by system rules and sensitivity levels.
o Example: A confidential file can only be accessed by someone with a high-level
clearance.
3. Discretionary Access Control (DAC):
o The owner of a resource decides who can access it.
o Example: A person shares a document with specific people.
4. Attribute-Based Access Control (ABAC):
o Access is granted based on certain conditions like time or location.
o Example: Allow access only during office hours.
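The four models above, written as one deny-by-default decision function, as an added example that is not from these notes. It generalizes slightly beyond the text by evaluating all four models together and reporting which ones denied, which is what an audit log should record. The role table, sensitivity levels, users and resources are constructed for illustration.

```python
"""Added example: RBAC, MAC, DAC and ABAC combined into one decision.
All tables, subjects and resources here are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import time

# RBAC: permissions attach to roles, never to individuals (constructed table).
# A manager can read reports; a team member cannot.
ROLE_PERMISSIONS = {
    "manager": {"report:read", "report:write"},
    "member": {"document:read", "document:write"},
}

# MAC: sensitivity labels ordered from least to most restricted (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# ABAC: the office-hours condition from the notes.
OFFICE_HOURS = (time(9, 0), time(17, 0))


@dataclass
class Subject:
    name: str
    roles: set[str]
    clearance: str                    # MAC attribute


@dataclass
class Resource:
    name: str
    kind: str                         # "report" or "document"
    owner: str                        # DAC: the owner decides sharing
    sensitivity: str                  # MAC label
    shared_with: set[str] = field(default_factory=set)


def rbac_allows(subject: Subject, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


def mac_allows(subject: Subject, resource: Resource) -> bool:
    # No read-up: the clearance must dominate the resource's sensitivity label.
    return LEVELS[subject.clearance] >= LEVELS[resource.sensitivity]


def dac_allows(subject: Subject, resource: Resource) -> bool:
    return subject.name == resource.owner or subject.name in resource.shared_with


def abac_allows(now: time) -> bool:
    start, end = OFFICE_HOURS
    return start <= now < end


def authorize(subject: Subject, action: str, resource: Resource,
              now: time) -> tuple[bool, list[str]]:
    """Deny by default: every model must agree. Returns the decision and the
    list of models that denied, so a denial can be explained and logged."""
    denials = []
    if not rbac_allows(subject, f"{resource.kind}:{action}"):
        denials.append("RBAC")
    if not mac_allows(subject, resource):
        denials.append("MAC")
    if not dac_allows(subject, resource):
        denials.append("DAC")
    if not abac_allows(now):
        denials.append("ABAC")
    return (not denials, denials)


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Constructed scenarios mirroring the examples given for each model."""
    alice = Subject("alice", {"manager"}, "confidential")
    bob = Subject("bob", {"member"}, "internal")
    report = Resource("q3-report", "report", owner="alice",
                      sensitivity="internal", shared_with={"bob"})
    memo = Resource("board-memo", "document", owner="alice",
                    sensitivity="confidential")
    return {
        "manager reads report at 10:00": authorize(alice, "read", report, time(10, 0)),
        "member reads report at 10:00": authorize(bob, "read", report, time(10, 0)),
        "manager reads report at 20:00": authorize(alice, "read", report, time(20, 0)),
        "member reads unshared confidential memo": authorize(bob, "read", memo, time(10, 0)),
    }
```

Note the combination rule: a subject must pass every applicable model, and any single denial wins. In the last scenario the member's role does permit reading documents, but both the sensitivity label (MAC) and the owner's sharing decision (DAC) refuse, so the request is denied for two independent reasons.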

Authentication verifies the identity of a person or device, while authorization
determines their access rights and permissions within a system. Together, they ensure that
users are not only who they claim to be but also have the permissions to perform certain
actions or access certain resources.
