Authentication vs Authorisation
I recently talked a teammate through a map of our project’s architecture, and she pointed out that I’d labelled some connections as authentication and others as authorisation. She was surprised that they were separate things.
I totally grok her surprise. The terms show up together often enough for the lines to be blurred. I’m not going to embarrass anyone for not knowing where the line is drawn between them.
But if you don’t know the difference, then I bet you’re curious. Right?
I thought so. I can tell you’re awesome.
Let’s dive in!
We make claims about ourselves every day. For example, every time I want to post a tweet via @getcodelove, I make a claim to Twitter that I own that account.
Naturally our claims are tested, otherwise any liar could get away with anything.
| Claim | Testing the claim | Assumption |
|---|---|---|
| When posting a tweet: “I own @getcodelove.” | Twitter compares the password you enter with the password on the account. | Only you know the password on your account, so the person entering that password is likely to be you. |
| When paying for groceries: “I own this bank account.” | The terminal wirelessly reads the account details from your credit card. | Only you have access to your credit card, so the person presenting it is likely to be you. |
| When boarding an airplane: “I am Guybrush Threepwood.” | Security officers compare you to your passport. | Only you match the details in your passport, so the person matching the details is likely to be you. |
Other “things” can make claims too. A painting might be offered for sale to you as an original Van Gogh, but you’d be smart to test that claim before handing over your cash.
| Claim | Testing the claim | Assumption |
|---|---|---|
| “I was painted by Van Gogh.” | The customer checks the Certificate of Authenticity. | The certificate was issued by a trusted authority, so its claim of history can likely be trusted. |
| “I am owned by Amazon.” | The visitor checks the certificate in their browser. | The certificate was issued by a trusted authority, so its claim of ownership can likely be trusted. |
| “I was manufactured by HP.” | The printer checks the cartridge’s serial number against the manufacturer’s list online. | The serial number was signed by the manufacturer, so its claim of origin can likely be trusted. |
As you can see, it’s not enough to simply make a claim. The claim has to be tested. Authentication is the act of figuring out if a claim is truthful.
The method of authentication depends on the claim. Sometimes authentication is a test of something you know (e.g. a password), something you have (e.g. a contactless credit card) or something you are (e.g. your fingerprint). If there’s a test of a claim, then that’s authentication.
Notice that authentication doesn’t care why you’re authenticating. Authentication doesn’t ask what you intend to do.
Authentication only asks, “Am I confident that this claim is true?”
Authentication doesn’t deal in absolutes
No authentication system can ever be absolutely certain that a claim is true.
Think of a method of authentication. Any you like. It can be an existing one, or you can make up a super futuristic method if you’re feeling creative. How many ways can you think of to fool it? I guarantee, there’s at least one.
Let’s say you log into a website with a username and password. How could the website ever be absolutely certain that you are who you say you are, based on just that?
- What if you’re letting a friend use your Netflix account? They know your password, but they’re not you.
- What if hackers have cracked your Facebook password? They know your password, but they’re not you.
- What if a bug in the website has leaked your password? Now everyone knows your password, but they’re not you.
Not even biometric authentication – which reads characteristics of your body to authenticate your identity – can be absolutely certain. Your fingerprint can be copied. Your voice can be mimicked.
There are ways that authentication systems can increase their confidence in your claim. For example, multi-factor authentication requires you to provide multiple forms of proof, each of which adds more confidence to the overall result.
An authentication system might also passively gather additional information about the person claiming to be you, and use it for or against their authentication attempt. For example, it could look up your geographic location based on your IP address, then reduce its confidence if the person claiming to be you is logging in from a different country than you normally log in from.
Every authentication system will have its own confidence threshold. Some will care more than others. Some will have legal obligations to care more than others. The important thing is, an authenticated claim isn’t guaranteed to be truthful; it’s just likely to be.
So, you’ve been authenticated! You proved your identity and you’re logged into Twitter. Now you can tweet whatever you want, read whatever you want, and do whatever you want… right?
Well, not necessarily.
| Authenticated? | You want to… | Authorised? |
|---|---|---|
| Yes | Post a tweet. | No. Your account has been suspended. |
| Yes | Read your mum’s tweets. | No. She’s blocked you. |
| Yes | Follow your favourite author. | No. You’ve reached the limit of the number of accounts you can follow today. |
See how you were successfully authenticated in all of those examples, but you couldn’t perform the action that you wanted to? This is the difference between authentication and authorisation. Authorisation is the act of figuring out if an entity is allowed to do what it wants to do.
- Just because you authenticated your identity via your passport, doesn’t mean you’re authorised to fly. Maybe you were a drunken asshole at the airport bar and got locked up.
- Just because you authenticated your ownership of your bank account by swiping your card, doesn’t mean you’re authorised to take funds from the account. Maybe it’s an unusually large transaction, and your bank is blocking it as potential fraud.
- Just because you authenticated your ownership of your phone by scanning your fingerprint, doesn’t mean you’re authorised to install the game you want. Maybe it’s age-restricted, and your account records you as being a child.
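To make the split concrete, here is an added example of my own (not code from Twitter or from this post) that keeps the two decisions in separate functions: `authenticate` tests the “I own this account” claim and returns a confidence score that a location mismatch lowers and a second factor raises, while `authorise` takes the identity as settled and applies the three policy rules from the table above. The account names, the 80% threshold and the point values are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data for a Twitter-like service: not real accounts.
SALT = b"constructed-salt"
ITERATIONS = 50_000
THRESHOLD = 80          # minimum confidence (percent) to accept the identity claim

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

USERS = {
    "getcodelove": {"pw": hash_password("correct horse"), "country": "AU", "suspended": False},
    "mum": {"pw": hash_password("secret"), "country": "AU", "suspended": False},
    "guybrush": {"pw": hash_password("grog"), "country": "AU", "suspended": True},
}
BLOCKS = {"mum": {"getcodelove"}}     # mum has blocked getcodelove
FOLLOWS_TODAY = {"getcodelove": 400}  # follows already made today
FOLLOW_LIMIT = 400

def authenticate(user, password, login_country, otp_ok=False):
    """Test the claim "I own this account". Returns (accepted, confidence).
    Confidence never reaches 100: a correct password only makes it *likely*
    that the claimant is the owner."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["pw"], hash_password(password)):
        return False, 0
    confidence = 85                        # something you know checked out
    if login_country != record["country"]:
        confidence -= 20                   # passive signal: unusual location
    if otp_ok:
        confidence += 15                   # something you have: second factor
    return confidence >= THRESHOLD, confidence

def authorise(user, action, target=None):
    """Decide whether an already-authenticated user may perform the action.
    Identity is taken as settled here; only policy is checked."""
    if USERS[user]["suspended"]:
        return False, "account suspended"
    if action == "read" and user in BLOCKS.get(target, set()):
        return False, f"{target} has blocked you"
    if action == "follow" and FOLLOWS_TODAY.get(user, 0) >= FOLLOW_LIMIT:
        return False, "daily follow limit reached"
    return True, "allowed"

if __name__ == "__main__":
    ok, score = authenticate("getcodelove", "correct horse", "AU")
    print("authenticated:", ok, score)
    print("post:", authorise("getcodelove", "post"))
```

Note that `authorise` never looks at the password: once the claim has been accepted, only policy decides, which is exactly why a valid login can still end in “No”.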
Things to remember
Authentication is the act of figuring out if a claim is truthful.
Authorisation is the act of figuring out if an action is allowed.
You can’t assume that an authenticated identity is an authorised identity.
More often than not, authentication blurs seamlessly into authorisation. Most Facebook users, for example, wouldn’t consider any difference between “logging in” and “being allowed to post”. One follows the other, and they’re each part of the same thing.
But as a software developer – which I’m assuming you are – understanding the difference between the two, the different methods of implementing the two, the problems you should expect and the assumptions that you… well, shouldn’t, will serve you well.
“Star Wars: Episode III Revenge of the Sith” and all elements associated thereto are the sole and exclusive property of Lucasfilm Limited, and elements are reused in this article with a hope and a prayer that Disney doesn’t sue my ass.
“The Starry Night” by Vincent van Gogh is understood to be in the public domain, and is reused from Wikimedia Commons with thanks.