Authentication, verification and authorization are three closely related terms in IT security. Unfortunately, they are often misunderstood. We will consider the differences between these terms by looking at some examples.
In hardly any other area of IT security is there so much confusion between the meaning of the terms authentication, verification and authorization. Even experienced security experts get them muddled up. That's why we would like to explain the main differences between authentication, verification and authorization and make it clear where the differences are between these terms.
What authentication, verification and authorization mean
Authentication is the proof of identity, verification confirms its authenticity, and authorization grants authenticated entities certain access rights.
Authentication: This term is often used as a synonym for verification, but this is not entirely correct. By authentication we only mean the proof of the identity of something or someone. Generally, such proof of identity is provided by logging in using a username and password. In addition, smart cards, biometric methods or one-time passwords (One Time Passwords) are also used.
- Authentication is about WHO, it is concerned with identity.
Verification: Verification verifies the authenticity of the identity of a person, application, or device. Verification ensures trust and that only authorized entities have access to protected resources. Specific examples from IT security include verifying the authenticity and validity of a certificate, a website or even a digital document.
- Verification confirms the AUTHENTICITY of identity documents.
Authorization: Verification must take place before the authorization to do or receive something is granted. This process specifies in detail what access rights and permissions the authenticated person, application, or device receives for the resources provided. Access control determines the actual rights granted to services, functions and data.
- Authorization determines WHAT someone or something is allowed to do.
Authentication determines the identity of persons, applications or devices and verification ensures that this identity is authentic. Finally, authorization specifies what access rights can be granted by the system.
How authentication and verification are used
Below you will find three practical examples for authentication, verification and authorization.
Examples of authentication
As mentioned earlier, authentication is primarily about verifying the identity of a user, application, or device.
- Login by username and password: This is the most common and well-known type of authentication. For example, when logging in, a user must enter both their username and password. They only gain access to the systems and its resources when they enter the correct password.
- Two-factor authentication: Since usernames and passwords can easily be stolen and misused, additional authentication measures such as two- or multi-factor authentication (2FA or MFA) were introduced. After entering the user name and password combination, users are prompted to enter a code that is usually only valid once and only for a short time. To do this, they need a special device known as a hardware token, or a smartphone app.
- Biometric authentication: This method of authentication uses unique biological characteristics of a person to uniquely identify them. This includes, for example, voice, iris, fingerprint and facial recognition. Most smartphones and business notebooks now support biometric authentication.
Examples of verification
Verification on the other hand checks the authenticity of the identity that an entity has previously provided in the authentication process.
- SSL/TLS Certificates: When visiting a website encrypted with SSL/TLS (Secure Sockets Layer, Transport Layer Security) with a browser, the certificate used is verified. This ensures that the data transmission between the website and the browser is secure and encrypted. It also ensures that the website is trustworthy. Verification takes place when the user’s browser checks the authenticity and validity of the SSL/TLS certificate.
- Digital signatures: Digital keys must also be verified if people send a signed document by e-mail. Verification proves that the message actually originates from the specified sender and is authentic.
- Verification of e-mails: Verification reduces the number of spam and phishing emails that block countless mailboxes worldwide. For this purpose, techniques such as the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) were developed. They can be used to determine whether incoming e-mails actually originate from the specified sender or whether they are fake. In the second case, they can be safely ignored.
Examples of authorization
Authorization determines which resources an already authenticated user, application, or device is allowed to access.
- Role-based access: Companies use authorizations to define roles. This is how they determine who is allowed to access what. For example, a regular employee usually gets fewer access rights than a senior manager or an administrator.
- Access to databases: Authorizations can be used in databases to specify which users are allowed to access which data and functions. It is also possible to define granular permissions, such as only reading, but not writing or modifying certain records.
- Access to business applications: For example, if project management software is used, not every user usually receives all the permissions to create, edit or delete new tasks, for example. In this way, a company ensures that the members of a team can only access the information and functions that are relevant to them and that they need for their current tasks.
Authenticate, verify, and authorize via single sign-on
Unmanageable growth in accounts and passwords affects many companies today. The solution is a single sign-on system. Users then only need to authenticate once to gain secure access to all the resources they need. Verification can be done using a modern VPN solution. Read more about this in our blog post “How SAML Single Sign-On simplifies login”.