Authenticate, authenticating, and authorizing: terms that are used frequently, but are they used correctly? In everyday usage, presenting proof of identity and verifying that proof are both simply called "authenticating," and the word is often used as a synonym for "authorizing" as well. The processes involved, however, are different. Today's post therefore serves to clarify what lies behind the terms "authenticate, authenticating and authorize," and what these technical terms have to do with IT security. To classify the terms more easily, we also give examples from the analog world.
Authenticate, authenticating & authorize: parts of the registration
The terms "authenticate," "authenticating" and "authorize" are closely related and are all part of a login process: authenticating means presenting proof of identity. During authentication, that proof of identity is checked for authenticity. And authorization is the granting of access rights after the identity has been proven successfully. But let's go into more detail:
Authenticate: prove identity
Users who want to log in to an IT system first authenticate themselves, i.e., they present proof of identity. This proof can take several different forms:
- Something only the user knows (knowledge factor), e.g., a password, a pattern, a passphrase, or a PIN.
- Something that is an inimitable part of the user (inherence factor), such as biometric data, e.g., a fingerprint or the iris.
- Something the user possesses (possession factor), such as a digital identity, a token, a badge, a smart card, or a certificate.
- A combination of factors from the categories above (multi-factor authentication).
Users act actively during this step: they prove their identity in one of these ways, providing evidence that they really are who they claim to be. In the analog world, this is usually done with an identification document; in the digital world, the methods listed above are available.
Authenticating: verification of proof of identity
Presenting proof of identity is followed by verifying it: the proof that users provided when authenticating is now checked. Transferred to analog life, the identity document of the person to be authenticated would be examined for authenticity in this step. A trustworthy entity thus verifies, or rejects, the data that the user presented as proof of identity when logging in.
The factors presented in the paragraph above are exactly what gets verified here. Verification against the knowledge factor compares the entered password, PIN, passphrase, pattern, or other secret with what the system has on record (for passwords, ideally only a salted hash, never the password itself). Verification via possession (tokens, a digital identity, etc.) and via biometrics (iris, fingerprint, voice, etc.) works the same way: the presented factor is compared with stored reference data.
The more independent factors that are used for authentication, the more secure a login process can be. It is conceivable that criminals crack one element such as a password. However, they have a much harder time if one or more factors from a different category are added, such as an iris scan or a token, because a second factor of a different kind usually cannot be captured by the same attack. Two factors from the same category, for example a password plus a PIN, add far less, since whatever reveals one (phishing, a keylogger) typically reveals the other as well.
Authorization: granting certain rights
The login process does not end with verification of the proof of identity: the authorization is still missing, i.e., granting access to those resources that may be accessed once the identity has been successfully verified. Successful authentication is not synonymous with access to all resources in the network. Let's look at this again with an example from the analog world to clarify:
You are at a cash machine and want to withdraw money. First, you authenticate yourself with your EC card, something only you have, and your PIN, something that ideally only you know. The ATM now checks whether the PIN matches the card: that is the verification of your proof of identity, and it establishes you as a legitimate user of the account. After successful verification you can withdraw cash, but not an unlimited amount: only what your account balance and your withdrawal limit allow. That is the authorization.
If we transfer our example back to IT, this means: you log in with your e-mail address, a password, and a biometric factor; that is authenticating, i.e., your proof of identity. The system checks whether the e-mail address, password, and biometric factor match what it has on record; that is the verification of your proof. Then you are authorized to access specific data. Due to rights management, however, you cannot access employee data: that authorization is missing.
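The three steps of the IT example as an added, runnable illustration (this is example code written for this post, not the code of any real login system). It keeps the three steps in separate functions so the separation the post describes is visible in code: the user presents an identity claim plus a knowledge factor (password) and a possession factor (a TOTP code from an authenticator app); the system verifies both against stored reference data; and a separate role table decides what the verified identity may access. The user, password, salt, TOTP seed and role names are constructed for the demo; the TOTP counter is passed in explicitly so the example is reproducible.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample data for the demo (not real users, seeds or hashes).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed so the demo is reproducible
_TOTP_SEED = b"constructed-demo-seed"                       # would be a random secret in practice
PBKDF2_ROUNDS = 200_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash; the server stores this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user store: knowledge factor (password hash), possession factor
# (TOTP seed) and the role that authorization is decided on later.
USERS = {
    "alice@example.com": {
        "salt": _SALT,
        "pw_hash": _pbkdf2("correct horse battery staple", _SALT),
        "totp_seed": _TOTP_SEED,
        "role": "analyst",
    },
}

# Role -> permissions. This table, not the login check, decides what a user may access.
PERMISSIONS = {
    "analyst": {"read:reports"},
    "hr": {"read:reports", "read:employee_data"},
}


def totp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1) for an explicit 30-second counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def present_proof(email: str, password: str, otp: str) -> dict:
    """Step 1, the user's act: claim an identity and present the factors that back it up."""
    return {"claim": email, "knowledge": password, "possession": otp}


def verify_proof(proof: dict, counter: int):
    """Step 2, the system's act: check every factor. Returns the verified identity or None."""
    user = USERS.get(proof["claim"])
    # Do the expensive hash even for unknown e-mails so response time does not
    # reveal which accounts exist.
    salt = user["salt"] if user else _SALT
    expected = user["pw_hash"] if user else _pbkdf2("", _SALT)
    password_ok = hmac.compare_digest(_pbkdf2(proof["knowledge"], salt), expected)
    otp_ok = user is not None and hmac.compare_digest(
        totp(user["totp_seed"], counter), proof["possession"]
    )
    if user is not None and password_ok and otp_ok:
        return proof["claim"]
    return None


def authorize(identity: str, permission: str) -> bool:
    """Step 3: a verified identity still only gets what its role allows."""
    role = USERS[identity]["role"]
    return permission in PERMISSIONS.get(role, set())


def login_and_access(email: str, password: str, otp: str, permission: str, counter: int) -> str:
    """Runs all three steps in order and reports where the request stops."""
    identity = verify_proof(present_proof(email, password, otp), counter)
    if identity is None:
        return "authentication failed"
    if not authorize(identity, permission):
        return "authenticated but not authorized for " + permission
    return "granted " + permission


if __name__ == "__main__":
    now = int(time.time()) // 30
    code = totp(_TOTP_SEED, now)  # what the user's authenticator app would show
    print(login_and_access("alice@example.com", "correct horse battery staple", code, "read:reports", now))
    print(login_and_access("alice@example.com", "correct horse battery staple", code, "read:employee_data", now))
    print(login_and_access("alice@example.com", "wrong password", code, "read:reports", now))
```

Two details are worth noting. The verification step never returns "authorized"; it only returns a verified identity, and the role table is consulted in a separate call, which is what makes the employee-data request fail even though the login succeeded. And the comparisons use `hmac.compare_digest` and hash even unknown e-mail addresses, so the time a failed login takes does not leak which factor was wrong or which accounts exist.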
Authenticate, authenticating & authorize: New series starts
As you can see, it is quite understandable that the terms authenticate, authenticating and authorize are used synonymously in everyday life: they belong to one process. Nevertheless, it is essential to keep these terms apart in order to understand login processes with all their security mechanisms. We will go into even more depth in this regard: you can look forward to a new series on our blog in which we will report in detail on the topics of passwords, biometrics, and multi-factor authentication.