Authentication is the process of identifying a user and is the most visible and fundamental concept in security. From personal identification numbers (PINs) to driver’s licenses to user names and passwords, authentication is a part of everyone’s daily life. Without authentication, restricting access to resources based on a person’s identity would be impossible. Authorization is the process of verifying that a user is allowed to access a requested resource. Authorization generally happens only after authentication. After all, how can you determine whether someone is allowed to do something if you don’t yet know who they are? Figure 12-1 shows how authentication and authorization together provide a user’s identity and validate the user’s permissions.
Whether you’re withdrawing money from a bank, entering a restricted building, or boarding an airplane, gaining access to a restricted resource requires both authentication and authorization. The two processes are closely related and often confused. To understand the difference between authentication and authorization, consider an example in the physical world that most people are familiar with: boarding an airplane. Before you can board a plane, you must present both your identification and your ticket. Your identification, typically a driver’s license or a passport, enables the airport staff to determine who you are. Validating your identity is the authentication part of the boarding process. The airport staff also checks your ticket to make sure that the flight you are boarding is the correct one. Verifying that you are allowed to board the plane is the authorization process.
On networks, authentication is often performed by providing a user name and password. The user name identifies you, and the password offers the computer system some assurance that you really are who you claim to be. After you are authenticated, the computer agrees that you are who you claim to be. However, it doesn’t yet know whether you are allowed to access the resource you are requesting. For example, help desk support staff should have the right to reset a user’s password, but members of the accounting department should be able to change only their own passwords. To authorize the user, the computer system typically checks an ACL, which lists users and groups of users who are permitted to access a resource.
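The help desk and accounting scenario above can be sketched as two separate checks, as an added example that is not part of the original text. The user names, group names, permission names, and the choice of PBKDF2 for password storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored values are not plain passwords (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, groups: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "groups": set(groups)}

# Constructed sample accounts (hypothetical users and groups).
USERS = {
    "alice": make_user("alice-pw", {"helpdesk"}),
    "bob": make_user("bob-pw", {"accounting"}),
}

# ACL: each permission lists the groups allowed to use it (hypothetical names).
ACL = {
    "reset_any_password": {"helpdesk"},
    "change_own_password": {"helpdesk", "accounting"},
}

def authenticate(username: str, password: str):
    """Authentication: establish who the caller is, or return None."""
    user = USERS.get(username)
    # Hash even for unknown names so response time does not reveal valid users.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _hash(password, salt)
    if user and hmac.compare_digest(candidate, user["hash"]):
        return username
    return None

def can_set_password(identity: str, target: str) -> bool:
    """Authorization: consult the ACL for an already-authenticated identity."""
    needed = "change_own_password" if identity == target else "reset_any_password"
    return bool(USERS[identity]["groups"] & ACL[needed])

def request_password_change(username: str, password: str, target: str) -> str:
    identity = authenticate(username, password)
    if identity is None:
        return "401 not authenticated"   # identity was never established
    if not can_set_password(identity, target):
        return "403 not authorized"      # known user, but the ACL denies the action
    return "200 ok"
```

The two failure results are distinct on purpose: the first means the system does not know who is asking, the second means it knows and the ACL says no.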