Authentication: Differences to authorisation

Authentication and authorisation are often confused. We explain the difference between proving and verifying an identity, single- and two-factor methods, and how access rights are granted via RBAC and DAC.

Authentication, authentication and authorisation

Essentials in brief

  • means the proof of identity, for example by presenting an identity card or entering a user name and password. It also refers to the verification of the presented proof of identity, for example by viewing the identity card or checking the user name/password.
  • means – after authentication has been completed – the assignment of certain rights, such as read rights on a network drive.

1. Overview: Authentication vs. Authorisation

Authentication, authentication and authorisation are three technical terms that are frequently used in IT security.

In particular, the terms authentication and authorisation are often used synonymously.

In order to be able to reliably assign (authorise) certain access rights to data and information, we need to know exactly who we are dealing with. Personal auditions are not always realistic. We must therefore be able to digitally identify ourselves to a third party (authenticate). This third party then has the possibility to check our proof of identity (authenticate) and thus give the release for granting further rights (authorisation).

2. Authentication Step 1: Proving User Identity

There are basically three different ways to prove a digital identity.

Knowledge: The user knows something, for example a PIN or password. Possession: The user has something, for example an OTP generator, a debit card or a key. User: The presence of the user himself is proven by a biometric feature, for example a fingerprint.

A proof of identity of some kind, such as an email address combined with a password or PIN, is called single-factor authentication (SFA).

However, the password or PIN required for such proof can easily be stolen and misused for identity theft. Therefore, companies and public organisations have strengthened their identity verification by adding a second way to prove user identity.

For example, after entering an email and password, proof of ownership of the deposited SIM card is expected by sending an SMS TAN. This is then referred to as two-factor authentication (2FA).

In this respect, users must play an active role during authentication to prove that they are who they claim to be.

For comparison: In the analogue world, authentication is usually done by presenting an identity card in person. This is a kind of 2FA procedure, as the possession of a non-falsified ID card is combined with the personal audition of the matching of the biometric feature (image).

Transmission of authentication information to the verifying authority

In the digital world, the identity information provided must be transmitted via networks to a verifying body. If this data can be intercepted, it is possible to misuse it to impersonate a false identity.

Apart from ensuring an encrypted connection, there are two basic approaches to prevent this:

One-time passwords: Only one-time passwords such as an SMS TAN are transmitted. An attacker would not be able to use the connection even if it could be intercepted. Challenge-response method: The information is not transmitted directly, but only data derived from it, which is worthless in the event of an interception.

Strong authentication

The European Central Bank (ECB) has defined strong authentication as ‘a procedure based on two or more of the three authentication factors’. The factors used must be independent of each other and at least one factor must be “non-reusable and non-replicable”, except in the case of an inherence factor, and it must also not be able to be stolen from the Internet.

3. Authentication Step 2: Check and Confirm User Identity.

Authentication follows authentication: In this step, the proof of identity provided is checked by a verifier. From the user’s point of view, this process is passive.

This verifier, usually an IT system or server, must therefore have a certain amount of information at its disposal so that proof of identity can be verified or falsified.

For the sake of completeness, it should be noted that a database of plaintext passwords for password verification should not be part of this treasure trove of information.

Authentication as-a-service

There are a large set of authentication services in the software-as-a-service cloud delivery model. These services can be used by organisations to provide single sign-on functionality for on-prem and cloud services.

4. Authorisation: Granting Access or Access Rights.

After successful authentication, the identity of the user is ensured. The user is now authorised to access certain information or is granted certain access rights.

For example, project staff are granted access to confidential project information of their own project, but not to the other projects of the company or public organisation. The most commonly used authorisation techniques are RBAC and DAC.

Role-based access control (RBAC)

A set of roles is stored in an IT system. Examples could be project member project A, project member project B, system administrator, etc. Each user is assigned a set of roles. This should be done on a need-to-know basis: Users are only given access to the information that is currently needed for their work.

Discretionary Access Control (DAC)

In contrast to the role-based concept RBAC, DAC is user-centred. Access rights are set directly for each user and are not organised and managed via roles.

Frequently asked questions: authentication & authorisation

Authentication verifies who a user is by checking a proof of identity such as a username and password. Authorisation happens afterwards and determines what that verified user is allowed to do – for example granting read access to a network drive.

Authorisation is the assignment of specific access or admission rights once a user’s identity has been successfully authenticated, such as read rights on a network drive. It defines what an already identified user may do.

Two-factor authentication combines two independent proofs from the categories knowledge, possession and inherence – for example a password (knowledge) plus an SMS TAN sent to a registered SIM card (possession). This significantly reduces the risk of identity theft.

RBAC (role-based access control) grants rights through roles assigned to a user. DAC (discretionary access control) is user-centred and sets access rights directly for each individual user rather than via roles.

According to the European Central Bank, strong authentication is a procedure based on two or more of the three authentication factors knowledge, possession and inherence. The factors must be independent of each other and at least one must be non-reusable and non-replicable.

Have we sparked your interest?

Just give us a call or write us a message!

or use our contact form. We look forward to your enquiry!

Your request

Data protection

Related content

What is data security? Standards & Technologies

What is data security? Standards & Technologies

Data security is an important topic for all companies and authorities. Learn more about threats, measures and the legal framework here.

Attack Vector and Attack Surface)

Attack Vector and Attack Surface)

An attack vector is a way for attackers to penetrate a network or IT system. Typical attack vectors include …,

Buffer Overflow

Buffer Overflow

A buffer overflow is a programming error that can be exploited by hackers to gain unauthorized access to IT systems. It is one of the best-known…

Cybersecurity concept in 8 steps

Cybersecurity concept in 8 steps

A cybersecurity security concept refers to guidelines that are intended to ensure IT security in the company. It is about ensuring the availability,…

Proxy Server

Proxy Server

A proxy server works as an intermediary between two IT systems. Proxy servers offer different functionalities, improved security and optimised data…

What is MITRE ATT&CK?

What is MITRE ATT&CK?

The MITRE ATT&CK Framework is a continuously updated knowledge base consisting of cyber attacker tactics and techniques across the attack lifecycle.

Endpoint Security

Endpoint Security

A proxy server works as an intermediary between two IT systems. Proxy servers offer different functionalities, improved security and optimised data…

Need to Know Principle

Need to Know Principle

The need-to-know principle describes a security objective for confidential information. Access should only be granted to a user if the information is…

Top 10 Vulnerability Scanners for 2026

Top 10 Vulnerability Scanners for 2026

Vulnerability scanners are automated tools that organisations can use to monitor their networks, systems and applications for security weaknesses….

NTLM Authentication

NTLM Authentication

In this article, we explain what NTLM authentication is, how it works, and how it can be exploited by attackers.

Information Security Management Systems (ISMS)

Information Security Management Systems (ISMS)

An Information Security Management System (ISMS) defines methods to ensure information security in an organisation.

CVSS (Common Vulnerability Scoring System)

CVSS (Common Vulnerability Scoring System)

The CVSS Score provides a numerical representation (0.0 to 10.0) of the severity of a security vulnerability in IT. We explain how the Common…

What is Information Security?

What is Information Security?

Information security is intended to ensure the confidentiality, integrity and availability of information. The information can be available on IT…

CIS Controls - A Quick Overview of CIS Controls

CIS Controls – A Quick Overview of CIS Controls

The CIS Critical Security Controls (CIS Controls) are a prioritized list of protective measures to defend against the most common cyber attacks on IT…

Penetration Tester Career Guide

Penetration Tester Career Guide

How does one actually become a pentester? What does a pentester earn? Do career changers also have a chance? And what does a penetration tester do all…

Firewalls & Firewall-Architecture

Firewalls & Firewall-Architecture

How does a firewall actually work? What does a good enterprise firewall architecture look like? To what extent does appropriate network segmentation…