Essentials in brief
1. Overview: Authentication vs. Authorisation
Authentication in the sense of proving one's identity, authentication in the sense of verifying it, and authorisation are three technical terms that are frequently used in IT security.
In particular, the terms authentication and authorisation are often used synonymously.
In order to reliably assign (authorise) certain access rights to data and information, we need to know exactly who we are dealing with. Appearing in person is not always realistic. We must therefore be able to identify ourselves digitally to a third party (authentication, step 1: proving identity). This third party can then check our proof of identity (authentication, step 2: verifying identity) and, on that basis, grant further rights (authorisation).
2. Authentication Step 1: Proving User Identity
There are basically three different ways to prove a digital identity.
A single proof of identity, such as an email address combined with a password or PIN, is called single-factor authentication (SFA).
However, the password or PIN required for such proof can easily be stolen and misused for identity theft. Therefore, companies and public organisations have strengthened their identity verification by adding a second way to prove user identity.
For example, after entering an email address and password, proof of possession of the registered SIM card is requested by sending an SMS TAN. This is then referred to as two-factor authentication (2FA).
In this respect, users must play an active role during authentication to prove that they are who they claim to be.
For comparison: in the analogue world, authentication is usually done by presenting an identity card in person. This is a kind of 2FA procedure, as possession of a genuine ID card is combined with an in-person comparison of a biometric feature (the photograph).
Transmission of authentication information to the verifying authority
In the digital world, the identity information provided must be transmitted via networks to a verifying body. If this data can be intercepted, it is possible to misuse it to impersonate a false identity.
Apart from ensuring an encrypted connection, there are two basic approaches to prevent this:
- One-time passwords: Only one-time passwords such as an SMS TAN are transmitted. Even if the transmission is intercepted, the captured value cannot be reused by an attacker.
- Challenge-response method: The secret itself is not transmitted; only data derived from it is sent, which is worthless to anyone who intercepts it.
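As an added example that is not part of the original article, here is the challenge-response approach from the list above in Python: the verifier stores only a PBKDF2-derived key, issues a fresh random challenge for every attempt, and the client answers with an HMAC over that challenge, so neither the password nor the stored key crosses the network and a captured response is useless for any later challenge. The salt, password and function names are constructed for this demo.

```python
import hashlib
import hmac
import os

# Constructed demo credentials (not from the original article).
SALT = b"demo-salt-0001"
PASSWORD = b"correct horse battery staple"


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Slow, salted key derivation; the verifier stores this key, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def new_challenge() -> bytes:
    """Verifier side: a fresh random nonce for each login attempt."""
    return os.urandom(16)


def respond(password: bytes, salt: bytes, challenge: bytes) -> bytes:
    """Client side: only HMAC(key, challenge) is sent, never the password or key."""
    return hmac.new(derive_key(password, salt), challenge, "sha256").digest()


def verify(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the expected response and compare in constant time."""
    expected = hmac.new(stored_key, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run one genuine login, one replayed response and one wrong password."""
    stored_key = derive_key(PASSWORD, SALT)  # what the verifier keeps on file
    ch1 = new_challenge()
    resp1 = respond(PASSWORD, SALT, ch1)  # intercepted by an eavesdropper
    ch2 = new_challenge()  # next login gets a different challenge
    return {
        "genuine": verify(stored_key, ch1, resp1),
        "replayed_response": verify(stored_key, ch2, resp1),
        "wrong_password": verify(stored_key, ch1, respond(b"wrong", SALT, ch1)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the stored key is itself sufficient to answer challenges, so the verifier's database still needs protecting; what the scheme buys is that an intercepted response reveals neither the password nor the key.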
The European Central Bank (ECB) has defined strong authentication as "a procedure based on two or more of the three authentication factors". The factors used must be independent of each other, and at least one factor must be "non-reusable and non-replicable" (except in the case of an inherence factor) and must not be capable of being stolen via the Internet.
3. Authentication Step 2: Checking and Confirming User Identity
Verification follows the proof of identity: in this step, the proof provided is checked by a verifier. From the user's point of view, this process is passive.
This verifier, usually an IT system or server, must therefore hold a certain amount of information so that the proof of identity can be confirmed or rejected.
For the sake of completeness, it should be noted that a database of plaintext passwords for password verification should not be part of this store of information.
There is a large set of authentication services available in the software-as-a-service (SaaS) cloud delivery model. Organisations can use these services to provide single sign-on (SSO) for on-premises and cloud services.
4. Authorisation: Granting Access or Access Rights
After successful authentication, the identity of the user is ensured. The user is now authorised to access certain information or is granted certain access rights.
For example, project staff are granted access to confidential project information of their own project, but not to the other projects of the company or public organisation. The most commonly used authorisation techniques are RBAC and DAC.
Role-based access control (RBAC)
A set of roles is stored in an IT system. Examples could be "project member, project A", "project member, project B", "system administrator", etc. Each user is assigned a set of roles. This should be done on a need-to-know basis: users are only given access to the information currently needed for their work.
Discretionary Access Control (DAC)
In contrast to the role-based concept RBAC, DAC is user-centred. Access rights are set directly for each user and are not organised and managed via roles.