Authentication vs. Authorization

Authentication and authorization procedures are basic components of online security aimed at keeping your data secure.

By Cryptopedia Staff

Updated March 10, 2022
2 min read


Summary

Authentication and authorization are common security processes that are often used in tandem. In basic terms, authentication checks your identity as a user, while authorization checks and controls what you have access to. When using a shared document, for example, you need to log in to authenticate your identity. Whether you have permission to open, view, or edit the document is determined by authorization controls.

Authentication

Basic authentication processes should be familiar to most people: inputting a password, answering security questions, and scanning a fingerprint to unlock your smartphone are all authentication methods, ways of proving that you are who you claim to be. Local authentication applications traditionally store credentials, which must be entered and validated before a user is granted access. Passwordless techniques such as WebAuthn, multi-factor authentication (MFA) such as U2F security keys, one-time passcodes sent via SMS, and single sign-on are increasingly popular and generally more secure than a password alone.

Most cryptocurrency exchanges use two-factor authentication (2FA), which requires a password followed by a second form of identifying information, like a fingerprint, a code sent to a smartphone, or a PIN, in order to sign on to a platform.

Biometric authentication is becoming a more commonplace method of authentication. This security process relies on a user’s unique physical or biological markers, like a fingerprint, which are compared with data stored in a database. If a user presents a facial scan or fingerprint that matches the stored biometric data for that approved user, authentication is confirmed. Because these biological markers are hard to fake and can’t be forgotten or lost like a password, biometric authentication has become a powerful and convenient tool for secure authentication on consumer smartphones, computers, and applications.

Hardware-backed authentication relies on a physical device to grant user access to computer and network resources. Typically, a hardware authenticator such as a USB security key or security token is plugged into the computer’s USB port, or connected wirelessly to the device the user is trying to access, and proves the user’s identity for that login. Combined with the user’s login credentials, the device provides protection even if you lose access to your phone or are subject to a SIM swap attack.

Authorization

Authorization generally comes after successful authentication. Authorization procedures verify whether you have the authority to access the content or resources you have requested. Some of these procedures work through access tokens, which carry security credentialing information about a user’s level of privilege and the extent of their access rights. For example, when a user provides credentials to log into a system and that login is authenticated, the system generates an access token indicating what access is permitted. When the user then tries to access a specific resource, the contents of that token are checked to determine whether the action is authorized.

In addition to token-based authorization, Role-Based Access Control (RBAC) assigns each user a role and grants the access privileges associated with that role. For example, in a business setting, an HR manager may be authorized to access sensitive employee records, whereas an intern might be restricted. Alternatively, Access Control Lists (ACLs) specify which users or processes are authorized to access specific objects or data, and which operations they may perform. On a shared Google doc, for example, specific users might be allowed to view but not edit, while others may perform any function. Both authentication and authorization procedures are central components not only for keeping cryptocurrency wallets and transactions secure, but also for how modern communication on the internet works.

Cryptopedia does not guarantee the reliability of the Site content and shall not be held liable for any errors, omissions, or inaccuracies. The opinions and views expressed in any Cryptopedia article are solely those of the author(s) and do not reflect the opinions of Gemini or its management. The information provided on the Site is for informational purposes only, and it does not constitute an endorsement of any of the products and services discussed or investment, financial, or trading advice. A qualified professional should be consulted prior to making financial decisions. Please visit our Cryptopedia Site Policy to learn more.
