Difference between Authentication and Authorization in LLD System Design (original) (raw)
Last Updated : 12 Dec, 2024
Two fundamental ideas in system design, particularly in low-level design (LLD), are authentication and authorization. While authorization establishes what resources or actions a user is permitted to access, authentication confirms a person's identity. Both are essential for building secure systems but serve different purposes. This article explains the differences between these two processes.
Table of Content
What is Authentication?
The process of authenticating persons or entities attempting to access a computer system, application, or network is utilized in system design. By limiting access to just authorized people or systems, it guards against unlawful use of resources and sensitive data.
Authentication Methods
- **Password-based Authentication
- **Description: The most common form of authentication, in this users provide a unique password to verify their identity.
- **Considerations: Passwords should be complex, stored securely, and users should be encouraged to use unique passwords.
- **Multi-Factor Authentication (MFA)
- **Description: Requires users to provide multiple forms of identification, such as a password and a temporary code is sent to their mobile device.
- **Advantages: Enhances security by adding an extra layer of verification, even if one factor is compromised.
- **Biometric Authentication
- **Description: Involves using unique physical or behavioral characteristics for identification, like fingerprints, facial recognition, or voice recognition.
- **Considerations: Biometric data should be securely stored and processed to prevent unauthorized access.
- **Token-based Authentication
- **Description: Users are given a physical or digital token (like a security key or smart card) for authentication.
- **Advantages: Provides an additional physical element that needs to be present for authentication.
- **OAuth Connect
- **Description: Protocols used for authentication and authorization in the context of web applications and APIs.
- **Use Cases: Commonly used for delegated authorization, allowing third-party applications to access user data.
Determining what functions or actions a person, system, or other entity is permitted to carry out within a software system or network is known as authorization. Ensuring that only authorized individuals or entities have access to particular resources, functionality, or information is an essential component of security.
Authorization Models
After the authentication step, users want access to specific data to do their tasks. For this, they need authorization. Here are some common authorization methods:
- **Role-Based Access Control (RBAC):
- Assigning roles to users or groups, letting them access only what their role requires.
- **Example: HR personnel can access HR data but not finance information.
- **Security Assertion Markup Language (SAML):
- Using an XML-based protocol for Single Sign-On, allowing admins to control resource access.
- **Example: Access permissions are communicated through digitally signed documents.
- **OpenID Authorization:
- Checking a user's identity through OpenID standards, ensuring consistency across systems.
- **Example: Standardised authorization based on authentication from an authorization server.
- **OAuth Authorization:
- It allows secure access within applications using permission tokens.
- **Example: Users grant access to their information to certain apps without sharing their password.
- **Device Permissions:
- Granting access based on the device trying to connect to a resource.
- **Example: Only approved devices can establish a connection.
Differences between Authentication and Authorization
| Aspect | Authentication | Authorization |
|---|---|---|
| Definition | Verifies the user's identity. | Determines the user's access to resources or actions. |
| Focus | "Who are you?" | "What are you allowed to do?" |
| Process | Typically involves usernames, passwords, or biometrics. | Involves checking permissions or roles assigned to the user. |
| Order | Happens before Authorization. | Happens after Authentication. |
| Scope | Ensures the user is genuine. | Ensures the user has access rights. |
| Implementation | Login pages, OTP, fingerprint scans. | Role-based access control (RBAC), policy checks. |
| Example | Entering a password to log into an account. | Checking if the logged-in user can view or edit a file. |
| Security Purpose | Protects against unauthorized user access. | Protects against unauthorized actions by authenticated users. |
Conclusion
When you're designing a system, it's super important to understand two big things: authentication and authorization.
- **Authentication is like checking someone's ID to make sure they really are who they say they are.
- **Authorization, on the other hand, is making sure that once someone is confirmed to be who they say they are, they only get access to the stuff they're supposed to.
By paying attention to these details when building a system, developers can make sure it's not just good at confirming identities but also good at controlling who gets access to what. This helps a lot in preventing unauthorized actions and keeping data safe.