Question

This week we look at authorization and authentication as a means of keeping data secure. Security is, of course, essential when accessing or moving data from client side to server-side and back again. Explore the differences between authorization and authentication and the instances in which they would be appropriate to use.

When discussing with peers, look for areas in which you hold a different perspective and explain why.

Answer 1

Answer:

Authentication mechanism determines the user’s identity before revealing the sensitive information. It is very crucial for the system or interfaces where the user’s priority is to protect the confidential information. In the process, the user makes a provable claim about individual identity (his or her) or an entity’s identity.

The credentials or claim could be a username, password, fingerprint etc. The authentication and non-repudiation, kind of issues are handled in the application layer. The inefficient authentication mechanism could significantly affect the availability of the service.

Authorization technique is used to determine the permissions that are granted to an authenticated user. In simple words, it checks whether the user is permitted to access the particular resources or not. Authorization occurs after authentication, where the user’s identity is assured prior then the access list for the user is determined by looking up the entries stored in the tables and databases.

key differences between:

1. The Authentication is used to verify the user’s identity in order to permit access to the system. On the other hand, the authorization determines, who should be able to access what.
2. In the authentication process, the user credentials are verified, whereas in authorization process the authenticated user’s access list is validated.
3. The former process is authentication, then authorization occurs.

instances in which they would be appropriate to use:

Authentication is appropriate to use where user identity, who is going to access the information, needs to be verified.

Authorization is appropriate to use where information needs to be restricted for dedicated users therefore on the basis of that permissions are granted for data access.

For Example:

Lets take the use case of Amazon Website. there are 3 type of users on Amazon Admins, Sellers, Customers.

in the first scenario, to access the website user needs to verified so that amazon could verify who is using the website information so here authentication technique is required to know their users.

In the second scenario, on the basis of user type(seller, customer and admins) some of the content should be restricted to dedicated user type like customer would only see the products which are available and listed and seller will see the service catalog and products they have listed on amazon but this information is only visible to the dedicated seller any customer could not see this information.In this scenario Authorization technique is used in order to restrict or provide particular access to the users