Authentication and Authorization

What are Authentication and Authorization?

Authentication is the process of verifying an entity’s identity – for example, confirming a user is who they claim to be via passwords, tokens, biometrics, etc. Authorization, by contrast, determines what an authenticated entity is allowed to do or access. In other words, authentication asks “Who are you?”, and authorization asks “What are you allowed to do?”. Historically, these concepts form two pillars of the AAA (Authentication, Authorization, Accounting) security framework.

Technically, authentication mechanisms include passwords, one-time codes, cryptographic keys, or biometrics that prove identity. Authorization is enforced through access control models and policies (roles, permissions, ACLs) that grant or deny specific actions. 

For example, when you log in to an email service, authentication verifies your credentials, and then authorization ensures you can only access your own mailbox and not someone else’s. Authentication establishes identity and generates credentials or tokens; authorization uses those credentials to decide if a request (like reading a record or performing an admin function) should be approved.

In cybersecurity, these functions are often closely linked – a strong authentication system keeps imposters out, and a robust authorization system limits each identity to appropriate access.

How does it affect identity security?

Authentication and authorization are fundamental to identity security. If either is weak or misconfigured, attackers can impersonate users or access sensitive resources improperly. Compromised authentication is a common attack vector – 81% of hacking-related breaches involve stolen or weak passwords. This highlights the need for strong authentication (including multi-factor methods) to protect identities.

Even once a user is authenticated, authorization controls are the gatekeepers that ensure a user (or process) cannot exceed their permitted scope. In fact, improper authorization (excessive privileges or lack of access checks) is a leading cause of data breaches. The OWASP Top 10 list of web application risks now ranks Broken Access Control as the #1 vulnerability, underscoring how critical proper authorization is.

Effective identity security requires both: authentication mitigates impersonation and unauthorized logins, while authorization mitigates over-access and enforces least privilege. For example, a system might strongly authenticate a user via MFA, but if broken authorization logic lets that user retrieve someone else’s records, a breach will still occur. Robust authN/authZ practices mitigate risks like account takeovers, data leakage, and privilege abuse. They ensure that even if credentials are stolen, attackers are limited by additional checks (such as 2FA and well-defined authorization policies).
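The mailbox example above and the "authenticated but not authorized" failure described in this section can be shown in a few lines of code. The following is an added example, not code from the original page: it models a tiny service with a salted-hash password check (authentication), a session token, and an ownership/role check on each mailbox read (authorization). The users, mailboxes, passwords and the `is_authorized` policy are constructed for illustration; `read_mailbox_broken` deliberately omits the authorization step to show the broken-access-control pattern, and `read_mailbox` is the corrected form.

```python
import hashlib
import hmac
import os
import secrets

# --- Constructed data (not from any real system) ---------------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; store this, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

# username -> credential record and role (constructed sample accounts)
USERS = {
    "alice": _make_user("correct horse battery staple", "user"),
    "bob": _make_user("bob-password-1", "user"),
    "carol": _make_user("carol-admin-pass", "admin"),
}

# mailbox id -> owner and content (constructed sample records)
MAILBOXES = {
    "mb-1": {"owner": "alice", "subject": "alice's mail"},
    "mb-2": {"owner": "bob", "subject": "bob's mail"},
}

SESSIONS: dict[str, str] = {}  # session token -> authenticated username

# --- Authentication: "Who are you?" ----------------------------------------

def authenticate(username: str, password: str):
    """Verify credentials; return a fresh session token, or None on failure."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so unknown and known usernames take similar time.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def identity_from_token(token: str):
    """Map a session token back to the identity it was issued to."""
    return SESSIONS.get(token)

# --- Authorization: "What are you allowed to do?" --------------------------

def is_authorized(username: str, action: str, mailbox: dict) -> bool:
    """Hypothetical policy: owners and admins may read; only admins may delete."""
    role = USERS[username]["role"]
    if action == "read":
        return mailbox["owner"] == username or role == "admin"
    if action == "delete":
        return role == "admin"
    return False

def read_mailbox_broken(token: str, mailbox_id: str) -> str:
    """BROKEN ACCESS CONTROL: checks only that the caller is logged in.
    Any authenticated user can read any mailbox by changing mailbox_id."""
    who = identity_from_token(token)
    if who is None:
        raise PermissionError("not authenticated")
    return MAILBOXES[mailbox_id]["subject"]

def read_mailbox(token: str, mailbox_id: str) -> str:
    """Corrected handler: authenticate, then authorize against the object."""
    who = identity_from_token(token)
    if who is None:
        raise PermissionError("not authenticated")
    mailbox = MAILBOXES.get(mailbox_id)
    # Same error for "missing" and "not yours" so existence is not leaked.
    if mailbox is None or not is_authorized(who, "read", mailbox):
        raise PermissionError("not authorized")
    return mailbox["subject"]

if __name__ == "__main__":
    t = authenticate("alice", "correct horse battery staple")
    print("alice reads own mailbox:", read_mailbox(t, "mb-1"))
    print("broken handler leaks bob's mailbox:", read_mailbox_broken(t, "mb-2"))
    try:
        read_mailbox(t, "mb-2")
    except PermissionError as e:
        print("corrected handler:", e)
```

The point of the two handlers is that both call `identity_from_token` and would pass any "is the user logged in?" test; only `read_mailbox` consults `is_authorized` with the specific object being requested, which is the check whose absence OWASP classifies as Broken Access Control. In a real service the policy would live in a central layer rather than in each handler, so that a forgotten check cannot silently reopen the hole.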

Case studies

A notable breach illustrating authentication and authorization failures was the 2015 U.S. Office of Personnel Management (OPM) breach. Attackers first obtained network access (likely by stealing a contractor’s VPN credentials – an authentication lapse) and then moved laterally to databases containing millions of security clearance records. Critically, the attackers were able to reuse valid user credentials, aided by the lack of multifactor authentication, to log in to OPM systems, and then exploit weak authorization controls to dump entire databases.

Essentially, once they authenticated as a valid user, there were insufficient authorization checks to stop them from accessing massive amounts of data beyond that user’s normal scope. This breach led OPM and other agencies to implement two-factor authentication for remote access and stricter internal authorization partitions. 

Another example is the 2014 eBay breach: attackers obtained credentials of several employees (through phishing, i.e. broken authentication processes) and used those to access eBay’s user database. eBay had strong password encryption, but the breach occurred because the attackers were authenticated as privileged users. Moreover, it appeared those credentials gave broad access (perhaps over-privileged accounts), an authorization issue. The result was exposure of 145 million user records. This prompted eBay to improve employee authentication (rolling out hardware token MFA) and to review employee privileges. 
