Authentication vs. authorization: Which one should you use, and when?
What's the difference between authentication and authorization? Does it matter which you use — or do you need both? Are they the secure app's chicken and egg conundrum? Let's dive in.
What is authentication vs. authorization?
Generally, programmers seem to have subconscious reasoning for applying security and access controls to their applications. They'll describe a simple set of auth codes that protect the app if questioned.
But, I've found that if you keep pushing, things can get a little murkier.
Are you using authentication, authorization or both? What's the difference? Do these get mixed up because they both begin with "auth" and are sometimes referred to in the same way as short-hand? Maybe some of this mix comes from the fact that each seems to allow you to address the other's concerns if you stretch it a bit.
But, authentication and authorization are two separate things. Even if they go hand-in-hand for many applications, it's important to know the difference. Once you fully grasp this, it's clearer how to implement each securely and effectively.
Authentication vs. authorization example
I will be using the terms application and actor as I discuss authentication and authorization. My background is web applications, so I tend to think of people using my web application as visitors. But actor refers to any human or computer accessing your application in any manner. The term application means any piece of software. So, we could be referring to a visitor of your website, a user using a desktop application, or a consumer querying your API.
Authentication refers to identifying the actor using your application. That's it. All authentication is responsible for is saying "I can identify this actor" or "this actor is unidentified." The meaning and description of authentication are simple — that doesn't mean the implementation is. You might have a username and password, tokens, cookies, JWTs, or any number of other ways to authenticate a user. But, after the process is complete, we either can identify the actor or we can't.
Authorization refers to the permission to accomplish a task in your application. Tasks can be simple like listing resources or seeing the details of an object. Advanced ones may be creating or updating data, or moving data through a complex business workflow. Now, this is important: authorization does not require an authenticated actor. It just so happens that most authorization decisions are based on the specific permissions of an identified actor, but that isn't a requirement. We'll touch on this more later. But, the point is authorization is the mechanism that answers the question: "does this actor have permission to do this action."
Both authentication and authorization are necessary
It can be easy to assume that a very simple application does not need layers of complex authorization. That may seem true, but an authorization layer should be applied nevertheless. Let's talk about why.
I think most programmers recognize easily they will need authentication. How do we determine who an actor is? That's authentication. But decisions in the application don't always require an identified user.
Authorization programming can make decisions based on the fact that the actor is unknown or anonymous. Other times, authorization can be tied to outside conditions like location, time of day, business patterns, or anything else that doesn't necessarily require we know which identity is using the application.
Remember, a secure application is configured to give the least amount of access and information. In my opinion, that means that my application should always come from a default state of denying everything. And because of this, some of my authorization will apply to a non-authenticated user.
Let me break this down into a practical example. I have a page that displays a resource from my database to the actor. The business rule is simple: if the user is logged in, show them the resource's phone number and email address. If they're not, show a masked phone and placeholder email address.
So, this means that we need authentication because the decision is based on whether the user is logged in or not. However, the way I see it, I need two authorization requests.
I bet you thought I need one: something like ShouldVisitorSeeContactInformation
Simple — have this authorization return true if the visitor is authenticated. But, because I've decided to come from a root of denying everything, I have two: ShouldVisitorSeeFullContactInformation and ShouldVisitorSeeMaskedContactInformation. If we have an authenticated user, ShouldVisitorSeeFullContactInformation returns true. If we don't have an authenticated user, the other returns true. Then, instead of an if/else, I have two separate if statements. This is how I build in a deny-by-default secure authorization layer coupled with authentication. (That is to say, two independent truth checks, treating both outputs as a 'feature', allow for a deny-by-default configuration.)
Why would I do this, though? Sure it sounds theoretically more secure — but in practice, isn't it a lot of extra work? I'm glad you asked.
Using authorization correctly allows easy wholistic application changes
Let me share a real-world example from my career.
A client had requested that their web application list the resources for any visitor. Multiple pages had this listing shown and an API. They then requested that if visitors click through to the detail page or request details over the API, the visitor must be authenticated. Seems pretty simple.
Now, you might consider just checking for authenticated users at the top of the code that does the details retrieval. The other code needs no checks because it doesn't matter if they're logged in or not. (That is to say, whether the user is authenticated or not, either situation allows access.) There are only two states in this application: user is authenticated or not.
I can tell you, though, that only two states are rarely the case. There's hardly ever a time that an application matures without expanding its access controls beyond these two states. So, with this knowledge in place, I decided to implement authorization on all endpoints.
I implemented an authorization layer that simply returned true all the time on the endpoints that displayed lists of resources (including the API). A simple class that was reused on each endpoint always authorized access to the list of resources. Then, on the endpoint with the details, I created another class that returned true only when I had the visitor's identity. Simple.
Then it happened: business requirements changed! About a week after the web page was launched, the business decided they now wanted the lists of resources to be locked behind authentication.
Guess what? Because I had used authentication correctly, to begin with, it was super simple. I just modified the authorization class to list resources to check for an identified visitor. Done!
I can imagine a scenario where lists require an authenticated user, but details require a user who has a subscription. If that happens, I'm ready! I'm ready for the future changes in the business, too.
Get your free course catalog
Is using authorization over simple authentication checks premature optimization?
I'd be remiss if I didn't address the complexity that is properly implementing both authentication and authorization can inject into a simple project. If my application only needs to check for an authenticated user, am I gaining anything by adding authorization? Am I prematurely optimizing code? Or, is this a case of YAGNI (you ain't gonna need it)?
No, it's not. Rarely does an application last any amount of time with just two simple states. There's always something that gets added on. An admin interface? Now you need levels of authorization. Subscription tiers? Authorization! Even what an authenticated user is allowed to do can change. You can easily unify this by checking in an authorization layer. So, no, it's not premature optimization.
TLDR; What's the point?
Authentication determines an identity of an actor. Authorization decides if an actor has permission to take action. Your application, no matter how simple, should use both hand-in-hand. Authenticate actors when you must. Authorize actors, regardless of their identity, for every action.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Authentication vs. authorization: Which one should you use, and when?
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
- Introduction to the OWASP API Top Ten
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security