Authentication & Authorization: Do You Really Know?

In this article, we will be checking out a few important and basic concepts about authentication and authorizations which will help us make better authentication solutions for our applications in the future.

Important Terms/Concepts

Identity

Identity basically refers to the data which defines who/what is accessing the application/system. Identity can be used for users, devices, services & applications. It is basically a collection of data attributes that contains but not limited to username, email address, first name, last name, application id, client id, API key etc. It is generally managed by databases like SQL or Active Directory. The server which is managing the identities is termed as Identity Server.

Identity Service/ Provider

Although these are a bit confusing terms but for the shake of simplicity, Identity Service or Identity provider can be considered as a software or Web service or platform that authenticates and issues tokens that represent a user or other entity. It uses identity server as a source of truth for authenticating the identity.

Authentication

Authentication is basically proving identity. It is a method to establish whether the user who is claiming who he is, is actually that person who he is claiming to be and is the genuine person. Authentication in the context of web applications is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.

Authorization factors

Authentication methods generally involve three factors to verify your claim.A authentication method is considered strong authentication, if it involves atleast 2 factors out of the below three. When authentication involves 2 factors, its often termed as 2 factor authentication.

Authentication Factors For Users

• What you know, e.g. Secrets like usernames, passwords etc
• What you have, e.g. physical proofs like token, smart card, phone
• What you are, e.g biometrics fingerprint, iris etc

Authentication Factors For Devices/Services

Devices and services will come in the form of API authentication. They can still be thought of as methods of proving identity but it’s not quite as easy to group them the same way that we can with user authentication factors.This is because all of the information that is received for an application is received at what’s called the application layer meaning that all of this information is transmitted virtually as ones and zeros essentially. Whether they are text fields or numeric fields all of the information sent via an API is just information coming from an outside source. That means that identifiers like IMEIs and MAC addresses can only act as identifiers and not necessarily as proof of identity. So, in order for a client that is connecting to an API to prove its identity the application must provide what we refer to as an application secret. And the application secret is the equivalent of a password when a user logs in and the application key can be thought of as the equivalent of a username.So this combination of application key and secret is the same as a username and password but for an application. At the network level you have ways of restricting and allowing access to the API and this would be by blacklisting IP addresses for example and this would restrict IP addresses from accessing an application or you could choose to whitelist IP addresses meaning that’s only the IP addresses or ranges that you have white listed will be allowed to connect to your application. So although not strictly authentication factors you can control access to APIs in multiple ways both at the application and network levels.

• Certificates / Private key / MAC / IP address
• Token / Secret / API Keys
• Serial Number/ OS serials/ Chip IDs

There are other technologies /process which can be involved to make the authentication process a stronger one.

• PKI cryptography,
• Federated Authentication
• Blockchain technology
• Risk-based authentication: If you have observed, most of the bank uses risk base authentication where they keep track of your profile or the parameters mentioned above, and only ask for authentication when there is a deviation in these parameters like if you change your location. Where different parameters are involved in authenticating a device like IP address from where you are authenticating, location, your machine OS, machine physical address etc.
• Behavior-based authentication: Behavioral aspects, such as device, time of access and location of access

Authorization

Authorization is basically permission & access rules for an identity. Conceptually it seems that authorization happens after authentication, but technically authorization always happens before authentication. for example, when you go to any secure area you are denied access until you authenticate. .

Authentication Types/Protocols

Web Authentication

This is the general session based authentication which is implemented in most of the web applications on the internet. Here the user fills in username and password and on validating the details, a session is generated and user can access the members area.

Oauth2

OAuth is an industry-standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This is one of the most widely used standards for access delegation these days. We will write more about this in our future posts.

Security Assertion Markup Language 2.0 (SAML) is an XML based open federation standard that allows an identity provider (IdP) to authenticate users and pass identity and security information about them to a service provider (SP), typically an application or service. With SAML, you can enable a single sign-on experience for your users across many SAML-enabled applications and services.

OpenId Connect

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

This article will give you a basic foundation for making better authentication and access systems for your webapps. More and advanced topics will be added in future posts. Happy Authenticating.