Authorization and authentication – what’s it all about?
Authentication and authorization processes
Authorization is the process of confirming whether a user has the right to perform a specific operation or access a specific resource (e.g. a file). Because its purpose is to control access, it takes place after authentication, i.e. after the step that establishes who the user is.
Take the example of an online banking system, where, after logging in, the user can perform certain operations during an active session. When the session expires, the user loses these rights until the next successful login.
What happens inside
During the session, inside the online banking system, the user may perform a number of operations such as:
- preview balance,
- review transaction history,
- review personal data,
- edit personal data,
- declare trusted recipients,
- define new transfer.
Some of these operations require an additional action from the user to confirm their identity within the session, after logging in. In online banking, such authorization may be carried out in various ways:
- SMS codes,
- hardware token,
- one-time password list,
- OTP (OCRA) one-time code generator,
- mobile token.
When a user wants to perform an operation that is considered critical (particularly important and risk-prone), the system may ask the user to enter an authorization code generated in response to the server's request. Most often this code is sent to the user via a separate channel (SMS) or generated on an external device (e.g. an OTP token).
After the code is entered and the order confirmed, the order data is sent to the server together with the code, which acts as its signature. The server verifies the data; if it is correct and the system decides it has not been tampered with, the operation is passed on for execution.
The above scenario aims to ensure that it is the user who originates the transfer, since only they know the authorization code, which was delivered to them via a predefined, separate channel (e.g. SMS). Such a separation of channels makes it harder for a criminal to carry out an attack on the basis of the user's login data alone, which is relatively easy to obtain.
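The whole flow described in this section, from login and session expiry to step-up authorization of a critical operation with a code delivered over a separate channel, as an added example in Python. This is illustrative code written for this page, not the software of any bank. It assumes the SMS variant (the server derives the code and sends it out of band), constructed credentials, assumed timeouts, and an assumed split of the listed operations into ordinary and critical ones; a real system stores password hashes and uses a real SMS gateway.

```python
import hashlib
import hmac
import json
import secrets
import time

SESSION_TTL = 600   # seconds a login stays valid (assumed value)
CODE_TTL = 120      # seconds an authorization code stays valid (assumed value)

# Operations from the article; the second group is the "critical" one that
# needs an authorization code on top of the login (split assumed here).
ORDINARY_OPS = {"preview_balance", "transaction_history", "review_personal_data"}
CRITICAL_OPS = {"edit_personal_data", "declare_trusted_recipient", "new_transfer"}

# Constructed credentials; a real system keeps password hashes, not passwords.
CREDENTIALS = {"alice": "correct horse battery staple"}


def _digest(operation, data):
    """Canonical hash of exactly the order the user is asked to confirm."""
    canonical = json.dumps({"op": operation, "data": data}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


class BankServer:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side key for deriving codes
        self.sessions = {}     # token -> {"user", "expires_at", "challenges"}
        self.sms_outbox = []   # stands in for the separate SMS channel
        self.executed = []     # operations that reached execution

    # --- authentication: establish who the user is ---
    def login(self, user, password, now=None):
        now = time.time() if now is None else now
        stored = CREDENTIALS.get(user, "")
        if not hmac.compare_digest(password.encode(), stored.encode()):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "expires_at": now + SESSION_TTL, "challenges": {}}
        return token

    def _session(self, token, now):
        s = self.sessions.get(token)
        return s if s is not None and now < s["expires_at"] else None

    def _code(self, challenge_id, op_digest):
        """6-digit code bound to one challenge and one exact order."""
        mac = hmac.new(self._key, f"{challenge_id}:{op_digest}".encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    # --- authorization: may this session perform that operation? ---
    def request(self, token, operation, data=None, now=None):
        """Ordinary ops run at once; critical ops get a challenge sent out of band."""
        now = time.time() if now is None else now
        s = self._session(token, now)
        if s is None:
            return ("denied", "no active session")
        data = data or {}
        if operation in ORDINARY_OPS:
            self.executed.append((s["user"], operation, data))
            return ("executed", operation)
        if operation not in CRITICAL_OPS:
            return ("denied", "unknown operation")
        challenge_id = secrets.token_hex(8)
        op_digest = _digest(operation, data)
        s["challenges"][challenge_id] = {"digest": op_digest, "expires_at": now + CODE_TTL, "used": False}
        # Separate channel: code plus a summary of the order go to the user's phone.
        self.sms_outbox.append({"user": s["user"], "summary": data, "code": self._code(challenge_id, op_digest)})
        return ("challenge", challenge_id)

    def confirm(self, token, challenge_id, operation, data, code, now=None):
        """Verify the entered code against the order actually submitted."""
        now = time.time() if now is None else now
        s = self._session(token, now)
        if s is None:
            return ("denied", "no active session")
        ch = s["challenges"].get(challenge_id)
        if ch is None or ch["used"] or now >= ch["expires_at"]:
            return ("denied", "unknown, used or expired challenge")
        ch["used"] = True   # one attempt per code: no replay, no guessing
        expected = self._code(challenge_id, ch["digest"])
        # The submitted order must be the one the code was issued for (tampering check)
        # and the code must match what was sent over the separate channel.
        if _digest(operation, data) != ch["digest"] or not hmac.compare_digest(expected, code):
            return ("denied", "authorization code does not match the order")
        self.executed.append((s["user"], operation, data))
        return ("executed", operation)


def demo(now=1_000_000.0):
    """Walk through the scenario with constructed data; returns each outcome."""
    bank, r = BankServer(), {}
    r["bad_login"] = bank.login("alice", "wrong password", now)
    token = bank.login("alice", "correct horse battery staple", now)
    r["balance"] = bank.request(token, "preview_balance", now=now)[0]
    order = {"to": "EXAMPLE-ACCOUNT-0001", "amount": "250.00"}
    _, cid = bank.request(token, "new_transfer", order, now=now)       # genuine order
    r["genuine"] = bank.confirm(token, cid, "new_transfer", order, bank.sms_outbox[-1]["code"], now + 5)[0]
    r["replay"] = bank.confirm(token, cid, "new_transfer", order, bank.sms_outbox[-1]["code"], now + 6)[0]
    _, cid = bank.request(token, "new_transfer", order, now=now)       # order altered after SMS
    tampered = dict(order, amount="9999.00")
    r["tampered"] = bank.confirm(token, cid, "new_transfer", tampered, bank.sms_outbox[-1]["code"], now + 5)[0]
    _, cid = bank.request(token, "new_transfer", order, now=now)       # code entered too late
    r["late"] = bank.confirm(token, cid, "new_transfer", order, bank.sms_outbox[-1]["code"], now + CODE_TTL + 1)[0]
    r["expired_session"] = bank.request(token, "preview_balance", now=now + SESSION_TTL + 1)[0]
    r["executed"] = len(bank.executed)
    return r
```

Calling `demo()` shows the two halves of the article side by side: a wrong password never yields a session, an expired session loses even the right to preview the balance, and a critical transfer only executes when the code from the separate channel matches the exact order it was issued for, once, within its lifetime.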