Authentication? Authorization? What’s the diff?
Early on in security courses, one of the key lessons is around authentication, authorization and access control. The first two are fairly straightforward. They then roll into the last of the concepts, access control, which I’ll cover last.
Authentication
Authentication is verifying that you are who you claim to be. That proof can be grouped into three categories. The first is something you have. Items like an ATM card, a key, or a key card fall into that bucket. The second is something you know, such as the PIN for your ATM card or the password to your email account. The third is something you are. These are typically biometrics, or an item that includes a photo of you. For years some data centers had a device that measured the shape of the fingers on your right hand as part of authenticating who you are. And of course SciFi movies have had retinal scans as part of proving identity.
2FA and MFA
When you combine more than one of these categories you are in the arena of Multi-Factor Authentication, or MFA (two factors is the common case, Two-Factor Authentication or 2FA). For your bank card you need the card as well as the PIN: something you have and something you know. If you go up to the counter to do a large withdrawal, they might ask to see your driver’s license and ATM card, then have you swipe the card and enter your PIN. All three categories are there: you possess the ATM card and the driver’s license, you know the PIN for the ATM card, and the photo on the driver’s license matches something you are, your physical appearance.
Authorization
Authorization covers the different items that you are allowed to do. Are you authorized to view certain information? If so, are you then allowed to alter or delete that data? With physical items it becomes more complex. Several hundred people have a key card that will get them into the office. But in theory, each employee has the “only” key to their locking file pedestal. I say “only” because the locks are not all that unique, and in theory a master key could exist.
Access Control
The last item can take a bit more to understand. Access control takes the combination of authenticating who you are with what you are authorized to do. It is the piece of the puzzle that enforces the authorization. The nondescript white key cards that so many of us in tech use authenticate us because we have them in our possession. When we scan one at the front door to our office building, there is a table of information somewhere in the system that says whether we are allowed to use that door at that time. If so, there will be the “click” of a solenoid (well, a Linear Solenoid Actuator) and the door will unlock.
So my key card will get me into any office of the company I work for. But the office data center, should one exist, has a list of a handful of IT people who have access to that room. When we enter the digital world it can get quite complex. When I log into Salesforce, there is a complex table that lists what reports I can run and what data I can see, and an even larger one tracking where I can edit or add data. It is not uncommon to see conversations on Slack where a salesperson is asking someone in SalesOps to change the owner or status of an opportunity in Salesforce.
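To make the three concepts concrete, here is an added example (not code from the original post) of a toy badge system in Python. It models authentication as a card (something you have) plus a PIN (something you know), authorization as a table of which doors a person may use and during which hours, and access control as the function that consults that table and decides whether the solenoid fires. All card IDs, PINs, names and door names are constructed for the example; the decision is deny-by-default, so an unknown card, a wrong PIN, an unlisted door, or a request outside the allowed window is refused, and the reason is returned so it can be logged.

```python
import hashlib
import hmac
from datetime import datetime, time

# Constructed sample data for a hypothetical badge system. Nothing here is
# taken from a real deployment; values are made up for illustration.

def _hash_pin(pin: str, salt: str) -> str:
    # Illustrative only: a production system would use a slow KDF
    # (e.g. scrypt/argon2) rather than a single SHA-256 round.
    return hashlib.sha256((salt + pin).encode()).hexdigest()

# Identity store: card ID -> owner and salted PIN hash.
# The card is "something you have"; the PIN is "something you know".
CARDS = {
    "card-1001": {"user": "alice", "salt": "salt-a", "pin_hash": _hash_pin("4821", "salt-a")},
    "card-1002": {"user": "bob",   "salt": "salt-b", "pin_hash": _hash_pin("9090", "salt-b")},
}

# Authorization table: user -> {door: (earliest, latest)} time window.
# Alice is one of the handful of IT people allowed into the data center.
PERMISSIONS = {
    "alice": {
        "front-door":  (time(6, 0), time(22, 0)),
        "data-center": (time(0, 0), time(23, 59, 59)),
    },
    "bob": {
        "front-door":  (time(6, 0), time(22, 0)),
    },
}


def authenticate(card_id: str, pin: str):
    """Return the user name when card and PIN both check out, else None."""
    record = CARDS.get(card_id)
    if record is None:
        return None                      # unknown card: nothing to verify
    expected = record["pin_hash"]
    supplied = _hash_pin(pin, record["salt"])
    # Constant-time comparison so a wrong PIN does not leak timing information.
    if not hmac.compare_digest(expected, supplied):
        return None
    return record["user"]


def is_authorized(user: str, door: str, at: datetime) -> bool:
    """Consult the authorization table: may this user use this door at this time?"""
    window = PERMISSIONS.get(user, {}).get(door)
    if window is None:
        return False                     # door not listed for this user: deny
    earliest, latest = window
    return earliest <= at.time() <= latest


def request_entry(card_id: str, pin: str, door: str, at_iso: str):
    """Access control: enforce the authorization decision for one badge swipe.

    Returns (granted, reason). The reason is what a badge server would log
    for every decision, granted or denied.
    """
    at = datetime.fromisoformat(at_iso)
    user = authenticate(card_id, pin)
    if user is None:
        return False, f"deny {door}: authentication failed for {card_id}"
    if not is_authorized(user, door, at):
        return False, f"deny {door}: {user} not authorized at {at.isoformat()}"
    return True, f"unlock {door}: {user} authorized at {at.isoformat()}"


if __name__ == "__main__":
    # Walk through the cases discussed in the post.
    for args in [
        ("card-1001", "4821", "data-center", "2024-03-04T02:30:00"),  # IT staff, off hours
        ("card-1002", "9090", "data-center", "2024-03-04T10:00:00"),  # valid badge, wrong room
        ("card-1002", "9090", "front-door",  "2024-03-04T23:30:00"),  # right door, after hours
        ("card-1002", "0000", "front-door",  "2024-03-04T10:00:00"),  # wrong PIN
        ("card-9999", "4821", "front-door",  "2024-03-04T10:00:00"),  # unknown card
    ]:
        granted, reason = request_entry(*args)
        print("GRANT" if granted else "DENY ", reason)
```

Note that `authenticate` never looks at the door and `is_authorized` never looks at the card: keeping the two questions in separate functions is what lets the access-control step (`request_entry`) stay small and auditable, and it mirrors the real-world split between the badge reader proving who you are and the back-end table deciding what you may do.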
In Summary
Authentication is fairly clear and distills down to one or more of those three key points: something you have, something you know or something you are. After that, Authorization distills down to what you are allowed to do. And Access Control is how that Authorization is enforced. Understanding and being able to differentiate these three items is critical if you get deep into a digital transformation or into selling solutions for digital platforms.