Verifying the identity of a user is called authentication. The authentication process includes:
1. Checking the password, token, or some other piece of information that proves their identity and confirms that the user is who they claim to be.
2. Once the authentication is complete, the authenticated user is given access to the resources they are permitted to access.
3. In short, it verifies the user's identity and checks whether they are who they say they are, using their digital identity
For example, your passport, tickets, and other identification documents are checked before you board a plane. Similarly, a computer system checks whether you are who you claim to be before giving the access to digital resources.
How does this work?
The process of authentication requires factors that computer systems can measure. The authenticating factors that are used to verify a user's identity are as follows:
1. Knowledge factor (something the person knows)
Entering a password or answering personal questions is the most common type of knowledge-based authentication factor. In simple terms, only the person who knows the password or answers personal questions correctly can gain access to the resources.
2. Possession factor (something the person has)
This authentication factor requires a mobile phone, OTP authenticator, or hardware security keys such as YubiKey or Titan Security Key. For example, say a user tries to sign in to their account using their username and password, and requests access to that system. A one-time password (OTP) is generated and sent to the user's mobile number. Once the user enters the OTP that was sent to their mobile number, they get access to that particular system. The user must be in possession of the mobile number that gets the OTP in order to access the system.
3. Inherent factor (something the person is)
Inherent authentication factor requires the user's unique qualities that can be accessed only by them, such as biometric information. Computer systems often require users' fingerprints or facial recognition to authenticate the user under inherent authentication.
Once the user is authenticated, the next step is authorization. Authorization is the process of giving someone permission to do or have something. During authorization, a system verifies an authenticated user's access rules, and either grants or denies resource access. It permits access for the right user to use the right resources like systems, applications, files, and more.
Authentication is the process of verifying the user, while authorization is the process of checking what they have access to. It determines what the user can and cannot access. The authorization process is executed only after successful authentication.
If a user is unable to prove their identity, they won't be allowed into resources. Access to a resource is protected by authentication as well as authorization. These are the most important parts of IAM
For example, when you board a plane, say you're allowed to sit in seat number 5A, which is allotted for you. Only you have permission to sit in that seat. Similarly, once the user is authenticated, they gain access to do only the activities they are authorized to do.