Authentication vs Authorization 

One of the most confusing word pairs in cybersecurity is authentication and authorization. Understanding their difference is very important when implementing security in a system.   

| Authentication | Authorization |
| --- | --- |
| Verifies who/what is trying to access a resource | Verifies that the person/system has the permission to complete an action |
| Happens before authorization | Happens after authentication |
| Typically, a set of credentials, such as a password, certificate, security questions, or biometric data, is required. | Typically, an issuer can assign tokens with additional information about the person/system. |
| Example: If you have the keys to your house, you can unlock the front door to enter. | Example: The house keys may unlock some doors in your home, but not all! You may need additional keys for specific rooms and drawers. |

Why is this differentiation important? 

Let’s look at a scenario where authorization occurs in real life. You are the parent of a 5-year-old child living in an apartment. Would you want your child to be able to do anything at all while you or your partner are not around? Should your child be able to turn on a gas stove and cook a meal? Should your child be able to open a window or any drawer in the house easily? You would like them to ask for permission first. The action can occur only if you or your partner approves the request.

This example outlines the act of authorization. Any malicious actor who gains access to a set of credentials or tokens should not be free to read or write anything in your system.
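The two steps from the table, as an added example (not part of the original article and not ZKX Helix's API): credentials are checked first, the issuer signs a token carrying the allowed actions, and every later action is checked against that token. The user, password, action names and helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json, os, time

SIGNING_KEY = os.urandom(32)  # issuer's token-signing key (generated for this demo)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _sign(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

# Constructed sample data: one user, a salted password hash, and that user's policy.
_SALT = os.urandom(16)
USERS = {"child": {"salt": _SALT, "pw": _hash("teddy-bear-42", _SALT),
                   "allow": ["front-door:open", "toy-drawer:open"]}}

def authenticate(user, password):
    """Authentication: verify WHO is asking. Returns a signed token, or None."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_hash(password, rec["salt"]), rec["pw"]):
        return None
    claims = {"sub": user, "allow": rec["allow"], "exp": int(time.time()) + 300}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)

def authorize(token, action):
    """Authorization: verify WHAT the token holder may do. Deny by default."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return False  # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (AttributeError, TypeError, ValueError):
        return False      # missing or malformed token
    if claims.get("exp", 0) < time.time():
        return False      # expired token
    return action in claims.get("allow", [])

if __name__ == "__main__":
    token = authenticate("child", "teddy-bear-42")
    for action in ("front-door:open", "stove:ignite"):
        print(action, "->", "allowed" if authorize(token, action) else "denied")
```

Anyone holding the token, including someone who stole it, is limited to the actions listed in it until it expires.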

How does ZKX Helix factor in?

ZKX Helix allows you to create users and assign them policies that define what actions they can take. These can include making a phone call, reading from a file, logging into your laptop, or much more. ZKX Helix enforces the policy that is defined for a user and challenges the user for additional security when your resources need even more verification.