A Story of Authentication vs Authorisation

One day Minnie was resting at home when she received a call from Mickey

Mickey – Hey Minnie, where are you?

Minnie – Hi Mickey! I am at home. What happened?

Mickey – I need to talk to you. Can you come to the restaurant across your street?

Minnie – Sure, I am coming

Mickey – Come fast. I am waiting

(Minnie got ready and went to see Mickey)

Minnie – Yes Mickey, tell me.

Mickey – I have got an activity to explain the difference between Authentication and Authorisation tomorrow in the class. And I have no idea.

Minnie – Hey Mickey, don’t worry. Let me tell you a story.

Mickey – Great! And here we go…

Minnie – Okay suppose you hear your doorbell ring and you open the door. You see Goofy standing there. Will you allow him inside?

Mickey – Of course, I will.

Minnie – Why?

Mickey – He is my friend. I know him.

Minnie – Exactly. So you are authenticating him to enter your home

Mickey – Okay!

Minnie – Suppose after coming inside he uses your sofa, watches TV, uses the toilet

Mickey – Yeah! That’s all fine.

Minnie – What if he goes in your kitchen & opens the refrigerator

Mickey – What! He is not supposed to do that.

Minnie – Exactly! Or we can say he is not authorized to do so.

Mickey – Okay, I am getting it

Minnie – So Authentication is like validating a user or service. Like you allowed Goofy to enter the house. You will not allow any stranger, right?

Mickey – So it’s like validating the identity of the user or service.

Minnie – Exactly, and there are ways of validating the identity like using passwords, single-factor authentication, multi-factor authentication, etc.

Mickey – I am now getting it. So getting access to my home using a key is like authentication?

Minnie  Yes, think of the key as the password.

Mickey – Got it

Minnie – And Authorisation is the process of permitting the user or service to access specific resources. e.g. Goofy can use your drawing room but not your bedroom.

Mickey – Okay! Got it.

So when I log in to my school website with my username and password. I am authenticated to access the website if my credentials are correct. But I cannot go to the Admin section as I am not authorized to access that section of the website.

Minnie – Yes or you can say your user does not have the privilege to access that resource.

Mickey – Wow!

Minnie – Now let’s go to the next level

There are different factors or levels of authentication

  • Single-Factor Authentication: A simple way of authentication where a user needs an id and password to get access. So the user or service needs only one step to verify the identity
  • Two-Factor Authentication: Here a user or service needs 2 step verification process. You must have seen some services or apps where you need password + you need to enter an OTP sent to your mobile device to get access. You can set 2-factor authentication on your Gmail from settings.
  • Multi-Factor Authentication: This is a more advanced level where you need 2 or more levels of security. You will find this type of authentication in banks and financial institutions

Mickey – So when I goto my bank ATM, I need to enter my passcode only. Is this single-factor authentication?

Minnie – No, you first need to insert your card and then enter your passcode. So that is two-factor authentication

Mickey – Got it

Minnie – And based on your user roles. You are authorized to access specific sections or menu items.

Mickey – Got it.

Minnie – So how do you feel now.

Mickey – I am all ready to explain this in the class tomorrow.

Minnie – Let’s order pizza.

Mickey – Sure, it’s on me. Thanks for coming and helping me.

Minnie – I am always here for you 🙂

about the author more stories

219