AUTHENTICATION

Authentication vs authorization

Authentication and authorization are different processes that can be used in tandem to approve user access, protect your business against unauthorized access and establish an identity and access management (IAM) solution.

No credit card required for trial. After the trial, LastPass Business is $7 per user/month.

What is user authentication?

Authentication is one of many cybersecurity processes a company uses to protect themselves against unauthorized access. User authentication is a means of verifying a user's identity before granting them access to an app, workstation, on-premises tool, or VPN. The user verifies their identity by providing a security token to the provider’s server or client.

Types of user authentication methods

  1. Two-factor authentication: A form of user authentication that comes after a user successfully signs in with a username-password combo or via single sign-on. Two-factor authentication involves methods like one-time passwords (OTP), SMS messages, mobile phone push notifications, and access token (hardware devices like YubiKey) authentication.
  2. Multifactor authentication (MFA): MFA is two-factor authentication with additional steps of authentication on top of it. It requires multiple steps of the authentication methods discussed above, such as inputting a password, an access token like an OTP, and then an additional factor like a hardware token (like a YubiKey).
  3. Biometric authentication: Biometric MFA which verifies the identity of a user based on their physical attributes. Users authenticate themselves through facial recognition or fingerprint scans.
  4. Contextual MFA: an advanced authentication method which verifies the identity of a user based on identifiers relative to them, including geolocation, the IP address requesting access, and time-based factors. For instance, with geolocation, if you’re company knows you live and work from Boston, MA, but someone based in San Diego is requesting access from your account, the client will deny access – as the system will recognize it as unauthorized access.
  5. Single sign-on (SSO): SSO is, technically, a type of authentication. We talk about MFA and SSO as separate processes because they are just that: different. SSO is a type of authentication related to a federated identity provider. It works by establishing the identity of a user – usually via an ID token like a JSON Web Token (JWT), generated by the identity provider – which is passed on to the client to approve access. Because the user is already logged in to their identity provider (the central domain), their identity is authenticated by their ID token and the application grants access.

What is authorization?

While authentication is the key that grants access to a web application or tool, the authorization process contains multiple levels of access which decide whether a user is allowed to sensitive information. Cloud storage is a common instance where authorization is implemented, where account admins can secure access requirements that limit access and allowable actions with respect to documents.  

A common example is with Microsoft’s OneDrive: file admins can share documents with fellow users, but they can control:

  • Who can access a document.
  • Whether the document read-only or editable.
  • Who in the organization can receive editing rights.
  • Whether it can be shared with others.
  • Whether the document can be shared in a team, with the organization, or outside the organization.

The four types of authorization

  1. Attribute-based Access Control (ABAC): ABAC is best described as policy-based user access authorization. It will identify a user’s permissions prior to approving authorization, often checking a user’s identity, the resource they want to access, the action they wish to complete, and the environment in which they’re requesting access. Access is granted if the user meets all permissions.
  2. Discretionary Access Control (DAC): DAC checks a group’s or user’s access permissions. DAC is a fast, secure way of authorizing users based on group affiliation or the identity of a user.
  3. Mandatory Access Control (MAC): Rather than evaluating a user’s group affiliation or identity, MAC authorizes a user at the level of their operating system. MAC defines whether further access is gained into a system to protect against serious data breaches.
  4. Role-based Access Control (RBAC): RBAC is a type of authorization that combines the qualities of DAC and MAC. It configures access to files and systems based on a user's role and permissions, limiting access to specific organizational roles.

In LastPass Business, access to specific vault items or shared folders can be based on user attributes like department, job role, or seniority. For instance, financial records might be accessible only to users in the finance department, while IT credentials are accessible only to IT staff.


Authentication vs. authorization

There are many authentication systems available on the market, just as there are many types of authorization available for businesses. Yet, company leaders often believe they must pick one of two options: authentication vs authorization.  

However, you don’t have to choose: you can leverage a combination of authorization and authentication, allowing them to work in tandem. Authentication confirms users are who they say they are, validating a user's identity. Authorization gives those authenticated users permission to gain access to a resource. When combined, they fortify every entry point of your business, ensuring all data remains protected.

With LastPass, your business can leverage authentication and authorization policies to create a thorough identity solution.  

Difference Authentication Authorization
Focus
Authentication focuses on verifying identity.
Authorization focuses on granting or denying access to resources based on verified identity and permissions.
Sequence Authentication occurs before authorization.
You must be authenticated before you can be authorized to access resources.
Questions answered
“Who are you?”
“What are you allowed to do?”
Examples in LastPass
  • Username and password combination.
  • Multifactor policies.
  • Face ID, Touch ID, security tokens.
  • Contextual policies.
  • Single sign-on.
  • Password rules.
  • Account restriction policies.
  • Shared folders.
  • User and group types.

Authenticate and authorize without passwords

Identity and access management (IAM) administrators must understand how to use everything from multifactor authentication to single sign-on to role-based access controls when developing their security infrastructure. Although this process seems complex, LastPass can help by offering a smart and simple cybersecurity solution.

  • Incorporate biometric and contextual authentication factors to better protect your company.
  • Provide employees, remote workers, and clients with a passwordless authentication user experience.
  • Authenticate users seamlessly across all devices to maintain workflow and productivity.
  • Secure every access point – from cloud and on-premises applications to VPNs and workstations – for successful authentication.
  • Ensure biometric data is encrypted at the device level and remains on the user’s device for greater privacy and security.
  • Offer customization to leverage numerous MFA methods for user- or group-level access control.
  • Deliver a centralized list of granular policies to control access rights at individual, group, and organizational levels.
  • Save time and money with a simple deployment process that doesn’t require professional services.
  • Automate provisioning with user directories like Microsoft AD and Microsoft Entra ID, for simple setup and minimal management.
  • Provides multiple authentication protocols and authorization plans to fit a company's size, security needs, and budget.

See LastPass Business in action

illustration100largecardbusinessplanarticle1svg

Explore other LastPass features

icon-xs-light_illustrative_password-generator-svg

Business password sharing

Safely share business passwords with team members, freelancers, and vendors.


User management

Control your company’s security, accounts, and policies from one platform.


icon-xs-light_illustrative_dark-web-monitoring-radar-svg

Multifactor authentication (MFA)

Enhance security by requiring extra verification methods after your login credentials.

Frequently asked questions

What is the difference between authentication and authorization?

Authentication and authorization are different processes, that can be used in tandem, to approve user access and protect your business against unauthorized access.

Authentication is a process that verifies whether a user – requesting access – is who they claim to be. Common authentication methods involve completing a security question only the user would know or providing their biometric data (fingerprint scan) to verify their identity.

Authorization determines whether a user can complete an action – access a resource, edit data, see a document. Think of it as a checkpoint: even if you’ve gotten past security at a private event (authentication), it’s another question whether you’ll be allowed to enter the VIP room (authorization).

By using LastPass, your business gets a third-party SaaS tool that can integrate with your existing tech to both authenticate and authorize users.

What is identification vs authentication vs authorization?

Identification is the part of a process in which you literally identify yourself: your name, your email address, your government ID, etc.

Authentication is the process in which you verify your identity. This is completed by providing something only someone with your identity would know or have: a password, a fingerprint scan, access to your mobile device.

Authorization is the process which determines whether you’re approved for access to a resource or system – e.g. whether an admin/owner has granted you the right to see, access, or edit a document.

How do identification, authentication, and authorization work together?

Usually a person provides identification, is authenticated, then authorized. For instance, when logging in to a system to access a resource:

  • You provide your username (identification) and password (first step of authentication).
  • You provide a fingerprint scan (a step of multifactor authentication to prove your identity).
  • Lastly, the client will authorize you relative to your identity, the document you’re trying to access, and the action you wish to complete. If user permissions are approved in all cases, user access is granted.

Is OAuth for authentication or authorization?

There’s various means of supporting a method of authentication like SSO plus the authorization process that comes after. These include methods like OpenID Connect, SAML, and others.

OAuth is a common phrase heard in the world of cybersecurity. SAML is like OAuth, in that both can be used for web SSO, but they serve different purposes: SAML is usually used per user, in relation to a user directory, whereas OAuth is usually used for specific applications and devices.

In this sense, OAuth is usually used for authorization, with OAuth 2.0 being the current industry-standard protocol for authorization. OAuth 2.0 provides clear, specific authorization for desktop applications, mobile phones, native apps, and web applications, usually completed through the assignment and management of access tokens.

Why is user authentication important?

Enabling user authentication is important for any business as it’s a simple way to protect yourself against unauthorized access and potential data breaches. When combined with user authorization, user authentication establishes access rights that ensure only verified users can access protected resources.

The authentication process allows admins to verify a user’s identity when attempting to gain access to internal systems, work applications, documentation, and more. Types of authentication, like one-time pins, SMS codes, and biometric authentication, will ensure only authenticated users are granted access, thus ensuring secure access at all business endpoints.

Don't see your questions here? Visit Support Center.

Get started with LastPass Business

No credit card required for trial. After the trial, Business is $7 per user/month.