Identity and Access Management (IAM)
Identity and access management (IAM or IdAM for short) is a way to tell who a user is and what they are allowed to do. IAM is like the bouncer at the door of a nightclub with a list of who is allowed in, who isn’t allowed in, and who is able to access the VIP area. IAM is also called identity management (IdM).
“Authentication” and “Authorization”
While authentication is concerned with verifying identity, authorization is concerned with permissions, or what someone is allowed to do once they gain access to a protected system or resource.
Suppose Bob works in his company’s marketing department. Bob enters his password, scans his face, and inserts his hard token to log in to his company’s network. At this point, authentication is complete.
After logging in, Bob does not have access to every data file in the company’s possession. Authorization determines what Bob can and cannot see. As a marketer, he is authorized to see some data, like a list of potential customers to whom the company will send marketing messages, but not other data, like the company’s main codebase or its list of employee salaries.
- Authentication: Who are you?
  - Purpose:
    - Verifies whether the user's claimed identity is legitimate.
    - Usually implemented with a username and password, a fingerprint, an SMS verification code, OAuth login, and similar methods.
  - Examples:
    - Entering an account name and password on a login page.
    - Signing in to a website with a Google account.
- Authorization: What are you allowed to do?
  - Purpose:
    - Determines whether the user has permission to access a given resource or perform a given operation.
    - Usually takes place after authentication.
    - For example: Zhang San can only view reports, while Li Si can modify them.
Authentication
In cyber security, authentication is the process of verifying someone’s or something’s identity. Authentication usually takes place by checking a password, a hardware token, or some other piece of information that proves identity. Just as an airline worker checks a passport or an identification card to verify a person’s identity when they board a plane, computer systems need to be sure a person really is who they say they are. At an airport, this authentication process ensures only people with a ticket get on the plane; for digital systems, this ensures data is viewed and used by the right people.
Authentication does not just apply to verifying human users. Computer systems also need to check servers, software, APIs, and other computers to be sure they are who they “say” they are.
Verifying identity
Verifying identity via authentication factors
This type of authentication involves checking a measurable characteristic of identity against a corresponding digital record. The characteristics that an authentication system will check are called “factors.” Three common authentication factors are widely used today:
1. Something the person knows
This authentication factor checks a piece of secret knowledge that only the real person should have. A username-and-password combination is the classic example of this factor. Security questions and PIN codes also are examples.
2. Something the person has
This authentication factor checks if the person possesses a physical item they were issued or are known to have. Many people use this authentication factor every day: they live in a house or an apartment that they can unlock with a metal key. Possession of this key, therefore, proves they are authorized to enter the premises, and enables them to do so.
In digital systems, this authentication factor does not rely on an old-fashioned lock and key, but it uses a similar principle: it checks for a physical token. There are two types of tokens: soft tokens and hard tokens.
Soft tokens: A soft token involves verifying possession of a device, like a smartphone, by sending a code to that device and asking the user to enter it. The code may be sent as a text message or through an app that generates random codes.
Hard tokens: A hard token is a small physical item that connects to a computer or mobile device via Bluetooth, a USB port, or some other port. Users must plug this token into their device to verify their identity.
Some security experts consider hard tokens more secure than soft tokens. An attacker could remotely intercept a code on its way to a user’s phone and use that code to impersonate the user. But it is much harder to steal a hard token: the attacker needs to physically access the token in order to do so.
3. Something the person is
This authentication factor assesses a person’s inherent qualities. In real life, people do this all the time — two friends may recognize each other by their appearance or manner of speaking, for instance. A computer could do the same by scanning a person’s face or retina, verifying their thumbprint, measuring the frequencies of their voice, or checking the results of a blood test (although this last one is more rare).
Additional authentication factors
Some members of the security industry have proposed or used additional authentication factors besides the three main ones listed above. Two of these additional factors are location (where a user is) and time (when they are accessing the system).
Verifying identity via digital certificates
In addition to using the authentication factors described above, known and trusted entities can also be issued digital certificates. A digital certificate is a small digital file that contains information for verifying identity, just as an ID card contains information that verifies a person’s identity in real life.
Digital certificates receive a digital signature to prove their authenticity from the authority that issues them, like how a passport, ID card, or piece of paper currency may have a watermark proving it is not counterfeit.
A digital certificate also contains a string of random values called a public key. The public key corresponds to a private key that is stored separately. The entity that has the certificate can digitally sign data with these keys to prove that it possesses the private key and is therefore authentic.
Currently, digital certificates are not often used to verify the identity of individual people. But most people rely on digital certificates every day without realizing it.
Whenever someone loads a website that uses HTTPS, the secure version of HTTP, the TLS protocol uses the website’s digital certificate (called an SSL certificate or TLS certificate) to authenticate the website. DKIM, which authenticates email senders, is another example of a technology that uses this method instead of checking authentication factors. DKIM helps email providers sort and block spam emails.
Common Authentication Methods
Username and password combination
One of the most common methods for authentication is prompting a user to enter their username and password. When Jessica loads her email account in her browser, the email service does not know who she is yet — but once she enters her username and password in the login form, the service is able to check those credentials, authenticate her as Jessica, and log her in to her account.
While most people are familiar with this type of authentication, usernames and passwords can be used for more than just authenticating users. API endpoints can be authenticated in this fashion, for example.
Multi-factor authentication (MFA)
The problem with username-password authentication is that passwords can often be guessed or stolen by malicious parties. Requiring additional factors of authentication increases security for users; this concept is called multi-factor authentication (MFA). When MFA is used, an attacker needs more than a password to falsely authenticate as a legitimate user.
MFA is most often implemented as two-factor authentication (2FA). Today many services implement 2FA by asking users to prove they have a token they were issued. There are two types of tokens: “soft” tokens, like a code sent to a user via SMS or through a mobile app, and “hard” tokens, like USB keys. 2FA and MFA can also use biometric authentication factors (described below).
Public key certificate
Public key authentication is slightly more complex than these other forms of authentication, but when implemented properly, it can be more secure. It uses public key encryption to verify whether or not the authenticated party has the right private key.
(See How does public key encryption work? to learn how public keys and private keys work.)
The most common usage of public key authentication is in Transport Layer Security (TLS), in which it is used to authenticate a web server. User devices perform this type of authentication every time they load a website that uses HTTPS.
Public key authentication is also used for mutual authentication, which is when both sides of a communication authenticate each other, instead of just a client authenticating a server or a web service authenticating a user. Internet of Things (IoT) devices and API endpoints sometimes use this type of authentication.
Biometric authentication
Only usable for authenticating humans, biometric authentication involves verifying someone’s identity by checking one of their physical characteristics against a database of their known physical characteristics. Face scanning or a retina scan are examples of this type of authentication.
Approaches
Session-based Authentication
- separate storage is required for session information
- invalidation of a session is easy
- scaling also involves the session store
JSON Web Token (JWT)
Ref https://swsmile.info/post/authentication-jwt/
OpenID Connect (OIDC)
Ref https://swsmile.info/post/authentication-openid-connect
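To make the session-versus-JWT trade-off listed above concrete, here is an added example (not code from the original page or from the linked posts): a server-side session store, where revoking a session is a single deletion, beside a minimal HS256 JWT issuer and verifier, where a token is self-contained and stays valid until its `exp` unless the server keeps a denylist of revoked `jti` values, which reintroduces shared state. The key, claims and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256 of the first two)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int, denylist=frozenset()):
    """Return the claims if the token is genuine, unexpired and not revoked; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the server decides how its tokens are signed, never the token itself.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return None
    except ValueError:  # wrong number of segments, bad base64, bad JSON or bad UTF-8
        return None
    # Stateless: with no denylist, a token remains valid until `exp` even after "logout".
    if claims.get("exp", 0) <= now or claims.get("jti") in denylist:
        return None
    return claims


class SessionStore:
    """Server-side sessions: the store is the single source of truth, so revocation is one deletion."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now: int, ttl: int = 3600) -> str:
        sid = secrets.token_urlsafe(32)  # opaque random id; it carries no user data itself
        self._sessions[sid] = {"sub": user, "exp": now + ttl}
        return sid

    def lookup(self, sid: str, now: int):
        session = self._sessions.get(sid)
        return session if session and session["exp"] > now else None

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

Every app server must reach the same session store (the scaling point above), whereas any server holding the key can verify a JWT without shared state.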
Authorization
Authorization determines what an authenticated user can see and do. Think of what happens when a bank customer logs in to their account online. Because their identity has been authenticated, they can see their own account balance and transaction history — but they are not authorized to see anyone else’s. A manager at the bank, conversely, could be authorized to see any customer’s financial data.
Similarly, a person may be a legitimate employee of a business, and they may have verified their identity, but that does not mean they should have access to all of that business’s files and data. An employee from outside the HR or accounting departments should not be able to see everyone’s compensation, for instance.
A user’s authorization level determines what they have permission to do; therefore, a common term for authorized actions is “permissions.” Another term for this concept is “privileges.”
How It Works
Organizations use some kind of authorization solution for allowing or blocking user actions. The solution usually knows which actions to allow or to block based on who the user is; for this reason, authentication is closely intertwined with authorization. There are several different ways of determining user permissions, including the following:
In role-based access control (RBAC), every user is assigned one or more predetermined roles, and each role comes with a specified set of permissions.
In attribute-based access control (ABAC), users are assigned permissions based on their attributes or the attributes of the action they are trying to perform.
In rule-based access control (also abbreviated as RBAC), actions are allowed or denied based on a set of rules that apply to all users, irrespective of their role.
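An added example (not code from the original page) that combines the three models just listed into one authorization check, reusing Bob the marketer from the earlier section and the Zhang San / Li Si report example: RBAC maps roles to permitted (action, resource type) pairs, ABAC decides from the user's and the resource's attributes, and a rule-based check that applies to everyone regardless of role is evaluated first. The roles, departments and the business-hours rule are constructed for illustration.

```python
from dataclasses import dataclass

# RBAC: each role carries a fixed set of (action, resource type) permissions. Constructed for the demo.
ROLE_PERMISSIONS = {
    "marketer": {("read", "prospect_list")},
    "hr": {("read", "salaries"), ("write", "salaries")},
    "engineer": {("read", "codebase"), ("write", "codebase")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class Resource:
    type: str
    owner: str = ""
    department: str = ""


def rbac_allows(user: User, action: str, resource: Resource) -> bool:
    """Role-based: allowed if any of the user's roles grants (action, resource.type)."""
    return any((action, resource.type) in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def abac_allows(user: User, action: str, resource: Resource) -> bool:
    """Attribute-based: a report is readable by its department and editable only by its owner."""
    if resource.type != "report":
        return False
    if action == "read":
        return user.department == resource.department
    return action == "write" and user.name == resource.owner


def rule_denies(action: str, hour: int) -> bool:
    """Rule-based (hypothetical rule): writes are blocked outside 08:00-18:00 for every user, whatever their role."""
    return action == "write" and not 8 <= hour < 18


def authorize(user: User, action: str, resource: Resource, hour: int = 12) -> bool:
    """Deny-overrides evaluation: global rules first, then either model may grant; the default is deny."""
    if rule_denies(action, hour):
        return False
    return rbac_allows(user, action, resource) or abac_allows(user, action, resource)
```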
OAuth 2 (Open Authorization 2)
Ref https://swsmile.info/post/authorization-oauth2/
Reference
- https://www.cloudflare.com/learning/access-management/what-is-identity-and-access-management/
- https://www.cloudflare.com/learning/access-management/what-is-authentication/
- https://www.cloudflare.com/learning/access-management/authn-vs-authz/