Picture this: You're invited to a party at a posh, exclusive club.
You spend hours getting ready and preparing just to make sure you make the right impression. You get an Uber, and they say your name to make sure it's you. You make it to the club and you see a long line, but it's okay: you were invited. There have got to be some perks that come along with that. You walk right up to the front of the line and tell the doorman, "Hey, I'm supposed to be here." He looks you up and down, and the next few moments will be a real-life version of what servers do millions of times a day, all over the internet. I.A.M.
What is IAM?
I.A.M. stands for Identity and Access Management, and this is precisely what our bouncer/server is about to practice with you. First, he'll ask for either your name or an ID. This is known as authentication. Let's break down what that would mean in our digital world.
Website Authentication
Website authentication is the security process that allows users to verify their identities in order to gain access to their personal accounts on a website [2]. Authentication, as swoopnow states, is a "huge component involved in keeping user accounts safe and accessible" [2]. It's a very important factor in maintaining security on websites. Back to the bouncer: what kind of club would it be if he just took everybody's word for it and let them in if they said what you did? Authentication normally takes the form of matching someone's login information, like their username and password, with their identity in the database [1], essentially checking your ID. There are other methods, of course. Different websites have contrasting needs depending on what the site accesses and what the user will tolerate. There are two key factors to consider when creating or updating your website authentication systems: user experience (or UX) and security [2]. And, based on that delicate dance, there are a few methods of authentication you'll see all over our digital landscape.
Username/password:
Of course, the most prominent form of authentication to date is the username/password combination. Having both a name you've made for yourself and a password of your choice to access your information is an extra boost for security. Oftentimes, however, the username is replaced by the user's email address, such as in the example to the right. This is often more convenient for the user, although not as secure. It's not too difficult to track down a user's email address, but it is quite easy for you to remember yours, so it means less of a hassle to get you to your information. It's more like the Uber driver who checked your name before getting you where you needed to go. Easy for you, but relatively easy for others.
Multi-factor authentication
There are, of course, other ways to prove yourself. Some sites opt to use multi-factor authentication. Multi-factor authentication will oftentimes ask for the customary username/password combo, but it will also want another piece of information. This "piece of information" can be anything from a one-time passcode to a physical token that acts as a second confirmation to verify users are who they say they are [4].
It's more secure, but more of a hassle. Speaking as someone who needed to get into my email after my phone was stolen, it can sometimes be difficult to make up for that second factor. Which is a good thing, when it works. Kind of like the bouncer who asks for your name, then checks your ID. It's a great idea, but kind of bad for you if you forgot your ID at home.
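To make the one-time passcode concrete, here is an added example (not from the original post) of how a server can check a time-based code as the second factor, following the standard HOTP/TOTP construction from RFC 4226 and RFC 6238. The function names, the 30-second step and the one-step clock-skew window are assumptions of this sketch; the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time passcode for a counter value (RFC 4226, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, submitted, now, last_used=-1, drift=1, step=30):
    """Return the matched 30-second step, or None if the code is rejected.

    Accepts the current step plus/minus `drift` steps of clock skew and
    refuses any step at or before `last_used`, so a code works only once.
    """
    matched = None
    for counter in range(now // step - drift, now // step + drift + 1):
        if counter < 0 or counter <= last_used:
            continue
        expected = hotp(secret, counter)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = counter
    return matched

def login(password_ok, secret, submitted, now, last_used=-1):
    """Both factors must pass; returns the step to store as last_used, or None."""
    if not password_ok:
        return None
    return verify_totp(secret, submitted, now, last_used)

if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 test secret, not a real key
    print(login(True, secret, "287082", now=59))                # 1
    print(login(True, secret, "287082", now=59, last_used=1))   # None (replay)
```

Storing the returned step as `last_used` is what makes the passcode one-time: the same six digits are refused on a second attempt even inside the validity window.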
Inherence
The third form of authentication we'll discuss is called inherence authentication. Inherence factors are often referred to as biometric factors, which allow the user to verify their identity using physical characteristics that are unique to each individual. Popular methods include fingerprint scanning or facial recognition. This is a great improvement over the last issue we just spoke about, as you're not too likely to forget your thumb at home, but everything has pros and cons.
According to Swoop, some cybercriminals have found ways to get around these factors using a "master fingerprint" or a high-quality image. And in the case that someone else does get a hold of your biometric markers, that method will never be secure again. You can't just change your fingerprint! [2]
Authorization
We've now talked about a few forms of confirming identity, but there's another part to verification, both on the internet and in real life. Take our example from above. There are many ways that bouncer could have confirmed our identity, but there's still one more thing to do: Check the list for your name!
Yes, you're you, but should you be here?
Authorization should be used whenever you want to control viewer access of certain pages [1]. If we didn't have that, either no one would have access, or everyone would: equally frightening concepts. Though authorization is much more cut and dry than authentication, it's no less important, and the two often go arm-in-arm. For example, students at Boston University are required to authenticate before accessing the Student Link. The authentication they provide determines what data they are authorized to see. The authorization step prevents students from seeing data of other students [1].
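The two checks side by side, as an added example that is not part of the original post: `authenticate` is the ID check (matching a password against the stored, salted hash) and `authorize` is the guest list (a student may read only their own record). The user names, passwords, records, the `registrar` role and the PBKDF2 iteration count are all constructed for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for this sketch)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)  # per-user salt; only salt and hash are stored
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}

# Constructed sample data: two students and a registrar (hypothetical role).
USERS = {
    "alice": make_user("alice-sample-pw", "student"),
    "bob": make_user("bob-sample-pw", "student"),
    "carol": make_user("carol-sample-pw", "registrar"),
}
RECORDS = {"alice": {"gpa": 3.7}, "bob": {"gpa": 3.1}}
_DUMMY = make_user("unused", "none")  # hashed for unknown usernames

def authenticate(username: str, password: str):
    """Checking the ID: return the username if the password matches, else None."""
    user = USERS.get(username, _DUMMY)  # unknown names cost the same hash work
    candidate = hash_password(password, user["salt"])
    matches = hmac.compare_digest(candidate, user["hash"])
    return username if matches and username in USERS else None

def authorize(principal: str, record_owner: str) -> bool:
    """Checking the list: students see only their own record."""
    role = USERS[principal]["role"]
    return role == "registrar" or (role == "student" and principal == record_owner)

def get_record(username: str, password: str, record_owner: str) -> dict:
    principal = authenticate(username, password)
    if principal is None:
        raise PermissionError("authentication failed")
    if not authorize(principal, record_owner):
        raise PermissionError("not authorized")
    return RECORDS[record_owner]
```

Alice's correct password gets her past `authenticate` either way; it is `authorize` that stops her when the record she asks for belongs to Bob.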
Come on in!
Once your identity and your credentials have been verified, you're free to head to the party safe in the knowledge that all or most guests there have been properly vetted, and that's really what's at the heart and soul of IAM. Of course, there are many other things we can discuss when it comes to the wide wide world of verity, like tokens, and cookies (cookies are like when you leave the club for a minute and they just let you right back in), but we'll save these for another time. Party safe, and I'll see you next time. Don't forget your ID!
References:
[1] https://www.bu.edu/tech/about/security-resources/bestpractice/auth/