Businesses use authentication and authorization solutions to positively identify users and control access to applications and IT systems. Authentication refers to the process of validating a user’s identity. Usernames and passwords are the most basic and familiar forms of authentication.
Authorization refers to the process of granting a user permission to access specific resources or capabilities once their identity is verified. For example, a system administrator might be granted root-level or superuser privileges to a resource, while an ordinary business user might be granted restricted access or no access at all to the same resource.
Most identity and access management (IAM) solutions provide both authentication and authorization functionality and can be used to tightly control access to on-premises and cloud-based applications, services and IT infrastructure. Access management solutions help ensure the right users have access to the right resources at the right times for the right reasons.
Basic authentication methods that require only username and password combinations are inherently vulnerable. Threat actors can carry out phishing attacks or other schemes to harvest credentials and pose as legitimate users to steal data or perpetrate attacks.
Most IAM solutions support Multi-Factor Authentication (MFA) functionality to protect against credential theft and user impersonation. With MFA, a user must present multiple forms of evidence to gain access to an application or system—for example, a password and a one-time, short-lived SMS code.
Authentication factors include:
- Knowledge factors – something the user knows, such as a password or an answer to a security question
- Possession factors – something the user has, such as a mobile device or proximity badge
- Inherence factors – something biologically unique to the user, such as a fingerprint or facial characteristics
- Location factors – the user’s geographic position
Many modern IAM solutions support adaptive authentication methods, using contextual information (location, time-of-day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a particular situation. Adaptive authentication balances security with user experience.
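The decision described above can be sketched as a small rule engine. This is an added example, not code from any IAM product; the network ranges, country codes, working hours, step-up thresholds and the `LoginContext` and `required_factors` names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Business rules: every value here is constructed for illustration.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
HOME_COUNTRIES = {"US", "CA"}
BLOCKED_COUNTRIES = {"ZZ"}              # placeholder country code
WORK_HOURS = (time(7, 0), time(19, 0))

@dataclass(frozen=True)
class LoginContext:
    country: str
    local_time: time
    ip: str
    device_known: bool
    sensitive_app: bool = False

def risk_signals(ctx):
    """Return the contextual signals that deviate from the expected baseline."""
    signals = []
    try:
        trusted = any(ip_address(ctx.ip) in net for net in TRUSTED_NETWORKS)
    except ValueError:
        trusted = False                 # unparsable address: fail closed
    if not trusted:
        signals.append("untrusted_network")
    if ctx.country not in HOME_COUNTRIES:
        signals.append("unusual_country")
    if not (WORK_HOURS[0] <= ctx.local_time <= WORK_HOURS[1]):
        signals.append("off_hours")
    if not ctx.device_known:
        signals.append("unknown_device")
    return signals

def required_factors(ctx):
    """Map a login context to the factors to demand; None means deny."""
    if ctx.country in BLOCKED_COUNTRIES:
        return None
    signals = risk_signals(ctx)
    factors = ["knowledge"]             # password is always required
    if signals or ctx.sensitive_app:
        factors.append("possession")    # step up to a second factor
    if len(signals) >= 3 or (ctx.sensitive_app and len(signals) >= 2):
        factors.append("inherence")     # step up again for high-risk context
    return factors
```

A low-risk login from a known device on a trusted network is asked only for a password, while each additional deviation raises the number of factors demanded.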
Many IAM solutions support Single Sign-On (SSO) capabilities that allow users to access all their applications and services with a single set of credentials. SSO improves user experiences by eliminating password fatigue and strengthens security by eliminating risky user behaviors like writing passwords on paper or using the same password for all applications. Many IAM solutions support standards-based identity management protocols such as SAML, OAuth and OpenID Connect to enable SSO federation and peering.
Most IAM solutions provide administrative tools for onboarding employees and managing access privileges throughout the employee lifecycle, including separation and the offboarding process. Many of these solutions support role-based access controls (RBACs) to align a user’s privileges with their job duties. RBACs help prevent privilege creep and simplify administration when employees change jobs or leave an organization. Many IAM solutions also support self-service portals and automated approval workflows that let employees request access rights and update account information without help desk intervention.