Thales Blog

The Difference Between Authorization and Authentication – and Why You Should Care

March 14, 2020

                                

When it comes to software licensing, not knowing the difference between authentication and authorization can lead to missed revenue opportunities. In this article, we will attempt to clear up the confusion once and for all.    

It’s easy to conflate authentication with authorization. The two are frequently used interchangeably in conversation and are often tightly associated as key pieces of web service infrastructure. In reality, however, they are different concepts that are usually completely divorced from one another.

Authentication is the process by which an individual’s identity is confirmed. Authorization, on the other hand, is the association of that identity with rights and permissions. Put another way, when you hand your driver’s license over to a police officer, the officer can confirm that you are authorized to drive a car, motorcycle, or commercial vehicle. When selling a car, the same license is used to authenticate that you are the rightful owner of said vehicle. In the enterprise, there is a frequent decoupling of authentication and authorization, entirely hidden from the end user.

For example, the Windows Active Directory service authenticates the user when they log in, and that identity confirmation is then used by various licensing systems to authorize access to applications. In the web services space, there have been several attempts over the years to provide authentication services that require a single login across your Internet accounts. The high-profile failure of Microsoft Passport eclipsed a number of other lesser-known companies that also tried and failed. Today, Google, Facebook, and Twitter all provide federated authentication services that any website or application can use to verify someone’s identity. Additionally, OAuth is an open standard for authentication that promises ease of integration and strong authentication services. None of these solutions, however, provide an answer to authorization.

Authentication Is Key to Software Monetization

 

While some big players have stepped into the authentication space, developers of web applications are often left to their own devices. As a result, the rights and permissions of the authenticated user across an entire web application are reduced to a simple “yes” or “no”. This is usually sufficient early on in the development cycle or for basic applications. But as applications grow in complexity and features are added, there is an opportunity to better monetize and control who has access to those features.            
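The gap between the "yes or no" model and feature-level permissions, as an added example that is not code from Thales or the Sentinel service. Every name, key and feature in it is hypothetical, and the HMAC-signed token is only a stand-in for whatever identity provider performs authentication.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data: the key, users and feature names are all hypothetical.
SESSION_KEY = b"demo-only-key"
ENTITLEMENTS = {                      # confirmed identity -> licensed features
    "alice": {"export_pdf", "bulk_import"},
    "bob": {"export_pdf"},
}


def _mac(user: str) -> str:
    return hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Stand-in for the identity provider: bind a user name to a MAC."""
    return f"{user}.{_mac(user)}"


def authenticate(token: str) -> Optional[str]:
    """Authentication: return the confirmed identity or None. Grants no rights."""
    user, sep, mac = token.rpartition(".")
    if not sep or not user:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None


def authorize(user: str, feature: str) -> bool:
    """Authorization: per-feature check, denying unknown users and features."""
    return feature in ENTITLEMENTS.get(user, set())


def coarse_gate(token: str, feature: str) -> bool:
    """The yes/no model: any authenticated user reaches every feature."""
    return authenticate(token) is not None


def feature_gate(token: str, feature: str) -> bool:
    """Authenticate first, then authorize the confirmed identity per feature."""
    user = authenticate(token)
    return user is not None and authorize(user, feature)
```

With these constructed entitlements, a valid token for `bob` passes `coarse_gate` for `bulk_import` but is refused by `feature_gate`, and a validly authenticated user with no entitlement record is refused every feature.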

Attempting to Build Your Own Solution?

 

Attempting to graft on feature-level permissions after the fact can be time-consuming and cost-prohibitive, and can take time away from developing the core of your application. So what’s the answer? Sentinel cloud-based solutions provide feature-level licensing as a service. With simplified calls to either a runtime library or secure REST API, the developer can easily connect the features you wish to control with the service. This means the developer is no longer encumbered with creating a licensing infrastructure and can focus on getting your application to market faster, with more features and greater maturity.

This blog post is part of our Software Monetization 101 series, which examines commonly misunderstood terminology in the software protection, licensing, and entitlement management space.