Metaphors for Authentication & Authorization

Authentication and authorization are two concepts that are often misinterpreted when designing and integrating systems. Fortunately, there are a couple of relatable metaphors to use in discussions.

The Nightclub & Jay-Z

We’re going to a popular nightclub. The bouncer at the door checks our driver’s license to confirm we are who we say we are, which is authentication. Once we’re inside, we’re able to walk around, awkwardly dance (in my case; maybe you have better moves), and notice there’s a private balcony with Jay-Z. When we head to this balcony, security checks whether we’re on the special guest list, which is authorization.

Hotel Pools & Gyms

We’re checking into a hotel. The receptionist checks our passport to confirm we are who we say we are and asks for a credit card, which is authentication. We receive a hotel keycard that opens the elevator and our room, along with the pool and gym. When we try to train for a triathlon at midnight, the pool and gym are closed and the keycard won’t let us in; it still opens the elevator and gets us back into the room. What the keycard may open, and when, is authorization.

The hotel metaphor can be extended a bit to talk about a few other topics.

  • Multi-factor authentication: if the receptionist checks that the names on the passport and credit card match, this is an example of multi-factor authentication

  • Compromised identity & breaches: if we lose or give the hotel keycard to someone else, this is similar to having our identity compromised or breached by bad actors

  • Revoking access: if the hotel has a strict policy to get a new hotel keycard every 7 days, this forces us to authenticate again with the receptionist

  • Threat monitoring: if the hotel notices that we are entering the pool and gym more than usual, they might take a variety of actions (including revoking access) to determine whether this atypical usage is legitimate

TLDR: Authentication verifies who you are. Authorization defines what you can do.
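To make the hotel metaphor concrete, here is an added example (my own code, not from the post) that writes it out as a small access-control model in Python: check-in is authentication, with two factors that must agree; access is authorization over keycard state, expiry and opening hours; revoke handles a lost keycard; and unusual_usage is the monitoring step. The guest register, the opening hours, the anomaly threshold and the 7-day keycard lifetime are constructed assumptions used only to illustrate the ideas above.

```python
"""Hotel check-in as a small access-control model (added example, not from the post).
Guest records, opening hours, the anomaly threshold and the 7-day keycard lifetime
below are constructed assumptions used only to illustrate the metaphor."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

KEYCARD_LIFETIME = timedelta(days=7)          # "new keycard every 7 days"
OPENING_HOURS = {                              # assumed hours (start, end) per area
    "elevator": (0, 24),
    "room": (0, 24),
    "pool": (6, 22),
    "gym": (6, 22),
}
UNUSUAL_VISITS_PER_DAY = 5                     # assumed threshold for "more than usual"

# Constructed guest register keyed by passport number: the two factors the
# receptionist compares are the passport name and the credit-card holder name.
GUESTS = {
    "P1234567": {"passport_name": "Alex Doe", "card_name": "Alex Doe"},
    "P7654321": {"passport_name": "Sam Roe", "card_name": "Chris Roe"},  # mismatch
}


@dataclass
class Keycard:
    guest: str
    issued: datetime
    revoked: bool = False
    visits: list = field(default_factory=list)  # (time, area), kept for monitoring


class Hotel:
    def __init__(self):
        self.keycards = {}  # token -> Keycard

    def check_in(self, passport_no, card_name, now):
        """Authentication: prove who you are. Both factors must agree."""
        guest = GUESTS.get(passport_no)
        if guest is None or guest["card_name"] != card_name:
            return None                        # unknown guest or factors disagree
        token = secrets.token_hex(16)          # the keycard is a bearer credential
        self.keycards[token] = Keycard(guest["passport_name"], now)
        return token

    def access(self, token, area, now):
        """Authorization: may this keycard open this area at this time?"""
        card = self.keycards.get(token)
        if card is None or card.revoked:
            return False                       # unknown card, or lost card was revoked
        if now - card.issued >= KEYCARD_LIFETIME:
            return False                       # expired: back to the receptionist
        hours = OPENING_HOURS.get(area)
        if hours is None or not (hours[0] <= now.hour < hours[1]):
            return False                       # closed overnight, or no such area
        card.visits.append((now, area))
        return True

    def revoke(self, token):
        """Compromised keycard: stop honouring it without touching other guests."""
        if token in self.keycards:
            self.keycards[token].revoked = True

    def unusual_usage(self, token, now):
        """Threat monitoring: flag more pool/gym visits than usual in the last day."""
        card = self.keycards[token]
        since = now - timedelta(days=1)
        recent = [a for t, a in card.visits if a in ("pool", "gym") and t >= since]
        return len(recent) > UNUSUAL_VISITS_PER_DAY


def walkthrough():
    """Run the scenarios from the post and return the outcomes by name."""
    hotel = Hotel()
    noon = datetime(2024, 1, 1, 12, 0)
    midnight = noon + timedelta(hours=12)
    token = hotel.check_in("P1234567", "Alex Doe", noon)
    results = {
        "mfa_mismatch_rejected": hotel.check_in("P7654321", "Sam Roe", noon) is None,
        "unknown_guest_rejected": hotel.check_in("P0000000", "Nobody", noon) is None,
        "pool_at_noon": hotel.access(token, "pool", noon),
        "pool_at_midnight": hotel.access(token, "pool", midnight),
        "room_at_midnight": hotel.access(token, "room", midnight),
        "room_on_day_six": hotel.access(token, "room", noon + timedelta(days=6)),
        "room_on_day_seven": hotel.access(token, "room", noon + timedelta(days=7)),
    }
    for hour in range(13, 19):                 # six gym visits in one afternoon
        hotel.access(token, "gym", noon.replace(hour=hour))
    results["flagged_as_unusual"] = hotel.unusual_usage(token, noon.replace(hour=19))
    hotel.revoke(token)
    results["access_after_revoke"] = hotel.access(token, "room", noon)
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The split matters in practice: check_in is the only place identity is established, and every later decision is made against the keycard (token) rather than by asking "who are you?" again. Expiry, revocation and monitoring all act on that token, which is why a stolen keycard can be cut off without re-checking any other guest.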
