Authorization (AuthZ) and Authentication (AuthN): A Brief History

Hannah Young
December 23, 2022
5 min read

(Almost) Every. Major. Company. In. Identity. has written an article on the difference between authorization and authentication. To summarize: authentication is who you are, and authorization is what you can do. Your time is valuable (and we’re not interested in wasting it!), so this article will not spend much time defining the concepts and will dive into their history instead.

Authentication: From plaintext files to SSO

Initial attempts at authentication were password-based. Fernando Corbató implemented the first computer password in 1961 to secure users’ files on a shared MIT computer (the passwords were stored in a plaintext file, and yes, someone did find the file and print out every password on the system). This basic scheme is still widely used today; the iconic username:password combination has produced many a “lost password” frustration and a variety of techniques for obtaining those passwords (see the xkcd comic below).

xkcd Comic

Today, we’ve augmented basic password authentication with Multi-Factor Authentication (MFA), which adds further factors to supplement something you know, like a password. Examples of these additional factors include biometrics, single-use codes sent by text message or email, and hardware-based keys (see: anyone who has spent minutes frantically searching for their phone to approve a Duo Push or Okta notification, and/or the comic below). MFA was followed by the widespread adoption of Single Sign-On (SSO), which concentrates the authentication task in the hands of a handful of companies. The most familiar example is Google, where you can use your Google account to sign into many different websites without creating and re-entering a separate username and password for each.

Authorization: Authentication’s oft-overlooked counterpart

The history of authorization is harder to track because so much of our attention (and writing) has gone into trying to “solve” authentication. Even the Wikipedia article on authorization is a pretty quick read, and when we explicitly searched Google for the history of authorization, the top four results were still accounts of authentication (see image below). Authorization is the more junior of the two in terms of standardization and development, which is why its history, along with Crosswire and other authorization-focused enterprises, is where it is today. While authentication has some written record, we’re still writing authorization’s history.

One of the most prominent early examples of authorization implemented in computers is thought to be the file system permissions of early Linux in the 1990s. The model was a basic (but effective) scheme in which the file’s owner, members of the file’s group, and all other users each receive their own combination of three permissions: read, write, and execute. This scheme is still used by Unix-like operating systems today and often resurfaces as some variation of read/view, write/edit, and execute/run or comment permissions.
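As an added example (not code from the original post), here is the owner/group/other decision described above written out as a check over a file’s mode bits. It assumes a simplified Unix model: the requester is identified by a uid and a set of gids, there are no ACLs, and the superuser (uid 0) is the only override. The point a practitioner should notice is that exactly one permission class is consulted, with no fall-through to a more permissive class.

```python
READ, WRITE, EXEC = 4, 2, 1  # the r/w/x bits of one permission class


def allowed(mode: int, owner_uid: int, owner_gid: int,
            uid: int, groups: set[int], want: int) -> bool:
    """Return True if a process running as (uid, groups) may perform `want`
    (a bitmask of READ/WRITE/EXEC) on a file with the given mode bits.

    Classic Unix discretionary access control picks exactly one class:
    owner bits if the uid matches, otherwise group bits if any of the
    process's groups matches the file's group, otherwise other bits.
    There is no fall-through: the owner of a 0o077 file is denied even
    though the group and other bits would allow the access.
    """
    if uid == 0:
        # Superuser bypasses read/write checks; execute still requires
        # at least one execute bit somewhere in the mode (Linux behaviour).
        return not (want & EXEC) or bool(mode & 0o111)
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid in groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bits & want) == want


def render(mode: int) -> str:
    """Render the nine permission bits the way `ls -l` shows them."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & READ else "-")
        out.append("w" if bits & WRITE else "-")
        out.append("x" if bits & EXEC else "-")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: file owned by uid 1000, group 100, mode 0o077.
    mode, owner, group = 0o077, 1000, 100
    print(render(mode))                                       # ---rwxrwx
    print(allowed(mode, owner, group, 1000, {100}, READ))     # False: owner class wins
    print(allowed(mode, owner, group, 1001, {100}, READ))     # True: group class
```

Running the block shows the no-fall-through case: the owner of the 0o077 file is denied read access while a mere group member is allowed it.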

As the world became more Internet-focused, we saw web applications with complex permission systems. For example, you can’t edit someone else’s Instagram post from your account, and you certainly can’t view the bank account balance of someone who hasn’t added you. Maintaining these permissions while keeping them easy to use was a question everyone was trying to solve, and the main piece of technology that emerged for authorization was OAuth (technically OAuth 2.0, but we’ll colloquially refer to it as OAuth; see comic below). This protocol gave people a way to let applications act with specific permissions (called scopes) on their behalf, granting those applications access to the user’s information without handing over the user’s sensitive credentials (i.e., passwords).

Wiki user Saqibali (improved by Perhelion)

However, OAuth couldn’t fully answer the permission-maintenance question inside an organization, and RBAC (Role-Based Access Control) became the latest authorization approach, used to control access based on the roles users hold within an organization. RBAC lets administrators assign users roles and permissions based on their profiles and job responsibilities, and it is used in many modern multi-user operating systems today. However, as we expressed in our blog post “Why RBAC is obsolete,” “where roles were once able to be clearly defined and mapped between each other, modern companies face a tangled mess of permissions and access that are impossible to manage.” As a result, security departments and business units spend excessive time granting and auditing permissions once roles (that may once have been discrete and useful) become outdated and irrelevant, making RBAC nearly impossible to scale efficiently.

The reason it’s so difficult for traditional authorization methods to scale up as organizations develop (what we’re calling authorization’s “scalability problem”) is that these methods require manual input for each user. Accordingly, as the number of users and roles in an organization increases — and as job responsibilities no longer fall into these conventional, discrete roles — this automatically increases the amount of work you must do to keep your authorization measures relevant. This is especially challenging when dealing with fast-paced, dynamic work environments or applications that utilize multiple clouds.

So, where does this leave the future of authorization?

In trying to solve the scalability problem, some organizations have stuck to manually updating every role’s permissions, while others have turned to different identity and access management (IAM) platforms to manage their authorization. IAM platforms allow companies to control who has access to what, all on a single dashboard, making it easier to view and implement security authorization at scale.

Regardless of the method, in order to adapt, authorization must solve the scalability problem. We believe that modern authorization-focused enterprise security companies like Crosswire should lead the charge. Where other authorization processes have become cumbersome and time-consuming, products like Crosswire’s automate the process within minutes. Crosswire gathers permissions across different enterprise applications to implement rule-based access without human intervention. Our engine automatically provisions access and identifies anomalies, providing the infrastructure to manage authorization at scale.

We’re entering a new chapter in the history of authorization. To help write this history, explore our career opportunities here and stay updated with our latest news delivered directly to your inbox below!
