Authentication and Authorization

Code security protects the normal, day-to-day operations of an app, tool, or daemon. But what happens when your code is under siege? It is often essential to know not only what the user is doing but also who the user is and whether the user is allowed to do that. This is where authentication and authorization come into play.

Authentication

“If you know yourself but not your enemy, for every victory gained you will also suffer a defeat.”

—Sun Tzu, The Art of War

When securing software, the first thing you must do is find a way to distinguish friend from foe. This process is called authentication.

In computer security, authentication verifies the identity of a user or service. Authentication usually serves one of two purposes:

Three types of authentication are most common:

Authorization

Authorization is the process by which an entity such as a user or a server gets permission to perform a restricted operation. The term is also often used to refer to the right itself, as in “The soldier has authorization to enter the command bunker.”

The difference between authentication and authorization is somewhat subtle. Often, the mere fact that a user has an account means that the user is authorized to do something, in which case authentication and authorization are the same thing. However, in more complex systems, the difference becomes more obvious.

Consider a computer with two users. Each user is known to the system. Therefore, both users can each log in to the computer, and it authenticates them. However, neither user is authorized to modify the other’s files, and as a result, neither user can do so.

The details of authorization depend on whether you are using iOS or OS X.

In iOS, the user can set a passcode (which by default is a four-digit personal identification number) to prevent unauthorized use of the device. After entering this passcode, the user of the device is presumed to be authorized to use the device. In addition, each app is digitally signed and can therefore be authenticated by the operating system. Therefore, there are no user authentication or authorization APIs in iOS.

In OS X, there are several layers of authorization:

In addition, on both OS X and iOS, some apps may require you to log in to a remote server, which in turn performs authentication and authorization.

To Learn More

For a more detailed conceptual overview of authentication and authorization in OS X, read Authentication, Authorization, and Permissions Guide.

You can also learn about other Apple and third-party security books in “Other Security Resources.”