Insights • Blogs/Articles

Identity, Authorisation and Authentication, what’s the difference?

As we’ve established in previous Sekura blog articles, the explosion in digital and mobile service adoption has resulted in unprecedented data and cybersecurity threats, meaning that businesses must constantly seek ways to better secure their digital assets. Modern authentication and identity management tools are promoted as an easy way to protect against data breaches, but what exactly is the difference between these two concepts?

Identity Access Management (IAM), Identity Management, Authentication, Authorisation, Password Management – are these all the same thing?

Well, yes and no – in reality authentication is a subset of identity management, and platforms that support the delivery of identity management and authentication processes are known as identity and access management (IAM) platforms.

Identity Management

In short, the framework, information and processes by which a device, organization, person or application can be ‘identified’ as unique and different from all others is known as digital identity.

Identity proofing – the method to establish an identity without doubt – is critical in order to properly apply access levels for the user or device to applications, services and data. This assignment of access based on a digital identity is known as identity management. Controlling access to sensitive information to allow access to only those that need it will significantly reduce the risk of data loss or theft, thus effective identity management is critical to the data security of a business.

Identity management typically consists of a number of component processes, including network and application access control, authentication rules and methods, identity governance and password management, and much of what identity management provides is critically important in the verification of true user identities. This is known as authorization.


Using an established identity, the controls that can then be put in place to allow a person or device to access company data or applications is known as authorisation. Rules are established to enable different levels of access (e.g. to allow only certain users to access privileged information or systems), and authorisation rules are set and applied to each user according to their access rights.

In order to authorise people and/or devices, it’s critical that the tools and processes used to authorise the digital identities within an identity management platform are able to ‘trust’ that the  information underpinning the identity is verified and valid. Trust is the key enabling component giving the identity management process a critical underlying confidence in the processing of access controls.


The process of proving the digital identity of a person, device or other entity in order to enable access to services is known as authentication. Until recently, this has been synonymous with username and password.

In order for a user or device to successfully authenticate, the service administrator can employ one or more control methods to enable access to the service. In addition to the username and user-controlled password, other examples include PIN, biometric data such as fingerprint, voice, face or retina recognition, or hardware- or software-based access tokens.

Authentication methods utilise one or more ‘factors’ to validate that the user or device is who or what it claims to be. These factors are commonly described as follows:

  • Something you have: a ‘possession’ factor – something you have at the point of access request into a service. This could be your mobile phone or a hardware access token such as a bank Secure Key
  • Something you know: a ‘knowledge’ factor – something only you should know, such as your secret password, access PIN, or a temporary One-Time Passcode (OTP)
  • Something you are: the biometric factor – something that is unique to you like a fingerprint, voice profile or facial recognition scan

Single-factor authentication (SFA) is the use of one of these factors to access a service (for example a username and password), while two-factor authentication (2FA) requires the use of two separate authentication methods, such as username/password followed by entry of an OTP or confirmation of a biometric factor. Any form of authentication that utilizes two or more distinct methods is referred to as multifactor authentication (MFA).

For additional information on this topic try the Gov.UK guidance on using authenticators to protect an online service.

Identity Access Management (IAM)

Finally, any platform that supports identity management tools and authentication of users and devices can be categorised as an identity and access management (IAM) platform.

These platforms are made up of tools, policies and a structured framework that helps security administrators allocate the appropriate access level to digital resources based on a successful authentication. Using IAM platforms with MFA, businesses and application owners can feel safe that only those that need access to sensitive data and applications will be able to obtain that access.

To learn more about how we work, or to discuss the Sekura approach with any of our team, Contact Us.