There are two parts to granting secure access to an organization’s resources: identity management and access management.
Identity management checks a login attempt against an identity management database, which is an ongoing record of everyone who should have access. This information must be constantly updated as people join or leave the organization, their roles and projects change, and the organization’s scope evolves.
Examples of the kind of information that’s stored in an identity management database include employee names, job titles, managers, direct reports, mobile phone numbers, and personal email addresses. Matching someone’s login information like their username and password with their identity in the database is called authentication.
For added security, many organizations require users to verify their identities with something called multifactor authentication (MFA). Also known as two-way verification or two-factor authentication (2FA), MFA is more secure than using a username and password alone. It adds a step to the login process where the user must verify their identity with an alternate verification method. These verification methods can include mobile phone numbers and personal email addresses. The IAM system usually sends a one-time code to the alternate verification method, which the user must enter into the login portal within a set time period.
Access management is the second half of IAM. After the IAM system has verified that the person or thing that’s attempting to access a resource matches their identity, access management keeps track of which resources the person or thing has permission to access. Most organizations grant varying levels of access to resources and data, and these levels are determined by factors like job title, tenure, security clearance, and project.
Granting the correct level of access after a user’s identity is authenticated is called authorization. The goal of IAM systems is to make sure that authentication and authorization happen correctly and securely at every access attempt.
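The flow described above, as an added Python example that is not part of the original page: a password check against an identity record, a one-time code that is single use and expires, then authorization by job title. The user, password, job titles, resource names and the 300-second window are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a one-time code stays valid (assumed value)

def hash_password(password, salt):
    # Store a salted, slow hash in the identity database, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed identity record and access policy, for illustration only.
_SALT = secrets.token_bytes(16)
IDENTITIES = {"avery": {"job_title": "engineer", "salt": _SALT,
                        "pw_hash": hash_password("correct horse", _SALT)}}
ACCESS = {"engineer": {"source-repo", "wiki"}, "hr-partner": {"payroll", "wiki"}}
PENDING = {}  # username -> (code, expiry time); one outstanding code per user

def start_login(username, password, now=None):
    """Authentication, step 1: check the password, then issue a one-time code."""
    now = time.time() if now is None else now
    record = IDENTITIES.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    salt = record["salt"] if record else b"\0" * 16
    if not (record and hmac.compare_digest(hash_password(password, salt), record["pw_hash"])):
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = (code, now + CODE_TTL)
    return code  # a real system sends this to the user's phone or email

def finish_login(username, code, now=None):
    """Authentication, step 2: accept the code once, inside its time window."""
    now = time.time() if now is None else now
    # pop() consumes the code on any attempt, blocking replay and repeated guessing.
    expected, expiry = PENDING.pop(username, ("", 0.0))
    return now <= expiry and hmac.compare_digest(code.encode(), expected.encode())

def authorize(username, authenticated, resource):
    """Authorization: evaluated only after authentication, keyed on job title."""
    if not authenticated:
        return False
    title = IDENTITIES.get(username, {}).get("job_title")
    return resource in ACCESS.get(title, set())
```

Calling `authorize` on every request, not only at login, matches the goal of checking authentication and authorization at every access attempt.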