Identity Authorization

Authorization is determining what a user
can and can’t do based on their identity


The process of determining what rights or privileges an individual or entity should be granted.

Simply put

What do you get once we know it’s you?

Not all use cases and service providers require identity verification. For example, many internet services allow users to create pseudonymous accounts without providing any identity attributes. Others will rely on self-asserted information – in other words, information a user or entity has indicated about itself is taken with no further steps to check the accuracy of the data.

Status quo authorization processes

Authorization typically takes a combination of verification and an authentication event to grant a user permission to perform certain actions. For example, after logging into her Netflix account, a customer will be granted access to streaming services based on her status as a paying member. However, if that user travels outside the U.S., she may not be authorized to view certain content based on a change in her location, a core identity attribute in this transaction. From a service provider prospective, effective authorization procedures involve robust internal process flows built on a foundation of accurate verification and authentication processes. A trend in authorization has been to move from role-based (a defined set of static permissions) to attribute-based (a more dynamic set of permissions).

The problem with the status quo

Authorization fundamentally requires flexibility, as both roles and attributes change frequently and users authenticate (or fail to authenticate) into systems on a regular basis. Failure to accurately monitor key identity attributes could lead to illegitimate access to sensitive information or costly services. At the same time, however, it is an untenable burden, in terms of both cost and security, to undergo continuous identity verification for all customers in order to ensure roles and attributes have remained constant for authorization.

As the internet of things expands, authorizing devices to perform actions – be they to initiate a purchase in a consumer-focused setting or initiate a production incident in an industrial setting – will become a key capability to harness the power of the Internet of Things (IoT).

Private & secure



Work with us

OWI is an independent advisory and digital strategy consultancy that can help you generate actionable market and business insights.