We often interchangeably use the terms authentication and authorization. However, they represent fundamentally different functions. In this shot, we will better understand these concepts and use the appropriate one in each situation.
In short, authentication is about the user's identity, and authorization is about the user's permissions.
Simply put, authentication is the process of verifying that a user is who they claim to be. To prove our identity to a system, we usually have to present valid credentials, such as a username and password.
Sometimes, a login and password are not sufficient to fully authenticate a user. For security purposes, we may need to combine them with other elements called factors, which fall into three categories:
Let's see an analogy for authentication. Say we want to fly to Congo. We arrive at the airport. What do we have to do there? We must first prove our identity to the security agent by showing them our ID card.
Let’s now learn about the three authentication factors.
Once a system has established authentication, we can talk about authorization. In the bigger picture, authorization deals with granting or denying rights to access resources. It generally occurs after successful authentication, but not always: "anonymous consumers" or "guests" can be authorized for a limited set of actions without being required to authenticate.
We can use roles to indicate what a user has access to. Let's continue our analogy to understand this better. We want to travel, and we've already been authenticated. Now, we are at the gate in front of the flight attendant. What do we need to do? We present our boarding pass to them, so they can authorize us to board our flight and allow access to the plane.
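To make the two steps concrete in code, here is an added example (not part of the original shot) that separates them the way a request handler would: `authenticate` checks credentials against salted password hashes, `authorize` checks a role's allowed actions, and an anonymous guest role gets a limited action set without authenticating. The users, passwords and action names are constructed samples.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the clear-text password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)  # fresh salt per user
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}

# Constructed user store (sample users, not real accounts).
USERS = {"alice": make_user("correct horse", "editor"),
         "bob": make_user("battery staple", "viewer")}
DUMMY_SALT = os.urandom(16)

@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # "guest" marks an anonymous consumer

GUEST = Principal("anonymous", "guest")

def authenticate(username: str, password: str) -> Optional[Principal]:
    """Authentication: is the caller who they claim to be?"""
    record = USERS.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)  # same cost for unknown names, so timing does not reveal which users exist
        return None
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        return None
    return Principal(username, record["role"])

# Authorization: each role maps to the actions it is allowed; guests get a limited set.
ROLE_PERMISSIONS = {"guest": {"read_public"},
                    "viewer": {"read_public", "read_private"},
                    "editor": {"read_public", "read_private", "write"}}

def authorize(principal: Principal, action: str) -> bool:
    return action in ROLE_PERMISSIONS.get(principal.role, set())

def handle_request(action: str, username: Optional[str] = None, password: str = "") -> int:
    """HTTP-style outcome: 401 = identity not established, 403 = identity known but action denied."""
    if username is None:
        principal = GUEST  # no credentials: anonymous consumer, still subject to authorization
    else:
        principal = authenticate(username, password)
        if principal is None:
            return 401
    return 200 if authorize(principal, action) else 403
```

Note that a wrong password yields 401 (we do not know who the caller is), while a known viewer asking to write yields 403 (we know who they are, but the role does not permit it).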
To sum up, authentication and authorization are both common terms in the world of identity and access management (IAM). The first is the process of verifying who a user is, while the second is the process of verifying what they have access to.