What is the difference between authentication and authorization?

Overview

We often use the terms authentication and authorization interchangeably. However, they represent fundamentally different functions. In this shot, we will get a better understanding of these concepts so that we can use the appropriate one in each situation.

In short, authentication is about the user’s identity, and authorization is about the user’s permissions.

Authentication

Simply speaking, authentication is the process of verifying that a user is who they claim to be. To prove our identity to a system, we usually need to provide it with valid credentials, such as a username and password.

Sometimes, a login and password are not sufficient to fully authenticate a user. For security purposes, we may need to combine them with other elements called factors, which fall into three categories:

  1. What the user knows
  2. What they have
  3. What they are

Let’s see an analogy for authentication. Let’s say we want to fly to Congo. We arrive at the airport. What do we have to do there? We must first prove our identity to the security agent by showing them our ID card.

Three authentication factors

Let’s now learn about the authentication methods built from these factors.

  • Single-Factor Authentication: This is the most basic form of authentication. It relies on a password only.
    • Example: A college website that only validates a password against a login.
  • Two-Factor Authentication: In addition to the preceding factor, the user must provide another piece of confidential information.
    • Examples:
      • A banking website validates a password against the login and then requires the user to enter a PIN known only to the user.
      • We use two-factor authentication with our Gmail account. After we enter our login and password, Google sends us a code via SMS. We can’t access our emails until we provide that code.
  • Multi-Factor Authentication (MFA): This is the most advanced form of authentication. It requires at least two security factors from independent categories.
    • Example: A hospital system that requires a login and password, a security code sent to the user’s smartphone, and a fingerprint.

Authentication using username and password

Authorization

Once a system has established authentication, we can talk about authorization. In the bigger picture, authorization deals with granting or denying rights to access resources. It generally occurs after successful authentication, but not always: “anonymous consumers” or “guests” could be authorized to perform a limited set of actions without being required to authenticate.

We can use roles to indicate what a user has access to. Let's continue our analogy to understand this better. We want to travel, and we’ve already been authenticated. Now, we are at the gate in front of the flight attendant. What do we need to do? We present our boarding pass to them so that they can authorize us to board our flight and allow access to the plane.
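To make the separation concrete, here is an added example (not code from the original shot) that puts the two steps described in the Authentication and Authorization sections side by side: a login check against a salted password hash, an optional second factor for accounts that have one enrolled, and then a role-based permission check that also covers the “guest” case, where an unauthenticated principal is allowed a limited set of actions. The user store, the roles, the permissions, and the one-time code are all constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# --- Authentication: who is the user? ---------------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, roles, otp: Optional[str] = None) -> dict:
    """Build one constructed user record. 'otp' stands in for a code the user
    receives on an enrolled device (a possession factor); None means no second
    factor is enrolled for this account."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "roles": set(roles), "otp": otp}

# Constructed user store: alice has a second factor enrolled, bob does not.
USERS = {
    "alice": make_user("correct horse battery staple", {"doctor"}, otp="492817"),
    "bob": make_user("hunter2", {"patient"}),
}

# A throwaway record so unknown usernames cost the same hashing work as
# real ones (avoids leaking which usernames exist through response time).
_DUMMY = make_user("", set())

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    authenticated: bool

# A guest who never logged in still gets a principal, just an unauthenticated one.
ANONYMOUS = Principal("anonymous", frozenset({"anonymous"}), authenticated=False)

def authenticate(username: str, password: str, otp: Optional[str] = None) -> Optional[Principal]:
    """Return a Principal when every required factor checks out, else None."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, _DUMMY["salt"])  # same work as a real lookup
        return None
    # Factor 1: something the user knows. Constant-time comparison of hashes.
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    # Factor 2 (only if enrolled): something the user has.
    if user["otp"] is not None:
        if otp is None or not hmac.compare_digest(otp, user["otp"]):
            return None
    return Principal(username, frozenset(user["roles"]), authenticated=True)

# --- Authorization: what may this principal do? ------------------------------

# Constructed role -> permission mapping. 'anonymous' is the limited action
# set available without authenticating at all.
ROLE_PERMISSIONS = {
    "doctor": {"read_public", "read_record", "write_record"},
    "patient": {"read_public", "read_record"},
    "anonymous": {"read_public"},
}

def authorize(principal: Principal, action: str) -> bool:
    """Grant the action only if one of the principal's roles carries it."""
    allowed = set()
    for role in principal.roles:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return action in allowed

if __name__ == "__main__":
    alice = authenticate("alice", "correct horse battery staple", otp="492817")
    print("alice may write_record:", authorize(alice, "write_record"))      # True
    print("guest may read_record:", authorize(ANONYMOUS, "read_record"))    # False
```

Note that `authorize` never looks at the password or the one-time code; it only asks which roles the already-established principal holds. That is the practical consequence of the distinction in the text: a wrong password is an authentication failure (no principal at all), while a doctor asking for an action outside their role is an authorization failure (a valid principal, denied access).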

Summary

To sum up, authentication and authorization are both common terms in the world of identity and access management (IAM). The first is the process of verifying who a user is, while the second is the process of verifying what they have access to.