Difference between Authentication and Authorization

Debarati Ghatak
Last Updated: May 13, 2022

Introduction

We often tend to mix up these two words - Authentication and Authorization. However, to the security of a system, these two terms are fundamentally distinct. So it is essential to understand the differences between them. Let us dig a little deeper into each of these topics and understand what makes them different.

Authentication

Authentication is the process by which the identity of a user is verified for providing access to the system.

In simpler words, during Authentication, the system asks the user, ‘Who are you?’ or ‘Are you the person you claim to be?’.

Authentication techniques

  • Single-factor Authentication

Single-factor Authentication is the simplest method of Authentication where a user is verified with a single factor. The most popular SFA is password authentication, where a user is prompted to enter a password for their particular user id or username. If the password matches the actual password, user verification is successful.

  • Multi-factor Authentication

Multi-factor Authentication provides an extra layer of security over SFA. As its name suggests, MFA, or Multi-factor Authentication, uses two or more factors to verify a user’s identity. Two-factor Authentication  OR 2FA is a subset of MFA.

One example of 2FA can be the Two-factor Authentication used by Google.

Whenever a person signs in to Google, they have to enter their password as usual for the first step of authentication. Then, for the second authentication step, Google sends a code to their phone via text and voice call, which the user has to enter correctly.

  • Biometric verification

Biometric verification like a fingerprint scan, retina scan or facial recognition, and voice recognition give a secure and convenient way to verify a user’s identity.

  • Security questions

Users can choose a security question from the list of security questions given and answer it. Security questions can be used to verify a user when they are trying to change their password.

  • OTP verification

OTP or ‘One Time Password’ is precisely what it says. It is a Password sent to the user’s registered email id or phone number.

Authorization

Authorization is the process of determining whether an authenticated user has the authority to access a particular resource. 

It checks the user’s rights to grant or deny access to resources like files, databases, etc.

Authorization is done only after a user has been successfully authenticated. During the Authorization process, the system asks the user, ‘What are you allowed to do ?’ or, ‘What permissions do you have?’

 

 

Access control

Once user Authentication is done, access control models are used to protect resources from getting into evil hands. Access control techniques define the permissions for a specific resource.
The four types of access control models are:

  1. MAC (Mandatory Access Control)
  2. DAC (Discretionary Access Control)
  3. RBAC (Role-Based Access Control)
  4. ABAC (Attribute-Based Access Control)

Authorization techniques

  1. OAuth: OAuth or Open Authorization is an Authorization protocol that uses access tokens to represent that a client application has been granted permissions to access the resources.
  2. JWT: JWT, which stands for JSON Web Token, is widely used for user authorization today. It is an open standard that enables secure data transmission between two parties in the form of a JSON object.

Note: 

  • Authentication is done before Authorization. 
  • If a user is authenticated, it does not necessarily mean that the user has gained access to every resource. The user can still be denied access to specific resources based on the security policies of the system.

Example

Let us look at a real-life example to understand the differences even better. We as humans are constantly doing Authentication and Authorization in our day-to-day life. 

Consider a scenario when someone knocks at our door. We open the door only after verifying the identity of the visitor.  For verification, we may ask them ‘Who are you?’ or look at their face to see if that person is known to us. If the person is someone we trust, we will let them enter our house. This is how Authentication works.

After the person is inside our house, the person may have access to certain areas of the house like the living room and the bathroom. However, if the person does not have access to the bedroom and tries to enter it, their entry will be denied. This is how Authorization works.

 

 

Differences between Authentication and Authorization

Let us have a look at the key differences between the two:

 

Authentication

Authorization

It is the process by which a user’s identity is verified to provide access to the system.

 

It is the process to determine whether an authenticated user has the authority to access a particular resource.

It is also popularly known as AuthN.

It is also popularly known as AuthZ.

It is done before Authorization.

It can occur only if authentication has successfully been done.

Authentication is the system’s way of asking the user ‘Who are you?’ or, ‘Are you the person you claim to be?’.

Authorization is the system’s way of asking the user, ‘What are you allowed to do ?’ or, ‘What permissions do you have?’

It is commonly done via Password-based authentication.

Authorization is based on the security settings of the system.

Users can partially change authentication credentials.

Users cannot change authorization permissions.

 

 

Frequently Asked Questions

 

Q1. Does Authentication come before Authorization?

Ans: Yes, Authentication always comes before Authorization. Authorization can take place only after the successful authentication of a user.

Q2. Are Authentication and Authorization the same?

Ans: No, they are not the same. With the help of Authentication, we verify the identity of a user, while Authorization determines whether the user has the authority to access a particular resource.

Q3. What are the various techniques used to authenticate users?

Ans: Some of the techniques that are popularly used to authenticate users are - Password-based Authentication, Single-factor Authentication, Multi-factor Authentication, Biometric Authentication, etc.

Q4. What is Authentication?

Ans: Authentication is the process by which the identity of a user is verified for providing access to the system.

Q5. What is Authorization?

Ans: Authorization is the process of determining whether an authenticated user has the authority to access a particular resource. 

Key Takeaways

To summarize what we have learned so far, we went through the basics of Authentication and Authorization and the key differences. We also discussed a few different Authentication and Authorization techniques like SFA, MFA, Access controls.

We hope you have understood the critical conceptual differences between Authentication and Authorization by the end of this blog. Happy Learning Ninja!

Was this article helpful ?
0 upvotes

Comments

No comments yet

Be the first to share what you think