Authorization vs authentication | How they differ

Published by Alex Olivier on April 01, 2024
Authorization vs authentication | How they differ

While they are often spoken of as if they are the same thing by non-tech types, authorization and authentication are not interchangeable. They are, in fact, two distinct steps in the process of granting access to digital resources. In this post, we'll examine authorization vs authentication and explain how they work both separately and together to ensure that users only have access to resources they need access to.

What is authentication?

Authentication is the process of validating that a user is who they claim they are. It is the first step in granting access to digital resources.

Confirming a user’s identity is typically done using one or more of the following authentication factors / credentials:

  • Password & username: Everyone is familiar with this as it is by far the most common method of authenticating someone’s identity. 
  • Biometrics: This is becoming an increasingly common method of authenticating a person’s identity. Common biometrics include fingerprints and retinal scans.
  • On time PIN or OTPs: If you’ve ever forgotten your password and tried to access an email or other account the provider will typically send a one time PIN, usually something like a unique 6 digit code, to your mobile phone which you then use to verify your identity.

And what that basically is, is the system challenging that person to identify themselves using some credential information, and in return back, your application gets some sort of token or a signature that verifies they are who they say they are. Along with that, you get some profile information, such as an email address and a profile picture. You can then use all that information inside of your system to make decisions around whether that user can do something.

Whichever approach is used, the goal is to make the user prove they are who they claim to be. If they cannot satisfy the system’s authentication needs, they are denied access, and authorization becomes a moot point.

What is authorization?

Once a user’s identity has been verified they are allowed access to the system. Once inside, the system scrutinizes their permissions and decides which resources they will be able to interact with and in what ways. Simply put - are you allowed to do a certain thing inside of a system based on who you are?

Authorization is that business logic, those rules that you may have written up in a spreadsheet, or a Gist, or just in the back of your head as you're building a system, and it's the thing that decides that this type of user can do this certain action inside of the application.

For instance, some users may be authorized to read but not edit or download certain files. While others may be authorized to manipulate or use those same files as they see fit. In other cases, one user may be authorized to create folders and move files around, while another is not.

Authentication before authorization

In any secure system, authentication always precedes authorization. So, using an ATM interaction as an example, the bank customer will always be asked to authenticate their identity via a username and password before they will be authorized to withdraw funds, view balances or transfer money from one account to another.

Understanding the difference between authorization and authentication is vital if you are to protect your organization’s data from breaches and misuse.

Authentication vs authorization examples

Authentication vs Authorization
Aspect Authentication Authorization
Definition Validates that a user is who they claim to be. It is the first step in accessing a system. Determines what resources a user can access and what actions they can perform once their identity has been authenticated.
Purpose To verify identity using credentials like passwords, biometrics, or OTPs. To grant or deny permissions to perform specific actions within a system based on rules or roles.
How It Works Requires users to present evidence of their identity through one or more methods. Evaluates user permissions based on their authenticated role or attributes within the system.
Tools Used Username/password combinations, biometric scans, one-time PINs, digital certificates. Access control lists (ACLs), role-based access control (RBAC), attribute-based access control (ABAC), and so on.
Dependency Independent process usually required at the beginning of a session. Depends on successful authentication; can't occur unless the user is first authenticated.
Outcome Authentication tokens or sessions that signify the user's identity has been verified. Access to specific resources like files or databases, and permissions to read, edit, or delete data based on user roles and policies.
Security Focus Focuses on ensuring that users are who they say they are before gaining any access to the system. Focuses on ensuring that authenticated users are only able to perform actions that they are permitted to, according to security policies.

Here are some example scenarios to help further illustrate the difference between authentication and authorization.

Online banking

  • Authentication: A user logs in using their username and password, or perhaps through a biometric fingerprint scan.
  • Authorization: Once logged in, the user can only view account balances and transaction history, but cannot transfer funds unless specifically granted the privilege.

Work email

  • Authentication: An employee accesses their email using a one-time PIN sent to their mobile device.
  • Authorization: Depending on their role, the employee might have the authority to send emails on behalf of a department, or only view and send emails from their personal account.

Cloud storage service

  • Authentication: Users sign in with a username and password combination. Second-factor authentication might be required for new devices.
  • Authorization: Some users are authorized to upload and delete files, while others can only view and download them based on their assigned roles.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team