While they are often spoken of as if they are the same thing by non-tech types, authorization and authentication are not interchangeable. They are, in fact, two distinct steps in the process of granting access to digital resources. In this post, we'll examine authorization vs authentication and explain how they work both separately and together to ensure that users only have access to resources they need access to.
Authentication is the process of validating that a user is who they claim they are. It is the first step in granting access to digital resources.
Confirming a user’s identity is typically done using one or more of the following authentication factors / credentials:
And what that basically is, is the system challenging that person to identify themselves using some credential information, and in return back, your application gets some sort of token or a signature that verifies they are who they say they are. Along with that, you get some profile information, such as an email address and a profile picture. You can then use all that information inside of your system to make decisions around whether that user can do something.
Whichever approach is used, the goal is to make the user prove they are who they claim to be. If they cannot satisfy the system’s authentication needs, they are denied access, and authorization becomes a moot point.
Once a user’s identity has been verified they are allowed access to the system. Once inside, the system scrutinizes their permissions and decides which resources they will be able to interact with and in what ways. Simply put - are you allowed to do a certain thing inside of a system based on who you are?
Authorization is that business logic, those rules that you may have written up in a spreadsheet, or a Gist, or just in the back of your head as you're building a system, and it's the thing that decides that this type of user can do this certain action inside of the application.
For instance, some users may be authorized to read but not edit or download certain files. While others may be authorized to manipulate or use those same files as they see fit. In other cases, one user may be authorized to create folders and move files around, while another is not.
In any secure system, authentication always precedes authorization. So, using an ATM interaction as an example, the bank customer will always be asked to authenticate their identity via a username and password before they will be authorized to withdraw funds, view balances or transfer money from one account to another.
Understanding the difference between authorization and authentication is vital if you are to protect your organization’s data from breaches and misuse.
Aspect | Authentication | Authorization |
---|---|---|
Definition | Validates that a user is who they claim to be. It is the first step in accessing a system. | Determines what resources a user can access and what actions they can perform once their identity has been authenticated. |
Purpose | To verify identity using credentials like passwords, biometrics, or OTPs. | To grant or deny permissions to perform specific actions within a system based on rules or roles. |
How It Works | Requires users to present evidence of their identity through one or more methods. | Evaluates user permissions based on their authenticated role or attributes within the system. |
Tools Used | Username/password combinations, biometric scans, one-time PINs, digital certificates. | Access control lists (ACLs), role-based access control (RBAC), attribute-based access control (ABAC), and so on. |
Dependency | Independent process usually required at the beginning of a session. | Depends on successful authentication; can't occur unless the user is first authenticated. |
Outcome | Authentication tokens or sessions that signify the user's identity has been verified. | Access to specific resources like files or databases, and permissions to read, edit, or delete data based on user roles and policies. |
Security Focus | Focuses on ensuring that users are who they say they are before gaining any access to the system. | Focuses on ensuring that authenticated users are only able to perform actions that they are permitted to, according to security policies. |
Here are some example scenarios to help further illustrate the difference between authentication and authorization.
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team