Authentication vs Authorization
Authentication and authorization are popular terms in modern computer systems that often confuse people. Both of these terms are related to security; often, people think about them (and even use them) interchangeably. However, as you will learn as you read on, authentication and authorization have different meanings and applications.
If you are in a hurry, you can jump right to the Authentication vs. Authorization section at the bottom of this article. But, if you would like to learn more about these subjects, read through the next sections. There, you will briefly touch on two topics:
What is Authentication?
What is Authorization?
As well as understanding what it means to authenticate or authorize, you will read about their differences and similarities. In the end, you will also learn how Auth0 manages authentication and authorization.
What is Authentication?
Authentication is the process of confirming the identity of a user or a device (i.e., an entity). During the authentication process, an entity usually relies on some proof, called an authentication factor, to authenticate itself. For example, if you go to the bank and try to withdraw money from your account, the clerk might ask you for an identity document to check who you are. Along the same lines, if you buy a flight ticket, you might need to use a passport to prove you are the person entitled to use that ticket before hopping on the plane. Both examples illustrate real-life situations where an authentication process takes place to confirm your identity (making you an authenticated user).
In a digital transaction, for example, when you try to access your Facebook profile or your company webmail client, a similar process happens. In these situations, instead of presenting an ID, a passport, or similar, you usually prove your identity by showing the system that you know something (like a username and password) or that you own a device (like a mobile phone on which you can receive an SMS with a code). After presenting this knowledge or proving that you control a particular device, the targeted system recognizes your identity and lets you access it. In this scenario, the authenticated user uses authentication factors to prove their identity. A single factor can be used on its own (single-factor authentication), or several can be combined in two-factor or multi-factor authentication.
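As an added illustration (not code from the original article or from Auth0), here is a minimal Python verifier that combines the two kinds of factor described above: something you know (a password, stored only as a salted hash) and something you have (a short-lived one-time code delivered out of band, such as by SMS). It also shows two details the prose does not: the code is single use and expires, and both comparisons are constant-time. The class name, the PBKDF2 parameters and the five-minute code lifetime are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed parameters for this example (not from the article).
PBKDF2_ITERATIONS = 200_000
CODE_LIFETIME_SECONDS = 300


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: derive a salted hash so the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Authenticator:
    """Verifies a knowledge factor and, when required, a possession factor."""

    def __init__(self, password: str, require_second_factor: bool):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.require_second_factor = require_second_factor
        self.pending_code = None  # (code, expiry timestamp) or None

    def send_code(self, now: float) -> str:
        """Possession factor: issue a one-time code to the enrolled device.
        Returning it here stands in for the SMS delivery in the article."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_code = (code, now + CODE_LIFETIME_SECONDS)
        return code

    def check_password(self, password: str) -> bool:
        candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.password_hash)  # constant-time

    def check_code(self, code: str, now: float) -> bool:
        if self.pending_code is None:
            return False
        expected, expires_at = self.pending_code
        self.pending_code = None  # single use: consumed whether or not it matches
        return now <= expires_at and hmac.compare_digest(code, expected)

    def authenticate(self, password: str, code: Optional[str], now: float) -> bool:
        """Knowing the password alone is not enough when a second factor is required."""
        if not self.check_password(password):
            return False
        if not self.require_second_factor:
            return True
        return code is not None and self.check_code(code, now)
```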