Authentication vs Authorization

Authentication and authorization are popular terms in modern computer systems that often confuse people. Both of these terms are related to security; often, people think about them (and even use them) interchangeably. However, as you will learn as you read on, authentication and authorization have different meanings and applications.

If you are in a hurry, you can jump right to the Authentication vs. Authorization section at the bottom of this article. But, if you would like to learn more about these subjects, read through the next sections. There, you will briefly touch two topics:

• What is Authentication?

• What is Authorization?

As well as understanding what it means to authenticate or authorize, you will read about their differences and similarities. In the end, you will also learn how Auth0 manages authentication and authorization.

What is Authentication?

Authentication is the process of confirming the identity of a user or a device (i.e., an entity). During the authentication process, an entity usually relies on some proof to authenticate itself, i.e. an authentication factor. For example, if you go to the bank and try to withdraw money from your account, the clerk might ask you for a user identity document to check who you are. Along the same lines, if you buy a flight ticket, you might need to use a passport to prove you are the person entitled to use that ticket before hopping on the plane. Both examples illustrate real-life situations where authentication processes take place to confirm your identity (authenticated user).

In a digital transaction, for example, when you try to access your Facebook profile or your company webmail client, a similar process happens. In these situations, instead of presenting an ID, a passport, or similar, you usually prove your identity by showing the system that you know something (like a username and password) or that you own a device (like a mobile phone so you can receive an SMS with a code). After presenting this knowledge or proving that you control a particular device, the targeted system recognizes your identity and lets you access it. In this scenario, the authenticated user uses authentication factors to prove their identity. These factors can be single, two-factor authentication, or multi-factor authentication.

What is Authorization?

In contrast to authentication, authorization refers to the process of verifying what resources entities (users or devices) can access, or what actions they can perform, i.e., their access rights. 

For a concrete example, imagine a situation where you buy a ticket for a show. In this case, more often than not, the establishment will not be interested in your identity (i.e., who you are). What they care about is whether you are authorized or not to attend the show. To prove that you have the right to be there, instead of using an ID or a passport, you would use a ticket.

Often, the ticket that authorizes you to attend the show does not contain any information about your identity. However, even if it includes information about your identity, it is not what is verified in the authorization process.

In internet-based software applications, a common approach is to use artifacts called tokens to handle authorization. Typically, once a user is signed in, applications start caring about what they can do. In this scenario, this leads to the creation of a token that carries authorization details based on the user identity. The system uses this authorization token to make authorization decisions; this grants or prevents a request to access resources.

Authentication vs. Authorization

Although the sections above can shed light on what authentication and authorization stand for, the definition and usage of these terms may frequently overlap (which may be the root cause of the overall confusion about them). For example, in the bank scenario, the user identity presented to the clerk is also used to authorize access to the funds in your account. 

In a similar scenario, a company that requires badges to control access between rooms uses these badges to both authenticate the person (name and picture) and to authorize access.

So you see, authentication and authorization are topics that seem to be interchangeable in certain scenarios; it is this that causes confusion. 

However, the important point is that authentication leads to authorization, but authorization does not lead to authentication.

Whilst proof of identity may be enough to grant access rights (i.e., to be authorized to achieve something), having authorization not always can be used to identify an entity.

For example, a boarding pass authorizes you to get on the plane, and it also contains data about your identity. So, it allows the crew to know your name. However, a ticket to attend a show might not include identity details. It simply proves that you have the right to join the show, nothing else.

In summary:

• Authentication is the act of identifying a user or a device.

• Authorization is the act of allowing or denying users and devices access rights.

• Authentication can be used as a factor in authorization decisions.

• Authorization artifacts might not be useful to identify users or devices.