Authentication vs. Authorization

These two fundamental concepts play a pivotal role in ensuring the integrity and security of digital systems.

While these terms are often used interchangeably, they represent distinct and equally essential aspects in the world of identity and access management (IAM), which safeguards sensitive information and resources .

Executive summary

Authentication confirms that users are who they say they are. Authorization gives those users permission to access a resource.

The relationship between authentication and authorization is symbiotic. Authentication precedes authorization, as it’s imperative to confirm an entity’s identity before permitting or denying access.



Authentication: Proving Identity

Authentication is the process of verifying the identity of a user, system, or entity attempting to access a particular resource, system, or network.

It aims to answer the fundamental question: “Who are you?” and “Are you who you say you are?”.

In other words, the purpose of authentication is to ensure that the entity requesting access is indeed who they claim to be.

A successful authentication process provides a digital identity, often represented by a username or user ID, that can be used for subsequent authorization.

For answering these questions, authentication typically relies on one or more factors, categorized as:

  1. Something you know: This factor involves information only the user should know, such as a password, PIN, or passphrase.
  2. Something you have: This includes possession of a physical object like a smart card, token, or mobile device.
  3. Something you are: Also known as biometrics, this factor uses unique physical or behavioral attributes like fingerprints, retinal scans, or voice recognition.


Authorization: Granting Permissions

Authorization takes place after a successful authentication.

Authorization is the process of determining what a user, system, or entity can do after they’ve been authenticated.

It answers the question: “What are you allowed to do?”.

To implement this, authorization is typically implemented through access control policies, which dictate which actions a user is allowed to perform, what data they can access, and the extent of their privileges.

Access control decisions can be based on various factors, including user roles, permissions, and the context in which a request is made.


Have a look for more demystifying terms:

Demystifying cybersecurity terms: Policy, Standard, Procedure, Controls, Framework, Zero Trust



The post Authentication vs. Authorization first appeared on Sorin Mustaca on Cybersecurity.