Authentication vs Authorization
Although they’re often mentioned together, authentication and authorization serve different purposes in security systems.
Authentication (Who are you?)
Authentication is the process of verifying a user’s identity.
Goal: Confirm that the user is who they claim to be.
Examples
- Logging in with username & password
- OTP sent to your phone/email
- Biometric verification (fingerprint, face ID)
- OAuth login (Google, Facebook, GitHub)
📌 Result:
“Yes, you are Marco” / “Yes, you are this user”
Authorization (What can you do?)
Authorization happens after authentication.
It determines what actions or resources a user is allowed to access.
Goal: Control permissions and access rights.
Examples
- Admin can delete users, regular users cannot
- Editor can publish articles, author can only write drafts
- Access to /admin page restricted to admins
📌 Result:
“You are allowed to do this” or “Access denied”
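As an added example (not part of the original post), here are the two steps from the sections above in Python: authenticate() verifies a salted password hash (who are you?), and only then authorize() checks the verified user's role against a permission table built from the post's examples (admin deletes users, editor publishes, author drafts, /admin page for admins). The user store, passwords and role names are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: each user stores a salted PBKDF2 hash and a role.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

USERS = {
    "marco": make_user("correct horse battery staple", "admin"),
    "erin": make_user("editor-pass", "editor"),
    "alice": make_user("author-pass", "author"),
}

# Authorization policy: which roles may perform which action.
PERMISSIONS = {
    "delete_user": {"admin"},
    "publish_article": {"admin", "editor"},
    "write_draft": {"admin", "editor", "author"},
    "view_admin_page": {"admin"},
}

def authenticate(username: str, password: str):
    """Who are you? Returns the verified username, or None on failure."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return username
    return None

def authorize(username: str, action: str) -> bool:
    """What can you do? Only meaningful for an already-authenticated user."""
    role = USERS[username]["role"]
    return role in PERMISSIONS.get(action, set())

def handle_request(username: str, password: str, action: str) -> str:
    """Authentication first; authorization is evaluated only after it succeeds."""
    who = authenticate(username, password)
    if who is None:
        # HTTP calls this 401 "Unauthorized", but it signals a failed authentication.
        return "401 Unauthorized: authentication failed"
    if not authorize(who, action):
        return "403 Forbidden: access denied"
    return f"200 OK: {who} may {action}"
```

Note that a failed login never reaches the permission check, which is the "order" row of the table below in code form.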
Key Differences (Quick Table)
| Feature | Authentication | Authorization |
|---|---|---|
| Purpose | Verify identity | Grant permissions |
| Question | Who are you? | What can you do? |
| Order | First | After authentication |
| Example | Login with password | Access admin dashboard |
| Controlled by | Credentials | Roles, policies, permissions |
Real-World Example
Bank ATM
- Insert card + enter PIN → Authentication
- Withdraw money / check balance → Authorization
In Simple Words
- Authentication = Login
- Authorization = Access level