Authentication versus Authorization

Question

What s the difference in context of web applications  I see the abbreviation  auth  a lot  Does it stand for auth-entication or auth-orization  Or is it both

User · Answer

Authentication is a process of verification   user identity in a system username  login  phone number  email     by providing a proof  secret key  biometrics  sms      Multi-factor authentication as an extension  email checking using digital signature About  checksum  Authorization is the next step after Authentication  It is about permissions roles privileges to resources  OAuth  Open Authorization  is an example of Authorization

User · Answer

Imagine that you have registered for a tech conference  You arrive and walk up to the registration table outside to get your conference badge  You have to first show some form of identification  such as a driver s license  Your driver s license identifies you  with your picture  for example  and is distributed by a trusted entity  the DMV   This is authentication  The person hands you your badge  which is red  blue  or green  Walking around inside the conference  some of the exhibits are color-coded  With a green badge  you can enter the green exhibits  but not the blue or red exhibits  The badge is not distributed by the DMV -- rather  it is distributed by the conference itself  to access conference resources inside the conference hall  There is not necessarily anything about the badge that identifies you  it may have your name printed on it  but you can easily borrow your friend s blue badge to visit a blue exhibit -- nobody is going to check your name  just the color blue   The color of your badge grants you access to exhibits  This is authorization

User · Answer

I found the analogy from this article really help me   Consider a person walking up to a locked door to provide care to a pet while the family is away on vacation  That person needs   Authentication is in the form of a key  The lock on the door only grants access to someone with the correct key in much the same way that a system only grants access to users who have the correct credentials  Authorization is in the form of permissions  Once inside  the person has the authorization to access the kitchen and open the cupboard that holds the pet food  The person may not have permission to go into the bedroom for a quick nap    So in short  authentication is about user identity while authorization is about user permission

User · Answer

I prefer Verification and Permissions to Authentication and Authorization   It is easier in my head and in my code to think of  verification  and  permissions  because the two words    don t sound alike don t have the same abbreviation   Authentication is verification and Authorization is checking permission s    Auth can mean either  but is used more often as  User Auth  i e   User Authentication

User · Answer

Adding to  Kerrek s answer   Authentication is Generalized form  All employees can login in to the machine    Authorization is Specialized form  But admin only can install uninstall the application in Machine

User · Answer

Authentication is the process of verifying the proclaimed identity    e g  username password   Usually followed by authorization  which is the approval that you can do this and that     e g  permissions

User · Answer

The confusion is understandable  since the two words sound similar  and since the concepts are often closely related and used together  Also  as mentioned  the commonly used abbreviation Auth doesn t help    Others have already described well what authentication and authorization mean  Here s a simple rule to help keep the two clearly apart         Authentication validates your Identity  or authenticity  if you prefer that    Authorization validates your authority  i e  your right to access and possibly change something

User · Answer

Definitions     Authentication - Are you the person you claim to be       Authorization - Are you authorized to do whatever it is you re trying to do    Example  A web app uses Google Sign-In  After a user successfully signs in  Google sends back    A JWT token  This can be validated and decoded to get authentication information  Is the token signed by Google  What is the user s name and email  An access token  This authorizes the web app to access Google APIs on behalf of the user  For example  can the app access the user s Google Calendar events  These permissions depend on the scopes that were requested  and whether or not the user allowed it    Additionally   The company may have an admin dashboard that allows customer support to manage the company s users  Instead of providing a custom signup solution that would allow customer support to access this dashboard  the company uses Google Sign-In   The JWT token  received from the Google sign in process  is sent to the company s authorization server to figure out if the user has a G Suite account with the organization s hosted domain  email company com   And if they do  are they a member of the company s Google Group that was created for customer support  If yes to all of the above  we can consider them authenticated   The company s authorization server then sends the dashboard app an access token  This access token can be used to make authorized requests to the company s resource server  e g  ability to make a GET request to an endpoint that sends back all of the company s users

User · Answer

In short  please   -      Authentication   login   password  who you are       Authorization   permissions  what you are allowed to do    Short  auth  is most likely to refer either to the first one or to both

User · Answer

Authentication is the process of verifying your log in username and password   Authorization is the process of verifying that you can access to something

User · Answer

As Authentication vs Authorization puts it      Authentication is the mechanism   whereby systems may securely identify   their users  Authentication systems   provide an answers to the questions          Who is the user    Is the user really who he she represents himself to be          Authorization  by contrast  is the   mechanism by which a system determines   what level of access a particular   authenticated user should have to   secured resources controlled by the   system  For example  a database   management system might be designed so   as to provide certain specified   individuals with the ability to   retrieve information from a database   but not the ability to change data   stored in the datbase  while giving   other individuals the ability to   change data  Authorization systems   provide answers to the questions          Is user X authorized to access   resource R    Is user X authorized to   perform operation P    Is user X   authorized to perform operation P on   resource R       See also    Authentication vs  authorization on Wikipedia

User · Answer

Authentication is the process of ascertaining that somebody really is who they claim to be       Authorization refers to rules that determine who is allowed to do what  E g  Adam may be authorized to create and delete databases    while Usama is only authorised to read    The two concepts are completely orthogonal and independent  but both are central to security design  and the failure to get either one correct opens up the avenue to compromise   In terms of web apps  very crudely speaking  authentication is when you check login credentials to see if you recognize a user as logged in  and authorization is when you look up in your access control whether you allow the user to view  edit  delete or create content

User · Answer

I have tried to create an image to explain this in the most simple words  1  Authentication means  Are you who you say you are    2  Authorization means  Should you be able to do what you are trying to do     This is also described in the image below     I have tried to explain it in the best terms possible  and created an image of the same

[security] Authentication versus Authorization

Examples related to security

Examples related to authorization

Examples related to authentication