Authentication vs Authorization: What’s the Difference?
They sound similar, but they’re fundamentally different.
So, what’s the difference between the two? Consider boarding a flight. In order to board a plane, you’ll need to successfully make it through the gauntlet of the airport’s authentication and authorization procedures. It’s worth noting that the processes in an airport often combine both authorization and authentication together, but we’ll do our best to illustrate the difference through two specific examples.
The first part of the process is to enter a queue for the security line. After entering the correct airport terminal building, you’d locate your gate, walk to it and begin the first of the two steps:
Authentication
The very first step that occurs, just before going through security at an airport, is authentication. You furnish your identification and boarding pass and present it to the line attendant. The attendant scans your boarding pass and your identification and ensures that you are who you are.
At this point, the agent is checking to ensure that your boarding pass is valid and that your form of identification is valid, both of which are required to prove that you’re the same person that is on your identification and boarding pass.
The goal of this step is to ensure that you are who you say you are, and the TSA uses multi-factor authentication to perform this task; they inspect your supplied form of identification combined with your boarding pass. At this point, the folks at the airport don’t know whether you’re able to sit in economy class, business class, or first class, or whether you’re able to access the executive lounge – but they know that you are who you are and that you’re able to be in the airport.
This step is like logging in to an application – submitting your boarding pass and identification is like submitting your username and password – once submitted and verified, the application can know that you are indeed who you say you are. The application doesn’t know what you’re able to do yet – if you’re able to simply make posts or if you can also access an admin area – but it knows that you’re a valid user.
Once through the authentication step and through security, you walk over to your gate until the airline employees begin to announce over the loudspeaker, “now boarding for flight 123 to Honolulu….”
Authorization
At your gate, you listen to the announcer begin to call the passengers by group. “Those in first class can now begin boarding.” This process can be thought of as authorization. For example, if you stand in that line and don’t have a first-class ticket, you’ll be denied entry until it is your turn. You’re authorized for one seat, and that seat does not grant you the ability to enter the line for the plane at that point. The attendant doesn’t need to know who you are at that point – they can simply look at your boarding pass, which also has your seat row and number on it – the required information for this step.
The seat number indicated on your boarding pass also does not allow you to sit in the front of the plane. If you try to sit in a different seat, especially if you don’t have a first-class ticket and you try to sit in first class, you’ll be asked to leave and to sit in your seat. This can also be thought of as the process of authorization. The flight attendants are ensuring that those with authorization to do so can sit in the upgraded seats.
Similarly, your application might have the concept of upgraded seats, or perhaps an admin area, which would be akin to an airplane’s cockpit. Only authorized users should be able to access those areas. Furthermore, let’s consider a situation where you have a highly privileged account for Service A and want to use that account to log into Service B. You probably would not want to give Service B permission to perform the highly privileged functions from Service A. You might want to only give Service B access to your email address. That would be authorization’s concern. This would be like a pilot boarding a plane as a civilian – they wouldn’t have access to the cockpit because they wouldn’t be there in a formal capacity and wouldn’t have authorization to enter.
Why Are Authorization and Authentication Important?
A web application, when faced with a request, needs to answer the question “what is the true identity of the actor making this request?” This question is arguably the most important question that a web application has to answer and drives the authentication process.
Similarly, modern web applications demand granular access to resources. Our modern culture encourages sharing, and sharing demands limits on access to sensitive resources. For example, if you use Facebook to sign into another site, you probably wouldn’t want to authorize that site to read your DMs. The OAuth protocol allows applications to define those permissions in a way that’s clear to everyone involved – the application developers and the users. OAuth is the web’s version of the TSA – but far more effective.
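The login step, the admin-area check, and the “Service B only gets your email address” case above map onto three separate functions in code. The following is an added example, not code from the original post: it uses a constructed in-memory user store, hypothetical permission names (`post:create`, `admin:view`) and hypothetical OAuth-style scope names (`email`, `messages:read`). Authentication answers only “who is this?”; authorization consults the authenticated identity’s roles; delegated access to a third party is limited by the scopes on the token, regardless of how privileged the user is.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    password_hash: bytes
    roles: frozenset


def make_user(username: str, password: str, roles) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt), frozenset(roles))


# Constructed sample users (not real accounts). Alice is an admin, Bob is not.
USERS = {
    "alice": make_user("alice", "correct horse battery staple", {"member", "admin"}),
    "bob": make_user("bob", "hunter2", {"member"}),
}


# --- Step 1: authentication. "Are you who you say you are?" ---------------
def authenticate(username: str, password: str):
    """Return the User on a valid username/password pair, else None.

    Like the ID check at security, this says nothing about what the
    user may do afterwards; it only establishes identity.
    """
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user.salt)
    if hmac.compare_digest(candidate, user.password_hash):
        return user
    return None


# --- Step 2: authorization. "Is this identity allowed to do that?" --------
# Hypothetical permission names mapped to the roles that hold them.
PERMISSIONS = {
    "post:create": {"member", "admin"},
    "admin:view": {"admin"},  # the "cockpit": admins only
}


def is_authorized(user, permission: str) -> bool:
    """Deny by default: an unauthenticated caller or an unknown permission fails."""
    if user is None:
        return False
    return bool(user.roles & PERMISSIONS.get(permission, set()))


# --- Delegated access: what Service B is allowed to see -------------------
@dataclass(frozen=True)
class AccessToken:
    subject: str
    scopes: frozenset


def issue_token(user: User, granted_scopes) -> AccessToken:
    """Issue a token for a third party carrying only the scopes the user granted.

    The token does not inherit the user's roles; an admin who grants only
    "email" gives Service B nothing but the email scope.
    """
    return AccessToken(user.username, frozenset(granted_scopes))


def token_allows(token: AccessToken, scope: str) -> bool:
    return scope in token.scopes


def handle_request(username: str, password: str, permission: str) -> str:
    """Combine both steps the way a web request handler would."""
    user = authenticate(username, password)
    if user is None:
        return "401 unauthenticated"
    if not is_authorized(user, permission):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    print(handle_request("bob", "hunter2", "post:create"))   # 200 ok
    print(handle_request("bob", "hunter2", "admin:view"))    # 403 forbidden
    print(handle_request("bob", "wrong", "post:create"))     # 401 unauthenticated
    service_b = issue_token(USERS["alice"], {"email"})
    print(token_allows(service_b, "email"), token_allows(service_b, "messages:read"))
```

Note the two different failure responses in `handle_request`: a bad password fails authentication (the identity is unknown), while a valid member asking for the admin area fails authorization (the identity is known, but the seat is not theirs). Keeping the two checks in separate functions makes it harder to accidentally let a successful login stand in for a permission check.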
It’s worth noting that the processes of authentication and authorization in web apps, like the same processes in an airport, are often deeply connected. Authorization often doesn’t make sense without authentication. Authentication is useless without authorization. Both are concepts that must work in concert to deliver a functional application.
want to learn more?
i stream on twitch @malgasm and i tweet at @malgasmtv
come say hi!
updated 4.18.2022
Application Security, Software Engineering