The difference between Authentication and Authorization

In today’s blog post we’re going to shed some light on two often mixed-up technical terms. Although authentication and authorization sound similar, and both are integral to online security, that is where the similarities end. As it turns out, they serve quite different functions.

Let’s dive in.

Authentication definition

Authentication is the process of verifying someone or something to be genuine or valid. In computing terms, this could be a person, process, or device.   

Some real-life examples of authentication in action include going through passport control at an airport, showing a state-issued ID to prove your age, or sharing your driver’s license to confirm that you can drive.

Digitally, authentication can involve entering your username and password in a login form or unlocking your smartphone with a PIN code or fingerprint sensor. These are examples of single-factor authentication. These days two-factor authentication (or 2FA) is commonly used for heightened security.

2FA provides an extra layer of verification beyond simply entering a password before you are permitted to enter an online account. This is especially important when logging into an account that deals with sensitive information, such as online banking. A common 2FA method involves a one-time code being sent to your smartphone either by SMS or through an app. This code is usually entered after you enter your usual username and password.

Authorization definition

Authorization is the process of permitting someone to access something and specifying the type of access privileges and permissions they have.

A real-world example of authorization in action is showing your boarding pass before boarding a plane. Your plane ticket specifies the type of access privileges you have. So, if you have an economy ticket, you are authorized to board the plane, but you are not authorized to enter first class.

In a digital environment, authorization can take many forms. Take, for example, a WordPress site with many users. There are multiple user roles you can assign, such as Super Admin, Administrator, Editor, and Author. Someone in an “Author” role would not have the same kind of permissions to change things on the site as an “Administrator”. A more everyday example is uploading photos to Facebook. You can change the privacy settings so that only your “Friends” or certain friends can see them. Those not on your Friends list are not authorized to see them. Another example is sharing a Google Doc with permissions set to “Read Only”, so that nobody else but the owner is authorized to edit the document.

The difference summed up

Simply put, authentication is about validating your identity, while authorization is concerned with whether or not you’re allowed to have access to something or if you’re permitted to take a certain action. In online security environments, authentication is almost always followed by authorization. Strong implementation methods of both are integral to the overall security of the Internet.
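As an added illustration (not code from the original post), here is a minimal Python request handler that performs the two steps in the order described above: first authentication (is the password right?), then authorization (does this role, for this document, permit the action?). The users, passwords, salt and the subset of WordPress-style roles are constructed for the demo, and the failures are kept separate so that a correct password never by itself grants editing rights.

```python
import hashlib
import hmac

# Constructed demo salt; a real system stores a random per-user salt.
_SALT = b"constructed-demo-salt"

def _hash(password: str, salt: bytes) -> bytes:
    """Password hashing with PBKDF2-HMAC-SHA256 (demo iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store: only password hashes are kept, plus each user's role.
USERS = {
    "alice": {"hash": _hash("correct horse", _SALT), "role": "Administrator"},
    "bob":   {"hash": _hash("hunter2", _SALT),       "role": "Author"},
}

# Role-based permissions modelled on the WordPress roles named in the post.
ROLE_PERMISSIONS = {
    "Administrator": {"read", "edit_own", "edit_any"},
    "Editor":        {"read", "edit_own", "edit_any"},
    "Author":        {"read", "edit_own"},
}

def authenticate(username: str, password: str):
    """Step 1: who are you? Returns the username on success, None on failure."""
    user = USERS.get(username)
    if user is None:
        _hash(password, _SALT)  # do the same work for unknown users (timing)
        return None
    if hmac.compare_digest(_hash(password, _SALT), user["hash"]):
        return username
    return None

def authorize(username: str, action: str, doc_owner: str) -> bool:
    """Step 2: what may you do? Decided from the role and who owns the document."""
    perms = ROLE_PERMISSIONS[USERS[username]["role"]]
    if action == "read":
        return "read" in perms
    if action == "edit":
        return "edit_any" in perms or ("edit_own" in perms and doc_owner == username)
    return False  # unknown actions are denied by default

def handle_request(username: str, password: str, action: str, doc_owner: str) -> str:
    """Authentication always precedes authorization, and each can fail on its own."""
    who = authenticate(username, password)
    if who is None:
        return "401 unauthenticated"
    if not authorize(who, action, doc_owner):
        return "403 forbidden"
    return "200 ok"
```

Note that `bob` with the right password still gets `403 forbidden` when editing `alice`'s document: being authenticated says nothing about what he is authorized to do.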
