Authorization VS Authentication


What Is Authentication?

Authentication is the act of validating that users are who they claim to be. This is the first step in any security process.

What Is Authorization?

Authorization in system security is the process of giving the user permission to access a specific resource or function. This term is often used interchangeably with access control or client privilege.

Which Comes First, Authentication or Authorization?

Authentication and authorization both rely on identity. As you cannot authorize a user or service before identifying them, authentication always comes before authorization.

Access Control vs. Authentication?

People often use the terms access control and authorization interchangeably. Although many authorization policies form part of access control, access control is a component of authorization. Access control uses the authorization process to either grant or deny access to systems or data. In other words, authorization defines policies on what a user or service may access. Access control enforces these policies.

If we compare authentication and access control, the comparison between authentication and authorization still applies. Authentication verifies the user’s identity, and access control uses this identity to grant or deny access.

| Authentication | Authorization |
|---|---|
| Determines whether users are who they claim to be | Determines what users can and cannot access |
| Challenges the user to validate credentials (for example, through passwords, answers to security questions, or facial recognition) | Verifies whether access is allowed through policies and rules |
| Usually done before authorization | Usually done after successful authentication |
| Generally transmits info through an ID Token | Generally transmits info through an Access Token |
| Generally governed by the OpenID Connect (OIDC) protocol | Generally governed by the OAuth 2.0 framework |
| Example: Employees in a company are required to authenticate through the network before accessing their company email | Example: After an employee successfully authenticates, the system determines what information the employee is allowed to access |
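The ordering described above (authentication first, then an authorization decision, enforced by access control at the point of use) as a small added example; this is illustrative code written for this page, not code from any product or library it mentions. The user store, the permission names such as `email:read`, and the `POLICY` table are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed user store: username -> (salt, PBKDF2 hash of the password).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Constructed authorization policy: which permissions each identity holds.
POLICY = {"alice": {"email:read", "email:send"}}

@dataclass(frozen=True)
class Identity:
    username: str  # the only fact that authentication establishes

class AuthError(Exception):
    """Raised when the caller's identity could not be established."""

class AccessDenied(Exception):
    """Raised when an authenticated identity lacks the required permission."""

def authenticate(username: str, password: str) -> Identity:
    """Step 1 (authentication): verify the user is who they claim to be."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\0" * 16)  # keep timing similar for unknown users
        raise AuthError("invalid credentials")
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        raise AuthError("invalid credentials")
    return Identity(username)

def is_authorized(identity: Identity, permission: str) -> bool:
    """Step 2 (authorization): the policy decision for this identity."""
    return permission in POLICY.get(identity.username, set())

def access(identity: Optional[Identity], permission: str, resource: str) -> str:
    """Access control: enforce the policy where the resource is used."""
    if identity is None:
        # No identity means no policy lookup at all: authentication comes first.
        raise AuthError("authentication required")
    if not is_authorized(identity, permission):
        raise AccessDenied(f"{identity.username} lacks {permission}")
    return f"{identity.username} performed {permission} on {resource}"
```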