Authentication vs. Authorization

A quick take on these two oft-confused words by budding engineers.

First off, welcome to my first ever post. Hooray! I'd like to go through the letters of the English alphabet with each of my posts and naturally, we start with "A". And I got not one, but two of them for ya. Double hooray!

If you're just starting, these two "A" words may sound about the same to you.

They're related but are in fact two distinct stages in getting access to any system.

Authentication (authn for short) comes before authorization (authz for short), even in the English dictionary, so that one's easy to remember.

Authentication is the process of checking whether the user really is who they claim to be. This is usually done with a password, which may be accompanied by one or more other forms of identification, such as biometrics (your fingerprint or your face) or a text sent to your mobile phone.

You may have heard of 2FA, which stands for two-factor authentication, where "factor" refers to the form of identification. If you have exactly one other factor besides the password, then that's 2FA (because the password is counted as one).

2FA is a subset of MFA (multi-factor authentication), which really just means two or more factors. For the life of me, I can't remember having encountered a system that required more than two. Maybe it's just because I've never had to access super-critical highly confidential systems. Thankfully.

Once users pass authentication, their permissions, usually defined by the role assigned to them (admin, regular user, developer, etc.), are checked to make sure that they are indeed allowed to access the system. That second check is authorization.

It's usually more granular than that, especially for bigger applications. A role can dictate which parts of the system a user can access and/or which actions they can take. Some users will have read-only access on certain pages of a Web application, for example.
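To make the two stages concrete, here is an added example (my own illustration, not code from any particular framework) of a request handler that authenticates first and only then authorizes. The user store, the "viewer" and "admin" roles, the resource paths and the static one-time code standing in for a texted/app-generated code are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Stage 1, authentication: does the caller prove they are who they claim to be?
# Constructed user store; a real service would use a dedicated password hasher
# (argon2, bcrypt) rather than calling PBKDF2 directly.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, role, otp_secret=None):
    salt = secrets.token_bytes(16)  # fresh per-user salt
    return {"salt": salt, "hash": _hash(password, salt), "role": role, "otp": otp_secret}

USERS = {
    "alice": make_user("correct horse", "admin", otp_secret="123456"),  # 2FA enrolled
    "bob": make_user("hunter2", "viewer"),                             # password only
}

def authenticate(username, password, otp=None):
    user = USERS.get(username)
    if user is None:
        return False
    # Constant-time comparison so a failed match does not leak how many bytes agreed.
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return False
    # Second factor: only demanded of users who enrolled one (that is what makes it 2FA).
    # The static code is a constructed stand-in for a texted or authenticator-app code.
    if user["otp"] is not None:
        return otp is not None and hmac.compare_digest(otp, user["otp"])
    return True

# Stage 2, authorization: what may an authenticated user do? Permissions hang off the
# role and are granular per resource and action: viewers get read-only on /reports.
PERMISSIONS = {
    "admin": {"/reports": {"read", "write"}, "/users": {"read", "write"}},
    "viewer": {"/reports": {"read"}},
}

def authorize(username, resource, action):
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, {}).get(resource, set())

def handle_request(username, password, resource, action, otp=None):
    if not authenticate(username, password, otp):
        return "401 Unauthorized"  # authn failed: identity not established (HTTP's naming is confusing here)
    if not authorize(username, resource, action):
        return "403 Forbidden"     # authn passed, authz failed: known user, action not permitted
    return "200 OK"
```

Note that a wrong password, a missing second factor and an unknown username all produce the same 401, while a valid login hitting a page the role cannot touch produces 403: the first is an authentication outcome, the second an authorization outcome.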

Authn and authz are just two little concepts in the big world of security. Stay tuned for other security-related topics in the future.