Dan Schnau dot com

Authentication vs Authorization

Authentication and Authorization (AuthN and AuthZ) are terms that refer to discrete, specific concepts that can easily be confused.

Authentication is the process of proving that someone is who they claim to be.

Authorization is the process of granting access to a resource.

For instance, to buy alcohol, I must be at least 21 years old, as per legal requirements. When I try to make the purchase, the sales clerk will likely request my driver's license. By examining the photo on the license and confirming it to be of me, the sales clerk is performing Authentication. I have presented evidence that I am Dan Schnau, and provided a government-issued document with a photograph and other relevant facts, verifying my identity.

However, at this moment, the sales clerk has not allowed me access to the resource- alcohol. After proving my identity, the sales clerk will perform Authorization. The clerk will verify my date of birth on the driver's license, which will enable them to grant access, knowing that I have already proved who I am (via photo ID) and that I am authorized based on my age.

In summary, Authentication verifies identities, and Authorization grants access to resources based on those identities. It is critical to implement both measures for safe systems.