DEV Community

Khalif AL Mahmud
Khalif AL Mahmud

Posted on

Authentication vs Authorization — "Who Are You?" vs "What Can You Do?"

If you've ever built a login system, or even just used one as a regular internet user, you've interacted with authentication and authorization dozens of times without necessarily separating the two in your head. They usually happen back to back, which is probably why people mix them up so often. But they're solving two completely different problems.

Authentication: confirming who you are

Authentication is the process of confirming who a user actually is. It verifies the identity of the person trying to access a system, before anything else happens.

Common examples of authentication:

  • Usernames and passwords
  • Fingerprints
  • Face recognition
  • One-Time Passwords (OTP)

Whenever you type in a password or scan your face to unlock an app, that's authentication doing its job — proving that you are, in fact, who you claim to be.

Authorization: deciding what you're allowed to do

Authorization happens after authentication. Once the system knows who you are, authorization determines what resources or actions you're actually allowed to access.

A good example: after logging into a university portal, a student can view their grades but cannot modify them. An administrator, on the other hand, can manage student records entirely. Both the student and the administrator went through the same authentication process — logging in — but what they're allowed to do afterward is governed entirely by authorization.

The order matters

This is the part that trips people up: authentication always comes first, and authorization comes second. A system needs to know who you are before it can decide what you're permitted to do. You can't authorize an unknown identity.

A simple way to remember it

  • Authentication answers: "Who are you?"
  • Authorization answers: "What are you allowed to do?"

Why this distinction matters in real security work

A lot of real-world security incidents happen because these two get conflated or implemented sloppily. A system might correctly verify who someone is (strong authentication) but fail to properly restrict what they can do afterward (weak authorization) — which is how a regular logged-in user sometimes ends up able to access admin-level functions just by guessing a URL or manipulating a request.

Strong security needs both pieces working correctly, and independently. Nailing authentication but neglecting authorization (or vice versa) leaves a gap that attackers actively look for.

Top comments (0)