loading...

AUTHeNtication VS AUTHoriZation

caffiendkitten profile image DaNeil Coulthard Updated on ・2 min read

I decided to write this small post up because I get AUTHeNtication and AUTHoriZyr ation confused a lot and want to help make it more clear for anyone else struggling.


Authentication and authorization are two related words that are often used interchangeably, but mean different things and have very functionality within a system.

Alt Text(4)

Authentication (Auth-N)

Authentication is the act of validating that users are who they claim to be.

Validating authenticity can be accomplished by having something physical like a key card, by having a user login with passwords or 2FA, utilizing Captcha tests, or even biometrics for a user.

Authentication is used in conjunction with authorization usually as it is important to authenticate that a user is who they say they are before giving the authorization.

Authorization (Auth-Z)

Authorization is a process of giving a user permission to access a specific resource(s) or function(s).

Authorization levels are the difference between a general user and an admin user. An admin user will have more abilities that a general user and it is important to authorize the rolls properly to ensure general users don't accidently, or intentionally, harm a system.

Keep in mind that authentication is not 100% needed to gain authorization. This depends on the system and what information/abilities the systems has if it needs different levels of authorization and where authentication is needed.

Think about a blogging platform...
-Everyone should have access to read public posts.
-Users should need to authenticate themselves as users to post a blog and not post as someone else.
-Admins should need a different level of authorization, after they authentication themselves, to monitor the platform, the associated database, and its users activity.
In this case authentication is needed before authorization is given to ensure users can't post a blog as a different user and users can't modify things like admins.


Happy Hacking

References

  1. Security+ cert book
  2. Web Application Hackers Handbook
  3. https://auth0.com/docs/authorization/concepts/authz-and-authn
  4. https://www.ssl2buy.com/wiki/authentication-vs-authorization-whats-the-difference
Please Note that I am still learning. If something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Discussion

pic
Editor guide
Collapse
talldad profile image
John Angelico

Good, clear distinction - well said.

On authorization, I suggest thinking about admins and support people being NOT authorized to change data or transactions posted by regular users.

In some situations, that level of permission may be appropriate but it's worth thinking about.

I have worked in financial services (as lead user, primary on-site support person, and liaison with software techs) where internally changing data is a serious business. Therefore, the system/s we worked with deliberately precluded making data changes other than via the normal user-facing software.

Collapse
sirseanofloxley profile image
Sean Allin Newell

+1 for bepop gif. #classic

The Authentication + Authorization confusion happens to me too, because a lot of people throw around auth and it can be impossible to know which one they mean.

👏👏

Collapse
wparad profile image
Warren Parad

I thought it could be valuable to link an analogy to authn versus authz. I pulled it from this article

When speaking about authentication (also called AuthN), think about identity. Authentication tries to answer “is this person who they say they are?” It’s a software equivalent of a passport or national ID check. Or to put it in more realistic terms, authentication is a similar process to that moment when you look at another person’s face to recognize that this is your friend from college and not your annoying second floor neighbor.


On the other hand, authorization (also called AuthZ) is all about permissions. Authorization answers a question “what is this person allowed to do in this space?” You can think of it as your house key or office badge. Can you open your front door? Can your annoying neighbor enter your apartment at will? And more, once in your apartment, who can use the toilet? Who can eat from your secret stash of cookies tucked away in your kitchen cupboard?

Collapse
sxync profile image
SaiKumar Immadi

Simple yet useful

Collapse
learttmorina profile image
Leart Morina

So useful content, I was struggling with this.

Collapse
mhsangar profile image
Mario Sánchez García

Always cool to see something simple and useful!