Toby

Originally published at Medium

Authentication vs Authorization

Authentication and Authorization are two important concepts in our world that sound alike outside the programming world, but they mean different things and serve different purposes. While many non-tech-savvy individuals use them interchangeably, developers, programmers, coders and experts in the cyber-security space could write a book on the differences between these two concepts. Given the high rate of cyber-attacks and data breaches, the need for authentication and authorization has grown in recent times, as organizations and individuals protect access to their data. I am sure we have all heard of one incident or another in which hackers and scammers used other people’s identities to siphon their victims’ bank accounts or use their credit cards for a shopping spree, without the victims knowing about it in real time. Some of us have also experienced it, or know family or friends who have. It’s a common occurrence in our recent reality.

In times past, it was usually the responsibility of cyber-security experts to set these layers of protection on bank accounts, organizational and government data, applications and so on, but now developers and cloud engineers have taken up the task as well, because the rate at which these attacks hit has become worrisome. Different tools such as passwords, fingerprints, one-time passwords (OTP) and facial recognition systems have emerged to reduce the success rate of these cyber-attacks and identity thefts, and to mitigate the risks posed to victims. Here we will talk about Authentication and Authorization, and the roles they play in the web development space.

Authentication: As much as it sounds like its buddy Authorization, Authentication is the first of the two processes, and it must be passed before the other can take place. Authentication is the process of verifying a user through their previously set credentials. These credentials usually come as an email or username and a password. Some applications and websites go further and ask security questions as another level of security before granting access to the user. If the user fails to provide the correct email or username and password, the application can fall back to their previously set security questions, which are usually more personal. In web development, there are several auth() tools used by developers, depending on the type of security they want to set on the application or website. A very popular and efficient means of identifying a user is token-based authentication. In token-based authentication the user sends a request to the authentication provider, which then verifies or denies the user’s identity. If the user’s identity is confirmed, the provider issues them a token that the user presents to get into the application or website; if the identity is not confirmed, the user gets no access to the application.

Several Authentication methods can be used to confirm a user’s identity. Let’s take a look at a few of them.

  1. Token-based authentication: This is a typical developer’s way of securing an application. Here the user is sent an access token after their identity has been verified. The access token allows them entry into the application. A popular tool used for this is the JSON Web Token (JWT).

  2. Username and password: The user needs the correct username and password to access the application.

  3. Two-Factor Authentication: Like the example of the security questions and answers I gave above, if the user’s username and password are not confirmed, or if there are suspicions of some irregularity in the sign-in process, the user may be asked to use their security questions as a means of accessing the application.

  4. One-Time Password (OTP): This is usually linked to the email address or phone number of the user. A one-time PIN or code is sent to the user when they attempt to access the application. If the PIN or code is correct, they are allowed entry into the application.

In a nutshell, Authentication confirms the identity of a user and then grants them access to the application.

Authorization: This process can only take place after the Authentication process. After the user’s identity has been confirmed and they have been granted access to the application, Authorization controls which parts of the application the user can access and which permissions they have. For example, in some organizations a sign on the door of certain offices boldly reads “Only Admin Staffs allowed”. Although a driver is a member of the company’s staff, they do not have access to that office. The driver may have been cleared and allowed entry at the company gate, but they do not have access to the “Only Admin Staffs allowed” office. The same applies to the users of applications, who are not allowed access to every part of the application. Another example is an office application where some staff are given read-only access, while, depending on their level, other staff can be given read-write access.

There are several Authorization methods used for granting permissions to users. Here are a few of them.

  1. OAuth Authorization: OAuth uses authorization tokens to verify identities between users and their service providers, much like an access card works in a more automated organization.

  2. Role-based Access Control: This is a tool that gives users permission and access to information based on their roles in an organization.
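To show the two steps side by side, here is an added example (not code from the original post) that ties together the token-based authentication described earlier and the role-based authorization just listed: credentials are verified, a JWT-style HS256 token is issued, and a separate check decides, from the role in the token, whether the authenticated user may perform an action. The user store, salt, secret and permission table are constructed sample data; a real application would load the secret from configuration and use a per-user salt.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: real code loads this from config
_SALT = b"demo-salt-16byte"          # constructed; real code stores a salt per user

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)

# Constructed user store: salted password hashes plus each user's role.
USERS = {
    "driver": {"hash": _hash("gate-pass"), "role": "driver"},
    "alice":  {"hash": _hash("admin-pw"),  "role": "admin"},
}
# Role-based access control table: which roles may perform which action.
PERMISSIONS = {"read_report": {"admin", "driver"}, "enter_admin_office": {"admin"}}

def authenticate(username, password, now=None):
    """Step 1: verify credentials; on success issue a signed token, else None."""
    user = USERS.get(username)
    if not user or not hmac.compare_digest(user["hash"], _hash(password)):
        return None  # wrong user or wrong password: no token, no access
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": username, "role": user["role"], "exp": now + 3600}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token, now=None):
    """Check the signature and expiry; return the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # tampered header or payload: signature no longer matches
    claims = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None

def authorize(token, action, now=None):
    """Step 2: an authenticated user may still be denied an action by role."""
    claims = verify_token(token, now)
    return bool(claims) and claims["role"] in PERMISSIONS.get(action, set())
```

The driver's token gets them through the gate (a valid token) but not into the admin office (the `enter_admin_office` action), which is exactly the distinction the post draws.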

I hope this article helps clear up the confusion about the differences between these two concepts.

If you think this was helpful, you can Follow me and like the article. It will encourage me to write more articles like this.

Ciao.
