Is there a difference between authentication and authorization?

Backend · unresolved · 17 answers · 2304 views

囚心锁ツ 2020-12-04 06:38

I see these two terms bandied about quite a bit (specifically in web-based scenarios but I suppose it's not limited to that) and I was wondering whether or not there was a

17 answers
  • 2020-12-04 06:48

    I have tried to create an image to explain this in the most simple words

    1) Authentication means "Are you who you say you are?"

    2) Authorization means "Should you be able to do what you are trying to do?".

    This is also described in the image below.

  • 2020-12-04 06:52

    Authentication:

    It is the process of validating if an identity is true or false. In other words, verifying that a user is indeed the one he or she claims himself/herself to be.

    Authentication types:

    1. Username + password type of authentication
    2. Authentication using social accounts
    3. Passwordless authentication
    4. Multifactor authentication
    5. Fingerprint- or retina-based authentication, etc.

    OpenID is an open standard for authentication.

    Authorization

    The technique that determines which resources are accessible to a user with a given identity or role.

    OAuth is an open standard for authorization.

  • 2020-12-04 06:54

    There is indeed a fundamental difference. Authentication is the mechanism whereby systems may securely identify their users. Authentication systems seek to provide answers to the questions:

    • Who is the user?
    • Is the user really who they claim / represent to be?

    Authorization, by contrast, is the mechanism by which a system determines what level of access a particular (authenticated) user should have to resources controlled by the system. For an example that may or may not be related to a web-based scenario, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

    • Is user X authorized to access resource R?
    • Is user X authorized to perform operation P?
    • Is user X authorized to perform operation P on resource R?

    Steve Riley has written a quite good essay on why they must remain distinct.

  • 2020-12-04 06:55

    Authentication refers to verifying an entity's identity. Authorization deals with what an authenticated entity is allowed to do (e.g. file permissions).

  • 2020-12-04 06:57

    If I can log-in, my credentials are verified and I am AUTHENTICATED. If I can perform a particular task I am AUTHORIZED to do so.

  • 2020-12-04 06:57

    Authentication verifies who you are and Authorization verifies what you are authorized to do. For example, you are allowed to log in to your Unix server via an ssh client, but you are not authorized to browse /data2 or any other file system. Authorization occurs after successful authentication.

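A worked example, added here and not taken from any answer in the thread, of the two separate gates the answers above describe: the "is the user really who they claim to be?" check of the database answer and the "logged in over ssh but not allowed to browse /data2" situation of the last one. The user names, passwords, roles and the (role, operation, resource) policy table are constructed for illustration; the password hashing uses PBKDF2-HMAC from Python's standard library, and a constant-time compare so a wrong password does not leak timing information.

```python
"""Authentication ("who are you?") kept separate from authorization ("what may you do?").

Added example, not code from the original thread. Users, passwords and the
policy table below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset[str]


def _make_user(name: str, password: str, roles: set[str]) -> User:
    salt, digest = hash_password(password)
    return User(name, salt, digest, frozenset(roles))


# Constructed user store (hypothetical names and passwords).
USERS = {
    "alice": _make_user("alice", "correct horse battery staple", {"analyst"}),
    "bob": _make_user("bob", "hunter2", {"dba"}),
}

# Constructed authorization policy as (role, operation, resource) triples,
# mirroring "is user X authorized to perform operation P on resource R?".
# An analyst may read but not change data; a dba may do both; nobody may drop.
POLICY = {
    ("analyst", "read", "db:sales"),
    ("dba", "read", "db:sales"),
    ("dba", "write", "db:sales"),
}


def authenticate(username: str, password: str) -> Optional[User]:
    """Return the User if the credentials are valid, otherwise None.

    The KDF is run even for unknown usernames so response time does not reveal
    whether an account exists, and the digests are compared in constant time.
    """
    user = USERS.get(username)
    salt = user.salt if user else b"\x00" * 16
    expected = user.pw_hash if user else b"\x00" * 32
    _, candidate = hash_password(password, salt)
    if user is not None and hmac.compare_digest(candidate, expected):
        return user
    return None


def authorize(user: User, operation: str, resource: str) -> bool:
    """Policy decision for an already-authenticated principal; never touches credentials."""
    return any((role, operation, resource) in POLICY for role in user.roles)


def handle_request(username: str, password: str, operation: str, resource: str) -> str:
    """Two distinct outcomes for two distinct failures.

    HTTP calls the first one "401 Unauthorized" for historical reasons; it is
    really an authentication failure. 403 is the genuine authorization refusal.
    """
    user = authenticate(username, password)
    if user is None:
        return "401 Unauthorized"  # identity could not be established
    if not authorize(user, operation, resource):
        return "403 Forbidden"  # identity is fine, policy says no
    return f"200 OK: {user.name} may {operation} {resource}"


if __name__ == "__main__":
    print(handle_request("alice", "correct horse battery staple", "read", "db:sales"))
    print(handle_request("alice", "correct horse battery staple", "write", "db:sales"))
    print(handle_request("bob", "wrong password", "read", "db:sales"))
```

The point the thread makes shows up in the return values: alice with the right password gets 200 for a read and 403 for a write (authenticated, not authorized), while bob with the wrong password gets 401 before the policy table is ever consulted. Keeping the two decisions in separate functions is what lets you swap the credential mechanism (password, MFA, OpenID) without touching the policy, and change the policy without touching credential handling.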