Authentication and Authorization
Authentication means confirming your own identity, while authorization means granting access to the system. In simple terms, authentication is the process of verifying who you are, while authorization is the process of verifying what you have access to. The two terms are often used together when discussing security. The two concepts are completely orthogonal and independent, but both are central to security design. In web applications, very crudely speaking, authentication is when you check login credentials to decide whether you recognize a user as logged in, and authorization is when you look up in your access control whether you allow that user to view, edit, delete or create content.
Authentication
Authentication is about validating your credentials, such as a user name, user ID and password, to verify your identity. The system determines whether you are who you say you are based on your credentials. In public and private networks, the system authenticates the user's identity via login passwords. Authentication is usually done with a username or email and a password, sometimes combined with additional authentication factors, which are the different ways a user can be authenticated. A user's identity can be established by what they know, what they have, or what they are. When it comes to security, at least two, or all three, of these authentication factors must be verified in order to grant someone access to the system.
For example, when you insert your ATM card into the machine, it asks you to enter your PIN. After you enter the PIN correctly, the bank confirms that the card really belongs to you and that you are its rightful owner. By validating your PIN, the bank verifies your identity; this is authentication. It merely establishes who you are, nothing else.
Authorization
Authorization, on the other hand, occurs after your identity has been successfully authenticated by the system, and it grants you permission to access resources such as information, files, databases, funds, locations, almost anything. In simple terms, authorization determines whether you may access the system and to what extent. Once your identity has been verified through successful authentication, you are then authorized to access the resources of the system.
Authorization usually comes after authentication and confirms what you are permitted to do. In simple terms, it is like giving someone official permission to do something.
For example, verifying employees' IDs and passwords in an organization is authentication, but determining which employee has access to which place is authorization.
Access to a system is protected by both authentication and authorization. An attempt to access the system may be authenticated by entering valid credentials, but it is only accepted after successful authorization. If the attempt is authenticated but not authorized, the system denies access.
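The two-step check described above (verify who the user is, then look up what they may do) in working form. This is an added example, not code from the original article; the user store, the salted PBKDF2 password hashes, the role-based ACL and the 401/403 status codes are all constructed for illustration.

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: per-user salt, password hash and role.
_SALT_ALICE = b"constructed-salt-alice"
_SALT_BOB = b"constructed-salt-bob"
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash("alice-pw", _SALT_ALICE), "role": "editor"},
    "bob":   {"salt": _SALT_BOB,   "hash": _hash("bob-pw", _SALT_BOB),     "role": "viewer"},
}

# Constructed access-control table: the actions each role may perform on content.
ACL = {
    "viewer": {"view"},
    "editor": {"view", "create", "edit"},
    "admin":  {"view", "create", "edit", "delete"},
}

def authenticate(username: str, password: str):
    """Authentication: who are you? Returns the user record, or None on failure."""
    user = USERS.get(username)
    # Hash even for unknown users so a missing account costs the same as a wrong password.
    salt = user["salt"] if user else b"constructed-dummy-salt"
    expected = user["hash"] if user else _hash("", salt)
    ok = hmac.compare_digest(_hash(password, salt), expected)  # constant-time compare
    return user if (ok and user) else None

def authorize(user: dict, action: str) -> bool:
    """Authorization: what may you do? Looks the action up in the role's ACL entry."""
    return action in ACL.get(user["role"], set())

def handle_request(username: str, password: str, action: str) -> int:
    """Authenticate first, then authorize; deny if either step fails."""
    user = authenticate(username, password)
    if user is None:
        return 401  # identity not established
    if not authorize(user, action):
        return 403  # authenticated, but not authorized for this action
    return 200      # both checks passed

if __name__ == "__main__":
    print(handle_request("alice", "alice-pw", "edit"))    # 200
    print(handle_request("bob", "bob-pw", "edit"))        # 403: known user, not permitted
    print(handle_request("bob", "wrong-pw", "view"))      # 401: credentials rejected
```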