Home/Glossary/Authentication vs Authorization

Authentication vs Authorization

Authentication verifies who you are, while authorization determines what you can do.

Identity & Access ManagementAlso called: "authn authz", "authentication authorization"

These two security concepts work together but serve different purposes.

Authentication (AuthN)

  • Question: Who are you?
  • Methods: Passwords, biometrics, tokens, certificates.
  • Result: Verified identity (you are User123).
  • Examples: Login, SSO, MFA.

Authorization (AuthZ)

  • Question: What can you do?
  • Methods: Roles, permissions, ACLs, policies.
  • Result: Access decision (you can read but not write).
  • Examples: RBAC, ABAC, OAuth scopes.

Flow

  1. User requests access.
  2. System authenticates user (login).
  3. System checks authorization (permissions).
  4. Grant or deny access.

Real-world analogy

  • Authentication: Showing ID at airport security.
  • Authorization: Boarding pass determines which gate/seat.

Common mistakes

  • Confusing the two terms.
  • Authorization without authentication.
  • Hardcoding permissions (should be dynamic).
  • Insufficient access controls.

Standards

  • OAuth 2.0: Authorization framework.
  • OpenID Connect: Authentication layer on OAuth.
  • SAML: Enterprise SSO.
  • JWT: Token-based auth/authz.

Related Tools

Explore More Identity & Access Management

View all terms

FIDO2

An open authentication standard that enables passwordless and phishing-resistant login using hardware security keys or platform authenticators.

Read more →

Identity and Access Management (IAM)

The policies and technologies used to verify identities, govern permissions, and log access across systems.

Read more →

Kerberos

A network authentication protocol that uses secret-key cryptography and trusted third parties to verify user and service identities without transmitting passwords.

Read more →

LDAP (Lightweight Directory Access Protocol)

An open, vendor-neutral protocol for accessing and maintaining distributed directory services over a network.

Read more →

Multi-Factor Authentication (MFA)

An authentication method that requires users to provide two or more verification factors to gain access.

Read more →

OAuth (Open Authorization)

An open standard for delegated access authorization that allows applications to access user resources without exposing credentials.

Read more →
Back to glossary