What do authorization and authentication actually mean?

Perhaps you are not comfortable with either of these two terms, or don’t know much about them other than that they start with the same four letters, “auth”. Well, were you aware that the prefix “auth” is actually Greek for “self”? Both operations refer to being able to do things on one’s own behalf, but there are important distinctions between them that I will break down in plain English.

In the context of programming, authorization refers to checking that a user or entity has the ability to access specific resources based on their permissions.

Authorization is not the same thing as authentication. Authentication refers to a user or entity being able to prove their identity in order to access specific resources.

In as few words as possible:

Authorization — having permission to do something

Authentication — verifying identity in order to do something

What does this mean in terms of authorization? It means that when Adrian, an admin at Company A, tries to look at the Social Security number of Bryn, who works at Company B, Adrian should be prevented from doing so. She is not authorized to perform this action. Adrian can look at Anoushka’s SSN, though, because Anoushka works at Company A as an employee. Only Bryn and admins at Bryn’s company can look at her SSN because that is how the app’s authorization scheme is structured.

When you’re in line to get into the club and have to pull out your driver’s license to verify that you are old enough to enter, that’s a form of authentication.

When a user logs in to Gmail or any other site with a username and password, they are authenticating their identity by entering the correct combination of these fields. This type of authentication rests on the premise that only the user themselves should know their own unique set of inputs, and that providing the proper information is therefore sufficient to allow them to access their profile. Two-factor authentication (or 2FA) is the practice of re-proving identity by entering a code received as a text message, or by some other means of doubly confirming an individual’s credentials, to access their account.

With authorization, a user is simply either allowed to do something or not. With authentication, the user has to prove that they can do something in order to do it. When developing applications, it’s important to ensure that both of these processes are accounted for in order for data to be safely accessible. Users need to confirm that they have access to their accounts before being let in and should not be able to retrieve or edit data that is off limits to them.
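The Company A / Company B scenario above can be written as two separate checks: authentication first, then authorization. This is an added example, not code from the original post. The user table, passwords, function names, and the choice of PBKDF2 for password hashing are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    company: str
    is_admin: bool
    salt: bytes
    pw_hash: bytes

def _hash(password, salt):
    # Assumed scheme: salted PBKDF2-HMAC-SHA256; only the hash is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(name, company, is_admin, password):
    salt = os.urandom(16)
    return User(name, company, is_admin, salt, _hash(password, salt))

# Constructed sample directory mirroring the people in the article.
USERS = {u.name: u for u in (
    make_user("adrian", "A", True, "adrian-pass"),
    make_user("anoushka", "A", False, "anoushka-pass"),
    make_user("bryn", "B", False, "bryn-pass"),
)}

def authenticate(name, password):
    """Authentication: prove identity. Returns the User, or None."""
    user = USERS.get(name)
    salt = user.salt if user else b"\x00" * 16
    digest = _hash(password, salt)  # hash even for unknown names
    if user and hmac.compare_digest(digest, user.pw_hash):
        return user
    return None

def can_view_ssn(requester, target):
    """Authorization: the person themself, or an admin at their company."""
    return requester.name == target.name or (
        requester.is_admin and requester.company == target.company)

def view_ssn(name, password, target_name):
    requester = authenticate(name, password)
    if requester is None:
        return "401 not authenticated"
    target = USERS.get(target_name)
    # Same answer for "no such user" and "not allowed": reveal nothing extra.
    if target is None or not can_view_ssn(requester, target):
        return "403 not authorized"
    return f"200 SSN of {target.name}"
```

Adrian logging in correctly and asking for Bryn's SSN passes the first check and fails the second, which is the distinction the article draws.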
