Authentication vs. Authorization: What’s the Difference?

by Jake Wengroff

Authentication and authorization seem very similar and are often used interchangeably. Unfortunately, these two terms are quite different, and it’s important to understand this distinction when setting up and administering access control systems within an enterprise.

What Is Authentication?

Authentication is the process by which a system or application confirms the identity of a user. As the initial step in the identity verification and access control process, the user typically presents physical or nonphysical evidence (information) to the authentication platform. These can be divided broadly among the following types of information:

What the User Has: The possession of a physical object, such as a key, keycard, key fob, or swipe card.

What the User Knows: Information that only the user would know, including a password, passcode, personal identification number (PIN), date of birth, Social Security number or other personally identifiable information (PII).

Who the User Is: Biometrics, or the use of an index finger, thumb, hand, voice, retina, face or another unique physical identifier to gain access to a resource. The physical attribute must match what was used at the time of the user’s enrollment in the system.

Passwords are generally the most common — and oldest — authentication factor. If the password exactly matches the password created by either the user or the system, the system assumes validity and grants access.

Other information-based authentication processes are also gaining in popularity. One is the one-time PIN or temporary password generated by the system. It gives a user access to a single or temporary session that expires after a set amount of time.

Another way to confirm user identity is through an authentication application, usually on the user’s mobile device, that generates temporary security codes that grant access to another website or service.

Two-factor authentication (2FA) and multi-factor authentication (MFA) are also increasingly being deployed across enterprises to increase security beyond the level provided by passwords alone. These processes require the successful verification of at least one modality before granting access to a system. For example, 2FA could ask a user to provide both a password and the temporary PIN sent to the user’s mobile device.

What Is Authorization?

Authorization is the process of giving a user permission to access a physical location or information-based resource (e.g., a document, database, application or website).

Though authorization is used synonymously with authentication, doing so is erroneous: Authentication occurs first, followed by authorization. Users need to prove their identities first before a system can permit them to enter.

However, “permission” is a broad term. A user may pass authentication procedures and be granted access to a system, but that does not mean that that user can access all the components of an application or service.

Specific permissions must be defined by the organization that allowed them access. Permissions are what a user is able to see or do on a website or inside an application. Without these specific permissions, every user would have access to the same information or features.

As such, permissions and restrictions — and their proper administration — are critical to an organization’s security, and even profitability, for several reasons, including the following:

Preventing a User From Accessing Another Customer’s Account

This is perhaps the most important reason why permissions and authorization are necessary. For example, a customer can log in to their bank account via the bank’s website or mobile application. Although the bank has allowed the user to enter the system, the bank also needs to authorize the user’s permissions. Otherwise, the user would have access not only to their own account but also to every other account in the system. Permissions ensure users can access only the information they need.

Blocking Free Accounts From Receiving Premium Features and Benefits

Permission levels restrict free users of a software-as-a-service (SaaS) site, such as a newspaper with gated content or an online collaboration platform, from gaining access to premium features. Permissions need to be implemented so that users only have access to the features they paid for. Without restrictions in place, there would be revenue loss for the organization.

Ensuring Zero Crossover Between External Client Accounts and Internal Employee Accounts

Permissions also separate internal users from external ones. While both employees and customers can be allowed to use a company’s website, employees should have access to data and systems that customers should not. In the same vein, certain employees should not have access to important client information. As such, the organization must create different levels of authorization for each employee.

Setting the right permission and authorization levels is as equally important as selecting the right combination of authentication factors. In fact, proper authorization can reduce the damage that can occur in a data breach. For example, if a cybercriminal successfully gains access to an employee’s account — i.e., the hacker has been authenticated based on the employee’s credentials — but the employee is not authorized to access customers’ banking or credit card information, then the harmful effects of the breach could be lessened.

Further, authorizations make employees more productive. If employees have the correct level of access to the files and programs they need to carry out their work, they do not have to constantly ask their managers or IT for access. They will also not be distracted or overwhelmed by files and programs they do not need.

The Solution to Your Access Control Needs

Authentication and authorization are separate but related steps in the user access provision process. The Migus Group can help you implement or redesign the privileged access management (PAM) policies within your organization. Whether you’re just starting out or your PAM has been in place for years, The Migus Group can advise on strategies to strengthen your organization’s security posture while reducing complexity.


Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, he covers such topics as security, mobility, e-commerce and the Internet of Things.