IAM Concept of the Week: Authentication versus Authorization

Introducing our new Concept of the Week blog series. Each week we’ll define and explain the significance of a concept in the world of Identity and Access Management.

This week’s post is short but involves two critical and related terms: authentication and authorization. These terms are frequently confused, mainly because they are so closely connected and because the two words look so similar.

Simply stated, authentication is verifying that someone is who they claim to be, while authorization is deciding which resources a user should be able to access and what they should be allowed to do with those resources. (Note: not to be too pedantic, but technically authentication is really validating a credential that has previously been created rather than the actual “identity” of the person. We’ll explore this idea in a later post.) Obviously, before we can authorize a user to access certain resources we first need to be sure that they are who they say they are. Therefore authentication and authorization are inextricably linked.
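As an added illustration (example code, not part of the original post), here is a small Python handler that keeps the two steps separate and in order; the user names, passwords and permission table are constructed for the example:

```python
import hashlib
import hmac
import os

# Constructed sample credential store: username -> (salt, PBKDF2 hash).
# This is the stored record the presented credential is validated against.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ALICE = os.urandom(16)
_SALT_BOB = os.urandom(16)
CREDENTIALS = {
    "alice": (_SALT_ALICE, _hash_password("correct horse", _SALT_ALICE)),
    "bob": (_SALT_BOB, _hash_password("hunter2", _SALT_BOB)),
}

# Constructed permission table: (user, resource, action) tuples that are allowed.
PERMISSIONS = {
    ("alice", "reports", "read"),
    ("alice", "reports", "write"),
    ("bob", "reports", "read"),
}

def authenticate(username: str, password: str) -> bool:
    """Authentication: validate the presented credential against the stored one.
    This proves possession of the credential, not the person's identity."""
    record = CREDENTIALS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes about as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)

def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: decide what an already-authenticated user may do."""
    return (username, resource, action) in PERMISSIONS

def access(username: str, password: str, resource: str, action: str) -> str:
    """Run the two steps in order: permissions are never consulted for an unverified user."""
    if not authenticate(username, password):
        return "401 unauthenticated"   # who the caller is has not been established
    if not authorize(username, resource, action):
        return "403 forbidden"         # caller is verified, but the action is not permitted
    return "200 allowed"
```

The two distinct failure results matter in practice: a 401 says the credential was not validated, a 403 says it was but the requested action is not permitted.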

An often-used analogy to explain the difference between authentication and authorization involves a traveler arriving at passport control in a foreign country. The traveler presents their passport, hoping to gain access to the country. The border control agent reviews the document and accepts that the traveler is who they say they are. Once the traveler has been “authenticated”, they are then “authorized” to enter the foreign country.

Finally, there are a number of important protocols to understand in the world of authentication and authorization. Be sure to read the earlier post in our IAM Concept of the Week blog series entitled SAML, OAuth2 and OpenID Connect.

Further reading

Other blogs in the IAM Concept of the Week series: