Authentication v/s Authorization — What’s the difference?

Abdul Samad Shaikh
3 min read · Nov 19, 2024


In back-end and API development, we need to know whether the client we are serving, or are about to serve, is someone who has the privilege to view or modify a given resource on our server. For this reason we have security mechanisms that, whenever a request arrives, help us identify who we are communicating with and decide whether we should be doing so at all.

Authentication

If you’ve ever tried to sign into a website, it asks for a few details, one of which is sure to be your password. This is done to make sure that it is indeed *you* trying to sign in and not an impersonator. That is pretty much what authentication is: the server verifies that you really are who you claim to be before granting you access to your account.

Now, a server may have multiple layers of authentication checks before it grants you access to an account. Let’s go over them.

2FA (2-Factor Authentication)

2FA is a type of authentication where, in addition to providing your password, you need another piece of evidence to prove ownership of an account. You may register an email address or phone number when you create your account, and every time you try to authenticate, the API verifies that it is really you through that email or phone number, either by sending a one-time password that you need to enter or an authentication link that you need to open.
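The one-time-password path described above, as an added example that is not part of the original post: the server issues an unpredictable code, delivers it out of band, and accepts it only once, only before it expires, and only within a bounded number of guesses. The five-minute lifetime, the five-attempt limit and the `OtpService` name are assumptions made for this illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # code lifetime; five minutes is an assumed value
MAX_ATTEMPTS = 5        # assumed guess limit before the code is invalidated


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """Second authentication factor: a one-time password sent by email or SMS."""

    def __init__(self, now=time.time):
        # the clock is injectable so expiry can be tested without sleeping
        self._now = now
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, user_id: str) -> str:
        # secrets, not random: a guessable code defeats the second factor
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingOtp(code, self._now() + OTP_TTL_SECONDS)
        # the code goes to the mail/SMS sender, never back to the HTTP client
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        pending = self._pending.get(user_id)
        if pending is None:
            return False                      # nothing was issued (or already consumed)
        if self._now() > pending.expires_at:
            del self._pending[user_id]        # expired codes are discarded, not retried
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: force a fresh code
            return False
        ok = hmac.compare_digest(pending.code, submitted)  # constant-time comparison
        if ok:
            del self._pending[user_id]        # single use
        return ok
```

The guess limit matters because a six-digit code has only a million values; without it, expiry alone is not enough to stop an online brute-force attempt. `hmac.compare_digest` avoids leaking how many leading digits matched through timing.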

[Image: Failing an authentication check]

[Image: Multi-factor authentication]


Authorization

After successful authentication, we still need to check whether a user is allowed to perform a certain action or not. By definition:

Authorization is the process of assigning access rights and privileges to someone.

For example, in most countries, civilians are not allowed onto a military base without proper authorization; they simply don’t have the privilege to do so. In other words, they are unauthorized to perform the action of entering a military base.

Role-based authorization

Role-based authorization is the most basic method of authorization. We assign a role to every user in our system, and depending on those roles, we permit or deny a particular request. For example, in an e-commerce application, we may have three roles: User, Seller and Admin.

A User would have the authority to browse and buy products, save them to their wish-lists, share products, etc.

A Seller would have the authority to do everything a User can do, with the added privileges of adding and removing products, etc.

And finally, the Admin could be someone who’d have the authority to do many other things such as remove products that are offensive, ban users, etc.
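The three-role scheme above as an added example, not code from the original post: each role maps to a set of permitted actions, the check denies anything not explicitly granted, and a request handler runs authentication before authorization so that the two failures are reported separately (401 versus 403). The action names, the `Seller` inheriting the `User` permissions and the `Admin` inheriting both are assumptions based on the post's description.

```python
from enum import Enum


class Role(Enum):
    USER = "user"
    SELLER = "seller"
    ADMIN = "admin"


# Permission sets per role. Action names are constructed for this example.
USER_PERMS = frozenset({"browse_products", "buy_product", "save_wishlist", "share_product"})
SELLER_PERMS = USER_PERMS | {"add_product", "remove_own_product"}
ADMIN_PERMS = SELLER_PERMS | {"remove_any_product", "ban_user"}

ROLE_PERMISSIONS = {
    Role.USER: USER_PERMS,
    Role.SELLER: SELLER_PERMS,
    Role.ADMIN: ADMIN_PERMS,
}


def is_authorized(role: Role, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions get no access."""
    return action in ROLE_PERMISSIONS.get(role, frozenset())


def handle_request(user: dict, action: str) -> tuple[int, str]:
    """Authentication decides *who* is calling; authorization decides *what* they may do.

    `user` is the session record the authentication layer produced, e.g.
    {"authenticated": True, "role": Role.SELLER} (constructed shape).
    """
    if not user.get("authenticated"):
        return 401, "authentication required"   # identity not established
    if not is_authorized(user["role"], action):
        return 403, "forbidden"                 # identity known, privilege missing
    return 200, f"{action} ok"


if __name__ == "__main__":
    print(handle_request({"authenticated": True, "role": Role.USER}, "ban_user"))
    print(handle_request({"authenticated": True, "role": Role.ADMIN}, "ban_user"))
```

The order of the two checks is the practical point of the post: an unauthenticated request must never reach the authorization step, because there is no identity yet to look up a role for, and an authenticated but unprivileged request must be refused with a decision that does not depend on the client's claims.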

Authentication vs. Authorization — Conclusion

Often, the terms authentication and authorization are confused with each other and used interchangeably, but they are two very different things.

Authentication is the process of determining whether a person is who they claim to be.

Authorization is the process of determining whether a person is allowed to perform a particular action.

We can ask ourselves these questions to help understand them better:

Authentication: Q. Are you really X? Prove it.
Authorization: Q. Are you allowed to do X?


Written by Abdul Samad Shaikh

Passionate software developer. Deeply enthusiastic about teaching others and learning. github.com/schmeekygeek