8 min read
Authentication vs Authorization
Curious about the difference between authentication and authorization? Discover the key differences between authentication and authorization in this complete guide.

Authentication vs. authorization

Link to this section

In a nutshell, authentication is the process of verifying a user’s identity, while authorization is the process of verifying what the user has access to. Before going deeper into the key differences, it’s important to understand what authentication and authorization are in more depth.

What is authentication?

Link to this section

Think about the first step you take when logging into an app or platform: what do they all have in common? You need to confirm who you are and verify your identity.

Authentication is an integral part of our daily routine. The process involves identifying a user and verifying their credentials, essentially making sure you are who you say you are.

You’re probably familiar with keeping track of passwords, but there are many ways to authenticate access (from one-time passcodes to fingerprint scans and even face ID).

How authentication works

Link to this section

If you’re on the internet, you’re probably very familiar with how authentication works.

You sign up to a platform or an app and you’ll enter your credentials, whether that be an email address or username. You’ll go on to create a password and these details will be saved and stored in a database.

The next time you log in, you’ll be asked to share your credentials which will then be compared to what’s been saved in the database. Once everything matches correctly, you’ll grant access to your account.

The key types of authentication factors

Link to this section

It might sound complex, but authentication factors are essentially different ways to verify a user’s identity.

These factors fall under these core categories:

  • Knowledge factor (a.k.a: Something you know): This factor is the most common. It uses confidential information to authenticate access. This point could be a PIN, username or secret question.
  • Possession factor (a.k.a: Something you have): This is something you would have tangible access to, such as a security token that generates a different code when prompted, a phone to receive a text message or an app that generates a one-time password.
  • Inherence factor (a.k.a: Something you are): The biometric identification layer comes in here, including fingerprint scans, voice or facial recognition and even retina patterns.
  • Location factor (a.k.a: Where you are): This could involve pinging your GPS location or tracking your computer’s network address. This is rarely used as a stand-alone authentication factor but is helpful when it comes to alerting a suspicious log-in.
  • Time factor (a.k.a: When you’re authenticating): Again, this factor will rarely be used as a single means of verification, but will be used in conjunction with other factors to boost security.

Common types of authentication

Link to this section

Authentication works as the most common type of security check online. Whether you enter a password or use a unique one-time code, these both act as a way of confirming your identity and securely accessing your personal information.

There are five common types of authentication:

  • Single-factor authentication (SFA): SFA only requires one set of credentials to access a secure system. This is the most common type of authentication and usually involves a single username and password, making it the weakest form of authentication.
  • Two-factor authentication (2FA): 2FA adds an extra layer of security by requiring two points of authentication. For example, you’ll log in with your usual credentials but will also receive a one-time passcode sent to your phone number.
  • Multi-factor authentication (MFA): MFA provides one of the highest levels of security. You’ll use a combination of multiple authentication factors, from authenticator apps, biometric factors (including fingerprints or face ID scans) and even one-time email codes will be used to verify who you are.
  • One Time Password (OTP): Ever received a randomized code when logging into an app? This is a perfect example of an OTP. By only making these codes valid for a single use, this layer of protection makes it difficult for intruders to slip through the cracks.
  • Passwordless authentication: By bringing MFA together with the security of your personal email address, passwordless authentication allows the user to access their accounts in a simple yet secure way without having to recall a password they’re more than likely forgotten.
  • Single sign-on (SSO): By using your existing credentials to access apps and platforms, you can streamline the login and sign-up experience. For example, you’ll be able to use Facebook, Apple ID or Google credentials to access a multitude of different platforms - no new password or account required.

What is authorization?

Link to this section

So, how does authorization differ from authentication? The two hold two very different and distinct roles. However, they do work hand-in-hand when it comes to different layers of security.

Authorization is all about granting permission. Once you’ve gained access (authentication), you’re authorized to verify access in line with specific policies and tools.

Authentication will always happen before authorization. Once you authenticate your identity, you’ll then be granted authorization to access whatever you might need.

Common types of authorization

Link to this section

There are three common types of different authorization, including:

  • API Keys (a.k.a: Application programming interface): In order to use this type of authorization, you’ll need to sign up for an API key. Essentially, it is a long string of code that is typically included in the URL or header and it is used to identify the person performing the API call.

There are two types of API keys: public and private. A public API key is usually included in the request, whereas a private API key is used for server-to-server communication and is treated like a password.

  • Basic Auth (a.k.a. Basic authorization): Basic Auth is a method for the HTTP user agent to provide a username and password when they’re making a request. This is also known as Base64, which is a coding technique that will turn the login and password into a set of 64 characters to ensure secure transmission.
  • OAuth (a.k.a. Open authorization): OAuth allows third-party services to exchange your information without the user having to provide their credentials. Companies like Facebook, Amazon and Twitter use this type of technology to exchange information about their personal accounts without that added layer of entering their passwords time and time again.

What is the difference between authentication and authorization?

Link to this section
Verifies the identity of the userDetermines what the user can and can’t access
Challenges the user to validate their credentialsVerifies user access through a series of policies and rules
Done before authorizationDone after the user has been successfully verified
Usually transmits through an ID tokenUsually transmits through an access token
Usually governed by Open ID Connect protocolGenerally governed by OAuth framework

To gain a deeper understanding of these two concepts, let’s walk you through how authentication and authorization work in a real-world scenario.

When you’re at the airport, you show your ID to verify your identity (authentication). Then once you’re at the gate you show your boarding pass (authorization) to gain access and board the plane.

What is Identity and Access Management (IAM)?

Link to this section

Identity and access management (IAM) ensures that the right people (identities) can access the tools they need to do their jobs.

Identity management and access systems allow your organization to manage employee apps without the need to log into each app as an administrator. Through this system, you can manage a range of different identities which include people, software and hardware.

IAM relies on authentication and authorization to work hand-in-hand to ensure the right person is granted access to the right resources.

What does IAM do?

Link to this section

Identity management systems generally perform two functions:

  • IAM confirms that the user is who they say they are. This is done by authenticating their credentials against a database. These tools are generally more secure and flexible than the traditional username and password setup.
  • IAM systems grant only the appropriate level of access. IAM allows for a specific amount of access to be granted. For example, it defines which specific documents an employee can access in a shared company drive on the cloud and what level of access they have (such as being an editor vs a viewer of a document).

Authentication at Kinde

Link to this section

At Kinde, we’re making authentication simple and powerful to help companies boost security, drive conversion save money - in just a few minutes.

We’ve made getting set up with Kinde as stress-free and easy as possible. With best-in-class security protocols, an intuitive user-friendly UI that’s built for everyone, and powerful and easy-to-use APIs, we’re here to get you up and running in minutes.

See how Kinde compares to other authentication providers.

Get started now

Boost security, drive conversion and save money — in just a few minutes.