What is the difference between authentication and authorization?

Question

Accepted Answer

**Authentication** verifies **who you are** (identity), while **authorization** determines **what you're allowed to do** (permissions). They're distinct but related — authentication comes first (prove identity), then authorization (check permissions). Confusing them is a common mistake.

## Authentication — who are you?

```text
AUTHENTICATION (AuthN) verifies IDENTITY — confirming you are who you claim to be:
  → login with credentials (password), tokens, biometrics, multi-factor (MFA)
  → "Prove you are Ann" → the system confirms your identity
→ answers: WHO are you?
```

## Authorization — what can you do?

```text
AUTHORIZATION (AuthZ) determines PERMISSIONS — what an authenticated user is allowed to do:
  → can this user access this resource? perform this action? (roles, permissions)
  → "Ann is authenticated, but is she allowed to delete this record?"
→ answers: what are you ALLOWED to do?
```

## The relationship and order

```text
1. AUTHENTICATION first → establish WHO you are (log in)
2. AUTHORIZATION next → check what you're ALLOWED to do (per request/action)
→ You must be authenticated before authorization is meaningful (know who, then what they can do).
→ Both are needed: authenticated but unauthorized (logged in, but can't do X) is common.
```

## Common mistakes

```text
⚠️ Confusing the two (they're different concerns)
⚠️ BROKEN ACCESS CONTROL (authorization flaws) → a TOP vulnerability (OWASP #1):
   → not checking authorization properly → users access/modify what they shouldn't
   → e.g. changing an ID in a URL to access another user's data (IDOR)
→ Always enforce authorization on the SERVER for every protected action.
```

## Why it matters

Understanding the difference between authentication and authorization is fundamental because they're **core security concepts central to access control**, and confusing them is a common, consequential mistake, so it's essential security knowledge.

The distinction — **authentication verifies who you are** (identity, via login/credentials/MFA) while **authorization determines what you're allowed to do** (permissions, checking access to resources and actions) — is fundamental to how applications control access, and understanding it clearly is necessary for building secure systems.

Understanding the **relationship and order** (authentication first to establish identity, then authorization to check permissions per action, with both needed — an authenticated user can still be unauthorized for specific actions) clarifies how they work together in access control.

Critically, understanding the **common mistakes** is important: confusing the two concepts, and especially **broken access control** (authorization flaws — OWASP's #1 risk) where authorization isn't properly checked, letting users access or modify what they shouldn't (like the IDOR vulnerability of changing an ID in a URL to access another user's data).

The guidance to **always enforce authorization on the server for every protected action** is essential security practice — a common real vulnerability is failing to properly check authorization, or relying on the client to enforce it.

Since access control (authentication + authorization) is fundamental to application security and confusing or mishandling these concepts leads to serious vulnerabilities (especially broken access control, the top risk), and since understanding the distinction, their order, and the common authorization mistakes is essential for building secure systems, understanding authentication vs authorization is essential, foundational security knowledge — core concepts for access control that every developer must understand clearly, central to building secure applications and to avoiding the broken-access-control vulnerabilities that are among the most common and serious security flaws.