Authentication vs Authorisation, know the difference

Authentication vs Authorisation is one of the real basics of security. We've all got to start somewhere!


Not so long ago I was somewhat uninitiated in the ways of security; it was a time when a colleague had to explain to me the difference between authentication and authorisation. I’ve come a long way since then and I thought it was worth a brief post to clarify the difference, just in case anyone else needs a little help.

Authentication: “prove or show (something) to be true, genuine, or valid.”

In authentication you are proving who you are to whatever system you’re logging in to. This typically uses your username and password combination, along with any other multi-factor authentication requirements.

Multi-Factor Authentication (MFA) involves proving who you are using multiple “factors”, where the factors available are:

  • Something you know (like a password)
  • Something you have (like a mobile phone to receive PIN codes)
  • Something you are (like a fingerprint or other biometric identification method)

Using more than one factor for authentication is more secure because it provides additional confidence that the user logging on to a system is authentic.

Authorisation: “official permission for something to happen, or the act of giving someone official permission to do something”

Authorisation comes after authentication: once the system knows who you are, it then knows what actions you are authorised to perform.

A common example of authorisation is Role Based Access Control (RBAC). In RBAC a user is given one or more roles and those roles determine what that user is allowed to do. A simple system may define only two roles, User and Administrator, where the Administrator is authorised to perform a different set of actions to a User.
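The two steps as separate checks, in an added example that is not code from the original post: a password check (authentication) followed by a role lookup (authorisation) for the two-role system described above. The account names, passwords, permission names and the use of HTTP-style 401/403 results are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Role names come from the post; the permission names are constructed for this example.
ROLE_PERMISSIONS = {
    "User": {"read_report"},
    "Administrator": {"read_report", "delete_user"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": roles}


# Constructed sample accounts.
USERS = {
    "alice": make_user("correct horse battery staple", {"Administrator"}),
    "bob": make_user("tr0ub4dor&3", {"User"}),
}
DUMMY = make_user("unused", set())  # hashed for unknown usernames so timing stays similar


def authenticate(username: str, password: str):
    """Authentication: who are you? Returns the username, or None on failure."""
    record = USERS.get(username, DUMMY)
    candidate = hash_password(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time comparison
    return username if ok and username in USERS else None


def authorise(username: str, permission: str) -> bool:
    """Authorisation: do this authenticated user's roles grant the action?"""
    roles = USERS[username]["roles"]
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def handle_request(username: str, password: str, permission: str) -> int:
    user = authenticate(username, password)
    if user is None:
        return 401  # not authenticated: the system does not know who this is
    if not authorise(user, permission):
        return 403  # authenticated, but the roles do not grant the action
    return 200
```

The distinction shows up in the failure cases: a wrong password stops at the first check, while a valid User asking for an Administrator action passes the first check and is refused by the second.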

That’s it: you authenticate, then you authorise.

Got a comment or correction (I’m not perfect) for this post? Please leave a comment below.
