Authentication vs Authorization

Did you know that authentication and authorization do not mean the same thing? Oh! That's probably why you're here. Think about it: despite the number of articles on this topic, many developers still struggle to distinguish between the two terms. By the end of this article, you'll be able to tell authentication and authorization apart and even explain the difference to others using several day-to-day analogies.

Authentication

As its name implies, authentication validates the identity of an entity: it proves that a person is who they claim to be. In technology, you encounter authentication when logging in to your favourite application. By entering your email and password in the input boxes provided, you prove that you, and not someone else, are the one trying to access the app. If someone obtains your email and tries to access your account without your password, that person is denied entry, meaning they are unauthenticated. Authorization, conversely, builds on authentication and cannot exist without it.

Authorization

This is the access or permission you are granted after being authenticated. Still using the favourite-app analogy: you can access your dashboard, track your progress, and make changes to your profile in the settings. All these operations result from the access (authorization) you get after your identity is validated (authentication).

To understand better, let's use Grammarly as an analogy. Grammarly is an app popular among writers of all kinds. It helps you edit, paraphrase, correct grammatical errors, and even adjust the tone of your content to its purpose. Grammarly has free and premium versions. To use the free version, all you need to do is log in (authenticate), and you have access to its free features, such as error correction and a single tone adjustment. The premium version adds advanced error correction and more tone adjustments. As a free user, you are not authorized to use the premium features until you pay. Once you pay, you are permitted to use all the features; once your subscription expires, you lose that access again and are back on the free version.
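As an added example (not Grammarly's code, nor part of the original article), here is how a web app might keep the two steps separate in Python: authentication checks a password against a salted hash, and authorization then decides, per feature, whether the authenticated user's current tier allows it. The user records, feature names and tiers are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Passwords are never stored in clear text: keep a random salt plus a slow
# PBKDF2 hash, and compare hashes in constant time (hmac.compare_digest).
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(email, password, tier, premium_until=None):
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "pw_hash": hash_password(password, salt),
            "tier": tier, "premium_until": premium_until}

# Fixed clock so the example is deterministic; user store is constructed sample data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = {
    "free@example.com": make_user("free@example.com", "correct horse", "free"),
    "paid@example.com": make_user("paid@example.com", "battery staple", "premium",
                                  NOW + timedelta(days=30)),
    "lapsed@example.com": make_user("lapsed@example.com", "tr0ub4dor", "premium",
                                    NOW - timedelta(days=1)),
}
# Access-control policy: each feature and the lowest tier allowed to use it.
FEATURE_TIER = {"error_correction": "free", "tone_adjustment": "free",
                "advanced_correction": "premium", "multi_tone": "premium"}

def authenticate(email: str, password: str):
    """Authentication: prove the caller is who they claim to be. Returns the user record or None."""
    user = USERS.get(email)
    if user is None:
        return None
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    return user

def effective_tier(user: dict, now: datetime) -> str:
    """A premium tier only counts while the subscription is current."""
    if user["tier"] == "premium" and user["premium_until"] and user["premium_until"] > now:
        return "premium"
    return "free"

def is_authorized(user, feature: str, now: datetime = NOW) -> bool:
    """Authorization: given an already authenticated user, may they use this feature?"""
    if user is None:  # never authenticated, so never authorized
        return False
    required = FEATURE_TIER.get(feature)
    if required is None:  # unknown feature: deny by default
        return False
    return required == "free" or effective_tier(user, now) == "premium"
```

A caller that was never authenticated (`None`) is never authorized, and an expired premium subscription silently drops the user back to the free tier, mirroring the Grammarly analogy above.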

Let's break it down with a simpler analogy. Your friend invites you to his house. When you get there, you ring the doorbell, and through the camera, security is unable to identify you as a familiar visitor. You are asked to prove your identity and say whom you are looking for. You mention your friend's name, and security calls him to the camera room to identify you, which he does. Voila! You are authenticated, and the gate opens automatically. Your friend comes outside to meet you, and with his thumb on the fingerprint scanner, you both gain entrance to the sitting room (another level of authentication). In the sitting room, your friend tells you, "Make yourself at home." Taking his statement literally, you start moving around and checking out the rooms. Most doors are open, so you enter, look around, take pictures, and move on to the next. On the third floor, you come across a room tagged "Master's Bedroom", and like the sitting-room door, it has a fingerprint scanner. While you're marvelling at the aesthetics of the door, you imagine how the room might look, and your curiosity grows. After looking for you in the sitting room, where he meant to entertain you for a while, your friend finds you in front of the Master's bedroom. Your first request is to see its interior, but your friend refuses. "Access is limited to family members alone," he tells you (you're unauthorized here) and drags you to his room to play PS5 (you're authorized here). After a while, you bid your friend farewell and leave.

In this analogy, you encountered two authentication steps (comparable to 2FA in software engineering terms), authorization (for the rooms you entered), and restricted access (the Master's bedroom).

Conclusion

Authentication and authorization are not restricted to these analogies; they encompass more complex concepts in programming terms. Authentication includes user identification, credential verification, biometrics, single-factor authentication, 2FA, and MFA, among many others, while authorization defines access-control operations. However, this article aims to present a basic idea of these two terms, authentication and authorization, using familiar analogies to get you started. In a real-world scenario, to implement these concepts in your application, you'll need a thorough understanding of their inner layers. In my next article, I'll explore the subconcepts of authentication and authorization mentioned above and explain all they entail.

Reach out to me on Twitter if you need help with web development or technical writing.