Authentication vs Authorisation, know the difference

Not so long ago I was somewhat uninitiated in the ways of security; it was a time when a colleague had to explain to me the difference between authentication and authorisation. I’ve come a long way since then and I thought it was worth a brief post to clarify the difference, just in case anyone else needs a little help.

Authentication: “prove or show (something) to be true, genuine, or valid.”

In authentication you are proving who you are to whatever system you’re logging in to. This is typically done using your username and password combination, along with any other multi-factor authentication requirements.

Multi-Factor Authentication (MFA) involves proving who you are using multiple “factors”, where the factors available are:

  • Something you know (like a password)
  • Something you have (like a mobile phone to receive PIN codes)
  • Something you are (like a fingerprint or other biometric identification method)

Using more than one factor for authentication is more secure: it provides additional confidence that the user logging on to a system is authentic, because an attacker who has obtained one factor (say, a leaked password) still lacks the others.

Authorisation: “official permission for something to happen, or the act of giving someone official permission to do something”

Authorisation comes after authentication: once the system knows who you are, it can determine what actions you are authorised to perform.

A common example of authorisation is Role Based Access Control (RBAC). In RBAC a user is given one or more roles, and those roles determine what that user is allowed to do. A simple system may define only two roles, User and Administrator, where the Administrator is authorised to perform a different set of actions from a User.
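To make the two steps concrete, here is an added Python example (written for this post, not taken from any library or product) that walks through both: first authentication with two factors (a salted password hash plus an HMAC-derived one-time code standing in for the PIN sent to a phone), then authorisation with the two-role RBAC scheme just described. The user store, the roles, the permission names and the device secrets are all constructed for illustration.

```python
"""Authentication (password + second factor) followed by RBAC authorisation.

Added illustration for this post; every user, role, permission and secret
below is constructed sample data, not a real system's configuration.
"""
import hashlib
import hmac
import os


# --- Authentication: "who are you?" ----------------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the store never holds plain passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, roles: set, device_secret: bytes) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),   # something you know
        "device_secret": device_secret,              # something you have
        "roles": set(roles),
    }


# Constructed user store: one Administrator and one User.
USERS = {
    "alice": make_user("correct horse battery staple", {"Administrator"}, b"alice-device-secret"),
    "bob": make_user("hunter2", {"User"}, b"bob-device-secret"),
}

# Used for unknown usernames so the failure path costs the same as a real check.
_DUMMY_SALT = os.urandom(16)


def one_time_code(device_secret: bytes, counter: int) -> str:
    """Six-digit HMAC-based code (HOTP-like, constructed) from the device's secret."""
    digest = hmac.new(device_secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def authenticate(username: str, password: str, code: str, counter: int):
    """Return the authenticated principal, or None if either factor fails."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)  # equalise timing, then refuse
        return None
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    expected = one_time_code(user["device_secret"], counter)
    if not hmac.compare_digest(expected.encode(), code.encode()):
        return None
    return username


# --- Authorisation: "what may you do?" -------------------------------------

# Roles map to permissions; the Administrator set is a superset of the User set.
ROLE_PERMISSIONS = {
    "User": {"read_document", "edit_own_document"},
    "Administrator": {"read_document", "edit_own_document", "delete_document", "manage_users"},
}


def is_authorised(username: str, action: str) -> bool:
    """True if any of the user's roles grants the action."""
    roles = USERS[username]["roles"]
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def perform(principal, action: str) -> str:
    """Order matters: refuse unauthenticated callers before consulting roles."""
    if principal is None:
        raise PermissionError("not authenticated")
    if not is_authorised(principal, action):
        raise PermissionError(f"{principal} is not authorised to {action}")
    return f"{principal} performed {action}"


if __name__ == "__main__":
    counter = 7
    code = one_time_code(USERS["bob"]["device_secret"], counter)  # what bob's phone would show
    who = authenticate("bob", "hunter2", code, counter)
    print("authenticated as:", who)
    print(perform(who, "read_document"))
    try:
        perform(who, "manage_users")
    except PermissionError as err:
        print("refused:", err)
```

Note that `perform` checks the principal before the role lookup: a request that never got past authentication has no identity to authorise, so it is refused outright rather than falling through to a role check on a missing user.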

That’s it: you authenticate, then you authorise.