Defining Authentication vs Authorization
In terms of security, authentication and authorization are two extremely important topics. Although both terms may seem similar, they have two very distinct meanings. However, in many cases, they both work in conjunction with one another when it comes to granting a user access to a system and allowing them to perform an action.
In this guide, we'll clear up any confusion about the differences between authentication vs authorization and provide examples of use-cases where you might see each.
Authentication
Authentication is the process of verifying who you are. It is used in content management systems, banking systems, personal computer systems, and so on: basically, anything that requires the user to provide login credentials of some sort (e.g. a username and password).
There are also more advanced ways to go about the authentication process. For instance, certain login forms require that you supply an additional piece of personal information, such as the answer to a question like "What city were you born in?", or that you use two-factor authentication. Furthermore, high-security authentication methods may require that you provide a fingerprint or eye scan in order to gain access.
Example of authentication
Since WordPress is the most used CMS in the world, let's use it to exemplify authentication. If you've ever set up a WordPress site or been a contributor to one, you'll know all about the WordPress admin login page. Basically, most WordPress sites are configured so that when a user goes to https://www.example.com/wp-admin they'll land on the login page.
From there, the user must provide a username and password in order to gain access to the backend dashboard of that particular site.
If the username or password is not correct, then that user will not be authenticated and will not be given access to the dashboard. This is a basic form of authentication, and it keeps unauthenticated users from gaining access to your site's backend systems.
Authorization
Authorization is the process of determining whether or not you have permission to perform a certain action. Assigning certain permissions to certain users based on their experience, area of expertise, etc., is crucial in minimizing any unforeseen alterations. In the real world, a bank teller with minimal experience will not have the authorization to transfer large sums of money; instead, they must request assistance from their manager or supervisor in order to complete the transaction.
Example of authorization
To show an example of how authorization works, let's take another look at the WordPress CMS. When you log in to the WordPress dashboard, you'll see an option on the left-hand sidebar called Users. This feature lets you define which users you want to give access to the backend of your site as well as which permissions they should have.
In the screenshot above, you can see that this WordPress site has two users: one with the Author role and one with the Administrator role. The roles they have been assigned determine what they can do within the dashboard. For instance, an author is only allowed to write posts and add media to those posts; they are not allowed to edit backend files, add new plugins, or add new users. Administrators, however, have the authorization to do all of those things and more.
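To make the two steps from the login and Users examples above concrete, here is an added illustration (not code from the article or from WordPress itself): a login check answers "who are you?", and only then does a role-to-capability lookup answer "may you do this?". The user store, passwords and role table are constructed for the example; the capability names are borrowed from WordPress's Author and Administrator roles.

```python
import hashlib
import hmac
import os

# Role -> capability table modelled on WordPress's Author and Administrator roles.
# Capability names follow WordPress; the table itself is constructed for this example.
ROLE_CAPABILITIES = {
    "author": {"edit_posts", "publish_posts", "upload_files"},
    "administrator": {"edit_posts", "publish_posts", "upload_files",
                      "install_plugins", "create_users", "edit_files"},
}

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: never store or compare plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(username: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "role": role}

# Constructed sample user store (placeholder credentials, not real accounts).
USERS = {u["username"]: u for u in (
    create_user("alice", "admin-passphrase-example", "administrator"),
    create_user("bob", "author-passphrase-example", "author"),
)}

def authenticate(username: str, password: str):
    """Authentication: who are you? Returns the user record on valid credentials, else None."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hash_password(password, bytes(16))
        return None
    if not hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
        return None
    return user

def authorize(user: dict, capability: str) -> bool:
    """Authorization: may this already-authenticated user do this? Deny by default."""
    return capability in ROLE_CAPABILITIES.get(user["role"], set())

def attempt(username: str, password: str, capability: str) -> str:
    """The two checks in order: identity first, then permission for the requested action."""
    user = authenticate(username, password)
    if user is None:
        return "unauthenticated"   # the login page rejects the credentials
    if not authorize(user, capability):
        return "forbidden"         # logged in, but the role lacks this capability
    return "allowed"
```

A valid login for "bob" with `install_plugins` comes back "forbidden" rather than "unauthenticated": he proved who he is, but his Author role does not include that action.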
Summary
Although the terms authentication and authorization are sometimes used interchangeably, they do have different meanings. However, both of these concepts are at play whenever it comes to any type of login process. Being clear on what each term means with regard to security is vital to keeping your systems running smoothly and free of unforeseen modifications by those who aren't qualified.