Auth & identity
November 30, 2021
Authentication (authN) and authorization (authZ) have a lot in common. Both play critical roles in identity and access management. Both have a big impact on user experience for a website or app. And, obviously, they look and sound pretty similar.
But the parallels end there. Actually, authentication and authorization serve very different purposes—and they shouldn’t be confused or used interchangeably.
Below, we explore the differences between authN and authZ and explain how they work together (but separately) as part of your application architecture.
Authentication is the process of verifying that a user is who they claim to be. A user can prove their identity by providing something they know (such as a password or personal data), something they have (like a mobile device, security token, or digital ID card), or something they are (biometric data including fingerprints, retinal scans, and facial recognition). Combining factors from two or more of these categories is what makes an authentication step multi-factor.
Traditionally, authentication has relied on basic passwords and PINs, which come with significant security and UX concerns. As online security evolves and becomes more sophisticated, forward-thinking companies are switching to passwordless authN methods such as SMS one-time passcodes, email magic links, biometrics, and more. Keep in mind that a passcode or link delivered over SMS or email is only as strong as the phone number or mailbox it is sent to, so these methods are often paired with a second factor for sensitive accounts or actions.
Depending on your business’ requirements and the sensitivity of the user data you work with, you have a range of authentication methods to choose from. Here are three main types, in order from least to most secure:
Once a user is authenticated, the authorization process verifies what they are permitted to do—or not permitted to do—on an app or website. Authorization grants access to specific resources or data within an environment or unlocks actions like viewing, editing, downloading, or deleting data.
User permissions are determined through several authorization models:
There’s a common analogy used to understand the main difference between authN and authZ.
Think of it like an airport. When you go through security, you present a boarding pass and official identification like a driver’s license or passport. The ID proves that you are who you say you are, and checking it against the name on the boarding pass confirms the pass really belongs to you. That’s authentication.
After that, the details on the boarding pass determine where you can go. You can show your pass to board the plane and take your assigned seat—but if you try using it to get on a different flight or to gain access to an employee-only area, you’ll be denied. That’s authorization.
In addition to having separate functions, authN and authZ are dissimilar in the role a user plays:
Let’s break these differences down into one easy chart for comparison:
Authentication and authorization work in tandem to create a secure environment for both the user and the website or app.
In a standard flow, authN comes first, followed by authZ. Session management is the piece that connects the two: it records whether a user is still logged in or whether their session has expired, and it is usually coupled with the permission data describing what that user can access, which authorization checks on every request.
Session management is the process of storing context about a given user. A session can exist even before authentication: a logged-out session might track things such as localization data. Once a user completes authentication and a logged-in session is established, that session is responsible for storing context such as how long the session remains valid and the user’s permissions. A session can expire after a set amount of time or after a specific action, such as the user logging out. Because the session identifier stands in for the user’s credentials for its whole lifetime, it must be unguessable, and ending a session must invalidate it on the server, not just remove it from the client.
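As an added example (not Stytch’s code or API), here is a minimal Python model of that flow: authentication verifies a password hash and mints an unguessable session token, the session carries an expiry and the user’s permissions, and authorization consults the session on every request until it expires or is logged out. The user table, roles, session length, and salt are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# --- Constructed sample data (not a real user database) -------------------
# Passwords are stored as PBKDF2-HMAC-SHA256 hashes. A single static salt is
# used only to keep the sample short; real systems use a random salt per user.
SALT = b"constructed-demo-salt"
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


USERS: Dict[str, dict] = {
    "alice": {"password_hash": hash_password("correct horse battery"), "roles": {"editor"}},
    "bob":   {"password_hash": hash_password("hunter2"), "roles": {"viewer"}},
}

# A minimal role-based model: each role maps to the actions it unlocks.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"document:view"}),
    "editor": frozenset({"document:view", "document:edit", "document:delete"}),
}

SESSION_TTL_SECONDS = 15 * 60  # constructed session length


@dataclass
class Session:
    username: str
    expires_at: float
    permissions: FrozenSet[str]


# Server-side session store, keyed by an unguessable token.
SESSIONS: Dict[str, Session] = {}


def authenticate(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Authentication: verify the claimed identity. Returns a session token or None."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Always compute the hash so an unknown username costs as much as a wrong
    # password (no timing oracle for valid usernames); compare in constant time.
    candidate = hash_password(password)
    if user is None or not hmac.compare_digest(candidate, user["password_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    permissions = frozenset().union(*(ROLE_PERMISSIONS[r] for r in user["roles"]))
    SESSIONS[token] = Session(username, now + SESSION_TTL_SECONDS, permissions)
    return token


def authorize(token: str, permission: str, now: Optional[float] = None) -> bool:
    """Authorization: may the session behind `token` perform `permission` right now?"""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return False  # unknown, logged-out, or forged token
    if now >= session.expires_at:
        SESSIONS.pop(token, None)  # expired: drop the server-side state too
        return False
    return permission in session.permissions


def logout(token: str) -> None:
    """Invalidate the session on the server, not just on the client."""
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    tok = authenticate("alice", "correct horse battery")
    print("alice may edit:", authorize(tok, "document:edit"))   # True
    print("alice may manage users:", authorize(tok, "users:manage"))  # False
    print("wrong password:", authenticate("alice", "wrong"))    # None
    logout(tok)
    print("after logout:", authorize(tok, "document:view"))     # False
```

The split matters for the caveats above: `authenticate` is the only place credentials are examined, `authorize` never sees a password, and both expiry and logout remove the session from the server-side store so a leaked token stops working even if the client still holds it.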
Now that you can distinguish between authN and authZ, the next step is finding the right passwordless solutions to fit your needs. That’s where Stytch comes in.
Sign up for a free account to get started, or contact email@example.com to discuss all things auth.
Sign up or talk to an auth expert to learn how you can improve conversion, retention, and security with Stytch.