Authentication vs. Authorization with Real Example
Learn the difference between authentication and authorization, how they work in cybersecurity, and why both are essential for secure systems.
Table of Contents
- Introduction
- What is Authentication?
- Common Authentication Methods
- Example
- What is Authorization?
- Example
- Simple Real-Life Example
- Key Differences Between Authentication and Authorization
- How Does Authentication Work?
- Example of JWT (JSON Web Token) Usage
- How Does Authorization Work?
- Common Approaches for Authorization
- Example
- Authentication and Authorization in Web Development
- Responsibilities of Frontend Applications
- Example
- Responsibilities of Backend
- Example
- Popular Technologies Used
- Authentication Tools
- Authorization Tools
- Significance of Authentication and Authorization
- Advantages
- Typical Errors Developers Commit
- Mixing up Authentication and Authorization
- Improper Password Storage
- Sole Reliance on Frontend Security
- Weak Session Management
- Real-World Examples
- Example 1: Social Media App
- Authentication
- Authorization
- Example 2: Banking App
- Authentication
- Authorization
- Security Measures
- Conclusion
Introduction
Security is a central concern in web application and software development. Its main goals are protecting user data and controlling access to resources. Two terms that come up in every discussion of security are “authentication” and “authorization.” The concepts are closely related and usually mentioned together, but they are not the same thing, and newcomers frequently confuse them.
Let’s discuss authentication and authorization in this post and see what distinguishes them from each other.
What is Authentication?
Authentication is the process of verifying a user’s identity, usually by checking the credentials they present. In other words, authentication asks the question:
“Who are you?” During the login process, the application checks whether the information the user provides matches the stored credentials.
Common Authentication Methods:
- Username & Password
- Email Confirmation
- One-Time Password (OTP)
- Fingerprint Check
- Face Recognition
- Social Login: Google, Facebook, GitHub
Example
When you log into your Instagram or Facebook account using your email and password, the application verifies your identity. If the credentials you entered are correct, you are logged into your account.
What is Authorization?
Authorization is the process of determining what an authenticated user is allowed to access and which actions they may perform.
It is concerned with the question:
“What are you allowed to do?”
After successful authentication, the system evaluates the user’s access rights on every request.
Example:
In a university website:
• Students have permission to see their results
• Teachers can upload marks
• Admins can control everything in the portal
All three kinds of users are authenticated, yet each is authorized differently.
Simple Real-Life Example
Let us consider a visit to an airport.
Authentication:
We show our ID/passport to the security staff as proof of identity.
Authorization:
Once we have a boarding pass, it determines:
• The flight that we can board
• The lounge that we can use
• Access to certain restricted areas
Authentication checks and verifies identity, while authorization gives the access.
Key Differences Between Authentication and Authorization:
| Authentication | Authorization |
| --- | --- |
| Verifies identity | Determines permissions |
| Happens first | Happens after authentication |
| Answers “Who are you?” | Answers “What can you do?” |
| Uses credentials | Uses roles and permissions |
| Example: Login system | Example: Admin access |
How Does Authentication Work?
The following sequence of actions is typical for authentication:
1. The user provides login credentials
2. The credentials are sent to the server
3. The server checks the credentials against the stored values
4. Access is granted if the credentials are correct
5. The server creates a session or issues a token that identifies the user on later requests
Example of JWT (JSON Web Token) Usage:
After you log in, the server generates a signed token and returns it to the client.
The client then sends that token with every further request.
The server verifies the token’s signature and expiry on each request before trusting the identity it carries.
How Does Authorization Work?
Once authentication has succeeded, authorization limits what the user can access.
Common Approaches for Authorization:
- Role-Based Access Control (RBAC)
- Permission-Based Access
- Access Control List (ACL)
- OAuth permissions
Example:
A dashboard can include:
- Admin panel
- Editor panel
- User panel
The system will check the user’s role before presenting specific content or actions.
Authentication and Authorization in Web Development
Both authentication and authorization are required in frontend and backend web application development.
Responsibilities of Frontend Applications:
Frontend applications typically handle:
- Login forms
- Holding the authentication token and sending it with each request
- Hiding parts of the interface the user is not permitted to use (a usability measure, not a security control)
Example:
Normal users should not be able to see the button “Admin Dashboard.”
Responsibilities of Backend:
Backend systems:
- Verify user credentials
- Create authentication tokens
- Verify permissions prior to processing requests
Example:
Even if someone types the admin route URL manually, the backend rejects the request, because the permission check runs on the server and does not depend on what the interface showed.
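Both the role-checked dashboard in the authorization section and the backend responsibility just described come down to the same server-side check, shown here as an added example (not the post’s own code): a route table with a required permission per route, an RBAC role map, and a dispatcher that returns 401 for an unauthenticated caller and 403 for an authenticated one without the permission. The roles, permissions, routes and request objects are constructed for illustration, and the `user` field stands in for the identity that a verified session or token would have established.

```javascript
// Role -> permissions (RBAC). A permission ending in ':own' is valid only for resources the caller owns.
const ROLE_PERMISSIONS = {
  user:   ['post:read', 'post:create', 'profile:edit:own'],
  editor: ['post:read', 'post:create', 'post:edit', 'post:delete', 'profile:edit:own'],
  admin:  ['post:read', 'post:create', 'post:edit', 'post:delete', 'profile:edit:own',
           'admin:dashboard', 'user:manage'],
};

// Every route declares the permission it requires. A route that is not listed does not exist
// for anyone (default deny), so a guessed URL has nothing to fall through to.
const ROUTES = [
  { method: 'GET',    pattern: '/posts',           permission: 'post:read' },
  { method: 'DELETE', pattern: '/posts/:id',       permission: 'post:delete' },
  { method: 'PUT',    pattern: '/profiles/:id',    permission: 'profile:edit:own' },
  { method: 'GET',    pattern: '/admin/dashboard', permission: 'admin:dashboard' },
];

// Tiny path matcher: '/profiles/:id' matches '/profiles/u1' and yields { id: 'u1' }.
function matchRoute(method, path) {
  for (const route of ROUTES) {
    if (route.method !== method) continue;
    const want = route.pattern.split('/');
    const got = path.split('/');
    if (want.length !== got.length) continue;
    const params = {};
    let matched = true;
    for (let i = 0; i < want.length; i++) {
      if (want[i].startsWith(':')) params[want[i].slice(1)] = got[i];
      else if (want[i] !== got[i]) { matched = false; break; }
    }
    if (matched) return { route, params };
  }
  return null;
}

// The authorization decision proper. `user` is what authentication established: { id, role }.
function isAuthorized(user, permission, params) {
  const granted = ROLE_PERMISSIONS[user.role] || [];            // unknown role => no permissions
  if (!granted.includes(permission)) return false;
  if (permission.endsWith(':own')) return params.id === user.id;  // ownership scoping
  return true;
}

// Server-side dispatcher: route lookup, then authentication result (401), then authorization (403).
// Returns an HTTP-style status so the decision can be checked without a web framework.
function dispatch(request) {
  const match = matchRoute(request.method, request.path);
  if (!match) return { status: 404 };
  if (!request.user) return { status: 401 };                       // not authenticated
  if (!isAuthorized(request.user, match.route.permission, match.params)) return { status: 403 };
  return { status: 200, permission: match.route.permission, params: match.params };
}

// Constructed requests: a normal user typing the admin URL by hand is refused on the server.
console.log(dispatch({ method: 'GET', path: '/admin/dashboard', user: { id: 'u1', role: 'user' } }).status);  // 403
console.log(dispatch({ method: 'GET', path: '/admin/dashboard', user: { id: 'a1', role: 'admin' } }).status); // 200
console.log(dispatch({ method: 'PUT', path: '/profiles/u2', user: { id: 'u1', role: 'user' } }).status);     // 403
console.log(dispatch({ method: 'GET', path: '/posts', user: null }).status);                                   // 401
```

The ownership rule on `profile:edit:own` is the same check the social-media example later in the post relies on (only the account owner may change profile settings): a role grants the permission, and the resource identifier in the URL is compared with the caller’s identity before the handler runs.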
Popular Technologies Used
Authentication Tools:
- JWT (JSON Web Token)
- OAuth
- Firebase Authentication
- Passport.js
- Auth0
Authorization Tools:
- Permission systems
- RBAC (Role-Based Access Control)
- Middleware authorization verification
Significance of Authentication and Authorization:
In the absence of proper authentication and authorization:
- Critical information could be compromised
- Unapproved users might access the system
- Security threats arise for the system
Advantages:
- Enhanced security measures
- Efficient user administration
- Information safety
- Restricted access to resources
Typical Errors Developers Commit:
1. Mixing up Authentication and Authorization
Novices often believe that being logged in is enough; in fact, every request must still be checked against the user’s permissions.
2. Improper Password Storage
Passwords must never be stored in plain text, and merely encrypting them is not enough either, since anyone who obtains the key can recover every password. Store a salted hash produced by a slow, purpose-built algorithm such as bcrypt, scrypt or Argon2.
3. Sole Reliance on Frontend Security
Frontend controls alone cannot guarantee security; hiding a button does not remove the route. Backend verification is a necessity.
4. Weak Session Management
Tokens that leak, never expire, or cannot be revoked put the application at risk.
Real-World Examples
Example 1: Social Media App
Authentication:
The user logs in using email and password.
Authorization:
Only the owner of the account can change profile settings.
Example 2: Banking App
Authentication:
User authentication via OTP and password.
Authorization:
Users access their accounts only; admins control the banking system.
Security Measures:
For Authorization:
- Deploy role-based access controls
- Server-side permission verification
- Restricting sensitive operations
- Least privilege principle
For Authentication:
- Enforce strong passwords
- Implement Two-Factor Authentication (2FA)
- Store passwords as salted hashes, never in plain text or reversibly encrypted
- Issue short-lived, signed tokens and validate them on every request
Conclusion
Authentication and authorization are critical concepts for any software engineer and cybersecurity professional. Both matter for security, but they play different roles: authentication validates the user’s identity, while authorization decides which data and actions that identity is permitted to use.
Understanding both concepts is essential when designing applications that rely on them.
In simple terms:
Authentication = Who are you?
Authorization = What can you do?
Written By Reeshaiel Shah