Authentication and authorization, the two golden words of security and authority, differ greatly in their meaning and applications, even though they are often conflated as one and the same. In many circumstances, authorization and authentication are required in tandem to issue orders and accomplish tasks, but the two words are subtly, yet firmly, differentiated.
Authentication is, quite simply, verification of who or what someone is. Authentication is required in systems all across commerce and business in order to verify the identity of someone issuing a command, placing an order, or inquiring about information.
Authentication is necessary in almost all interactions of importance in day-to-day life, whether one is attempting to withdraw money from a bank account, find information about their personal records, place an order with a credit card, or pay off a student loan.
Authentication can take many forms, depending on the importance of the actions being taken. In day-to-day life, every time a person enters their PIN when making a purchase, they are passing an authentication test that verifies they are the credit cardholder or someone with the power to make purchases with that credit card. Every time a person logs into their personal email account, they are authenticating themselves as the owner of that account by providing a password. Authentication can be rather simple – as easy as entering four digits to prove identity – or incredibly complex, necessitating verifying detailed personal information (such as when requesting a credit report) or even requiring biometric identification (such as needing fingerprints to authenticate identity to launch nuclear missiles).
Authorization is when a party or entity is given the permission, or has the power, to perform a certain task. In complex organizations and structures, authorization is often painstakingly delegated to make sure that very specific people have the authority to decide important tasks or actions. One may ask a low-level bank teller to completely empty a bank account, asking for $150,000 cash on the spot. That low-level bank teller, however, most likely would need permission, or authorization, from the bank manager to be able to withdraw that money. If the amount is great enough, that manager may have to go even higher up the chain of command – asking the bank’s president – if they can hand out that much cash on the spot.
Authorization is also used heavily in computer systems, to ensure that people accessing certain files are both competent and trusted enough to access sensitive information. Computer networks often don’t allow a random user to log in and begin changing the code of an operating system, as that authorization is reserved for system administrators who have the tech-savvy not to send the entire network into chaos. Security systems dictate that most employees of a company can’t access sensitive account information – they often can’t see passwords, full social security numbers, or other information that is kept private. Instead, only certain departments, with heavily vetted employees, have the authorization to access information that needs to be kept safe or secret.
Authorization and Authentication Positively Correlate
Often, the more authorization an entity has to decide on matters of importance, the more authentication is required to take those actions. Signing on to your account at your favorite baking website may require just an email and a simple password, while logging into a secure government website (such as, say, in a CIA system) would require a username, a complicated 15-20 character password that includes letters, numbers, and symbols, and additional verification to prove that person’s identity. While the two are very separate, they often appear in similar contexts, which is probably a very good thing. It may be a hassle to provide your best friend’s name, your pet’s name, and your mother’s maiden name when taking out an online credit card, but it definitely beats having someone authorize themselves to take out $100,000 in credit card debt in your name.
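The bank example above can be written as two separate checks, shown here as an added example that is not part of the original article: authentication verifies who is asking, and authorization then decides what that identity may do, with higher roles needing more verified factors. The role names follow the article; the cash limits, factor counts, function names, and sample secrets are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed policy: roles follow the article's bank example; the cash
# limits and required factor counts are assumptions for illustration.
CASH_LIMIT = {"teller": 10_000, "manager": 100_000, "president": 1_000_000}
FACTORS_REQUIRED = {"teller": 1, "manager": 2, "president": 2}
ESCALATION = ["teller", "manager", "president"]


def _derive(secret: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of each secret, never the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def enroll(role: str, *secrets: str) -> dict:
    """Create a user record holding one salted hash per enrolled factor."""
    creds = []
    for secret in secrets:
        salt = os.urandom(16)
        creds.append((salt, _derive(secret, salt)))
    return {"role": role, "creds": creds}


def authenticate(user: dict, *presented: str) -> int:
    """Authentication: who is this? Returns verified factor count, 0 on any mismatch."""
    if not presented or len(presented) > len(user["creds"]):
        return 0
    checks = [hmac.compare_digest(stored, _derive(secret, salt))
              for (salt, stored), secret in zip(user["creds"], presented)]
    return len(presented) if all(checks) else 0


def authorize(user: dict, verified_factors: int, amount: int) -> str:
    """Authorization: may this identity do this? Evaluated only after authentication."""
    role = user["role"]
    if verified_factors == 0:
        return "deny: not authenticated"
    if verified_factors < FACTORS_REQUIRED[role]:
        return "deny: step-up authentication required"
    if amount <= CASH_LIMIT[role]:
        return "allow"
    # Over this role's limit: name the lowest role able to approve the amount.
    for higher in ESCALATION[ESCALATION.index(role) + 1:]:
        if amount <= CASH_LIMIT[higher]:
            return f"escalate: needs {higher} approval"
    return "deny: exceeds every limit"
```

With these assumed limits, a correctly authenticated teller asked for $150,000 gets an escalation result rather than an approval, and a manager who presents only one of two enrolled factors is refused even for an amount within the manager limit.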