A simple explanation of these very commonly used terms “Authentication” (or “AuthN”) and “Authorization” (or “AuthZ”)

Authentication, or AuthN, is the process of verifying the identity of a person (or system). This is typically done with a password, a company ID or a driver’s license.

Authorization, or AuthZ, is the decision to grant (or deny) access to a system once the caller has been authenticated. Badging into your office with your company ID is an example of authorization.

Types of Authentication (AuthN)

As noted above, authentication applies to both people and systems.

For people, it is usually a shared secret, e.g., password, PIN, etc., or it could be some form of biometric, e.g., facial recognition.

For computers, it is typically a shared secret. This is usually a long hexadecimal string, or a token in a specific format, which is sent by the requester. The system receiving the token validates it and then knows the identity of the calling system.

There is also single-factor and multi-factor authentication (MFA). MFA is used for added security: the first factor is something you know and the second factor is something you have.

An example of single-factor authentication is your password. The system does not differentiate who is accessing it as long as the password is valid.

An example of MFA is your bank ATM card. In order to use the ATM you must know the PIN (first factor) and you must have the ATM card (second factor). Most MFA systems stop at two factors, but it is possible to have three (or more) for a very secure system.

As a side note, computers only have one factor: the shared secret (or token).

This is one of the reasons cybersecurity is challenging: making sure the tokens are valid and coming from a known system!

Authorization Process

Once a user (or system) has authenticated, two pieces of information are known: the Identity of the Caller and that their Identity is verified.

Once the Identity of the Caller is known and verified, the system being accessed can decide if the caller should be allowed to access resources or services.

Authorization systems can be very simple, e.g., every authenticated caller can access all services, or very complex. A common example of a complex authorization system is Microsoft Active Directory.
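A minimal illustration of the two-step flow described above, added here as an example and not code from the original post: the receiving system validates a caller's shared-secret token (AuthN), learns its identity, and only then consults a policy table (AuthZ). The service names, identities and tokens are constructed samples, and the "401"/"403" labels are only a convenient way to tell the two kinds of denial apart.

```python
import hashlib
import hmac
from typing import Optional


def _digest(token: str) -> str:
    # The receiving system stores only a SHA-256 digest of each token,
    # so a leaked table does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed sample data: token digest -> identity of the calling system.
KNOWN_SYSTEMS = {
    _digest("4f3c2a9e1b7d8e6f0a1b2c3d4e5f6071"): "billing-service",
    _digest("deadbeef0badf00d1234567890abcdef"): "reporting-service",
}

# Constructed authorization policy: identity -> services it may call.
POLICY = {
    "billing-service": {"invoices", "payments"},
    "reporting-service": {"invoices"},
}


def authenticate(token: str) -> Optional[str]:
    """AuthN: map the presented token to a verified identity, or None."""
    presented = _digest(token)
    identity = None
    for stored, name in KNOWN_SYSTEMS.items():
        # compare_digest runs in constant time; no early exit on the
        # first match, so timing does not reveal which entry matched.
        if hmac.compare_digest(stored, presented):
            identity = name
    return identity


def authorize(identity: str, service: str) -> bool:
    """AuthZ: decide whether an already-verified identity may use a service."""
    return service in POLICY.get(identity, set())


def handle_request(token: str, service: str) -> str:
    """Run AuthN first, then AuthZ, and report which step (if any) denied."""
    identity = authenticate(token)
    if identity is None:
        return "401 unauthenticated"  # AuthN failed: caller unknown
    if not authorize(identity, service):
        return f"403 forbidden: {identity} may not access {service}"
    return f"200 ok: {identity} -> {service}"
```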

Pulling it Together

Authentication and authorization are two distinct steps necessary to access a sensitive system. Authentication verifies the Identity of the caller and Authorization decides what services, if any, the caller is allowed to access.


One response to “Authentication and Authorization Explained”

  1. 4 Levels of API Security: Which One is Right for Your Application? – Nicki’s Blog

    […] Finally, remember that computer-to-computer APIs are limited in their authentication techniques. With a person, you can use a second factor, e.g., cellphone, to further authenticate the user. Computers are limited to the files and configuration they have for authentication. See my other blog on Authentication and Authorization […]
