Topic 06

Authentication vs Authorization

Concept

When Olivia logs into her bank, two completely different questions get answered one after the other, and almost everyone blurs them into one. The first question is: are you really Olivia? The second is: is Olivia allowed to do this?

These have names. Proving who you are is authentication. Deciding what you're permitted to do is authorization. Who you are, versus what you may do.

Think of an office building. At the front door you scan your badge, and the scanner confirms you are who the badge says you are — that is authentication. Inside, your badge opens some floors and not others; which doors it unlocks is what you're allowed to do — that is authorization. Same badge, two separate jobs. Once you can keep those two jobs apart, most of how access works falls into place.

Every protected action passes through two gates, in order:

  • Claim: "I am Olivia"
  • Authenticate: who are you?
  • Authorize: what may you do?
  • Action: allowed or denied

Authentication: Proving Who You Are

Authentication is the step where you convince the system you are the right person. You do it by presenting something only you should know, have, or be: a password, a one-time code from your phone, a fingerprint.

When Olivia types her password, she isn't asking for anything yet. She is answering a single question — are you really the account holder? If the proof checks out, the system now believes it is talking to Olivia. That belief is the whole output of authentication: it ends with a yes or a no on identity, and nothing more.

Authorization: What You're Allowed to Do

Once the system knows who you are, a second question begins: what is this person permitted to do? That is authorization — checking your permissions, the specific list of actions this account is allowed to take.

Olivia can open her own account and see her own balance. She cannot open her neighbor's account, even though she is fully and correctly logged in. Authentication confirmed she is Olivia; authorization is what stops Olivia from reaching into someone else's data. The two answers are independent — being known is not the same as being allowed.

Why the Order Matters

The two steps always happen in the same order: authenticate first, then authorize. The reason is plain once you say it out loud — the system cannot decide what you're allowed to do until it knows who you are.

So a valid login is the beginning, not a free pass. Olivia can pass authentication perfectly and still be told no, because authorization is a separate gate that each action has to clear, checked by the system on every request and not just by which buttons the screen chooses to show. This is exactly why a logged-in person sometimes sees "you don't have permission" — the system knows who they are and has decided this particular action isn't on their list.

Identity Outlives the Login

There's one more piece that makes the split click into place. Who you are tends to stay the same; what you can do can change without you proving who you are all over again.

Picture Olivia at work. She gets promoted, and a manager's permissions are added to her account. She is the same person — her identity didn't change — but the set of things she's allowed to do just grew. Later she changes teams, and some of those permissions are taken away. Through all of it, she is still Olivia. Authentication settled who she is once; authorization is the part that keeps getting adjusted.
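The two gates from the sections above, written out as an added example (this is not code from the original lesson, and the names `Directory`, `login`, `authorize`, the account numbers and the passwords are all constructed for illustration). It shows three things the prose describes: a wrong password produces no session at all; a fully logged-in Olivia is still refused her neighbor's account because ownership is checked per action; and a promotion or team change takes effect in the same session, because permissions are looked up at each action rather than copied into the login.

```python
import hashlib
import hmac
import os
import secrets

# Constructed data and names for illustration only; not a real bank's code.


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential table cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Directory:
    """Identity store and permission store kept as separate tables.

    A session token records only *who* logged in. *What* they may do is
    looked up from the current role and ownership tables every time an
    action is attempted, so permission changes apply without a new login.
    """

    def __init__(self):
        self._credentials = {}    # username -> (salt, password hash)
        self._roles = {}          # username -> set of role names
        self._account_owner = {}  # account id -> owning username
        self._sessions = {}       # session token -> username

    def add_user(self, username, password, roles=()):
        salt = os.urandom(16)
        self._credentials[username] = (salt, _hash_password(password, salt))
        self._roles[username] = set(roles)

    def add_account(self, account_id, owner):
        self._account_owner[account_id] = owner

    def grant_role(self, username, role):
        self._roles.setdefault(username, set()).add(role)

    def revoke_role(self, username, role):
        self._roles.get(username, set()).discard(role)

    # Gate 1: authentication. Answers only "is this really <username>?"
    def login(self, username, password):
        record = self._credentials.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username  # the session holds identity, nothing else
        return token

    # Gate 2: authorization. Checked on every action against current data.
    # The session tells us the identity; the caller's own claims are not trusted.
    def authorize(self, token, action, account_id):
        username = self._sessions.get(token)
        if username is None:
            return "unauthenticated"
        if action in ("view", "transfer"):
            # Object-level check: owning this account, not merely being logged in.
            allowed = self._account_owner.get(account_id) == username
        elif action == "freeze":
            # Role-based check: only managers may freeze accounts.
            allowed = "manager" in self._roles.get(username, set())
        else:
            allowed = False  # default deny for actions we do not know about
        return "allowed" if allowed else "forbidden"


def build_demo_directory():
    """Constructed sample users and accounts for the walkthrough."""
    d = Directory()
    d.add_user("olivia", "correct horse battery staple")
    d.add_user("neighbor", "another password")
    d.add_account("ACC-1001", "olivia")
    d.add_account("ACC-2002", "neighbor")
    return d


def demo():
    """Walks the lesson's story and returns (step, outcome) pairs."""
    d = build_demo_directory()
    steps = [("bad password", d.login("olivia", "wrong") is None)]
    token = d.login("olivia", "correct horse battery staple")
    steps.append(("own account", d.authorize(token, "view", "ACC-1001")))
    steps.append(("neighbor's account", d.authorize(token, "view", "ACC-2002")))
    steps.append(("freeze before promotion", d.authorize(token, "freeze", "ACC-1001")))
    d.grant_role("olivia", "manager")   # promotion; same session, no new login
    steps.append(("freeze after promotion", d.authorize(token, "freeze", "ACC-1001")))
    d.revoke_role("olivia", "manager")  # team change; same session again
    steps.append(("freeze after team change", d.authorize(token, "freeze", "ACC-1001")))
    steps.append(("forged token", d.authorize("not-a-real-token", "view", "ACC-1001")))
    return steps


if __name__ == "__main__":
    for name, outcome in demo():
        print(f"{name:26} {outcome}")
```

Note that `authorize` never consults anything the client sent about who it is; it reads the identity from the server-side session and the permissions from the live tables. If the roles were instead copied into the token at login, the promotion and the revocation would not show up until the next login, which is the failure the "Identity Outlives the Login" section warns against.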

Identity is fixed once; permissions are a separate list that can change at any time:

  • Your identity: established at login and held for the session. You are who you proved you are, and that doesn't shift while you stay logged in.
  • Your permissions: managed separately. Can grow or shrink at any time — a promotion or role change updates the list without a new login, as long as the system looks the list up when you attempt each action rather than copying it into your login once.

Common Confusions
  • "Authentication and authorization are the same step." They sound alike and happen seconds apart, but they answer different questions. One proves who you are; the other grants permission for a specific action. They are separate decisions.
  • "If you're logged in, you can do anything in the system." Being authenticated only means the system knows who you are. Each action still has to pass authorization, and your permissions limit what gets through.
  • "Authorization happens first." It can't. The system has to establish who you are before it can look up what that person is allowed to do, so authentication always comes first.
  • "A 'you don't have permission' message means the login failed." The opposite — it means the login worked. The system knows exactly who you are; it has just decided this particular action isn't permitted for you.

Why It Matters
  • These two words turn up constantly in the rest of security. Mixing them up makes a lot of later topics — sessions, roles, access control — much harder to follow.
  • It explains why a logged-in person still gets "you don't have permission," and why that message is the system working correctly, not breaking.
  • Keeping the two apart shows why a real login can still be tightly limited: who you are and what you may do are protected by two different gates.

Knowledge Check

Olivia types her password and the system confirms she is the account holder. Which step has just happened?

  • Authentication
  • Authorization
  • Neither — checking a password doesn't really matter
  • Both at the same time, in one combined step

Why must authentication always come before authorization?

  • The system can't decide what you may do until it knows who you are
  • Because checking permissions is faster than checking a password, so systems run it first to save time
  • Because the order is random and changes from system to system
  • Because authorization is optional and usually skipped

Olivia is fully logged in but cannot open her neighbor's account. Which step is stopping her?

  • Authorization — her permissions don't cover that account
  • Authentication — the system doesn't know who she is, so she must verify her identity before the page loads
  • Nothing — once logged in she can open any account
  • Her password must have been entered incorrectly

Olivia is promoted and gains a manager's permissions without logging in again. What does this show?

  • Who you are can stay fixed while what you're allowed to do changes
  • That her identity changed when she was promoted
  • That permissions and identity always change together, so she would need to log in again to get the new access
  • That she needed a new password to get the new access
