Authentication vs Authorization

Gonzalo Galdámez · Published in Unagi · 3 min read · Jul 30, 2021

For some reason, we programmers tend to confuse the concepts of authentication and authorization quite often. Although they are equally important, they are very different. Let’s review each.

While authentication focuses on determining that the user is who she/he claims to be, authorization is in charge of controlling what actions that user can perform.

Authentication

If we think about an application like Facebook and how it handles authentication, we will see that when I log in with my email and password, Facebook is authenticating me.

This means that it is checking that the password entered matches the password that is associated with my email in the database. As long as the password matches, I will be able to access the application. But if it doesn’t match, Facebook won’t let me log in because it can’t ensure that I am who I say I am.

But what if someone steals my password? Well, we shouldn’t rely on passwords alone. Recently, new authentication methods have arisen, like two-factor authentication (2-FA), that give us an extra security layer. 2-FA, as the name implies, adds a second step to verify that the person who is logging in is who she/he says she/he is.

So, it is no longer enough just to know the password, but we must provide some more evidence. The most common way is by sending an email to the email address we used to register or by sending a text message with a code to our cell phone. But there are also apps like Google Authenticator that do the same job.

Although 2-FA is not yet in all applications and its activation is usually optional for the user, we encourage you to enable it always.

Authorization

As said, to authorize is to determine whether we are allowed to do something or not.

For example, Medium offers different functionalities for free users and premium users. A free user is authorized to access a limited set of features and is not authorized to access other features until she/he pays for the subscription and becomes a premium user.

So, every time a user requests access to a feature, the application checks whether or not she/he can do so. Authorization is usually done in the backend without the user even noticing it.

As long as the user accesses resources for which she/he has permission, access will be granted. On the other hand, when the user tries to access resources for which she/he doesn’t have permission, she/he will be informed, either with an error message or with an invitation to subscribe to the premium service.

Understanding these two concepts is essential for developers who are just entering the industry (or have been here for a while!). They are often confused, so we hope they are now a little clearer.

Did you like this article? We would love to hear from you.
If you have any questions, suggestions, or criticisms, feel free to leave a comment below.

Unagi is a software factory that provides design and development services for startups, small and mid-size companies. Read more about us on our website, blog, Twitter, or LinkedIn.
