Difference Between Authentication and Authorization (Authentication vs Authorization)

What is the main difference between Authentication and Authorization (Authentication vs Authorization)?

The main difference between authentication and authorization is that authentication asks "Who is the user?" whereas authorization asks "What is this user allowed to do?" The two questions are answered in that order: an authorization decision needs an established identity to reason about, and a proven identity on its own grants nothing.

Whether you're withdrawing money from a bank, entering a restricted building, or boarding an airplane, gaining access to a restricted resource requires both authentication and authorization. The two processes are closely related and often confused. To understand the difference between authentication and authorization, consider an example in the physical world that most people are familiar with: boarding an airplane. Before you can board a plane, you must present both your identification and your ticket. Your identification, typically a driver's license or a passport, enables the airport staff to determine who you are. Validating your identity is the authentication part of the boarding process. The airport staff also checks your ticket to make sure that the flight you are boarding is the correct one. Verifying that you are allowed to board the plane is the authorization process.

Comparison chart for the difference between Authentication and Authorization (Authentication vs Authorization)

Basis: Definition
Authentication: Authentication is the process of identifying a user. It is usually done by requesting a username-password pair, or a certificate, to verify that the user is who they claim to be. (Who is the user? Can you identify them as a member of staff in your system?)
Authorization: Authorization happens after authentication and addresses the question: what does the user have access to? The user is already known; what can they access in the system? For example, may a user who logs in in the Manager role delete a purchase order?

Basis: Process
Authentication: Authentication is the process by which a system such as a computer, a web server or a smartphone verifies the identity of a claimed user. On its own it does not grant access to anything; that decision belongs to authorization.
Authorization: Authorization is the process of deciding, from the roles or permissions attached to an authenticated user, which resources and actions that user is granted.

Basis: Determines
Authentication: Authentication determines whether the user is who they claim to be.
Authorization: Authorization determines what the user can and cannot access. It happens afterward: with the proper authorization, once you have authenticated yourself you can get access to shares on a server, the room door unlocks, and you can access your bank account.

Basis: Order
Authentication: Authentication comes first; it establishes the identity that every later authorization decision is made about.
Authorization: Authorization happens after authentication.

Basis: Example
Authentication: Swiping a key card to gain access to a room, inserting your ATM card and entering a PIN, and typing a username and password at a prompt are all examples of authentication.
Authorization: Verifying that you are allowed to board the plane is authorization. Verifying that a user who logs in as admin is allowed to delete the entire system is authorization.

Authentication

Authentication is the process of identifying a user to a service. OpenID was the first standard that aimed at providing a decentralized protocol for identifying users across multiple sites. The idea behind it was very simple: avoid the tedious task of re-entering the same information over and over by delegating the log-in process to another site. OpenID was introduced in 2005 and saw enormous growth, totaling over 1 billion user accounts in 2009 [1]. Recent development has shown less demand for OpenID and central identity platforms. Instead, hybrid approaches were introduced that offer both user authentication and authorization at the same time; OpenID Connect, which layers an identity token on top of OAuth 2.0, is the prominent example.

Authorization

While authentication is concerned with user identity, authorization tries to solve the problem of providing access to a user's protected resources. This can involve granting access to user profiles, which blurs the line between authentication and authorization, or simply anonymous access to data. Authorization standards like OAuth are often used as a more convenient and more secure way of handling sign-in than regular basic authentication flows using usernames and passwords. The idea behind this is to rely on a third party's authentication system, and it is heavily leveraged in social login scenarios using service providers like Facebook, Google Plus or Twitter. One caveat: OAuth itself is an authorization framework. An access token proves that the client may call an API on the user's behalf, not who the user is, and a token issued to one application can be presented to another. Treating a bare access token as a sign-in credential is therefore a known mistake; OpenID Connect addresses it by adding an ID token whose audience is bound to the application that requested it, and which that application must validate before trusting the identity it carries.


Authentication in .NET

In a Windows domain, authentication is typically delegated to Active Directory through API calls: Active Directory either confirms the claimed identity or rejects the logon. The authorization details, in most cases, have to be coded explicitly. Authorization in .NET is commonly role-based. (For example, the SeniorManager role can delete purchase orders, whereas the Manager role is not entitled to the same privilege.) Therefore, before deleting a purchase order, you check whether the currently logged-in user carries the SeniorManager role, using the IsInRole method of the current principal. A successful authentication by itself never grants the action: a user who is authenticated but lacks the role must receive a "forbidden" result, which is a different outcome from a failed logon.
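The sequence that the comparison chart and the .NET section describe, as an added example (not code from the original article or from any Microsoft sample): a password check that yields a ClaimsPrincipal, followed by an IsInRole check before a purchase order may be deleted. The user names, passwords, roles and the purchase-order action are constructed for illustration; a real application would keep credentials in a directory such as Active Directory or a database rather than in memory.

```csharp
// Added example (not from the original article): authentication followed by a
// role-based authorization check, in the style the .NET section describes.
// User names, passwords, roles and the purchase-order action are constructed.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;

public enum AccessResult { Unauthenticated, Forbidden, Allowed }

public static class PurchaseOrders
{
    // Constructed credential store: PBKDF2 hash, salt and roles per user.
    private sealed record Account(byte[] Salt, byte[] Hash, string[] Roles);

    private static readonly Dictionary<string, Account> Users = new()
    {
        ["alice"] = MakeAccount("correct horse", new[] { "Manager", "SeniorManager" }),
        ["bob"]   = MakeAccount("battery staple", new[] { "Manager" }),
    };

    // Unknown users are checked against this dummy so the PBKDF2 cost is paid
    // either way and response time does not reveal which user names exist.
    private static readonly Account Dummy = MakeAccount("unused", Array.Empty<string>());

    private static Account MakeAccount(string password, string[] roles)
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        return new Account(salt, Derive(password, salt), roles);
    }

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    // Authentication: "who is the user?" Returns a principal only when the
    // password matches; the hash comparison is constant-time.
    public static ClaimsPrincipal? Authenticate(string username, string password)
    {
        bool known = Users.TryGetValue(username, out var acct);
        acct ??= Dummy;
        var candidate = Derive(password, acct.Salt);
        if (!known || !CryptographicOperations.FixedTimeEquals(candidate, acct.Hash))
            return null;

        var claims = new List<Claim> { new(ClaimTypes.Name, username) };
        foreach (var role in acct.Roles) claims.Add(new Claim(ClaimTypes.Role, role));
        // A non-empty authentication type is what makes IsAuthenticated true.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Password"));
    }

    // Authorization: "what may this user do?" Deleting a purchase order needs
    // the SeniorManager role, as in the article's example.
    public static AccessResult DeletePurchaseOrder(ClaimsPrincipal? user, int orderId)
    {
        if (user is null || user.Identity is not { IsAuthenticated: true })
            return AccessResult.Unauthenticated;            // HTTP 401: who are you?
        if (!user.IsInRole("SeniorManager"))
            return AccessResult.Forbidden;                  // HTTP 403: known, but not allowed
        var name = user.FindFirst(ClaimTypes.Name)?.Value;
        Console.WriteLine($"Purchase order {orderId} deleted by {name}");
        return AccessResult.Allowed;
    }

    public static void Main()
    {
        Console.WriteLine(DeletePurchaseOrder(Authenticate("bob", "wrong"), 42));           // Unauthenticated
        Console.WriteLine(DeletePurchaseOrder(Authenticate("bob", "battery staple"), 42));  // Forbidden
        Console.WriteLine(DeletePurchaseOrder(Authenticate("alice", "correct horse"), 42)); // Allowed
    }
}
```

Running Main prints Unauthenticated for bob with a wrong password, Forbidden for bob with the right password but only the Manager role, and Allowed for alice. Keeping the two failure outcomes distinct is the point of the section: a service answers the first with 401 and the second with 403, and the role check runs on every request rather than once at logon, since roles can change while a session is alive.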

Authentication in File Systems

Authentication is the process where you prove who you are. Entering a username and password at a prompt, swiping a key card to gain access to a room, inserting your ATM card, and entering a PIN are all examples of authentication. You’re proving you are who you say you are. Authorization happens afterward and determines what you can do after you authenticate yourself. If you have proper authorization, then once you have properly authenticated yourself, you can get access to shares on a server, the room door unlocks, and you can access your bank account. If you are not authorized to do those things, then they will still fail, even though you properly authenticated yourself. Wrapping your head around the differences between those two concepts can take a bit of work, but knowing the difference is critical in running a server.

Authorization in Windows Server 2003

Authorization is the process of determining whether an authenticated user is allowed to perform a requested action. Each time you open a file, Windows Server 2003 verifies that you are authorized to open that file. Each time you print, Windows Server 2003 verifies that you have Print permission on that printer. In fact, Windows Server 2003 verifies your authorization to access just about every object you can imagine: files and folders, shared folders, printers, services, Active Directory objects, Terminal Services connections, Windows Management Instrumentation (WMI) objects, and registry keys and values. Each check is made against the object's access control list; if nothing there grants the requested right to the user or to one of the groups in the user's token, the request fails even though the user is fully authenticated.
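A concrete per-object check of the kind this section describes, as an added example (not from the original article, and not Microsoft's own access-check code): it reads a file's DACL and walks the access control entries in ACL order the way the Windows access check does, so a Deny entry for the caller's user or group blocks any right it covers unless an earlier Allow entry already granted it. This is a simplified model: owner implicit rights, privileges such as take-ownership, and generic-right mapping are left out, and it runs only on Windows. The file path comes from the command line or a temporary file is created; the GetAccessControl call on FileInfo is assumed to be available from System.IO.FileSystem.AccessControl on modern .NET (on .NET Framework it is an instance method), which you should confirm against your target framework.

```csharp
// Added example (not from the original article): a simplified model of the
// per-object authorization check Windows performs against a file's DACL.
// Windows only; owner rights, privileges and generic-right mapping are omitted.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class FileAuthorization
{
    // Collect the SIDs the current token carries: the user plus every group.
    private static HashSet<SecurityIdentifier> CurrentSids()
    {
        var me = WindowsIdentity.GetCurrent();
        var sids = new HashSet<SecurityIdentifier>();
        if (me.User != null) sids.Add(me.User);
        if (me.Groups != null)
            foreach (var g in me.Groups) sids.Add((SecurityIdentifier)g);
        return sids;
    }

    // True when every bit of `wanted` is granted by Allow entries for the caller
    // before any Deny entry for the caller covers a bit that is still outstanding.
    // Walking in ACL order mirrors the kernel's canonical order (explicit Deny,
    // explicit Allow, inherited Deny, inherited Allow) and stops once all bits
    // are granted, so a later inherited Deny cannot undo an explicit Allow.
    public static bool IsAllowed(string path, FileSystemRights wanted)
    {
        var mine = CurrentSids();
        FileSystemSecurity acl = new FileInfo(path).GetAccessControl();
        var rules = acl.GetAccessRules(true, true, typeof(SecurityIdentifier));

        var remaining = wanted;
        foreach (FileSystemAccessRule rule in rules)
        {
            if (!mine.Contains((SecurityIdentifier)rule.IdentityReference)) continue;

            if (rule.AccessControlType == AccessControlType.Deny)
            {
                if ((rule.FileSystemRights & remaining) != 0) return false; // Deny wins
            }
            else
            {
                remaining &= ~rule.FileSystemRights;                        // Allow grants bits
                if (remaining == 0) return true;
            }
        }
        return false; // no entry granted the outstanding bits: default deny
    }

    public static void Main(string[] args)
    {
        // Path from the command line, or a fresh temp file as constructed input.
        string path = args.Length > 0 ? args[0] : Path.GetTempFileName();
        foreach (var right in new[] { FileSystemRights.Read, FileSystemRights.Write, FileSystemRights.Delete })
            Console.WriteLine($"{right,-8} on {path}: {(IsAllowed(path, right) ? "allowed" : "denied")}");
    }
}
```

The default-deny return at the end is the behaviour the section describes: an authenticated user with no matching Allow entry gets nothing, and the check is repeated for every object and every requested right rather than being decided once at logon.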