Authentication and Authorization

Imagine you’re on your way to Thailand, ready for a fantastic trip. You’ve packed everything you need, including essential documents: your passport and boarding pass. But before you can board the plane, you’ll need to go through two important checks: passport control and a boarding pass check.

At the passport check, your passport is inspected and verified. The passport control officer confirms your identity by scanning the document and comparing your face to the photo. Once you pass this check, you’re allowed into the departure lounge.

💡
This is authentication: the process of proving your identity. In security, authentication is the first step to ensuring that someone is who they claim to be before allowing access.

Next, you make your way to the boarding gate. Here, the boarding assistant checks your boarding pass to confirm your permission to board a specific flight to Thailand and finds your seat assignment in first class.

💡
This is authorization: the process of granting access to a specific resource. Your boarding pass gives you access to this plane and this seat, not any other flight or area.

By going through both steps, you’re able to board your plane and sit in your designated seat, confident that you’re on your way to your destination. With this analogy, you now have a basic understanding of authentication (confirming identity) and authorization (confirming access).

Why Both Are Necessary

You might wonder why we need both authentication and authorization. Why are they treated as separate concepts, and can they even work without each other? As we saw in the airport example, both are crucial but serve distinct purposes.

Authentication is about confirming identity, not about granting specific permissions. Sometimes, identity verification doesn’t involve access to protected resources at all. For instance, imagine you’re attending a class at school, and the teacher takes attendance. The teacher calls each student’s name and verifies who is present. Here, the teacher is performing authentication by confirming each student’s identity, but there are no specific permissions or access rights involved. This is an example of authentication without authorization.

Authorization is about permissions—determining what someone can do or access. In the airport example, your boarding pass grants you permission to board a specific plane and sit in a designated seat. In many cases, authorization is tied to a person’s identity, so authentication is needed to confirm that the authorized person is accessing the resource.

However, sometimes authorization doesn’t require authentication. For example, if you visit a movie streaming site, you may be able to watch free trailers without logging in. The site authorizes anyone to access these previews, regardless of identity. But to watch a full movie, you’d need a membership, which is tied to a specific user account. In this case, authentication is required to verify your identity before granting access.

In summary, authentication and authorization each play a unique role. Authentication confirms who you are, while authorization determines what you’re allowed to do or access. In many secure systems, both are needed to protect resources effectively.

How Authentication Works

Authentication is the process of proving who you are. But how do you demonstrate your identity, and how does someone verify it? To authenticate, three main types of factors are used:

Something you know

  • Password
  • Pin code
  • Answers to questions

Something you have

  • Smartphone
  • Security key
  • Passport

Something you are

  • Fingerprints
  • Facial recognition
  • Iris or retina scan
  • Voice recognition

To confirm your identity, you provide proof from any of these three categories, which the other party verifies to ensure you are who you say you are.

Increasing Security with Multi-Factor Authentication (MFA)

For higher security, you can use Multi-Factor Authentication (MFA). MFA requires that you provide two or more types of evidence from different categories. For example, simply entering a password and a PIN code wouldn’t count as MFA, since both are "something you know". Instead, you could combine a security key (something you have) with a PIN code (something you know).

Consider an ATM as an example of MFA: to access your account, you need both your bank card (something you have) and your PIN code (something you know). This makes it harder for someone to steal from you since they would need both items to succeed. By combining factors from different categories, MFA makes it much more difficult for unauthorized users to access your information.
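To make the "different categories" rule concrete, here is an added example (not code from the original article) of a small MFA check: each proof is verified on its own, and the login only succeeds when the verified proofs span at least two distinct categories. The factor names, the user record layout and the HMAC challenge-response used to stand in for a security key are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Which category each kind of evidence proves (constructed for this example).
FACTOR_CATEGORY = {
    "password": "something you know",
    "pin": "something you know",
    "security_key": "something you have",
}

def _hash(secret_text, salt):
    # Salted, slow hash so stored secrets are not recoverable if the record leaks.
    return hashlib.pbkdf2_hmac("sha256", secret_text.encode(), salt, 100_000)

def make_record(password, pin, key_secret):
    """Constructed user record: one salt per knowledge factor, plus the
    shared secret provisioned on the user's security key."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return {"password": (s1, _hash(password, s1)),
            "pin": (s2, _hash(pin, s2)),
            "key_secret": key_secret}

def simulate_security_key(key_secret, challenge):
    """Stand-in for the device: it proves possession by answering a
    fresh server challenge with an HMAC over it (an assumption, not a real protocol)."""
    return hmac.new(key_secret, challenge, "sha256").digest()

def verify_factor(record, kind, proof, challenge):
    """True if one piece of evidence checks out (constant-time comparisons)."""
    if kind in ("password", "pin"):
        salt, stored = record[kind]
        return hmac.compare_digest(_hash(proof, salt), stored)
    if kind == "security_key":
        expected = simulate_security_key(record["key_secret"], challenge)
        return hmac.compare_digest(expected, proof)
    return False

def authenticate_mfa(record, evidence, challenge):
    """evidence: list of (kind, proof). Succeeds only if every proof verifies
    AND the proofs cover at least two distinct categories, so password + PIN
    is rejected (both 'something you know') while security key + PIN passes."""
    categories = set()
    for kind, proof in evidence:
        if kind not in FACTOR_CATEGORY or not verify_factor(record, kind, proof, challenge):
            return False
        categories.add(FACTOR_CATEGORY[kind])
    return len(categories) >= 2
```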

How Authorization Works

Authorization is the process of determining what you have access to. In the airport example, your boarding pass allowed you to board a specific plane to Thailand and sit in a designated seat in first class. Similarly, in the IT world, permissions are assigned to users to control what they can access or do within a system.

For example, when you log in to a movie streaming service as a paid member, you have permission to watch full movies. Each time you click on a movie to play it, the service checks whether you have the "watch movie" permission. If you do, the movie starts; if you don’t, you’re restricted from viewing it.

Now, imagine you’re working as a writer at a magazine, and your job requires access to several tools. To do your work, you need:

  • 🖨️ Printer access to print drafts
  • 💽 Drive access to save your articles to company storage
  • 📰 Publish access to submit your work for review

With many permissions needed, assigning each one individually could be time-consuming and error-prone. Instead, companies often use roles. Think of a role as a "bundle" or "bag" of permissions tailored to a specific job. So, if you're hired as a writer, the system administrator simply assigns you the "Writer" role. This role includes all the permissions you need, making it quick and easy to set up access. When you leave the company, they remove your role, ensuring you can no longer access any resources.

Roles make it simpler for system administrators to manage permissions, especially in larger organizations where many employees share similar responsibilities. By organizing permissions into roles, administrators ensure each job has exactly the access needed—no more, no less (the principle of least privilege). It also makes updating permissions easier, as changing the permissions in a single role updates access for everyone assigned to that role.
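The streaming-service permission check and the "Writer" role described above, as an added example (not code from the original article) of role-based authorization: permissions live only in roles, principals hold roles, an unauthenticated "anonymous" principal gets a visitor role that allows trailers but not full movies, and editing a role changes access for everyone who holds it. Role and permission names are constructed for this illustration.

```python
class AccessControl:
    """Permissions are bundled into roles; principals hold roles, never
    loose permissions. Constructed model, not any real product's API."""

    def __init__(self):
        self.roles = {}        # role name -> set of permissions
        self.assignments = {}  # principal -> set of role names

    def define_role(self, name, permissions):
        # Redefining an existing role updates everyone assigned to it.
        self.roles[name] = set(permissions)

    def assign(self, principal, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(principal, set()).add(role)

    def revoke(self, principal, role):
        # Removing the role removes every permission it bundled.
        self.assignments.get(principal, set()).discard(role)

    def permissions_of(self, principal):
        # Effective permissions are the union of the principal's roles;
        # a principal with no roles (or unknown to us) gets nothing.
        return set().union(*(self.roles[r] for r in self.assignments.get(principal, ())))

    def is_allowed(self, principal, permission):
        # The check the service performs each time a protected action is requested.
        return permission in self.permissions_of(principal)


def build_demo():
    ac = AccessControl()
    # Streaming service: anyone may watch trailers without logging in,
    # only authenticated members may watch full movies.
    ac.define_role("visitor", {"watch_trailer"})
    ac.define_role("member", {"watch_trailer", "watch_movie"})
    ac.assign("anonymous", "visitor")
    ac.assign("alice", "member")
    # Magazine: the Writer role bundles the three permissions listed above.
    ac.define_role("writer", {"print", "drive", "publish"})
    ac.assign("bob", "writer")
    return ac
```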

Summary

In this article, we explored the concepts of authentication and authorization, using a real-world analogy of airport security checks to clarify each process. Authentication is the initial step of confirming identity—ensuring that a person is who they claim to be, like when verifying a passport. Authorization, on the other hand, grants access to specific resources, akin to the boarding pass allowing entry to a particular flight and seat.

Daniel Aagren Seehartrai Madsen

Experienced software engineer with a focus on cybersecurity, AI, and building impactful ServiceNow solutions.