
Authentication Vs Authorization

Last Updated : 18 Sep, 2025

Authentication

Authentication is the process of verifying the identity of a user or system to ensure they are who they claim to be.

  • It typically involves credentials such as usernames, passwords, one-time passwords (OTPs), or biometric methods like fingerprints and face recognition.
  • By validating these credentials, authentication prevents unauthorized access and helps protect sensitive systems and data from security breaches.

Working of Authentication and Authorization

Authorization

Authorization is the process of determining and granting access rights to an authenticated user or system.

  • It defines what resources a user can access and what actions they are allowed to perform.
  • Authorization always occurs after authentication and ensures that only permitted users can perform specific tasks, thereby enforcing security policies and protecting sensitive resources.

Working of Authentication and Authorization

Difference Between Authentication and Authorization

Here is a clear comparison of Authentication and Authorization in simple words:

| Authentication | Authorization |
| --- | --- |
| In the authentication process, the identity of the user is verified before access to the system is granted. | In the authorization process, the user's permissions are checked to determine which resources they may access. |
| In the authentication process, a user's identity is verified to ensure they are who they claim to be. | In the authorization process, an authenticated user's access rights are determined to decide what they are allowed to do. |
| Authentication is performed before the authorization process. | Authorization is performed after the authentication process. |
| It usually needs the user's login details. | It requires the user's privileges or security levels. |
| Authentication determines whether the person is a valid user or not. | Authorization determines what permissions the user has. |
| Generally transmits information through an ID Token. | Generally transmits information through an Access Token. |
| The OpenID Connect (OIDC) protocol is an authentication protocol that is generally in charge of the user authentication process. | The OAuth 2.0 protocol governs the overall user authorization process. |
| The authentication credentials can be changed in part by the user as and when required. | The authorization permissions cannot be changed by the user, as they are granted by the owner of the system, who alone has the access to change them. |
| User authentication is visible at the user end. | User authorization is not visible at the user end. |
| User authentication is identified with a username, password, face recognition, retina scan, fingerprints, etc. | User authorization is carried out through access rights to resources, using roles that have been pre-defined. |
| Example: Employees in a company are required to authenticate through the network before accessing their company email. | Example: After an employee successfully authenticates, the system determines what information the employee is allowed to access. |
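The employee e-mail example from the table, worked through as added Python code (not from the original article): authenticate() verifies a password against a salted PBKDF2 hash and issues an opaque session token, and authorize() then checks the authenticated user's pre-defined role against a permission table, so an unknown token is refused before any permission is consulted. The usernames, passwords, roles and the PERMISSIONS map are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed user store for the example: each record holds a random salt, the
# PBKDF2 hash of a sample password, and the user's pre-defined role. Not real credentials.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}

USERS = {"alice": _record("alice-pass", "employee"), "bob": _record("bob-pass", "admin")}

# Authorization policy (constructed): role -> set of (resource, action) pairs it may perform.
PERMISSIONS = {
    "employee": {("email", "read")},
    "admin": {("email", "read"), ("email", "delete"), ("payroll", "read")},
}

SESSIONS: dict = {}  # opaque session token -> username
_DUMMY = _record("dummy", "none")  # unknown usernames still cost one hash, so timing does not leak them

def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: verify the user is who they claim to be.
    Returns an opaque session token on success, None on failure."""
    user = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    if username not in USERS or not ok:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token

def authorize(token: str, resource: str, action: str) -> bool:
    """Authorization: decide what an already-authenticated user may do.
    Runs only after authenticate() has issued a token; an unknown token is refused."""
    username = SESSIONS.get(token)
    if username is None:
        return False  # not authenticated, so no permission check is even attempted
    role = USERS[username]["role"]
    return (resource, action) in PERMISSIONS.get(role, set())
```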
