How to distinguish authentication vs authorization

· Category: Cybersecurity

Short answer

Authentication verifies who you are. Authorization determines what you are allowed to do. Both are essential but serve different roles in access control.

Key differences

  • Authentication: Confirms identity through passwords, biometrics, tokens, or certificates. Answers the question, "Are you who you claim to be?"
  • Authorization: Grants or denies access to resources based on policies and roles. Answers the question, "What are you permitted to do?"

In the usual flow authentication comes first: the authorization decision needs a principal to evaluate policy against. That principal can be anonymous, though. An unauthenticated request is still authorized (or denied) against whatever the policy grants to anonymous callers, so authorization checks must run on every request, not only after a login.

When to use each

  • Authentication: Login pages, MFA prompts, smart card readers, and SSO portals.
  • Authorization: Role-based access control (RBAC), permission checks in APIs (including object-level checks such as "does this user own the record being requested?"), and file system ACLs.

Why it matters

Confusing the two leads to security gaps. The most common one is a handler that validates the session or token (authentication) but never checks whether that user may act on the specific object requested (authorization): any logged-in user can then read or modify another user's data simply by changing an identifier in the request. Strong authentication (MFA, hardware keys) does nothing to prevent this. Authorization must be enforced server-side on every request, preferably through one central policy function rather than ad hoc checks in each endpoint. Both layers must be hardened for defense in depth.
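The following is an added example, not code from the original page, illustrating both the key differences above and the failure mode just described. It assumes a hypothetical invoice API with constructed users (alice, bob, carol) and invoices; the password store, roles and invoice records are all invented demo data. `authenticate` answers "are you who you claim to be?" and `authorize` answers "may this principal read this invoice?", and the two handlers show the same endpoint with and without the authorization check.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo data (assumption, not from the page): a static salt and
# three users. Real systems use a random per-user salt and a slow KDF.
_SALT = b"demo-salt-do-not-reuse"
_ITERATIONS = 100_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": {"pw": _hash_password("correct horse"), "role": "user"},
    "bob": {"pw": _hash_password("battery staple"), "role": "user"},
    "carol": {"pw": _hash_password("ops-admin"), "role": "admin"},
}
# Dummy hash compared against when the username is unknown, so a lookup
# failure costs the same time as a wrong password (no username enumeration).
_DUMMY_HASH = _hash_password("dummy")

# Constructed resource store: invoice id -> owner and data.
INVOICES = {
    101: {"owner": "alice", "amount": 42},
    202: {"owner": "bob", "amount": 99},
}

# Authorization policy: RBAC for coarse rights, plus an ownership rule.
# Anonymous callers have a role too, with nothing granted to it.
ROLE_PERMISSIONS = {
    "user": {"invoice:read_own"},
    "admin": {"invoice:read_own", "invoice:read_any"},
    "anonymous": set(),
}


@dataclass(frozen=True)
class Principal:
    username: str
    role: str


ANONYMOUS = Principal("anonymous", "anonymous")


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Authentication: 'are you who you claim to be?'
    Returns the verified principal, or None if the credentials are wrong."""
    record = USERS.get(username)
    stored = record["pw"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(_hash_password(password), stored)
    if record is None or not ok:
        return None
    return Principal(username, record["role"])


def authorize(principal: Principal, invoice_id: int) -> bool:
    """Authorization: 'what are you permitted to do?'
    Decides whether this principal may read this invoice; runs for
    anonymous callers as well as authenticated ones."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False  # deny on unknown objects rather than leaking existence
    perms = ROLE_PERMISSIONS.get(principal.role, set())
    if "invoice:read_any" in perms:
        return True
    return "invoice:read_own" in perms and invoice["owner"] == principal.username


def get_invoice_vulnerable(principal: Principal, invoice_id: int) -> dict:
    """Broken: the caller was authenticated, but nothing checks whether they
    may see this invoice, so any logged-in user can read any invoice by
    changing the id (an insecure direct object reference)."""
    return INVOICES[invoice_id]


def get_invoice(principal: Principal, invoice_id: int) -> dict:
    """Fixed: the same handler with the authorization check enforced."""
    if not authorize(principal, invoice_id):
        raise PermissionError(f"{principal.username} may not read invoice {invoice_id}")
    return INVOICES[invoice_id]


if __name__ == "__main__":
    alice = authenticate("alice", "correct horse")
    print(get_invoice(alice, 101))             # alice's own invoice
    print(get_invoice_vulnerable(alice, 202))  # bob's invoice leaks
    try:
        get_invoice(alice, 202)
    except PermissionError as e:
        print("denied:", e)
```

Note that `get_invoice_vulnerable` and `get_invoice` differ by one line. The vulnerable version is fully "secure" from an authentication standpoint (hashed passwords, constant-time comparison), which is exactly why authentication strength is no substitute for an authorization check.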