Authentication vs Authorization

Authentication and authorization are confusable because they are related yet distinct concepts and share “auth” and “tion” as a prefix and suffix. Authentication is verifying someone is who they say they are while authorization is checking someone is entitled to do what they are attempting. Consider making withdrawals from a bank as a concrete example and what goes wrong when authentication and authorization are not applied together.

Authentication without authorization:

Rob the robber goes to the teller and says “I’m Rob and I want to withdraw $1,000,000 from rich Richard’s account.” The teller checks Rob’s driver’s license and authenticates that Rob is who he says he is and proceeds to hand Rob Richard’s money. The problem is Rob is not authorized to withdraw money from another person’s account.

Authorization without authentication:

Rob goes to the teller and says “I’m Richard and I want to withdraw $1,000,000 from Richard’s account.” The teller authorizes the withdrawal because Richard is allowed to withdraw from Richard’s account. The problem is Rob is an imposter.

Authentication should happen before authorization because authorizations usually vary depending on who someone is. In the example Richard should be authorized to withdraw from Richard’s account, while Rob should not be.

These concepts become increasingly complicated when people delegate responsibility to others or when a service automatically acts on a user’s behalf. For example, in college my parents were authorized to view and pay my tuition bill on my behalf, but were not authorized by the school to see my grades.

Returning to the example of a bank, consider the difference between the following scenarios:

  1. Every month the bank is authorized to withdraw an account maintenance fee from every account.

  2. Whenever an account is overdrawn, the bank is authorized to withdraw an overdraft fee from the account.

  3. When an account holder asks for an ATM withdrawal, the bank is authorized to withdraw an ATM fee.

In the first two cases the bank acts unilaterally and without the involvement of the account holder. If the account holder were required to authorize each withdrawal independently, they could deny authorization to avoid paying fees. Instead the user authorizes all such withdrawals upfront by signing the bank’s terms and conditions when opening up an account. In the third case the withdrawal is tied to a user request. The user tells the bank they want to use an ATM and their request authorizes a single withdrawal. Without a request to use an ATM the bank is not authorized to make any ATM fee withdrawal. The bank is also not authorized to charge the fee multiple times for a single request.

In the latter two cases, the bank's authorization to perform a withdrawal is tied to a specific account. When Rob overdraws his account, the bank is not authorized to charge the overdraft fee to Richard. A blanket authorization applying to all accounts could be replaced by separate authorizations for each account, however a single broad authorization is less burdensome to administer.