Authentication vs. Authorization
Authentication and authorization are distinct security concepts that are frequently confused. Understanding their difference is foundational to designing and auditing access control systems correctly.
The Core Distinction
Authentication (AuthN): WHO are you?
Verifying identity — proving you are who you claim to be
Mechanisms: passwords, biometrics, hardware tokens, certificates
Authorization (AuthZ): WHAT are you allowed to do?
Verifying permissions — determining what an authenticated identity can access
Mechanisms: RBAC, ABAC, ACLs, policies
ORDER MATTERS: authentication always happens before authorization
If authentication fails → request rejected with 401 Unauthorized (the status name is misleading: it means the caller is not authenticated)
If authentication passes BUT authorization fails → 403 Forbidden (identity known, permission denied)
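The gate described above, as an added example that is not part of the original page: a minimal Python request handler that authenticates a session token before it consults a role policy, returns 401 or 403 accordingly, and records the two failure types as distinct audit events. The session table, role table and route policy are constructed sample data, not a real framework's API.

```python
"""Authenticate first, then authorize: a minimal request gate.

Added example, not code from the original page. SESSIONS, USER_ROLES,
ROUTE_POLICY and the Request shape are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: session token -> user id, user id -> roles.
SESSIONS = {"tok-alice": 42, "tok-bob": 99}
USER_ROLES = {42: {"user"}, 99: {"user", "admin"}}

# Role each protected path requires. Paths not listed here are denied.
ROUTE_POLICY = {"/profile": "user", "/admin/panel": "admin"}

AUDIT_LOG: list = []  # structured audit events, appended by handle()


@dataclass
class Request:
    path: str
    token: Optional[str] = None  # None models a request with no credential


def authenticate(req: Request) -> Optional[int]:
    """AuthN: map the presented credential (a session token) to an identity.

    Returns the user id, or None when the token is missing or unknown."""
    if req.token is None:
        return None
    return SESSIONS.get(req.token)


def authorize(user_id: int, path: str) -> bool:
    """AuthZ: does this identity hold the role the route requires?

    Unknown routes are denied by default rather than allowed."""
    required = ROUTE_POLICY.get(path)
    if required is None:
        return False
    return required in USER_ROLES.get(user_id, set())


def handle(req: Request) -> int:
    """Return the HTTP status the gate would send. Order: authN, then authZ."""
    user_id = authenticate(req)
    if user_id is None:
        # 401: we do not know who this is. Logged separately from 403,
        # since a burst of these looks like credential guessing.
        AUDIT_LOG.append({"event": "authn_failure", "path": req.path})
        return 401
    if not authorize(user_id, req.path):
        # 403: identity is known, permission is not granted.
        AUDIT_LOG.append({"event": "authz_failure", "user": user_id, "path": req.path})
        return 403
    AUDIT_LOG.append({"event": "access", "user": user_id, "path": req.path})
    return 200


if __name__ == "__main__":
    for r in (Request("/admin/panel"),
              Request("/admin/panel", "tok-alice"),
              Request("/admin/panel", "tok-bob")):
        print(r, "->", handle(r))
```

Two design points worth copying: the policy table denies routes it does not list, so a forgotten entry fails closed, and the audit log names the failure type, so the two classes of failure can be alerted on separately.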
Real-world example:
You scan your badge (AuthN — proves you're Alice, an employee)
You try to enter the server room (AuthZ — does Alice have server room access?)
Web application:
Login with username/password (AuthN — verified: you're user ID 42)
Request /admin/panel (AuthZ — is user ID 42 in the 'admin' role? → 403 if not)

Access Control Failure Patterns
- Missing authorization: Checking that a user is authenticated, but not whether they are authorized for the specific resource
- IDOR (Insecure Direct Object Reference): authenticated as user 42, you request /api/orders/9999, an order belonging to user 99. The server checks authentication (you are logged in) but not authorization (does this order belong to you?)
- Privilege escalation: a user gains access beyond what they were granted. Horizontal escalation stays at the same privilege level but reaches another user's data or account (user 42 reading user 99's order is the IDOR case above); vertical escalation reaches a higher privilege level (a regular user invoking admin functionality)
- Forced browsing: Accessing pages/endpoints directly by URL that should require specific privileges — /admin, /internal, /debug
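The IDOR pattern and the horizontal/vertical distinction above, as an added example that is not part of the original page: a vulnerable order lookup that trusts authentication alone, beside a version with an object-level ownership check, plus an admin-only listing that rejects vertical escalation. The order table, the user IDs and the ADMINS set are constructed sample data; NotFound and Forbidden are assumed to be mapped to 404 and 403 by a web layer that is not shown.

```python
"""IDOR: authentication without an object-level check, beside the fix.

Added example, not code from the original page. ORDERS, ADMINS and the
user ids are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed store: order 9999 belongs to user 99, not to user 42.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, 42, 1999),
    9999: Order(9999, 99, 25000),
}
ADMINS = {7}  # user 7 is the only admin in this sample


class NotFound(Exception):
    """Assumed to be mapped to HTTP 404 by the web layer."""


class Forbidden(Exception):
    """Assumed to be mapped to HTTP 403 by the web layer."""


def get_order_vulnerable(current_user: int, order_id: int) -> Order:
    """Proves only that a caller is logged in (current_user is set), then
    trusts the id taken from the URL: any authenticated user reads any order."""
    return ORDERS[order_id]


def get_order_fixed(current_user: int, order_id: int) -> Order:
    """Object-level authorization: the order must belong to the caller,
    unless the caller holds the admin role."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner_id != current_user and current_user not in ADMINS):
        # One answer for "does not exist" and "not yours": a 403 here would
        # confirm to user 42 that order 9999 exists, which helps enumeration.
        raise NotFound(f"order {order_id}")
    return order


def list_all_orders(current_user: int) -> List[int]:
    """Admin-only view. A regular user reaching it is vertical escalation."""
    if current_user not in ADMINS:
        raise Forbidden("admin role required")
    return sorted(ORDERS)


if __name__ == "__main__":
    print("vulnerable:", get_order_vulnerable(42, 9999))  # user 42 reads user 99's order
    try:
        get_order_fixed(42, 9999)
    except NotFound as e:
        print("fixed: not found:", e)
    print("admin listing:", list_all_orders(7))
```

Returning the same not-found answer for a missing and a foreign order is a deliberate choice against ID enumeration; some teams prefer an explicit 403 for auditability, in which case the ownership failure should still be logged as an authorization event distinct from the missing-object case.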
Common Mistakes
- Checking authorization only at the UI level: hiding a menu item is not authorization; the server must authorize every request, including API calls made directly without the UI
- Using GET requests to pass sensitive parameters: GET parameters appear in server logs, browser history, proxy caches and Referer headers
- Confusing authentication failure (wrong password) with authorization failure (correct user, wrong permissions): these need different responses (401 vs 403) and separate log events, since a burst of the first suggests credential guessing while a burst of the second suggests a logged-in user probing for privileges
Tip
Practice Authentication vs Authorization in small, isolated examples before integrating into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
First authenticate (prove identity), then authorize (check permissions)
Practice Task
Practice Task — (1) Write a working example of Authentication vs Authorization from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake with Authentication vs Authorization is skipping edge case testing: a missing or empty token, a null or unknown user ID, a route with no policy entry, or an unexpected data type. Always validate boundary conditions, and make sure each of them fails closed (deny) rather than open, to write robust, production-ready access control code.
Key Takeaways
- Authentication (who are you?) and authorization (what may you do?) are distinct checks that are frequently confused; authenticate first, then authorize, on every request.
- Missing authorization: checking that a user is authenticated but not whether they are authorized for the specific resource.
- IDOR: an authenticated user reaches another user's object (user 42 reading /api/orders/9999) because the server checks the login but not ownership.
- Privilege escalation: horizontal (same privilege level, another user's data or account) or vertical (a higher privilege level, such as admin).