Authentication vs Authorization — Explained with Examples
Authentication (AuthN) verifies who a user is, while authorization (AuthZ) determines what resources that user can access.
Authentication and authorization are two distinct security concepts that are often confused. Authentication answers “Who are you?” while authorization answers “What are you allowed to do?”
Authentication (AuthN)
Authentication proves identity. The most common methods are passwords, biometrics (fingerprint, face ID), security keys, or multi-factor authentication (MFA).
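```javascript
// Simple authentication check
const bcrypt = require('bcrypt');

// findUser(username) is assumed to return the stored user record, or a falsy value if none exists
function authenticate(username, password) {
  const user = findUser(username);
  if (!user) return false;
  // Returns true/false — "Are you who you say you are?"
  return bcrypt.compareSync(password, user.hashedPassword);
}
```
Authorization (AuthZ)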
Authorization checks permissions. Once authenticated, what can the user actually do?
```javascript
// Authorization check
function authorize(user, resource, action) {
  // user: { id: 1, role: 'editor' }
  // action: 'delete'
  // resource: 'article'
  if (user.role === 'admin') return true;
  if (user.role === 'editor' && action === 'delete' && resource === 'article') {
    return false; // Editors can't delete articles
  }
  return false; // Default deny: anything not explicitly allowed is refused
}
```
Real-World Analogy
Authentication is showing your ID at airport security — you prove who you are. Authorization is the boarding pass that determines which gate you can enter. You can have valid ID (authenticated) but no boarding pass for first class (not authorized for that area).
| Step | Question | Method |
|---|---|---|
| Authentication | Who are you? | Password, fingerprint, SSO |
| Authorization | Can you do this? | Roles, permissions, ACLs |
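The two steps in the table, combined into one request gate, as an added example that is not part of the original page. The session tokens, the role table and the names `identify`, `isAllowed` and `handleRequest` are constructed for illustration; the 401/403 split follows the usual HTTP convention for "identity unknown" versus "identity known but not permitted".

```javascript
// Added example: sessions, roles and permissions below are constructed sample data.

// Role -> set of "resource:action" permissions. Anything not listed is denied.
const ROLE_PERMISSIONS = {
  admin:  new Set(['article:read', 'article:edit', 'article:delete']),
  editor: new Set(['article:read', 'article:edit']),
  viewer: new Set(['article:read']),
};

// Constructed session store standing in for the result of a successful login.
const SESSIONS = new Map([
  ['tok-admin-1',  { id: 1, role: 'admin' }],
  ['tok-editor-2', { id: 2, role: 'editor' }],
  ['tok-intern-3', { id: 3, role: 'intern' }], // role with no entry in the table
]);

// AuthN: resolve identity from a session token; null means "not authenticated".
function identify(token) {
  return SESSIONS.get(token) || null;
}

// AuthZ: default deny. The own-property check keeps inherited keys such as
// 'constructor' from being treated as a role.
function isAllowed(user, resource, action) {
  const known = Object.prototype.hasOwnProperty.call(ROLE_PERMISSIONS, user.role);
  return known && ROLE_PERMISSIONS[user.role].has(`${resource}:${action}`);
}

// Gate a request: authenticate first, then authorize.
// 401 = identity unknown, 403 = identity known but action not permitted.
function handleRequest(token, resource, action) {
  const user = identify(token);
  if (!user) return { status: 401, reason: 'not authenticated' };
  if (!isAllowed(user, resource, action)) {
    return { status: 403, reason: 'not authorized' };
  }
  return { status: 200, userId: user.id };
}
```

Logging the 401 and 403 outcomes separately is useful for detection: a burst of 401s points at credential guessing, while 403s from a valid session point at an authenticated user probing beyond their role.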
Related Terms
JWT, RBAC, OAuth, SSO, Zero Trust