Authentication vs. Authorization

One-Liner

Authentication verifies who you are, while authorization determines what you can do.

What It Is

  • Authentication: The process of verifying the identity of a user, system, or service. It answers the question, “Are you who you say you are?”
  • Authorization: The process of determining what an authenticated entity is permitted to do or access. It answers the question, “What are you allowed to do?”

Why It Exists

To control access to resources and ensure that only legitimate and permitted actions are performed within a system.

How It Works

  • Authentication: Typically involves credentials (e.g., username/password, tokens, biometric data).
  • Authorization: Typically involves roles (e.g., admin, user), permissions (e.g., read, write), or policies (e.g., “only a manager can approve expenses over $1000”).
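As an added example (not code from the original page), a small Python request pipeline that keeps the two steps separate: `authenticate` maps a presented session token to an identity and its roles, and `authorize` first checks role permissions and then applies the policy above, that only a manager may approve an expense over $1000. The token values, usernames and role names are constructed sample data.

```python
import hmac
from typing import NamedTuple

# Constructed sample data (not real credentials): session tokens, role assignments,
# and the permissions each role carries.
SESSION_TOKENS = {"tok-alice-1": "alice", "tok-bob-2": "bob", "tok-carol-3": "carol"}
USER_ROLES = {"alice": {"manager"}, "bob": {"team_lead"}, "carol": {"user"}}
ROLE_PERMISSIONS = {
    "user": {"expense:read", "expense:submit"},
    "team_lead": {"expense:read", "expense:submit", "expense:approve"},
    "manager": {"expense:read", "expense:submit", "expense:approve"},
}
APPROVAL_LIMIT_WITHOUT_MANAGER = 1000  # policy: only a manager may approve above this

class Principal(NamedTuple):
    username: str
    roles: frozenset

class AuthenticationError(Exception): pass
class AuthorizationError(Exception): pass

def authenticate(token: str) -> Principal:
    """Authentication: turn a presented credential into a verified identity."""
    for known_token, username in SESSION_TOKENS.items():
        if hmac.compare_digest(known_token, token):  # constant-time compare
            return Principal(username, frozenset(USER_ROLES[username]))
    raise AuthenticationError("invalid or unknown token")

def authorize(principal, permission: str, amount: float = 0) -> None:
    """Authorization: role/permission check first, then the amount policy."""
    if principal is None:  # refuse the anti-pattern of authz without prior authn
        raise AuthorizationError("no authenticated principal")
    granted = set().union(*(ROLE_PERMISSIONS[r] for r in principal.roles))
    if permission not in granted:
        raise AuthorizationError(f"{principal.username} lacks {permission}")
    if (permission == "expense:approve" and amount > APPROVAL_LIMIT_WITHOUT_MANAGER
            and "manager" not in principal.roles):
        raise AuthorizationError(f"approving ${amount} requires the manager role")

def handle_request(token: str, permission: str, amount: float = 0) -> str:
    """Request pipeline: authenticate first, authorize second, then act."""
    try:
        who = authenticate(token)
    except AuthenticationError:
        return "401 unauthenticated"   # identity not established
    try:
        authorize(who, permission, amount)
    except AuthorizationError:
        return "403 forbidden"         # identity known, action not permitted
    return f"200 {who.username} may {permission}"
```

The two failure responses differ on purpose: a 401 means the caller never proved who they are, a 403 means they did and the action is still not allowed for them.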

Tradeoffs

Pros

  • Essential for securing any system that handles sensitive data or actions.

Cons

  • Can add complexity to system design and implementation, especially fine-grained authorization.

Failure Modes

  • Weak Authentication: Easily guessed passwords or a lack of multi-factor authentication, leading to account takeovers.
  • Broken Access Control: Users gaining unauthorized access to resources or performing actions they shouldn’t be able to (e.g., horizontal or vertical privilege escalation).

Interview Traps

  • Confusing the two terms or using them interchangeably.
  • Not being able to give clear examples of each.

Real-World Usage

  • Logging into a website (authentication) and then being able to access certain pages based on your user role (authorization).

Anti-Patterns

  • Performing authorization without prior authentication.
  • Hardcoding permissions within application logic instead of using a flexible authorization system.

Related Concepts

  • Principle of Least Privilege
  • OAuth
  • Role-Based Access Control (RBAC)