Explain by Analogy Series: Authentication v/s Authorization

Let’s finally end this AuthN & AuthZ confusion, once and for all!

SecurityGOAT
2 min readJul 29, 2021

TL;DR

Authentication: Are you who you say you are?!

Authorization: What you can do?!

The Analogy

Authentication

Consider an office. It has a main entrance and then once inside the office the there are different cabins.

So the typical flow of entering into any cabin would be:

Show your ID card at the entrance and if all is good, then you get the entry to the office premise.

Doesn’t this sounds like an API or a webapp checking your token/cookie? Yes it does!

So that’s authentication or AuthN, as the cool infosec people say!

Authorization

Once you are inside the office, there are different cabins. To enter to a cabin, you need to swipe your ID card and if you have the clearance to enter that cabin, the door opens up and lets you in. Straight forward right!

And that’s authorization or AuthZ as the cool infosec people say…

The webapp or the API also checks if you have the clearance to call the specific functionality like changing password of another user or getting the details of another user (classic IDOR stuff yeah!)

So, if you don’t check who is coming into the office premise — that is no ID check, then this is broken authentication!

And if you check the ID card properly but once in, anyone can go to any cabin without any restrictions at all (even to the restricted areas), then this is broken authorization!

So there are 2 things here — verification of who you admin in and verification of what the admitted people are allowed to do (based on who they are!) — AuthN and AuthZ respectively!

Conclusion

I hope this analogy clears things up for you and makes you understand this important and often confused concept of AuthN and AuthZ!

Let me know your feedback in the comments below and feel free to connect on twitter: @_SecurityGOAT

Lastly, if you have been enjoying my work and would love to support me, consider checking my Patreon page or you can even Buy Me a Coffee :)

See ya!
Until next time, keep learning and happy hacking.

--

--

SecurityGOAT
SecurityGOAT

Written by SecurityGOAT

Wannabe Hacker! Teaching Infosec in my own insightful ways :) Twitter: twitter.com/_SecurityGOAT | Support: buymeacoffee.com/SecurityGOAT

No responses yet