
Security Concepts

Authentication vs Authorization: Understanding the Critical Difference

Authentication and authorization are often confused, but they serve completely different purposes. Authentication verifies who you are; authorization determines what you can do. Learn how they work together in the AAA framework.

CyberPath Team·2026-06-29·8 min

Authentication: Verifying Identity

Authentication answers the question: 'Who are you?' It's the process of verifying that someone or something is who they claim to be. Authentication happens first — before any authorization decisions.

Authentication factors (the three classic categories): Something you know — password, PIN, security question answer (the weakest of the three, since answers are often guessable or discoverable). Something you have — smart card, security token, phone (for OTP), hardware key (YubiKey). Something you are — biometrics (fingerprint, facial recognition, iris scan, voice recognition). Some exam bodies also list somewhere you are (location) and something you do (behavioural patterns such as typing rhythm).

Multi-Factor Authentication (MFA) requires two or more DIFFERENT factors. Example: password (something you know) + TOTP from your phone (something you have). Two factors from the same category (a password plus a security question, say) don't count as MFA, because an attacker who can phish one knowledge factor can usually phish the other. Among "something you have" options, hardware keys using FIDO2/WebAuthn are phishing-resistant; TOTP and SMS codes can still be relayed by a real-time phishing proxy.
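As an added example (not code from the original post), here is the password-plus-TOTP login described above in Python, with the two factors kept as separate checks. The TOTP function follows RFC 6238 (HMAC-SHA1, 30-second time steps, dynamic truncation from RFC 4226) and is checked against the RFC's published test-vector key; the user record, salt, password and tolerance window are constructed for the example.

```python
"""MFA check combining two distinct factors: a password (something you
know) and a TOTP code (something you have). Added example; the TOTP
algorithm follows RFC 6238. The demo user, salt and password are
constructed for illustration."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credential store. The password is stored as a PBKDF2
# hash, never in the clear; the TOTP secret is the raw shared key that
# would normally be handed to the user as a base32 QR code at enrolment.
_SALT = b"example-salt-0001"
_ITER = 200_000
_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector key
    }
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_password(user: str, password: str) -> bool:
    """Factor 1: something you know. Constant-time compare of PBKDF2 hashes."""
    rec = _USERS.get(user)
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    if rec is None:
        # The hash was still computed, so an unknown user costs the same
        # time as a wrong password (no username enumeration via timing).
        return False
    return hmac.compare_digest(cand, rec["pw_hash"])


def verify_totp(user: str, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Factor 2: something you have. Accepts the current step plus/minus
    `window` steps to tolerate clock drift between phone and server."""
    rec = _USERS.get(user)
    if rec is None:
        return False
    now = int(time.time()) if now is None else now
    for delta in range(-window, window + 1):
        expected = totp(rec["totp_secret"], now + delta * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def mfa_login(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors are always evaluated and both must pass; evaluating
    both avoids revealing which one failed through response timing."""
    pw_ok = verify_password(user, password)
    otp_ok = verify_totp(user, code, now)
    return pw_ok and otp_ok
```

The `now` parameter exists so the check can be driven with fixed timestamps (the RFC's test vectors) instead of the wall clock; in production it is left at `None`. A real deployment would also record the last accepted time step per user so the same code cannot be replayed within its window.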

Common authentication protocols: Kerberos (ticket-based; the default in Active Directory), LDAP (a directory protocol; authentication is a "bind" against the directory with the user's credentials), RADIUS (network-access authentication for VPN, Wi-Fi and network devices), SAML (XML-based browser SSO) and OpenID Connect (OIDC, JSON-based browser SSO built on OAuth 2.0).

Authorization: Determining Access

Authorization answers the question: 'What are you allowed to do?' It determines access rights and permissions for an already-authenticated user. Authorization happens AFTER authentication.

Access control models: RBAC (Role-Based Access Control) — permissions are assigned to roles, users are assigned to roles. Most common enterprise model. ABAC (Attribute-Based Access Control) — policies evaluate user attributes, resource attributes, and environment attributes such as time or network location. More granular, at the cost of harder-to-audit policies. MAC (Mandatory Access Control) — a central authority sets security labels on subjects and objects, and owners cannot override them. Used in government/military systems and in OS-level enforcement such as SELinux. DAC (Discretionary Access Control) — the resource owner sets permissions. Common in file systems (Unix mode bits, Windows ACLs).

Authorization can grant read, write, execute, delete, or admin access. It can also restrict access based on time, location, device, or other context.

Real-World Examples

Example 1 — Email: You enter your email password (authentication). The system checks your mailbox permissions and shows you your inbox, not someone else's (authorization).

Example 2 — Corporate network: You swipe your badge at the door (authentication). The system checks your clearance level and allows you into the office but not the server room (authorization).

Example 3 — Cloud app: You log in with Google SSO (authentication via OIDC). The app then checks your role and subscription level in its own database and shows you only the features you are entitled to (authorization). OAuth scopes are a related but separate authorization layer: they limit what the app itself may request from Google's APIs on your behalf, not which features the app shows you.

Example 4 — Failed auth vs failed authz: If you type the wrong password, that's an authentication failure. If you log in correctly but try to access an admin panel you don't have permissions for, that's an authorization failure. The second case is where most real-world access control bugs live: an application that authenticates the user but then forgets to check permissions on a specific request (for example, by trusting an ID in the URL) has what OWASP calls Broken Access Control. Authorization must be enforced server-side on every request, not just by hiding links in the UI.

The AAA Framework

Authentication, Authorization, and Accounting (AAA) together form the complete access control framework. Accounting tracks what authenticated and authorized users do — logging actions for audit, billing, and non-repudiation.
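To tie the three As together, here is an added Python example (not code from the original post) that runs a request through authentication, then a role-based authorization check with one contextual rule of the kind listed under "time, location, device", and finally writes an accounting record. The two failure modes from Example 4 are raised as distinct exceptions so the audit log records AUTHN_FAIL and AUTHZ_DENY separately. The users, roles, policy table and audit-log format are all constructed for illustration.

```python
"""Authentication, then authorization, then accounting, as three separate
steps that fail in distinguishable ways. Added example; the users, roles,
policy and audit-log layout are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AuthenticationError(Exception):
    """Identity could not be verified (unknown user or wrong password)."""


class AuthorizationError(Exception):
    """Identity is verified but the requested action is not permitted."""


@dataclass
class Request:
    user: str
    password: str
    action: str        # "read" | "write" | "delete" | "admin"
    resource: str      # e.g. "mailbox:alice", "admin-panel"
    hour_utc: int      # context attribute consumed by the ABAC-style rule
    audit: list = field(default_factory=list)  # accounting records land here


_SALT = b"example-salt-0002"


def _h(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


# Constructed identity store: password hashes plus role assignment (RBAC).
USERS = {
    "alice": {"pw_hash": _h("alice-pass"), "roles": {"user"}},
    "root":  {"pw_hash": _h("root-pass"),  "roles": {"user", "admin"}},
}

# Role -> permitted (action, resource pattern). "mailbox:own" resolves to
# the caller's own mailbox, which is what stops Alice reading Bob's inbox.
ROLE_PERMS = {
    "user":  {("read", "mailbox:own"), ("write", "mailbox:own")},
    "admin": {("read", "mailbox:*"), ("admin", "admin-panel")},
}


def authenticate(req: Request) -> str:
    """Who are you? Returns the verified principal or raises."""
    rec = USERS.get(req.user)
    cand = _h(req.password)  # always hash, so unknown users take equal time
    if rec is None or not hmac.compare_digest(cand, rec["pw_hash"]):
        raise AuthenticationError(f"authentication failed for {req.user!r}")
    return req.user


def authorize(principal: str, req: Request) -> None:
    """What may you do? Called only with an already-authenticated principal."""
    allowed = set().union(*(ROLE_PERMS[r] for r in USERS[principal]["roles"]))
    for action, pattern in allowed:
        if action != req.action:
            continue
        if pattern == "mailbox:own" and req.resource == f"mailbox:{principal}":
            break
        if pattern == "mailbox:*" and req.resource.startswith("mailbox:"):
            break
        if pattern == req.resource:
            break
    else:
        raise AuthorizationError(f"{principal!r} may not {req.action} {req.resource!r}")
    # ABAC-style context rule: admin actions only during the on-call window.
    if req.action == "admin" and not (8 <= req.hour_utc < 18):
        raise AuthorizationError("admin actions are restricted to 08:00-18:00 UTC")


def account(req: Request, outcome: str) -> None:
    """Accounting: record who tried to do what, to which resource, and the result."""
    req.audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "action": req.action,
        "resource": req.resource, "outcome": outcome,
    })


def handle(req: Request) -> str:
    """Run the three As in order; return the outcome label that was logged."""
    try:
        principal = authenticate(req)
    except AuthenticationError:
        account(req, "AUTHN_FAIL")
        return "AUTHN_FAIL"
    try:
        authorize(principal, req)
    except AuthorizationError:
        account(req, "AUTHZ_DENY")
        return "AUTHZ_DENY"
    account(req, "ALLOW")
    return "ALLOW"
```

Note that `authorize` never sees the password and `authenticate` never sees the resource: keeping the two decisions in separate functions is what makes it impossible to "forget" the authorization step for one endpoint, and the accounting record is written on every path, including the failures, which is what an incident responder will later need.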

AAA protocols: RADIUS (centralized AAA for network access — VPN, Wi-Fi, 802.1X; authentication and authorization travel in the same exchange), TACACS+ (Cisco-developed, now documented in RFC 8907; separates the three As and is the usual choice for network-device administration), and Diameter (the successor to RADIUS, used in 3G/4G mobile core networks).

Exam tip: Authentication always comes before authorization. Any decision that depends on who you are requires authentication first; the only exception is an explicitly anonymous principal (a public page that anyone may read), and even that is an authorization decision about "nobody in particular". Accounting is the logging that ties it all together.