What are authentication and authorization

Authentication as assertion, authentication as verification, and authorization

Today's IT article clarifies the difference between three terms: authentication in the sense of asserting an identity (German: Authentisierung), authentication in the sense of verifying that assertion (Authentifizierung), and authorization (Autorisierung). These terms come up in particular when accessing IT systems, and they are often used synonymously. As usual, the terms are illustrated with a real-life scenario involving a football fan.

Confusion in practice

In practice, all three terms are often confused or used synonymously. On the one hand, this may be because all three terms superficially belong to the same process: verifying an identity and checking access rights. On the other hand, the differences are small enough that the synonymous use of the words has established itself in practice, and the distinction is usually not relevant. The differentiation is helpful and important, however, when IT processes have to be described in detail, for example as part of a documentation requirement.

Authentication as assertion (Authentisierung)

Authentication in this first sense is the proof a person presents that she is actually who she claims to be. The person presents evidence that is supposed to confirm her identity. Depending on the authentication method used, the person can assert her identity in the following ways, among others:

  • she has secret information that only she knows (e.g. a password)
  • she has an object of identification (e.g. an identity card)
  • she is herself the object of identification (e.g. biometric features such as a fingerprint).

In short, authentication as assertion is the first step in verifying identity: actively claiming a particular identity.

A football fan, let's call him Thomas, would like to watch the 2016 European Championship final live at the Stade de France in Paris. For this, Thomas bought a personalized ticket from an organizer for a lot of money. On July 10th he stands in line to get into the stadium and hopes that he can even sneak his way into the VIP box. At the stadium entrance, visitors are not only checked to see whether they have a valid ticket, but also randomly to see whether the name printed on the ticket matches the visitor. Thomas is chosen and has to show not only his ticket but also his identity card. By showing his identity card, he initially claims to be "Thomas".

Authentication as verification (Authentifizierung)

Authentication in the second sense is the checking of the asserted identity. Now it is the verifier's turn: he checks the presented information for authenticity. In terms of time, the verification (Authentifizierung) takes place after the assertion (Authentisierung).

To stay with our football example: after Thomas has asserted his identity with his identity card, the security service now checks and confirms it. The friendly security guard takes a close look at the identity card to see whether the Thomas standing in front of him matches the photo on the card. This verification of the identity is the authentication in the second sense. Its result is binary: either Thomas gets in or he doesn't.

Authorization (Autorisierung)

Authorization is the granting of specific rights. Even if a person's identity has been verified successfully, that does not automatically mean the person is allowed to use the services provided. Authorization decides this.

In our football example this means: the security guard now also checks Thomas' ticket to see whether it includes the VIP box. Unfortunately, Thomas has a valid ticket for the final, but no additional right to enjoy the game in the VIP box. He can enter the stadium but is not authorized to visit the VIP box; he lacks the additional right for that.

Tl;dr

In summary, all three terms can be illustrated with an IT system as follows:

  1. Authentication as assertion (Authentisierung):
    Entering login data into an IT system (asserting an identity)
  2. Authentication as verification (Authentifizierung):
    The IT system checks the assertion from step 1 and produces a result (verified or not)
  3. Authorization (Autorisierung):
    Checking the rights of the verified identity and acting on them (granting or denying access).
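The three steps above as an added Python example (not code from the original article): a visitor asserts an identity with a username and password, the system verifies that claim against a salted password hash, and only then is a separate rights check made. The user "thomas", his password and his rights are constructed sample data; as in the stadium story, he is verified but not authorized for the VIP box.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one account whose password is "final2016".
# The store keeps only a salted hash of the password, never the password itself.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {
    "thomas": {
        "salt": _SALT,
        "hash": _hash_password("final2016", _SALT),
        "rights": {"stadium"},  # a valid ticket, but no "vip_box" right
    },
}

@dataclass(frozen=True)
class Claim:
    """Step 1 (Authentisierung): what the visitor asserts about himself."""
    username: str
    password: str

def authenticate(claim: Claim) -> Optional[str]:
    """Step 2 (Authentifizierung): verify the claim; return the verified identity or None."""
    record = USERS.get(claim.username)
    if record is None:
        # Hash anyway so unknown and known usernames take about the same time to reject.
        _hash_password(claim.password, b"\x00" * 16)
        return None
    candidate = _hash_password(claim.password, record["salt"])
    # Constant-time comparison of the two digests.
    return claim.username if hmac.compare_digest(candidate, record["hash"]) else None

def authorize(identity: str, right: str) -> bool:
    """Step 3 (Autorisierung): does the verified identity hold the requested right?"""
    return right in USERS[identity]["rights"]

def enter(claim: Claim, area: str) -> str:
    """Run the three steps in order; a verified identity alone grants nothing."""
    identity = authenticate(claim)
    if identity is None:
        return "denied: identity not verified"
    if not authorize(identity, area):
        return f"denied: {identity} is not authorized for {area}"
    return f"granted: {identity} may enter {area}"
```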

About the author

Agnieszka Czernik, Lawyer

Data protection and IT (security) serve to protect privacy and corporate values. Maintaining these interests and working in two diverse and interesting areas at the same time is my passion.

intersoft consulting services AG

As experts in data protection, IT security and IT forensics, we advise companies across Germany.