Authz vs. Authn

Key points

  • Authn stands for authentication, the process of verifying a user’s identity.
  • Authz is short for authorization, which determines what an authenticated user is permitted to do.

⇒ You cannot have authorization without authentication. A system must first know who a user is before it can decide what they are allowed to do. Together, authentication and authorization form the bedrock of a secure digital environment, ensuring that only the right people have access to the right information at the right time.

Metaphor: Think of it like attending a concert. Showing your ticket at the entrance to prove you have a valid entry is authentication. Once inside, your ticket type (e.g., general admission, VIP, backstage pass) dictates which areas you can access. This is authorization.

Authentication (Authn): “Who are you?”

Authentication is the first step in any secure access process. It’s all about confirming that a user is who they claim to be. This is typically achieved through various methods, including:

  • Something you know: Such as a password or a PIN.
  • Something you have: Like a smartphone (for receiving a one-time code) or a physical security key.
  • Something you are: Biometric data like a fingerprint or facial recognition.

Multi-factor authentication (MFA) strengthens this process by requiring a user to provide two or more of these verification methods.

Authorization (Authz): “What are you allowed to do?”

Once a user’s identity has been successfully authenticated, authorization comes into play. This process involves checking the user’s permissions to determine what specific resources, files, or actions they are allowed to access or perform.

For example, on a project management platform:

  • An authenticated user might be authorized to view and comment on tasks.
  • Another user, perhaps a project manager, might be authorized to create new tasks, assign them to others, and delete them.
  • An administrator would have the highest level of authorization, with the ability to manage users and billing information.

Authorization is often managed through models like:

  • Role-Based Access Control (RBAC): Permissions are assigned based on a user’s role within the organization.
  • Attribute-Based Access Control (ABAC): Access is granted based on a combination of user attributes, resource attributes, and environmental conditions.
  • Etc.

See more in this note: AuthZ models.
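The following Python example (added here, not part of the original note) ties the two concepts together: a password-based authentication step that yields a session, and an RBAC authorization step that consults that session, using the viewer / project manager / administrator roles from the project-management example above. User names, passwords and the action strings are constructed sample data; the `authenticate`/`authorize` functions are hypothetical names, not a real library API.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# RBAC table (constructed): role -> set of permitted actions, mirroring the
# project-management example: viewer, project manager, administrator.
ROLE_PERMISSIONS = {
    "viewer": {"task:view", "task:comment"},
    "project_manager": {"task:view", "task:comment", "task:create",
                        "task:assign", "task:delete"},
    "admin": {"task:view", "task:comment", "task:create", "task:assign",
              "task:delete", "user:manage", "billing:manage"},
}

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored credentials are not directly reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes

def make_user(name: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, _hash_password(password, salt))

# Constructed user store (sample credentials, not real ones).
USERS = {u.name: u for u in (make_user("alice", "viewer", "alice-pw"),
                              make_user("bob", "project_manager", "bob-pw"),
                              make_user("carol", "admin", "carol-pw"))}

@dataclass
class Session:
    user: str
    role: str

def authenticate(username: str, password: str) -> Optional[Session]:
    """Authn: 'who are you?' Returns a Session on success, None otherwise."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return None
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return None
    return Session(user.name, user.role)

def authorize(session: Optional[Session], action: str) -> bool:
    """Authz: 'what may you do?' No session means no authorization at all."""
    if session is None:
        return False
    return action in ROLE_PERMISSIONS.get(session.role, set())
```

Note that `authorize(None, ...)` is always False: an unauthenticated caller has no role to look up, which is the "no authorization without authentication" point in code.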

Page last modified: 2025-09-09 11:27:08