Oct 15, 2025
What is the difference between authentication and authorization?
Detailed Explanation
Authentication and authorization are fundamental security concepts that work together to control system access.

**Authentication - "Who are you?"**
- **Purpose** - Verifies the identity of a user or system
- **Process** - User provides credentials to prove their identity
- **Methods** - Username/password, biometrics, smart cards, tokens
- **Example** - Entering your username and password to log into email

**Authorization - "What can you do?"**
- **Purpose** - Determines what resources an authenticated user can access
- **Process** - System checks user permissions against requested resources
- **Methods** - Role-based access control (RBAC), access control lists (ACLs)
- **Example** - Admin can delete files, regular user can only read them

**Key differences:**

| Aspect | Authentication | Authorization |
|--------|---------------|---------------|
| **Question** | Who are you? | What can you access? |
| **When** | First step | After authentication |
| **Verifies** | Identity | Permissions |
| **Methods** | Passwords, biometrics | Roles, policies |
| **Failure** | Access denied | Limited access |

**Real-world example:**
1. **Authentication** - Employee badges into office building (proves identity)
2. **Authorization** - Badge allows access to specific floors/rooms (defines permissions)

**Multi-factor authentication (MFA):**
Combines multiple authentication factors:
- **Something you know** - Password, PIN
- **Something you have** - Phone, token, smart card
- **Something you are** - Fingerprint, face recognition

**Best practices:**
- Implement strong authentication (MFA)
- Follow principle of least privilege
- Regular access reviews and updates
- Separate admin and user accounts
- Monitor and log access attempts