Auth vs Authz: Exploring The Difference

Back to basics, in this piece we'll explore two key parts of Identity and Access Management (IAM) – Authentication and Authorization – and clarify their differences.


The widespread accessibility of applications introduces a significant security challenge - the risk of unauthorized access to the valuable data and resources. Having robust application security in place can help prevent this security challenge.

In this article, we'll cover over two important components of Identity and Access Management (IAM) - Authentication and Authorization and explain the differentiation between them.

These components form the bedrock of Identity and Access Management (IAM), ensuring that users are who they claim to be and controlling their access within the application. We’ll clear out their differences and explaining how they work together to secure an applications.

What is Authentication (authn)?

Authentication is the process of verifying someone’s or something’s identity. It answers the question: “Are you really who you say you are?”.

Users typically provide answers to this question posed by an Identity and Access Management System (IAM) by simply providing credentials shared between the system and the users.

Common Authentication Methods

There are several methods to achieve users credential and identity.

Authentication with passwords

Username and password authentication is the most common authentication method in applications.

This is so common that we have all made use of this authentication method before. To put it into context, anytime you try to access a website or an application you are presented with a screen requesting a username or email address and password.

This username or email address and password are collectively called login credentials. The login credentials are compared with the details stored by the system and if valid you’ll be guaranteed access to the application.

Despite the popularity of this method, it’s not the best authentication method as it’s more prone to security breaches than the other methods. Nevertheless, various approaches can be put in place to avoid security breaches.

Multi-factor Authentication (MFA)

Before we delve into the explanation of Multi-Factor Authentication, let’s get to understand what the term Authentication Factor means.

Authentication factors refer to the various means by which the identity of a user can be proved.

Authentication factors are classified into three:

  1. Something the user knows (Knowledge) - Password, PIN (Personal Identification Number)
  2. Something the user has (Ownership) - Email address, Phone number
  3. Something the user is (Inherence) - Fingerprint, Face, Voice

Based on our knowledge of authentication factors, we can say that Password authentication uses just one factor to perform verification of users' identity - username and password (knowledge).

To increase the strength of this authentication, one or two elements are picked from another authentication factor to verify users' identity. In other words, users are required to provide not only a username and password but also enter an OTP (One Time Pin) sent to their email or phone, or make a facial or biometric entry to prove their identity.

Public Key Certificate

A Public Key Certificate serves as a digital identification card for secure online communication. In this method, a pair of cryptographic keys is used – a public key, known to everyone, and a private key, kept secret. The public key is embedded in a certificate, acting as a unique digital signature.

Biometric Authentication

In this method, users can indicate their identity by providing inherence elements unique to them such as fingerprint, eye scan, voice recognition, etc.

If used alone, this is considered a single-factor authentication and if combined with another authentication method it's considered MFA.

What is Authorization (authz)?

Authorization is the process of determining a user access level. It provides an answer to the question: “Can you do or access this?”. Authorization usually happens after the user's identity has been confirmed or determined.

Having considered the two concepts, authn verifies that users are who they claim to be, like checking your ID at the entrance of a party to ensure you're the invited guest. Authz comes into play once you're inside, determining what areas or rooms you're allowed to access. It's like getting a special pass at the party that lets you into the dance floor but not the backstage.

Access Control Models

Below are some of the access control models.

  1. Role-Based Access Control (RBAC) RBAC is a widely adopted access control model that defines user permissions based on organizational roles. Each role is associated with specific access rights, and users inherit permissions based on their assigned roles. While RBAC simplifies administration, it can lack the granularity needed for fine-grained access control.

  2. Relationship-Based Access Control (ReBAC) ReBAC extends access control by incorporating relationships between users and resources. This model defines access permissions based on the relationships users have with other entities, such as departments, projects, or teams. ReBAC adds another layer of context to access decisions, enhancing the precision of authorization.

  3. Attribute-Based Access Control (ABAC) ABAC is a more flexible access control model considering various attributes when determining user access. Attributes can include user characteristics, environmental conditions, and resource properties. ABAC allows for dynamic and context-aware access decisions, making it well-suited for complex authorization requirements in dynamic environments.

Coarse-Grained Authz vs Fine-Grained Authz

Deciding on the right authorization strategy depends on the unique needs and requirements.

The key factor in making this decision is the level of complexity or scalability desired in your access control needs.

In simpler terms, how granular should the permission settings be?

The complexity of an authorization is determined by the number of properties considered when determining user access. Therefore, for access control to be considered fine-grained, many properties or factors have to be considered when determining user access level.

For example, the most popular and oldest access control model - RBAC is known for being too rigid and not flexible. And why is RBAC coarse-grained? It’s coarse-grained because permissions are usually determined using just one property - Role.

As applications evolve, resources, user types, and features undergo changes. Traditional roles often fall short in effectively evaluating access decisions. This is precisely why companies are inclined to shift towards fine-grained authorization.

In such a setting, fine-grained authorization proves to be more responsive and capable of addressing the evolving needs of businesses, unlike the static nature of coarse-grained authorization, which may struggle to keep pace with the dynamic nature of modern businesses.

Here are two quick real-world cases to solidify the need for fine-grained authorization:

  1. Time or Location Based Permissions - (ABAC) Granting temporary access or permissions to temporary or interim staff during office hours or from different locations.
  2. Relationship Based Access - (ReBAC) Granting an employee access to certain resources not just because of their role but because they belong to a particular project team or organizational unit.

As we conclude our exploration of the transition from Coarse-Grained Authorization to Fine-Grained Authorization, it becomes evident from the real-world use cases that the evolving landscape of modern business demands a more flexible approach to access control.

If you're interested in learning more about why RBAC falls short, see the article: Fine-Grained Access Control Where RBAC falls short

How to Build Fine-Grained Access Control Systems?

Authentication and authorization stand as pillars in Identity and Access Management, each playing a distinct role in securing the data and resources essential to the functionality of modern applications.

Our exploration has not only highlighted the intrinsic importance of these components but has also witnessed a transformative shift from Coarse-Grained Authorization to a more adaptive and flexible Fine-Grained Authorization.

As Permify we're building open source authorization infrastructure to build fine-grained authorization systems at scale. Would love to learn your use case and help ypu to build robust authorization systems. Don't hesitate to reach us from our Discord Channel!