Authentication and authorization: Differences and methods

Two related yet different components of streamlined account access

Authentication and authorization are two terms used, often interchangeably, to describe the process involved in accessing an account. But though they go hand in hand and often occur sequentially, authentication and authorization are not the same in their purpose and execution. With new technologies emerging that make accessing apps and linking accounts increasingly easier and more convenient, it’s important to differentiate between the two.

Authentication vs. authorization definitions

Authentication is the process of verifying a user’s identity and ability to access a requested account. For instance, entering a password or online banking credentials or answering security questions authenticates a user by identifying her and verifying that she is who she claims to be.

Authorization, on the other hand, establishes which permissions the user has within an app, or, in other words, determines what he is able to do — for instance, request or edit data. The authorization process also grants permission to third parties to access data on behalf of users. For example, a user might authorize a financial services app to access his bank transaction history, or log into a third-party app using Facebook or Google. Such authorization makes for easier interactions and increases conversions.

Authentication vs. authorization methods

Authentication—or the verification of a user’s identity—is commonly done by entering a username and password. Authentication is the cornerstone of online security, because it ensures that the correct user is accessing the requested—often sensitive—information. Other authentication methods include fingerprint scanners, security questions, bank account credentials, and PINs.

Two-factor authentication (2FA) has also become popular as a way to verify identity because it bolsters security and greatly reduces the potential for fraud. For instance, a user may have to enter a password and then confirm receipt of a text message before accessing her account.

Authorization, or permissioning access to data, is particularly important among apps that aim to improve users’ financial lives by allowing them to access their bank data on their platforms of choice and providing streamlined money management solutions. Rather than accessing and interpreting bank account information directly, a user authorizes an app to do it for him.

There are several methods that developers use to seamlessly and securely enable authorization. For instance, tokenization is one authorization method that substitutes a non-sensitive “token” for a sensitive element, such as a user’s bank account credentials. In this situation, tokenization can allow a third-party app to access the bank account without storing or ever seeing the user’s login information, thus keeping it secure. OAuth is a burgeoning tokenization method for financial apps that shares user credentials with neither the third-party app nor any trusted intermediaries, leaving that sensitive data with only the bank and the user. Screenless Exchange is an additional layer that keeps the authorization experience in the app, improving and further simplifying the OAuth process, which can be cumbersome and expensive for institutions.
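The following is an added example, not code from the article or from any product it names, that models the token-substitution idea above: the bank authenticates the user and mints an opaque, scope-bound token, and the third-party app only ever holds that token. The user store, salt, scope names and token vault are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store, held only by the "bank". A real deployment
# uses a per-user salt and a tuned KDF; the fixed salt here is a stand-in.
_SALT = b"constructed-demo-salt"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": {"pw": _hash_password("correct horse"),
                   "accounts": {"acct-1": ["tx-001", "tx-002"]}}}

class Bank:
    def __init__(self):
        self.vault = {}  # opaque token -> (username, granted scopes)

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: does the caller prove the identity it claims?"""
        user = USERS.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["pw"], _hash_password(password))

    def issue_token(self, username: str, password: str, scopes):
        """Authorization grant: after authentication succeeds, mint an opaque
        token bound to the consented scopes. Only the token leaves the bank."""
        if not self.authenticate(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.vault[token] = (username, frozenset(scopes))
        return token

    def revoke(self, token: str) -> None:
        """The user can withdraw authorization without changing the password."""
        self.vault.pop(token, None)

    def get_transactions(self, token: str, account: str):
        """Resource access is decided by the token's scope, not by re-checking
        credentials: a correctly authenticated user with the wrong scope is refused."""
        entry = self.vault.get(token)
        if entry is None or "transactions:read" not in entry[1]:
            return None
        username, _ = entry
        return USERS[username]["accounts"].get(account)
```

The app side of the flow is just the token returned by `issue_token`; it never receives the password, and revoking the token cuts off access without touching the user's credentials.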

Authentication vs. authorization bottom line

Authentication and authorization are often confused because they have similar functionalities and they share the “auth” abbreviation. And while they’re usually employed together (i.e., authorization is almost never possible without user authentication first), it’s important not to conflate them. New technologies continue to improve on both authentication and authorization methods separately, with the goal of granting third-party apps simple data access that eliminates friction for the user.
