Authentication or authorization? The terms are often used interchangeably to describe the process of connecting a financial account to an app or service. While related, they represent distinctly different concepts. In this article, we take a closer look at both components and how they’re carried out.
Authentication versus authorization: What’s the difference?
Broadly speaking, authentication is the process by which a user’s account ownership and/or ability to access a requested account are verified. This is typically achieved by having the user enter their account information, such as their email login credentials (username and password). For financial account authentication, this could be their bank account login credentials.
Some non-financial apps may use third parties such as Facebook or Gmail to authenticate account ownership since they’re already linked to an associated email address and the user is already logged in.
Authorization, on the other hand, establishes which permissions the user has within an app or service once they’ve been authenticated. Authorization can also refer to granting permission to third parties to access data on behalf of the user (more on this below)—something that’s rarely possible without authentication first.
In other words, authentication is the security check that gets you into the building, while authorization is the key card that allows you to access one area of the building over another.
Plaid's 2023 Fintech Effect Survey
Navigate the latest consumer trends, create lifetime customers, and grow your business
Banking authentication vs. authorization
When it comes to financial services, authentication and authorization typically come into play when a user connects their bank account to an app or service. Authentication means verifying the existence of the account and the ability of the user to access it.
Traditionally, this would have involved the user providing their account and routing numbers and then verifying their access to the account via micro-deposits. Today, instant authentication technology such as Plaid Auth enables users to achieve the same result by simply entering the login credentials associated with their financial account.
In financial services, authorization means granting an app or service permission to perform a specific action relating to the connected bank account. For example, a user might authorize a budgeting app to access their account’s transaction history in order to create a budget and track spending. Or they might authorize a lending platform to access their income data to better assess their creditworthiness and make a lending decision.
Authentication and authorization methods
There are several methods that developers use to seamlessly and securely authenticate an account and enable authorization. As mentioned above, Plaid’s Auth product instantly authenticates an account by retrieving the associated account and routing numbers when the user connects it to an app or service.
This is done either in Plaid Link, where the user enters the account credentials associated with the account they’re connecting, or through OAuth, in which the user temporarily leaves Link to enter their credentials (or log in biometrically) via the financial institution's website or mobile app instead.
If a user doesn’t want to provide their credentials or other authentication methods are unavailable, they also have the option to authenticate their account via micro-deposits. Plaid sends micro-deposits within seconds via instant payment rails like FedNow and RTP, or with same-day ACH as a fallback option. This provides 100% authentication coverage for all accounts while also giving users the choice to continue without providing a username and password.
Auth then enables the user to authorize the app or service to access their financial account information through a process known as tokenization. If the correct account credentials are entered, a “token” is created that allows access between the app and the user’s account. Because the token enables access, the app doesn’t have to store the user’s account credentials, thus creating a secure connection without storing sensitive information.
Auth is commonly paired with other Plaid products that require authorization to access specific information. Plaid Balance, for example, verifies real-time account balances to protect payments against overdrafts and NSF fees. Plaid Transactions, on the other hand, accesses up to 24 months of detailed transaction data, including enhanced merchant, category, and location information.
Beyond authentication and authorization: Enhancing security
Authentication and authorization are the minimum requirements when connecting an account to a third-party app or service. To reduce the risk of fraud and support compliance, additional measures can be taken when onboarding new users to ensure they are who they claim.
Plaid Identity Verification (IDV), for example, can verify good users and stop bad actors in as little as 10 seconds. It does so by verifying identity information against regulated data sources, as well as by using ID documents and a liveness or selfie check to confirm the user’s identity. It also allows businesses to manage their KYC compliance obligations, an important piece of the onboarding process for many types of financial services.
The bottom line
Though they may share an abbreviation in “auth”, authentication and authorization are two distinct yet closely linked components. It’s important for both to be carried out through secure means and—better yet—be paired with additional security measures to protect against bad actors. When done right, the user is left with a fast, seamless experience—and ready to start making the most of the connected app or service.
→ Learn more about how Plaid Auth makes account authentication and authorization seamless.