Authentication and authorization sound very similar yet they are two completely different concepts. Authentication is confirming a user's identity while authorization is granting a user different permissions. In this article, I will cover the main differences between them and some of their best practices. Let's dive right into it!
As I stated before, authentication is confirming a user's identity, but what does that really mean? For most applications, this means logging in or registering a user. For example, to be able to post on Twitter you need to be logged in. Logging in is the authentication part. How does this work? Have you heard of cookies, sessions, or JWTs? These are exactly how the system checks whether you are who you say you are. Let's look at some common methods used when implementing authentication in your applications.
1. Single-Factor Authentication
Single-factor authentication is, as the name suggests, the simplest form of authentication. It requires a single credential, a password. The application uses the user's credential (in this case their password) to confirm their identity. Single-factor authentication is the simplest to implement but is also the least secure authentication method. Think of it as a login form with just a password field, no username or email needed. As you can imagine, this kind of authentication is prone to many different types of attacks, and password reuse makes it worse: Google reported that over 65% of users use the same password for multiple or all accounts. This is where two-factor authentication comes in.
2. Two-Factor Authentication
Two-factor authentication is the most common way of implementing authentication nowadays. Think of two-factor authentication as authorizing a user based on two credentials. Usually, this is a user's email/username and password. Having two credentials makes it 2x harder for a malicious hacker to hack your account.
3. Multi-Factor Authentication
Multi-factor authentication is (as you might have guessed) authorizing a user based on multiple (two or more) credentials. These credentials could be anything. Usually, they are a user's email/username, password, generated codes, Captcha tests, and possibly more. Naturally, this method of authentication is very secure and is likely to be close to 100% secure (if implemented properly). Even though it is much more secure than two-factor and single-factor authentication, multi-factor authentication comes with its own downsides. For example, needing multiple credentials to log in or register could be a worse experience for the user. Imagine putting in your email, username, password (twice), doing some Captcha tests, looking for your generated code, and in some cases, even more. Also, what would happen if a user loses their generated code or fails a Captcha test? The user would be prevented from using the application, or would have to be authorized with different credentials before generating another code. As you can see, it's quite an extensive process. Although multi-factor authentication is secure, it's not the most ideal form of authentication. Let's explore some more possibilities.
4. Biometric authentication
Biometric authentication is very popular with smartphones in today's world. It uses a user's unique biological characteristics to confirm their identity. Examples include facial recognition (Face ID), fingerprint scanners, eye scanners, or even voice recognition. This method of authentication is quite secure. It is also very easy for the user, which is why it is used in quick-access applications like smartphones. Although this method seems perfect, it's not the easiest to implement. And if you implement it incorrectly, it is as easy to hack as the single-factor authentication method.
5. Generated code authentication
Generated code authentication allows a user to generate a unique and encrypted string of characters when they first sign in. This method is very popular in the development world (API keys). Even though this method is simple to implement, if a user exposes their key, then anyone can access their account. This is why I would recommend using this method as part of multi-factor authentication.
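As an added example (not code from the original post), here is how the password check from the single-factor section and the generated-code (API key) method could be implemented so that a leaked database does not expose either secret: passwords are stored as salted PBKDF2 hashes, API keys are stored only as hashes and handed out once in plaintext, and every comparison is constant-time. The class and method names (UserStore, register_password, verify_password, issue_api_key, verify_api_key) and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Added example: a minimal credential store covering the password method
# (single-factor) and the generated-code method (API keys) discussed above.
# UserStore and its method names are assumptions for this example; the
# iteration count is a constructed starting point, not a value from the post.
PBKDF2_ITERATIONS = 200_000

# Constructed salt used only so that checking an unknown account costs the
# same as checking a wrong password; otherwise response time reveals which
# emails are registered.
_DUMMY_SALT = secrets.token_bytes(16)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; a leaked table then does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_api_key(key: str) -> bytes:
    """API keys are already high-entropy random strings, so plain SHA-256 suffices."""
    return hashlib.sha256(key.encode("utf-8")).digest()


class UserStore:
    def __init__(self) -> None:
        # email -> {"salt": bytes, "pw_hash": bytes, "key_hash": bytes or None}
        self._users: Dict[str, dict] = {}

    def register_password(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[email] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "key_hash": None,
        }

    def verify_password(self, email: str, password: str) -> bool:
        record = self._users.get(email)
        if record is None:
            # Do the same amount of work for an unknown account, then deny.
            hash_password(password, _DUMMY_SALT)
            return False
        candidate = hash_password(password, record["salt"])
        # compare_digest does not stop at the first differing byte.
        return hmac.compare_digest(candidate, record["pw_hash"])

    def issue_api_key(self, email: str) -> str:
        """Generate a random key, keep only its hash, return the plaintext once."""
        if email not in self._users:
            raise KeyError(f"unknown user: {email}")
        key = secrets.token_urlsafe(32)
        self._users[email]["key_hash"] = hash_api_key(key)
        return key

    def verify_api_key(self, email: str, key: str) -> bool:
        record = self._users.get(email)
        if record is None or record["key_hash"] is None:
            return False
        return hmac.compare_digest(hash_api_key(key), record["key_hash"])


if __name__ == "__main__":
    store = UserStore()
    store.register_password("alice@example.com", "correct horse battery staple")
    print(store.verify_password("alice@example.com", "correct horse battery staple"))
    print(store.verify_password("alice@example.com", "wrong"))
    api_key = store.issue_api_key("alice@example.com")
    print(store.verify_api_key("alice@example.com", api_key))
```

The key is shown to the user only at issue time; if it is lost, the store can only issue a new one, which is exactly the trade-off the paragraph above describes.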
To conclude, authentication is confirming a user's identity. We have looked at five different methods of authentication: single-factor, two-factor, multi-factor, biometric, and generated code authentication. Each of these methods has its pros and cons and different use cases. It's up to you which one you implement!
To put it simply, authorization is granting a user different permissions. Remember our Twitter example? Let's go over that in more detail. To be able to post on Twitter, you have to be logged in. As we have learned previously, the logging in part is the authentication. The privilege of posting on Twitter is an authorization. Being able to post on Twitter is a permission that only people who are logged in have, hence why this is an authorization. Another example is an application that has authorized users and regular users. The regular users can post articles while the authorized users can delete them (if they're not following the code of conduct, etc.). Being an authorized admin means that you have the privilege/permission to delete those articles. For an application to understand if a user is authorized to do certain things, it usually comes down to their credentials. A simple version of this is an if statement. Let's go back to our regular user/authorized user example and implement it in some pseudocode.

```python
if user.email in authorized_emails:
    provide_user_with_delete_permission(user)
```

In this pseudocode, we are checking whether the current user's email is an authorized email. If it is, we grant them the delete permission. This is a very simple example which is hopefully helpful.
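The pseudocode shows the idea; as an added example (not code from the original post), here is the same regular-user/authorized-user scenario written as a deny-by-default role check, with the check placed next to the action it protects so it cannot be forgotten. The role names, the Permission members, the USERS records and the function names are constructed for this example.

```python
from enum import Enum
from typing import Dict, Set

# Added example for the regular-user / authorized-user scenario above.
# Role names, Permission members and USERS records are constructed for this
# example and are not code from the original post.


class Permission(Enum):
    POST_ARTICLE = "post_article"
    DELETE_ARTICLE = "delete_article"


# Each role lists the permissions it grants. Anything not listed is denied,
# so a newly added action is safe by default until a role is granted it.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "regular": {Permission.POST_ARTICLE},
    "authorized": {Permission.POST_ARTICLE, Permission.DELETE_ARTICLE},
}

# Constructed user records keyed by the email the user authenticated with.
# In a real application the role comes from the server-side session, never
# from anything the client sends along with the request.
USERS: Dict[str, str] = {
    "writer@example.com": "regular",
    "editor@example.com": "authorized",
}


def has_permission(email: str, permission: Permission) -> bool:
    """Deny-by-default check: unknown users and unknown roles get nothing."""
    role = USERS.get(email)
    if role is None:
        return False
    return permission in ROLE_PERMISSIONS.get(role, set())


def post_article(actor_email: str, title: str) -> dict:
    """Any authenticated user with POST_ARTICLE may create an article."""
    if not has_permission(actor_email, Permission.POST_ARTICLE):
        raise PermissionError(f"{actor_email} may not post articles")
    return {"title": title, "author": actor_email, "deleted": False}


def delete_article(actor_email: str, article: dict) -> dict:
    """The authorization check lives beside the action, so it cannot be skipped."""
    if not has_permission(actor_email, Permission.DELETE_ARTICLE):
        raise PermissionError(f"{actor_email} may not delete articles")
    article["deleted"] = True
    return article


if __name__ == "__main__":
    article = post_article("writer@example.com", "My first article")
    print(has_permission("writer@example.com", Permission.DELETE_ARTICLE))
    print(delete_article("editor@example.com", article)["deleted"])
```

Compared with the bare if statement, the permission set makes it explicit which actions each role may perform, and the authorization decision is made inside the function that performs the action rather than in whichever caller remembers to check.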
In conclusion, authorization is granting a user different permissions based on their credentials. Authorization is an essential part of any application. Let's look at some authentication and authorization project ideas for some inspiration!
1. Online Classroom
Create an application that is similar to Google Classroom. This application will have two different types of users: teachers and students. The teachers are authorized with the permission to post assignments and grade them, while the students can only view their grades and communicate with their teacher.
2. Ranked-Choice Voting System
Ranked-choice voting is a very popular form of voting which is commonly used for elections (Wikipedia article). Create an application that will allow users to vote on a specific topic. To ensure that users only vote once, they will have to log in using multi-factor authentication, which in this case will be phone number, fingerprint scan, and password. There will be two types of users: admins and regular users. The regular users get to vote while the admin users get to put out the topics to vote on.
3. Online Postage System
Create an application that will allow users to send post to other users online. This app will use multi-factor authentication: email, name, and password. To be able to send post to other users, that user needs to have a specific stamp which expresses that they are authorized to do so. If their post is authorized, they may send it through the app. You could extend this project by being able to send money through the app using a payment provider like Stripe or PayPal.
4. Content Management System (CMS)
Create a CMS which will have two different types of users: admins and regular users. The admins will be able to control the content the regular users have and could report their content. The users will be able to post content to the application. To become an admin, you have to have a specially generated code that you use to log in.
5. Online Auction System
Create an online auction system using the tools of your choice. This auction system will allow users to put up items for bidding and have other users bid on them. Whoever is the highest bidder at the end of the auction wins. As you can imagine, different users have different permissions. If you put up an item for bidding, you can't bid on your own item. Any authentication method is suitable for this project.
I hope you learned about authentication and authorization and some of their differences. I would highly recommend tackling one of the projects I mentioned in the section above to get familiar with authentication and authorization in the real world. Thanks for reading!