Authentication & Authorization
How apps know who you are and what you can do
Introduction
Every time you log into an app, two things happen behind the scenes. First, the app figures out who you are — that is authentication. Then it checks what you are allowed to do — that is authorization. These two concepts are the foundation of security in every modern application.
Without authentication, anyone could access any account. Without authorization, every user would have the same power as an administrator. Apps use a combination of techniques — passwords, biometrics, tokens, and OAuth — to make sure the right people get the right access.
In this chapter, you will learn the difference between authentication and authorization, explore the most common methods apps use to verify identity, and understand how sessions and tokens keep you logged in seamlessly.
How It Works
When you log in, your app sends your credentials (username and password) to a server. The server verifies them against its database. If they match, the server creates a token or session cookie and sends it back to your device. Your app then sends that token with every subsequent request so the server knows it is still you.
Keycard Analogy
Authentication is like showing your ID at the door of a secure building. The security guard checks your face matches the photo and that the ID is valid. Authorization is like swiping your keycard to enter specific rooms. Your keycard might open the lobby and your office, but not the server room or the CEO's office. Authentication proves who you are; authorization proves what you can access.
Deeper Dive
Apps use several different methods to verify your identity. Each has its own trade-offs between security and convenience:
Passwords
The most common method. A secret string of characters you create. Best practice is to use long, unique passwords stored in a password manager.
Biometrics
Uses your unique physical characteristics — fingerprint, face, or iris. Very convenient and hard to fake, but cannot be changed if compromised.
OAuth
"Login with Google/Apple/Facebook." An open standard that lets you grant one app access to your data on another app without sharing your password.
2FA (Two-Factor Auth)
Adds a second layer of security. Even if someone has your password, they also need a temporary code from your phone or a hardware key to log in.
Sessions and Tokens
Once you are authenticated, the app needs a way to remember you. Two common approaches are session-based authentication (the server stores your session and gives you a cookie) and token-based authentication (the server gives you a JWT or similar token that your app sends with each request). Tokens are more common in modern APIs because they are stateless and work well across different devices.
Key Insight
Authentication and authorization are often confused, but the difference is simple: authentication answers "Who are you?" while authorization answers "What are you allowed to do?" You can be authenticated (logged in) but not authorized (you cannot access the admin panel).
Advanced
At a deeper level, authentication & authorization involves rules and patterns that engineers use worldwide. Authentication follows standards so different brands and devices can still work together. That is why your phone, school laptop, and game console can all connect to the same network or use the same apps.
Authorization does not happen in a straight line. Systems often use backup paths, error checking, and retries so information arrives correctly. When something fails, smart Password design helps the system recover instead of shutting down completely.
Scientists and engineers keep improving these systems every year — making them faster, safer, and more energy-efficient. The ideas you learn in this chapter are the same building blocks used in real data centers, robots, apps, and websites around the world.
Vocabulary Table
| Term | Definition |
|---|---|
| Authentication | The process of verifying who a user is |
| Authorization | The process of determining what a user is allowed to do |
| Password | A secret string of characters used to verify identity |
| Token | A digital key issued by a server after successful login, sent with requests to prove identity |
| OAuth | An open standard for token-based authentication and authorization |
| 2FA | Two-Factor Authentication — an extra layer of security beyond a password |
| Session | A server-side record of a user's logged-in state, often tracked via a cookie |
| Cookie | A small piece of data stored by the browser to remember information between requests |
Fun Facts
The most common password in 2024 was still "123456." It takes a computer less than one second to crack it.
Cookies were invented in 1994 by Lou Montulli, a Netscape employee. They were originally created to solve the problem of shopping carts remembering what you added.
Face ID on iPhone creates a mathematical model of your face using over 30,000 infrared dots. The probability of a false match is about 1 in 1,000,000.
OAuth 2.0 is used by almost every major tech company. When you click "Login with Google," you are using OAuth 2.0 under the hood.
The first known computer password was used at MIT in 1961. The system was hacked within weeks because someone printed the password file.
Interactive Diagram
Launch the interactive diagram to see authentication and authorization in action.
Open Interactive DiagramThe interactive diagram for this chapter demonstrates Authentication. It shows the authentication flow: login form → credentials → token → access granted.
What to explore:
- type a username and password; watch the credentials get verified; see a token be issued; try accessing a protected resource
- authentication verifies who you are (usually via passwords or tokens) and authorization determines what you can access
Knowledge Check
1. What is the difference between authentication and authorization?
Answer: Authentication = who you are, Authorization = what you can do
2. What does 2FA stand for?
Answer: Two-Factor Authentication
3. Which standard allows you to "Login with Google" on a third-party app?
Answer: OAuth
