What's the difference between "authentication" and "authorization"?

Solution 1:

Authentication (in this sense) is the confirmation that the person who is giving a command or placing an order is the person they say they are. In other words, they are making sure that this person is authentic or can be identified.

Authorization means that you are giving permission to do something. So, if you authorize something, you are saying I allow this based upon my authority.

They are related, but different.

For example: An app can ask for your authorization to make a purchase, then it will attempt authentication in the form of a password.

To answer your second question: Authorisation is an accepted secondary spelling of authorization. But, in American English, authorization is the preferred spelling.

Solution 2:

Some idea is given in the common usage of authenticate, in the sense of identifying the subject as being who/what it claims to be. For example (from the OED):

"To establish the claims of (anything) to a particular character or authorship; to establish the genuineness of; to certify the authorship of."

But in the case you are talking about, these are really specialized uses of the terms, and need to be defined in relation to the technological context in which they are used.

From AAA and Network Security for Mobile Access[1]:

"Authorization is defined as the act of determining whether a particular privilege can be granted to the presenter of a particular credential. [...] The presenter of the credential can be either a device or a user."

The way authentication works is broadly the same as the common English usage.

"Authentication consists of two acts: first, the act of providing proof of authenticity for the information that is being delivered or stored, and second, the act of verifying the proof of authenticity for the information that is being received or retrieved."[1]

Another source, Network Authentication, Authorization, and Accounting[2] gives an overview of the terms:

Authentication asks the question, "Who or what are you?" Authorization asks, "What are you allowed to do?"

and more for authorization:

"At its core, authorization means determining what a client is allowed to do on the network."

(The third piece of AAA, a common technical concept which includes authentication and authorization, is accounting. In the same doc, this is given as "accounting wants to know, 'What did you do?'")

[1] Madjid Nakhjiri and Mahsa Nakhjiri, AAA and Network Security for Mobile Access: Radius, Diameter, EAP, PKI and IP Mobility, John Wiley & Sons, Nov 1, 2005.

[2] Network Authentication, Authorization, and Accounting: Part One, originally from The Internet Protocol Journal, Volume 10, No. 1 (http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-1/101_aaa-part1.html).
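As an added example that is not part of either answer: a small Python sketch of the AAA split described in Solution 2, keeping authentication (verifying the presenter's credential), authorization (checking a privilege against a policy) and accounting (recording what was done) as distinct steps. The usernames, passwords and privileges are constructed sample data, and the credential store and policy are assumed in-memory dictionaries.

```python
import hashlib
import hmac
import os

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the store never holds the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(store: dict, username: str, password: str) -> None:
    # Constructed credential store: username -> (salt, derived key).
    salt = os.urandom(16)
    store[username] = (salt, _derive(password, salt))

def authenticate(store: dict, username: str, password: str) -> bool:
    """Authentication: "who are you?"  Verify the proof (a password)
    the presenter supplies against the stored credential."""
    entry = store.get(username)
    if entry is None:
        # Dummy derivation so an unknown user costs about the same time
        # as a wrong password (avoids leaking which usernames exist).
        _derive(password, b"\x00" * 16)
        return False
    salt, expected = entry
    # Constant-time comparison: a mismatch must not leak how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), expected)

# Constructed policy: privileges granted to each authenticated subject.
POLICY = {"alice": {"read", "purchase"}, "bob": {"read"}}

def authorize(username: str, privilege: str) -> bool:
    """Authorization: "what are you allowed to do?"  Decide whether this
    privilege is granted to this subject. Identity alone grants nothing."""
    return privilege in POLICY.get(username, set())

def perform(store: dict, log: list, username: str, password: str, privilege: str) -> str:
    """Full AAA flow: authenticate, then authorize, then account.
    A valid password is not enough on its own; the policy decides."""
    if not authenticate(store, username, password):
        log.append(f"{username}: authentication failed")
        return "denied: not authenticated"
    if not authorize(username, privilege):
        log.append(f"{username}: authenticated but not authorized for {privilege}")
        return "denied: not authorized"
    # Accounting: "what did you do?"
    log.append(f"{username}: performed {privilege}")
    return "ok"
```

Note that bob authenticates successfully yet is still refused a purchase: the two checks answer different questions, which is exactly the distinction the answers draw.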