Share to FacebookShare to TwitterShare to LinkedIn

Authentication vs. authorization: Differences and methods

Many assume that authentication and authorization are the same, but they are actually two different components of streamlined account access

June 14, 2018

Tom Sullivan Pic
Tom Sullivan

Tom is a writer at Plaid. He's passionate about the freedom that the union between financial services and technology can create.

Authentication and authorization are two terms used, often interchangeably, to describe the process involved in accessing an account. Though they go hand in hand and often occur sequentially, authentication and authorization are not the same in their purpose and execution. With new technologies emerging that make accessing apps and linking accounts increasingly easier and more convenient, it’s important to differentiate between the two.

Authentication vs. authorization: Defining the terms and differences 

Authentication is the process of verifying a user’s identity and their ability to access a requested account. For instance, entering online banking credentials (username/password) or answering security questions authenticates a user by identifying her and verifying that she is who she claims to be.

Authorization, on the other hand, establishes which permissions the user has within an app. In other words, it determines what they’re able to do, such as request or edit data. The authorization process also grants permission to third parties to access data on behalf of users. For example, a user might authorize a financial services app to access his bank transaction history or log into a third-party app using Facebook or Google. Such authorization makes for easier interactions, which can lead to increased conversions.

Airbnb uses Facebook to validate consumers’ online identities on its platform.

Authentication vs. authorization: methods to achieve each

Authentication (the verification of a user’s identity) is typically done by entering a username and password. Authentication is the cornerstone of online security because it ensures that the correct user is accessing the requested—often sensitive—information. Other authentication methods include fingerprint scanners, security questions, bank account credentials, and PIN numbers.

Two-factor authentication (2FA) is a  popular way to heighten user authentication measures because it bolsters security and greatly reduces the potential for fraud. When using 2FA, a user will enter their username and password, then confirm receipt of a one-time password (OTP) sent to their email or text message before accessing their account.

Authorization (permissioning access to data) is particularly important among apps that aim to improve users’ financial lives. It allows users to access their bank data on any app they choose to share it with, giving them access to financial tools that can help with things like budgeting, investing in the stock market, or making a plan to get out of debt. 

See file name above

Stay informed. Sign up for Plaid's newsletter on the latest in financial services and tech.

There are several methods that developers use to seamlessly and securely enable authorization. Tokenization is an authorization method that substitutes a non-sensitive “token” for sensitive information, such as a user’s bank account credentials. Tokenization allows a third-party app to access a user’s bank account without storing or even seeing the user’s login information, thus keeping it secure. 

OAuth is a burgeoning tokenization method for financial apps. It shares user credentials with neither the third-party app nor any trusted intermediaries, instead leaving that sensitive data with only the bank and user. OAuth uses Screenless Exchange—an additional layer that keeps the authorization experience in the app—to improve and simplify a process that can be cumbersome and expensive for institutions.

A thumbnail image of our COVID report

Learn how consumers' financial behavior has changed as a result of COVID-19

Authentication vs. authorization: The bottom line

Authentication and authorization are often confused because they have similar functionalities and they share the “auth” abbreviation. And while they’re usually employed together (i.e., authorization is almost never possible without user authentication first), it’s important not to conflate them. New technologies continue to improve on both authentication and authorization methods separately, with the goal of granting third-party apps access to data that helps them eliminate friction for the user.

Plaid Sales Team ready to help

Find out how Plaid can help your business grow

By submitting this form, I confirm that I have read and understood Plaid's Privacy Statement, and I authorize Plaid to send me sales and marketing communications at the email address provided