Authentication and authorization are two terms used, often interchangeably, to describe the process involved in accessing an account. Though they go hand in hand and often occur sequentially, authentication and authorization are not the same in their purpose and execution. With new technologies emerging that make accessing apps and linking accounts increasingly easier and more convenient, it’s important to differentiate between the two.
Authentication vs. authorization: Defining the terms and differences
Authentication is the process of verifying a user’s identity and their ability to access a requested account. For instance, entering online banking credentials (username/password) or answering security questions authenticates a user by identifying her and verifying that she is who she claims to be.
Authorization, on the other hand, establishes which permissions the user has within an app. In other words, it determines what they’re able to do, such as request or edit data. The authorization process also grants permission to third parties to access data on behalf of users. For example, a user might authorize a financial services app to access his bank transaction history or log into a third-party app using Facebook or Google. Such authorization makes for easier interactions, which can lead to increased conversions.
Authentication vs. authorization: methods to achieve each
Authentication (the verification of a user’s identity) is typically done by entering a username and password. Authentication is the cornerstone of online security because it ensures that the correct user is accessing the requested—often sensitive—information. Other authentication methods include fingerprint scanners, security questions, bank account credentials, and PIN numbers.
Two-factor authentication (2FA) is a popular way to heighten user authentication measures because it bolsters security and greatly reduces the potential for fraud. When using 2FA, a user will enter their username and password, then confirm receipt of a one-time password (OTP) sent to their email or text message before accessing their account.
Authorization (permissioning access to data) is particularly important among apps that aim to improve users’ financial lives. It allows users to access their bank data on any app they choose to share it with, giving them access to financial tools that can help with things like budgeting, investing in the stock market, or making a plan to get out of debt.
→ Need a faster account opening and onboarding flow? Plaid Auth provides instant bank account authentication when users connect with their bank account credentials.
The Fintech Spotlight
Get the latest insights and in-depth analysis on the future of digital finance
There are several methods that developers use to seamlessly and securely enable authorization. Tokenization is an authorization method that substitutes a non-sensitive “token” for sensitive information, such as a user’s bank account credentials. Tokenization allows a third-party app to access a user’s bank account without storing or even seeing the user’s login information, thus keeping it secure.
OAuth is a burgeoning tokenization method for financial apps. It shares user credentials with neither the third-party app nor any trusted intermediaries, instead leaving that sensitive data with only the bank and user. OAuth uses Screenless Exchange—an additional layer that keeps the authorization experience in the app—to improve and simplify a process that can be cumbersome and expensive for institutions.
→ Want to fight fraud while handling KYC requirements? Plaid Identity Verification is the lowest friction identity verification experience available.
Authentication vs. authorization: The bottom line
Authentication and authorization are often confused because they have similar functionalities and they share the “auth” abbreviation. And while they’re usually employed together (i.e., authorization is almost never possible without user authentication first), it’s important not to conflate them. New technologies continue to improve on both authentication and authorization methods separately, with the goal of granting third-party apps access to data that helps them eliminate friction for the user.