All guides

Authentication vs Authorization (AuthN vs AuthZ)

If you are studying for CompTIA Security+, authentication vs authorization is a distinction the exam expects you to get right every time — and it is easy to blur because both start with "auth" and both live inside Identity and Access Management (IAM).

The short answer

Authentication (AuthN) proves who you are. Authorization (AuthZ) decides what you are allowed to do. Authentication always happens first; authorization happens second, on top of an identity that has already been verified.

Think of an office building. Authentication is the security guard checking your badge at the front door — confirming you are really you. Authorization is which floors and rooms that badge will actually open once you are inside. Same badge, two completely different checks.

What is authentication (AuthN)?

Authentication is the process of verifying identity. You claim to be someone, and the system makes you prove it before it trusts the claim. Proof comes from one or more authentication factors:

  • Something you know — a password, PIN, or passphrase.
  • Something you have — a phone with an authenticator app, a hardware token, or a smart card.
  • Something you are — biometrics like a fingerprint, face, or iris.

Using two or more different factor types is MFA (Multi-Factor Authentication) — for example, a password plus a one-time code. Two passwords is not MFA, because both are "something you know." Authentication answers exactly one question: are you who you say you are?

What is authorization (AuthZ)?

Authorization is the process of granting or denying access to a verified identity. Once authentication confirms you are user jsmith, authorization decides which files, databases, and actions jsmith is permitted to touch. Common authorization models on the exam:

  • RBAC (Role-Based Access Control) — permissions attach to roles (for example, "HR" or "Admin"), and users inherit a role's permissions.
  • ABAC (Attribute-Based Access Control) — access depends on attributes such as department, location, device, or time of day.
  • Least privilege — the guiding principle: give each identity only the access it needs to do its job, and nothing more.

Authorization answers a different question entirely: now that I know who you are, what can you do?

Authentication vs authorization, side by side

Authentication (AuthN)Authorization (AuthZ)
Question answeredWho are you?What are you allowed to do?
PurposeVerify identityGrant or deny access to resources
HappensFirstSecond (after identity is proven)
Based onFactors: know / have / arePermissions, roles, attributes, policies
ExamplesPasswords, MFA, biometrics, smart cardsRBAC, ABAC, least privilege, ACLs
Visible to userYes — you log inOften invisible — it just allows or blocks
If it failsYou cannot log inYou are logged in but access is denied

The third A: accounting and the AAA model

Security+ frames these two ideas inside the AAA framework: Authentication, Authorization, and Accounting. Accounting is the part people forget — it logs what an authenticated, authorized user actually did: which resources they used, how long they stayed connected, and when. That audit trail is what feeds billing, forensics, and compliance.

The classic AAA protocols are RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus). A frequent exam detail: TACACS+ separates authentication, authorization, and accounting into independent functions and encrypts the entire payload, while RADIUS combines authentication and authorization and only encrypts the password. Both are used to centralize AAA for network devices and remote access.

Which one shows up on the exam?

On Security+, expect this distinction throughout the IAM and access-control objectives. Watch for these traps:

  • MFA is authentication, not authorization. Adding a second factor makes you more sure who someone is; it does not change what they can do.
  • RBAC, ABAC, and least privilege are authorization. They never verify identity — they assume identity is already proven and only decide access.
  • OAuth vs OIDC. OAuth 2.0 is an authorization framework (delegating access to resources), while OpenID Connect (OIDC) is the authentication layer built on top of it. Mixing these up is a common distractor.
  • HTTP 401 vs 403. A 401 Unauthorized response actually signals an authentication failure (you are not logged in), while 403 Forbidden signals an authorization failure (you are logged in but not allowed). The status-code names are historically backwards, and the exam loves that.
  • SSO is about authentication. Single Sign-On lets you authenticate once and access many apps; each app still enforces its own authorization.

Lock it in

AuthN vs AuthZ, the three A's, and the IAM acronyms around them (MFA, RBAC, ABAC, RADIUS, TACACS+, OAuth, OIDC, SSO) only stick when you recall them under pressure, not after one read-through. CompTIA Acronyms+ drills the full Security+ acronym set with active recall, an exam mode, and SM-2 spaced repetition — so the hard pairs resurface right before you would forget them, and "authentication vs authorization" becomes automatic on test day.

Get the App