Authentication vs Authorization vs Encryption

In this article, you’ll get an overview of three key concepts in web security: Authentication, Authorization, & Encryption.

What We’ll Be Learning

Authentication, authorization, and encryption are all key concepts in web security, but it’s easy to confuse them. In this article, you’ll learn what these concepts are, and what roles they play in web security.


Authentication is the verification of who you are. For example, let’s say you’ve gone to a concert. At the front door, the security guard asks to see your ticket and ID in order to verify that the name on your ID matches the name on your ticket. This is an example of authentication.

Authentication relies on one or more factors to verify identity, and these factors come in three main types:

  • Knowledge is something you know, like a username and password.
  • Possession is something you have, like a security card or mobile device.
  • Inherence is something you are, which generally refers to biometric data such as fingerprints.

(There are additional factors, such as location and time, that can complement the primary factors but are generally not suitable for authentication on their own.)

Authentication that relies on a single factor, such as a simple username/password combo, is called Single-Factor Authentication, and is becoming increasingly insecure.

An image showing that the user only needs a password to log in to the website.

Authentication that requires multiple factors, such as a username/password combo and a code sent to a mobile device, is known as Multi-Factor Authentication. This is distinct from Multi-Step Authentication, which requires multiple types of authentication within a single factor, such as a password and a PIN.

An image showing that the user needs a password, a code sent to their phone, and that same code inputted into the website before they can gain access.
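The distinction between single-factor, multi-step and multi-factor logins above, and the note that location and time only complement the three primary factors, can be made concrete as a policy check. The code below is an added example, not part of the original article; the `Factor`, `Check` and `classify_login` names are assumptions for illustration, and the sample logins at the bottom are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"      # something you know (password, PIN)
    POSSESSION = "possession"    # something you have (phone, security card)
    INHERENCE = "inherence"      # something you are (fingerprint)
    # Supplementary signals: they complement the above but never count alone.
    LOCATION = "location"
    TIME = "time"


PRIMARY_FACTORS = {Factor.KNOWLEDGE, Factor.POSSESSION, Factor.INHERENCE}


@dataclass(frozen=True)
class Check:
    name: str        # e.g. "password", "sms_code" (hypothetical labels)
    factor: Factor   # which factor type this check belongs to
    passed: bool     # outcome of verifying this credential


def classify_login(checks):
    """Classify a completed login attempt.

    Returns "failed" if any check failed, "unauthenticated" if only
    supplementary signals were presented, "single-factor" for one primary
    check, "multi-step" for several checks of one factor type, and
    "multi-factor" when at least two distinct primary factor types passed.
    """
    if any(not c.passed for c in checks):
        return "failed"
    primary = [c for c in checks if c.factor in PRIMARY_FACTORS]
    if not primary:
        return "unauthenticated"   # location/time alone proves nothing
    if len({c.factor for c in primary}) >= 2:
        return "multi-factor"
    if len(primary) >= 2:
        return "multi-step"        # e.g. password + PIN: both knowledge
    return "single-factor"


def meets_mfa_policy(checks):
    """True only when the login is genuinely multi-factor."""
    return classify_login(checks) == "multi-factor"


if __name__ == "__main__":
    # Constructed sample logins mirroring the article's examples.
    pw = Check("password", Factor.KNOWLEDGE, True)
    pin = Check("pin", Factor.KNOWLEDGE, True)
    sms = Check("sms_code", Factor.POSSESSION, True)
    geo = Check("known_location", Factor.LOCATION, True)
    for attempt in ([pw], [pw, pin], [pw, sms], [geo], [pw, geo]):
        print([c.name for c in attempt], "->", classify_login(attempt))
```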