What is the difference between 'authentication' and 'authorization' in online security?
Authentication and authorization are two distinct but related concepts in online security. 'Authentication' is the process of verifying the identity of a user, device, or other entity. It answers the question, 'Who are you?' This is typically achieved by requiring the user to provide credentials, such as a username and password, a digital certificate, or biometric data, to prove their identity. 'Authorization', on the other hand, is the process of determining what actions or resources an authenticated user is permitted to access. It answers the question, 'What are you allowed to do?' Once a user has been authenticated, the system checks their authorization level to determine which resources they can access and what actions they can perform. For example, when you log into your bank account online (authentication), the system verifies your username and password. Once authenticated, the system then checks your authorization level, which determines whether you can view your account balance, transfer funds, or access other features. An administrator might have higher authorization levels than a regular user, allowing them to manage user accounts or change system settings. Authentication confirms who you are; authorization determines what you can do.
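The bank example above, written out as a small login-then-permission-check flow. This is example code added here, not code from the original answer; the in-memory user store, the two roles, the permission table and the HTTP-style status codes are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo user store (assumption, not any real system): passwords are
# stored as salted PBKDF2 hashes, never in plaintext.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {"hash": _hash("correct horse"), "role": "customer"},
    "bob":   {"hash": _hash("admin-pass"),    "role": "admin"},
}

# Authorization policy (assumption): which role may perform which action.
PERMISSIONS = {
    "customer": {"view_balance", "transfer_funds"},
    "admin":    {"view_balance", "transfer_funds", "manage_users", "change_settings"},
}


def authenticate(username: str, password: str):
    """Authentication: 'Who are you?' Returns a user record or None."""
    user = USERS.get(username)
    # Hash and compare even for unknown usernames so that a failed lookup
    # takes roughly the same time as a wrong password (constant-time compare).
    expected = user["hash"] if user else _hash("")
    if hmac.compare_digest(expected, _hash(password)) and user:
        return {"name": username, "role": user["role"]}
    return None


def authorize(user, action: str) -> bool:
    """Authorization: 'What are you allowed to do?' Checks the role's permissions."""
    if user is None:
        return False
    return action in PERMISSIONS.get(user["role"], set())


def handle_request(username: str, password: str, action: str) -> int:
    """Mimics an endpoint: 401 = not authenticated, 403 = authenticated but not authorized."""
    user = authenticate(username, password)
    if user is None:
        return 401
    if not authorize(user, action):
        return 403
    return 200
```

The 401/403 split is the practical consequence of the distinction: a wrong password fails authentication, while a valid customer login asking to manage user accounts passes authentication and fails authorization.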