Java security, Part 2: Authentication and authorization
2. Conceptual overview
  


Authentication and authorization page 1 of 7


Authentication is a process by which a human user or computing device verifies his, her, or its identity. Authorization is a process by which a sensitive piece of software allows access and operations that depend on the identity of the requesting user. These two concepts go hand-in-hand. Without authorization, there is little need to know the user's identity. Without authentication, it is impossible to distinguish between trusted and untrusted users, which makes it impossible to safely authorize access to many parts of the system.

It isn't always necessary to identify or authenticate individual entities; in some cases you can authenticate by group, granting certain authorization to all entities within a given group. In other cases, individual authentication is essential to the security of the system.

Another interesting aspect of authentication and authorization is that a single entity can have several roles in a system. For example, a human user could be both an employee of a company, which means he would need access to corporate e-mail, and an accountant within the company, which means he would need access to the company accounting system.
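
The employee/accountant case above, as an added example that is not code from the tutorial. It assumes the standard `javax.security.auth.Subject` class as the holder of an entity's identities; `RolePrincipal`, the role names, and the resource map are hypothetical, and the login step itself is stubbed by attaching principals directly.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;

public class RoleDemo {
    // Hypothetical principal type: one role held by an authenticated entity.
    record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Constructed policy: resource -> role required to use it.
    // "employee" acts as a group: everyone holding it gets the same access.
    static final Map<String, String> REQUIRED_ROLE = Map.of(
        "corporate-email", "employee",
        "accounting-system", "accountant");

    // Authorization: the decision depends only on the identities that
    // authentication attached to the subject.
    static boolean isAuthorized(Subject subject, String resource) {
        String required = REQUIRED_ROLE.get(resource);
        if (required == null) {
            return false; // unknown resource: deny by default
        }
        return subject.getPrincipals(RolePrincipal.class).stream()
                      .anyMatch(p -> p.getName().equals(required));
    }

    public static void main(String[] args) {
        // Stand-in for a completed login (assumption): one entity, two roles.
        Subject accountant = new Subject();
        accountant.getPrincipals().add(new RolePrincipal("employee"));
        accountant.getPrincipals().add(new RolePrincipal("accountant"));

        // A second entity authenticated only as a member of the employee group.
        Subject clerk = new Subject();
        clerk.getPrincipals().add(new RolePrincipal("employee"));

        // Never authenticated: no principals, so nothing can be authorized.
        Subject anonymous = new Subject();

        for (String resource : new String[] {"corporate-email", "accounting-system"}) {
            System.out.printf("%-18s accountant=%b clerk=%b anonymous=%b%n",
                resource,
                isAuthorized(accountant, resource),
                isAuthorized(clerk, resource),
                isAuthorized(anonymous, resource));
        }
    }
}
```

The subject with both roles is allowed on both resources, the employee-only subject is allowed on e-mail alone, and the unauthenticated subject is denied everywhere.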

