1.3.1. Authentication vs. Authorization
💡 First Principle: Authentication answers "Who are you?" by verifying identity. Authorization answers "What are you allowed to do?" by granting permissions. They are separate processes that must happen in sequence: you authenticate first, then the system authorizes based on the verified identity. Confusing these two is one of the most common exam mistakes.
Authentication uses factors, evidence that proves identity:
- Something you know: passwords, PINs, security questions
- Something you have: smart card, security token, phone (for push notifications)
- Something you are: fingerprint, facial recognition, iris scan (biometrics)
- Somewhere you are: GPS location, IP address geolocation
Single-factor authentication uses one factor (just a password). Multifactor authentication (MFA) combines two or more different factors, for example a password (know) plus a phone code (have). Using two passwords is NOT MFA because both are the same factor type.
Authorization happens after authentication and determines what the authenticated identity can access. Authorization models include role-based access (RBAC), attribute-based access (ABAC), mandatory access (MAC), and discretionary access (DAC). Each model answers "who gets access to what" differently, and the exam tests when to use each. Authorization is enforced at every resource boundary: the file system checks permissions before granting file access, the database checks roles before allowing queries, and the API checks tokens before returning data.
The separation matters operationally: a user might authenticate successfully (valid credentials) but still be denied access to a specific resource (insufficient authorization). Help desk calls saying "I can log in but can't access the file share" indicate an authorization problem, not an authentication problem.
Accounting (the third A in AAA) records what happened: who logged in, what they accessed, when they left. Without accounting, you can't audit, investigate incidents, or prove compliance.
⚠️ Exam Trap: Two passwords ≠ MFA. A password plus a security question is still single-factor (both are "something you know"). True MFA requires different factor categories.
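The three ideas above (factor categories, authenticate-then-authorize, and accounting) in one small model, as an added example rather than anything from the original study guide. The user account, RBAC table and salt are constructed sample data, and the RBAC lookup stands in for whichever authorization model a real system uses.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Factor categories from the section; each presented factor is tagged with one.
KNOW, HAVE, ARE, WHERE = "know", "have", "are", "where"

def is_mfa(factor_categories):
    """MFA only if the presented factors span two or more different categories."""
    return len(set(factor_categories)) >= 2

SALT = b"constructed-demo-salt"  # sample only; a real system uses a random per-user salt

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

@dataclass(frozen=True)
class User:
    username: str
    password_hash: bytes
    roles: frozenset

# Constructed sample data (hypothetical account, not from the page).
USERS = {"alice": User("alice", hash_password("correct horse"), frozenset({"analyst"}))}
# RBAC table: (role, action, resource) triples that are permitted.
PERMISSIONS = {("analyst", "read", "file-share:reports")}
AUDIT = []  # accounting: every access decision is recorded here

def authenticate(username, password):
    """Step 1: verify identity. Returns the User or None; never consults permissions."""
    user = USERS.get(username)
    if user is None:
        return None
    ok = hmac.compare_digest(user.password_hash, hash_password(password))
    return user if ok else None

def authorize(user, action, resource):
    """Step 2: decide what the verified identity may do, using the RBAC table."""
    return any((role, action, resource) in PERMISSIONS for role in user.roles)

def access(username, password, action, resource):
    """Authenticate, then authorize; the outcome names which step failed."""
    user = authenticate(username, password)
    if user is None:
        outcome = "authentication failed"
    elif not authorize(user, action, resource):
        outcome = "authorization failed"  # "I can log in but can't access the share"
    else:
        outcome = "granted"
    AUDIT.append((username, action, resource, outcome))  # accounting record
    return outcome
```

The help-desk symptom from the text maps directly onto the second branch: valid credentials, missing permission.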
