Authentication is the process that verifies that a user is who they claim to be. It relies on one or more factors:
- something you know (a password, the answer to a secret question)
- something you have (a hardware key such as a YubiKey, a phone running an authenticator app); 2FA means combining one of these with a password rather than being a factor itself
- something you are (biometrics, such as a fingerprint or a face)
Authorization is checking whether an already-authenticated user is allowed to perform a given action or access a given resource.
A session mechanism (a session ID stored in a cookie, or a signed token such as a JWT) carries the result of authentication from one request to the next, so that each request can be authorized without the user logging in again.
Vertical privilege escalation: a user can access features or data reserved for a more privileged role (example: a regular user reaches a feature reserved for administrators).
Horizontal privilege escalation: user A can access functionality or data reserved for user B, who has the same privilege level (example: within a banking application, Alice reads Bob's account data even though she is not authorized to).
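The following is an added example (not code from the original page) that shows where authentication stops and authorization starts, and how both kinds of privilege escalation arise when a handler checks only that someone is logged in. The users, accounts, session store and handler names are constructed stand-ins for a web application, not a real framework.

```python
"""Authentication (session lookup) vs. authorization (ownership and role checks).

Constructed example: an in-memory stand-in for a banking web app.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class User:
    username: str
    role: str  # "user" or "admin"


# Constructed fixtures (assumed data, not from the page)
USERS = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "carol": User("carol", "admin"),
}
ACCOUNTS = {
    101: {"owner": "alice", "balance": 1200},
    102: {"owner": "bob", "balance": 5300},
}

# Session store: opaque token -> username. This is the "session" layer that
# carries the result of authentication from one request to the next.
SESSIONS: dict[str, str] = {}


def login(username: str) -> str:
    """Authentication (password, 2FA, ...) is assumed to have succeeded before
    this call; here we only mint the opaque session token the client will
    present on later requests."""
    if username not in USERS:
        raise PermissionError("unknown user")
    token = secrets.token_urlsafe(32)  # unguessable, unlike a sequential id
    SESSIONS[token] = username
    return token


def current_user(token: str) -> User:
    """Map the presented session token back to the authenticated principal."""
    try:
        return USERS[SESSIONS[token]]
    except KeyError:
        raise PermissionError("not authenticated") from None


# --- vulnerable handlers: authenticated, but never authorized ---

def get_account_vulnerable(token: str, account_id: int) -> dict:
    current_user(token)           # only proves *someone* is logged in
    return ACCOUNTS[account_id]   # Alice can read Bob's account: horizontal escalation


def list_all_accounts_vulnerable(token: str) -> dict:
    current_user(token)
    return ACCOUNTS               # admin feature open to any user: vertical escalation


# --- hardened handlers: authorization decided from the session, never from the request ---

def get_account(token: str, account_id: int) -> dict:
    user = current_user(token)
    account = ACCOUNTS.get(account_id)
    # Same error for "does not exist" and "not yours" so ids cannot be enumerated.
    if account is None or account["owner"] != user.username:
        raise PermissionError("forbidden")
    return account


def list_all_accounts(token: str) -> dict:
    user = current_user(token)
    if user.role != "admin":      # role comes from the server-side user record
        raise PermissionError("forbidden")
    return ACCOUNTS


def is_denied(handler, *args) -> bool:
    """Helper for checks below: True if the handler refuses the request."""
    try:
        handler(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    alice = login("alice")
    print("vulnerable, Alice reads Bob:", get_account_vulnerable(alice, 102))
    print("hardened, Alice reads Bob denied:", is_denied(get_account, alice, 102))
    print("hardened, Alice lists all denied:", is_denied(list_all_accounts, alice))
    print("hardened, admin lists all:", list_all_accounts(login("carol")))
```

The point to take from the hardened handlers is that the identity used for the decision (`user`) is derived from the session token, while the only client-controlled input (`account_id`) is checked against server-side ownership and role data; the vulnerable versions differ only by skipping that comparison.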