The problem of authorization is often thought to be identical to that of authentication; many widely adopted standard security protocols, obligatory regulations, and even statutes are based on this assumption.
However, more precise usage describes authentication as the process of verifying a claim made by a subject that it should be treated as acting on behalf of a given principal (person, computer, smart card, etc.), while authorization is the process of verifying that an authenticated subject has the authority to perform a certain operation. Authentication, therefore, must precede authorization.
For example, when you show proper identification to a bank teller, you could be authenticated by the teller as acting on behalf of a particular account holder, and you would be authorized to access information about the accounts of that account holder. You would not be authorized to access the accounts of other account holders.
Since authorization cannot occur without authentication, the former term is sometimes used to mean the combination of authentication and authorization.
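The bank teller case above, as an added example that is not part of the original page: authentication verifies the subject's claim and yields a principal, and only then is that principal's authority over a specific account checked. The principal names, passphrases, salts and account ids are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac

class AuthenticationError(Exception):
    """The subject's claim to act for a principal could not be verified."""

class AuthorizationError(Exception):
    """The authenticated principal lacks authority for the operation."""

def kdf(password: str, salt: bytes) -> bytes:
    # Derive a password verifier so plaintext passphrases are never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (hypothetical principals, passphrases and accounts).
SALTS = {"alice": b"constructed-salt-a", "bob": b"constructed-salt-b"}
VERIFIERS = {"alice": kdf("alice-passphrase", SALTS["alice"]),
             "bob": kdf("bob-passphrase", SALTS["bob"])}
ACCOUNT_HOLDER = {"acct-1001": "alice", "acct-2002": "bob"}

def authenticate(claimed_principal: str, password: str) -> str:
    """Verify the claim; return the principal only if the credential matches."""
    # Unknown principals still go through the KDF and fail the comparison.
    salt = SALTS.get(claimed_principal, b"unknown-principal")
    expected = VERIFIERS.get(claimed_principal, b"")
    if not hmac.compare_digest(kdf(password, salt), expected):
        raise AuthenticationError(claimed_principal)
    return claimed_principal

def authorize(principal: str, account: str) -> None:
    """Check that an already authenticated principal may access the account."""
    if ACCOUNT_HOLDER.get(account) != principal:
        raise AuthorizationError(f"{principal} may not access {account}")

def read_account(claimed_principal: str, password: str, account: str) -> str:
    principal = authenticate(claimed_principal, password)  # who is this?
    authorize(principal, account)                          # may they do it?
    return f"statement for {account}"

def outcome(claimed_principal: str, password: str, account: str) -> str:
    """Report which of the two checks, if any, rejected the request."""
    try:
        return read_account(claimed_principal, password, account)
    except AuthenticationError:
        return "authentication failed"
    except AuthorizationError:
        return "authorization failed"
```

A request with a bad credential is rejected at the authentication step regardless of which account it names, so the authorization check never runs for an unverified subject.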