Authentication is simply how a system confirms who you are. Since websites are exposed to anyone with an internet connection, having strong authentication in place is a critical part of keeping them secure.

In practice, authentication is usually based on one or more of these factors:

Something you know – like a password, PIN, or the answer to a security question. This is often called a knowledge factor.

Something you have – a physical item such as your phone, a hardware token, or a one-time code generator. These are known as possession factors.

Something you are or how you behave – things like fingerprints, facial recognition, or behavioral patterns. These fall under inherence factors.

Most authentication systems combine different technologies to check one or more of these factors and confirm a user’s identity.

It’s also important to understand how authentication differs from authorization.

Authentication answers the question: “Who are you?”
Authorization answers the question: “What are you allowed to do?”

For example, when someone logs in using the username Carlos123, authentication confirms that the person trying to log in is actually the owner of that account.

Once Carlos123 is successfully authenticated, authorization kicks in to determine what actions they’re permitted to perform—such as viewing certain data, managing settings, or even deleting another user’s account.

In short, authentication proves identity, while authorization controls access and permissions.