Authentication and Authorization

Generally speaking, the term authentication refers to any process of verification that someone, be it a human being or an automated system, is who (or what) it claims to be. This is also true within the context of the World Wide Web (WWW), where that same word is mostly used to denote any technique used by a website or service to collect a set of login information from a user agent, typically a web browser, and authenticate them using a membership and/or identity service.

Authentication should never be confused with authorization: it is a different process with a very different task. To give a quick definition, the purpose of authorization is to confirm that the requesting user is allowed to perform the action they want to perform. In other words, while authentication is about who they are, authorization is about what they're allowed to do.

To better understand the distance between these two apparently similar concepts, we can think of two real-world scenarios:

  • A free, yet registered account trying to gain access to a paid or premium-only service or feature; this is a common example of authenticated, yet not authorized access; we know who they are, yet they're not allowed to go there
  • An anonymous user trying to gain access to a publicly available page or file; this is an example of non-authenticated, yet authorized access; we don't know who they are, yet they can access public resources just like everyone else
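The two scenarios above, as an added example that is not from the book: a minimal Python access check that keeps identity resolution (authentication) and permission evaluation (authorization) as two separate steps, so that an anonymous request still passes through authorization and an unlisted resource fails closed. The session store, resource policy, paths and role names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed session store: session token -> user record (hypothetical data).
SESSIONS = {
    "tok-alice": {"user": "alice", "roles": {"free"}},
    "tok-bob": {"user": "bob", "roles": {"free", "premium"}},
}

# Constructed resource policy: role required to access a path; None = public.
RESOURCE_POLICY = {
    "/": None,
    "/docs/intro.html": None,
    "/reports/premium": "premium",
}

DENY = object()  # sentinel for paths with no policy entry (fail closed)


@dataclass
class Principal:
    user: Optional[str]          # None means anonymous
    roles: set = field(default_factory=set)

    @property
    def is_authenticated(self) -> bool:
        return self.user is not None


def authenticate(session_token: Optional[str]) -> Principal:
    """Authentication: who is this? A missing or unknown token yields an anonymous principal."""
    record = SESSIONS.get(session_token) if session_token else None
    if record is None:
        return Principal(user=None)
    return Principal(user=record["user"], roles=set(record["roles"]))


def authorize(principal: Principal, path: str) -> bool:
    """Authorization: may this principal access this path? Evaluated for everyone, anonymous included."""
    required = RESOURCE_POLICY.get(path, DENY)
    if required is DENY:
        return False            # no policy for this path: deny rather than assume public
    if required is None:
        return True             # public resource: anonymous access is authorized
    return required in principal.roles


def access(session_token: Optional[str], path: str) -> tuple:
    """Returns (authenticated?, authorized?) so the two outcomes can be seen separately."""
    principal = authenticate(session_token)
    return principal.is_authenticated, authorize(principal, path)
```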