What is the difference between authentication and authorization? [Advanced]
Answer
Authentication verifies who or what the caller is. Authorization decides what that authenticated identity is allowed to do. Authentication answers 'are you really this identity?'; authorization answers 'can this identity perform this action on this resource?'.
Technical explanation
Examples of authentication include passwords, MFA, client certificates, OIDC tokens, or workload identity tokens.
Examples of authorization include RBAC permissions, IAM policies, ABAC conditions, and application-level access checks.
Strong systems need both; a valid identity with excessive permissions is still a security risk.
Hands-on example
Example: a developer authenticates to Kubernetes with SSO. Kubernetes RBAC then authorizes whether they can get pods in dev, deploy to staging, or delete secrets in production. The user may authenticate successfully but still be denied a production action.
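The following is an added example, not part of the original answer: a small Python model of the two steps the Kubernetes scenario above describes. The identity provider, signing key, user names, namespaces and RBAC bindings are all constructed for illustration and are not real Kubernetes objects or credentials; the point is that authentication (is this token genuine, and who does it belong to?) and authorization (does that identity hold a rule granting this verb on this resource in this namespace?) are evaluated separately, that RBAC is deny-by-default and additive, and that a fully authenticated user can still receive 403 for a production action.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, FrozenSet, Tuple, List

# Constructed signing key for the toy identity provider (hypothetical, not a real credential).
SECRET_KEY = b"demo-signing-key"


def issue_token(username: str) -> str:
    """Mint a signed token of the form '<user>.<hmac>' as a stand-in for an SSO/OIDC token."""
    sig = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{sig}"


def authenticate(token: str) -> Optional[str]:
    """Authentication step: verify the token signature and return the identity, or None if forged."""
    try:
        username, sig = token.rsplit(".", 1)
    except ValueError:
        return None  # malformed token, no identity established
    expected = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return username


@dataclass(frozen=True)
class Rule:
    """One RBAC rule: a set of verbs allowed on a set of resource kinds."""
    verbs: FrozenSet[str]
    resources: FrozenSet[str]


@dataclass(frozen=True)
class RoleBinding:
    """Binds rules to subjects within a single namespace (Kubernetes-style)."""
    namespace: str
    subjects: FrozenSet[str]
    rules: Tuple[Rule, ...]


# Constructed policy: alice may read pods in dev and create/update deployments in staging.
# No binding grants alice anything in production; only a hypothetical release bot has rights there.
BINDINGS: List[RoleBinding] = [
    RoleBinding("dev", frozenset({"alice"}),
                (Rule(frozenset({"get", "list"}), frozenset({"pods"})),)),
    RoleBinding("staging", frozenset({"alice"}),
                (Rule(frozenset({"create", "update"}), frozenset({"deployments"})),)),
    RoleBinding("production", frozenset({"release-bot"}),
                (Rule(frozenset({"get", "update"}), frozenset({"deployments"})),)),
]


def authorize(user: str, verb: str, resource: str, namespace: str) -> bool:
    """Authorization step: deny by default; allow only if some binding in the namespace
    names the user and contains a rule covering both the verb and the resource."""
    for binding in BINDINGS:
        if binding.namespace != namespace or user not in binding.subjects:
            continue
        for rule in binding.rules:
            if verb in rule.verbs and resource in rule.resources:
                return True
    return False


def check_request(token: str, verb: str, resource: str, namespace: str) -> str:
    """Run both steps in order and return an HTTP-style outcome string."""
    user = authenticate(token)
    if user is None:
        return "401 Unauthenticated"          # identity not established
    if not authorize(user, verb, resource, namespace):
        return f"403 Forbidden for {user}"    # identity known, action not permitted
    return f"200 OK for {user}"


if __name__ == "__main__":
    token = issue_token("alice")
    for request in [("get", "pods", "dev"),
                    ("create", "deployments", "staging"),
                    ("delete", "secrets", "production")]:
        print(request, "->", check_request(token, *request))
    print("tampered token ->", check_request("alice.0000", "get", "pods", "dev"))
```

The order matters: the server only consults policy once it knows who is asking, and a forged token never reaches the authorization step. Conversely, the production request fails even though the token is perfectly valid, which is the "authenticated but not authorized" case the answer above describes.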