Authentication is the process of verifying a subject's claim to act on behalf of a given principal. Authentication attacks target a Web site’s method of validating the identity of a user, service, or application, and include Brute Force, Insufficient Authentication, and Weak Password Recovery Validation.
Authorization verifies whether an authenticated subject may perform a certain operation; for example, only certain users are allowed to access specific content or functionality. Authentication must precede authorization.
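
The ordering described above, as an added example that is not part of the original page: a small Python request gate that authenticates first (401 on failure), authorizes second (403), and stops evaluating password guesses after repeated failures. The `Gate` class, the paths, the roles and the lockout threshold are all constructed for illustration.

```python
import hashlib, hmac, os

MAX_FAILURES = 3  # constructed lockout threshold (assumption, not from the page)

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored credentials resist offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Gate:
    def __init__(self):
        self.users = {}     # name -> (salt, password hash, roles)
        self.failures = {}  # name -> consecutive failed logins
        self.sessions = {}  # session token -> authenticated name
        self.acl = {"/admin": "admin", "/reports": "staff"}  # constructed policy

    def add_user(self, name, password, roles):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt), set(roles))

    def login(self, name, password):
        """Authentication: verify the claimed identity; return a token or None."""
        if self.failures.get(name, 0) >= MAX_FAILURES:
            return None  # locked: further guesses are not evaluated
        # Unknown users get a dummy record so both cases do the same work.
        salt, stored, _ = self.users.get(name, (b"\0" * 16, b"", set()))
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failures[name] = self.failures.get(name, 0) + 1
            return None
        self.failures[name] = 0
        token = os.urandom(16).hex()
        self.sessions[token] = name
        return token

    def handle(self, token, path):
        """Authentication check first (401), then authorization check (403)."""
        name = self.sessions.get(token)
        if name is None:
            return 401  # no verified identity: the permission check is never reached
        required = self.acl.get(path)
        if required is not None and required not in self.users[name][2]:
            return 403  # identity is verified but lacks the required role
        return 200
```

A 401 means the identity claim was not verified; a 403 means it was verified but the operation is not permitted for that subject.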