Which statement best describes authentication and authorization?

The key idea here is that authentication and authorization are two distinct steps in controlling access. Authentication is the process of verifying who you are—proving your identity with something you know (password), something you have (token), or something you are (biometrics). Authorization comes after authentication and decides what you’re allowed to do or which resources you can access based on your identity and granted permissions. That’s why the statement that authentication proves identity while authorization determines what resources the user can access is the best description. It reflects the sequence and the separation: first confirm who someone is, then determine what they’re allowed to do. The other options mix up these roles or claim they’re the same. For example, saying authentication determines resources reverses the roles, and saying they’re the same ignores that access controls depend on permissions assigned after identity is verified.