Security: Identification, Authentication, and Authorization
Many grapple with the concept of authentication in information security. What tends to happen is that they confuse authentication with identification or authorization. They are in fact all distinct concepts, and should be thought of as such. Let’s go over each and give an example or two:
Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don’t know, and they ask you who they’re speaking to. When you say, “I’m Jason.”, you’ve just identified yourself.
In the information security world, this is analogous to entering a username. It’s not analogous to entering a password. Entering a password is a method for verifying that you are who you identified yourself as, and that’s the next one on our list.
Authentication is how one proves that they are who they say they are. When you claim to be Jane Smith by logging into a computer system as “jsmith”, it’s most likely going to ask you for a password. You’ve claimed to be that person by entering the name into the username field (that’s the identification part), but now you have to prove that you are really that person. Most systems use a password for this, which is based on “something you know”, i.e. a secret between you and the system.
Another form of authentication is presenting something you have, such as a driver’s license, an RSA token, or a smart card. You can also authenticate via something you are. This is the foundation for biometrics. When you do this, you first identify yourself and then submit a thumb print, a retina scan, or another form of bio-based authentication.
Once you’ve successfully authenticated, you have now done two things: you’ve claimed to be someone, and you’ve proven that you are that person. The only thing that’s left is for the system to determine what you’re allowed to do.
Authorization is what takes place after a person has been both identified and authenticated; it’s the step determines what a person can then do on the system.
An example in people terms would be someone knocking on your door at night. You say, “Who is it?”, and wait for a response. They say, “It’s John.” in order to identify themselves. You ask them to back up into the light so you can see them through the peephole. They do so, and you authenticate them based on what they look like (biometric). At that point you decide they can come inside the house.
If they had said they were someone you didn’t want in your house (identification), and you then verified that it was that person (authentication), the authorization phase would not include access to the inside of the house.
It’s interesting to note that these three steps take place every day in a very transparent fashion. When your boss calls you at work and asks to meet you across town for lunch, two things happen instantly — usually at the exact same time: just by hearing the boss’s voice you have both identified and authenticated them. Identification doesn’t have to be done by the person being identified; it can be done by the person doing the identifying as well.
Another interesting hybrid is trying to get into a night club. When you get to the door and present your I.D., you’re not just claiming you are that person, but you’re presenting the I.D. as proof — that’s both steps in one. The result of whether or not your authentication was accepted as authentic is what determines whether or not you will be given authorization to get into the club.
Adding a bit of authorization to that analogy, it may be a club where you’re allowed to get in once you prove who you are, but you only get a wrist band that allows you to consume alcohol if you’re over 21, and otherwise you’re not allowed to. This would be authorization because it’s assigning you privileges based on some attribute of your identity.