Identification, Authentication & Authorization
Identification, Authentication & Authorization are important pillars of every IT implementation. During my last IT projects, I noticed that the three terms are often interchanged, confused, or thrown together even though they describe different concerns.
There is a clear separation between Identification, Authentication & Authorization. With the guide below and the provided examples you will never confuse those terms again — promised.
In the context of Identification, a person states who he/she claims to be. An everyday life example is presenting an ID card at the airport or at the border to a different country.
In the IT world, Identification describes the same: telling the system who you are. This can be done by entering a user name & password combination into a login form or inserting your ATM card into the cash machine.
Authentication describes the process of proving that you are who you say you are. It is the actual verification of the user’s claimed identity and is usually performed by a trusted entity. A real-world example is a police officer checking your ID card for forgery and comparing it with the person in front of him/her.
The result of Authentication is either positive or negative. It verifies or falsifies the user’s identity based on the characteristics provided.
In IT there are several examples of Authentication. Think of a server checking whether the combination of user name and password exists in the system, or a browser verifying the authenticity of a website with a digital certificate. Another example is your mobile phone verifying your fingerprint.
There are different categories of Authentication which are often used in combination. You can be authenticated based on…
- Something that only you know — e.g. a password or personal questions like the name of your first dog.
- Something that only you own — e.g. your smartphone or a specific token.
- Something that only you are — e.g. your fingerprint or your face recognized by facial recognition.
- Where you are — e.g. based on geolocation or your IP address — an example is a university that provides access to an online library only to IP addresses from within the university IP address range.
Authorization describes granting access to certain privileges based on the successfully proven identity. For example, you are getting access to a certain seat in the first class of a flight based on your ticket & passport. Or you are getting authorized to access a company building based on your company ID card — but only to office building 1A and not to the factory.
In IT, Authorization means the system applying the limits of the actions you are allowed to perform. An example is a user account that is authorized to create new database entries but forbidden from changing the database schema.
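To make the three steps concrete in code, here is an added Python example (mine, not from the original post) that models the database case above: a claimed user name (Identification), a PBKDF2 password check (Authentication), and a privilege lookup that allows creating rows but not altering the schema (Authorization). The user store, salt, password and privilege names are constructed for the example.

```python
import hashlib
import hmac
from enum import Enum


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted password hash; never store or compare plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (assumption: a real system keeps this in a database
# and uses a random salt per user, e.g. os.urandom(16)).
_SALT = b"constructed-static-salt"
USERS = {"alice": {"salt": _SALT, "hash": _derive("correct horse", _SALT)}}
# Privileges granted per identity: alice may create rows, not change the schema.
PRIVILEGES = {"alice": {"db.rows.create"}}


class Outcome(Enum):
    UNKNOWN_IDENTITY = "unknown identity"
    AUTH_FAILED = "authentication failed"
    NOT_AUTHORIZED = "not authorized"
    ALLOWED = "allowed"


def identify(username: str) -> bool:
    """Identification: the caller claims to be `username`; only check that the claim names a known account."""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the claim with something only the user knows."""
    if not identify(username):
        _derive(password, _SALT)  # same work as a real check, so timing does not reveal account existence
        return False
    rec = USERS[username]
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])


def authorize(username: str, action: str) -> bool:
    """Authorization: is this verified identity permitted to perform `action`?"""
    return action in PRIVILEGES.get(username, set())


def request(username: str, password: str, action: str) -> Outcome:
    """Run the three concerns in order; each failure stops the chain."""
    # Distinct outcomes are returned here to show the separation; a public login
    # endpoint should report one generic error for unknown identity and wrong password.
    if not identify(username):
        return Outcome.UNKNOWN_IDENTITY
    if not authenticate(username, password):
        return Outcome.AUTH_FAILED
    if not authorize(username, action):
        return Outcome.NOT_AUTHORIZED
    return Outcome.ALLOWED
```

Note that a correct password still yields `NOT_AUTHORIZED` for `db.schema.alter`: being authenticated says nothing about what you may do.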
I hope this small guide and the provided examples give you a good overview and a precise differentiation between Identification, Authentication & Authorization. Memorize it so you never confuse them again in one of your next IT projects, and shine in front of your coworkers.