The Difference between Identification and Authentication
This is a guest post by Michael Austin, who writes his blog at www.mikazo.com.
Identification and authentication are concepts that appear very often in discussions of information security. Each has a different meaning, but the two are often confused with one another. Identification and authentication usually take place at the same time, for example when an individual requests permission to perform an action or when an individual wishes to know that something he or she received really is what it claims to be and really comes from whom it claims to come from.
This leads to the questions identification and authentication are meant to answer. Identification implies questions of “Who is someone?” and “How do I know they really are who they say they are?”. Authentication implies questions such as “Is something genuine?” and “Is someone allowed to have access to something?”. There are various ways of answering each of these questions, which are based on both fundamental concepts and technology.
Perhaps an example would better illustrate the difference between authentication and identification. Imagine you walk up to an Automatic Teller Machine, insert your bank card, enter your PIN, and withdraw $20. Both identification and authentication took place to allow you to complete the transaction, but which steps satisfied which requirements?
Identification can be assured to a system by something you have, something you know, something you are, or any combination or multiple of these concepts. In our ATM example, you are using something you have (your bank card) and something you know (your PIN) to identify you. An example of something you are that could be used would be your fingerprints or your eyes (both used with biometric scanners). Ways of adding further assurance that the identification is difficult to circumvent could include having several things you know, have or are, and making use of all three categories.
When the authentication takes place in our ATM example, the bank system will use various checks and verifications to make sure that you are allowed to withdraw $20. The machine will most likely determine that your bank card is authentic, and not a copy or a fake. This could be accomplished with digital signatures and cryptography. The network also has to check your account to verify that you have $20 available for withdrawal. Also, as part of the authentication process, the identification must succeed.
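The ATM walk-through above, sketched as an added example that is not part of the original post or of any real banking system. It follows the post's split: identification uses the card and PIN, and authentication requires a genuine card, a successful identification and available funds. The key, card number, PIN, balance and three-attempt lockout are constructed assumptions, and an HMAC tag stands in for the digital signature the post mentions.

```python
import hashlib
import hmac
from dataclasses import dataclass

ISSUER_KEY = b"constructed-demo-issuer-key"  # constructed; a real issuer key lives in an HSM
MAX_PIN_ATTEMPTS = 3                         # assumed lockout policy, not from the post
CARD = "4000123412341234"                    # constructed card number

def card_tag(card_number: str) -> str:
    """Issuer's tag over the card number (HMAC stands in for a digital signature)."""
    return hmac.new(ISSUER_KEY, card_number.encode(), hashlib.sha256).hexdigest()

def pin_digest(pin: str, salt: bytes) -> bytes:
    """Salted, slow digest so the bank never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pin: bytes            # salted digest of the PIN
    balance: int          # whole dollars
    failed_pins: int = 0  # consecutive wrong PINs

# Constructed account: PIN 4821, $50 balance.
ACCOUNTS = {CARD: Account(b"constructed-salt", pin_digest("4821", b"constructed-salt"), 50)}

def identify(card_number: str, pin: str) -> str:
    """Something you have (the card) plus something you know (the PIN)."""
    acct = ACCOUNTS.get(card_number)
    if acct is None:
        return "unknown card"
    if acct.failed_pins >= MAX_PIN_ATTEMPTS:
        return "card locked"  # checked first, so a locked card ignores even the right PIN
    if not hmac.compare_digest(pin_digest(pin, acct.salt), acct.pin):
        acct.failed_pins += 1
        return "identification failed"
    acct.failed_pins = 0
    return "ok"

def withdraw(card_number: str, tag: str, pin: str, amount: int) -> str:
    """The post's authentication step: genuine card, successful identification, funds."""
    if not hmac.compare_digest(card_tag(card_number).encode(), tag.encode()):
        return "card not genuine"  # copied or altered card data fails here
    result = identify(card_number, pin)
    if result != "ok":
        return result
    acct = ACCOUNTS[card_number]
    if amount <= 0 or amount > acct.balance:
        return "withdrawal refused"
    acct.balance -= amount
    return "dispensed"
```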
Hopefully this example illustrates the difference between the two ideas of authentication and identification. There are many other examples in use in many types of physical and technological security situations, such as online transactions, access card systems in buildings, checking your email, and so on.
I’d like to thank Stuart Marsh for allowing me to write a guest post for BeardyGeek. If you enjoyed this article, there are more interesting posts to read at my blog about technology: Mikazo Tech Blog