Authentication, authorization, and identification: how not to confuse

There are three concepts to explain access control in cybersecurity: identification, authentication, and authorization. Although these terms are closely related, they have differences that need to be clarified in order to have a good understanding of the correct terminology.

Before explaining what identification, authentication, and authorization mean, we should first define two other fundamental access control terminologies: subject and object.

A subject is an active entity that has access to an object. In the example of user access to a file, the subject is the user. However, the subject does not have to be a living entity, it can also be a program or process that accesses the object.

An object is a passive component that a subject has access to. Files, printers, computers, and databases are examples of objects in an access control mechanism.

What is identification?

Identification is the procedure of recognizing the subject. This can be achieved using a user ID (e.g. login), a process ID, etc. It is very important that the claimed credentials are unique so that different entities in the system can be distinguished. That is two identical identifiers, two identical phone numbers, two identical e-mails, and so on cannot be registered in the system. For example, when trying to register, the user enters his data in the login field, and the system highlights the field with the message «Such a user is already registered in the system.» This is an example of identification.

In the authorization form shown in the screenshot, the identifier is the phone number.

What is authentication?

Once a subject identifies itself, it must be authenticated, meaning the subject must prove that it is who it claims to be. This proof of identity is achieved by providing credentials to an access control mechanism. Next, the validity of the provided credentials is checked before the authentication request is approved. In other words, authentication determines that the subject both owns and controls the provided credentials (authenticators). Some examples of credentials that can be used to verify identity are passwords, PINs, digital signatures, biometrics, etc.

Credentials used for authentication can be divided into three different groups, also called authentication factors:

• Something you know (the knowledge factor), such as a password, personal identification number (PIN), or passphrase. However, this type is weakly protected. Criminals find ways to learn the password, and the answers to the security questions can be known to the general public.

For example, the screenshot shows the type 1 authentication method, i.e. by a password.

• Something you have (possession factor) such as a smart card, memory card, smart card, or token. This method is more secure, but its cost is high.
• Something you are (biometrics) (property factor) such as a fingerprint, palm topology, hand geometry, iris/retina scan, or phase recognition. This factor is quite promising, but also expensive since the biometric system must be highly sensitive.
• Something you do (behavioral biometrics) (property factor), such as a typing pattern (keystroke dynamics), a signature pattern (signature dynamics), or a voice pattern.

If an authentication system requires at least two types of credentials that belong to different authentication categories, this is called multi-factor authentication (MFA). For example, using a password (something you know) and a fingerprint (something you are) to authenticate is considered multi-factor authentication, while using a password and PIN is not (because both passwords and PINs belong to the same factor authentication).

As an example:

1. The user is on the system authorization form.
2. The user enters his name and password (knowledge factor).
3. When the system recognizes the user, they will be prompted to start the second step of the account login process. At this stage, you need to confirm the presence of an item, such as an ID card or a smartphone, that is, to confirm the ownership factor. Usually, a one-time access code is used, sent to the corresponding phone number, then used for identity verification.
4. Finally, the user enters the access code and after the site authenticates him, he is granted access.

What is authorization?

After authentication, the system knows who the subject is that wants to access the object. Next, authorization determines the subject's access level to the object. In other words, authorization checks the availability of rights to interact with the object.

For example, in a multi-level security system where objects are marked with different classification labels (such as Top Secret, Secret, Restricted, Unclassified), the fact that a subject is authenticated does not necessarily mean that it can have full access to (or full privileges on) any object. In such a system, subjects are granted access according to their access levels. Another example is the read, write, and execute privileges assigned to file system control subjects in operating systems.

For example, you logged in as a regular user, but the system may have authorized you as an administrator. In this case, the system granted the right, for example, to edit or delete information.

This is very important from the point of view of security - how correctly the system behaves at the identification stage, then at the authentication stage, and as a result of authorization.

The tester checks that everything is going according to the requirements and that there are no errors because bugs in the identification/authentication/authorization steps can be critical.

To summarize what identification, authentication, and authorization are: identification occurs when a subject declares its identity, and authentication occurs when that subject additionally provides credentials. Once a subject is authorized, that subject's access levels and privileges are managed through an authorization mechanism.