Authentication vs Identification vs Authorization
fleeting

There are a few misunderstandings between these terms that lead to difficult discussions.
- authorization deals with access to data, no matter who or what is accessing it. There is no universal schema to represent all the kinds of data that were, are and will be, hence defining such a schema is not a topic of authorization.
- identification is about accessing a specific kind of data: information about the user's identity. There is a consensus about this kind of data, making room for a specific standard, like OpenID Connect.
- authentication is about making sure that the same entity connects from one time to another. Several factors can be used, and each strikes a different compromise between security and user experience:
  - one factor: proof that the entity has the same knowledge (like a password),
  - two factors: plus proof that the entity has the same device (like a personal security device),
  - three factors: plus proof that the entity has the same properties (like a fingerprint),
  - four factors: plus proof that the entity is in the same location (like a wifi network).
Therefore, authentication is not at all about knowing the identity of the user, and identification is not about finding out whether the same user connected this time.
Most people claim they do authentication with OpenID Connect. That is not totally false, as this is the protocol they used to get the information about the authenticated user. Yet it obscures the fact that a third party actually uses a dedicated protocol to perform the authentication.
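The separation above, as an added example that is not part of the original note (Python, with a constructed user store, salt, TOTP secret, identity table and ACL): authentication yields only a stable subject id from two factors, identification looks up claims for that id, and authorization decides on the resource regardless of who asks.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample data (not from the note): a salt, a TOTP secret and one user record.
# The subject id "sub-1" is all that authentication ever yields: "same entity as last time".
_SALT = b"constructed-salt"
_TOTP_SECRET = b"constructed-secret-0123"
SUBJECTS = {
    "alice": {
        "sub": "sub-1",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": _TOTP_SECRET,
    }
}
# Identification data lives in its own table keyed by the subject id, the way an
# OpenID Connect userinfo endpoint would serve it.
IDENTITY = {"sub-1": {"name": "Alice", "email": "alice@example.test"}}
# Authorization data says which subjects may read a resource; "*" means anyone.
ACL = {"/reports/q1": {"sub-1"}, "/public/faq": {"*"}}


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the 'same device' (possession) factor."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticate(username, password, code, now=None):
    """Two factors: knowledge (password) plus possession (TOTP device).
    Returns a stable subject id or None; it proves 'same entity', not who that is."""
    rec = SUBJECTS.get(username)
    if rec is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    pw_ok = hmac.compare_digest(rec["pw_hash"], candidate)
    otp_ok = hmac.compare_digest(code.encode(), totp(rec["totp_secret"], now).encode())
    return rec["sub"] if pw_ok and otp_ok else None  # both checked, no early exit


def identify(sub):
    """Identification: fetch identity claims for an already-authenticated subject."""
    return IDENTITY.get(sub, {})


def authorize(sub, resource):
    """Authorization: may this subject (or anyone at all) access the resource?"""
    allowed = ACL.get(resource, set())
    return "*" in allowed or sub in allowed
```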
Notes linking here
- client gets proof of authentication by asking for it
- misconceptions
- OAuth Sketch Notes Q&A - PKCE, Scopes, Security, Passwordless
- OpenIDconnect with Mike Jones