There are three frequently used concepts (Identification, Authentication, Authorization) that explain access control in cyber security. Though closely related, these terms have specific differences that need to be clarified in order to have a good grasp of correct terminology in cyber security. It is also important to understand these concepts clearly before taking cyber security certification exams like CompTIA Security+, CISSP (Certified Information Systems Security Professional), etc.
Before explaining what Identification, Authentication and Authorization are, two other fundamental access control terms, subject and object, should first be defined.
- A subject is the active entity that accesses an object. In the example of a user accessing a file, the subject is the user. However, a subject does not have to be a live entity; it could also be a program or a process accessing an object.
- An object is the passive component that is being accessed by a subject. Files, printers, computers, databases are some examples of objects in an access control mechanism.
What is Identification, Authentication and Authorization?
What is Identification?
Identification is a subject's claim of an identity. This could be achieved by a user ID, a process ID, a smart card, etc. It is critical that the asserted identifier be unique, so that different subjects in a system can be told apart.
What is Authentication?
After a subject identifies itself, it needs to be authenticated, that is, the subject needs to prove it is who it claims to be. This proof of identity is achieved by providing credentials to the access control mechanism. The access control mechanism then checks the validity of the provided credentials before approving an authentication request. In other words, authentication establishes, to some level of confidence, that the subject both possesses and is in control of the provided credentials (authenticators). Some examples of credentials that can be used to prove identities are passwords, PINs, digital signatures, biometric data, etc.
The credentials used for authentication can be categorized into four groups, which are also called authentication methods/types. In short, they are:
- Something you know, (also known as Type 1 authentication factor) such as a password, personal identification number (PIN) or passphrase.
- Something you have, (also known as Type 2 authentication factor) such as a smart card, memory card or a token.
- Something you are (biometrics) (also known as Type 3 authentication factor), such as a fingerprint, palm topology, hand geometry, iris/retina scan or face recognition.
- Something you do (behavioral biometrics) (also known as Type 3 authentication factor), such as a typing pattern (keystroke dynamics), signature pattern (signature dynamics) or voice pattern.
If an authentication system requires at least two credentials from different authentication categories, this is called multi-factor authentication. For instance, using both a password (something you know) and a fingerprint (something you are) for authentication is considered multi-factor authentication, while using both a password and a PIN is not (since both passwords and PINs belong to the same authentication category).
What is Authorization?
Once a subject is authenticated, the authentication mechanism knows who the subject that wants to access the object is. Authorization then determines the access level(s) of the subject to the object. In other words, authorization determines what the privileges of the subject are and how the subject can interact with an object.
For instance, in a multi-level security system where objects have been labeled with different classification labels (such as Top Secret, Secret, Restricted, Unclassified), the fact that a subject has been authenticated does not necessarily mean the subject has full access to any object (or full privileges over an object). In such a system, subjects are granted access according to their clearance levels. Another example is the read, write and execute privileges assigned to subjects in the file system management of operating systems.
To sum up what identification, authentication and authorization are: identification occurs when a subject claims an identity, and authentication occurs when that subject further provides one or more credentials proving that claim. Once a subject is authenticated, the access levels and privileges of that subject are managed through the authorization mechanism.
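The three steps summarized above, together with the multi-factor rule from the authentication section, as an added Python example that is not part of the original article. Everything in it is a constructed assumption for the demonstration: the single user alice with her password, PIN and hardware-token serial, the three labelled files and their rwx ACLs, the ordering of the four classification labels named in the text, and the policy that objects labelled Secret or above may only be reached after multi-factor authentication.

```python
"""Added example (not from the article): a small reference monitor that walks one
request through identification -> authentication -> authorization.
All users, secrets, objects and policy values below are constructed for the demo."""
import hashlib
import hmac

# Ordering of the classification labels named in the article (lowest to highest).
LEVELS = ["Unclassified", "Restricted", "Secret", "Top Secret"]

# Which of the article's four categories each authenticator kind belongs to.
# Only password, pin and hw_token are verifiable in this demo; the others are
# listed so the category mapping is complete.
CATEGORY = {
    "password": "something you know",
    "pin": "something you know",
    "hw_token": "something you have",
    "fingerprint": "something you are",
    "keystroke_dynamics": "something you do",
}


def hash_password(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash: a stolen user database does not yield the cleartext secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# Constructed subject database (a real system uses a random per-user salt).
_SALT = b"demo-salt-alice"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "pin_hash": hash_password("4821", _SALT),
        "hw_token": "TOKEN-0001",      # serial of her hardware token (constructed)
        "clearance": "Secret",
    },
}

# Constructed object database: classification label plus a per-subject rwx ACL.
OBJECTS = {
    "/docs/budget.txt":   {"label": "Restricted", "acl": {"alice": "rw"}},
    "/docs/ops-plan.txt": {"label": "Secret",     "acl": {"alice": "r"}},
    "/docs/codeword.txt": {"label": "Top Secret", "acl": {"alice": "r"}},
}


def identify(claimed_id: str):
    """Identification: look up the claimed (unique) identifier. Returns the record or None."""
    return USERS.get(claimed_id)


def authenticate(claimed_id: str, presented: dict) -> set:
    """Authentication: verify every presented authenticator against the stored one.
    Returns the set of CATEGORIES that were proven; an empty set means failure.
    A single bad authenticator fails the whole request."""
    record = identify(claimed_id)
    if record is None:
        # Spend the same hashing cost for unknown IDs so timing does not reveal valid ones.
        hash_password("dummy", b"dummy-salt")
        return set()
    proven = set()
    for kind, value in presented.items():
        if kind == "password":
            ok = hmac.compare_digest(hash_password(value, record["salt"]), record["pw_hash"])
        elif kind == "pin":
            ok = hmac.compare_digest(hash_password(value, record["salt"]), record["pin_hash"])
        elif kind == "hw_token":
            ok = hmac.compare_digest(value.encode(), record["hw_token"].encode())
        else:
            ok = False  # kinds this demo cannot verify count as failed
        if not ok:
            return set()
        proven.add(CATEGORY[kind])
    return proven


def is_multi_factor(proven: set) -> bool:
    # The article's rule: at least two credentials from DIFFERENT categories.
    return len(proven) >= 2


def authorize(subject: str, proven: set, obj_name: str, perm: str) -> tuple:
    """Authorization: may the authenticated subject perform perm ('r', 'w' or 'x')
    on the object? Returns (allowed, reason)."""
    if not proven:
        return False, "not authenticated"
    obj = OBJECTS.get(obj_name)
    if obj is None:
        return False, "no such object"
    record = USERS[subject]
    # Multi-level rule: the subject's clearance must be at or above the object's label.
    if LEVELS.index(record["clearance"]) < LEVELS.index(obj["label"]):
        return False, f"clearance {record['clearance']} below label {obj['label']}"
    # Constructed policy: Secret and above additionally require multi-factor authentication.
    if LEVELS.index(obj["label"]) >= LEVELS.index("Secret") and not is_multi_factor(proven):
        return False, "multi-factor authentication required for this label"
    # Discretionary rule: the rwx ACL entry must grant the requested permission.
    granted = obj["acl"].get(subject, "")
    if perm not in granted:
        return False, f"ACL grants '{granted}', not '{perm}'"
    return True, "allowed"


def access(claimed_id: str, presented: dict, obj_name: str, perm: str) -> tuple:
    """Full pipeline: identification -> authentication -> authorization."""
    return authorize(claimed_id, authenticate(claimed_id, presented), obj_name, perm)


if __name__ == "__main__":
    pw = {"password": "correct horse battery staple"}
    print(access("alice", pw, "/docs/budget.txt", "r"))
    print(access("alice", {**pw, "pin": "4821"}, "/docs/ops-plan.txt", "r"))
    print(access("alice", {**pw, "hw_token": "TOKEN-0001"}, "/docs/ops-plan.txt", "r"))
    print(access("alice", {**pw, "hw_token": "TOKEN-0001"}, "/docs/codeword.txt", "r"))
```

Note how each stage answers a different question: identify() only resolves a claimed name, authenticate() returns which factor categories were proven rather than a bare yes/no, and authorize() combines the mandatory clearance check, the MFA policy and the discretionary ACL before any access is granted. A password plus a PIN still yields one proven category, so it is refused for Secret material exactly as the article's example says.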
"If someone steals your password, you can change it. But if someone steals your thumbprint, you can't get a new thumb. The failure modes are very different."
Bruce Schneier
To learn more about authentication, you could also read our article What is Multi-Factor Authentication?