Identification, authentication & authorization: what’s the difference?

Digital Identification - Blogpost Connective

When talking about digital identity, we often use terms such as identification, authentication and authorization. But we can imagine that for companies investigating a solution to identify their customers digitally, the difference between these distinct terms might not always be clear.

That is why we want to explain in detail what each of these terms actually means and how they differ in meaning, security role and so on. Let’s jump right in!

Identification

The first one is the most straightforward. Digital identification refers to a person claiming to be somebody. This is mostly done by entering a username or email address, or by reading out an eID, BankID, smart card or anything else that can uniquely identify a subject. In information security terms, you can compare it to entering a username or personal information such as name and birth date, because this reflects who you are (or who you claim to be).

In this phase you are NOT required to enter a password or PIN code, because that is a method for verifying that you are who you claim to be, which is next on our list. The process of identification is often seen in face-to-face situations in banks or hospitals, where they need your identification data and you simply insert your eID so the information stored on the microchip can be read out. No password is requested in this process.

Authentication

As mentioned above, authentication is the process of proving that you are who you say you are. Once you have claimed to be someone, whether by entering a username, filling in a name field or any other means, the next step is to prove that you really are the person trying to gain access. This is authentication, and it can rely on different factors.

Something you know

Most systems base their authentication on ‘something you know’, such as a password or a PIN code. It is essentially a secret shared between you and the system, and the system will authenticate you as the person you claim to be if you enter the password or PIN code correctly.

Something you have

Another form of authentication is presenting ‘something you have’. This can be a smart card, a driver’s license or a USB token, for example. A smart card is actually a combination of two factors: it is a card with a microchip and one or more certificates (something you have), but it often requires a PIN code (something you know) to complete the process. This is what we call multi-factor authentication, which we explain further below.

Something you are

The last form of authentication is ‘something you are’. This may sound strange, but it is nevertheless one of the most common ways of authenticating in a consumer’s daily life. How do you unlock your phone? Our guess is that 95% of the people reading this unlock their phone with a fingerprint or a face scan. There you have it! Something you are is the foundation of biometrics, such as a fingerprint, retina scan, face ID and more. It authenticates users by matching a physical characteristic of the person to the value enrolled in the system.

Multifactor Authentication

If more than one factor of authentication is used, it is called multi-factor authentication. Consider a top-secret research organization where a person has to show an access ID card, then enter a PIN and then have a fingerprint scanned to get access (something you have + something you know + something you are): this organization has deployed multi-factor authentication.

So now that we’ve successfully identified and authenticated ourselves, two things happened: we claimed to be someone and we’ve successfully proven that our claim is true. Now there’s only one more thing left for the system to determine: what are you allowed to do?

Authorization

Authorization is often the last step of the process. After a person has been both identified and authenticated, it is the step that determines what that person is allowed to do on the system.

It’s also important to know that there is no meaningful authorization without identification and authentication. Suppose, for instance, that everyone logs in with the same account: you can only grant certain rights to everyone or block certain rights for everyone. If people share one account, there is no way to differentiate between users.

If different users are authenticated with different accounts, then it is possible to grant them different levels of access or possibilities, based on their identity. For instance, an admin in a system has more rights and deeper access to the system than a regular user.
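The three steps described above, as a small added example (not Connective’s code): a constructed in-memory user store, identification by username, authentication with two factors (a password and a token code), and authorization derived from the authenticated user’s role. All names and the user data are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed, in-memory user store (hypothetical; a real system uses a database).
@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes     # something you know, stored only as a salted PBKDF2 hash
    token_key: bytes   # something you have: key shared with the user's token
    role: str          # basis for authorization decisions

# Role-based permissions: an admin can do more than a regular user.
PERMISSIONS = {"user": {"read"}, "admin": {"read", "write", "delete"}}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def token_code(key: bytes, counter: int) -> str:
    """Simplified HOTP-style 6-digit code such as a hardware token would show."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def register(store: Dict[str, User], username: str, password: str, role: str) -> User:
    salt = secrets.token_bytes(16)
    store[username] = User(username, salt, hash_password(password, salt),
                           secrets.token_bytes(32), role)
    return store[username]

def identify(store: Dict[str, User], username: str) -> Optional[User]:
    """Identification: the subject claims an identity; nothing is proven yet."""
    return store.get(username)

def authenticate(user: User, password: str, code: str, counter: int) -> bool:
    """Authentication: two factors of different kinds, both must pass."""
    know_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    have_ok = hmac.compare_digest(token_code(user.token_key, counter), code)
    return know_ok and have_ok

def authorize(user: User, action: str) -> bool:
    """Authorization: what the proven identity may do, derived from its role."""
    return action in PERMISSIONS.get(user.role, set())

def login_and_act(store, username, password, code, counter, action) -> str:
    user = identify(store, username)
    if user is None or not authenticate(user, password, code, counter):
        return "denied: authentication failed"  # same answer for unknown user and bad secret
    return "allowed" if authorize(user, action) else "denied: not authorized"
```

Because each user authenticates with their own account, the last function can give an admin and a regular user different answers for the same action, which is exactly what a shared account would make impossible.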

Connective offers multiple ways of identification, authentication and authorization with its eSignatures and Identity Hub solutions. If you have any questions on the possibilities within our solutions, do not hesitate to contact us. We are more than happy to show you the numerous options.