How identification, authentication, and authorization differ

It happens to every one of us every day. We are constantly identified, authenticated, and authorized by various systems. And yet, many people confuse the meanings of these words, often using the terms identification or authorization when, in fact, they are talking about authentication.

That’s no big deal as long as it is just an everyday conversation and both sides understand what they are talking about. It is always better to know the meaning of the words you use, though, and sooner or later, you will run into a geek who will drive you crazy with clarifications, whether it’s authorization versus authentication, fewer or less, which or that, and so on.

So, what do the terms identification, authentication, and authorization mean, and how do the processes differ from one another? First, we will consult Wikipedia:

  • Identification is the act of indicating a person or thing’s identity.”
  • Authentication is the act of proving […] the identity of a computer system user” (for example, by comparing the password entered with the password stored in the database).
  • Authorization is the function of specifying access rights/privileges to resources.”

You can see why people who aren’t really familiar with the concepts might mix them up.

Using raccoons to explain identification, authentication, and authorization

Now, for greater simplicity, let’s use an example. Let’s say a user wants to log in to their Google account. Google works well as an example because its login process is neatly broken into several basic steps. Here is what it looks like:

  • First, the system asks for a login. The user enters one and the system recognizes it as a real login. This is identification.
  • Google then asks for a password. The user provides it, and if the password entered matches the password stored, then the system agrees that the user indeed seems to be real. This is authentication.
  • In most cases, Google then asks for a one-time verification code from a text message or authenticator app, too. If the user enters that correctly as well, the system will finally agree that he or she is the real owner of the account. This is two-factor authentication.
  • Finally, the system gives the user the right to read messages in their inbox and such. This is authorization.

Authentication without prior identification makes no sense; it would be pointless to start checking before the system knew whose authenticity to verify. One has to introduce oneself first.

Along the same lines, identification without authentication would be silly. Anyone could enter any login that existed in the database — the system would need the password. But someone could sneak a peek at the password or just guess it. Asking for further proof that only the real user can have, such as a one-time verification code, is better.

By contrast, authorization without identification, let alone authentication, is quite possible. For example, you can provide public access to your document in Google Drive, so that it is available to anyone. In that case you might see a notice saying that your document is being viewed by an anonymous raccoon. Even though the raccoon is anonymous, the system did authorize it — that is, grant it the right to view the document.

However, if you had given the read right only to certain users, the raccoon would have had to get identified (by providing its login), then authenticated (by providing the password and a one-time verification code) to gain the right to read the document (authorization).

When it comes to reading the contents of your mailbox, Google will never authorize an anonymous raccoon to read your messages The raccoon would have to introduce itself as you, with your login and password, at which point it would no longer be an anonymous raccoon; Google would identify it as you.

So, now you know in what ways identification is different from authentication and authorization. One more important point: Authentication is perhaps the key process in terms of the security of your account. If you are using a weak password for authentication, a raccoon could hijack your account. Therefore: