The Three A’s: Authentication

When I start talking with folks about security, one of the areas of confusion I often find has to do with the three A’s of security. Specifically, the difference between the first two: authentication and authorization. Let’s look at the first today. 

Authentication is simply proving who you are. With authentication we are confirming identity. We are not worried about permissions. That’s authorization and that’s separate from authentication. 

The traditional way we authenticate in the computer world is by specifying a username and password. However, because a password can be captured, guessed, or reused by anyone who obtains it, we often rely on multi-factor solutions to prove identity. The traditional way to think of multi-factor is two or more of the following:

  • What you have
  • What you know
  • What you are

For instance, you enter a password (what you know) and then a pseudo-random series of letters and numbers that is either generated by an application or a hardware fob, or read from a grid card (what you have).
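As an added example (not code from the original post), the script below puts those two factors together the way a server would check them: the password ("what you know") is verified against a salted PBKDF2 hash, and the one-time code ("what you have") is verified with TOTP (RFC 6238 on top of HOTP, RFC 4226), which is what authenticator apps and most fobs implement. The user record, the sample password, and the fixed timestamp are constructed for the demo; only the Python standard library is used.

```python
"""Two-factor authentication check (added example): a password plus a
time-based one-time code.  Standard library only: PBKDF2 for password
storage, HMAC-SHA1 for HOTP/TOTP."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# --- "what you know": salted password hashing --------------------------------

def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000):
    """Return (salt, derived_key).  The server stores these, never the password."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, key

def verify_password(password: str, salt: bytes, stored_key: bytes, rounds: int = 200_000) -> bool:
    _, candidate = hash_password(password, salt, rounds)
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, stored_key)

# --- "what you have": HOTP / TOTP -------------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + delta * step, step).encode(), code.encode())
        for delta in range(-skew, skew + 1)
    )

# --- both factors together ---------------------------------------------------

def enroll(password: str) -> dict:
    """Server-side record for a user.  The TOTP secret is shared with the user's
    authenticator app once (typically as base32 in a QR code) and never sent again."""
    salt, key = hash_password(password)
    return {"salt": salt, "key": key, "totp_secret": secrets.token_bytes(20)}

def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Identity is confirmed only when both factors check out.  Both checks always
    run, so a wrong password is not distinguishable from a wrong code by timing."""
    password_ok = verify_password(password, record["salt"], record["key"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return password_ok and code_ok

if __name__ == "__main__":
    user = enroll("correct horse battery staple")   # constructed sample credential
    now = 1_700_000_000                              # fixed timestamp so the demo is repeatable
    current = totp(user["totp_secret"], now)         # what the user's app would display
    print("base32 secret for the app :", base64.b32encode(user["totp_secret"]).decode())
    print("good password + live code :", authenticate(user, "correct horse battery staple", current, now))
    print("good password + stale code:", authenticate(user, "correct horse battery staple", current, now + 120))
    print("bad password  + live code :", authenticate(user, "Tr0ub4dor&3", current, now))
```

Note that the server never stores the password itself, only the salt and derived key, while it does have to store the TOTP secret in the clear (or encrypted at rest), because it must recompute the same code the user's device produces; that asymmetry is why a leaked user database exposes the second factor more directly than the first.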

There are other means by which we authenticate. For instance, the Kerberos security protocol uses a trusted third party, which in the Windows world is an Active Directory domain controller, to attest to the identity of both the client and the server. Client and server certificates work similarly, with a trusted third party, the certificate authority that issued them, providing some measure of identity verification.

To close, nothing thus far is about determining what you are allowed to do. Authentication is simply about proving identity. Permissions have nothing to do with authentication. Authentication is when you prove you are who you say you are, whether you are a person, a user account, a service, a computer, or a web site. 
