Something I forgot to mention in my post last week, about Jim Harper’s book is that it’s a quick and engaging read. Chapters are short, and each starts with a quirky, irreverant story designed to illustrate an important concept introduced in the chapter. Now, as promised, my niptick:
Three of the central concepts in the book are identification, authentication, and authorization. Harper presents identification and authentication as essentially synonyms (with the suggestion that authentication connotes a more robust form of identification), while authorization as an alternative to identification in which the identity of the person isn’t disclosed. He gives the example of an ATM card: to withdraw money from an ATM, you don’t have to demonstrate your identity, you just have to have the card and know the pin. You could be the card holder’s spouse, child, or trained monkey, for all the ATM machine knows.
However, he doesn’t seem to draw a very clear distinction between identification and authorization. After all, if I have an identical twin, then my photo ID becomes an “authorization” card for me and my twin. On the other hand, banks do issue multiple ATM cards, with separate PINs, for the same account, each intended to be used by one person. The bank probably doesn’t want its customers sharing cards, although they obviously don’t try to hard to prevent it.
It seems to me that Harper’s usage isn’t quite how these terms are used in the computer security field. Here’s how Wikipedia describes the difference between authentication and authorization:
The problem of authorization is often thought to be identical to that of authentication; many widely adopted standard security protocols, obligatory regulations, and even statutes are based on this assumption. However, more precise usage describes authentication as the process of verifying a person’s identity, while authorization is the process of verifying that a known person has the authority to perform a certain operation. Authentication, therefore, must precede authorization.
So here’s my proposal for a slightly different way of describing the concepts: identification is the process of asserting some identity. This can happen by introducing yourself at a party, showing your ID card to an officer, or meeting someone at a particular location wearing a particular color of shirt. Authentication is the process of offering evidence of one’s identity that’s robust to forgery. In face-to-face interactions, identification and authentication usually happen in the same step. In remote transactions, they’re usually separated, as when you provide a username and password. Authorization is the process of determining, given an established identity, what privileges the individual is entitled to.
Now, one of Harper’s theses is that one should use authorization instead of identification wherever possible. But in practice, it’s rarely possible to literally do authorization without identification–if you want to know if you’re authorized to get on an airplane or access a bank account, you have to know who they are. What we can do is to set up systems of third-party authentication, so that we can identify ourselves to a trusted third party (such as the Clear Card company) without having to reveal your identity to a (possibly untrusted) individual who only needs to verify your authorization.
Note that this is completely different from his example of an ATM card as an authorization device. In that case, the ATM knows exactly who you’re purporting to be. You just might not actually be the person whose name is on the card. With the Clear card, the TSA doesn’t know anything about you other than the fact that Clear has asserted that you’re on the registered traveller list.
I think this way of describing things brings out more forcefully emphasizes the fact that what’s really at issue is the right to choose who you will trust with your information. The goal of schemes like Clear isn’t so much to give you more control over whether to identify yourself, but to give you control over to whom you wish to be identified. The system works because there are two pre-existing trust links: one between Clear and you (because you’ve previously undergone a security screening with them) and the other between Clear and the TSA. As long as you and the TSA both trust clear, you don’t need to trust each other in order to do business (or in this case, let you on an airplane).
The same principle applies to financial transactions: if you want to want to make a purchase against a credit card account, you have to identify yourself. But there’s no reason you should have to identify yourself to the store. In fact, it seems to me that it’s rather stupid that they put your name or credit card number on your credit card–that invites credit card fraud in addition to needlessly giving stores an easy way to track you. It would be much better if the card only had images of the cardholder and his signature, with authentication information contained on the card itself. If you had a hard-to-read signature, the store would never know your name or credit card number unless you chose to tell them.
Harper does offer one example where you really do have authentication without identification: the San Francisco medical marijuana card. This was a card used to prove one met the requirements to receive medical marijuana under California law. To resist the enforcement efforts of the feds, the card was designed as an authorization card, without identification information: it contained the bearer’s picture and a serial number, but not his name. And no records were kept linking a serial number to a person’s name.
It seems to me that this is a genuine case of authorization without identification, but it’s not a case authorization without authentication. The holder doesn’t have to say who he is, but he still has to prove he’s the guy whose face is on the card.
With all that said, I think Harper’s policy prescription is right on: rather than centralizing identification and requiring you to identify yourself to more and more people, we should be decentralizing identification and allowing you to authenticate yourself to chosen third parties instead, relying on those third parties to assert on your behalf that you’re authorized to access various resources.