Authorization = Identification or Alternatives + Authentication

on July 14, 2006 · 18 comments

As promised in his welcome write-up of my book, Tim Lee has also picked a nit with it. Unsurprisingly, he homed in on an issue that others are likely to find difficult: terminology.

In researching the book, I found no end to the variety of uses given to words like “identification,” “authorization,” and especially “authentication.” I generally avoided the latter because it is so confusing.

So why don’t I review, and perhaps improve on, my treatment of terms in the book. I think Tim has gotten some of his thinking wrong in his comment. Because he does so after reading my book, the error is mine. I did not convey my thinking well enough to fully explain or persuade on the first shot.


First, here is a definition I give early in the book for “identification”:

“Identification” occurs when one person or entity compares the identifiers of another to a set of identifiers that he or she has previously recorded and finds a match between the two. The person making the identification, called the “verifier,” can then summon information and memories about the identified party. Identification allows a relationship to pick up where it previously left off–with anything from a conversation about last weekend’s symphony performance, to a transfer of millions of dollars, to interrogation or arrest.

I do distinguish identification and authentication, though perhaps focusing more heavily on their use in language than on a tight, legalistic definition.

A semantic difference between the words “identification” and “authentication” does reveal an important point, however: “Identification” connotes a personal transaction in which there is nearly perfect accuracy. When was the last time you didn’t recognize your sister? The word “authentication,” on the other hand, admits to a risk that a comparison might be inaccurate. When we check to see if something is “authentic,” we review its provenance, like an old painting, doing our best to make sure it is what it is claimed to be. We can never be certain because it has been hundreds of years since the painter’s hand touched the canvas. No one alive can bear witness to the painting’s authorship. But we are sure enough to go forward.

I think the Wikipedia definition Tim appeals to is not very good, particularly where it calls authorization “the process of verifying that a known person has the authority to perform a certain operation.” Gratuitously, it includes the word “known,” though people are authorized to do things all the time without being known. They may be admitted to a building (authorized to enter) because they appear to have a not unlawful purpose. They may be authorized to remove goods from a store because they have paid. Even in computer science, transactions are authorized all the time without the presence of a known person or a known computer. Hotmail authorizes access to e-mail accounts without ever knowing a person.

Likewise, I think Tim is in error to believe that identification is all that important for transactions like ATM withdrawals or air travel. (“[I]n practice, it’s rarely possible to literally do authorization without identification–if you want to know if you’re authorized to get on an airplane or access a bank account, you have to know who they are.”)

Banking is the easy case. An ATM will not refuse a transaction because the wrong person uses a card and associated PIN. Banks (and law enforcement) may draw inferences about who has used ATMs based on common uses of cards and PINs, but the machine does not identify the user.

Air travel only requires identification because of government and airline policy – not because there is anything intrinsic to traveling that requires identification. More transactions than Tim thinks can be done, and are done, without identification all the time.

I think the best place to talk about all this is in a sort of hierarchy: When we want to limit access to some good, service, or infrastructure, we require the accessor to be authorized consistent with relevant limits. (Only payors take food from store; only key holders unlock front door, etc.) Sometimes, the relevant limit in an authorization is to a specific identity (only Jim Harper signs Jim Harper’s checks), but other times authorization turns on other factors, such as paying, possession of a key, and so on.

Sometimes, there is doubt about the provenance of a proffered characteristic. Authentication is the sometimes separate step in which that provenance is checked. ([username] enters [passcode]; merchant checks credit card holder’s ID)

So, as the title of this post suggests: Authorization = Identification or Alternatives + Authentication. (But I fear the math will mislead some readers: I mean “Authorization is based on identification or alternatives, plus authentication when needed.”)

Hmmmm. This is pretty good. Maybe not great. Tim? Others?

  • http://abstractfactory.blogspot.com/ Cog

    You seem to be confusing the issue of authorization (i.e., matching an identity to its privileges) with the issue of an identity’s value.

    The Hotmail user foobar123@hotmail.com is a low-value identity, and accordingly one uses low-strength mechanisms (username and password) to authenticate that identity.

    The “Jim Harper” account-holder at Bank X is a high-value identity, and accordingly one presumably uses high-strength mechanisms (principally, the various punishments available within the legal system) to authenticate that identity.

    There is no hard distinction between foobar123@hotmail.com and “Jim Harper” at Bank X. Both identities persist between interaction sessions and have associated privileges. It is not the case that one is an “identity” and the other is not.

    Also, ATM withdrawals and airplane flights do require identification, although not in precisely the way Tim means.

    First, both writing a check and making an ATM withdrawal hinge on a spoofable authentication process, so I don’t see the distinction you’re trying to draw here. Presumably there are even circumstances (you break your hand and your wife takes care of writing the checks this month) when you would want the check-writing process to be spoofed. The reason ATMs use different authentication mechanisms than checks is simply a matter of engineering the right cost/benefit tradeoff for preventing these two kinds of crime.

    Second, the process of riding on an airline flight does require identity, although not the high-value flesh-and-blood human identity that you’re talking about. When I reserve a ticket online, pick up the boarding pass at an e-ticket machine, and present that pass to board my flight, the airline necessarily cares a great deal that the person or persons who do these three things are connected somehow. If someone else spoofs the process and picks up my ticket, then the airline will have an unhappy customer on their hands. The relevant identity here is “Passenger 123”, which may represent one person or a group of people (maybe someone else makes my reservation for me and fetches my boarding pass), but it is nonetheless an identity that persists between interactions and possesses privileges.

    Where you’re getting tripped up is the fact that the airlines insist that you surrender a much longer-lived and higher-value identity, not just “Passenger 123”, for no good reason.

    Incidentally, a better discussion of the relationship between identity, authentication, and access control is found at the Wikipedia article on access control. To be blunt, you seem to be making up new definitions for words that have relatively standard meanings in computer security.

  • http://abstractfactory.blogspot.com/ Cog

    Well, it’s kind of early over here on the West Coast, so I’m less than fully coherent. Corrections…

    Re: my first paragraph above: I phrased this in an odd way. I was trying to make two points. First, your definition of identification seems to focus on the matching between a token and its associated state and privileges. To me that just sounds like authorization. There’s always an authentication step, even if that step’s as simple as recognizing your sister’s face. Second, your criteria for calling something an “identity” seems to be based on how valuable that thing is. But there’s always an identity involved whenever two interactions need to be linked. The distinction between identities and non-identities is unclear.

    The rest of my comment was an elaboration on these two ideas.

    Re: my third paragraph above: legal punishments are not better authentication mechanisms, but they are ways that we dissuade spoofing of the authentication mechanisms that exist.


  • http://www.cato.org/people/harper.html Jim Harper

    Thanks, Cog. Since both you and Tim mentioned it, I guess I should emphasize that my book is not about computer security or written with a CS audience particularly in mind. It is about human identification, and it is for everyone – perhaps especially for technical laypeople.

    Therefore, though I looked carefully at the use of terms in CS and even consulted with a friend who is a CS professor, I chose the terms that work the best, and are most consistent with their meanings, in plain English.

    You appear to be using the term “identity” where I would use “identifier.” And what you are calling the “value” of an *identity*, I would discuss as the value of a *transaction*. A low-value transaction like access to a Hotmail account requires username and passcode, two low-quality identifiers. A high-value transaction like a creation of a deed of trust will require high-quality identifiers like a signature or in-person appearance (each a use of biometrics).

    In Chapter 7, I discuss the three variables that affect identifier quality: fixity, distinctiveness, and permanence. Chapter 8 is about the role of risk management in choosing identifiers and Chapter 9 deals with advanced identification techniques that help balance the need for speed against the need for accuracy in confirming identity.

    I think we’re in general agreement on how the processes work, but we probably have much more to hash out on how to talk about it. It’s important because jargon that obscures these things from the general public will suppress the adoption of new ways of doing identification and credentialing.


  • http://abstractfactory.blogspot.com/ Cog

    The identity foobar123@hotmail.com persists between transactions, so I don’t think I’m talking about the value of a transaction. Clearly the value of an identity can be characterized as some formula over the value of all transactions that identity will ever engage in.

    Are we to understand that you make a distinction between an “identity” and an “identifier”?


  • http://www.techliberation.com/ Tim Lee

    I also think we’re in agreement about how the processes work. My girlfriend finds your terminology more intuitive than I do, so maybe I’ve just been warped by being used to the terms of art used in CS.
