Authorization = Identification or Alternatives + Authentication

by on July 14, 2006

As promised in his welcome write-up of my book, Tim Lee has also picked a nit with it. Unsurprisingly, he homed in on an issue that others are likely to find difficult: terminology.

In researching the book, I found no end to the variety of uses given to words like “identification,” “authorization,” and especially “authentication.” I generally avoided the latter because it is so confusing.

So why don’t I review, and perhaps improve on, my treatment of terms in the book. I think Tim has gotten some of his thinking wrong in his comment. Because he does so after reading my book, the error is mine. I did not convey my thinking well enough to fully explain or persuade on the first shot.

First, here is a definition I give early in the book for “identification”:

“Identification” occurs when one person or entity compares the identifiers of another to a set of identifiers that he or she has previously recorded and finds a match between the two. The person making the identification, called the “verifier,” can then summon information and memories about the identified party. Identification allows a relationship to pick up where it previously left off–with anything from a conversation about last weekend’s symphony performance, to a transfer of millions of dollars, to interrogation or arrest.

I do distinguish identification and authentication, though perhaps focusing more heavily on their use in language than on a tight, legalistic definition.

A semantic difference between the words “identification” and “authentication” does reveal an important point, however: “Identification” connotes a personal transaction in which there is nearly perfect accuracy. When was the last time you didn’t recognize your sister? The word “authentication,” on the other hand, admits to a risk that a comparison might be inaccurate. When we check to see if something is “authentic,” we review its provenance, like an old painting, doing our best to make sure it is what it is claimed to be. We can never be certain because it has been hundreds of years since the painter’s hand touched the canvas. No one alive can bear witness to the painting’s authorship. But we are sure enough to go forward.

I think the Wikipedia definition Tim appeals to is not very good, particularly where it calls authorization “the process of verifying that a known person has the authority to perform a certain operation.” Gratuitously, it includes the word “known,” though people are authorized to do things all the time without being known. They may be admitted to a building (authorized to enter) because they appear to have a not unlawful purpose. They may be authorized to remove goods from a store because they have paid. Even in computer science, transactions are authorized all the time without the presence of a known person or a known computer. Hotmail authorizes access to e-mail accounts without ever knowing a person.

Likewise, I think Tim is in error to believe that identification is all that important for transactions like ATM withdrawals or air travel. (“[I]n practice, it’s rarely possible to literally do authorization without identification–if you want to know if you’re authorized to get on an airplane or access a bank account, you have to know who they are.”)

Banking is the easy case. An ATM will not refuse a transaction because the wrong person uses a card and associated PIN. Banks (and law enforcement) may draw inferences about who has used ATMs based on common uses of cards and PINs, but the machine does not identify the user.

Air travel only requires identification because of government and airline policy – not because there is anything intrinsic to traveling that requires identification. More transactions than Tim thinks can be done, and are done, without identification all the time.

I think the best place to talk about all this is in a sort of hierarchy: When we want to limit access to some good, service, or infrastructure, we require the accessor to be authorized consistent with relevant limits. (Only payors take food from the store; only key holders unlock the front door, etc.) Sometimes, the relevant limit in an authorization is to a specific identity (only Jim Harper signs Jim Harper’s checks), but other times authorization turns on other factors, such as paying, possession of a key, and so on.

Sometimes, there is doubt about the provenance of a proffered characteristic. Authentication is the sometimes separate step in which that provenance is checked. ([username] enters [passcode]; merchant checks credit card holder’s ID)

So, as the title of this post suggests: Authorization = Identification or Alternatives + Authentication. (But I fear the math will mislead some readers: I mean “Authorization is based on identification or alternatives, plus authentication when needed.”)
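To make the hierarchy concrete in code, here is an added example (an editor’s illustration, not from the book or the original post). It models three access limits from the paragraphs above: one bound to a specific identity (only Jim Harper signs Jim Harper’s checks), one that turns on possession of a key, and one that turns on having paid. Authentication is the separate provenance step: each claim arrives as a bearer token whose HMAC tag shows the server issued it. Two of the three tokens carry no identity at all, yet they authorize, which is the post’s point. The server key, policy names and claim names are all hypothetical.

```python
"""Added example, not code from the original post: authorization keyed on
different kinds of claims, with authentication as a separate provenance check."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed, hypothetical key for the example only. A real deployment
# would keep this in a secrets store, not in source.
SERVER_KEY = b"example-key-not-for-production"


def issue_token(claims: dict) -> str:
    """Issue a bearer token: the claims plus an HMAC tag proving who issued them.

    The claims need not include an identity; a key holder or a paid shopper
    gets a token that says only that.
    """
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def authenticate(token: str):
    """Authentication: check provenance of the proffered claims.

    Returns the claims if the tag is genuine, otherwise None. This step says
    nothing about what the holder may do; it only settles whether the
    characteristic being proffered is what it is claimed to be.
    """
    try:
        b64body, b64tag = token.split(".")
        body = base64.urlsafe_b64decode(b64body)
        tag = base64.urlsafe_b64decode(b64tag)
    except (ValueError, binascii.Error):
        return None  # malformed token: provenance cannot be checked
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # tampered body or forged tag
    return json.loads(body)


# Relevant limits on each action, expressed as the claim that satisfies them.
# Only the first limit refers to an identity; the others are "alternatives".
POLICY = {
    "sign_check:jim_harper": {"identity": "jim_harper"},  # a specific person
    "unlock_front_door": {"holds_key": "front_door"},      # any key holder
    "take_goods": {"paid": True},                           # anyone who paid
}


def authorize(token: str, action: str) -> bool:
    """Authorization: identification or alternatives, plus authentication."""
    claims = authenticate(token)      # authentication when needed
    if claims is None:
        return False
    limit = POLICY.get(action)
    if limit is None:
        return False                  # no limit defined means no access
    # Does the authenticated claim satisfy the relevant limit for this action?
    return all(claims.get(k) == v for k, v in limit.items())


if __name__ == "__main__":
    jim = issue_token({"identity": "jim_harper"})
    key_holder = issue_token({"holds_key": "front_door"})
    shopper = issue_token({"paid": True})
    print("jim signs own check:", authorize(jim, "sign_check:jim_harper"))
    print("key holder signs check:", authorize(key_holder, "sign_check:jim_harper"))
    print("key holder unlocks door:", authorize(key_holder, "unlock_front_door"))
    print("shopper takes goods:", authorize(shopper, "take_goods"))
```

The separation matters in practice: `authenticate` can be swapped for a password check, a signed certificate, or a merchant looking at a driver’s license without touching `authorize`, and `POLICY` can add identity-free limits without the authentication layer ever learning who the holder is.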

Hmmmm. This is pretty good. Maybe not great. Tim? Others?
