In information security, the terms Identification, Authentication, and Authorization describe three distinct steps of access control. They are often used interchangeably, but each answers a different question: who is claiming to act, is that claim true, and what is that party allowed to do.
Identification
Identification is the process of claiming or presenting an identity, for example by typing a username. At this stage the claim is unverified. The objective of identification is to select the account, and with it the controls and permissions, that the rest of the process will be applied to.
An identity can be any of the following:
- Username or account ID
- Process ID (for processes and services acting as principals)
- Smart card (the certificate or card number it presents)
- Biometric scan (a one-to-many match that selects a person from an enrolled set), etc.
Authentication
Authentication is the process of verifying the claimed identity. To prove it, the user must present credentials that only the legitimate owner of that identity should be able to present. A knowledge credential such as a password must be known only to the user; the system should store it only in a form, such as a salted hash, from which it cannot be recovered. Possession and biometric credentials are not secrets in the same sense: their strength comes from being hard to copy rather than hard to guess.
There are several categories (factors) of authentication:
- Something you know: password, personal identification number (PIN), etc.
- Something you have: smart card, RSA SecurID token, etc.
- Something you are: physical characteristics (biometrics).
Requiring credentials from two or more different categories is multi-factor authentication (MFA); two passwords are still a single factor.
Authorization
After identification and authentication are complete, the system knows who the user is; authorization then decides what that user may do.
Note: Authorization is not possible without identification and authentication. Permissions cannot be evaluated until the system knows, with confidence, which principal is making the request.
Authorization is the process of determining which resources a verified identity may access and what type of access (read, write, delete, and so on) it has to each of them.
In large organizations, users are assigned to roles and groups, and access is granted to those roles rather than to individual users (role-based access control), so that permissions can be managed at scale.
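The three steps above, carried out in order against a tiny constructed user store, as an added example that is not part of the original page. The usernames, passwords, roles, the policy table, and the PBKDF2 iteration count are all assumptions made for the illustration. It shows where each step ends: identify() only looks up the claim, authenticate() proves it with a salted, constant-time password check, and authorize() is evaluated against a role policy only for an identity that has already been proven.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed for this example: an in-memory user store and policy. A real system would
# keep these in a database or directory; the three-step flow is the point.

PBKDF2_ITERATIONS = 100_000  # assumption: tune so one hash costs a noticeable fraction of a second


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    roles: frozenset


def make_user(password: str, roles) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(salt, hash_password(password, salt), frozenset(roles))


USERS = {
    "alice": make_user("correct horse battery staple", {"reader", "admin"}),
    "bob": make_user("hunter2", {"reader"}),
}

# Authorization policy: (resource, action) -> roles allowed to perform it.
POLICY = {
    ("reports", "read"): {"reader", "admin"},
    ("reports", "delete"): {"admin"},
}

# Used when the claimed identity does not exist, so the failure path costs the same
# as a real check and does not leak which usernames are valid.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def identify(claimed_username: str):
    """Identification: bind the *claimed* identity to a record. Nothing is verified yet."""
    return USERS.get(claimed_username)


def authenticate(claimed_username: str, password: str) -> bool:
    """Authentication: verify the claim with something the user knows."""
    record = identify(claimed_username)
    salt = record.salt if record else _DUMMY_SALT
    expected = record.password_hash if record else _DUMMY_HASH
    candidate = hash_password(password, salt)
    # Constant-time comparison; the result only counts for a record that really exists.
    matches = hmac.compare_digest(candidate, expected)
    return record is not None and matches


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: decide what the *verified* identity may do.

    The caller must only pass a username for which authenticate() succeeded."""
    record = USERS.get(username)
    if record is None:
        return False
    return bool(record.roles & POLICY.get((resource, action), set()))


def handle_request(username: str, password: str, resource: str, action: str) -> str:
    """The three steps in order. Note that HTTP's '401 Unauthorized' really means
    'not authenticated'; 403 is the genuine authorization failure."""
    if not authenticate(username, password):
        return "401 Unauthorized"
    if not authorize(username, resource, action):
        return "403 Forbidden"
    return "200 OK"
```

Two details worth noticing: the unknown-user path still performs a full PBKDF2 computation so that response time does not reveal which usernames exist, and the authorization check never sees a password, only an identity the previous step has vouched for.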
Web Authentication - Methods
The common web authentication methods are:
- Cookie-based: after login the server creates a session and gives the browser an opaque session identifier in a cookie; the session state lives on the server, which is what makes immediate revocation possible.
- Token-based: the server issues a signed token (for example a JWT) that carries the user's claims; the client sends it with each request, typically in the Authorization header, and the server verifies the signature instead of looking up stored state.
- Third-party access (OAuth, API tokens): OAuth 2.0 is an authorization (delegation) framework for granting an application limited access to a user's resources on another service. It does not by itself authenticate the user; logging users in with it requires an identity layer on top.
- OpenID: today usually OpenID Connect, the identity layer built on OAuth 2.0, which adds a signed ID token asserting who the user is.
- SAML: XML-based assertions exchanged between an identity provider and a service provider, common in enterprise single sign-on.
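The first two methods side by side, as an added example that is not part of the original page. The in-memory session store, the session and token lifetimes, and TOKEN_KEY are assumptions for the illustration; a real deployment would load the key from configuration or a KMS and keep sessions in a shared store. The cookie-based half shows why server-side state makes revocation trivial; the token-based half shows a minimal HMAC-signed token, and why the signature must be checked before any claim inside it is trusted.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# ---- Cookie-based (stateful) sessions ----
# The browser holds only an opaque, random session id; all state stays on the server.
SESSIONS = {}          # session_id -> {"user": ..., "expires": ...}; in-memory, constructed for the example
SESSION_TTL = 3600     # seconds


def create_session(username: str, now: float = None) -> str:
    """Returns the value to send as: Set-Cookie: session=<id>; HttpOnly; Secure; SameSite=Lax"""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)   # 256 bits of entropy; unguessable and meaningless
    SESSIONS[session_id] = {"user": username, "expires": now + SESSION_TTL}
    return session_id


def user_from_session(session_id: str, now: float = None):
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id)
    if session is None or session["expires"] < now:
        SESSIONS.pop(session_id, None)
        return None
    return session["user"]


def revoke_session(session_id: str) -> None:
    """Logout or forced logout: effective immediately because the state is server-side."""
    SESSIONS.pop(session_id, None)


# ---- Token-based (stateless) authentication ----
# The token carries its own claims, integrity-protected with an HMAC. Anyone can read the
# claims; only a holder of TOKEN_KEY can mint or alter one. There is no server-side entry
# to delete, so a token stays valid until 'exp' unless a denylist is added.
TOKEN_KEY = secrets.token_bytes(32)   # assumption: loaded from config or a KMS in a real deployment
TOKEN_TTL = 900                       # short-lived, precisely because revocation is hard


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, now: float = None, key: bytes = TOKEN_KEY) -> str:
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now + TOKEN_TTL)}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)   # sent as: Authorization: Bearer <token>


def user_from_token(token: str, now: float = None, key: bytes = TOKEN_KEY):
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify integrity BEFORE trusting any claim
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def forge_claims_without_key(token: str, new_sub: str) -> str:
    """What an attacker without TOKEN_KEY can do: rewrite the readable claims and reuse
    the old tag. user_from_token() must reject the result."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = new_sub
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(forged) + "." + tag_b64
```

The contrast to keep in mind: revoke_session() takes effect on the next request, while a stolen token remains valid until its exp claim passes, which is why stateless tokens are issued with short lifetimes or paired with a server-side denylist. The token here is deliberately a minimal HMAC construction rather than a full JWT; a JWT adds a header naming the algorithm, and verifiers must pin the expected algorithm rather than trust that header.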