Identification, Authentication, and Authorisation are three completely different things that should be done in exactly this order. I will explain the differences and illustrate them with two examples: a person being cleared through a guarded entrance, and an online login procedure.
Identification is the process of telling someone or something who you are. It is merely a claim without proof: stating your name, or entering your username into a login form. Identification is always done by the requester.
Authentication is the process of verifying the identity of someone or something. Authentication could be done without the identification step, but identifying before authenticating greatly reduces the risk of a false authentication. During authentication the requester tells the guard a secret, or responds to a challenge, which the guard is able to verify and link to a specific entity. In the examples: the requester shows their ID to the guard, or a password/secret is entered into the login form. As you can see, entering only a password may work, but the wrong person may get logged in if two people happen to use the same password. Identifying before authenticating reduces this risk.
Authorisation is the process of allowing someone or something to access, enter, or do specific things. To authorise, an authentication must have taken place! Authentication is always done only by the guard. Examples: the guard checks whether the authenticated person is allowed to enter that building, and the program checks whether the logged-in user is allowed to change these user details.
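The login procedure described above, as an added example in Python (it is not code from the original post). The account directory, the usernames and the permission names are constructed for the illustration; passwords are stored as salted PBKDF2 hashes and compared in constant time. The function `password_only_matches` shows the risk mentioned in the authentication paragraph: without a prior identification step, two accounts that share a password cannot be told apart.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One entry in the constructed account directory."""
    username: str
    salt: bytes
    pw_hash: bytes
    permissions: frozenset


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def create_account(username: str, password: str, permissions) -> Account:
    salt = os.urandom(16)  # per-account random salt
    return Account(username, salt, _derive(password, salt), frozenset(permissions))


# Constructed sample directory: alice and bob deliberately share a password
# so that the "password without identification" ambiguity can be shown.
ACCOUNTS = {
    a.username: a
    for a in (
        create_account("alice", "correct horse", {"read", "edit_own_details"}),
        create_account("bob", "correct horse", {"read"}),
        create_account("admin", "a-different-secret", {"read", "edit_any_details"}),
    )
}

# Dummy salt so that unknown usernames still cost one hash computation;
# this keeps the response time similar for known and unknown names.
_DUMMY_SALT = b"\x00" * 16


def identify(username: str):
    """Identification: the requester merely claims a name. No proof yet."""
    return ACCOUNTS.get(username)


def authenticate(username: str, password: str):
    """Authentication: verify the claimed identity with the secret.

    Returns the Account on success, None on failure. The identification
    step picks exactly one stored hash to compare against.
    """
    acct = identify(username)
    if acct is None:
        _derive(password, _DUMMY_SALT)  # equalise timing, then refuse
        return None
    candidate = _derive(password, acct.salt)
    if hmac.compare_digest(candidate, acct.pw_hash):
        return acct
    return None


def authorise(acct: Account, action: str) -> bool:
    """Authorisation: decided by the guard, only for an authenticated account."""
    return action in acct.permissions


def login_and_act(username: str, password: str, action: str) -> str:
    """Full flow in the order identification -> authentication -> authorisation."""
    acct = authenticate(username, password)
    if acct is None:
        return "denied: authentication failed"
    if not authorise(acct, action):
        return "denied: not authorised"
    return f"ok: {username} may {action}"


def password_only_matches(password: str):
    """Authentication without identification: every account whose hash
    matches is a candidate, so a shared password yields several users."""
    return sorted(
        u for u, a in ACCOUNTS.items()
        if hmac.compare_digest(_derive(password, a.salt), a.pw_hash)
    )


if __name__ == "__main__":
    print(login_and_act("alice", "correct horse", "edit_own_details"))
    print(login_and_act("bob", "correct horse", "edit_own_details"))
    print(login_and_act("mallory", "correct horse", "read"))
    print("password-only candidates:", password_only_matches("correct horse"))
```

Because the username selects a single stored hash, the authentication step always answers for exactly one entity; the authorisation step then consults that entity's permissions and nothing else. The dummy derivation for unknown usernames is a common hardening detail and an assumption of this example, not something the post prescribes.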
Last update: 2024-12-24