Comparing Identification and Authentication

A key part of any access control system is the identification of individuals. If you can’t identify individuals, everyone is anonymous. If everyone is anonymous, there is no way you can control access to different resources. Either everyone has access or no one does.

However, if you are able differentiate between different users, you can grant access to some users while denying access to other users. This process starts with identification. In many authentication systems, the identity of a user is simply the user’s name. The user professes to be a specific person by using that person’s logon name, and they validate the identity by providing additional authentication, such as a password.

EXAM TIP Identification occurs when a user professes, or claims, an identity by presenting the identity to a system.

Figure 2-1 shows the overall process of identification, authentication, and authorization. First, the user claims an identity, such as with a user name, and is authenticated (by validating a password, for example). Then access controls (such as permissions) authorize the user to access the resources. If these three steps don’t come together, the user is not able to access the resource.

Figure 2-1 Identification, authentication, and authorization

Just because someone knows a username doesn’t mean they are authenticated. They must also prove their identity by providing authentication data, such as a password. Once the user is authenticated, the system grants access to different resources.

TIP It’s important to realize that just because someone claims or professes an identity by using a logon name, the user’s identity isn’t validated until he or she authenticates.