The three terms identity, authentication, and authorization are often confusing for technologists.
This is unsurprising. There are dozens of open-source and commercial offerings [1], decades of development, and at least 23 acronyms to get one’s head around [2].
This complexity obfuscates more than it reveals. In reality, these ideas are easy to grasp.
These concepts are fundamental to the human experience — not just for apps, but for nearly all offline interactions, too. From dealing with governments and banks for basic services to getting drinks at a bar, we all use identity, authentication, and authorization to get things done.
The aim of this blog post is to provide a high-level understanding of the key concepts of identity, authentication, and authorization. In future posts, I will dig deeper into how these ideas are implemented in real-world systems.
With a solid grasp of the fundamentals, you'll be equipped to discuss these topics when they come up and understand how they fit together in practice.
Let’s start!
Identity is the most fundamental concept that underpins authentication and authorization. But thankfully, you already intuitively know what identity is.
Identity is who you [3] are — it’s your essence as an individual [4].
Identification is the process of sharing your identity using an identifier. In the real world, an identifier could be your name, Social Security Number, or your driving license. In the online world, it could be your email address, a public key, or your device’s IP address. The key is that each identifier points to only one identity [5].
Authentication is the process of verifying that a presented identifier belongs to the claimed identity.
In the real-world example of a driving license, I can authenticate you by checking that you look like the person in the picture on your driving license, or by checking that you know information on it that would be hard to learn. Few people in the world look similar to you and also know your birthday [6], so if I trust the driving license is valid — that it has been issued by the relevant agency — and that you look like the person on it, then I can verify that you are the person you claim to be.
Generally speaking, there are three [7] ways for someone to authenticate themselves:
Teenagers eager for their first drink will happily spend time sourcing and forging driving licenses and remembering fictional birthdays, so they aren’t the strongest means of authentication. However, they work well enough in most circumstances.
Luckily, we have better methods for authentication online. We’ll discuss how authentication is implemented in online systems in the next post, but before we dig into that, there’s one more concept we need to understand.
If you take one thing away from this post, it should be that authorization and authentication are two different things.
Authentication is verifying an identity. Authorization happens after authentication and is the process of approving or denying access.
In the driving license example above, authorization happens when the doorman checks if an authenticated guest is old enough to enter the bar.
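The doorman flow from the driving license example, as an added sketch that is not from the original post: authentication and authorization are separate checks that fail independently. The agency key, names, dates, and minimum age of 21 are constructed assumptions, and an HMAC stands in for the license's anti-forgery features.

```python
import hashlib
import hmac
from datetime import date

# Constructed values for illustration only (assumptions, not from the post).
# A real issuer would use a public-key signature so verifiers hold no signing key.
AGENCY_KEY = b"constructed-demo-key"
MIN_AGE = 21  # assumed bar policy


def _tag(name: str, birthday: date) -> str:
    """Agency's seal over the identifier and the birthday bound to it."""
    payload = f"{name}|{birthday.isoformat()}".encode()
    return hmac.new(AGENCY_KEY, payload, hashlib.sha256).hexdigest()


def issue_license(name: str, birthday: date) -> dict:
    return {"name": name, "birthday": birthday, "tag": _tag(name, birthday)}


def authenticate(lic: dict, claimed_birthday: date) -> bool:
    """Is the license genuine, and does the holder know what is on it?"""
    genuine = hmac.compare_digest(_tag(lic["name"], lic["birthday"]), lic["tag"])
    return genuine and claimed_birthday == lic["birthday"]


def authorize(lic: dict, today: date) -> bool:
    """Policy decision about an already authenticated guest: old enough?"""
    b = lic["birthday"]
    age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
    return age >= MIN_AGE


def doorman(lic: dict, claimed_birthday: date, today: date) -> str:
    if not authenticate(lic, claimed_birthday):
        return "unauthenticated"  # we cannot establish who this is
    if not authorize(lic, today):
        return "forbidden"        # we know who this is; policy says no
    return "admitted"


# Constructed sample guests.
TODAY = date(2024, 6, 1)
ADULT = issue_license("Alex", date(1990, 5, 17))
MINOR = issue_license("Sam", date(2010, 3, 2))
ALTERED = dict(MINOR, birthday=date(1990, 1, 1))  # edited birthday, stale seal
```

The minor with a genuine license passes authentication and is refused at authorization, while the altered license never reaches the age check at all.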
So, in summary:
In the next post (released soon!), I'll explain how these concepts work in software systems.
[1] OAuth, Supabase, Clerk, Zanzibar, OPA, the list goes on… — these all either solve similar or different problems with similar or different approaches
[2] I can think of IAM, JWT, OAuth, OIDC, … you get the idea!
[3] In most technical settings, you can be you — the human (!) reading this blog post — but also a machine, such as a script or a browser.
[4] Let’s unpack the phrase “you are” that I just used. You contain multitudes: friendships, affinities, enemies, personality, appearance, knowledge, presence, skills, and much else. These all roll up and form your identity.
But defining exactly what makes a specific human that specific human and not any other human is outside the scope of this blog post. Interestingly, it’s an open philosophical problem — it’s unclear if you are you over time.
[5] This is simplifying and ignoring group identity.
[6] 🙃
[7] Arguably there’s a fourth mechanism: social authentication — using other people’s beliefs to attest that you are you.
This post originally appeared on my personal blog.