These three terms: , , and , are often confusing for technologists. identity authentication authorization This is unsurprising. There are dozens of open-source and commercial offerings [1], decades of development, and at least 23 acronyms to get one’s head around [2]. This complexity obfuscates more than it reveals. In reality, these ideas are easy to grasp. These concepts are fundamental to the human experience — not just for apps, but for nearly all offline interactions, too. From dealing with governments and banks for basic services to getting drinks at a bar, we all use identity, authentication, and authorization to get things done. The aim of this blog post is to provide a high-level understanding of the key concepts of identity, authentication, and authorization. In future posts, I will dig deeper into how these ideas are implemented in real-world systems. With a solid grasp of the fundamentals, you'll be equipped to discuss these topics when they come up and understand how they fit together in practice. Let’s start! Identity is the most fundamental concept that underpins authentication and authorization. But thankfully, you already intuitively know what identity is. Identity Identity is who [3] are— it’s your essence as an individual [4]. you is the process of sharing your identity using an . In the real world, an identifier could be your name, Social Security Number, or your driving license. In the online world, it could be your email address, a public key, or your device’s IP address. The key is that each identifier points to only one identity [5]. Identification identifier Authentication is the process of verifying that a presented identifier belongs to the claimed identity. Authentication In the real-world example of a driving license, I can authenticate you by checking that you look like the person in the picture on your driving license, or by checking that you know information on it that would be hard to learn. Few people in the world look similar to you and also know your birthday [6], so if I trust the driving license is valid — that it has been issued by the relevant agency — and that you look like the person on it, then I can verify that you are the person you claim to be. Generally speaking, there are three [7] ways for someone to authenticate themselves: by demonstrating something they inherently . In the example above, this is your face being on your person. are by demonstrating ownership of something only they would . In the example above, this is owning a driving license. own by proving something that only they would . In the example above, this is knowledge of your birthday. know Teenagers eager for their first drink will happily spend time sourcing and forging driving licenses and remembering fictional birthdays, so they aren’t the strongest means of authentication. However, they work well enough in most circumstances. Luckily we have better methods to do authentication online. We’ll discuss more about authentication is implemented in online systems in the next post, but before we dig into that, there’s one more concept we need to understand. Authorization If you take one thing away from this post, it should be that are two different things. authorization and authentication Authentication is verifying an identity. happens after authentication and is the process of approving or denying access. Authorization In the driving license example above, authorization happens when the doorman checks if an authenticated guest is old enough to enter the bar. So, in summary: Identity is who you are Authentication is proving you are who you claim to be, and Authorisation is being approved for access. In the next post (released soon!), I'll explain how these concepts work in software systems. References [1] OAuth, Supabase, Clerk, Zanzibar, OPA, the list goes on… — these all either solve similar or different problems with similar or different approaches [2] I can think of IAM, JWT, OAuth, OIDC, … you get the idea! [3] In most technical settings, you can be you — the human (!) reading this blog post — but also a machine, such a script or a browser. [4] Let’s unpack the phrase “you are” that I just used. You contain multitudes: friendships, affinities, enemies, personality, appearance, knowledge, presence, skills, and much else. These all roll up and form your identity. But defining exactly what makes a specific human that specific human and not any other human is outside the scope of this blog post. Interestingly, it’s an open philosophical problem — it’s unclear if you are you over time. [5] This is simplifying and ignoring group identity. [6] 🙃 [7] Arguably there’s a fourth mechanism: social authentication — using other people’s beliefs to attest that you are you. This post - subscribe for more like it! originally appeared on my personal blog

This story contains new, firsthand information uncovered by the writer.

The ABCs of Identity, Authentication, and Authorization - Part 1

Too Long; Didn't Read

@apuchitnis

Credibility

RELATED STORIES