I wrote this article because I need to talk about this topic to a group of local bank executives. What I have in mind is how to get them to understand the vague differences between these three terms using illustrations from our daily lives.

For these reasons, I picked up a number of books to read. Indeed, I have to give credit to the book Beyond Fear by Bruce Schneier, as he gave a number of analogies about these terms in chapter 13 of his book.

I hope writing this article can help clarify my explanation of the key concepts of these three terms.

To start, let’s use some simple ideas to describe these three terms:

Identification: Who are you?

Authentication: Prove it!

Authorization: Okay, you are allowed to do these things because we have successfully authenticated you (proved you are who you say you are)

Let’s look at an example to illustrate this. Suppose you take your passport (containing your photo and signature) and go through an immigration counter to get into a country. The immigration officer asks who you are, and you reply politely with your name. This is the step of Identification. The office then verifies your identity by looking at your photo, and may check your signature on your immigration form against that of your passport. After this process, hopefully you are authenticated by him to be the genuine holder of the passport you have shown. This is the step of Authentication. Then the officer will check against your country of origin and whether you need and have any visa to show that you have the authorization to get into the country. This is the step of Authorization.

In an Access Control system, these three steps are crucial since they control whether a person is authorized to gain access to the particular area of a system. This is essentially a Prevention Control System.

In Schneier’s book, he used another interesting example using the London Underground ticket system. A passenger can purchase a monthly ticket with unlimited travel for a month. This ticket (authorization) contains no authentication capability. The passenger has to bear another photo card (which is permanent) with a unique number for authentication. The unique number has to be written down on the monthly ticket the passenger purchases to get it validated. So, these two items form an authentication-and-authorization system. Note there is no serious identification element in this system (though you can write your name on the ticket beside the photo card number) since no one will check your ID to verify if you really own the name shown on the photo card. The London Underground only cares to prevent two persons from sharing the same monthly ticket, and your photo card is already an effective tool to prevent this from happening (unless you have a look-alike or a twin, in which case you can ride at half-price!). The ticket itself is sufficient to serve the purpose of authorization.

However, in an IT system, we need a full identification system. This is because we need the information to complete an entire authorization process (just like the previous example of using a passport to get into a country).

We also need to track against the users’ activities in the system for the purpose of having an Audit Trail (a kind of security detection control). Without a good identification element, we can still analyze the system log to uncover abnormal user activities, such as when a breach of a user’s limit of accessing certain network resources, etc. But we will have a hard time following up without knowing the identity of the user.

In this way, the three-step authentication, identification, and authorization process serves both the prevention and detection access control for an IT system.

Tags: Access Control System