Identification vs Authentication vs Authorization

Identity, Roles, and Permissions

Martin Thoma
Plain and Simple


Photo by Lukenn Sabellano on Unsplash

Identification, authentication, and authorization are closely related, but not the same.

Identification is about knowing who somebody is, even without their cooperation.

Surveillance systems, fingerprints, and DNA samples are the techniques that come to mind in the physical world. In the digital world, device fingerprinting is used. It’s also possible to identify individuals by their way of writing or even how they play computer games.

Authentication is about proving who I am.

I want to show my bank who I am by entering a secret only I know: the PIN. The same goes for pretty much any other website. The difference between identification and authentication is that the former happens without my (explicit) cooperation, whereas the latter includes me in the process. Typical terms in this area are two-factor authentication (2FA) and multi-factor authentication (MFA). As authentication is hard, single sign-on (SSO) and OpenID come into play.

Authorization is about access control.

Most authorization schemes need either identification or authentication, but not all…
