Identification, Authentication, and Authorization: The Three Cornerstones of Digital Security
In today’s digital era, our activities and interactions are constantly checked. We must be continually identified, authenticated, and authorized to access any service. While these terms are often used interchangeably, they are distinct processes, each playing a crucial role in online security.
Identification means naming a particular user, often through a username or email address, while authentication is proof of the user’s identity, most commonly given by entering a password.
Only once the user has been identified and authenticated can they be authorized to access systems or privileges. Authorization assigns rights and privileges to specific resources. All three have distinct purposes and are necessary components of data security.
Understanding identification & authentication
Identification is the first step in most online transactions and requires a user to “identify” themselves, usually by providing a name, email address, phone number, or username. It is the act of a person asserting who they are; at this point nothing has been proven.
Online, however, it can be difficult to verify that the identity presented is real and that the person presenting it is who they claim to be.
Identities are verified by providing supporting documents, such as a government-issued ID like an Aadhaar card or a passport. This verification is normally done once, when the account is first created or the site is accessed for the first time. From then on, the identity is authenticated, usually through a password or PIN created to go with the username.
In other words, during sign-up or onboarding to a system, service, or company, once the identity has been verified, a form of authentication is set up. It is used each time the service or application is accessed thereafter.
Once a user’s identity has been verified, authentication is implemented. This involves proving one’s identity through various methods, such as:
- Something You Know: Passwords or security questions
- Something You Have: Tokens, smartcards, or ID cards
- Something You Are: Biometric data like fingerprints or facial scans
Authentication lets the user prove that they are who they claimed to be during the identification phase. One of the safest and most common approaches is multi-factor authentication (MFA), which requires factors from more than one of these categories.
Explaining the next step: authorization
Authorization is the final step of the security process, after identification and authentication. It grants users access to specific services or systems based on their verified identity. Authorization ensures that only permitted individuals can access sensitive information or perform specific actions.
In 2020, nearly 5 million reports of identity theft and fraud were filed. Much of this cybercrime consists of bad actors stealing personal information and then posing as legitimate users, which is exactly what authentication is meant to stop.
The authorization phase ensures that an authenticated user gets access only to the particular services and privileges assigned to them. To be effective, authorization must come after both identification and authentication.
Where each process is used
The initial setup of any account or service, or simply onboarding, starts with identification. The person provides personal information that identifies them, and that identity is then verified.
Verifying the identity can involve documents, information that only the real person would have, or personal data such as an Aadhaar number. Thereafter, identification usually happens whenever the user accesses the account or service, in the form of a username.
Authentication comes as the second step, after identification. It matches the credential provided against what was set up initially to confirm that the person is indeed who they claim to be. It occurs when the user enters the password or provides the agreed-upon information; the system then checks it against what it has stored and makes sure they match (a well-designed system stores only a salted hash of the password and compares against that, never the password itself).
Sometimes the system also asks for an OTP (one-time password) as an additional check. The OTP is often sent to the email address or phone number provided at identification time, via SMS, WhatsApp, or another messaging channel, and the user enters the code as an additional authentication factor (something you have: the phone or mailbox). Codes delivered by SMS are weaker than an authenticator app or hardware token, because phone numbers can be hijacked, but they still stop an attacker who holds only the password. Only once identification and authentication succeed does authorization occur.
Finally, after the user is authorized, they are granted access, or the rights and privileges assigned to them. Authorization protects the organization’s resources as well as its users by preventing unauthorized use or access.
Use case scenario: how identification, authentication, and authorization are implemented:
- A user is onboarded by the bank by providing the required identification information.
- The user then sets up an authentication factor, such as an IPIN (Internet PIN), an MPIN (Mobile PIN), or simply a password, for future access.
- Whenever the user returns to log in, the banking system asks for the identifier (username) and the authentication factor (password).
- Once the user enters this information, the system authenticates the user by checking it against the data stored in its database.
- Finally, once everything matches, the user gets access to the systems and resources that the administrator has authorized for them.
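The banking scenario above, together with the OTP step described earlier, as an added runnable example. This is illustrative code written for this article, not any bank's system: identification by username, password authentication against a stored salted hash, an RFC 4226 HOTP code as the second factor, and a role-based authorization check. The in-memory user store, the role-to-permission table, the PBKDF2 work factor and the function names are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# Constructed in-memory "database" for the example (assumption; not a real schema).
# Each record holds a per-user salt and a PBKDF2-HMAC-SHA256 hash of the password,
# never the password itself, plus a shared OTP secret, its counter, and a role.
_USERS = {}

PBKDF2_ITERATIONS = 100_000  # assumption: kept low for the demo; raise in production
ROLE_PERMISSIONS = {         # assumption: a tiny role-to-permission table
    "customer": {"view_balance", "transfer_funds"},
    "teller": {"view_balance", "view_any_account"},
}
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def onboard(username: str, password: str, role: str) -> None:
    """Identification and enrolment: record who the user is and set up their factors."""
    salt = os.urandom(16)
    _USERS[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "otp_secret": os.urandom(20),  # shared secret behind the one-time codes
        "otp_counter": 0,              # HOTP moving factor (RFC 4226)
        "role": role,
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def issue_otp(username: str) -> str:
    """What the bank would send by SMS or email: the code for the user's current counter."""
    rec = _USERS[username]
    return hotp(rec["otp_secret"], rec["otp_counter"])


def authenticate(username: str, password: str, otp_code: str) -> bool:
    """Second step: prove the identity claimed by the username (password + OTP)."""
    rec = _USERS.get(username)
    # Do the same hashing work for an unknown username as for a known one, so the
    # two cases cannot be told apart by response time (prevents user enumeration).
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["pw_hash"] if rec else _DUMMY_HASH
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if rec is None:
        return False
    otp_ok = hmac.compare_digest(otp_code, hotp(rec["otp_secret"], rec["otp_counter"]))
    if not (password_ok and otp_ok):
        return False
    rec["otp_counter"] += 1  # burn the code so it cannot be replayed
    return True


def authorize(username: str, action: str) -> bool:
    """Third step: does this already-authenticated user's role permit the action?"""
    rec = _USERS.get(username)
    return rec is not None and action in ROLE_PERMISSIONS.get(rec["role"], set())


def login_and_act(username: str, password: str, otp_code: str, action: str) -> str:
    """Identification (username) -> authentication -> authorization, in that order."""
    if not authenticate(username, password, otp_code):
        return "authentication failed"  # same message for unknown user and bad password
    if not authorize(username, action):
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    onboard("alice", "correct horse battery staple", "customer")
    code = issue_otp("alice")  # in reality delivered out of band to the user's phone
    print(login_and_act("alice", "correct horse battery staple", code, "view_balance"))
    print(login_and_act("alice", "correct horse battery staple", code, "view_balance"))  # replay
```

Two details are deliberate. A wrong password and an unknown username produce the same answer, and the server does the same hashing work in both cases, so a login page cannot be used to discover which usernames exist. The OTP counter advances only after a fully successful login, so a code that was intercepted and then used by its owner, or reused by an attacker, is rejected.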
In addition, to keep personal data safe online and protect their identity, users should rely on strong authentication:
a strong password and multi-factor authentication. Here are some tips:
- Using a password manager ensures that each password is long, random, and hard for bad actors to guess. Never reuse the same password from site to site; uniqueness matters more than forced periodic changes, but change a password promptly whenever there is any sign it has been exposed.
- Adding two-factor authentication to accounts is also recommended, for example a password plus a verification code. Even if someone does obtain the credentials, they still cannot log in without the additional factor. Many sites have a built-in option to turn on two-factor authentication.
- Multi-factor authentication with three or more factors is stronger still, provided the factors come from different categories (something you know, have, and are); two passwords are not two factors. Biometric authentication, such as fingerprints, facial recognition, and retinal scans, can add an extra layer of security as well.
Authentication is perhaps the ultimate key to protecting one’s accounts and keeping data and resources safe.