Identification, Authentication, and Authorization: How Are They Different?
Often used as synonyms or interchangeably, identification, authentication, and authorization are different concepts. Although they are related to each other, they must be distinguished, especially in cybersecurity and data protection. In this article, we explain what identification, authentication, and authorization are, how they differ, and how they are related.
Identification, authentication, and authorization differences
Virtually every day, we identify ourselves, authenticate ourselves, and receive authorization to access and use different systems and functionalities: we do it when we open our email inbox, our profile on a social network, or when we want to leave a comment on a blog article.
These operations have become so common in our daily lives that we pay little attention to them beyond entering the information requested in the identification, authentication, and authorization process. As a result, we often use these three terms as if they were synonymous, when in reality they are different actions and processes that are related to each other, as we will see later.
So let’s see what each of them is:
What is identification?
Identification is the action or process of identifying a person or a thing. It is about establishing the identity of someone or something, for example, through a unique identifier, such as an ID, username, or telephone number.
What is authentication?
Authentication is the process of proving a person’s identity, that is, verifying through authentication factors and mechanisms that the person is who they say they are. In the context of cybersecurity, it means verifying the identifier presented by a user. To do this, one or more of the following authentication factors can be used:
- Knowledge: something only the person knows, such as a password.
- Possession: something only the person has, such as a mobile phone.
- Biometrics: a physical characteristic of the person, such as a fingerprint.
Authentication in computer security, as we will see later, is a fundamental element because, in principle, it guarantees that whoever accesses the system is really who they say they are.
What is authorization?
Finally, authorization specifies what rights and access privileges a person has. Authorization may or may not depend on identification and authentication.
After this explanation, you can surely already see the difference between authenticating and authorizing, and between identifying and authenticating. As we will see in the next point, although authorization may not require an identification and authentication process, there is no identification without authentication and vice versa: these concepts and processes are complementary, so it makes little sense to speak of authentication vs. identification.
In any case, to make the three concepts clear, let’s see an example:
When you access an account on a social network, the first step is to identify yourself, for which you must enter either a username or an email address. Then you are asked to enter a password, and the system authenticates you by checking that the username and password match. If, in addition, you have multifactor authentication activated, you are asked for a second authentication factor (for example, a code sent by SMS to your mobile phone). Finally, once identification and authentication have been completed, the system authorizes you to access your profile and perform different actions (publish posts, comments, and images, give “likes,” etc.).
Identification, authentication, and authorization are three parts of a whole.
As we have been saying, identification, authentication, and authorization are closely related and generally form three parts of a whole, especially in information security.
As you have seen in the example of the previous point, identification and authentication in computer security are key because, through them, unauthorized third parties are prevented from accessing confidential systems or data. Together with authorization, it is also possible to create a system of privileges and roles linked to the identifier; that is, the level of access to resources and data for each member of an organization can be managed.
For example, in a company, not all employees need access to the customer database, so each employee's identifier used to access the system is linked to an authorization level based on their position and duties in the company.
In this sense, identification, authentication, and authorization become one more security measure.
Identification, authentication, and authorization in data protection
In data protection, as you can imagine, identification, authentication, and authorization are key elements to ensure that only people with the proper authorization access the personal data that a company handles and processes. As we said, they are part of the technical security measures, but also of the organizational ones (the authorization levels based on roles or privileges fall here), that a company must implement to prevent unauthorized third parties from accessing the personal information of clients, employees, suppliers, etc.
In addition, identification and authentication factors can themselves be considered personal data insofar as they allow a person to be identified, so data protection measures should also be extended to these elements (for example, by encrypting the database of employee and user data).
Identification and authentication and biometric data
Finally, using identification and authentication systems based on biometric data (such as fingerprint readers or facial recognition) is becoming more common. If a company is thinking of adopting this type of system, it is important to take into account that biometric data, when used to authenticate people, are considered personal data of special categories (art. 9 of the GDPR), that certain data protection measures must be applied (impact assessment, express consent, the existence of a prior law or regulation that contemplates it), and that the proportionality and appropriateness of the measure must be determined.
It must also be taken into account that the European Data Protection Board (EDPB) considers the use of biometric data for authentication to be an excessive and intrusive measure, which may conflict with the rights and freedoms of the data subjects, so it is essential to submit it beforehand to this judgment of suitability and proportionality: that is, whether the measure is necessary, whether there is no other less intrusive alternative to achieve the pursued purpose, and whether the benefits obtained outweigh the harm caused to the rights and freedoms of the data subjects.
Before implementing a biometric authentication system, it is advisable to consult with a data protection professional about its suitability based on data protection regulations.