Demystifying Identity, Authentication and Authorisation: Part 1
These three terms, identity, authentication and authorisation, are often confused by hackers and technologists.
This is unsurprising. There are dozens of open source and commercial offerings, decades of development, and at least 23 acronyms to get one's head around.
This complexity obfuscates more than it reveals. In reality, these ideas are easy to grasp.
These concepts are fundamental to the human experience, not just in apps but in nearly all offline interactions too. From dealing with governments and banks for basic services, to getting a drink at a bar, we all use identity, authentication and authorisation to get things done.
The aim of this blog post is to provide a high-level understanding of the key concepts of identity, authentication and authorisation. In future posts, I will dig deeper into how these ideas are implemented in real-world systems.
With a solid grasp of the fundamentals, you'll be equipped to discuss these topics when they come up and understand how they fit together in practice.
Identity is the most fundamental concept that underpins authentication and authorisation. But thankfully, you already intuitively know what identity is.
Identity is who you are: the essence of you as an individual.
Identification is the process of sharing your identity using an identifier. In the real world, an identifier could be your name, Social Security Number, or your driving license. In the online world, it could be your email address, a public key, or your device’s IP address. The key is that each identifier points to only one identity.
Authentication is the process of verifying that a presented identifier belongs to the claimed identity.
In the real world example of a driving license, I can authenticate you by checking that you look like the person in the picture on the driving license, or by checking that you know information on it that would be hard to learn. Few people in the world look similar to you and also know your birthday, so if I trust the driving license is valid (that it has been issued by the relevant agency) and that you look like the person on it, then I can verify that you are the person you claim to be.
Generally speaking, there are three ways for someone to authenticate themselves:
by demonstrating something they inherently are. In the example above, this is your face matching the picture on the license.
by demonstrating ownership of something only they would own. In the example above, this is owning the driving license.
by proving something that only they would know. In the example above, this is knowledge of your birthday.
Teenagers eager for their first drink will happily spend time sourcing and forging driving licenses and remembering fictional birthdays, so they aren’t the strongest means of authentication. However, they work well enough in most circumstances.
Luckily, we have better methods for doing authentication online. We'll discuss how authentication is implemented in online systems in the next post, but before we dig into that, there's one more concept we need to understand.
If you take one thing away from this post, it should be that authorisation and authentication are two different things.
Authentication is verifying an identity. Authorisation happens after authentication, and is the process of approving or denying access.
In the driving license example above, authorisation happens when the doorman checks if an authenticated guest is old enough to enter the bar.
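To make the doorman example concrete, here is an added illustration (not code from the original post) of the three ideas as a small Python module. Identification is a lookup from an identifier to exactly one identity record; authentication combines a "something you know" check (a salted PBKDF2 hash of a secret, standing in for the birthday) with a "something you have" check (an HMAC-based one-time code produced by a token the person holds); authorisation is a separate policy decision (old enough to enter) that only runs once authentication has succeeded. The "something you are" factor is left out because it cannot be modelled meaningfully offline. All identifiers, names, birth years, secrets and device keys below are constructed sample data, and the one-time code scheme is a simplified HOTP-style construction rather than the exact RFC 4226 algorithm.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Identity:
    """One identity record. Each identifier in REGISTRY points to exactly one of these."""
    name: str
    birth_year: int
    salt: bytes          # per-identity salt for the "something you know" hash
    secret_hash: bytes   # salted PBKDF2 hash of the secret; the plaintext is never stored
    device_key: bytes    # "something you have": key shared with the holder's token device


def derive_secret_hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 slows down offline guessing if the registry is ever leaked.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def register(name: str, birth_year: int, secret: str, device_key: bytes) -> Identity:
    salt = os.urandom(16)
    return Identity(name, birth_year, salt, derive_secret_hash(secret, salt), device_key)


def one_time_code(device_key: bytes, counter: int) -> str:
    # HOTP-style code: HMAC over a counter, truncated to six decimal digits.
    # Simplified for illustration; RFC 4226 uses dynamic truncation and SHA-1.
    mac = hmac.new(device_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


# Constructed registry: identifier (driving license number) -> identity.
REGISTRY: Dict[str, Identity] = {
    "DL-1001": register("Alice Example", 1990, "1990-04-12", b"alice-token-key-constructed"),
    "DL-2002": register("Bob Example", 2010, "2010-09-30", b"bob-token-key-constructed"),
}

# A dummy salt so unknown identifiers cost the same time as known ones.
_DUMMY_SALT = bytes(16)


def authenticate(identifier: str, secret: str, code: str, counter: int) -> Optional[Identity]:
    """Verify that the presented identifier really belongs to the claimed identity.

    Returns the Identity on success, None otherwise. Says nothing about access.
    """
    identity = REGISTRY.get(identifier)
    if identity is None:
        derive_secret_hash(secret, _DUMMY_SALT)  # equalise timing for unknown identifiers
        return None
    knows = hmac.compare_digest(derive_secret_hash(secret, identity.salt), identity.secret_hash)
    has = hmac.compare_digest(one_time_code(identity.device_key, counter), code)
    return identity if (knows and has) else None


def authorise(identity: Identity, min_age: int, current_year: int) -> bool:
    """Policy decision: is this (already authenticated) identity allowed in?"""
    return current_year - identity.birth_year >= min_age


def door_check(identifier: str, secret: str, code: str, counter: int,
               min_age: int = 18, current_year: int = 2024) -> str:
    """The doorman: authenticate first, then (and only then) authorise."""
    identity = authenticate(identifier, secret, code, counter)
    if identity is None:
        return "denied: not authenticated"
    if not authorise(identity, min_age, current_year):
        return "denied: authenticated but not authorised"
    return "admitted"


if __name__ == "__main__":
    alice_code = one_time_code(REGISTRY["DL-1001"].device_key, 7)
    print(door_check("DL-1001", "1990-04-12", alice_code, 7))
    print(door_check("DL-1001", "wrong-secret", alice_code, 7))
    bob_code = one_time_code(REGISTRY["DL-2002"].device_key, 3)
    print(door_check("DL-2002", "2010-09-30", bob_code, 3))
    print(door_check("DL-9999", "anything", "000000", 1))
```

The two functions are deliberately kept apart: authenticate answers "is this really Alice?" and authorise answers "may Alice come in?". Collapsing them is the classic mistake the post warns about, because a system that treats "authenticated" as "authorised" admits every valid account to every resource.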
So, in summary:
Identity is who you are
Authentication is proving you are who you claim to be, and
Authorisation is being approved for access.
In the next post (released next week), I'll explain how these concepts work in software systems. Subscribe to get notified when it's released!
Notes:
1. OAuth, Supabase, Clerk, Zanzibar, OPA, the list goes on. These all solve similar or different problems with similar or different approaches.
2. I can think of IAM, JWT, OAuth, OIDC, ... you get the idea!
3. In most technical settings, "you" can be you, the human (!) reading this blog post, but also a machine, such as a script or a browser.
4. Let's unpack the phrase "you are" that I just used. You contain multitudes: friendships, affinities, enemies, personality, appearance, knowledge, presence, skills and much else. These all roll up and form your identity. But defining exactly what makes a specific human that specific human and not any other human is outside the scope of this blog post. Interestingly, it's an open philosophical problem: it's unclear if you are you over time.
5. This is simplifying and ignoring group identity.
6. Arguably there's a fourth mechanism: social authentication, using other people's beliefs to attest that you are you.