Identification, Authentication, or Authorization: What’s the Difference?
There’s understandable confusion about the differences between identification, authentication, and authorization when it comes to identity or user management. If you’re not immersed in the industry, you may be confused as to why they’re not interchangeable terms. Even those of us in the industry can get caught up in the colloquial use of the terms as opposed to their strict technical definitions.
The terms get even muddier when you start using them in combination with specific biometric modalities, the most notorious example being Facial Authentication vs. Facial Recognition.
We’ll start with the technical definitions for each, in the context of a cybersecurity environment.
Identification: The process used to allow the [user or device] to provide information as to their identity, which can then be used to validate them. In short, it’s the answer to the question of “Who are you?” (From The Official (ISC)2 Guide to the SSCP CBK)
Authentication: The act of providing and validating identity within the access control system, and/or of verifying the identity of a user. It’s the answer to “Are you really who you said you are?” (From The Official (ISC)2 Guide to the SSCP CBK)
Authorization: Determines the user’s right to access a certain resource, based on the outcome of the authentication process. This is the answer to “Should you be allowed in?”
Most access management systems are set up to do all three things, in the order listed. How this process is implemented is the basis for how systems security administrators set up their systems to keep your organization safe. The actual technological processes to make this happen can be relatively simple or quite complex; it depends on the needs of the business and of the users and devices within that business.
It’s important to note that these terms also apply to devices! The need for consistent terminology to refer to servers, computers, databases, or other non-human things trying to access data is part of the reason the people-identifying aspect can feel complicated. The steps required for access control to inanimate objects can feel strange when applied to people.
You may notice that “recognition” isn’t one of the terms defined above. That’s because Facial Recognition, when viewed through a security lens, is simply a method for authentication (as defined in multiple cybersecurity certification training materials). In the strictest sense, Facial Recognition is an authentication method that recognizes whether a specific face matches the identity presented.
Facial Recognition: It’s Complicated
With the rise of facial recognition technology used for surveillance purposes, rather than purely for authentication, significant backlash has arisen over its use.
Facial recognition has been around for a very long time, however. Wikipedia notes, citing The History of Information Security: a Comprehensive Handbook, that as early as the mid-1960s, people were manually marking facial features on images and using a computer to recognize faces. By the late ’90s, multiple universities had built systems that recognized human faces and were able to identify individuals from imperfect face views.
Around the same time, ImageWare was developing our digital booking platform for law enforcement agencies. Our system wasn’t looking to pick out a known face from a sea of faces in a single photo; it was checking whether the face presented was already in the system or not (matching one face out of many options, or 1:n matching).
This technology was adapted for government use, and by necessity, scaled to handle millions of potential matches. The purpose wasn’t to monitor people’s movements or pick them out of a video of a crowd! Rather, it was to manage use cases such as government ID issuances for employees, or for citizen IDs, like Driver’s Licenses.
Surveillance use of Facial Recognition, on the other hand, is taking a known image of someone, and comparing that to video to try and locate that person. The more concerning uses of active facial recognition for police body cameras, for example, are starting to be banned by various states. Social media use of facial recognition gives many security and privacy professionals pause.
In recent years, FaceApp came under scrutiny as it was harvesting metadata about facial images, and with the company being based in Russia, there were deep suspicions about how that data was used.
These examples are not what a privacy-minded application of facial recognition for user authentication does.
How Biometrics Fit Into the Access Management Process
We can’t speak for other authentication providers, but the way ImageWare handles all of our biometric algorithms is to match the mathematical representation of a biometric data point to another data point in the repository. Generally, there’s a process for allowing users into a system, and biometrics are well suited to be a secure part of that.
Going back to our three step process, the way biometrics are used in an authentication flow is (roughly) as follows:
1: Identification - You identify yourself to the system. “Hi, system, I’m User Erlich Bachman. May I come in?”
2: Authentication - System says “Yes, Erlich Bachman is a user here. Let me check if you’re really Mister Erlich.” System kicks on the designated sensor - say, your laptop’s built-in webcam.
At this point, the system uses the facial recognition algorithm, and applies that to a scan of your face. It uses your facial features as the basis for a mathematical calculation, and then takes that result and checks the system database to see if that matches the calculation originally created for Mister Erlich Bachman when he first was enrolled.
If yes, we go to step 3. If no, he’s kicked out, and that’s the end of it (this is known as 1:1 matching).
3: Authorization - The system then checks the rules for the user Erlich Bachman, and allows him to access the data and business systems he should have access to.
There’s an important nuance in step 2 that’s worth pointing out. The facial recognition algorithm recognizes that there is a face in the webcam view, then creates the ones and zeros that the database is comparing to what is on file.
With ImageWare’s solution, it’s not actually Erlich Bachman that’s being looked up. It’s, in essence, a bunch of ones and zeros that were made up based on his face, and it’s compared to the ones and zeros that were made up when he was onboarded.
This means reports can be generated for how often his face-number is used to log in, or how often it fails. It also means that it’s not all that useful for things people get nervous about: tracking him from place to place, or monitoring his movements. That face-number doesn’t really do much outside of the system it was generated for.
One to One or One to Many?
This type of authentication uses 1:1 matching, but what about the 1:n or one to many matching of the government type implementations?
The 1:n or one to many matching types still leverage the same technology; they just conduct a different type of search. Take our example from above, with Erlich Bachman presenting himself to the system. With 1:n, the system takes that presented data and checks whether any of the biometric data templates in the database could match. It’s still an anonymous set of ones and zeros being referenced, not Erlich Bachman himself.
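The three-step flow and the 1:1 versus 1:n searches described above, as an added example (not ImageWare’s code or algorithm). The templates are constructed 64-bit values, and the Hamming-distance comparison, the threshold, the second account, and all function names are assumptions for illustration.

```python
# Added example: constructed data; Hamming distance and the threshold are
# assumptions for illustration, not ImageWare's algorithm.
MAX_DISTANCE = 10  # assumed threshold: bits allowed to differ (sensor noise)

# Enrolled templates are stored under opaque ids, not under a person's name.
TEMPLATES = {
    "tpl-01": 0xA5A5_F00D_1234_5678,
    "tpl-02": 0x0F0F_0F0F_DEAD_BEEF,
    "tpl-03": 0x1357_9BDF_0246_8ACE,
}
ACCOUNTS = {"erlich.bachman": "tpl-01", "second.user": "tpl-02"}
PERMISSIONS = {"erlich.bachman": {"crm", "payroll"}, "second.user": {"crm"}}

# Constructed probe: the tpl-01 template with three bits flipped by noise.
PROBE = TEMPLATES["tpl-01"] ^ 0b1011

def hamming(a, b):
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")

def verify(claimed_id, probe):
    """1:1 match: compare the probe only with the claimed user's template."""
    tpl_id = ACCOUNTS.get(claimed_id)
    if tpl_id is None:
        return False
    return hamming(TEMPLATES[tpl_id], probe) <= MAX_DISTANCE

def identify(probe):
    """1:n match: search every template; return matching ids, closest first."""
    scored = sorted((hamming(t, probe), tid) for tid, t in TEMPLATES.items())
    return [tid for dist, tid in scored if dist <= MAX_DISTANCE]

def login(claimed_id, probe, resource):
    if claimed_id not in ACCOUNTS:                 # 1: identification
        return "unknown identity"
    if not verify(claimed_id, probe):              # 2: authentication (1:1)
        return "authentication failed"
    if resource not in PERMISSIONS.get(claimed_id, set()):  # 3: authorization
        return "not authorized"
    return "access granted"

if __name__ == "__main__":
    print(login("erlich.bachman", PROBE, "payroll"))
    print(login("second.user", PROBE, "crm"))
    print(identify(PROBE))
```

Note that a successful 1:1 match does not by itself grant anything: the same probe that authenticates the user is still refused for a resource outside that user’s permissions.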
Here at ImageWare, we designed our Biometric Engine to operate in this way intentionally. We value privacy, security, and control over your data. So while yes, facial recognition is a technology leveraged to allow users in, it’s just that: it’s a technology that recognizes faces, as opposed to palm, fingerprint, or iris.
Identification, authentication, and authorization are at the core of access management. Leveraging biometrics as a secure method for your authentication process can be a powerful way to improve the security of your overall system. If using face-based authentication measures is still a concern for you or your workforce, an advanced authentication provider can offer you biometric options, starting with voice, palm, or fingerprint.