Today’s technological landscape has made people switch to services that are accessed over the internet on personal devices such as smartphones and computers. These services require users to authenticate their identity whenever they log in or switch to another service. Even to secure their own devices, users rely on some kind of authentication method. Authentication, however, is not confined to technology; we also perform it in our daily lives. Let’s dig a little deeper into what authentication is, why it is important and how it differs from similar-sounding terms like identification and authorization.
What is authentication?
Authentication is the act of confirming the validity of an attribute, or a single piece of data, that an entity provides and claims to be true. The authentication process is usually implemented to create a controlled environment that only eligible entities can enter, whether it is a physical space or a digital one. It may be your home, office, computer or social media account: in each case, authentication checks your eligibility to access it. For example, logging into your email account requires you to provide your ID and password; the password is compared against the last one you set, and if it matches you are given access to the account. In another example, you ask for the ID card of a service provider knocking at your door and confirm it by calling the company; if the company’s answer matches the claim made by the person at the door, you let her/him in.
It is not just human beings or online accounts that require authentication; any entity may need to be authenticated before further access is granted. For example, your pizza delivery person may claim that the pizza is exactly what you ordered. You might confirm this claim by checking the pizza, and if it is found to be what was ordered and claimed, you let the pizza in.
Identification, which is sometimes used interchangeably with authentication, is the process of mapping a known quantity to an unknown entity so that it becomes known. A good analogy is when biologists find a new species of living organism: they first try to place it in the existing biological nomenclature system, and when they fail to do so, a new species is created in the nomenclature hierarchy and the new finding is placed in it. The known quantity, i.e. the species in this case, is called the identifier of the new biological finding.
Factors of authentication
Methods or means used to implement an authentication process are called factors of authentication. They fall into three categories: knowledge factors, ownership factors and inherence factors. Each category consists of means that can be used to verify an entity’s identity before it is given access to a physical or logical facility.
Something the user owns or possesses. This category of authentication factors consists of elements based on ownership or possession. Users are given an item to keep in their possession so that the authentication system can recognize them. For example: tokens, identity documents, access cards, keys, etc.
Something the user knows. This category consists of elements based on knowledge. Users are given information to remember so that the authentication system can recognize them. For example: passwords, PINs, security questions, etc.
Something the user is or does. This category consists of elements based on inherence. Users authenticate with their inherent characteristics, for example: iris pattern, fingerprints, voice, retinal pattern, signature, DNA profile and other biometric characteristics.
Applications of authentication factors
Authentication is basically the process of confirming the validity of an identity claim made by an entity. The verification is performed digitally when the facility or resource is located on a network or information system, for example entering a password to access your social media account. An authentication process can be implemented using components of one or more factors of authentication. Implementing an authentication system is particularly useful where users repeatedly seek access to a controlled or secure facility.
Single factor authentication
When a single component is chosen from any one of the three authentication factors to confirm the identity claimed by an entity, it is called single-factor authentication. For example: providing a PIN to gain access to a locked phone. This is the weakest level of authentication. Shared, guessed or stolen PINs or passwords can compromise the security of the device or the user account. An unauthorized user can also attempt access by trying random, default or commonly used PINs or passwords. A minimum password complexity is often enforced when passwords are used as the single factor. Ownership-based single-factor authentication is also vulnerable to loss or theft. Using an inherence-based factor can be a potential solution when single-factor authentication is used.
Two factor authentication
When two components are chosen from two different authentication factors to confirm the identity claimed by an entity, it is called two-factor authentication or 2FA. For example: using a password and a fingerprint for network access. The password belongs to the knowledge factor while the fingerprint belongs to the inherence factor. Two-factor authentication is used where the required level of security is comparatively high and the system is particularly vulnerable to attacks. It can also be used for services or facilities whose users are security conscious. If an impostor is able to breach one method of authentication, the other still holds and saves the system from the harm the unauthorized access could have caused. An ATM card is a good example of two-factor authentication: the user has to provide something she/he possesses (ownership factor), i.e. the ATM card, and something she/he knows (knowledge factor), i.e. the PIN, to access her/his account and withdraw money.
Multi-factor authentication
When multiple components are chosen from the authentication factors to confirm the identity claimed by an entity, it is called multi-factor authentication. It offers a high level of security, as the user has to present evidence of his or her identity belonging to multiple factors. Multi-factor authentication is implemented when the required level of security is very high. Facilities or services that involve weaponry storage, R&D facilities, military facilities, storage or processing centers for highly confidential information or transactions, etc. may choose to employ multi-factor authentication.
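The following is an added example, not code from the original article: a login check that combines two of the factors described above, a knowledge factor (a password, stored only as a salted PBKDF2 hash) and an ownership factor (a time-based one-time code of the kind an authenticator app generates, per RFC 6238). The user record, the password and the timestamps are constructed for the demo; the TOTP seed is the RFC 6238 test seed so the codes can be checked against the RFC's own table. Each factor is verified independently, and a failure of either one leads to the same "denied" answer, which is what makes a stolen password alone insufficient.

```python
# Added example (not from the article): two-factor login = password (knowledge)
# + TOTP code (ownership). All users, secrets and timestamps are constructed.
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # slows offline guessing if the hash is stolen
TOTP_STEP = 30                # seconds per code, as authenticator apps use
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key). Only these are stored, never the password."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)   # constant-time comparison


def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at) // TOTP_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(secret_b32: str, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + drift * TOTP_STEP), code)
        for drift in range(-window, window + 1)
    )


# Constructed server-side record. The seed is RFC 6238's test seed
# "12345678901234567890" in base32, so totp(TOTP_SECRET, 59) == "287082".
TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
_SALT, _KEY = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _SALT, "pw_hash": _KEY, "totp_secret": TOTP_SECRET}}


def login(username: str, password: str, code: str, now: Optional[float] = None) -> str:
    """Return 'ok' only if both factors verify, otherwise a uniform 'denied'.
    Both checks run before deciding, so the answer does not say which one failed."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return "denied"
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return "ok" if pw_ok and otp_ok else "denied"


if __name__ == "__main__":
    # Simulate the user reading the code off their app at a fixed time.
    print(login("alice", "correct horse battery staple", totp(TOTP_SECRET, 59), now=59))
```

The drift window of one step on each side is the usual compromise between tolerating slightly skewed phone clocks and keeping the number of codes accepted at any moment small; a real service would additionally refuse to accept the same code twice.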
Examples of authentication in day to day life
- Showing or asking for an ID to confirm identity (e.g. asking for an ID from a home service provider or showing driving licence to a traffic police officer)
- Unlocking PCs or smartphones with PINs, passwords or fingerprints
- Logging into a computer, email or social media accounts
- Entering PIN or OTP at an online or retail store
- Withdrawing money from an ATM
There can be many instances in daily life when we have to verify someone’s identity or have our own identity verified.
Authentication vs. authorization
Authorization comes into action once authentication has been successfully performed. It can be seen as a more detailed specification of what is actually accessible post-authentication. For example: your workplace PC may grant you access by authenticating your credentials, yet you may not be allowed (or authorized) to change its settings. Authentication is required for granting access, and the access policy is defined by authorization. Authorization determines what a user is and is not allowed to do once she/he has been authenticated. For example, a university computer network may be accessible to all employees and students using their credentials. Authentication is performed when users log in to the university network; post-authentication, however, the network may define the level of access differently depending on the user. Lecturers may be authorized to access training material while non-teaching staff are not. Students may only be authorized to access the students’ section.
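To make the distinction concrete, here is an added example (not the article's own code) that models the university network above as two separate decisions: authenticate() answers "is this entity who it claims to be?" and returns a session, while authorize() answers "may this authenticated entity perform this action on this resource?" against a role policy. The usernames, passwords, roles and policy table are all constructed; the password check uses scrypt purely as a stand-in for whatever credential verification the real system performs.

```python
# Added example (not from the article): authentication and authorization as
# two separate steps. Directory entries and the policy table are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Role -> allowed (action, resource) pairs. Anything not listed is denied
# (default deny), which is the safe way to write an access policy.
POLICY = {
    "lecturer": {("read", "training_material"), ("upload", "training_material")},
    "student": {("read", "student_section")},
    "staff": {("read", "staff_portal")},
}


@dataclass(frozen=True)
class Session:
    """Proof that authentication succeeded; it carries identity, not permissions."""
    username: str
    roles: FrozenSet[str]


def _scrypt(password: str, salt: bytes) -> bytes:
    # ~16 MiB of memory per guess; parameters are constructed for the demo
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def _user(password: str, *roles: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _scrypt(password, salt), "roles": frozenset(roles)}


# Constructed directory: username -> salted hash plus the roles granted.
DIRECTORY = {
    "dr_lee": _user("lecturer-pass-demo", "lecturer"),
    "sam": _user("student-pass-demo", "student"),
    "pat": _user("staff-pass-demo", "staff"),
}


def authenticate(username: str, password: str) -> Optional[Session]:
    """Authentication: verify the identity claim. Returns a Session or None."""
    rec = DIRECTORY.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(_scrypt(password, rec["salt"]), rec["hash"]):
        return None
    return Session(username, rec["roles"])


def authorize(session: Optional[Session], action: str, resource: str) -> bool:
    """Authorization: apply the access policy to an already authenticated entity."""
    if session is None:            # unauthenticated callers get nothing
        return False
    return any((action, resource) in POLICY.get(role, set()) for role in session.roles)


def access(username: str, password: str, action: str, resource: str) -> str:
    """Run both steps in order and report which one stopped the request."""
    session = authenticate(username, password)
    if session is None:
        return "authentication failed"          # policy is never consulted
    if not authorize(session, action, resource):
        return "authenticated but not authorized"
    return "granted"


if __name__ == "__main__":
    # Staff log in fine but are not allowed to read lecturers' training material.
    print(access("pat", "staff-pass-demo", "read", "training_material"))
```

The point of keeping the two functions apart is that a change to the policy (say, giving non-teaching staff read access to training material) never touches credential handling, and a successful login on its own proves nothing about what the user may do next.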
Challenges in traditional authentication systems
Cards, tokens, badges and other possession-based elements of authentication have historically been used to prove identity. The rise of technology made people switch to technology-powered authentication solutions because the traditional ones offered no help online: you can show your ID to a human being but not to a computer, and even if machines were made to read traditional identity documents, this would create more loopholes than it would fix. Passwords came to the rescue and resolved the issue of online identity authentication. They quickly became a widely used, secure and inexpensive way of authenticating identity on information systems and internet-based services. Passwords served the purpose as long as there were only a few of them to remember. In the current scenario, however, passwords too have lost their relevance, and experts are now looking at biometrics, which uses unique human characteristics to authenticate user identity.
Current authentication scenarios and biometric technology
Passwords are still the most used authentication method on information systems and networks. Amid increasing threats to information security, passwords alone are not sufficient to keep users safe. Users reuse and forget passwords. Passwords can be breached, phished, cracked and guessed. They are also difficult to remember and exposed to attacks like “pass the hash”. User authentication on the basis of behavioral or physiological characteristics, i.e. biometrics, is being adopted to overcome the inadequacies of knowledge- and possession-based authentication factors.
Personal identification on the basis of human anatomical characteristics has been in use since the beginning of the 19th century. The pattern formed by friction ridges on the fingertips was the first human characteristic adopted for this purpose. Early biometric applications were limited to door access, employee attendance, etc., but they are now available even on smartphones and tablets. Entering passwords on present-day touch-screen devices slows down the whole authentication process and degrades the user experience. Today more and more users are digitally savvy and expect an easy connection with their service providers anytime, anywhere, yet many of them still have to access their client space using complicated passwords or tokens that they can hardly remember.
Biometrics eliminates those inadequacies associated with passwords and provides a seamless authentication experience. Users just have to get their biometric identifier scanned, which takes no more than a second. A touch on the fingerprint scanner or a glance at the iris scanner is all the authentication effort required at the user end, and the decision to grant or deny access is made instantly.
Confirming the validity of an identity claim made by an entity is called authentication, and it is an important activity in access control scenarios. Even in our homes, we authenticate identity to decide whether to grant or deny someone access. Factors of authentication can be based on knowledge (e.g. PINs, passwords), possession (e.g. tokens, ID cards) or inherence (e.g. fingerprint, iris pattern). These factors can be used to implement single-factor, two-factor or multi-factor authentication. Authorization is the process that takes place post-authentication; it defines the access policy, i.e. what a user is or is not allowed to do.
Due to the ever-increasing number and complexity of passwords, a forward-looking identification system like biometrics has become essential to keep up with the needs of current users, who are now more tech savvy than ever.