Authentication and Authorisation

Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Authentication and Authorisation

by Simon Biles

Authentication and Authorisation (please notice the “s” is _not_ a spelling error!) are fundamental to information security – identifying who a user is (authentication), and what they are allowed (authorised) to do allow us to restrict access to data in such a way that only the rightful permitted people can access, modify or copy it. It seems in the current day and age, we have a habit of lumping the two together with the term “Identity and Access Management” – but personally, I think that it is wise to remember that they are separate and distinct processes, handled at different times and by different parts of the computer that you are using.

Let’s start off with Authentication – the “prove who you are” part. Authentication can be performed in certain ways – typically these are described as something you know, something that you have or something that you are – each one of these is called a “factor” and, logically, combine two or more of them and you have “multi-factor” authentication. The password is an example of the first of these “factor” types, although there are other things, such as the questions you answer for your password reset (the name of your first pet goldfish, your favourite teacher at school, how many warts you have between your toes, that kind of thing). The things that you have are things like smartcards or dongles, whereas the things that you are include all of the biometric measurements – fingerprints, voice recognition and the like. Each of them has their inherent issues – people forget things, lose things, and, rather frighteningly, people can have bits of them taken – numerous examples abound in film – “Angels and Daemons” springs to mind as the most recent, but I recall “Thunderball” also makes use of the concept…


Please use this thread for discussion of Simon's latest column.


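A short Python sketch, added here to illustrate the column's point and not part of Simon's text or of anything posted in this thread: authentication ("prove who you are", here two factors: a password the user knows and a TOTP code from a token the user has) is one function that returns an identity or nothing, and authorisation ("what may this identity do") is a separate function that consults a permission table only after that identity has been established. The user names, roles, permission table and the demo registration are all constructed for the example; the TOTP routine follows RFC 6238 and the password hashing uses PBKDF2 from the standard library.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000


@dataclass
class User:
    """Constructed in-memory record; a real system keeps this in a database."""
    name: str
    salt: bytes
    password_hash: bytes      # something you know, stored only as a salted hash
    totp_secret: bytes        # something you have, shared with the user's token
    roles: set = field(default_factory=set)


USERS: dict = {}

# Constructed authorisation table: role -> permitted actions.
PERMISSIONS = {
    "analyst": {"read"},
    "admin": {"read", "modify", "copy"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def register(name: str, password: str, totp_secret: bytes, roles: set) -> None:
    salt = os.urandom(16)
    USERS[name] = User(name, salt, hash_password(password, salt), totp_secret, set(roles))


def authenticate(name: str, password: str, code: str, now: int = None):
    """Authentication only: returns the verified identity, or None.

    Both factors must pass. The password hash is computed even for unknown
    names so response time does not reveal which user names exist.
    """
    user = USERS.get(name)
    salt = user.salt if user else b"\0" * 16
    expected = user.password_hash if user else b"\0" * 32
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    now = int(time.time()) if now is None else now
    code_ok = user is not None and hmac.compare_digest(totp(user.totp_secret, now), code)
    return name if (user is not None and password_ok and code_ok) else None


def authorise(principal, action: str) -> bool:
    """Authorisation only: may this already-authenticated identity do `action`?"""
    if principal is None:
        return False
    roles = USERS[principal].roles
    return any(action in PERMISSIONS.get(role, set()) for role in roles)


# Constructed demo data; the TOTP secret is the RFC 6238 test-vector key.
register("alice", "correct horse battery staple", b"12345678901234567890", {"analyst"})


if __name__ == "__main__":
    t = int(time.time())
    code = totp(USERS["alice"].totp_secret, t)      # what alice's token would display
    who = authenticate("alice", "correct horse battery staple", code, now=t)
    print("authenticated as:", who)
    print("may read:", authorise(who, "read"), "may modify:", authorise(who, "modify"))
```

Keeping the two steps in separate functions makes the distinction the column draws concrete: `authorise` never sees a password or token code, and `authenticate` never consults the permission table, so a change to either policy cannot silently weaken the other.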
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Just for interest, I came across the following just now

http://www.cl.cam.ac.uk/~jcb82/doc/password_thicket_bonneau_preibusch.pdf

http://www.lightbluetouchpaper.org/2010/07/27/passwords-in-the-wild-part-i-the-gap-between-theory-and-implementation/

http://www.theregister.co.uk/2010/08/16/password_security_analysis/

Which go into far greater detail than I did!


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

This is also interesting: http://sites.google.com/site/reusablesec/Home/presentations-and-papers/CCS_Password_Metric_Measurement.pdf

