Message-Id: <032A8E4F-1034-4154-A83F-F8C9D794CC8C@goldmark.org>
Date: Sat, 16 Dec 2017 01:43:26 -0600
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification

I wrote about this fairly extensively recently in

 https://blog.agilebits.com/2017/09/14/why-is-this-information-sensitive-the-deeper-equifax-problem/

I tried to explain the difference so that I could then whine about the danger of using knowledge of non-secret identifiers as authentication proofs.

Roughly, identification is the process of figuring out who we are talking about. For many systems, a username is all that is needed. A username is all and only what is needed to identify a particular account on the system. Knowledge of an identifier does not prove that you are that person.

In other circumstances, one might need a name and a date of birth to uniquely identify the appropriate record. 

Authentication typically requires proof of access to a secret that only the prover should have.

Although authentication typically requires the active participation of the prover, while identification may not, that is not the crucial distinction. It would be a mistake to define the difference in those terms.

Cheers,

-j

-- 
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
https://1password.com



> On Dec 15, 2017, at 9:53 AM, Matlink <matlink@...link.fr> wrote:
> 
> You won a point, Authentication¹ is often an action from the user
> (unless continuous authentication), while Identification is rather
> done by the service.
> 
> ¹: I previously made a typo because in French the translation is very close.
> 
> 
> On 15/12/2017 at 16:49, e@...tmx.net wrote:
>> On 12/15/2017 04:44 PM, Matlink wrote:
>>> Basically:
>>> 
>>> Authentification is verifying 
>> 
>> by the user himself
>> (I prefer to make definitions precise, which voice is active and which
>> is passive)
>> 
>>> that a user is really the one she's
>>> pretending to be (i.e. by asking for a password).
>> 
>> 
>>> Identification is trying to put an identity on someone, like her name is
>>> Alice Smith from London (or less precisely by tracking her across
>>> websites).
>> 
>> in other words "THEY DO IT TO YOU"
>> with or without your consent,
>> although you need them to do it to you for your benefit quite often.
>> 
>> 
>>> On 15/12/2017 at 16:32, Alex Smirnoff wrote:
>>>> It confuses me as well. Isn't it exactly the opposite? Identification
>>>> involves a person, and authentication involves abstract "entity" which
>>>> could be non-person, group of people or whatever.
>>>> 
>>>> On Fri, Nov 24, 2017 at 09:29:16AM +0100, Eugene Panferov wrote:
>>>>> it dawned on me recently, the difference between the two is easy to
>>>>> grasp
>>>>> and easy to formulate:
>>>>> 
>>>>> You do want exactly one man to be capable of authentication.
>>>>> You do want multiple men to be capable of identification.
>>> 
>> 
> 
> -- 
> Matlink - Sysadmin matlink.fr
> Stay protected, encrypt your mail: https://café-vie-privée.fr/
> XMPP/Jabber : matlink@...link.fr
> PGP public key: 0x186BB3CA
> Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
> 
> 

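The distinction Jeffrey draws above, as an added Python example that is not part of his post or of any AgileBits code: `identify()` narrows a record set down to one account using non-secret identifiers, `weak_authenticate()` shows the anti-pattern of accepting that same knowledge as proof, and `authenticate()` requires access to a secret bound to the identified record. The account names, birth dates and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    full_name: str
    date_of_birth: str  # ISO date; an identifier, not a secret
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, full_name: str, dob: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, full_name, dob, salt, hash_password(password, salt))


# Constructed sample store. Two accounts share a name and birth date, so
# name + date of birth does not always identify a record uniquely.
ACCOUNTS = [
    make_account("asmith", "Alice Smith", "1985-04-02", "correct horse battery staple"),
    make_account("asmith2", "Alice Smith", "1990-11-30", "hunter2"),
    make_account("alice.s", "Alice Smith", "1990-11-30", "tr0ub4dor&3"),
]


def identify(full_name: str, dob: str) -> Optional[Account]:
    """Identification: figure out which record we are talking about.
    Returns None when zero or several records match (ambiguous)."""
    matches = [a for a in ACCOUNTS if a.full_name == full_name and a.date_of_birth == dob]
    return matches[0] if len(matches) == 1 else None


def weak_authenticate(full_name: str, dob: str) -> bool:
    """Anti-pattern: treating knowledge of non-secret identifiers as an
    authentication proof. Anyone who knows the record's name and birth
    date 'passes', which proves nothing about who is asking."""
    return identify(full_name, dob) is not None


def authenticate(account: Optional[Account], password: str) -> bool:
    """Authentication: prove access to the secret bound to the identified
    record. Constant-time comparison avoids leaking hash bytes via timing."""
    if account is None:
        return False
    return hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)
```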

