Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Dec 2017 01:43:26 -0600
From: Jeffrey Goldberg <>
Subject: Re: Authentication vs identification

I wrote about this fairly extensively recently in

I tried to explain the difference so that I could then whine about the danger of using knowledge of non-secret identifiers as authentication proofs.

Roughly, identification is the process of figuring out who we are talking about. For many systems, a username is all that is needed. A username is all and only what is needed to identify a particular account on the system. Knowledge of an identifier does not prove that you are that person.

In other circumstances, one might need a name and a date of birth to uniquely identify the appropriate record. 

Authentication typically requires proof of access to a secret that only the prover should have.

Although authentication typically requires the active participation of the prover, while identification may not, that is not the crucial distinction. It would be a mistake to define the difference in those terms.



Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits

> On Dec 15, 2017, at 9:53 AM, Matlink <> wrote:
> You won a point, Authentication¹ is often an action from the user
> (unless continuous authentification), while Identification is rather
> done by the service.
> ¹: I previously made a typo cause in french the translation is very close.
> Le 15/12/2017 à 16:49, a écrit :
>> On 12/15/2017 04:44 PM, Matlink wrote:
>>> Basically:
>>> Authentification is verifying 
>> by the user himself
>> (i prefer to make definitions precise, which voice is active and which
>> is passive)
>>> that an user is really the one she's
>>> pretending to be (i.e. by asking for a password).
>>> Identification is trying to put an identity on someone, like her name is
>>> Alice Smith from London (or less precisely by tracking her across
>>> websites).
>> in other words "THEY DO IT TO YOU"
>> with or without your consent,
>> although you need them to do it to you for your benefit quite often.
>>> Le 15/12/2017 à 16:32, Alex Smirnoff a écrit :
>>>> It confuses me as well. Isn't it exactly the opposite? Identification
>>>> involves a person, and authentication involves abstract "entity" which
>>>> could be non-person, group of people or whatever.
>>>> On Fri, Nov 24, 2017 at 09:29:16AM +0100, Eugene Panferov wrote:
>>>>> it dawned on me recently, the difference between the two is easy to
>>>>> grasp
>>>>> and easy to formulate:
>>>>> You do want exactly one man to be capable of authentication.
>>>>> You do want multiple men to be capable of identification.
> -- 
> Matlink - Sysadmin
> Sortez couverts, chiffrez vos mails : https://café-vie-privé
> XMPP/Jabber :
> Clé publique PGP : 0x186BB3CA
> Empreinte Off-the-record : 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2

Download attachment "smime.p7s" of type "application/pkcs7-signature" (3367 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.