Date: Sat, 16 Dec 2017 01:43:26 -0600
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification

I wrote about this fairly extensively recently in

https://blog.agilebits.com/2017/09/14/why-is-this-information-sensitive-the-deeper-equifax-problem/

I tried to explain the difference so that I could then whine about the danger of using knowledge of non-secret identifiers as authentication proofs.

Roughly, identification is the process of figuring out who we are talking about. For many systems, a username is all that is needed. A username is all and only what is needed to identify a particular account on the system. Knowledge of an identifier does not prove that you are that person. In other circumstances, one might need a name and a date of birth to uniquely identify the appropriate record.

Authentication typically requires proof of access to a secret that only the prover should have.

Although authentication typically requires the active participation of the prover, while identification may not, that is not the crucial distinction. It would be a mistake to define the difference in those terms.

Cheers,

-j

--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
https://1password.com

> On Dec 15, 2017, at 9:53 AM, Matlink <matlink@...link.fr> wrote:
>
> You won a point, Authentication¹ is often an action from the user
> (unless continuous authentification), while Identification is rather
> done by the service.
>
> ¹: I previously made a typo because in French the translation is very close.
>
>
> On 15/12/2017 at 16:49, e@...tmx.net wrote:
>> On 12/15/2017 04:44 PM, Matlink wrote:
>>> Basically:
>>>
>>> Authentification is verifying
>>
>> by the user himself
>> (I prefer to make definitions precise, which voice is active and which
>> is passive)
>>
>>> that a user is really the one she's
>>> pretending to be (i.e. by asking for a password).
>>
>>
>>> Identification is trying to put an identity on someone, like her name is
>>> Alice Smith from London (or less precisely by tracking her across
>>> websites).
>>
>> in other words "THEY DO IT TO YOU"
>> with or without your consent,
>> although you need them to do it to you for your benefit quite often.
>>
>>
>>> On 15/12/2017 at 16:32, Alex Smirnoff wrote:
>>>> It confuses me as well. Isn't it exactly the opposite? Identification
>>>> involves a person, and authentication involves an abstract "entity" which
>>>> could be a non-person, a group of people or whatever.
>>>>
>>>> On Fri, Nov 24, 2017 at 09:29:16AM +0100, Eugene Panferov wrote:
>>>>> it dawned on me recently, the difference between the two is easy to
>>>>> grasp
>>>>> and easy to formulate:
>>>>>
>>>>> You do want exactly one man to be capable of authentication.
>>>>> You do want multiple men to be capable of identification.
>>>
>>
>
> --
> Matlink - Sysadmin matlink.fr
> Stay covered, encrypt your mail: https://café-vie-privée.fr/
> XMPP/Jabber : matlink@...link.fr
> PGP public key: 0x186BB3CA
> Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
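The distinction Jeffrey draws above, as an added example that is not part of the thread or of any AgileBits code: identification narrows a directory down to one record using non-secret attributes (name, date of birth), while authentication verifies possession of a secret; the last function shows the anti-pattern he warns about, where identifying data alone is treated as proof. All account data below is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for this illustration


@dataclass
class Account:
    username: str
    full_name: str       # identifying attribute, not secret
    date_of_birth: str   # identifying attribute, not secret (assume ISO date)
    salt: bytes
    pw_hash: bytes       # derived from the only thing that is secret


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def make_account(username: str, full_name: str, dob: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, full_name, dob, salt, hash_secret(password, salt))


# Constructed sample directory: two people share a name, so a name alone
# does not identify a record, but name plus date of birth does.
DIRECTORY: List[Account] = [
    make_account("asmith1", "Alice Smith", "1980-01-02", "correct horse battery staple"),
    make_account("asmith2", "Alice Smith", "1991-07-30", "another long passphrase"),
    make_account("bjones", "Bob Jones", "1975-11-11", "yet another passphrase"),
]


def identify(full_name: str, dob: str) -> List[Account]:
    """Identification: figure out which record we are talking about.
    Uses only non-secret attributes and may return zero, one or many matches."""
    return [a for a in DIRECTORY if a.full_name == full_name and a.date_of_birth == dob]


def authenticate(account: Account, secret: str) -> bool:
    """Authentication: prove access to a secret only the account holder should have."""
    return hmac.compare_digest(account.pw_hash, hash_secret(secret, account.salt))


def knowledge_based_login(full_name: str, dob: str) -> Optional[Account]:
    """Anti-pattern: a unique identification result is treated as an authentication
    proof, so anyone who knows the (non-secret) identifiers is 'logged in'."""
    matches = identify(full_name, dob)
    return matches[0] if len(matches) == 1 else None
```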