What Is Authentication?

And why is Authentication central to computer system security?

I prefer to explain the concept in real-world terms: You’ve been invited to an exclusive event at a secured venue. On the day when you arrive, the security personnel at the entrance will be concerned with establishing your authenticity: who you are and will you be allowed to enter?

The bouncer asks for your name. You tell her. She also wants to see your photo id to verify that you are who you say you are. You hand over your driver’s license. The bouncer looks at the photo and then looks you over while trying to determine whether you are who you say you are. Ultimately, she nods, accepting your identity—you’re in. 

During any Authentication process, whether real-world or in a computer system, we establish our identity, our authenticity, with another party. We never authenticate just by ourselves—we already know who we are. Authentication is always to someone (or something) that does not know who we are.

Similarly, When you authenticate an object, you want to verify that it’s not a fake. FYI, the word came into English from the Latin ‘authenticat-‘ meaning ‘established as valid’.  

In computer systems, Authentication occurs via an electronic artefact only the user or client process would have: a username & password combination, a digital certificate or a security token. 

In the exclusive event example, you passed Authentication successfully. Yet, Authentication can also fail. Consider what happens when we don’t identify to the required level—for example, we provide the wrong username or password. Access denied.

When Authentication is anonymous, it means the other party does not care who we are. Our identity is not required; we don’t need to authenticate ourselves. All comers are welcome. 

Authentication is a simple notion. However, it took me a long time to fully understand Authentication as I frequently mixed it up with Authorisation, a related yet different concept.

We’ll explore Authorisation next time.