Identification, Authentication, Authorisation. Simply Explained.

There’s been a lot of confusion around security terminology. Let’s clarify the difference between identification, authentication and authorisation.

Oct 8, 2021 - 2 min.
Branka Miljanovic

As online services become more commonplace and more of our day-to-day activities take place in online spaces, we’re all becoming better versed in the terminology once reserved for tech gurus. However, there has also been a lot of confusion around some of these terms. This is especially obvious with the vocabulary used to describe the authentication process.

Most of us are now familiar with various authentication processes – like two-factor and multi-factor authentication – which rely on a series of steps to identify, authenticate and authorise users to access accounts, platforms and data. However, there is a lack of clarity around these processes since these terms are often used interchangeably. In fact, there is a very clear distinction between them.

How can we differentiate these terms?

Let’s take a look at a real-world example to clarify the differences between identification, authentication and authorisation. 

Now that venues are reopening and life is regaining some normalcy, people are taking advantage of the opportunity to enjoy cultural events. Art enthusiasts, film aficionados and sports fans are flocking to museums, theatres and stadiums. In an effort to relax social distancing controls, many of these venues are requiring proof of vaccination against Covid for entry. This is a perfect scenario to explain the distinction between identification, authentication and authorisation!

Step 1: Identification

On the day of the concert, you arrive at the venue with your ticket in hand. In order to identify you as the person whose name is on the ticket, you present your personal identification card to security personnel. This can be equated to your username when logging into online accounts and platforms. 

Step 2: Authentication

The security guard at the concert venue takes your ticket and compares the name and face on the personal identification card to the person wanting to enter (you). If the faces and names match up, you have been authenticated. This step is essentially an analogue version of the facial recognition process. And facial recognition security processes have become a common replacement for account passwords.

Step 3: Authorisation

Once your identity has been authenticated, you still need to be authorised to enter the concert venue. This is where your proof of vaccination comes in. Your Covid vaccination card grants you permission to attend the event. This works in a very similar way to data access permissions that either grant or deny your request to view or edit specific data.

If you as the concertgoer fail any one of these steps, you will not be admitted to the venue.

Back to the online world

Online security has become significantly more important over the past twenty years, as more and more personal data has been digitised and digitalisation has transformed how we do business and conduct our personal affairs. Not everyone should be able to access all available data, which is why rights and restrictions have to be connected to user accounts. 

When logging into your bank account or social media accounts, a username won’t get you very far. That’s a good thing! Otherwise, everyone who knew your username would be able to access all your data. In order to ensure that only you can access your private information, you need to authenticate your identity.

In the same way, in order to ensure that not every user gains access to vital system data and programs, companies can set user permissions so only specific individuals are authorised to view or edit data and information.
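
Here are the same three steps in an online login, as an added example that is not part of the original article. The usernames, passwords and permission names are constructed, and PBKDF2 from Python's standard library stands in for whatever a real IAM product uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str, permissions) -> dict:
    salt = os.urandom(16)  # unique salt per account
    return {"salt": salt, "hash": hash_password(password, salt),
            "permissions": frozenset(permissions)}

# Constructed sample accounts (not real credentials)
USERS = {
    "alice": make_user("correct horse battery", {"report:view", "report:edit"}),
    "bob": make_user("tr0ub4dor&3", {"report:view"}),
}
# Placeholder record so an unknown username costs the same work as a known one
_DUMMY = make_user(os.urandom(16).hex(), ())

def identify(username: str):
    """Step 1: who do you claim to be? Returns the account or None."""
    return USERS.get(username)

def authenticate(account: dict, password: str) -> bool:
    """Step 2: prove the claim. Hashes are compared in constant time."""
    candidate = hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["hash"])

def authorise(account: dict, permission: str) -> bool:
    """Step 3: is this proven identity allowed to do what it asks?"""
    return permission in account["permissions"]

def request_access(username: str, password: str, permission: str) -> str:
    account = identify(username)
    proven = authenticate(account or _DUMMY, password)
    if account is None or not proven:
        # One answer for "no such user" and "wrong password",
        # so the response does not reveal which usernames exist
        return "denied: authentication failed"
    if not authorise(account, permission):
        return "denied: not authorised"
    return "granted"
```

Bob's correct password gets him past authentication, yet a request for `report:edit` is still refused because authorisation is checked separately.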

Integrating an IAM system to guarantee security

Identity and Access Management (IAM) systems like Nevis’ solutions make it easy to assign, manage and monitor access rights and privileges on the basis of set guidelines, including parameters like device, location and of course user account. Any unauthorised access attempts trigger an alert and can be further investigated if deemed necessary.

With increased cyberattacks and ransomware threatening data and system security, it is essential for businesses to provide added security wherever they can. Using IAM to automate the allocation of access permissions and authenticate users is one of the most feasible ways to accomplish this. Ultimately, your data and systems deserve at least the same level of protection as concert and sporting venues. 

