Authentication vs. authorization

It should be noted that the problem of authentication is not equivalent to the problem of authorisation. This article confuses the two!

The article needs to be split into two cross-referenced articles about these two closely related but different topics. The differences are subtle, and someone should write about them.

Strictly speaking, the types of authentication are:

  • Something only the user is
  • Something only the user has
  • Something only the user knows

It is not really authentication (or at least, not good authentication) if the user is not the only one in possession of a particular credential.

There is also a fourth, seldom mentioned method of authentication that is often used but almost always in combination with at least one of the other forms:

  • Some place the user is.
(Let me embellish this further.) If the person lives in New York but is attempting to make a transaction from a kiosk in Las Vegas, this could raise suspicion that the actor is not who they claim to be. Furthermore, a time factor may be added: if they last authenticated in New York but 15 minutes later tried to authenticate in Las Vegas, that too might raise suspicion. --68.188.183.91 (talk) 23:40, 15 June 2015 (UTC)

(unsigned request)

The requested material has since been added. -- Beland (talk) 19:07, 27 May 2008 (UTC)
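The location and time factor discussed in this thread is usually applied as a risk signal on top of the classic three factors rather than as a factor on its own. The following is an added illustration, not code from the article or from any of the commenters; the speed threshold, coordinates, timestamps and factor names are constructed assumptions, and the New York / Las Vegas scenario is the one described above.

```python
# Added example, not from the Wikipedia talk page or article: a risk-based
# login check that combines the three classic factors with the fourth,
# "some place the user is", including the time-based "impossible travel"
# test. Threshold, coordinates and timestamps below are constructed.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

FACTORS = {"knows", "has", "is"}          # the three factor types from the thread
MAX_PLAUSIBLE_KMH = 1000.0                # assumption: faster than airline travel


@dataclass(frozen=True)
class Attempt:
    user: str
    factors: frozenset          # which factor types were verified this time
    lat: float
    lon: float
    t: float                    # seconds since epoch


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """True if the user would have had to move faster than max_kmh."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.t - prev.t) / 3600.0
    if hours <= 0:
        return dist > 0.0       # two different places at the same instant
    return dist / hours > max_kmh


def decide(prev, cur):
    """Return 'allow' or 'step_up'. Location/time alone never authenticates;
    it only raises how many of the other factors must be verified."""
    unknown = cur.factors - FACTORS
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    needed = 2 if (prev is not None and impossible_travel(prev, cur)) else 1
    return "allow" if len(cur.factors) >= needed else "step_up"


# Constructed data: the New York / Las Vegas scenario from the thread.
NEW_YORK = Attempt("alice", frozenset({"knows"}), 40.7128, -74.0060, t=0.0)
LAS_VEGAS = Attempt("alice", frozenset({"knows"}), 36.1699, -115.1398, t=15 * 60.0)

if __name__ == "__main__":
    print(round(haversine_km(40.7128, -74.0060, 36.1699, -115.1398)), "km")
    print(decide(NEW_YORK, LAS_VEGAS))   # step_up: password alone is not enough
```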

Identity vs. message

Consider the following circumscription of authentication in the current version of the article:

"However, more precise usage describes authentication as the process of verifying a person's identity..."

Doesn't this definition describe what one usually means by "identification"? Or, put in other words: what is the difference between authentication and identification (if there is any at all)? Does identification correspond to "entity authentication" (as it is called in the Handbook of Applied Cryptography)? What is the general difference between "entity authentication" and "message authentication"? Unfortunately, I have not yet seen convincing definitions for these notions in the cryptographic literature; does anyone know of a good reference?

(unsigned comment)

This language has since been changed. -- Beland (talk) 19:07, 27 May 2008 (UTC)

Authorization without authentication

"Since authorization cannot occur without authentication, the former term is sometimes used to mean the combination of authentication and authorization."

Is this true? Consider baseball tickets. They establish my authorization to be in the park, without any authentication of my identity. Not modifying the article myself, as I'm not sufficiently confident I haven't missed something.

(unsigned comment)

When checking your ticket, the stadium staff first need to authenticate that the originator of the ticket was a specific entity. Then they also need to ensure that this entity is authorized to grant tickets. It is only the message being authenticated, not the identity of the bearer. -- Beland (talk) 19:07, 27 May 2008 (UTC)

How about this then: When I use a network, I may have access to the "guest" network share on the file server (everybody is AUTHORISED to access it regardless of their AUTHENTICATION). However, I have to log in (i.e. AUTHENTICATE myself) to access the "private" network share on the file server. Therefore, there is a level of authorisation that can occur before authentication. Put simply: You are authorised only to access certain network resources because you are NOT AUTHENTICATED! —Preceding unsigned comment added by 202.182.91.94 (talk) 05:41, 12 May 2009 (UTC)

You are authenticated as a guest. I.e. you first say that you are a guest, and then the computer authenticates you that you are a guest indeed. Note that this can occur without actually requiring you to specify some identification: the computer might just treat everyone not explicitly providing identification as guests, and then (of course) successfully authenticating them as such. And authorizing them to access the public share only, finally. Note that all this stuff is fine abstract matter, and people often never suppose in the "real" world that they are going through this. 93.74.15.183 (talk) 22:43, 13 March 2013 (UTC)

Expansion request

Authentication is a problem which pre-dates computers. This article, or a companion article, should cover problems and methods in non-electronic authentication. (Think spies, art forgery, criminal investigations, etc.) -- Beland 00:09, 3 October 2005 (UTC)

I've added some coverage of such things, but the History section needs filling in. -- Beland (talk) 18:59, 27 May 2008 (UTC)

Expansion is requested; alternatively, a separate entry should be created regarding the all-important issue of authentication of court records in the U.S., prior to implementation of digital technologies, and afterwards as well. --InproperinLA (talk) 19:23, 30 November 2009 (UTC)

Citation request

The article mentions "Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability." Is this actually the case? A citation of source would be helpful. —Preceding unsigned comment added by 70.168.37.69 (talk) 17:31, 5 September 2007 (UTC)

Authenticity & the Protocols of Zion

I'm a bit surprised that the concept of Authentication is so rarely used in relation to the Protocols of the Elders of Zion: Fraud, fake, hoax, forgery, plagiarism, etc., but not inauthentic. --Ludvikus (talk) 01:42, 16 April 2008 (UTC)

That word is currently used in that article, but that article's talk page is probably the best place to discuss such issues, not this one. -- Beland (talk) 19:08, 27 May 2008 (UTC)

This page is called Authentication and starts out with that basic concept. But the links from this page are mostly to computer security related things. I believe a clean-up is needed for the "Also read" part. Don't know the template to use for that. --wmasterj (talk) 14:42, 14 September 2008 (UTC)

Misunderstanding? or some other Confusion

The text says as follows on two-factor authentication: "When elements representing two factors are required for identification, the term two-factor authentication is applied."

This seems to confuse identification and authentication. Identification is, as I understand it, the statement 'I am XYZ'. The authentication is the processes of deciding if that is true or not. That requires additional input ... password, fingerprint, urine sample, challenge/response info ... which are the 'factors' that make up the n-factor authentication. Conflating identification and factors seems to lead to misunderstanding.

Alternatively, I am the one who misunderstands, and in that case that passage may need to be made clearer. Athulin (talk) 09:02, 30 July 2010 (UTC)

I agree and have made the update in the article. Captpossum (talk) 15:40, 23 January 2013 (UTC)

Inaccurate discussion

The discussion provided in section "Authentication in Communication" is largely inaccurate. First, without context, authentication as a term has only a very vague meaning, as given in the lead. What is discussed here is entity authentication, which is only one specific aspect of authentication. What is largely missing is the emphasis on the authentication aspect of entity Y over the aliveness aspect ("Y currently wants to communicate"). The terminology presented is also somewhat contradictory to other, longer-existing terminology. Specifically, strong authentication refers to a property where the credential cannot be retrieved by an eavesdropper (e.g., password-based schemes). More appropriate (and conforming) terminology would probably be explicit authentication; we need more references here.

But this article really needs to address the other issues of authentication in communications security, such as data origin authentication, transaction authentication and key authentication. Regarding sections 1 and 2, I suggest renaming section 1 to "Authentication in communications security" and section 2 to "Authentication by physical means". Something like that.

Care to comment? Nageh (talk) 12:49, 25 August 2010 (UTC)

---

So Nageh, is the concept of social relationships as they relate to improving authentication in the future (this authentication in communications stuff) best somewhere else in Wikipedia? —Preceding unsigned comment added by 98.215.103.214 (talk) 06:59, 20 September 2010 (UTC)

There were two problems with your edits. First, you tried to smuggle in a link that has been deleted before as spam by concealing it with a subsequent "fixed bad link" message edit where you merely removed another link. Second, the source you provided is a blog and essay and nowhere near the quality we expect of sources. Nageh (talk) 10:59, 21 September 2010 (UTC)

Software and Online Authentication

I was looking for some information on authentication between client and server over the internet (access tokens, sessions, OpenID, Facebook Connect, ???) but instead I got this article, which barely even mentions computers. Is that aspect of authentication really so minor? I do not understand how this article currently has a C rating in the Computer Security WikiProject. — Preceding unsigned comment added by Norlesh (talk · contribs) 04:19, 28 February 2011 (UTC)

Well, perhaps you're looking in the wrong place. This article is not titled "Computer Authentication" or "Online Authentication", either, so its lack of computer-specific information is quite understandable. Also, Wikipedia is an encyclopedia, not a catalog, so I recommend you enter some of the terms you mentioned in your comment (above) into the search engine of your choice and have at it. You might also try www.openid.org and www.rsa.com. — UncleBubba (T @ C) 04:47, 28 February 2011 (UTC)

Authentication is not verification of claim made *by* subject

From the article:

"Authentication [...] is the act of establishing [...] that claims made by or about the subject are true"

→ I suggest removing the underlined text.

The act of verifying that a claim is true (whether expressed by a subject or not) is called validation, and this is not authentication. The opposite of authenticity is counterfeit, not "wrong" or "false". Authentication does include verification of attribution, i.e. verifying that someone claimed something (whether true or false) or that a subject did something (whether good or bad). But this is actually verifying a claim about the subject. Authentication could (to some extent) also be about verifying the sincerity of someone (see Authenticity), but again this is the same as verifying a claim about the subject that he really thinks that a given claim is true (independent of whether said claim is true or false). Fuujuhi (talk) 16:40, 13 April 2011 (UTC)

Digital Authentication and other issues


  • I think the article needs the section "digital authentication" covering the specific issues of computing and communication. The focus is too much on "products".
  • The paragraph on Strong authentication is giving a purely US American perspective. I suggest adding the European and, if possible, Asian perspective.
  • The article speaks of 2-factor authentication, however it misses 1-factor and multi-factor authentication.

I will provide some paragraphs during the next days. I would appreciate feedback and discussion. ScienceGuard (talk) 16:50, 1 August 2016 (UTC)

Rework and Improvement of the Content

Following several of the above-documented discussion points, I started reworking the article.

Digital Authentication

Following the suggestions concerning authentication in communications security, I added "Digital Authentication". There are several words used but "Digital Authentication" was the one I personally came across most often. It is also used by NIST. This subsection deserves a full article and can only be summarized here. I built on Tuner's introduction into Digital Authentication and summarized the NIST model. The question is: shall we add scenarios like "man-in-the-middle-attack"?

Structure

I started working on the structure, completed the types of authentication, which were limited to 2FA, and included strong authentication in that categorization. Multi-factor authentication needs some more input.

Sources

I added missing sources at several places in the text.

More work to be done

The text still shows several weaknesses.

  • Information Content: Whereas Digital and Product Authentication make sense and provide a stringent storyline, Information Content does not fit in here. What is it, a use case? Or a different category of Authentication?
  • Authorization: Also, Authorization and Access Control appear to be pretty random.
  • Methods: The section "Methods" also appears to be an article on its own which does not really blend into the rest of the article. Can that be rephrased, or should it even be deleted or shortened?

My suggestion is either to delete sections or to better integrate them into the flow.

  • History: the paragraph on cryptography is not substantiated, appears like a personal opinion or original research, and would need a source. Otherwise, better delete it. The fingerprint section makes sense but stands alone. Did the article miss a section "biometric authentication"?

Any suggestions? ScienceGuard (talk) 11:32, 9 August 2016 (UTC)

Draft:Authentication

A draft has been submitted by an editor who is no longer active that focuses on cryptographic authentication, and appears to contain information that is not in this article. A comparison and possible expansion would be useful. Robert McClenon (talk) 04:45, 9 April 2019 (UTC)

I can't find any such draft article. What am I missing? Tom Scavo (talk) 13:21, 9 April 2019 (UTC)

User:Trscavo It seems that the author of the draft came back from hibernation and deleted the draft. Thank you for trying. Robert McClenon (talk) 01:29, 10 April 2019 (UTC)

Overhaul

I'm going to overhaul this article and see if we can get it through WP:GAN. Jehochman Talk 14:10, 5 July 2019 (UTC)

Plagiarism and lack of fact checking

Whilst researching Blind credential (AfD discussion) I found that plagiarism of (earlier versions of) this article is rampant in the literature. Unfortunately, the ones that uncritically plagiarized the stuff about "blind credentials" appear to be unreliable sources, because they do not know their own subject enough to have recognized that as simply not an established concept in the field when copying wholesale from Wikipedia. (No, it is not anonymous credentials, blind signatures, or blinding (cryptography).)

The tell-tales were this sentence that EntmootsOfTrolls (talk · contribs) wrote 4 minutes after writing blind credential and this sentence where it was rewritten in 2008 by Beland (talk · contribs) as part of a merger. If a source contains either of these, check that it isn't just a copy of an earlier version of this very article and a bad source that was not fact-checked. Some that I found, all of which copied more than 1 sentence (sometimes entire sections), are:

  • Erbes, Milan (2008). "Smart Home and Health Telematics". In Helal, Abdelsalam; Mokhtari, Mounir; Abdulrazak, Bessam (eds.). The Engineering Handbook of Smart Technology for Aging, Disability, and Independence. John Wiley & Sons. p. 900. ISBN 9780470379356.
  • Afizi, Mohd Shukran Mohd (2015). "Literature review". Novel approach of authentication using pixel value graphical password scheme. Anchor Academic Publishing. p. 18. ISBN 9783954899135.
  • Hung, Le Xuan. "Research Taxonomy" (PDF). u-Security Research Group: 4.
  • Prasad, P. E. S. N. Krishna; Prasad, B. D. C. N.; Chakravarthy, A. S. N.; Avadhani, P. S. (2012). "Password Authentication Using Context-Sensitive Associative Memory Neural Networks". In Meghanathan, Natarajan; Chaki, Nabendu; Nagamalai, Dhinaharan (eds.). Advances in Computer Science and Information Technology. Computer Science and Engineering: Second International Conference, CCSIT 2012, Bangalore, India, January 2-4, 2012. Proceedings, Part 2. Springer. p. 455. doi:10.1007/978-3-642-27308-7_49. ISBN 9783642273087.

Uncle G (talk) 09:25, 17 September 2019 (UTC)

Definition and introduction

I think the page would benefit greatly from an easier to understand introduction.

The very first sentence mostly consists of a fairly irrelevant parenthesis on etymology.

The second sentence is rather unclear and mentions identification that is given a peculiar definition and a link to a page that doesn't even mention the word (identification). (In practice the difference is about performance 1-N vs N-N, anyway.) The second half of the second sentence simply restates what the first sentence did about proving an assertion.

So, I think the first two sentences unnecessarily introduce etymology and a contrast with identification. These may be valuable topics but not for the introduction, as far as I can tell. 2A00:1598:C006:0:0:0:0:8D3C (talk) 21:04, 16 December 2019 (UTC)

Proposed merge of Message authentication into Authentication

Wide overlap. fgnievinski (talk) 23:15, 22 September 2023 (UTC)

There's some overlap, but they are seen as separate problems in IT security circles. 62.20.62.215 (talk) 07:13, 9 October 2023 (UTC)

Closing, given the uncontested objection and no support, with stale discussion. Klbrain (talk) 22:18, 2 January 2024 (UTC)