Authentication and Authorization

An authentication system is how you identify yourself to the computer. The goal behind an authentication system is to verify that the user is actually who they say they are.

There are many ways of authenticating a user. Any combination of the following are good examples.

Password based authentication

Requires the user to know some predetermined quantity (their password).

Advantages: Easy to impliemnt, requires no special equipemnt.

Disadvantages: Easy to forget password. User can tell another user their password. Password can be written down. Password can be reused.

Device based authentication

Requires the user to posses some item such as a key, mag strip, card, s/key device, etc.

Advantages: Difficult to copy. Cannot forget password. If used with a PIN is near useless if stolen.

Disadvantages: Must have device to use service so the user might forget it at home. Easy target for theft. Still doesn't actually actively identify the user.

Biometric Authentication

My voice is my passport. Verify me. This is from the movie sneakers and demonstrates one type of biometric authentication device. It identifies some physical charactistic of the user that cannot be seperated from their body.

Retina Scanners:

Advantages: Accurately identifies the user when it works.

Disadvantages: New technology that is still evolving. Not perfect yet.

Hand Scanners:

Advantages: Difficult to seperate from the user. Accurately identifies the user.

Disadvantages: Getting your hand stolen to break into a vault sucks a lot more than getting your ID card stolen.

Once the system knows who the user is through authentication, authorization is how the system decides what the user can do.

A good example of this is using group permissions or the difference between a normal user and the superuser on a unix system.

There are other more compicated ACL (Access Control Lists) available to decide what a user can do and how they can do it. Most unix systems don't impliment this very well (if at all.)