What is identity?

This episode describes identity and authentication. Authentication is the process you go through to prove your identity and there are several ways you can do this. It’s often confused with authorization but they’re different things and should not be used as if they are the same. Authorization controls what a person is allowed to do while authentication proves who a person is. If you’re not worried about authorization and have a completely open system where everybody has full access, then you don’t need to worry about who’s who.

The episode describes four separate ways to authenticate and then describes how this can be combined for even greater security. After I recorded the episode, I realized that I left out another form of authentication. It’s not very common so should not cause any major problems especially when most articles online only discuss three forms anyway. Here are the forms of authentication from least secure to most secure:

  1. Where you are. With this form of authentication, just showing up is prove enough. Sometimes sites will have unadvertised URLs that the hosts only provide to certain people. It’s assumed that if you visit one of these URLs, then you must be who you say you are.
  2. Who knows you. This is the mode that I left out of the podcast. It’s most often used in real life when another person vouches for you. Maybe you forgot your identity card but a friend steps in and says, “It’s alright, I know this person.”
  3. What you know. This is the most common form of online authentication and usually involves knowing a name and password. If another person obtains this information, then they can effectively steal your identity.
  4. What you have. This is probably the most common form of authentication in the real world. Every key that you have is a form of this type of authentication. As long as you have the key, then you’re good. This can also be a movie ticket or a sports ticket or even cash. Now, don’t get me wrong, cash doesn’t usually prove your identity unless you have your own country and it’s your picture on the bills. But just having the cash does prove ownership.
  5. What you are. This involves aspects that are unique to you such as fingerprints, voice recognition, and retinal scans. I should have mentioned DNA but just thought about that.

You can really improve security by combining these. If you haven’t yet enabled two-factor authentication for your email and other online sites, then do that right now. It’s really important. With two-factor or sometimes it’s called multi-factor authentication, a system usually starts by asking for what you know such as your password, then it will send some extra information to a device you have such as your mobile phone. Now, in order for an attacker to steal your identity, the attacker needs to both know your password as well as have your phone. This is much more difficult and secure.