Identification, Authentication & Authorization

Whenever a user wants to access protected content or a service, they face a validation process. This process can be broken down into three steps: identification, authentication and authorization. This lesson clarifies these steps.

Lesson goals and objectives

In this lesson you will learn:

  • what identification is
  • what authentication means
  • what can go wrong at authorization

The first step of user validation is user identification. This step aims to find out who the user is. It can be carried out by a person or by a machine. A user can state their name or present an ID. The user can also be recognized through a camera.

Face recognition is becoming very accurate and is frequently used to identify users.

The second step is authentication. In this step, the user must prove that they are who they claim to be. This can be done in different ways. For example, someone can compare the user's face with the photo in a passport, or the user is prompted to enter a PIN when paying with a bank card …

A user can be authenticated in many different ways.

The final step of validation is authorization. This step aims to find out whether the user is eligible to carry out the action they intend. Do they have enough money in their bank account? Do they have a hotel reservation? Do they have permission to access the protected web page …

The video below explains these steps.

Although there are some exceptions, we can say that validation generally consists of all three steps.
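The three steps above map directly onto three separate checks in code. The following Python example is added here to illustrate the lesson; it is not part of the original lesson and uses a constructed in-memory user store with made-up usernames, passwords and permission names. Identification looks up the claimed identity, authentication verifies a secret against a salted password hash, and authorization checks whether the authenticated user holds the permission for the requested action. The same generic failure message is returned whether the username or the password was wrong, so the login endpoint does not reveal which accounts exist.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Work factor for PBKDF2; a real deployment would tune this to its hardware.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; only this hash and the salt are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    password_hash: bytes
    permissions: frozenset


def make_user(username: str, password: str, permissions) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), frozenset(permissions))


# Constructed sample user store for this example (not real accounts).
USERS = {
    u.username: u
    for u in (
        make_user("alice", "correct horse battery staple", {"read:page", "book:hotel"}),
        make_user("bob", "another-long-example-passphrase", {"read:page"}),
    )
}


# Step 1: identification. The caller claims an identity; we look it up.
def identify(username: str):
    return USERS.get(username)


# Step 2: authentication. The claimant proves the identity with a secret.
def authenticate(user, password: str) -> bool:
    if user is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, user.salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, user.password_hash)


# Step 3: authorization. Is this authenticated user allowed to do this?
def authorize(user: User, action: str) -> bool:
    return action in user.permissions


def validate(username: str, password: str, action: str) -> str:
    """Run all three steps and report the outcome as a short status string."""
    user = identify(username)
    if not authenticate(user, password):
        # One message for both "no such user" and "wrong password".
        return "denied: authentication failed"
    if not authorize(user, action):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(validate("alice", "correct horse battery staple", "book:hotel"))
    print(validate("bob", "another-long-example-passphrase", "book:hotel"))
    print(validate("nobody", "whatever", "read:page"))
```

Note that authorization only runs after authentication succeeds, and that permissions are attached to the stored user record rather than taken from the request; both choices are what keep the third step from being bypassed.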

Broken authentication

The OWASP Foundation, in its Top 10 Application Security Risks – 2017 project, placed “Broken Authentication” second and “Broken Access Control” fifth.
