
What is ‘authentication’?

Mar 24, 2004

* The concept of 'authentication' as discussed in the Open Group's white paper

We’re spending a few issues examining a new white paper from The Open Group called “Identity Management” (link below). Today we’ll look at the concept of “authentication.”

In the paper, authentication is defined as “…the process of gaining confidence in a claimed identity.” (If you didn’t see the last newsletter on the concept of “trust,” you might get a copy from and review it before going any further. Alternatively, review the section of the white paper dealing with “trust.”)

Normally authentication is an assertion that someone wishing to use an account is the person who “owns” (or is identified by) that account. Before getting to the actual authentication step, though, the author reminds us that the account (referred to as the “identity”) has to be created and a certain amount of verification of that identity has to occur.

While I could walk into a bank and say that I was Mark Gibbs, I’d need to come up with more than a tear sheet from Network World to verify that identity. When talking about an account on your enterprise network, the person in charge of creating accounts most likely relies on information given by the human resources department – or perhaps HR creates the account themselves (see the next issue on “provisioning” for more on that). In either case, HR is most likely relying on government-issued documents (in the U.S., social security number, driver’s license, birth certificate, green card, naturalization papers, etc. – probably three or more of these) to verify the identity claimed by a new hire.

In this section, the paper also introduces the subject of “context” as an element of authentication based on roles and rules. What the paper actually says is:

“The best examples are people who have multiple profiles (e.g., employee, citizen, personal, consumer, social). Optimally, a person would have a single identity with multiple profiles associated to them that are invoked based on context. However, this raises the conflict of gaining systems consistency and efficiency vs. potential of exposing personal private information.

“There are areas where some improvements can occur. For example, consistency within the employee profile would greatly assist system consistency and data integrity within the corporate context. There is no rationale for the corporation for linking that to the personal or consumer profiles. However, there may be advantages from employee benefits (e.g., special purchase programs) that should be considered when a person is in the consumer or personal mode.”
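The passage above describes an architecture rather than code: one identity, several profiles (employee, consumer, personal), a profile selected by context, and no default linkage between the employee profile and the personal or consumer ones. The following is an added example, not code from the white paper or from this column, that models that design in Python. It assumes a small in-memory `Identity` class with a `resolve(context)` method that returns only the matching profile's attributes, and an explicit `allow_link` call for the one cross-profile case the paper hints at (a consumer-mode purchase program that needs to know the person is an employee). All profile names, attribute names and values are constructed for illustration.

```python
"""Added example: context-scoped profile resolution for a single identity.
Not from the Open Group paper or the column; names and values are constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Profile:
    context: str       # e.g. "employee", "consumer", "personal"
    attributes: dict   # attribute name -> value


@dataclass
class Identity:
    identity_id: str
    profiles: dict = field(default_factory=dict)   # context -> Profile
    # Declared cross-profile links:
    # (requesting context, source context) -> set of attribute names released.
    # Nothing crosses a profile boundary unless it is listed here.
    links: dict = field(default_factory=dict)

    def add_profile(self, profile):
        self.profiles[profile.context] = profile

    def allow_link(self, requesting, source, *attribute_names):
        """Permit `requesting` context to see the named attributes of `source`."""
        self.links.setdefault((requesting, source), set()).update(attribute_names)

    def resolve(self, context):
        """Attributes visible when this identity is invoked in `context`.

        Raises KeyError when no profile exists for the context, so a caller can
        never fall through to some other profile's data by accident."""
        if context not in self.profiles:
            raise KeyError(f"identity {self.identity_id} has no {context!r} profile")
        view = dict(self.profiles[context].attributes)
        # Pull in only explicitly linked attributes from other profiles,
        # prefixed with their source so the provenance stays visible.
        for (requesting, source), names in self.links.items():
            if requesting != context or source not in self.profiles:
                continue
            src = self.profiles[source].attributes
            for name in names:
                if name in src:
                    view[f"{source}.{name}"] = src[name]
        return view


def cross_profile_attributes(identity, context):
    """Names in the resolved view that came from a profile other than `context`."""
    return {k for k in identity.resolve(context) if "." in k}


def build_sample():
    """Constructed sample person with three profiles and one declared link."""
    person = Identity("id-0001")
    person.add_profile(Profile("employee", {"employee_number": "E-4471",
                                            "department": "finance"}))
    person.add_profile(Profile("consumer", {"loyalty_number": "C-9913"}))
    person.add_profile(Profile("personal", {"home_phone": "555-0100"}))
    # The employee-benefit case: consumer mode may learn the employee number
    # (to qualify for a purchase program) and nothing else from the employee profile.
    person.allow_link("consumer", "employee", "employee_number")
    return person


if __name__ == "__main__":
    p = build_sample()
    for ctx in ("employee", "consumer", "personal"):
        print(f"{ctx:9s} -> {p.resolve(ctx)}")
```

Running the block prints one line per context; the employee view carries no consumer or personal data, the personal view carries nothing from the other two, and the consumer view contains exactly one employee attribute, the one declared by `allow_link`. The design choice is that linkage is opt-in per attribute rather than opt-out, which is the property the paper asks for when it says there is no rationale for the corporation to link the employee profile to the personal or consumer ones.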

As you can see, the paper can raise almost as many new questions as it gives answers to old ones. Read it, discuss it among yourselves, send me your thoughts, then come back next time as we delve into the concept of provisioning.