This article is the first in a series on cybersecurity to be discovered on the Evolucare website.
Identification, authentication, authorization: what are they? How do they work?
As users of computer software, we are increasingly required to log on, either because we are using online software, or because logging on enables us to trace the actions carried out in the software, which, in the medical and medico-social fields, contributes to the patient identification vigilance process and data protection.
Identification: who am I?
With identification, we demonstrate our identity. This definition may seem very circular, but it covers a wide range of realities.
When I show my ID card to the letter carrier when I sign for a registered letter, or pick up a parcel, I’m identifying myself.
When I pick up the phone and say my name, I’m also identifying myself.
And we can see, in these two examples, that the level of certainty about identity is not the same. The letter carrier has a formal means of identification, with my first and last name, which he can compare with his registered mail, and my photo, which complies with an official standard, which he can compare with my face. My telephone interlocutor, on the other hand, has to make do with the assumption that the person answering is indeed the person whose telephone number he has.
In computing, it’s the same. The simplest means of identification is the “login” or user name, which we have created or which has been created for us to access the software. In many cases, knowing this username is equivalent to identification. In other cases, more certainty is required. For example, to create certain online accounts, you may be asked not only for a copy of your identity card, but also for a photograph of the cardholder holding the card in his or her hand, to enable the software supplier to carry out a check almost equivalent to that of my letter carrier.
The term “electronic means of identification” refers to the tangible (e.g. smart card) or intangible (e.g. username) device that contains personal identification data and is used to authenticate for an online service.
Authentication: I am who I say I am
Authentication is inseparable from identification.
Authentication is what proves that I am who I say I am. When I show my identity card to the letter carrier, I identify myself: when the letter carrier reads it, compares my name with the one on the letter, and my photo with my face, he authenticates me.
Authentication can be based on three types of elements, called “factors”:
- what I know: a password, a PIN code, a specific drawing…
- what I own: a smart card, a telephone number (for sending text messages with codes), an electronic certificate…
- what I am: my face, my fingerprints, my retinal prints…
Depending on the sensitivity of what it protects, authentication can be called “simple” or “strong”.
Simple authentication uses a single authentication factor.
Logging in with the username and password we all know is simple authentication. My telephone exchange with someone who simply heard me answer “Lauranne Peyron” is also simple authentication (I own the phone whose number he dialed).
Strong authentication, also known as “multi-factor”, uses at least two authentication factors (and sometimes three).
When I make a bank transfer while logged in with my user name and password on my customer area, my bank sends me a telephone notification to validate the transfer via the application, that’s strong authentication. When the letter carrier checks my identity card, this is also strong authentication (I have my identity card and my face matches the photo).
Authorization: what I’m allowed to do
Authorization is the final stage. We identify and authenticate people to give them the right, the authorization, to perform actions.
The letter carrier gives me the right to receive and consult my registered letter. My bank gives me the right to make a bank transfer. My computer software gives me the right to access my files.
Authorizations can be very broad (consultation of all files) or more granular (consultation and modification of all files in the “physiotherapy” department of the “Happy Hamsters” nursing home in Bumbleberry-on-Toast).
Stay tuned!
