Fundamental Difference between ‘Authentication’ and ‘Identification’
“What is valid for ‘identification’ must be valid for ‘authentication’, and vice versa”: this is a misperception shared by quite a few IT professionals, and it is particularly conspicuous among pro-biometrics folks.
That cannot be the case. ‘Identification’ answers the question “Who is this person?”, while ‘authentication’ answers the question “Is this person the one they claim to be?” Can the two be equated?
Hence, the correct perception must be “What is valid for identification is not necessarily valid for authentication, and vice versa”.
The typical example is DNA, which is very valid for identification but simply invalid for authentication: DNA can be copied indefinitely and easily spread all over the world.
Another is a secret credential such as a remembered password, which is valid for authentication but invalid for identification; a statement such as “Passwords are not good for identification” is simply nonsensical.
It is sad that we still have to go over such basic ABCs; we have been talking about ‘identification and authentication’ for many decades, and yet so many people remain indifferent to this essential difference.
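The two questions above, written as two separate operations in an added example (not part of the original article). The user names, trait strings, passwords and the choice of PBKDF2 are assumptions made for illustration, and all data is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed data: a non-secret, copyable trait per user (stand-in for a
# DNA profile). Names and values are made up for this example.
TRAITS = {"alice": "GATTACA-0001", "bob": "CATTAGA-0002"}

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def enroll(secret: str):
    """Store only a salted hash of the remembered secret."""
    salt = os.urandom(16)
    return salt, _kdf(secret, salt)

SECRETS = {"alice": enroll("correct horse"), "bob": enroll("battery staple")}

def identify(sample: str) -> Optional[str]:
    """Identification: 'Who is this person?' No identity is claimed;
    the sample is searched against everyone enrolled."""
    for user, trait in TRAITS.items():
        if trait == sample:
            return user
    return None

def authenticate(claimed: str, secret: str) -> bool:
    """Authentication: 'Is this person the one they claim to be?'
    One claimed identity is checked against something only they know."""
    record = SECRETS.get(claimed)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_kdf(secret, salt), digest)

def authenticate_with_trait(claimed: str, sample: str) -> bool:
    """Misuse: accepting a copyable identifier as proof of the claim."""
    return TRAITS.get(claimed) == sample

# A copy of Alice's trait held by someone else: it still answers "who?"
# correctly, and for that very reason it proves nothing about the holder.
copied_sample = TRAITS["alice"]
```

`identify(copied_sample)` returns `"alice"` no matter who presents the copy, and `authenticate_with_trait("alice", copied_sample)` passes for any holder of that copy, while `authenticate` succeeds only when the claimed identity and the secret match.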
Ref: “Leak-resistant Secret Credential”
For Achieving Solid Digital Identity on Information Security Buzz (Mar/2021)