Talk:Authentication

Authentication vs. authorization
It should be noted that the problem of authentication is not equivalent to the problem of authorisation. This article confuses the two!

The article needs to be split into two cross-referenced articles about these two closely related but different topics. The differences are subtle, and someone should write about them.

Strictly speaking, the types of authentication are: It is not really authentication (or at least, not good authentication) if the user is not the only one in possession of a particular credential.
 * Something only the user is
 * Something only the user has
 * Something only the user knows

There is also a fourth, seldom mentioned method of authentication that is often used but almost always in combination with at least one of the other forms:
 * Some place the user is.


 * *(Let me embellish this further). If the person lives in New York but is attempting to make a transaction from a kiosk in Las Vegas, this could raise suspicion that the actor is not who they claim to be.   Furthermore, a time factor may be added: if they last authenticated in New York but 15 minutes later tried to authenticate in Las Vegas, that too might raise suspicion. --68.188.183.91 (talk) 23:40, 15 June 2015 (UTC)

(unsigned request)


 * The requested material has since been added. -- Beland (talk) 19:07, 27 May 2008 (UTC)

Identity vs. message
Consider the following circumscription of authentication in the current version of the article:

"However, more precise usage describes authentication as the process of verifying a person's identity..."

Doesn't this definition describe what one usually means by "identification"? Or put in other words: what is the difference between authentication and identification (if there is at all any)? Does identification correspond to "entity authentication" (as it is called in the Handbook of applied Cryptography)? What is the general difference between "entity authentication" and "message authentication". Unfortunately, I have not yet seen convincing definitions for these notions in the cryptographic literature- does anyone know about a good reference?

(unsigned comment)


 * This language has since been changed. -- Beland (talk) 19:07, 27 May 2008 (UTC)

Authorization without authentication
"Since authorization cannot occur without authentication, the former term is sometimes used to mean the combination of authentication and authorization."

Is this true? Consider baseball tickets. They establish my authorization to be in the park, without any authentication of my identity. Not modifying the article myself, as I'm not sufficiently confident I haven't missed something.

(unsigned comment)


 * When checking your ticket, the stadium staff first need to authenticate that the originator of the ticket was a specific entity. Then they also need to ensure that this entity is authorized to grant tickets.  It is only the message being authenticated, not the identity of the bearer. -- Beland (talk) 19:07, 27 May 2008 (UTC)

How about this then: When I use a network, I may have access to the "guest" network share on the file server (everybody is AUTHORISED to access it regardless of their AUTHENTICATION). However I have to log in (ie AUTHENTICATE myself) to access the "private" network share on the file server. Therefore, there is a level of authorisation that can occur before authentication. Put simply: You are authorised only to access certain network resources because you are NOT AUTHENTICATED! —Preceding unsigned comment added by 202.182.91.94 (talk) 05:41, 12 May 2009 (UTC)
 * You are authenticated as a guest. I.e. you first say that you are a guest, and then the computer authenticates you that you are a guest indeed. Note that this can occur without actually requiring you to specify some identification: the computer might just treat everyone not explicitly providing identification as guests, and then (of course) successfully authenticating them as such. And authorizing them to access the public share only, finally. Note that all this stuff is fine abstract matter, and people often never suppose in the "real" world that they are going through this. 93.74.15.183 (talk) 22:43, 13 March 2013 (UTC)

Expansion request
Authentication is a problem which pre-dates computers. This article, or a companion article, should cover problems and methods in non-electronic authentication. (Think spies, art forgery, criminal investigations, etc.) -- Beland 00:09, 3 October 2005 (UTC)


 * I've added some coverage of such things, but the History section needs filling in. -- Beland (talk) 18:59, 27 May 2008 (UTC)

expansion is requested, alternatively - a separate entry should be created regarding the all important issue of authentication of court records in the U.S., prior to implementation of digital technologies, and afterwards as well.--InproperinLA (talk) 19:23, 30 November 2009 (UTC)

Citation request
The article mentions "Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability." Is this actually the case? A citation of source would be helpful. —Preceding unsigned comment added by 70.168.37.69 (talk) 17:31, 5 September 2007 (UTC)

Authenticity & the Protocols of Zion
I'm a bit surprised that the concept of Authentication is so rarely used in relation to the Protocols of the Elders of Zion: Fraud, fake, hoax, forgery, plagiarism, etc., but not inauthentic. --Ludvikus (talk) 01:42, 16 April 2008 (UTC)
 * That word is currently used in that article, but that article's talk page is probably the best place to discuss such issues, not this one. -- Beland (talk) 19:08, 27 May 2008 (UTC)

Also see & Links
This page is called Authentication and starts out with that basic concept. But the links from this page are mostly to computer security related things. I believe a clean-up is needed for the "Also read" part. Dont know the template to use for that. --wmasterj (talk) 14:42, 14 September 2008 (UTC)

Misunderstanding? or some other Confusion
The text says as follows on two-factor authentication: "When elements representing two factors are required for identification, the term two-factor authentication is applied."

This seems to confuse identification and authentication. Identification is, as I understand it, the statement 'I am XYZ'. The authentication is the processes of deciding if that is true or not. That requires additional input ... password, fingerprint, urine sample, challenge/response info ... which are the 'factors' that make up the n-factor authentication. Conflating identification and factors seems to lead to misunderstanding.

Alternatively, I am the one who misunderstands, and in that case that passage may need to be made clearer.Athulin (talk) 09:02, 30 July 2010 (UTC)

I agree and have made the update in the article. Captpossum (talk) 15:40, 23 January 2013 (UTC)

Inaccurate discussion
The discussion provided in section "Authentication in Communication" is largely inaccurate. First, without context, authentication as a term has only a very vague meaning, as given in the lead. What is discussed here is entity authentication, which is only one specific aspect of authentication. What is largely missing is the emphasis on the authentication aspect of entity Y over the aliveness aspect ("Y currently wants to communicate"). The terminology presented is also somewhat contradicting to other, longer existing terminology. Specifically, strong authentication refers to a property where the credential cannot be retrieved by an eavesdropper (e.g., password-based schemes). Probably more appropriate (and conforming) terminology would probably be explicit authentication - we need more references here.

But this article really needs to address the other issues of authentication in communications security, such as data origin authentication, transaction authentication and key authentication. Regarding sections 1 and 2, I suggest to rename section 1 to "Authentication in communications security" and section 2 to "Authentication by physical means". Something like that.

Care to comment? Nageh (talk) 12:49, 25 August 2010 (UTC)

---

So Nageh, is the concept of social relationships as they relate to improving authentication in the future (this authentication in communications stuff, best somewhere else in wikipedia? —Preceding unsigned comment added by 98.215.103.214 (talk) 06:59, 20 September 2010 (UTC)


 * There were two problems with your edits. First, you tried to smuggle in a link that has been deleted before as spam by concealing it with a subsequent "fixed bad link" message edit where you merely removed another link. Second, the source you provided is a blog and essay and nowhere near the quality we expect of sources. Nageh (talk) 10:59, 21 September 2010 (UTC)

Software and Online Authentication
I was looking for some information on authentication between client and server over the internet (access tokens, sessions, OpenID, Facebook connect, ???) but instead I got this article which barely even mentions computers, is that aspect of authentication really so minor? I do not understand how this article currently has a C rating in the Computer Security Wikiproject — Preceding unsigned comment added by Norlesh (talk • contribs) 04:19, 28 February 2011 (UTC)


 * Well, perhaps you're looking in the wrong place. This article not titled "Computer Authentication" or "Online Authentication", either, so its lack of computer-specific information is quite understandable. Also, Wikipedia is an encyclopedia, not a catalog, so I recommend you enter some of the terms you mentioned in your comment (above) into the search engine of your choice and have at it. You might also try www.openid.org and www.rsa.com. &mdash; UncleBubba ( T @ C ) 04:47, 28 February 2011 (UTC)

Authentication is not verification of claim made *by* subject
From the article: "'Authentication [...] is the act of establishing [...] that claims made by or about the subject are true'"

&rarr; I suggest to remove underlined text

The act of verifying that a claim is true (whether expressed by a subject or not) is called validation, and this is not authentication. Opposite of authenticity is counterfeit, not "wrong" or "false". Authentication does include verification of attribution, i.e. verify that someone claimed something (whether true or false) or that subject did something (whether good or bad). But this is actually verifying a claim about subject. Authentication could (at some extend) also be about verifying the sincerity of someone (see Authenticity), but again this is same as verifying a claim about subject that he is really thinking that a given claim is true (indep. of whether said claim is true or false) Fuujuhi (talk) 16:40, 13 April 2011 (UTC)

Digital Authentication and other issues
I will provide some paragraphs during the next days. I would appreciate feedback and discussion. ScienceGuard (talk) 16:50, 1 August 2016 (UTC)
 * I think the article needs the section "digital authentication" covering the specific issues of computing and communication. The focus is too much on "products".
 * The paragraph on Strong authentication is giving a purely US American. I suggest to add the European and if possible Asian perspective.
 * The article speaks of 2factor authentication, however misses 1 factor, and multi-factor authentication.

Rework and Improvement of the Content
Following several of the above documented discussion points, I started reworking the article.

Digital Authentication
Following the suggestions concerning authentication in communications security, I added "Digital Authentication". There are several words used but "Digital Authentication" was the one I personally came across most often. It is also used by NIST. This subsection deserves a full article and can only be summarized here. I built on Tuner's introduction into Digital Authentication and summarized the NIST model. The question is: shall we add scenarios like "man-in-the-middle-attack"?

Structure
I started working on the structure, completed the types of authentication, which were limited on 2FA, included strong authentication into that categorization. Multifactor authentication needs some more input.

More work to be done
The text still shows several weaknesses. My suggestion is either to delete sections or to better integrate them into the flow. Any suggestions? ScienceGuard (talk) 11:32, 9 August 2016 (UTC)
 * Information Content: Whereas Digital and Product Authentication make sense and provide a stringent storyline, Information Content does not fit in here. What is it, a use case? Or a different category of Authentication?
 * Authorization: Also Authorization and Access Control appear to be pretty random.
 * Methods: The section "Methods" also appears to be an article on its one which does not really blend into the rest of the article. Can that be rephrased or should it be even deleted or shortened?
 * History: the paragraph on cryptography is not substantiated and appears like a personal opinions or original research and would need a source. Otherwise better delete it. The finger print section makes sense but stands alone. Did the article miss a section "biometric authentication?

Draft:Authentication
A draft has been submitted by an editor who is no longer active that focuses on cryptographic authentication, and appears to contain information that is not in this article. A comparison and possible expansion would be useful. Robert McClenon (talk) 04:45, 9 April 2019 (UTC)


 * I can't find any such draft article. What am I missing? Tom Scavo (talk) 13:21, 9 April 2019 (UTC)
 * User:Trscavo It seems that the author of the draft came back from hibernation and deleted the draft. Thank you for trying.  Robert McClenon (talk) 01:29, 10 April 2019 (UTC)

Overhaul
I'm going to overhaul this article and see if we can get it through WP:GAN. Jehochman Talk 14:10, 5 July 2019 (UTC)

Plagiarism and lack of fact checking
Whilst researching I found that people plagiarising (earlier versions of) this article is rampant in the literature. Unfortunately, the ones that uncritically plagiarized the stuff about "blind credentials" appear to be unreliable sources, because they do not know their own subject enough to have recognized that as simply not an established concept in the field when copying wholesale from Wikipedia. (No, it is not anonymous credentials, blind signatures, or blinding (cryptography).) The tell-tales were this sentence that wrote 4 minutes after writing blind credential and this sentence where it was rewritten in 2008 by  as part of a merger. If a source contains either of these, check that it isn't just a copy of an earlier version of this very article and a bad source that was not fact-checked. Some that I found, all of which copied more than 1 sentence (sometimes entire sections), are: Uncle G (talk) 09:25, 17 September 2019 (UTC)

Definition and introduction
I think the page would benefit greatly from an easier to understand introduction.

The very first sentence mostly consists of a fairly irrelevant parenthesis on ethymology.

The second sentence is rather unclear and mentions identification that is given a peculiar definition and a link to a page that doesn't even mention the word (identification). (In practice the difference is about performance 1-N vs N-N, anyway.) The second half of the second sentence simply restates what the first sentence did about proving an assertion.

So, I think the first two sentences unnecessarily introduce ethymology and a contrast with identification. These may be valuable topics but not for the introduction, as far as I can tell.2A00:1598:C006:0:0:0:0:8D3C (talk) 21:04, 16 December 2019 (UTC)

Proposed merge of Message authentication into Authentication
wide overlap. fgnievinski (talk) 23:15, 22 September 2023 (UTC) fgnievinski (talk) 23:15, 22 September 2023 (UTC)


 * It's some overlap. But are seen as separate problems in IT-security circles. 62.20.62.215 (talk) 07:13, 9 October 2023 (UTC)
 * Closing, given the uncontested objection and no support with stale discussion. Klbrain (talk) 22:18, 2 January 2024 (UTC)