Authentication is how an identity is established. This is a prerequisite to controlling a subject’s access to critical resources, the topic of Chapter 8. Authentication answers the questions “Who are you?” and “How do I know I can trust you?”
In the physical world, we answer these questions in a variety of ways. If we leave aside personal recognition of friends and acquaintances, identity is typically established in the physical world by means of a token of some sort. Identity badges and spoken passwords are examples of tokens that are used to identify someone to a stranger. When a person presents an identity badge, we trust the badge only if we trust the entity that issued the badge and believe that the badge is not a forgery.
Identity badges and other trust tokens are more properly called credentials. Credentials in the physical world establish our right to claim a certain set of attributes. In the digital world, they are no different. To lay claim to a set of attributes (e.g., an identity), the subject presents credentials that can be authenticated.
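The two conditions for trusting a badge described above (we trust the issuer, and we believe the badge is not a forgery) carry over directly to digital credentials. The following Python sketch is an added illustration, not code from the book, showing a verifier that accepts a credential only when the issuer is on its trust list, the integrity tag checks out, the credential has not expired, and the presenter is the subject the credential was issued to. The issuer name `example-dmv`, its key, and the attribute names are constructed for the example; a shared HMAC key stands in for the issuer's signing key, which in a real deployment would be a public-key signature the verifier can check without holding any issuer secret.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed trust list: which issuers this verifier trusts, and the key
# material needed to check credentials they issued (hypothetical values).
TRUSTED_ISSUERS = {
    "example-dmv": b"constructed-secret-key-for-example-dmv",
}


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so issuer and verifier authenticate the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(issuer: str, issuer_key: bytes, subject: str,
                     attributes: dict, lifetime_s: int = 3600,
                     now: Optional[float] = None) -> dict:
    """Issuer side: bind a set of attributes to a subject and tag the result."""
    issued_at = int(now if now is not None else time.time())
    payload = {
        "issuer": issuer,
        "subject": subject,
        "attributes": attributes,
        "issued_at": issued_at,
        "expires_at": issued_at + lifetime_s,
    }
    tag = hmac.new(issuer_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def authenticate_credential(credential: dict, trusted_issuers: dict,
                            presenter: str,
                            now: Optional[float] = None) -> Tuple[bool, str]:
    """Verifier side: return (accepted, reason) for a presented credential."""
    payload = credential.get("payload", {})
    tag = credential.get("tag", "")

    # 1. Do we trust the entity that issued the credential?
    key = trusted_issuers.get(payload.get("issuer"))
    if key is None:
        return False, "untrusted issuer"

    # 2. Is the credential a forgery, or has it been altered since issuance?
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "signature mismatch"

    # 3. Is the credential still within its validity window?
    current = now if now is not None else time.time()
    if current >= payload.get("expires_at", 0):
        return False, "expired"

    # 4. Is the person presenting the credential the one it was issued to?
    #    (The digital analogue of comparing the licence photo to the holder.)
    if presenter != payload.get("subject"):
        return False, "presenter is not the credential subject"

    return True, "accepted"


if __name__ == "__main__":
    cred = issue_credential("example-dmv", TRUSTED_ISSUERS["example-dmv"],
                            "alice", {"age_over_21": True})
    print(authenticate_credential(cred, TRUSTED_ISSUERS, "alice"))
    print(authenticate_credential(cred, TRUSTED_ISSUERS, "bob"))
```

The four checks are deliberately ordered from cheapest to most context-dependent: an unknown issuer is rejected before any cryptography runs, and the subject/presenter binding is evaluated last because only an unforged credential makes that comparison meaningful.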
In Chapter 3, we discussed the concept of trust in digital identity. Authentication is dependent on trust. As an example, consider how a person uses the picture on a driver’s license to authenticate the credential; specifically, the authenticator uses the picture to ensure that the person presenting the license and the person who owns the license are one and the same. There is a second ...