by clusmore 3466 days ago
Here's my take on the authentication vs authorization distinction. Authentication is the verification of identity. Authorization is the verification of permission (authority) to perform an action. The two are often related, but need not be.

For example, most phone manufacturers think that the owner of a phone should always have permission to perform any action on the phone, so as long as they can authenticate the person holding the phone, they can authorize them to do anything. In this case, authentication => authorization.

Contrast this with OAuth, which it seems most people don't understand well. OAuth is a mechanism for authorizing people other than yourself to perform actions on your behalf, e.g. a third party application to post on your Facebook wall. In this case, authorization !=> authentication.

However, sometimes third-party applications don't care about performing actions on your behalf. They work on the assumption that only the owner of the account could authorize an OAuth token to give back to them, so they use other OAuth providers as authentication, e.g. login via Facebook. So in this case, authorization => authentication.

Another example is accessing secret files at a company. A person might be authorized to view the files but only from a secure device. In this case, authentication is required but not sufficient for authorization. In this case, authentication !=> authorization.

In the case of payment via phone, you need authorization. Authentication can be one factor in the authorization process, but clearly it's not sufficient because the authorizing party could be asleep and therefore unaware of the transaction. Phone manufacturers might want to look at risk-based escalation -- requiring more factors for some applications, or as the sum of money increases, or perhaps even based on time of day.
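An added example, not part of the comment above and not any real vendor's code, to make the distinction concrete: `authenticate()` only establishes who is asking and which factors they presented, while `authorize()` takes that identity as one input alongside device posture, amount and time of day. The credential store, the user `alice`, the factor names and the amount and time thresholds are all invented for the example; a real deployment would tune them and would use a salted, slow password hash rather than SHA-256.

```python
"""Authentication vs. authorization with risk-based step-up.

Illustrative policy written for this example; all names, thresholds and
credentials are constructed and not taken from any real product.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # identity is established, but more factors are required


@dataclass(frozen=True)
class Principal:
    """Output of authentication: who, and which factors they have presented."""
    user_id: str
    factors: FrozenSet[str]


@dataclass(frozen=True)
class Context:
    """Facts about the request that are not about identity."""
    device_trusted: bool
    local_time: time


@dataclass(frozen=True)
class Action:
    name: str
    amount: int = 0  # only meaningful for "pay"


@dataclass(frozen=True)
class PolicyResult:
    decision: Decision
    missing_factors: FrozenSet[str] = frozenset()


def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed credential store for the example (plain SHA-256 is NOT a
# suitable password hash; use argon2/bcrypt/scrypt in real code).
_CREDENTIALS = {"alice": _h("correct horse battery staple")}


def make_context(device_trusted: bool, hour: int, minute: int = 0) -> Context:
    """Small helper so callers can build a Context without importing datetime."""
    return Context(device_trusted=device_trusted, local_time=time(hour, minute))


def authenticate(user_id: str, password: str,
                 extra_factors: FrozenSet[str] = frozenset()) -> Optional[Principal]:
    """Authentication only: verify identity, say nothing about permissions."""
    expected = _CREDENTIALS.get(user_id)
    if expected is None or not hmac.compare_digest(expected, _h(password)):
        return None
    return Principal(user_id, frozenset({"password"}) | extra_factors)


def _is_night(t: time) -> bool:
    return t >= time(22, 0) or t < time(6, 0)


def authorize(principal: Optional[Principal], action: Action, ctx: Context) -> PolicyResult:
    """Authorization: identity is a necessary input, but not a sufficient one."""
    if principal is None:
        return PolicyResult(Decision.DENY)  # nobody to authorize

    if action.name == "read_secret_files":
        # Permission depends on device posture. No extra factor can make an
        # untrusted device trusted, so this is a hard deny, not a step-up.
        return PolicyResult(Decision.ALLOW if ctx.device_trusted else Decision.DENY)

    if action.name == "pay":
        # Risk-based escalation: required factors grow with the amount and
        # at night, when the owner may be asleep. Thresholds are example values.
        required = {"password"}
        if action.amount >= 100 or _is_night(ctx.local_time):
            required.add("pin")
        if action.amount >= 1000:
            required.add("fingerprint")
        missing = frozenset(required - principal.factors)
        if missing:
            return PolicyResult(Decision.STEP_UP, missing)
        return PolicyResult(Decision.ALLOW)

    return PolicyResult(Decision.DENY)  # unknown actions are denied by default


if __name__ == "__main__":
    alice = authenticate("alice", "correct horse battery staple")
    print(authorize(alice, Action("read_secret_files"), make_context(False, 14)))
    print(authorize(alice, Action("pay", 500), make_context(True, 14)))
```

The two `DENY` paths are deliberately different from `STEP_UP`: an untrusted device or an unknown action is refused outright, whereas a large or late-night payment by a correctly authenticated user is not refused but sent back with the exact factors still needed, which is what an escalation prompt on the phone would ask for.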