Identification and Authentication Fundamentals

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Professor, Baker & McKenzie Cyberspace Law & Policy Centre, University of N.S.W.

Visiting Fellow, Department of Computer Science, Australian National University

This document was prepared as an introduction to a session on 'Authentication and Identification: New Paradigms', at the Conference on 'State Surveillance after September 11', at U.N.S.W. on 8 September 2003

Version of 22 August 2003

© Xamax Consultancy Pty Ltd, 2003

This document is at

The session will consider new developments in the areas of human identification, and the authentication of human identity.

Identification is such an obvious idea that people take it for granted. But it requires close examination, in order to avoid mistakes. The following is an introduction to the fundamental concepts on which the session will build. The Introduction is accompanied by a set of PowerPoint slides.

The first requirement is that a distinction be made between the real world of people and their behaviour, on the one hand, and the abstract world of records stored in databases, on the other.

An identity exists in the real world, not on disk drives. It is a presentation or role of some underlying entity. An entity may be a pallet full of cartons, or a device such as a mobile phone; but what this session focusses on is entities that are living people.

It is normal for a person to perform many roles, and to have attributes that are associated with some roles, but not with others. For example, when a supervisor may be able to sign sick leave forms for the people he is responsible for, but while acting up in his boss's role he can sign purchase orders as well; and when he's the fire warden for the fourth floor, he can order to the CEO's secretary to get out of the building. Each of those roles is an identity.

In the abstract world of information systems, identities and their attributes are represented by data-items expressed in digital form. Some of the data-items are used to distinguish the identity. That data-item or items is called an identifier, and is typically ther person's commonly-used name, or some kind of organisation-imposed 'username' or code. An identifier is associated with an identity or role, not directly with the underlying entity, i.e. with the person fulfilling that role.

To get to the underlying entity requires a biometric measure of the particular instance of homo sapiens. A useful general term for the means of distinguishing entities from one another is an entifier.

Identifiers need some closer attention. In many circumstances, there are means available to strike through to the underlying entity. But sometimes no such means are available. An identifier that can be linked to the underlying entity only with considerable difficulty is commonly called a pseudonym. If an identifier cannot be linked to an entity at all, then it is usefully called an anonym. And a term that encompasses both pseudonyms and anonyms is nym.

Building on the definitions used in the preceding paragraphs, it is possible to explain identification as the process whereby data is associated with a particular identity. The process is performed by acquiring an identifier.

It's rare to be certain that the identification process has been reliable. If a reasonable level of confidence is needed in the assertion that data is being associated with the right identifier, then the assertion needs to be authenticated. Authentication is a process whereby confidence is established in an assertion of identity. It is performed by cross-checking against one or more authenticators.

Authenticators for identity assertions are of various kinds. They include things that a person knows (such as a password or PIN), things that a person does (such as the act of providing a written signature), and things that a person has (such as an id-card). What the person is (i.e. biometrics) is am authenticator of an entity assertion.


These matters are dealt with in considerably greater detail in a long series of papers indexed here, in particular:

Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994). At

Clarke R. (1999) 'Anonymous, Pseudonymous and Identified Transactions: The Spectrum of Choice ', Proc. IFIP User Identification & Privacy Protection Conference, Stockholm, June 1999, at

Clarke R. (2001) 'Authentication: A Sufficiently Rich Model to Enable e-Business', at

Clarke R. (2003) 'Authentication Re-visited: How Public Key Infrastructure Could Yet Prosper' Proc. 16th Int'l eCommerce Conf., at Bled, Slovenia, 9-11 June 2003m at


Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 22 August 2003

Last Amended: 22 August 2003

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916