In a recent article Stephen Downes makes some good points about the lack of benefit to the user provided by various schemes of “authentication”, but in doing so he slanders authentication by using its name to refer to something better called Identity Imposition.
Authentication (i.e. verification) is what allows the recipient of an identity claim to confirm that the claim is true. This is often necessary if the identity claim is being used in order to claim a right (such as money out of a bank account), so efficient and effective authentication is certainly desirable.
Perhaps an identification claim could be made in such a way as to include its own authentication, but it doesn’t seem easy to do so in a useful way. For example, I am the author of this self-authenticating identification claim, but this claim doesn’t really have much use.
Stephen also makes some valid points about what constitutes identity. For example, I claim to be Alan Cooper but I am not Alan Cooper. But in fact, if I choose to call myself “Stephen Downes”, then I am also Stephen Downes, so identification by name is of little significance. What is important is identification by attribute. I am the author of the page at this link, and the claim is self-authenticating unless you suspect two people of claiming to be one another.
I am also the owner of various bank accounts to which I can delegate access by providing my bank card and PIN. Although the tokens don’t confirm identity as me, they do confirm identity as an authorized user of my account (absent the occurrence of a crime more serious than mere fraud). Stephen suggests that such tokens just represent an Identity Claim, but if they cannot be obtained without my permission then they do indeed constitute authentication of identity as someone to whom I gave them.
So to the extent that using them constitutes a claim it is one that is essentially self-authenticating.
For remote access (assuming a secure communications link), the userID and password can play a similar role to the physical token (key or card) and PIN. (In both cases the password or PIN provides redundancy but little added security. A better system would be to verify knowledge of the password without requiring its transmission – which can in fact be easily done using the ideas of public key cryptography.)
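One way to verify knowledge of a password without transmitting it, shown here as an added example that is not part of the original post: a Schnorr-style identification exchange in which the client derives a private exponent from the password and the server holds only the matching public value. The group parameters, salt handling and all function names are assumptions made for this sketch.

```python
import hashlib
import secrets

# Assumed, illustrative group: integers modulo the Mersenne prime 2**521 - 1.
# Picked to keep the listing short; a deployment would use a standardised
# prime-order group or elliptic curve instead.
P = 2**521 - 1
G = 3
Q = P - 1  # exponents can be reduced mod P - 1 (Fermat's little theorem)

def private_exponent(user_id: str, password: str, salt: bytes) -> int:
    """Client only: stretch the password into the secret x."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              salt + user_id.encode(), 100_000, dklen=64)
    return int.from_bytes(raw, "big") % Q

def enroll(user_id: str, password: str, salt: bytes) -> int:
    """Client computes y = G^x; the server stores y, never the password."""
    return pow(G, private_exponent(user_id, password, salt), P)

def commit():
    """Client picks a one-time nonce k and sends the commitment G^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def respond(x: int, k: int, challenge: int) -> int:
    """Client answers the server's challenge; x itself is not revealed."""
    return (k + challenge * x) % Q

def verify(y: int, commitment: int, challenge: int, response: int) -> bool:
    """Server checks G^s == commitment * y^c using only public values."""
    return pow(G, response, P) == (commitment * pow(y, challenge, P)) % P

def login(y: int, user_id: str, password: str, salt: bytes) -> bool:
    """One full exchange; only commitment, challenge and response cross the link."""
    x = private_exponent(user_id, password, salt)
    k, commitment = commit()                   # client -> server
    challenge = 1 + secrets.randbelow(2**128)  # server -> client, fresh per login
    response = respond(x, k, challenge)        # client -> server
    return verify(y, commitment, challenge, response)
```

Because the challenge is fresh for every login, a recorded response does not verify against a later challenge. The stored value y still allows offline guessing of weak passwords if the server's records leak, which is why the password is stretched before use.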
The type of “Authentication” that Stephen objects to is that provided by IP or MAC address or processorID, but this is no more authentication than the car license plate to which he (correctly) likens it. These tools do not prove the user’s identity at all, but they are often used as evidence to assert it even without the consent or against the will or interests of the person identified. This is what I call Identity Imposition.