Identification : “who are you?“
Authentication: “we know who you are – prove to us that you are this person”

Identification is claiming that you are someone. Authentication is proving it.

The two are sometimes interchangeable in language, where identification implies authentication, such as supplying a driver’s license or passport. We call that Identification, but a piece of paper with your name written on it provides the same Identification information. The security features of the driver’s license (hologram, bar code, microprint, UV watermark, …) provides the Authentication.

Edit to clarify, as I misspoke – your picture on the driver’s license is actually the Authentication

Authentication takes the form of something you know, something you have, or something you are.

Something you know would be a password, PIN, secret handshake

Something you have would be a token, access card, key

Something you are would be your face, fingerprints, voice pattern

So when you present your driver’s license, your identification is your name, address, and other information on the card. Your picture is the Authentication as whoever is authenticating you would compare the picture on the license to your face.

*Hi, my name is John Doe (Identification) and here is my license with the permission to enter your building (authentication).*

SYL

identification: “who are you” – “I am Hatem96”

authentication: “please prove you are a member of the cool club” – “sure, here’s my clubcard/the secret handshake”.

often they overlap. most of time you want to verify (authenticate) the identity of someone. and most of the time someone proving they’re allowed to do something identifies them.

entering your PIN for your credit card in order to “authenticate” a payment is independent of your “identity”. someone who has your pin is allowed to use the card (well, usually the terms and conditions of the bank say otherwise in theory).

meanwhile if you were forced to show your ID as well in order to pay, you’d need to identify to/and authenticate.

Are you actually interested in the difference between identification and *authentication*, or did you mean to ask about the difference between identification and *authorization*? All three of these concepts are related, but the former two are more often paired.

Identification is answering the question, “who are you, specifically?” Authorization is answering the question, “what are you allowed to do?” (And authentication is about how someone *proves* the answers to those questions.)

Traditionally, the way you determine authorization is first you determine identification, and then you see what that person is allowed to do. So authorization was treated as secondary. This gets a bit more complicated when some authorizations are *temporary*, e.g. filling in when someone’s sick, or emergency overrides. But mostly authorizations were thought of as something attached to an identity.

However this doesn’t need to be the case! Sometimes it’s possible, and desirable, to know that someone is *authorized* to do something without knowing *who* particularly they are.

As a very simple example, I can make a Google doc and set permissions for who can view it. One possibility is that I give access to people with specific gmail accounts. This is identity-based authorization. Google identifies the person, and they have authorization based on that identity.

But I can also create a link and email it to someone, and when they use that link they can view the document. This does not require identification! Google does not need to actually know which Google account (if any!) the person has–the link itself passes permission to whoever uses it. This is called a “token,” where *possession* of the token grants authorization, irrespective of the identity of the one holding it.