Are you actually interested in the difference between identification and *authentication*, or did you mean to ask about the difference between identification and *authorization*? All three of these concepts are related, but the former two are more often paired.

Identification is answering the question, “who are you, specifically?” Authorization is answering the question, “what are you allowed to do?” (And authentication is about how someone *proves* the answers to those questions.)

Traditionally, the way you determine authorization is first you determine identification, and then you see what that person is allowed to do. So authorization was treated as secondary. This gets a bit more complicated when some authorizations are *temporary*, e.g. filling in when someone’s sick, or emergency overrides. But mostly authorizations were thought of as something attached to an identity.

However this doesn’t need to be the case! Sometimes it’s possible, and desirable, to know that someone is *authorized* to do something without knowing *who* particularly they are.

As a very simple example, I can make a Google doc and set permissions for who can view it. One possibility is that I give access to people with specific gmail accounts. This is identity-based authorization. Google identifies the person, and they have authorization based on that identity.

But I can also create a link and email it to someone, and when they use that link they can view the document. This does not require identification! Google does not need to actually know which Google account (if any!) the person has–the link itself passes permission to whoever uses it. This is called a “token,” where *possession* of the token grants authorization, irrespective of the identity of the one holding it.