Authentication is how an identity is established. This is a prerequisite to controlling a subject's access to critical resources, the topic of Chapter 8. Authentication answers the questions "Who are you?" and "How do I know I can trust you?"
In the physical world, we answer these questions in a variety of ways. If we leave aside personal recognition of friends and acquaintances, identity is typically established in the physical world by means of a token of some sort. Identity badges and spoken passwords are examples of tokens that are used to identify someone to a stranger. When a person presents an identity badge, we trust the badge only if we trust the entity that issued the badge and believe that the badge is not a forgery.
Identity badges and other trust tokens are more properly called credentials. Credentials in the physical world establish our right to claim a certain set of attributes. In the digital world, they are no different. To lay claim to a set of attributes (e.g., an identity), the subject presents credentials that can be authenticated.
In Chapter 3, we discussed the concept of trust in digital identity. Authentication is dependent on trust. As an example, consider how a person uses the picture on a driver's license to authenticate the credential; specifically, the authenticator uses the picture to ensure that the person presenting the license and the person who owns the license are one and the same. There is a second step we perform, however, when we look at a driver's license that we hardly ever think about: we decide whether or not we believe the license was really issued by an authority we trust. In the case of U.S. driver's licenses, that authority is one of the 50 states.
I could create a credential that has all the same information on it as the state-issued driver's license and even include a picture. The clerk at the convenience store could still authenticate that the person pictured is the same as the person presenting the credential, but there's no reason for the clerk to trust that I am telling the truth about the person's name, address, age, or any other attribute.
The same is true of digital credentials. In many cases, we don't have to worry about trust, because the entity authenticating the credentials is the same entity that created them. ID/password systems usually have this property. With other types of credentials, such as digital certificates, the certificate is issued by a different organization. As we've seen, PKIs make up the infrastructure that establishes trust in the world of digital certificates.
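The two checks described above, binding the credential to its presenter and deciding whether the issuer is trusted, carry over directly to digital credentials. The following added example (not from the original text) models them for a signed credential: a verifier holds a trust store of issuer keys, and a self-made credential that is internally consistent is still rejected because its issuer is unknown. Issuer names, keys and the `photo_hash` attribute are constructed for the demonstration; stdlib HMAC stands in for the issuer signature that a real PKI would provide with public-key certificates.

```python
import hashlib
import hmac
import json

# Constructed trust store: issuers the verifier has decided to believe.
# In a PKI these entries would be issuer certificates, not shared secrets.
TRUST_STORE = {
    "state-of-utah-dld": b"constructed-utah-issuing-key",
    "state-of-idaho-itd": b"constructed-idaho-issuing-key",
}


def _canonical(issuer, attributes):
    # Deterministic encoding so issuer and verifier sign/verify identical bytes.
    return json.dumps({"issuer": issuer, "attributes": attributes}, sort_keys=True).encode()


def issue_credential(issuer, issuing_key, attributes):
    # The issuer binds the attributes to its own identity with a signature.
    sig = hmac.new(issuing_key, _canonical(issuer, attributes), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "attributes": attributes, "signature": sig}


def verify_credential(cred, trust_store, presenter_photo_hash):
    """Return (accepted, reason) after the two checks the chapter describes."""
    # Check 1: the "picture" check. Does the presenter match the credential?
    if cred["attributes"].get("photo_hash") != presenter_photo_hash:
        return False, "presenter does not match credential"
    # Check 2: do we believe this credential came from an authority we trust?
    issuing_key = trust_store.get(cred["issuer"])
    if issuing_key is None:
        return False, "untrusted issuer"
    # Only a trusted issuer's key lets us tell a genuine credential from a forgery
    # or an altered one; compare_digest avoids timing leaks on the comparison.
    expected = hmac.new(issuing_key, _canonical(cred["issuer"], cred["attributes"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return False, "signature invalid"
    return True, "accepted"


def demo():
    # Constructed scenario: a state-issued license, the same attributes self-issued
    # by an untrusted party, and a genuine license with an altered attribute.
    attrs = {"name": "Alice Example", "age": 19, "photo_hash": "photo-abc"}
    genuine = issue_credential("state-of-utah-dld", TRUST_STORE["state-of-utah-dld"], attrs)
    self_made = issue_credential("phils-print-shop", b"any-key-i-like", attrs)
    altered = {**genuine, "attributes": {**attrs, "age": 21}}
    return {
        "genuine": verify_credential(genuine, TRUST_STORE, "photo-abc"),
        "wrong_person": verify_credential(genuine, TRUST_STORE, "photo-xyz"),
        "self_made": verify_credential(self_made, TRUST_STORE, "photo-abc"),
        "altered": verify_credential(altered, TRUST_STORE, "photo-abc"),
    }
```

The self-made credential passes the picture check exactly as the convenience-store clerk's check would, and fails only because no trusted authority vouches for it.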
Thought of this way, trust may seem like a binary thing: you trust an entity or you do not. In fact, we know from our real-world experience that trust is typically established by way of introduction and built over time as the relationship deepens. This concept of trust is not used often in authentication systems, but it is important in digital identity. For example, over time, I come to gain trust in the identity represented by the email addresses of people I correspond with frequently.