Definition of AuthN in "Authentication and Authorization"

[deansaxe]

The definition for authN on page 2 of the doc includes, "Authentication is the process of proving that the user with a digital identity who is requesting access is the rightful owner of that identity." I see a two issues with this statement:

• Not all authentication is digital, authN can take place in the physical world
• AuthN does not prove that the entity authenticating is the owner of the digital identity. AuthN proves that someone has the proper credentials to access the account. AAL1 and AAL3 are at different ends of this spectrum of assurance levels guaranteed by the authN event.

[cronical]

I agree with Dean that the definition needs work. Ian also noted such on ref architecture but his comment was misplaced. Adding it here:

• I’d love a more expansive definition of authentication to include something to the tune of “validating that the entity presenting a credential today was the same one presenting it in the past”

My note: [Authentication definition is not here only AuthN / Assertion. The comment is valid and the definition in the main Terminology section is could be improved by it.]