Authentication and Authorization

While being similar and often combined these are two separate concerns.

Authentication: Binding an identity to a subject.
Authorization: Binding rights to a subject.

Authentication

The authentication process consists of 4 distinct steps:

Receiving authentication data
Extracting unique features
Comparison with reference data
Final Authentication

Most authentication procedures are based around secrets:

What do I know?
Where am I?
What do I have (biometric)?

The authentication can be split into verification, which means comparing the authentication data with the reference data (1:1) and identification were we compare the authentication data against the reference data of all registered people (1:n).

Knowledge based authentication

Uses secret knowledge like a pin or password which is not known to anyone else. This secret needs to be complex enough such that it can't be guessed, and it should be changed frequently.

Example authentication steps:

Typing in your password
Hashing the password
Comparing hash with reference hash
Identical or not identical, that's the question lol

Possession based Authentication

Biometric Authentication

Static: Stuff like a fingerprint or a retina scan, which tend to be more consistently recognizable unless you have sweaty hands for example.

Dynamic: This refers to stuff like your handwriting or typing pattern, which are pretty to recognize consistently, but can be a great addition for multifactor authentication.

Error-Rate

Biometric authenticaiton can be quite unreliable; producing false negatives when trying to unlock with wet hands or false positives when your smartphone grants access to your twin brother via face id. The following 3 metrics are used to compare these kinds of errors between systems:

False Rejection Rate (FRR): \frac{\text{False Negatives}}{\text{Total Authorized Tries}}
False Acceptance Rate(FAR): \frac{\text{False Positives}}{\text{Total Unauthorized Tries}}
Equal Error Rate(EER): If FAR = FRR