This feels similar to [[entity authentication]], but for human actors within a system. Authentication is not the same as [[authorisation]].

Authentication should assure the claimed [[identity]] of an entity; that is, it should be a 1:1 check between the claimed and real identity. This could be anything from a quick check that they look the same as they do on their ID up to biometrics, a [[challenge-response protocol]], or something even spicier. The most common means of authentication is a [[password]].

To perform authentication, the user must be registered with the system. [[NIST]] has a fairly complex model for how this should work:

![[Screenshot 2023-03-13 at 19.12.52.png]]

### Means of authentication

- something a user knows
- something a user has
- something a user is (that is, [[biometrics#Static|static biometrics]])
- something a user does (that is, [[biometrics#Dynamic|dynamic biometrics]])