Authenticating users and authorizing access
This topic is part of the ConstructivistGlossary for this wiki. Recall that the description of the term discussed here is contextual.
Security software has long combined two distinct acts, authenticating users and authorizing access to resources, in a single 'black box'. This fundamental design error has produced a whole host of problems for decades, ranging from students struggling to learn how authentication and authorization systems on the web should be handled, through to the dizzying array of electronic accounts most of us are now burdened with in the course of our everyday lives.
We easily distinguish between authentication and authorization in an embodied context. For example, the fact that the guard at the gate of a secured facility accepts my credentials as valid (authenticates me) does not mean that those credentials gain me access to (authorize me for) all parts of the same facility, let alone all of the assets of the organization.
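The gate-guard distinction above, written out in code. This is an added example for this glossary entry, not code from the wiki or from any particular product: the user store, the salted password hashes, the access-control list and the resource names ("lobby", "lab", "vault") are constructed sample data, and the function names authenticate, authorize and request_access are the example's own. The point it shows is that authentication yields only an identity, and authorization is a separate decision that consults a different table; a caller who passes the first step can still be refused at the second.

```python
"""Authentication and authorization kept as two separate steps.

Added example; not from the wiki page. USERS, ACL and the resource
names are constructed sample data for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """The result of authentication: who the caller is, nothing more."""
    username: str


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a sample value for the demo
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password: str) -> dict:
    """Create a stored credential record (constructed helper for the demo)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


# Constructed user store: the guard's list of credentials that are valid.
USERS = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("hunter2"),
}

# Constructed access-control list: which principals may do what, where.
# Authentication never reads this table; authorization never reads USERS.
ACL = {
    ("lobby", "enter"): {"alice", "bob"},
    ("lab", "enter"): {"alice"},
    ("vault", "enter"): set(),
}


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Verify credentials. Returns a Principal or None; says nothing about access."""
    record = USERS.get(username)
    if record is None:
        # Run the derivation anyway so an unknown username costs the same
        # time as a known one and cannot be distinguished by timing.
        _derive(password, b"\x00" * 16)
        return None
    candidate = _derive(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        return Principal(username)
    return None


def authorize(principal: Optional[Principal], resource: str, action: str) -> bool:
    """Decide whether an already-authenticated principal may perform action on resource."""
    if principal is None:
        return False
    allowed = ACL.get((resource, action), set())
    return principal.username in allowed


def request_access(username: str, password: str, resource: str, action: str) -> str:
    """Gate check: authenticate first, then authorize, and report which step refused."""
    principal = authenticate(username, password)
    if principal is None:
        return "denied: not authenticated"
    if not authorize(principal, resource, action):
        return f"denied: {principal.username} not authorized for {action} on {resource}"
    return f"granted: {principal.username} may {action} {resource}"


if __name__ == "__main__":
    # Valid credentials, permitted resource
    print(request_access("bob", "hunter2", "lobby", "enter"))
    # Valid credentials, resource bob is not on the list for
    print(request_access("bob", "hunter2", "lab", "enter"))
    # Wrong password: refused before any authorization question is asked
    print(request_access("bob", "wrong", "lobby", "enter"))
```

The two refusals are reported differently on purpose: a failed authentication says nothing about which resources exist, while a failed authorization names the decision that was made for a known identity. Keeping the two functions independent also means each can be replaced on its own, for example swapping the password check for an external identity provider without touching the access-control list.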
With the evolving role of the web in our lives, the need for a rich set of digital identity schemes which reflect the same clean separation of concepts has become paramount.
OpenID is an example of such a scheme for web sites.