Chapter 10. Authentication and Personalization

Authentication means establishing that a user really is who he or she claims to be. Today, it’s typically done by asking the user for a username and a matching password, but other options are becoming more and more common. For example, most web servers support client certificates for authentication. Biometrics, which is the use of unique biological patterns like fingerprints for identification, will likely be another option in the near future. What’s important is that an application should not be concerned with the way a user has been authenticated (since the method may change), but only that he or she has passed the test.

Access control, or authorization, is another security mechanism that’s strongly related to authentication. Different users may be allowed different types of access to the content and services a web site offers. When you have established who the user is through an authentication process, access control mechanisms let you ensure that the user can access only what he or she is allowed to access.

In the end, authentication provides information about who the user is, and that’s what is needed to provide personalized content and services. For some types of personalization, the procedures we might think of as authentication may be overkill. If the background colors and type of news listed on the front page are the extent of the personalization, a simple cookie can be used to track the user instead. But if personalization ...
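The separation described above (the application asks only whether the user passed the test and which roles the container assigned, while a cosmetic preference travels in a plain cookie) is shown in the following servlet filter. It is an added example, not code from the book; the class name, the `/admin/` path, the `admin` role and the `theme` cookie are assumptions, and the filter assumes the container's `<login-config>` in web.xml already performed the authentication.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, mapped in web.xml to the protected part of the site.
// It never sees a password or certificate: the container's <login-config>
// has already authenticated the user by whatever method is configured.
public class AccessControlFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Authentication: the application only asks whether the test was passed.
        // Behind a <security-constraint> this is never null; fail closed anyway.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Access control: role names are declared in the deployment descriptor
        // and mapped to users by the container, not by the application.
        String path = request.getRequestURI();
        if (path.startsWith(request.getContextPath() + "/admin/")
                && !request.isUserInRole("admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Lightweight personalization: a preference cookie carries no identity,
        // so it needs no authentication, but its value is still untrusted input.
        String theme = "default";
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("theme".equals(c.getName()) && c.getValue().matches("[a-z]{1,16}")) {
                    theme = c.getValue();
                }
            }
        }
        request.setAttribute("theme", theme);   // read by the JSP page that renders
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Because the filter only consults `getUserPrincipal()` and `isUserInRole()`, switching the container from form-based login to client certificates requires no change to this code.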