The process of verifying who a user is (proving identity). Distinct from **authorization**. Common methods include passwords, tokens, and OAuth. (Ch. 17, 27)