Data breaches, compliance mandates, and identity theft have made it increasingly difficult for organizations and individuals to establish trust online. Yet, for those very same reasons, it’s more important than ever.
From the baseline identification of a customer or user to the recurring authentication process of ensuring that the person logging into or using your online services is the person you think they are, there has never been a more urgent need to get it right. Identification, verification, and authentication each play a role in your ability to keep your online channels free from fraud, maintain compliance with KYC/AML and other identity-related regulations, and deliver a positive customer experience.
In this blog, we’ll clarify the differences between identification versus verification versus authentication and explain what each means in the context of online identities and cybersecurity.
What is Identification?
Identification is simply the process of someone claiming to be a specific person. They can identify themselves on the phone as “Robert,” flash a library card with a name on it or have an email address with their name before the @ symbol.
In the context of online transactions, users “identify” themselves by providing a name, email address or phone number on a webform, for example. Or, when they purchase a new pair of shoes online, by entering a credit card number and billing address. If using a process of identification alone, as long as a person has the card holder’s information associated with a credit card or other form of identification, they are pretty much accepted as is.
A business that uses identification alone is essentially acknowledging that they have no reason to doubt the person is who they claim to be despite having not independently verified the information as truthful. It’s like asking, “Who are you?” and taking the answer at face value. For low-stakes transactions, like getting into a sporting event or checking out a book, having someone declare their identity without actually verifying it may suffice.
For most online transactions, however, identification alone is rarely adequate. It’s like having a username without a password.
So how do we know that the person who’s on the computer interfacing with us is who they say they are? That’s where verification comes in.
What is Verification?
Verification doesn’t just ask, “Who are you?” It takes the next step and asks, “Are you really who you say you are?” and provides a high degree of confidence that the answer is accurate.
Establishing a trustworthy link between who someone claims to be and who they really are requires an identity verification process to be embedded into the onboarding or account opening process.
That verification process usually starts with the verification of a government-issued ID document. Through the use of document experts, advanced technologies, automated data extraction and machine learning, can we confirm that the documentation is authentic and valid? Is there any sign of tampering?
Verifying someone’s identity to a high degree of certainty takes effort. At a time when service providers want to provide a “frictionless” onboarding process, some may cut corners and require a low barrier to entry. Typical social media accounts, for example, only ask new users to provide a name, email address, username and password. A phone number may be thrown in as an identifier for good measure.
If a business does have more stringent standards, they may rely on traditional methods of verifying an identity, for example through credit bureau searches or knowledge-based verification. The problem is that, due to the prevalence of private information available on the dark web, that type of information has become less reliable. Organizations that depend on it run the risk of not really knowing whether they’re dealing with a real person or a fraudster.
Apply for an online bank account, though, and you may be expected to provide a social security number, photo ID or passport, and proof of your current address. The stakes associated with a bank account are much greater than those with a TikTok account, therefore the verification requirements are more stringent. In fact, in the financial sector alone, there are numerous regulatory acts to prevent fraudsters from setting up false bank accounts, laundering money, and other unseemly criminal activities. The compliance mandates associated with these regulations are not satisfied by traditional verification methods, which is why businesses are beginning to make a shift to pairing a customer’s identity information with one of their biometric markers at the point of onboarding.
Gartner refers to this as Identity Proofing and Corroboration, which is a process of taking something that validates someone’s identity (e.g., passport) and binding it with one of their biometrics (e.g., facial scan, iris scan, fingerprint). Only by combining those two things can you be confident that you know who you are dealing with in the future.
This identity proofing starts with the acquisition step.
The Future of Identity Proofing
- Identification: I claim to be someone.
- Verification: You verify that I am that person by validating my official ID documents. You pair my valid ID with one of my biometrics.
- Authentication: I access your platform and you compare my current, live identity to the biometrics of me you already have on file.
What is Authentication?
Verification is usually performed just once, but once verified, a person’s identity must be authenticated each time they access a system or resource through a method of access control.
For instance, if you actually know someone, you can “authenticate” them simply by looking at them. However, since the vast majority of transactions occur online or with people we don’t know, organizations put systems in place to re-establish that the person is who they say they are and not an impostor.
The user is asked to re-validate that they are the same person who registered for the service. In low-stakes services, authenticating may be as simple as having the user provide the password that is associated with a specific username, or entering in other specific login credentials.
In traditional digital authentication, a person has in their possession certain pieces of information, or authenticators, one or more of which have already been registered with the service provider at the initial point of signup or identity verification. A basic version of this you’ve probably come across is two-factor authentication for an email account.
There are three types of authenticators most systems rely on:
- Something the customer knows (e.g., security question, password)
- Something the customer has (e.g., ID badge, a cryptographic key, driver’s license)
- Something the customer is (e.g., facial recognition, biometric data)
The strength of authentication systems is largely determined by the number and quality of factors incorporated — the higher the level and more factors employed, the more robust the authentication system. Each time you log in to a social media account, for example, you need only provide a username and password (i.e., something you know). When you stop at your local bank, however, you’re asked to show a form of identification (i.e., something you have).
Unfortunately, since data breaches have made much of this private data readily available, the first two types of authentication – what you know or have – can no longer be counted on to be valid.
The most secure systems require proof of something you are through multi-factor authentication methods. In these scenarios, the service provider already verified your claimed identity upon signup and paired it with a biometric; they now compare that data to proof you provide in the moment, such as a hand scan (if onsite) or a high-resolution selfie (if remote).
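The three steps described above can be sketched in code. This is an added illustration, not Jumio's code or API: the class, method names, similarity threshold and toy feature vectors are all assumptions, and the check that the selfie matches the ID portrait before binding is an assumed detail of how the pairing is done.

```python
import math

MATCH_THRESHOLD = 0.90  # assumed similarity cutoff for this sketch

def similarity(a, b):
    """Cosine similarity between two biometric feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

class IdentityService:
    def __init__(self):
        self.claims = {}     # identification: unverified claims
        self.templates = {}  # verification: biometric bound to a verified ID

    def identify(self, user, claimed_name):
        self.claims[user] = claimed_name  # taken at face value, nothing checked

    def verify(self, user, document, selfie):
        """One-time: check the ID, then bind the holder's biometric to it."""
        if not document["authentic"] or document["name"] != self.claims.get(user):
            return False
        # Assumption: the selfie must match the portrait on the ID before binding.
        if similarity(document["portrait"], selfie) < MATCH_THRESHOLD:
            return False
        self.templates[user] = selfie
        return True

    def authenticate(self, user, live_sample):
        """Every access: compare the live sample to the template on file."""
        template = self.templates.get(user)
        return template is not None and similarity(template, live_sample) >= MATCH_THRESHOLD

def demo():
    # Constructed sample data: toy 3-value "face vectors", not real biometrics.
    robert, stranger = [0.90, 0.10, 0.40], [0.10, 0.90, 0.30]
    id_card = {"name": "Robert", "authentic": True, "portrait": robert}
    svc = IdentityService()
    svc.identify("robert@example.com", "Robert")
    return {
        "claim_only_login": svc.authenticate("robert@example.com", robert),
        "stolen_id_enrol": svc.verify("robert@example.com", id_card, stranger),
        "genuine_enrol": svc.verify("robert@example.com", id_card, robert),
        "returning_user": svc.authenticate("robert@example.com", [0.88, 0.12, 0.41]),
        "impostor_login": svc.authenticate("robert@example.com", stranger),
    }

if __name__ == "__main__":
    print(demo())
```

A claim alone never grants access, and a valid ID presented by someone whose face does not match it is not enrolled; only the bound biometric lets the returning user in.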
The Main Difference Between Identification & Authentication
To reiterate, identification is essentially the process of claiming an identity. On the internet, this would amount to identifying that a user exists without authenticating that they are indeed that person.
Verification establishes a trustworthy link between who someone claims to be and who they really are.
Verification is usually performed just once, but once verified, a person’s identity must be authenticated each time they access a system or resource.
Authentication puts a process or processes in place for a user to prove that they are still that person.
Verification Vs. Authentication: A Shifting Paradigm
Identity theft, breaches, and social scams are pervasive, so identity verification and authentication are paramount to assuring the authenticity of digital identities across public and private sectors.
Gartner predicts that in the next couple of years, 50 percent of the market will move toward binding identity documentation and biometrics as a part of both onboarding and authentication.
Here at Jumio, we’re at the forefront of that movement. We work with some of the largest enterprises out there, helping them meet their compliance requirements, keeping their customers’ identities safe, and securing their business transactions.
We’d be pleased to tell you more about how we can help your business do the same. Contact us at any time.