Data breaches, compliance mandates, and identity theft have made it increasingly difficult for organizations and individuals to establish trust online. Yet, for those very same reasons, it’s more important than ever.
From the baseline identification of a customer or user to the recurring authentication process of ensuring that the person logging into or using your online services is the person you think they are, there has never been a more urgent need to get it right. Identification, verification, authentication and authorization each play a role in your ability to keep your online channels free from fraud, maintain compliance with KYC/AML and other identity-related regulations, and deliver a positive customer experience.
In this blog, we’ll clarify the differences between identification vs. authentication and the related concepts and explain what each means in the context of online identities and cybersecurity.
What is Identification?
Identification is simply the process of someone claiming to be a specific person. They can identify themselves on the phone as “Robert,” flash a library card with a name on it, swipe a smart card, or have an email address with their name before the @ symbol.
In the context of online transactions, users “identify” themselves by providing a name, email address or phone number on a webform, for example. Or, when they purchase a new pair of shoes online, by entering a credit card number and billing address. If using a process of identification alone, as long as a person has the card holder’s information associated with a credit card or other form of identification, they are pretty much accepted as is.
A business that uses identification alone is essentially acknowledging that they have no reason to doubt the person is who they claim to be despite having not independently verified the information as truthful. It’s like asking, “Who are you?” and taking the answer at face value. For low-stakes transactions, like getting into a sporting event or checking out a book, having someone declare their identity without actually verifying it may suffice.
For most online transactions, however, identification alone is rarely adequate. It’s like having a username without a password.
So how do we know that the person who’s on the computer interfacing with us is who they say they are? That’s where verification comes in.
What is Verification?
Verification doesn’t just ask, “Who are you?” It takes the next step and asks, “Are you really who you say you are?” and provides a high degree of confidence that the answer is accurate.
Establishing a trustworthy link between who someone claims to be and who they really are requires an identity verification process to be embedded into the onboarding or account opening process.
That verification process usually starts with verifying a government-issued ID document: using document experts, advanced technologies, automated data extraction and machine learning, can we confirm that the document is authentic and valid, and that it shows no sign of tampering?
Verifying someone’s identity to a high degree of certainty takes effort. At a time when service providers want to provide a “frictionless” onboarding process, some may cut corners and require a low barrier to entry. Typical social media accounts, for example, only ask new users to provide a name, email address, username and password. A phone number may be thrown in as an identifier for good measure.
If a business does have more stringent standards, they may rely on traditional methods of verifying an identity, for example through credit bureau searches or knowledge-based verification. The problem is that, with so much private information available on the dark web, that type of information has become less reliable: an organization that relies on it cannot really know whether it is dealing with a real person or a fraudster.
Apply for an online bank account, though, and you may be expected to provide a social security number, photo ID or passport, and proof of your current address. The stakes associated with a bank account are much greater than those with a TikTok account, therefore the verification requirements are more stringent. In fact, in the financial sector alone, there are numerous regulatory acts to prevent fraudsters from setting up false bank accounts, laundering money, and other unseemly criminal activities. The compliance mandates associated with these regulations are not satisfied by traditional verification methods, which is why businesses are beginning to make a shift to pairing a customer’s identity information with one of their biometric markers at the point of onboarding.
This process is also known as identity proofing and corroboration: taking something that validates someone’s identity (e.g., a passport) and binding it with one of their biometrics (e.g., facial scan, iris scan, fingerprint). Only by combining those two things can you be confident that you know who you are dealing with in the future.
The Future of Identity Proofing
- Identification: I claim to be someone.
- Verification: You verify that I am that person by validating my official ID documents. You pair my valid ID with one of my biometrics.
- Authentication: I access your platform and you compare my current, live identity to the biometrics of me you already have on file.
- Authorization: You grant me access to the resources or services.
What is Authentication?
Verification is usually performed just once, but once verified, a person’s identity must be authenticated each time they access a system or resource through a method of access control.
For instance, if you actually know someone, you can “authenticate” them simply by looking at them. However, since the vast majority of transactions occur online or with people we don’t know, organizations put systems in place to re-establish that the person is who they say they are and not an impostor.
The user is asked to re-validate that they are the same person who registered for the service. In low-stakes services, authenticating may be as simple as having the user provide the password that is associated with a specific username, or entering in other specific login credentials.
Traditional digital authentication relies on knowledge-based authentication. This is where a person has in their possession certain pieces of information, or authenticators. One or more of these authenticators may have already been registered with the service provider at the initial point of signup or identity verification. A basic version of this you’ve probably come across is two-factor authentication for an email account.
There are three types of authenticators most systems rely on:
- Something the customer knows (e.g., security question, password)
- Something the customer has (e.g., ID badge, a cryptographic key, driver’s license)
- Something the customer is (e.g., facial recognition, biometric data)
The strength of authentication systems is largely determined by the number and quality of factors incorporated — the higher the level and more factors employed, the more robust the authentication system. Each time you log in to a social media account, for example, you need only provide a username and password (i.e., something you know). When you stop at your local bank, however, you’re asked to show a form of identification (i.e., something you have).
Unfortunately, since data breaches have made much of this private data readily available, the first two types of authentication – what you know or have – can no longer be counted on to be valid.
The most secure systems require proof of something you are through multi-factor authentication methods. In these scenarios, the service provider already verified your claimed identity upon signup and paired it with a biometric; they now compare that data to proof you provide in the moment, such as a hand scan (if onsite) or a high-resolution selfie (if remote).
What is Authorization?
Authorization determines what resources and services the user can access once their identity has been confirmed. Essentially, authorization determines which users can access what, and when they can access it. Businesses conduct authorization through a variety of means, such as passwords, biometric factors like fingerprints or facial recognition, or physical tokens like smart cards or USB keys.
At its core, authorization is based on user permissions. These permissions can range from simple read-only access to full administrative control, depending on the level of access required.
About Repudiation
Repudiation refers to the ability to deny having performed a specific action or transaction. Non-repudiation, the assurance that such a denial will not hold up, is an essential feature in situations where accountability and traceability are critical, such as financial transactions, legal agreements and regulatory compliance.
There are various mechanisms for implementing non-repudiation, including digital signatures, audit trails and non-repudiation protocols. These mechanisms help ensure that actions or transactions cannot be denied or repudiated by the parties involved, which can be especially important in situations where disputes or legal proceedings may arise.
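The audit-trail mechanism mentioned above can be made tamper-evident by hash-chaining each entry to the one before it. The following is an added illustration written for this page, not Jumio’s code: the entry layout, the function names and the sample transactions are all constructed for the example. Note what it does and does not give you: a verifier can detect any edit or deletion inside the chain, but a plain hash chain is computed by the logging system, not by the actor, so it proves integrity rather than full non-repudiation. For that, each entry (or at least the latest chain hash) must also be signed with the acting party’s own private key, which this example leaves out.

```python
import copy
import hashlib
import json
from typing import Dict, List

# Hash that the first entry links back to (constructed convention for this example).
GENESIS = "0" * 64


def _canonical(body: Dict) -> bytes:
    """Serialize deterministically so the same entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: List[Dict], actor: str, action: str, details: Dict) -> Dict:
    """Append an audit entry whose hash covers its content and the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "actor": actor,
        "action": action,
        "details": details,
        "prev_hash": prev_hash,
    }
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact.

    An entry fails if its sequence number is out of order, if it does not link to
    the hash of its predecessor, or if its stored hash no longer matches its content.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return i
        prev_hash = entry["hash"]
    return -1


def build_sample_chain() -> List[Dict]:
    """Constructed sample log: two transfers and one audit read."""
    chain: List[Dict] = []
    append_entry(chain, "alice", "account:transfer", {"from": "ACC-1", "to": "ACC-2", "amount": 250})
    append_entry(chain, "bob", "audit:read", {"report": "daily"})
    append_entry(chain, "alice", "account:transfer", {"from": "ACC-1", "to": "ACC-3", "amount": 90})
    return chain


def tamper(chain: List[Dict], index: int, new_details: Dict) -> List[Dict]:
    """Simulate someone rewriting one entry after the fact (without recomputing hashes)."""
    forged = copy.deepcopy(chain)
    forged[index]["details"] = new_details
    return forged


def delete_entry(chain: List[Dict], index: int) -> List[Dict]:
    """Simulate someone removing an entry from the middle of the log."""
    shortened = copy.deepcopy(chain)
    del shortened[index]
    return shortened


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact chain      ->", verify_chain(log))
    print("edited amount     ->", verify_chain(tamper(log, 0, {"from": "ACC-1", "to": "ACC-2", "amount": 25})))
    print("deleted entry     ->", verify_chain(delete_entry(log, 1)))
    print("truncated at tail ->", verify_chain(log[:2]))
```

One caveat the last line of the usage demonstrates: dropping entries from the end of the chain is not detected, because nothing after them links back. Production audit trails therefore anchor the latest hash somewhere the writer cannot change (a separate system, a signed timestamp, or a counterparty’s copy).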
The Main Difference Between Identification & Verification
To reiterate, identification is essentially the process of claiming an identity. On the internet, this would amount to identifying that a user exists without verifying that they are indeed that person.
Verification establishes a trustworthy link between who someone claims to be and who they really are. Verification is usually performed just once, but once verified, a person’s identity must be authenticated each time they access a system or resource.
The Main Difference Between Authentication and Authorization
Authentication puts a process or processes in place for a user to prove that they are still the person you verified.
Authorization, on the other hand, is the process of granting or denying access to a resource or system based on a user’s authenticated identity. In simpler terms, it answers the question, “What can this authenticated user do or access?” While authentication confirms a user’s identity, authorization determines what actions they are allowed to take or what resources they can access based on their identity. For example, in the real world when entering a nightclub, the bouncer at the door checks your ID card to authenticate that you are of legal drinking age. Once your age is verified, the bouncer then determines whether you are authorized to enter based on the club’s dress code, behavior policies or capacity limits. In the digital world, authorization is often handled through access control lists (ACLs) or role-based access control (RBAC) systems.
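To make the distinction concrete, here is an added example (written for this page, not Jumio’s or any product’s code) that covers both the authenticator types listed earlier and the authentication-versus-authorization split described here. Authentication combines two factors: something the user knows (a password, stored as a salted PBKDF2 hash) and something the user has (a time-based one-time code per RFC 6238, the kind an authenticator app produces). Authorization is then a separate question answered by a small role-based access control (RBAC) policy. The user directory, role names, actions and secrets are all constructed for the example; the TOTP secret is the published RFC 6238 test-vector secret, so the expected codes are known.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Set


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Fresh salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """'Something you know': constant-time comparison against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """'Something you have': RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user directory (in practice this is the identity store populated at onboarding).
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real credential
_alice_salt, _alice_digest = hash_password("correct horse battery staple")
_bob_salt, _bob_digest = hash_password("bob-example-password")
USERS: Dict[str, Dict] = {
    "alice": {"salt": _alice_salt, "digest": _alice_digest, "totp_secret": TOTP_SECRET, "roles": {"teller"}},
    "bob": {"salt": _bob_salt, "digest": _bob_digest, "totp_secret": TOTP_SECRET, "roles": {"auditor"}},
}

# Constructed RBAC policy: role -> set of permitted actions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"account:read", "account:transfer"},
    "auditor": {"account:read", "audit:read"},
    "admin": {"account:read", "account:transfer", "audit:read", "user:manage"},
}


def authenticate(username: str, password: str, otp: str, now: Optional[int] = None) -> bool:
    """Authentication: does the caller prove they are the registered user?

    Both factors are always evaluated and the result is a single yes/no, so a
    caller cannot learn which factor failed (or whether the username exists).
    """
    record = USERS.get(username, {"salt": b"\x00" * 16, "digest": b"\x00" * 32, "totp_secret": b"\x00" * 20})
    now = int(time.time()) if now is None else now
    knows = verify_password(password, record["salt"], record["digest"])
    has = hmac.compare_digest(otp, totp(record["totp_secret"], now))
    return knows and has and username in USERS


def authorize(username: str, action: str) -> bool:
    """Authorization: may this (already authenticated) user perform the action?"""
    roles = USERS.get(username, {}).get("roles", set())
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def handle_request(username: str, password: str, otp: str, action: str, now: Optional[int] = None) -> str:
    """The two questions asked in order: who are you, then what may you do."""
    if not authenticate(username, password, otp, now):
        return "401 unauthenticated"
    if not authorize(username, action):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    # Time 59 is the first RFC 6238 test point; the matching 6-digit code is 287082.
    print(handle_request("alice", "correct horse battery staple", "287082", "account:transfer", now=59))
    print(handle_request("alice", "correct horse battery staple", "287082", "audit:read", now=59))
    print(handle_request("alice", "wrong password", "287082", "account:read", now=59))
```

The point of `handle_request` is the ordering and the separate outcomes: a failed password or code is an authentication failure (the identity was never established), while a teller asking for an audit report is an authorization failure (identity established, action not permitted). A real deployment would also accept codes from the adjacent 30-second windows to tolerate clock drift, rate-limit attempts, and log both kinds of failure separately, since they indicate different things to a defender.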
A Shifting Paradigm
Identity theft, breaches, and social scams are pervasive. In today’s environment, identity verification and authentication are paramount to assuring the authenticity of digital identities across public and private sectors. That’s why the market has been rapidly moving toward binding identity documentation and biometrics as a part of both onboarding and authentication.
Here at Jumio, we’re at the forefront of that movement. We work with some of the largest enterprises out there, helping them meet their compliance requirements, keeping their customers’ identities safe, and securing their business transactions.
We’d love to tell you more about how we can help your business do the same. Contact us at any time.
Updated December 12, 2023