Identity Proofing & Authentication 101
You may have heard of identification, verification, and authentication...but what are some of the important differences between them?
Cybercriminals are constantly finding new ways to attack businesses, and identity fraud is one of their most frequently used methods. They obtain user credentials in several different ways—including data breaches. According to Cyber Security Hub, “more than 4100 publicly disclosed data breaches occurred in 2022, equivalent to 22 billion records being exposed.”
Fraudsters put stolen information and credentials to work by trying to convince businesses that they are legitimate customers, sometimes attempting to take over real customer accounts. Riskified reported that, during the busy 2021 holiday season, 1 in every 140 logins was an account takeover (ATO) attempt. According to SEON, an estimated 22% of Americans have fallen victim to ATOs, with average losses of around $12,000 per case. As an increasing number of accounts allow customers to log in using credentials from their social media accounts, such as Facebook and Google, the Identity Theft Resource Center (ITRC) found in 2022 that “the velocity of social media account takeovers increased by more than 1,000 percent.”
In its 2022 True Cost of Fraud study for retail and ecommerce, LexisNexis reported that every $1 in fraud cost U.S. businesses $3.75. For banks, that figure amounted to $4.36. Between businesses and their customers, according to Javelin Strategy and Research, identity fraud losses totaled $52 billion and affected 42 million U.S. adults in 2021.
The ITRC warns: “We saw identity fraud-related crimes climb, particularly in attacks where cybercriminals impersonate someone to open accounts using stolen personal information to bypass security features.”
In a digital world fraught with scammers and schemes, it’s more important than ever for businesses in all industries to be able to know their customer (KYC); to know, in other words, without a doubt that the person opening an account or returning later to access it is really who they claim to be.
Let’s look at three terms which comprise the two separate processes that are critical to ensuring someone is who they say they are: identification, verification, and authentication. These terms are often used interchangeably, but they are distinctly different.
What is Identification?
According to Merriam-Webster, identification is “a: the act of identifying; the state of being identified, b: evidence of identity.”
In the physical world, when people are face-to-face, identification is relatively simple; recognizing a friend across the room is a no-brainer. Even when people aren’t face-to-face, the evidence of identity can be as low-key as when someone calls and says, “Hi, it’s Sam Jones.” For more formal and secure identification, government-issued documents such as driver’s licenses, identity cards, and passports are typically used. These same documents can also be used for identification in the digital world.
How Identification is Used
In terms of the identity proofing and authentication process, identification occurs first, during verification.
A customer who wants to open an account online is asked for identifying information, such as their name, address, email, or social security number.
For increased security during the account opening process (also called digital onboarding), the customer may also be asked to provide evidence of their identity. As an example, they may be asked to use their mobile phone to scan their driver’s license.
Similar to MFA, the user is prompted to go through another step to offer evidence of their identity, such as taking and sharing a selfie after they have uploaded their driver’s license (read more about this below). Identification and verification are, technically speaking, part of the same process—identity proofing—but are more easily understood when thought of as having these two steps.
What is Verification?
Merriam-Webster says verification is “the act or process of verifying.” It defines verify as “to establish the truth, accuracy, or reality of.”
Once a customer opening an account has submitted the information or documents required to establish their identity, the business uses verification, also known as identity proofing, to ensure the customer is really who they claim to be.
How Verification is Used
At the most basic level, verification checks the proffered proof of identity (the driver’s license, passport, etc. chosen during the identification step) against known information about that customer, such as the selfie they took, as well as any relevant third-party and government databases, to establish that the person both exists and has a history that matches the information they’ve provided.
Verification has become easier and more secure as innovations in the IAM (identity access and management) industry have become more widely adopted; government-issued documents, for example, have become more sophisticated through the incorporation of technology such like near-field communication (NFC). With NFC, a chip embedded in the identity document contains both information on the customer and a signature from the issuing authority that proves the document is genuine. An organization’s identity proofing platform reads the chip and confirms that the details on the document match those contained within the chip.
When a selfie has also been requested from the customer, it is checked for “liveness.” Liveness detection protects against a fraudster trying to pass off a still photo or a video capture as the user’s genuine selfie.
Once verification is complete and the customer is confirmed to be who they say they are, they can establish the credentials they will use to authenticate themselves when they return to access their new account.
What is Authentication?
The Merriam-Webster online dictionary defines authentication as “an act, process, or method of showing something (such as an identity, piece of art, or a financial transaction) to be real, true, or genuine.”
In the digital identity world, it’s the key security step between someone presenting credentials they’ve previously established and being granted access to their account or data.
How Authentication is Used
Authentication is where the tension between needing to secure accounts against identity fraud and providing easy access for customers plays out. What does a customer have to do to authenticate themselves each time they want to access their account?
Authentication may be as simple as confirming that the customer has entered the correct username and password to be granted account access. It’s pretty easy for the customer, but it’s not very secure for them (or the organization).
The customer could also be asked to provide a more sophisticated identity factor, such as a fingerprint, facial scan, or other biometric factor. Biometrics provides an advantage over passwords because these factors are nearly impossible to steal or replicate.
Businesses can also use multi-factor authentication (MFA) to decrease the likelihood of an ATO. A common example of MFA is when a customer enters their identity factor and is also asked to enter a four- or six-digit code that has been sent to their mobile phone. MFA increases security because it’s unlikely for a criminal who may have stolen the customer’s password to also physically possess the customer’s mobile device.
Identification vs. Verification vs. Authentication
While these three terms are interrelated, the two processes they are part of (proofing and authentication) are different in scope, purpose, how often they’re performed, and where they occur in the customer’s identity journey with a business.
Let’s take a closer look.
Authentication | Identification | Verification | |
What is it? | The act of authenticating a customer’s identity based on the established credentials they provide in an attempt to gain access to their account. | The act of a new customer claiming an identity. The first step in the verification process. |
The act of verifying a claimed identity against other known sources to establish that the customer is who they claim to be before allowing them to open an account or to onboard. |
Is the customer already known? |
Yes | No | No |
Is the process performed more than once?
|
Yes | No | Not usually. An exception may be if an existing customer opens an additional account. |
Who initiates the process?
|
The customer | The customer | The business |
What’s the result of the process? | If the customer has entered the correct credentials, access is granted to their account. | The business verifies the customer identity. | Once the business has verified their identity, the customer is allowed to onboard and establish the credentials they will use to authenticate themselves when they return to the account. |
The Power of Three: Identity Continuity
The proof of identity a customer is asked to provide to open an account (identification), how that proof is verified when the customer is onboarded (verification/proofing), and the sophistication of the credentials a customer must enter to gain access to their account during future authentications all determine an organization’s balance between security and UX. This can be a tricky equation: making accounts secure enough to deter fraudsters while also making them convenient for customers to access is a constant challenge for businesses in an increasingly competitive digital landscape.
Daon’s identity continuity platform, IdentityX®, combines the power of identity proofing and authentication to help you define, deploy, and continually optimize a successful, seamless, and simple digital identity solution that fits the unique needs of your organization and its customers. Learn more by contacting us today.