Identity Verification vs. Authentication
The numerous recent high-profile attacks targeting identity processes, like those by the Lapsus$ group, underscore the need for strong identity security. New research by the Identity Defined Security Alliance found that 90% of organizations had an identity-related incident in the past year, with two-thirds of those suffering direct business impact as a result. Identity verification and identity authentication are both essential elements of a comprehensive identity security strategy. While they sound similar, they serve very different, but interconnected, purposes.
With the increased attacks on identity systems, it’s critical to understand identity verification vs. authentication to determine where your organization may be vulnerable and to put effective measures in place to address these weaknesses. In the most basic terms:
- Identity verification, also referred to as identity proofing, is the process of confirming if someone is who they say they are.
- Authentication is the process of making sure that the person trying to log in is the same person whose identity was confirmed before.
Here, we take a closer look at identity verification vs. authentication, what each of the terms means, how they work, and what role they play in a broader identity security strategy.
What is Identity Verification?
Verification connects an individual with an identity, validating that someone is who they claim to be. It proves that the personal information being used to establish identity is legitimate and isn’t forged or stolen. While this may involve manual checks, technological advances in secure data capture and processing have enabled fully digital identity verification methods. Examples include digitally verifying government-issued IDs, matching PII against official databases or even taking a selfie.
Identity verification is frequently used to validate customer identity, especially relating to financial processes, such as opening a bank account. It’s an important part of Know Your Customer (KYC) standards and other guidance and regulations aimed at stopping fraud, corruption, money laundering and other criminal activities. Increasingly, identity verification is being used for Know Your Employee (KYE) purposes, particularly for managing employee onboarding and access control.
Common Methods of Identity Verification
There are various ways to verify identity. The methods an organization uses will depend on the level of identity assurance they require and what works with their business processes. Typically you will use multiple methods together. Methods include:
- Document verification — This is typically a government-issued ID such as a driver’s license or passport. This could be a photo or scan of a physical ID or a digital ID such as a mobile driver’s license.
- Biometric verification — This usually involves using a mobile phone to take a selfie, with the selfie then compared against an official ID to ensure a match.
- Database verification — User-supplied information is compared against official databases, such as those managed by the DMV and IRS.
Some identity verification solutions include options for additional levels of assurance such as video verification through a live video feed or attestation from a manager.
What is Authentication?
Authentication is the process by which a user proves that they are the holder of the verified identity. For example, to access an online bank account you may be asked to enter a username and password, plus answer security questions or click on a link sent by email or SMS.
Common Methods of Authentication
Online authentication relies on the user presenting one or more factors from the following three categories:
- Knowledge — This is something you know such as a password, PIN or security question. It’s the least secure authentication factor, as it can be guessed, cracked or obtained by malicious actors through phishing, social engineering and other attack methods.
- Possession — This relates to something you have, such as a device or security key. It offers a stronger level of authentication since an attacker would need to steal or intercept the item in question. Some possession factors, such as an SMS OTP, have proven very easy to bypass.
- Inherence: This is something you are, such as your fingerprint or facial characteristics. Typically this is the most secure factor, but that depends heavily on how authentication is implemented.
Multi-factor authentication requires two or more factors from different categories. While most multi-factor authentication solutions use a multi-step process, there are some that combine factors into a single action. FIDO-based passwordless authentication uses biometrics (inherence) to unlock a device-stored cryptographic key (possession) for login.
Providing the necessary authentication factors is just the user-facing part of authentication. The factors must still be verified. The backend methods used for verification affect the level of security in authentication as much as the factors used. For instance, if biometric factors are verified by comparing them to ones stored in a central database, then they can be intercepted or stolen just like a password. Look for solutions that verify authentication through robust public-key cryptographic exchange protocols.
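The sketch below is an added example, not HYPR's code and not the FIDO/WebAuthn wire format: a simplified model of a public-key challenge-response login in which the server stores only a public key. The origin, the user name and all function names are assumptions made for illustration.

```javascript
// Added example: the server keeps a public key per user, never a shared secret.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const ORIGIN = 'https://login.example.test';   // assumed relying-party origin
const publicKeys = new Map();                  // user -> public key (all the server stores)
const pending = new Map();                     // user -> outstanding single-use challenge

// Device side: the private key is generated on the device and never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const assertFor = (challenge, origin) => ({
    origin,                                    // the origin the device actually sees
    signature: sign('sha256', Buffer.concat([challenge, Buffer.from(origin)]), privateKey),
  });
  return { publicKey, assertFor };
}

function register(user, publicKey) { publicKeys.set(user, publicKey); }

function beginLogin(user) {
  const challenge = randomBytes(32);           // fresh random value for every attempt
  pending.set(user, challenge);
  return challenge;
}

// Server side: check the signature over (challenge || origin) with the stored public key.
function finishLogin(user, assertion) {
  const challenge = pending.get(user);
  pending.delete(user);                        // single use: a replay finds no challenge
  const key = publicKeys.get(user);
  if (!challenge || !key) return false;
  if (assertion.origin !== ORIGIN) return false;   // signed for a different site
  const signed = Buffer.concat([challenge, Buffer.from(assertion.origin)]);
  return verify('sha256', signed, key, assertion.signature);
}

function demo() {
  const device = createAuthenticator();
  register('alice', device.publicKey);
  const first = device.assertFor(beginLogin('alice'), ORIGIN);
  const ok = finishLogin('alice', first);
  const replay = finishLogin('alice', first);  // same assertion, challenge already consumed
  beginLogin('alice');
  const stale = finishLogin('alice', first);   // old signature against a new challenge
  const lookalike = device.assertFor(beginLogin('alice'), 'https://login.example-test.invalid');
  const wrongOrigin = finishLogin('alice', lookalike);
  const otherKey = finishLogin('alice', createAuthenticator().assertFor(beginLogin('alice'), ORIGIN));
  return { ok, replay, stale, wrongOrigin, otherKey };
}
console.log(demo());
```

Only the first attempt is accepted. Nothing held in `publicKeys` or `pending` lets someone who copies the server's data produce a valid assertion, which is the contrast with a central database of passwords or biometric templates.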
Identity Verification vs. Authentication: Similarities
Identity verification and authentication both concern the confirmation of identity. They are frequently used in tandem to ensure that only a valid user can access systems and resources. Identity verification and authentication come in at different points in the identity lifecycle. Verification is used to establish an identity and, when necessary, re-confirm identity. Authentication is what verified individuals use for daily access. Both are necessary to identity security.
Identity Verification vs. Authentication: Differences
Although they sound similar and are often used in conjunction, major differences exist between identity verification and authentication. Verification involves establishing a legitimate, proven user identity. Authentication deals with preventing illegitimate users from entering a system on an ongoing basis. Below we compare them in key areas.
Purpose
Verification confirms an individual is who they claim to be by verifying the authenticity of their proof of identity. Authentication determines if someone attempting to access an account is authorized to do so.
Data Type Used
Identity verification usually involves some official form of documentation, such as government IDs, and/or a live photo that proves a person’s physical identity. Authentication may not be tied at all to the person’s physical identity; it can use information such as passwords or possession of a code or key.
Identity Timeline
Verification is performed at a specific point in time, when first onboarding an individual to establish their identity. There may be reverification triggers at times of increased risk or other key events. Authentication is performed on an ongoing basis to continuously validate a person’s identity to grant access to systems and resources.
Building a Comprehensive Identity Security Strategy
Stringent identity verification policies cannot protect your data and systems if that identity can be easily spoofed through insecure authentication methods. Similarly, strong authentication won’t help you if a bad actor has possession of legitimate authentication credentials.
HYPR’s passwordless MFA eliminates breachable credentials from your authentication processes. Based on FIDO passkey standards, it provides the strongest authentication to form the basis of a comprehensive identity security strategy. To find out how HYPR passwordless authentication can protect your organization, speak to one of our identity security experts.
*** This is a Security Bloggers Network syndicated blog from HYPR Blog authored by HYPR Team. Read the original post at: https://blog.hypr.com/identity-verification-vs-authentication