Identification, identity verification and authentication – what are the differences?
According to a Bitkom study from the summer of last year, the German economy loses a total of 223 billion euros annually to theft, espionage and sabotage. Alarmingly, that figure is more than twice as high as in 2018/2019 (103 billion euros). A total of 88 percent of the surveyed companies were affected in the 2020/2021 survey period, compared to 75 percent in 2018/2019. These figures illustrate the tense cybercrime threat situation, which will persist in 2022 and is likely to worsen.
But what can companies do specifically to protect themselves? First, it is important to understand the basic terms of cyber security. One thing is certain: identity management, consisting of identification, verification and authentication, plays an essential role in IT security, and each of these elements depends on the others.
IBM’s “Cost of a Data Breach 2021” report once again impressively demonstrates the critical importance of securely managing identities and login data: according to the report, compromised login data is the most common initial attack vector and is responsible for 20 percent of data thefts. Here, too, a significant escalation of the threat can be observed: the average cost of such a theft of corporate data rose from $3.86 million in the previous year to $4.24 million in 2021. To prevent malicious actors from using stolen identities and login data, companies must therefore act proactively.
Different companies and industries have different needs in terms of data protection and data security, especially with regard to compliance, but these issues should never be neglected; after all, a successful attack on IT security can be business-critical. Of course, a financial services company with high-value assets and transactions usually needs stronger proof of identity than an organization in the field of social media. However, this does not mean that social media companies can do without strong identity security measures. Security researchers discovered a leaked Facebook database with 533 million accounts and personal information of users from 106 countries. It doesn’t take much imagination to picture what criminals can do with this data.
How are identification, identity verification and authentication used for online identity management and IT security?
Identification is the first step of the process, during which a user provides information about himself when creating an account. While a legitimate user provides correct information, a fraudster may provide false or stolen data.
Identification answers, first of all, the question “Who are you?”: when a new user completes the registration process of a service, he has thereby identified himself to it. Some companies limit their identity management procedure to identification and take the information provided by users at face value. This can be very risky.
Without additional steps to ensure that the user is who he claims to be, businesses often have no way to detect whether the person is using his real identity or a fraudster is using a fake name or a stolen identity. For example, cybercriminals can easily create social media accounts with fake names and personas for a variety of reprehensible purposes, including human trafficking.
Verification requires “proof” of the authenticity of the information provided during identification. To confirm that the person is using his real name, address, phone number, etc., companies require verification. Since stolen identities can easily be used to create accounts, this step prevents fraudsters who are unable to provide the necessary proof of identity from creating such fake accounts in the first place. Verification takes place, for example, by presenting a driver’s license or an official ID, or by means of biometric data such as fingerprints or verified photos used for face recognition.
As a rule, verification is carried out once during the registration process. Identity verification can be integrated directly into mobile applications to ensure that customers are who they claim to be.
If there is no verification procedure, fraudsters who have compromised identities or credentials can misuse them for their own purposes. At the beginning of the pandemic, for example, organized crime rings used stolen identities to make fraudulent unemployment claims and collect millions in benefits. When the scale of the fraud was revealed, the US began to use identity verification services that compared selfies with official photo documents to ensure that applicants were legitimate. Since the scammers could not provide the required selfies, they were prevented from committing further fraud. Unfortunately, genuine applicants who did not have devices with which they could take selfies were also prevented from receiving lawful benefits.
Authentication is likewise used to prove that a user really is who he claims to be. Authentication usually occurs every time a user logs in, and can also be required when a user makes a high-value transaction or tries to access sensitive data from a high-risk location, for example an airport. The methods used for verification, such as fingerprint scans and face recognition, are also used for authentication. Risk-based, adaptive authentication includes contextual data in the decision and requires additional evidence if the user logs in at an unusual time or place, or shows other unusual behavior patterns.
The types of authentication can be divided into three main categories, which are also called authentication factors:
- Knowledge – Something that users know. Information or secrets that only the legitimate user knows, such as passwords, PINs and answers to security questions.
- Possession – Something that users have. These include smartphones, cards, key fobs and physical tokens that can either generate or receive one-time passwords or codes.
- Biometrics – Something that users are. These are unique physical features that can be confirmed by fingerprint scans, voice recognition, face recognition and other scanning techniques using a device such as a mobile phone.
Two-factor authentication (2FA) and multi-factor authentication (MFA) require users to provide evidence from more than one category, which prevents malicious actors with compromised passwords or other credentials from accessing accounts.
The three procedures described here are all part of the process needed to keep users’ data secure when online accounts are set up and used. It is not a question of choosing between identification, identity verification and authentication: all three must be passed through in order to prevent fraudsters from setting up fake accounts or compromising credentials.