The internet is full of misconceptions and ambiguity around the terms authentication and identity verification, and sometimes the terms are used interchangeably. How is it that one action performed can be an act of authentication whereas another system refers to the very same act as identity verification? The answer to this question is to be found in an old saying that “one man's ceiling is another man's floor”.
Before exploring the meaning of that, there is a need to understand both the distinction and the interrelationships between these two processes. In this article we juxtapose identity verification vs authentication, but we also explain how they are interrelated. In this we also introduce a third, and often forgotten, term that also needs to be understood - credentials.
Authentication and identity verification are two related but distinct concepts within digital identity. Each of them represent a process of verifying a person's identity but they serve different purposes and they often apply different methods. There are many good reasons for why to keep these concepts apart but there are also great wins in having an aligned strategy for the two.
The fundamental purpose behind both processes is for an entity - such as a system, service, organization - to be able to trust their users when performing online transactions. Identity verification aims for learning to know someone to a certain degree. Authentication on the other hand aims for being able to recognize someone that is already known.
Thereby - identity verification is needed to enter and maintain relationships, whereas authentication is needed while interacting with those you have a relationship with.
We will not go into depth on this here, but it is also worth mentioning that these processes can be performed with different degree of confidence in the identity proofing. The concept level of assurance is used to describe how well one knows the user (identity verification) and how well one can recognize the user (authentication). However, this is a broader area, driven by multiple standardization and regulatory frameworks, that deserves more space and is elaborated in another article in our blog.
Finally, there is a mediator bridging the difference between verification vs authentication - the credentials. Wikipedia has a decent definition of what a credential is: “a piece of any document that details a qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so”. Throughout this article we will learn how credentials are the underlying building block for both identity verification and authentication.
Identity verification is about ensuring that a user's claimed identity matches their actual identity. The claimed identity is represented by collected and validated statements and properties of the user for the purpose of linking a digital identity with a user's identity. Such statements and properties are referred to as credentials and can constitute anything from traditional self-asserted data, third party attestations, copies of legal documents or even digital credentials of various kinds.
Verification is specifically about matching credentials with an actual identity, i.e. the person that intends to enter (or remain part of) a relation. Often this is carried out by anchoring details of any collected data with attributes of the real person in question such as biometric data, but it could also be some secrets that are unlikely for anyone else to know or by declaring possession of items that it is unlikely that anyone else has access to.
A complementary method is to verify the private data provided with an authoritative source, such as a bank account or a national registry. This is efficient to prevent fraud, i.e. distinguish existing people from made up identities, and at the same time often get access to additional relevant data.
There are many good reasons to apply a solid identity verification process, not only to prevent identity theft and data breaches. Sometimes, fundamental quality data on users are needed in the onboarding process and other business processes to even deliver a service and various levels of background checks are often applied to reduce the risk level.
However, the lion’s share of the id verification applications are driven by Know Your Customer (KYC) checks, AML (Anti Money Laundering) checks, PEP (Politically Exposed Persons) checks and other identity related regulations appealing mainly to businesses active in regulated environments, e.g. the banking industry.
With a bird's-eye perspective, authentication does the same as identity verification; one needs to zoom in to see the important differences. Both expect that the user presents credentials to be validated and verified. Authentication implies these to be digital credentials that are associated with secure deterministic authenticators. The purpose of these credentials is not to directly verify the properties of the actual person, but to verify the linkage to an already verified digital identity, i.e. that it is the same person.
On a second note, authentication implies the user to always be present in person, or through Power of Attorney (POA), and that the user is an active part. Identity verification is often partly carried out as background checks without the user’s full awareness, for example running background checks against data sources to maintain compliance with respect to AML and PEP.
Authentication is a cybersecurity discipline, well formalized and standardized. Just as identity verification benefits from collecting multiple credentials from multiple sources that can be cross-verified through multiple processes, secure authentication methods has the same requirements. Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) are basically a series of interlinked authenticators based upon different credentials of different types: Something You Have (SYH), Something You Know (SYK) and Something You Are (SYA).
Credentials presented during identity verification can be useful as authentication factors as well, for example a verified phone-number or email address is quite common to use in an out-of-band One Time Password (OTP) authenticator and a biometric liveness-aware passport verification method can work as a very secure SYH/SYK authenticator - however cumbersome and costly.
The main purpose of authentication processes used to be access control, i.e. to understand who access accounts so that authorization policies can be enforced (granting a user appropriate rights and permissions). In trust-sensitive businesses where e.g. large values or sensitive data are handled, the main driver is prevention of identity fraud and identity theft - i.e. to reduce the risk of cybercriminals accessing resources and functionality impersonating a real user.
Worth to notice is that in many free-to-use public apps, authentication is often rather a driver to understand the visitors - so that customer experience can be improved for increased loyalty and conversion.
Authentication is a cornerstone when interacting with users, therefore a positive customer experience is key, something we elaborated in another of our blog articles. Also low cost is vital - allowing security to compete with significant cost savings is bad practice.
Further, a good authentication solution allows the user to stay logged-in when (and only when) present and when the user has full transparency into current and historical activities. A tightly related feature that typically can be expected is the ability for all critical decisions to be recorded and signed for non-repudiation, i.e. a deal is a deal - also on the Internet.
As shown, the fundamental common denominator between verification and authentication are the credentials. Within the field of Identity and Access Management (IAM), identity verification belongs to the identity management domain and authentication belongs to the access management domain.
National Institute of Standards and Technology (NIST) has extended this concept with another domain, credential management as the connecting link between these two. To learn more about the conceptual architecture around digital identities; NIST has some great content. *
Credentials are objects often issued by an asserting party with the purpose to bind attributes to an identity. These are not always issued by official authorities, but may also encompass self-asserted credentials and those issued by parties without any official trust anchor.
Both identity verification and authentication are based upon credentials and sometimes the same methods and capabilities can be applied on both processes. Identity verification will typically use slower and more expensive methods - often data-driven covering multiple sources and where decisions are based on probability. Authentication on the other hand is often quick, smooth and cheap both in terms of performance and cost.
There are fundamentally two categories of credentials:
Different credentials have the purpose to prove different aspects of a person, e.g.
The capabilities for a person to prove possession and control of a credential is often referred to as an authenticator. Single-factor authentication (1FA) is an authentication process with a single authenticator. MFA is consequently the term for an authentication process with multiple authenticators - however of at least two distinct types among: SYH, SYK and SYA.
Note that passwords, OTPs, private keys, tokens are often mistaken for being credentials, but they are rather authenticators - i.e. they provide means to prove being in control of credentials to which they are tied.
We have seen how identity verification is a method for how to learn to know users, and just as in real-life, this is an iterative process. The initial identity verification is often quite verbose as being a method to establish initial trust before engaging further. But a well crafted identity verification process is rather circular than linear, i.e. verification is an iterative process.
We have also seen how authentication is a method for recognizing users across touchpoints in the customer journey and to ensure that no user is fraudulently (or deliberately) being exposed to masquerading. On top of that, to authenticate customers helps strengthen trust over time, and thereby any actions performed by an authenticated user can feed into identity verification.
The end game is to verify the authenticity of users by the proof of association to one or multiple credentials. Any credential issued by a trusted asserting party would be eligible in identity verification - and here is the catch. An authenticator provided by someone you trust can contribute to your own identity verification.
This hierarchy of federated confidence captures the fundamentals for how trust is established on the internet today. We build trust on top of each other - “one man's ceiling is another man's floor”.
* FICAM Architecture. (n.d.). U.S. General Services Administration. Retrieved May 17, 2023, from https://playbooks.idmanagement.gov/arch/services/