a good thing!
Identification, verification and authentication all have a role in identity management and security. Keeping bad actors from using stolen identities and credentials requires enterprises to be proactive. According to the FBI, internet crime costs Americans $4.2 billion in 2020.
Choosing the appropriate level of security depends on the application. For example, a financial services company with high-value assets and transactions typically requires more proof of identity than a social media company. Of course, that doesn't mean social media companies can forgo strong identity security measures. In 2016, hackers took over Katy Perry's Twitter account, which was the most followed account at the time.
Let's discuss how identification, verification and authentication are used for online identity management and security.
Identification asks the question: "Who are you?" When a new user completes the registration process, they are identifying themselves for you. Some companies limit their identity management process to just identification, taking the information users provide at face value. This can be very risky.
Without additional steps to ensure the user is who they claim to be, companies often have no way of knowing whether the person is using their real identity or a fraudster is using a fake name or stolen identity. For example, bad actors can easily create social media accounts with fake names and personas for a variety of nefarious purposes, including human trafficking.
Verification moves from "Who are you?" to "Prove it." To verify the person is using their real name, address, phone number and so on, enterprises ask for verification. Verification can be in the form of a driver's license or government issued ID card, or biometric data, such as fingerprints or verified photos to be used for facial recognition.
Verification is typically used once, during the registration process. Identity verification can be integrated directly into mobile apps to help ensure customers are who they claim to be.
If a verification process isn't in place, fraudsters with stolen identities or credentials can successfully use them. At the beginning of the pandemic, organized crime rings used stolen identities to file fraudulent unemployment claims and collect millions of dollars in benefits. Once the scope of the fraud was uncovered, states started using identity proofing services that compared selfies to official photo documentation to ensure applicants were legitimate. Because fraudsters couldn't provide the required selfies, they were stopped from committing additional fraud. Unfortunately, real applicants who didn't have devices capable of taking selfies were kept from collecting legitimate benefits.
Watch this short video to see the customer verification process in action.
Authentication is also used to prove users are who they claim to be. Authentication typically occurs every time a user signs on, and can also be implemented when a user attempts a high-value transaction or tries to access sensitive data from a high-risk location, like an airport.
Types of authentication fall into three main categories, also known as authentication factors:
Two-factor authentication (2FA) and multi-factor authentication (MFA) require users to provide proof from more than one category, which stops bad actors with compromised passwords or other credentials from accessing accounts.
Watch this brief video to learn more about modern multi-factor authentication (MFA).
Identification is the first step in the process, where a user provides information about themselves when setting up an account. While a legitimate user will provide accurate information, a fraudster can provide false or stolen information.
Verification forces the user to prove the information they provided is true. Because stolen identities can be used to set up accounts, this step stops fraudsters unable to provide the required proof of identity from creating fake accounts. Users may be asked to provide a fingerprint, facial scan, copy of a driver's license or other form of verification.
Authentication also requires users to prove their identities and can occur every time a user logs on. Methods used for verification are also used for authentication, including fingerprint scans and facial recognition. Risk-based, adaptive authentication incorporates contextual data into the decision-making process, stepping up the need for additional proofs based on whether the user is logging on at an unusual time, location or other factor.
To learn more the importance of ensuring users are who they claim to be, read our blog