Identification vs. Authentication: What’s the Difference?

In discussions of identity and access management (IAM), you sometimes find terms used interchangeably, when they actually describe very different processes. While this may not matter in casual conversation, recognizing and solving security issues relies on effective labeling. One of the most common of these mislabeled processes is when people discuss identification vs. authentication. 

Identification vs. Authentication: What’s the Difference

People may use them in the same contexts, but identification and authentication play very different roles. While the mechanisms that surround them can vary widely, they broadly can be defined as follows:

• Identification: This is who the user is, i.e., their account name or user ID. Inside a system, this defines their access privilege. For example, on Facebook, the account holder is the only person entitled to view an account’s private messages. In an enterprise context, this identification will define the suite of applications and data a specific user can use.
• Authentication: This is how the user proves they are the legitimate account holder. The most common example of this is a password. The authentication should be something only the user and the service provider can access, or better still, only the user. 

Rather than identification vs. authentication being oppositional, they are sequential steps in the IAM process. An example of this intertwined relationship is online banking. Your username is specific and unique to you, but an account number may be shared by specific users (i.e., a joint checking account). Only authorized users should have complete access to the account and the privilege to perform transactions. In practice, your bank will seek several forms of authentication before allowing an authorized user to log in and may present additional authentication challenges around specific transactions.

Example of the identification and authentication steps:

1. You provide the required identification information and are onboarded into the system.
2. You set up an authentication factor, such as a password or passkey, for future entrance.
3. When you want to log in, the system asks for the identification (username) and authentication factor.
4. The system verifies that the information is correct and, if it is, authenticates your identity and grants you access to systems and resources that the admin has authorized.

Identification vs. Authentication: Types

To effectively distinguish between identification vs. authentication, it’s helpful to look at the different forms and varieties in each category. 

Different Types of Identification

Identification is the first step in most online transactions and requires users to “identify” themselves. This is usually done by providing a username, email address, or phone number, but identification can also occur via single sign-on and other methods. Here are a few of the different types of identification: 

• Username: This is a name of your choice that identifies your online account. 
• User ID: A user ID is usually granted from the server or admin side, so it could be a random alphanumeric pattern, a series of digits or part of your name or email address. 
• Verified Identity: For “high value” accounts (also frequently targeted by cybercriminals), you may be required to provide layers of verification for the account. This may include sending a photographic government-issued ID, such as a driver’s license or passport.
• Guest ID: This is the opposite of a verified ID because it’s a one-time session ID that likely holds no extra information. An example is purchasing tickets for a sports or music event; it doesn’t matter what the identity is as the ticket is anonymous. 
• Single Sign-On: This is a form of identity common among enterprises whereby a trusted identity provider (IdP) will give a user an identity they can use to sign in to multiple accounts. Learn more about HYPR’s passwordless SSO.
• Contextual ID: As you move around online, different services build up a profile of you, often without even knowing your name. This will use cookies stored on your browser or contextual information such as your IP address, device type or geographic location to identify you. 

Different Kinds of Authentication

Authentication is how a user proves they are the person they claimed to be during the identification phase. It’s easy to claim an identity. For example, you can input any username you like into a system. That’s why authentication is a critical security step. Online authentication requires one or more of the following: 

Passwords/Something You Know: An original authentication method, even before the advent of the online world, is for a person to gain access by providing a password or something that both the individual and the gatekeeper know, supposedly a secret. Unfortunately, secrets can be overshared or guessed (at a rate of thousands per second). Sometimes, a user may also be deceived into handing it over to an attacker. 

Something You Have: While passwords may have been the original and are still the most common form of authentication, extra layers of authentication were introduced to combat attacks. Now multi-factor authentication (MFA) is the recommended minimum for authentication processes. This means providing two or more from the something you know, something you have or something you are buckets. 

Something You Are: Also called inherence, this authentication factor is based on something that is inherent to you that can’t be copied or stolen. This includes features such as a face scan, retina scan, fingerprint or voice recognition. As scanners for these biometric features are now included in most off-the-shelf personal smart devices, it has become easier to include this strong authentication method in standard processes.

Presenting the required authentication factors is only one aspect of the authentication process, the part that the user sees. What happens on the backend to verify the authentication factors means the difference between a secure, phishing-resistant authentication process and one that can be breached or circumvented. For example, if identity is verified by matching the user’s fingerprint or face scan to one stored in a database, then it can be intercepted by attack techniques like man-in-the-middle, making it not much more secure than a password. Authentication verification should be conducted by secure public-key cryptographic exchange protocols.

Finding the Right IAM Balance

Discussing identification vs. authentication isn’t an either/or question but about how to best prepare both elements for an attack. The level of account privilege will often determine the strength of the authentication process. If an identity has high privileges (such as making a bank transfer) and the authentication is a simple password, an attacker will focus heavily on finding that password. However, if an account asks for a retina scan to see the weather, a user will choose not to use the service. 

Finding a balance between keeping user accounts safe from fraud without too much frustration doesn’t always have to be a trade-off. An organization can improve security while making authentication seamless by deploying a passwordless MFA solution. HYPR’s Passwordless MFA eliminates passwords and other shared secrets and utilizes biometric identifiers on a user’s device to reduce friction. This creates a phishing-resistant authentication process that’s easy to use and deploy.

Find out more about HYPR’s phishing-resistant, passwordless MFA.