Stay ahead of the curve with the latest news, ideas and resources on all things Identity Assurance and Passwordless.
Identification vs. Authentication: What’s the Difference?
Highlights:
- How authentication differs from identification and how each method can be defined
- A look at the different types and forms of identification and authentication methods
- Why it's crucial to find the correct IAM balance between security and user-experience
HYPR Team
7 Min. Read | April 24, 2023
In discussions of identity and access management (IAM), you sometimes find terms used interchangeably, when they actually describe very different processes. While this may not matter in casual conversation, recognizing and solving security issues relies on effective labeling. One of the most common of these mislabeled processes is when people discuss identification vs. authentication.
Defining Identification vs. Authentication
People may use them in the same contexts, but identification and authentication play very different roles. While the mechanisms that surround them can vary widely, they broadly can be defined as follows:
- Identification: This defines who the user is, such as their account name or user ID. It determines their access privileges within a system. For example, on Facebook, only the account holder can view private messages. In an enterprise context, identification specifies which applications and data a user can access.
- Authentication: This is how the user proves they are the legitimate account holder. Common methods include passwords, biometrics, or security tokens. Authentication should be something only the user and the service provider can access, or ideally, only the user can access.
The key difference between identification and authentication is that identification establishes the user's identity using account names or user IDs, while authentication verifies it using passwords, biometrics, or security tokens.
Rather than identification vs. authentication being oppositional, they are sequential steps in the IAM process. An example of this intertwined relationship is online banking. Your username is specific and unique to you, but an account number may be shared by specific users (i.e., a joint checking account). Only authorized users should have complete access to the account and the privilege to perform transactions. In practice, your bank will seek several forms of authentication before allowing an authorized user to log in and may present additional authentication challenges around specific transactions.
Example of the identification and authentication steps:
- You provide the required identification information and are onboarded into the system.
- You set up an authentication factor, such as a password or passkey, for future entrance.
- When you want to log in, the system asks for the identification (username) and authentication factor.
- The system verifies that the information is correct and, if it is, authenticates your identity and grants you access to systems and resources that the admin has authorized.
Identification vs. Authentication: Types
To effectively distinguish between identification vs. authentication, it’s helpful to look at the different forms and varieties in each category.
Different Types of Identification
Identification is the first step in most online transactions and requires users to “identify” themselves. This is usually done by providing a username, email address, or phone number, but identification can also occur via single sign-on and other methods. Here are a few of the different types of identification:
- Username: This is a name of your choice that identifies your online account.
- User ID: A user ID is usually granted from the server or admin side, so it could be a random alphanumeric pattern, a series of digits or part of your name or email address.
- Verified Identity: For “high value” accounts (also frequently targeted by cybercriminals), you may be required to provide layers of verification for the account. This may include sending a photographic government-issued ID, such as a driver’s license or passport.
- Guest ID: This is the opposite of a verified ID because it’s a one-time session ID that likely holds no extra information. An example is purchasing tickets for a sports or music event; it doesn’t matter what the identity is as the ticket is anonymous.
- Single Sign-On: This is a form of identity common among enterprises whereby a trusted identity provider (IdP) will give a user an identity they can use to sign in to multiple accounts. Learn more about HYPR’s passwordless SSO.
- Contextual ID: As you move around online, different services build up a profile of you, often without even knowing your name. This will use cookies stored on your browser or contextual information such as your IP address, device type or geographic location to identify you.
Different Kinds of Authentication
Authentication is how a user proves they are the person they claimed to be during the identification phase. It’s easy to claim an identity. For example, you can input any username you like into a system. That’s why authentication is a critical security step. Online authentication requires one or more of the following:
Passwords/Something You Know: An original authentication method, even before the advent of the online world, is for a person to gain access by providing a password or something that both the individual and the gatekeeper know, supposedly a secret. Unfortunately, secrets can be overshared or guessed (at a rate of thousands per second). Sometimes, a user may also be deceived into handing it over to an attacker.
Something You Have: While passwords may have been the original and are still the most common form of authentication, extra layers of authentication were introduced to combat attacks. Now multi-factor authentication (MFA) is the recommended minimum for authentication processes. This means providing two or more from the something you know, something you have or something you are buckets.
Something You Are: Also called inherence, this authentication factor is based on something that is inherent to you that can’t be copied or stolen. This includes features such as a face scan, retina scan, fingerprint or voice recognition. As scanners for these biometric features are now included in most off-the-shelf personal smart devices, it has become easier to include this strong authentication method in standard processes.
Presenting the required authentication factors is only one aspect of the authentication process, the part that the user sees. What happens on the backend to verify the authentication factors means the difference between a secure, phishing-resistant MFA process and one that can be breached or circumvented. For example, if identity is verified by matching the user’s fingerprint or face scan to one stored in a database, then it can be intercepted by attack techniques like man-in-the-middle, making it not much more secure than a password. Authentication verification should be conducted by secure public-key cryptographic exchange protocols.
Finding the Right IAM Balance
Discussing identification vs. authentication isn’t an either/or question but about how to best prepare both elements for an attack. The level of account privilege will often determine the strength of the authentication process. If an identity has high privileges (such as making a bank transfer) and the authentication is a simple password, an attacker will focus heavily on finding that password. However, if an account asks for a retina scan to see the weather, a user will choose not to use the service.
Finding a balance between keeping user accounts safe from fraud without too much frustration doesn’t always have to be a trade-off. An organization can improve identity security while making authentication seamless by deploying a passwordless MFA solution. HYPR’s Passwordless MFA eliminates passwords and other shared secrets and utilizes biometric identifiers on a user’s device to reduce friction. This creates a phishing-resistant authentication process that’s easy to use and deploy.
Find out more about HYPR’s phishing-resistant, passwordless MFA.
Key Takeaways:
Identification vs. Authentication: Identification establishes the user's identity using account names or user IDs, while authentication verifies it using passwords, biometrics, or security tokens.
Methods of Identification and Authentication: Identification is typically done through usernames, user IDs, verified documents, or single sign-on. Authentication is how you prove you are the person you claim to be. This is done through "something you know" (passwords), "something you have" (tokens), and "something you are" (biometrics).
Balancing Security and User Experience: Strong authentication is necessary, but it's important to minimize user friction. Passwordless MFA offers a secure, user-friendly solution that eliminates passwords and improves the user experience.
HYPR Team
Related Content