Identification and Authentication: Similarities and Differences
As the world moves increasingly online, users are constantly being identified, authenticated, and authorised. These terms are often used interchangeably; however, they are not the same and work differently to achieve specific tasks.
Only after a user has been properly identified and authenticated can they then be authorised access to systems or privileges. The authorisation aspect assigns rights and privileges to specific resources. Identification and authentication have specific purposes and are necessary components of data security.
Defining identification & authentication
Identification is the first step in most online transactions and requires a user to “identify” themselves, usually by providing a name, email address, phone number, or username. This is the process of someone saying that they are a certain person.
In an online environment, however, it can be difficult to verify that a person is giving a real identity and that they are who they say they are.
Identities can be verified through providing more information, often a form of government-issued ID. The verification process generally only happens the first time you create an account or access a site. After this, your identity will be authenticated, often by the creation of a password to go along with your username.
When initially signing up, accessing, or onboarding with a system, service, or company —after your identity has been verified — a form of authentication is set up. This will be required each additional time the service or application is accessed.
Digital authentication requires one of the following:
- Something a person knows: a password or security question
- Something a person has: a token, smartcard, ID card, or cryptographic key
- Something a person is: biometric data, such as a fingerprint or facial scan
The authentication process is a way for a user to prove that they are still the person they claimed to be during the identification phase. The safest authentication methods involve multi-factor authentication (MFA), which requires the use of more than one form of authentication.
Authorisation is granting a user access to services or the system — allowing rights and privileges based on the identification and authentication already provided.
In 2020, there were nearly 5 million reports of identity theft and fraud. Cybercrime is an issue with bad actors stealing personal information and posing as legitimate users.
The authorisation aspect helps to ensure that a person is who they claim to be, and they are authorised to access particular services and have certain privileges. Authorisation must come after both identification and authentication to be effective.
Where each protocol is used
Identification is used in the initial setup stage of accounts, services, and onboarding at a company. It is necessary to provide personal information to identify a person and then verify this identity.
Verification of identity can involve identification documents, knowledge only the real person would have, or entering personal data such as a social security number. Typically, identification is used each time a user accesses an account or service in the form of a username.
Authentication is the second step. It is initiated to match a user with previously provided information to ensure that they are indeed the person they claim to be. Authentication occurs when a user enters a password or provides the agreed-upon information. The system will then check what they have stored and make sure they match.
Authentication systems can also ask for a one-time verification code to ensure that the user’s identity is legitimate. This is often sent to a previously provided email or phone number via a text message and requires the user to provide the code as an additional authentication factor. Only after the identification and authentication are verified should authorization occur.
Lastly, the system will grant access or give rights and privileges to the user after authorising them. Authorisation can protect resources in a system as well as individual users by preventing unauthorised use or access.
How identification, authentication & authorisation are used
An example would include the following:
- The user is onboarded into the system by providing identification information.
- The user sets up an authentication factor, such as a password, for future entrance.
- The user returns to login and the system asks for the identification (username) and authentication factor (password).
- The system authenticates the user by verifying that the information is correct and matches what is stored.
- The user is granted access to systems and resources that the admin has authorised.
Keeping personal data safe online requires protecting your identity and using strong authentication processes. Here are some tips for creating a strong password.
A password manager can also help to ensure that your password remains strong and harder to guess for bad actors. Change your passwords often and do not use the same password from site to site.
It is also recommended to use at least a two-factor authentication process, such as a password and a verification code. Many sites have a built-in ability to activate two-factor authentication.
Multi-factor authentication using three or more authentication factors is even better. The more authentication factors you provide, the more secure your account will be. The use of biometric information, such as fingerprints, retinal scanners, and facial recognition, can add extra layers of security as well.
Authentication is perhaps the key to protecting online accounts and keeping data and resources more secure.
Multi-Factor Authentication: Who Has It and How to Set It Up. (January 2022). PC Mag.
Facts + Statistics: Identity Theft and Cybercrime. (2022). Insurance Information Institute, Inc.
What Makes a Good Password? 9 Rules to Protect You From Cyberattacks. (February 2022). CNET.
Biometrics. (December 2021). U.S. Department of Homeland Security (DHS).