Verification and authentication: What’s the difference and what’s the latest?

Security tips | Jan 27, 2022

Verification and authentication have taken center stage of late in businesses’ efforts to validate digital identities of customers. The terms are often confused, but there is a difference. So, what are the main differences between verification and authentication, and what are the current trends surrounding them?

We explain this and more in this article, providing a few insights to keep in mind as you plan and maintain your fraud prevention solutions.

What is digital identification?

Identification is the base level of understanding who a person is. When beginning your relationship with a new company, you are frequently prompted to provide identifying information about yourself in the account creation process. Common identifiers can include your name, physical address, email address, birth date, and phone number.

Additional attributes may also be collected as part of your “digital fingerprint,” including device, browser, and IP address. The rigor of collecting this information depends on the type of account you’re creating. For instance, opening a bank account has a higher bar for collecting information than, say, signing up for a social network.

Simplistically, digital identity can be thought of as a collection of identifiable datapoints that are created by the customer and tied to an account.

Once this information is collected, the next step in the process is to verify the identity that was provided in the sign-up process.

What is verification?

Verification is a confirmation that the person is who they claim to be.

Verification is the confirmation of a digital identity, typically at the start of a new relationship between company and customer. It is performed by requesting a date of birth, a phone number, or even a government-issued ID card, and checking it against an alternative, authoritative data source to confirm that the information or documents are valid.

Verification comes in all different shapes and sizes depending on the source requesting the confirmation. It can be as extensive as digging into official data sources such as credit checks, or as minimal as asking for an email address. To an extent, verification is all in the eye of the beholder, and a person isn’t verified until the company vetting them is comfortable.

What is authentication?

Authentication is the continued validation of the now-verified digital identity. In other words, it’s a check to make sure the person accessing an account is the rightful owner of the account tied to the verified identity.

Authentication typically happens each time a person uses a company’s system. It’s so ingrained in our workflows that you might not even think of it as “authentication” but simply as “how I access my accounts.” Authentication requires a customer to provide a factor, such as a password, a one-time passcode, a fingerprint, or a face scan. Authentication factors fall into 3 categories:

  • Something you know – also known as a “knowledge-based challenge”; often this is your username and password or a question like “what street did you grow up on?”
  • Something you have – also known as a “possession challenge”. Most often, this is a one-time passcode sent by text message or authentication app. It can also be a physical security token.
  • Something you are – this factor is a biometric check. Facial recognition and fingerprints are the most common factors here.

Authentication can be one factor or multi-factor (2 or more factors authenticated) to grant access to an account.

A recap and simplification of the process, then, looks like this:

  1. Digital identity: A person says they are this person.
  2. Verification: A company verifies the claim is true using identifying documents/factors.
  3. Authentication: When that person accesses their account, they authenticate their identity using one or more factors to confirm they are the rightful owner of the account.

What’s the difference between verification and authentication?

At the end of the day, verification and authentication are two sides of the same coin. Verification, well, verifies that the information a customer provides is authentic. Authentication ensures that the person accessing an account should be allowed to access the account.

Deciding how much information you need to verify – and when and how you need to authenticate – isn’t a one-size-fits-all solution. It depends on the regulations in the industry and countries that you’re operating in, the risk profile of your product and company, and the risk profile of your customers.

For instance, in the financial industry, Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations require significantly more information to be verified than signing up a customer for a food delivery service account. Another example is the PSD2 authentication requirements in the European Union, which dictate how you need to authenticate purchases and monetary exchanges for transactions that take place in the EU.

What’s the latest?

The following trends show what really matters to customers and what companies need to do in order to meet their needs.

Taking risk-based approaches to authentication

Authentication is tricky. Obviously, the more factors you authenticate, the more sure you can be that the user is legitimate. However, asking someone to jump through multiple authentication processes every day or at every login just to access their account can really ruin the user experience and lead to frustration and churn. Layering in intelligence that assesses the risk and level of trust between you and your customer lets you monitor signals that keep accounts safe while challenging for additional authentication only when the risk level is elevated.
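The risk-based decision described above, combined with the three factor categories listed earlier, as an added Python example that is not from the original article. The signal names, weights and thresholds are constructed assumptions, and the example assumes a factor counts once per category (a password plus a security question is still one category), as PSD2 strong customer authentication requires.

```python
from dataclasses import dataclass
from typing import Iterable

# The article's three factor categories: know / have / are.
FACTOR_CATEGORY = {
    "password": "know", "security_question": "know",
    "sms_otp": "have", "authenticator_app": "have", "hardware_token": "have",
    "fingerprint": "are", "face_scan": "are",
}

@dataclass
class LoginContext:
    """Hypothetical risk signals gathered at login (illustrative names)."""
    known_device: bool
    usual_country: bool
    recent_failed_logins: int
    high_value_action: bool

def risk_score(ctx: LoginContext) -> int:
    """Constructed weights; a real deployment tunes these on its own data."""
    score = 0
    if not ctx.known_device:
        score += 2
    if not ctx.usual_country:
        score += 2
    score += min(ctx.recent_failed_logins, 3)  # cap so one signal cannot dominate
    if ctx.high_value_action:
        score += 2
    return score

def required_categories(score: int) -> int:
    """Low risk: one category. Elevated: two. High: all three."""
    if score <= 1:
        return 1
    if score <= 4:
        return 2
    return 3

def decide(ctx: LoginContext, presented: Iterable[str]) -> str:
    """Return 'allow' or 'challenge' from the distinct categories presented."""
    presented = list(presented)
    unknown = [f for f in presented if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised factor(s): {unknown}")
    categories = {FACTOR_CATEGORY[f] for f in presented}
    needed = required_categories(risk_score(ctx))
    return "allow" if len(categories) >= needed else "challenge"
```

A returning customer on a known device passes with a password alone, while the same password from a new device triggers a challenge until a factor from a second category is supplied.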

Ramping up due to increase in online usage

The increase in volume of online transactions has forced a complete reworking in how companies manage digital identity. As the numbers increase, digital identity verification checks are expected to triple in the next 5 years.

Customers prefer safety-minded companies

The average customer sees how data-intensive their company relationships have become, and they are recognizing the potential security risks. Customers are now more than ever wary of companies that don’t have the correct checks and balances in place to stop fraud and ID theft. And when customers don’t feel safe, they leave.

The bottom line

As more and more of our daily lives move online, people expect that they can safely and easily conduct business—from routine shopping to high-value transactions. It has therefore never been more important to accurately identify, verify, and authenticate customers with minimal friction to keep their trust and keep them coming back.  
