When it comes to access control and management, the terms authentication, authorization, and identification come up almost immediately.
Understanding what authorization means is relatively straightforward. Authorization is, effectively, the same as permissions. Should someone be able to access a set of data, software, or even a physical building? Whether or not they should be able to access something is equivalent to whether or not they have the authorization, or permission, to do so.
Authorization is the final step in an access flow. Before someone’s access request is authorized (or denied), you need to know who they are. That’s where identification and authentication come into play.
Identification is the first step in accessing a gated system, whether the gate is a literal gate or a prompt for information on a computer screen.
In most systems, users are either assigned or choose a username and password combination. As far as an application or software is concerned, that username is how you’re identified within the system. If you were at a literal gate identifying yourself to a guard, your identity would be tied to your name. It’s how you say “this is me” to a given entity that is asking.
Why does it matter?
Because people and computer systems can be fooled. Data breaches and identity theft make it possible for cybercriminals to pretend to be just about anyone. If they have your username, how is the system supposed to know if it’s you, or a bad actor? If someone has called into a call center claiming to be you, how does the support rep know if that person is you or a fraudster?
Authentication or Verification
It’s easy to claim an identity. You can call into a support center and claim to be whoever you want. When it comes to digital identities, usernames are often one of the least secure aspects of an identity. You can input any username you like into a system, but you can’t gain access unless you also provide a form of authentication. This is what happens when a call center requires you to verify your identity using a street you’ve lived on, a pin number, or most commonly, a password.
You verify that you are the person who the username is assigned to by providing a secret that only you know: your password or pin number. This process is also referred to as authentication, and passwords are a factor used to authenticate. Other factors can be knowledge-based answers, such as streets you’ve lived on, pet names, and other security questions you commonly have to answer before resetting your password. More secure factors include biometrics, physical keys, tokens, or randomly generated one-time passwords.
Authentication and verification can be used almost interchangeably in this context, and often are. You are ensuring that a given entity (whether it’s a person or a computer connecting on a network) is who they claim to be.
That last point is the main difference between identification and authentication or verification. Identification is the act of presenting your ID or username, while authentication is the act of checking that you are you. If someone is pretending to be you, they should be thwarted by a properly secure or accurate authentication method.
Biometrics as an Authentication Method
While passwords have been used as an authentication method for hundreds of years, that familiarity and commonality is also their downfall. Compared to other authentication methods, they’re easy to steal or hack, making them unsuitable as a standalone authentication factor. While using knowledge based authentication in the form of security questions can help augment passwords, the answers to those questions as well as the passwords themselves are commonly leaked in data breaches.
This is why the National Institute of Standards and Technology (NIST) has been recommending to use at least two factors of authentication for years due to the improved security. Initially, this was done using SMS-based 2FA, which is what many financial institutions still use today.
The downside to SMS-based 2FA or code-based MFA is that using these methods is cumbersome and can potentially still be bypassed. SIM-swapping is a particularly notorious and highly visible bypassing method, but creative hackers aren’t limited to physical phones and SIM cards.
SMS-based 2FA in particular is so easy to bypass that not long after recommending two factor authentication, NIST came out again and said wait, not that kind of 2FA.
Instead, the use of biometrics as an authentication factor exponentially increases the difficulty of attempting to gain fraudulent access to an account or system. While it is theoretically possible to spoof specific biometric readings, spoofing multiple biometrics at once is virtually impossible. For this reason, Q5id utilizes biometrics as a method for both proving an identity (validating that a given person genuinely exists and matches the individual claiming to be that person) as well as for authentication.
A scan of the palm, a spoken phrase, or a quick face image may entirely replace passwords eventually. Microsoft has been pushing for businesses to move to passwordless environments for some time, but the actual implementation and management has often been a barrier for organizations.
Fully passwordless environments may still be in the future, but passwordless and streamlined biometric identity proofing (and authentication) is a reality. Q5id allows organizations to onboard and prove the identity of their customers or employees, who can then use simple biometrics for authentication. No need for username, no need for a password: just you, proven.
If you’d like to find out how this could be implemented in your business, you can set up time to review your use case by emailing us at contact@Q5id.com.
"*" indicates required fields