Authentication is not the same as identification.
Identification is the process of establishing who an individual is, either through a trusted credential that asserts the identity of the person who possesses it, or through some other attribute of the person that can be tied to an identity. For instance, a passport is a credential that establishes the identity of the person who possesses it. A fingerprint can also establish the identity of the person presenting it, provided that a trusted database exists that links fingerprints to identities. In this case, identification results from a successful one-to-many match between the presented fingerprint and the many fingerprints in the database.

Authentication, on the other hand, verifies an identity claimed by someone who presents some type of "token" previously known to be in the possession of the person whose identity is claimed. For instance, a password can be considered a weak kind of token whose "possession" is demonstrated by knowledge of the password. A fingerprint can also be used to authenticate someone's identity, provided that it can be matched against a fingerprint previously known to belong to the person whose identity is claimed. Authentication requires only a one-to-one match between the presented fingerprint and the "known" fingerprint.
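The one-to-many versus one-to-one distinction, as an added example that is not part of the original page. The 64-bit "feature codes", the names, the threshold and the function names are constructed stand-ins for real fingerprint templates and matchers; what they show is the shape of the two operations, and why a one-to-many search's exposure to false matches grows with the size of the database while a one-to-one check does not.

```python
from typing import Dict, Optional

# Constructed example data: 64-bit "feature codes" standing in for enrolled
# fingerprint templates. Real biometric matching is far more involved; only
# the shape of the two operations (1:N search vs 1:1 comparison) matters here.
ENROLLED: Dict[str, int] = {
    "alice": 0xF0F0F0F0F0F0F0F0,
    "bob":   0x0F0F0F0F0F0F0F0F,   # 64 bits away from alice
    "carol": 0xFF00FF00FF00FF00,   # 32 bits away from alice and from bob
}
MATCH_THRESHOLD = 8  # max Hamming distance still treated as the same finger


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two feature codes."""
    return bin(a ^ b).count("1")


def identify(probe: int, database: Dict[str, int],
             threshold: int = MATCH_THRESHOLD) -> Optional[str]:
    """Identification: one-to-many. The probe is compared with every enrolled
    template and the closest identity within the threshold is returned, or
    None if nothing is close enough."""
    best_id: Optional[str] = None
    best_dist = threshold + 1
    for identity, template in database.items():
        d = hamming(probe, template)
        if d < best_dist:
            best_id, best_dist = identity, d
    return best_id


def authenticate(claimed: str, probe: int, database: Dict[str, int],
                 threshold: int = MATCH_THRESHOLD) -> bool:
    """Authentication: one-to-one. Only the template enrolled under the
    claimed identity is consulted; a claim for an unknown identity fails
    closed instead of falling back to a search."""
    template = database.get(claimed)
    if template is None:
        return False
    return hamming(probe, template) <= threshold


def search_false_match_rate(per_comparison_fmr: float, enrolled: int) -> float:
    """Probability that an impostor's probe falsely matches *someone* in a
    one-to-many search over `enrolled` templates, given the per-comparison
    false match rate. Each extra enrolled template is one more chance for a
    false match; a one-to-one check makes exactly one comparison."""
    return 1.0 - (1.0 - per_comparison_fmr) ** enrolled


if __name__ == "__main__":
    # A probe from alice's finger with three bits of sensor noise.
    probe = ENROLLED["alice"] ^ 0b111
    print("identify   ->", identify(probe, ENROLLED))              # alice
    print("auth alice ->", authenticate("alice", probe, ENROLLED))  # True
    print("auth bob   ->", authenticate("bob", probe, ENROLLED))    # False
    print("1:N false-match probability at 10,000 enrolled ->",
          round(search_false_match_rate(1e-4, 10_000), 3))         # 0.632
```

With a per-comparison false match rate of 1 in 10,000, a one-to-one check wrongly accepts an impostor about 0.01% of the time, but a one-to-many search over 10,000 templates matches an impostor to somebody roughly 63% of the time. That is the practical reason identification-by-biometric needs a far stricter threshold (or a second step) than authentication against a single claimed identity.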
In general, authentication is a process that seeks to verify the truthfulness of some claim.
Authentication does not necessarily have to involve claims of identity. In the context of financial services, authentication generally means verifying someone's claim of authority to access a certain financial account. Phrases such as "account takeover" and "account hijacking" describe what happens when this process fails.

Authenticating someone for the purposes of account access is not necessarily the same as verifying that person's identity. That is, proving that you are authorized to access a particular bank account does not necessarily require proving that you truly are who you claim to be.
The distinction between these two types of claims is often blurred, because we assume that only certain known individuals are authorized to access a given financial account. But a financial institution may not issue unique credentials, such as different login IDs and passwords, to each person authorized to access the same account. For example, although many financial accounts are set up as joint accounts between several people, such as spouses, each person probably does not have a separate login ID and password for account access. When the same login ID and password are shared by more than one authorized person, no authentication of individual identities takes place; the authentication scheme only verifies authority to access the account.
Authentication is traditionally specified in terms of factors.
Authentication is based on the presence of one or more independent "factors." The more independent factors present, the stronger the confidence that the claim is valid. Three such authentication factors have traditionally been defined: "something you know," such as a password; "something you have," such as a physical object or token in your possession; and "something you are," such as a fingerprint biometric. An authentication procedure that combines two of these independent factors is known as two-factor authentication. More generally, combining two or more authentication factors is known as multifactor authentication. The gain in confidence depends on the factors being genuinely independent: a password and a one-time code that are both typed into the same malware-infected computer can be captured in a single compromise and do not add up to two factors in practice.
More recently, other types of factors have been proposed as also being valid in the authentication process. These include:
- geographical factors such as IP address, or other location-related indicators,
- behavioral factors such as the pattern of keystrokes made when typing, or pen movement when writing a signature,
- risk-based factors such as time of day when accessing an account, or other historical patterns or frequencies of making various types of financial transactions.
Multifactor Authentication
Multifactor authentication procedures include at least two of the following types of factors:
"Something you know" factors
- Passwords
- Prearranged challenge/response questions
- Preselected images
"Something you have" factors
- USB tokens implementing PKI client certificates/private keys
- Hardware tokens with visual interfaces implementing One-Time Password generators
- PIN/TAN sheets or "scratch cards" containing a list of covered, one-time passwords
- Grid or "bingo" cards that provide a table of secret numbers referenced by row and column
- "Soft token" implementations of One-Time Password generators
- "Soft token" implementations of PKI client certificate/private key
- Cell phones implementing One-Time Password generators
- Computer "signature"
- Smart card challenge/response calculators
- Out-of-band phone calls
"Something you are" factors
- Biometrics such as fingerprints or voiceprints
Other factors
- Risk-based factors such as IP address or time of day
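A minimal two-factor login that combines a "something you know" factor (a salted password hash) with a "something you have" factor (an RFC 6238 time-based one-time password of the kind generated by the hardware tokens, soft tokens and cell phones listed above), added here as an example; it is not code from the original page. The account record, the password, and the function names are constructed for this example. The TOTP seed is the RFC 6238 reference secret, so the codes it produces can be checked against the vectors published in that RFC.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Set

PBKDF2_ROUNDS = 100_000  # work factor for the stored password hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """'Something you know': store a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: Dict[str, bytes]) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, used: Set[int],
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """'Something you have': accept the current time step and +/- `window`
    steps of clock skew. Returns the matched counter, or None. Counters that
    were already consumed are refused, so a phished or shoulder-surfed code
    cannot be replayed after its legitimate use."""
    if len(code) != digits or not code.isdigit():
        return None  # fail closed on malformed input rather than comparing ""
    for delta in range(-window, window + 1):
        counter = at // step + delta
        if counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def make_account(password: str, totp_secret: bytes) -> dict:
    """Constructed account record: hashed password, TOTP seed, replay state."""
    return {"password": hash_password(password),
            "totp_secret": totp_secret,
            "used_counters": set()}


def login(account: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Two-factor check. Both factors are evaluated before deciding, so the
    response time does not reveal which factor was wrong, and the one-time
    counter is only consumed when the whole login succeeds."""
    at = int(time.time()) if at is None else at
    pw_ok = verify_password(password, account["password"])
    matched = verify_totp(account["totp_secret"], code, at, account["used_counters"])
    if pw_ok and matched is not None:
        account["used_counters"].add(matched)
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference seed (constructed account)
    acct = make_account("correct horse battery staple", secret)
    now = int(time.time())
    print("login with both factors ->", login(acct, "correct horse battery staple",
                                             totp(secret, now), at=now))
    print("replay of same code     ->", login(acct, "correct horse battery staple",
                                             totp(secret, now), at=now))
```

The replay set should live in persistent storage keyed by account in a real deployment, and the skew window should be as small as the fleet of tokens allows: every extra step accepted is one more valid code an attacker can guess or reuse.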