Authentication Is Not The Same As Identification
Identification is the process of establishing who an individual is through the use of a trusted credential that asserts the identity of the person who possesses it, or through some other attribute of the person that can be tied to an identity. For instance, a passport is a credential that establishes the identity of the person who possesses it. A fingerprint can also establish the identity of the person whose fingerprint is presented, provided that a trusted database exists that links fingerprints with identities. In this case, identification results if there is a successful one-to-many matching between the presented fingerprint and the many fingerprints in the database.
Authentication (as it pertains to identity), on the other hand, verifies the identity claimed by someone who presents some type of "token" that is previously known to be in the possession of the person whose identity is claimed. For instance, a password could be considered a weak kind of token whose "possession" is demonstrated by knowledge of the password. A fingerprint can also be used to authenticate someone's identity, provided that the fingerprint can be matched against another fingerprint previously known to belong to the person whose identity is claimed. Authentication requires only a one-to-one matching between the presented fingerprint and the "known" fingerprint.
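The one-to-many versus one-to-one distinction above is easiest to see in code. The following is an added example, not code from the article: it models enrolled fingerprint templates as constructed 16-bit feature strings compared by Hamming distance, with `identify()` doing the one-to-many search and `authenticate()` the one-to-one check against a claimed identity. The template values, the match threshold and the rule that an ambiguous one-to-many result counts as no identification are all assumptions of the example. The last function goes slightly beyond the article: it shows why one-to-many matching is the harder problem, because the chance of some enrolled template falsely matching grows with the size of the database.

```python
from typing import Optional

# Constructed enrolment database: each "fingerprint template" is a 16-bit feature
# string standing in for a real biometric feature vector (sample values only).
ENROLLED_TEMPLATES = {
    "alice": 0b1011_0110_1100_1010,
    "bob":   0b0100_1001_0011_0101,
    "carol": 0b1011_0110_1100_0000,   # deliberately close to alice's template
}

# Assumed decision rule: probes within this many differing bits are a "match".
MATCH_THRESHOLD = 3


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def identify(probe: int) -> Optional[str]:
    """One-to-many identification: search every enrolled template for the probe.

    Returns the enrolled name only when exactly one template is within threshold.
    If several are (as with alice and carol here), the search cannot say who the
    person is, so it returns None rather than guessing.
    """
    candidates = [
        name for name, template in ENROLLED_TEMPLATES.items()
        if hamming_distance(probe, template) <= MATCH_THRESHOLD
    ]
    return candidates[0] if len(candidates) == 1 else None


def authenticate(claimed_identity: str, probe: int) -> bool:
    """One-to-one authentication: compare the probe with the single template
    previously enrolled for the identity the person claims."""
    template = ENROLLED_TEMPLATES.get(claimed_identity)
    if template is None:
        return False   # unknown claim: nothing to compare against
    return hamming_distance(probe, template) <= MATCH_THRESHOLD


def system_false_match_rate(per_comparison_fmr: float, enrolled: int) -> float:
    """Probability that a one-to-many search falsely matches at least one of the
    `enrolled` templates, given the false-match rate of a single comparison.
    Assumes the comparisons are independent; a one-to-one check has enrolled == 1."""
    return 1.0 - (1.0 - per_comparison_fmr) ** enrolled
```

Presenting alice's own template to `identify()` returns `None`, because carol's template is also within threshold and the search cannot tell the two apart, while `authenticate("alice", ...)` with the same probe succeeds: the claim narrows the problem to a single comparison.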
Authentication Seeks To Verify The Truthfulness Of A Claim
Authentication does not necessarily have to involve claims of identity. In the context of financial services, authentication generally means verifying someone's claim of authority to access a certain financial account. Phrases such as "account takeover" and "account hijacking" have been used to describe what happens when this process fails.
Authentication for the purpose of account access is not necessarily the same as verifying someone's identity. That is, proving that you're authorized to access a particular bank account does not necessarily require that you prove that you are a particular person.
Many times the distinction between these two types of claims is blurred, because we assume that only certain known individuals are authorized to access a given financial account. But a financial institution may not provide unique credentials, such as different login IDs and passwords, to each person authorized to access the same account. For example, although many financial accounts are set up as joint accounts between several people, such as spouses, each person may not necessarily have a separate login ID and password for account access. People also often designate others to have access to their accounts. When the same login ID and password is used by more than one authorized person for accessing the same account, no authentication of individual identities takes place. Instead, the authentication scheme only verifies authority to access the account.
Authentication Is Usually Specified In Terms Of "Factors"
Authentication is based on the presence of several independent "factors." The more factors present, the stronger the confidence that the claim is valid. Three such authentication factors have traditionally been defined: "something you know" such as a password, "something you have" such as a physical object or token in your possession, and "something you are" such as a fingerprint biometric. An authentication procedure that combines two of these independent factors is known as two-factor authentication. Generally, combining two or more authentication factors is known as multifactor authentication.
Recently, other types of factors have been proposed as also having validity in the authentication process. These include:
- geographical factors such as IP address, or other location-related indicators,
- behavioral factors such as the pattern of keystrokes made when typing, or pen movement when writing a signature,
- risk-based factors such as time of day when accessing an account, or other historical patterns or frequencies of making various types of financial transactions.
Multifactor Authentication
Multifactor authentication procedures include at least two types of factors. Generally these are:
"Something you know" factors
- Passwords
- Prearranged challenge/response questions
- Preselected images
"Something you have" factors
- USB tokens implementing PKI client certificates/private keys
- Hardware tokens with visual interfaces implementing One-Time Password generators
- PIN/TAN sheets or "scratch cards" containing a list of covered, one-time passwords
- Grid or "bingo" cards that provide a table of secret numbers referenced by row and column
- "Soft token" implementations of One-Time Password generators
- "Soft token" implementations of PKI client certificate/private key
- Cell phones implementing One-Time Password generators
- Computer "signature"
- Smart card challenge/response calculators
- Other risk-based factors, including IP address, time-of-day
- Out-of-band phone calls
- Biometrics such as fingerprints or voiceprints
- Behavioral characteristics such as handwriting or typing styles
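To make the "something you know" plus "something you have" combination concrete, here is an added example (not code from the article or from any product it names) of a server-side login check that combines a salted password hash with an event-based One-Time Password of the kind generated by the hardware and soft tokens listed above. The OTP function implements HOTP as specified in RFC 4226 (HMAC-SHA1 over an 8-byte counter with dynamic truncation); the `Account` class, its look-ahead window of 5 and the sample password are assumptions of the example, and the token secret used in the usage note is the RFC 4226 test-vector secret.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # assumed work factor for the stored password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash so the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Two-factor account record: a password (something you know) and a shared
    HOTP secret held by the user's token (something you have)."""

    LOOKAHEAD = 5   # assumed resync window: how far the token may run ahead of the server

    def __init__(self, password: str, token_secret: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.token_secret = token_secret   # provisioned into the token at enrolment
        self.counter = 0                   # next counter value the server will accept

    def check_password(self, password: str) -> bool:
        # Constant-time comparison of derived hashes.
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))

    def find_otp_counter(self, code: str) -> Optional[int]:
        """Return the counter value that produces `code`, searching only counters
        the server has not yet accepted; None if no counter in the window matches.
        Does not consume the counter, so a failed login changes no state."""
        for c in range(self.counter, self.counter + self.LOOKAHEAD + 1):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                return c
        return None

    def login(self, password: str, code: str) -> bool:
        # Evaluate both factors before deciding, so a rejection does not reveal
        # which factor failed. Only a fully successful login consumes the counter,
        # which is what makes the password "one-time": replaying it is refused.
        password_ok = self.check_password(password)
        matched = self.find_otp_counter(code)
        if not (password_ok and matched is not None):
            return False
        self.counter = matched + 1
        return True


if __name__ == "__main__":
    # Usage with the RFC 4226 test-vector secret; the password is a constructed sample.
    rfc_secret = b"12345678901234567890"
    acct = Account("correct horse battery staple", rfc_secret)
    print(acct.login("correct horse battery staple", hotp(rfc_secret, 0)))  # True
    print(acct.login("correct horse battery staple", hotp(rfc_secret, 0)))  # False: replay
```

Two design points worth noting: the counter is advanced only after both factors pass, so an attacker who lacks the password cannot desynchronise the legitimate user's token by submitting codes, and the look-ahead window lets a user whose token was pressed a few times without logging in resynchronise without help desk intervention, at the cost of a few extra codes being acceptable at any moment.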