The changing nature of identity: Identification and authentication
Author: Sandra Peaston
Posted: 2 May 2017
Identification and authentication are two distinct processes that organisations use: firstly to establish your identity (identification) and then, later on, to affirm your identity (authentication) – making sure that the person that they are dealing with is the person that they have previously identified.
Put simply, when you apply for an account, you are identified, and when you later wish to gain access to that account you are authenticated. The factors involved in both processes are different.
How does an organisation effectively identify an individual who comes to them to take advantage of a product or service? More specifically, how does an organisation identify someone applying remotely? They will collect a number of pieces of information to identify and validate their potential customer, which may include a combination of:
- Name and birth date;
- Phone number;
- Email address;
- Your knowledge of your financial footprint;
- A collection of customer reference numbers;
- Physical characteristics (iris, fingerprints, vein patterns, face, voice, etc.);
- Behavioural attributes;
- The device and network used to make contact.
To an organisation, these pieces of information constitute an individual’s identity. Clearly then, identity is a many-faceted thing, but with this comes the problem of protecting all the facets that make up an identity. It remains the case that everyone must take responsibility for their personal information, and for the information of others that has been entrusted to them; otherwise those perpetrating identity-related crimes will continue to prosper.
To authenticate an individual, an organisation simply has to match the information they hold on their customer to information provided by the individual. The balancing act is to choose those pieces of information that provide sufficient security (i.e. can’t be provided by someone who isn’t their customer) and convenience for the returning customer.
The most basic authentication is username (or number) and password. For some accounts, that’s sufficient. An email address is a common user name, but it is also a piece of information that will be widely known. A mobile phone provider may identify their customer using their mobile phone number: a piece of information probably only used as a username by the phone provider, but known by many (and stored as part of customer data by many other organisations).
This means that all the security is based on one factor – the password. For the many people who use the same password for a number of accounts, those accounts are vulnerable should the password be compromised by database hacks or the account holder being phished or otherwise socially engineered.
For all but the least sensitive accounts, then, authenticating an individual by a single factor alone must be considered insufficient.
When an account is not secure enough, something physical can be added to the process of securing it – your mobile device, a card reader, or a token that produces a one-time code.
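To make the difference between one-factor and two-factor authentication concrete, here is an added example (not code from the original post or from Cifas) of the check an organisation performs when a customer returns. The password is the "something you know" factor and is stored only as a salted hash; the one-time code is the "something you have" factor, generated the way a code token does it (HMAC-based one-time passwords per RFC 4226/6238). The account details, the password and the token secret are all constructed for the example; the secret happens to be the RFC 6238 test value so the codes can be checked against the published vectors.

```python
"""Single-factor vs two-factor authentication check (added example, not from the original post)."""
import hashlib
import hmac
import os
import time

# --- Factor 1: something you know. The password is stored only as a salted PBKDF2 hash. ---
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for storage; a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash from the supplied password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- Factor 2: something you have. A token and the server share a secret and derive codes from it. ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, now // step, digits)


class Account:
    """Constructed customer record: what the organisation holds in order to authenticate later."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.otp_secret = otp_secret
        # Last time step whose code was accepted; a code is one-time, so the same step is never accepted twice.
        self.last_otp_step = -1


def authenticate(acct: Account, password: str, code: str = None, now: int = None,
                 require_otp: bool = True) -> bool:
    """Return True only if every required factor matches what the organisation holds."""
    now = int(time.time()) if now is None else now
    # Factor 1: a wrong password fails regardless of anything else.
    if not check_password(password, acct.salt, acct.pw_hash):
        return False
    if not require_otp:  # single-factor mode: a leaked password alone is enough to get in
        return True
    if code is None:  # two-factor mode: a leaked password alone is NOT enough
        return False
    step = now // 30
    # Accept the current step and one either side to tolerate token clock drift,
    # but never a step at or before the last accepted one (replay of a used code).
    for candidate in (step - 1, step, step + 1):
        if candidate > acct.last_otp_step and hmac.compare_digest(hotp(acct.otp_secret, candidate), code):
            acct.last_otp_step = candidate
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, so the codes match the published vectors.
    secret = b"12345678901234567890"
    acct = Account("correct horse", secret)
    print("password only, single-factor:", authenticate(acct, "correct horse", require_otp=False))
    print("password only, two-factor:   ", authenticate(acct, "correct horse", now=59))
    print("password + code, two-factor: ", authenticate(acct, "correct horse", totp(secret, 59), now=59))
```

The point the example makes is the one in the text: in single-factor mode a compromised password opens the account, whereas in two-factor mode the same password gets nowhere without a code that only the token (or a customer talked into reading it out) can supply. The replay check is what makes the code genuinely one-time, so a code that has already been used cannot be presented again in the same window.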
This takes facility takeover fraud (where the fraudster gains access to an innocent victim’s account) out of purely cyber territory. If a fraudster wants to take over an account then, unless they’re prepared to resort to burglary, they need to contact the account holder and convince them to disclose a one-time passcode (along with any other pieces of information that the fraudster needs).
The effects of this type of safety measure can be seen in the reduction in facility takeover frauds – there was an almost 60% decrease in these frauds between 2012 and 2015.
The downside of physical authentication, though, is that it can be annoying for the customer. You might have to take your code token with you everywhere, or you might find the process a bit fiddly. And some fraudsters are very good at convincing people that disclosing that code is the right thing to do – particularly where their victim can be considered vulnerable.
Two-factor authentication is good, but still presents fraudsters with opportunities. Is there a definitive way of authenticating a person that a fraudster can’t get round?
Sandra Peaston is Assistant Director, Insight, at Cifas. She is the author of our annual UK fraud trends report Fraudscape.
Sandra will be speaking at our Annual Conference on 13 June, 2017.