
Identification vs Authentication and Why the Difference Matters for Security

Aaron Painter talks about the difference between identification vs authentication and why it matters.

With the frequency of data breaches and the ever-increasing sophistication of AI deepfake technology, it’s becoming easier than ever to pretend to be someone else online. That makes the question of identification vs authentication increasingly crucial. Many people think of them as the same thing, but they are related yet different concepts. And the differences matter when it comes to online security.


See Security Gaps Hackers Exploit with Aaron Painter for a complete transcript of the Easy Prey podcast episode.

Aaron Painter is the CEO of Nametag, an identity verification company focused on high-risk verification moments. He became aware of verification issues at the start of the pandemic. Everything was becoming remote, and several loved ones had their identities stolen. Aaron, being a good family member and friend, decided to help them resolve the issues. Every company he called asked security questions – most of which related to previous addresses or their social security number. He realized that someone could have easily taken over the accounts just by figuring out the answers to these questions. And he quickly started wondering how it was possible in the modern age that we still couldn’t easily verify who was behind the screen, calling the helpdesk, or logging into an account. With Nametag, he set out to build technology to solve that problem.

Identification vs Authentication

Identification and authentication are subtly but crucially different. Identity can refer to who you are, what you stand for, and how you come across. Identification ties to a particular individual. Authentication just asks if the person in question has the right item(s) – password, piece of information, or anything else – to allow access. Anyone with the right items can be authenticated, whether they’re someone who should have access or not. And most of what we think of as identification in digital systems is just authentication.

In the digital space, most of what we think of as identity has really just been authentication.

Aaron Painter

We previously haven’t had the technology to actually determine who a person really is. But in a world where trust is decreasing in most areas, it matters if you can identify a specific person in a specific moment. It’s a bit like a credit card. When you swipe a card to use it, that’s where identification becomes important. The system checks in real time if your account is in good standing and has available credit. Whether or not you were once given the card doesn’t have much bearing on the transaction.

Identification is also a real-time question. Are you this person in this moment, or are you trying to impersonate someone? Most of what we think of as identification is actually authentication – checking if they have the right credentials. When the internet was new, that wasn’t a huge problem. The idea was that if you could log onto something, you had a .edu or .gov email address, and someone had already identified you and vetted you. But now, with unlimited free emails through services like Gmail and Hotmail, your email doesn’t represent your identity, it’s just an alias. And that degrades trust.

One thing that has made identification more challenging is the rise in remote work and remote interaction. If you worked in education or the government in the early days of the internet, you went into an office. People there saw you and could both identify and authenticate you. Aaron worked at Microsoft for over a decade. When he started, after visiting HR, he went to the security office. They helped set him up with a smart card, but seeing him and checking his ID was a physical process. Now, many workers are entirely remote and nobody sees them in person.

Another trend is the rise in technology that makes it easier to impersonate people. Think of deepfakes. They’re almost mainstream. It’s easy to make them, and many services offer the capabilities for free. When you put the two things together, it’s really hard to know for sure who you’re interacting with. A lot of companies also hire IT workers remotely, who potentially have a lot more access. This can be a big risk. Some companies do background checks and require certain certifications or proof of schooling to attempt to mitigate this. But this is authentication, not identification. John Smith may have the certification, but how can you verify it’s John Smith doing the work? The question of identification vs authentication is incredibly crucial for companies with remote workers.

Deepfakes and Identification

Voice cloning is a deepfake process of mimicking someone’s voice. Just a few years ago, to make a voice clone of someone, you had to record them reading a 20-minute script with a predetermined set of words, let your system learn that, and you’d come up with something pretty close. Now, all you need is 3-5 seconds of audio – that you can grab from a podcast, phone call, voicemail, or video on social media – to create a realistic and convincing voice clone.

Voice cloning is so easy these days that authentication and identification are essential.

Photo editing, video creation, photo sharing, and a lot of other tools out there have made impersonating other people easier. Tech has basically given us new superpowers for doing really cool things. And there are a lot of beneficial uses, like living history, memory aids, and bringing back people who are no longer with us. But it also means that someone could easily impersonate you without you necessarily knowing. The level of sophistication is insane, and it’s often free to end users.

It’s that rise of the ability to impersonate someone that’s made [deepfakes] such a dangerous tool and given these superpowers to bad actors.

Aaron Painter

And criminals often don’t need high fidelity to make a realistic deepfake. Think of a shaky video clip captured from the back of someone’s car, or someone calling a helpdesk on a bad phone connection. It’s getting easier to produce the high-definition ones, but, ironically, sometimes people are more trusting of imperfect deepfakes. This happens a lot with companies that rely on individuals’ recognition. If HR knows everybody, or this banker knows all their clients, they’re even more inclined to trust when they recognize the voice, even though it could easily be someone with a voice clone.

Identification and Authentication Online

Think about going to a conference. Chances are good you were invited to begin with. At the door, someone’s checking your ID and maybe your business card and confirming your email and where you work. Then you get a nametag. People who you meet there know you’ve been vetted and are likely not impersonating someone. The same is true at the airport – there’s a security check before you get to the area where the flights are departing. In the real world, we have controls to verify people to make sure the environments are safe. But that’s a lot harder online.

In the real world, we have these controls to verify who people are so that the environments can be safe. Increasingly in the online world, it’s very difficult to get that same level of trust.

Aaron Painter

People also don’t want to be verified. If you go to the airport, you want to make sure everyone getting on that plane with you is verified. But if you’re going to go online and post about some political hot topics, you may not want people to know who you are. One of the challenges of identification for online platforms is that not every user wants that.

It makes sense to have the option to operate anonymously or under a pseudonym. But if platforms want to combat misinformation, disinformation, bots, and similar, they have to make sure content is coming from real, known people. Each platform can have its own business model and way to offer anonymous profiles. But being able to identify users is important. The matter of identification and authentication is even more crucial in work contexts, where the “platform” is your corporate network. It matters that you know who each person is.

Identification, Authentication, and Account Recovery

MGM, a company that runs hotels and casinos in Las Vegas, was attacked about two years ago. A bad actor called the IT helpdesk and claimed to be an employee locked out of their account. It took about eight minutes for them to get the helpdesk worker to reset access to the account. They got in, added ransomware, and took MGM offline for two weeks. That level of attack has continued – that’s just the most well-known example. Helpdesks are actually one of the biggest vectors for these kinds of fraud.

Your protection is only as secure as the recovery mechanism.

Aaron Painter

When it comes to authentication, your protection is only as good as your recovery mechanism. If you set up phishing-resistant systems with authenticator code MFA, that’s great. But the vulnerability isn’t necessarily the tech, it’s the human process. All it takes is someone calling the helpdesk and saying “It’s me, but I can’t get in,” and the tech safeguards don’t matter. Now it’s up to that person on the phone to decide if you’re really the account owner and if they should let you in. It’s a backdoor that lets a lot of criminals in.

The vulnerability is not necessarily the technology, it’s the human processes.

Aaron Painter

Another issue with most authentication processes is that they often ask for documentation like a driver’s license, but don’t have anything to compare it to. It’s easily bypassed with generative AI and doesn’t keep accounts secure. Security questions that most banks ask aren’t built for actual security, either. These are systems built for regulatory compliance, not for actual security.

Most Verification Doesn’t Work

When Aaron first started Nametag, he thought the most useful applications would be social media and dating sites – places where you’re building virtual relationships. At the time, there was less market interest. Now Tinder and Bumble both have identification verification processes. Digital signatures are another interesting case – generally you sign with your IP address location, although you can choose to hide that. It makes no sense that there’s no verification there but we all still trust you signed the document. There are a lot of cases where we want some form of identity verification, but if the process makes it easy to use a deepfake, it just feels like theatrics.

There are also cases where the identity verification was great, but it only happened once. Take home rental platforms. Profiles are only verified once. You can have a really thorough identification process, but if it only happens once, someone with the right authentication information can take over the account and use someone else’s verified identity. And often the initial verification is set up in a web browser, which is not secure.

So much verification is just confirming information like name, address, or email. It’s theatrics. It’s not keeping the account safe, it’s frustrating and time consuming for everyone, it’s enabling bad actors, and it’s the norm. There’s a lot of friction with some of these things, too. If you don’t remember which address you lived at in 2005 and didn’t save your last paper bill with the access number, you’ve now failed two security questions. A lot of these things are hard to know, hard to remember, or so obscure that it has no real security benefit.

Many default authentication and identification processes are a lot of time and effort for no security benefit.

We forget the friction that we’ve begun to tolerate today for what’s actually been very little security value.

Aaron Painter

Techniques for Identification, Not Authentication

When you do a mobile check deposit, you do it directly through your bank’s app. There’s no opportunity for you to edit the image, and the app can interact with the hardware to make sure you’re really taking a photo and not uploading something edited. By asking someone to scan their ID and take a selfie exclusively on an app, you can benefit from the cryptography on that device. The face ID camera on modern iPhones can capture a 3D selfie, which is much richer than a webcam. Mobile phones can make verifying identity more secure.

Tools like behavioral biometrics can also be helpful. The way we type, the way we move, our clicking patterns, all of this can be analyzed to see who’s logging in. But this again becomes a challenge of identification vs authentication. Behavioral biometrics can tell you if the person logging in is the same person who set up the account, but it doesn’t necessarily identify who that person is. And what happens if you shut your finger in a car door and your typing changes? If you have to call someone and say you’re locked out, we’re back to the same challenges.

There was an article a while ago where a dad in Florida got locked out of his iCloud account. He offered Apple $10,000, and offered to fly to their headquarters to reset it, because he wanted the family photos from that account. He said that they had his Face ID, Apple should know who he was. Apple said that they knew his was the face enrolled in Face ID, but that didn’t prove he was the owner of that iCloud account. That’s the difference between identification and authentication, and that’s the real challenge.

Steps for Better Security Now

As a consumer, you can ask if there are additional protections available for your most important accounts. Many people think of banking accounts as important, but also consider what other accounts matter to you. Also protect your email – it’s often a central point to logging into a lot of crucial accounts. Take advantage of whatever they provide. Even if it’s not perfect, it’s the right direction. Any security is better than minimum security. You can always ask for more, too. Asking creates a sense of demand, which can help push companies to provide more security.

Some companies are differentiating themselves by offering more secure processes. HubSpot offers account takeover protection on accounts, and that’s definitely a differentiator when choosing CRM providers. But it’s still important to look at recovery mechanisms. One commercial bank offered Yubikeys, a security key that offers great protection. But the recovery process was just a text. Aaron appreciates that they were trying to differentiate themselves, but an account is only as secure as the recovery process. If they haven’t thought about the recovery process, it’s basically just for show.

[It’s] actually not going to keep my account more secure if they haven’t thought about the recovery mechanisms.

Aaron Painter
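The recovery-mechanism point above can be checked mechanically. The following is an added example, not code from Nametag or the article: it audits a list of accounts and flags any recovery path weaker than the sign-in it bypasses. The method names, the numeric ranking and the sample accounts are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Assumed ordinal ranking for this example only (higher = harder to take over).
# The methods are ones the article mentions; the numbers are not from the article.
STRENGTH = {
    "helpdesk_call": 0,        # an agent decides over the phone
    "security_questions": 0,   # previous address, SSN and similar
    "password": 1,
    "sms_code": 1,
    "authenticator_code": 2,
    "security_key": 3,
}

@dataclass
class Account:
    name: str
    login: list      # methods required together at sign-in
    recovery: list   # each entry, on its own, can reset access

def login_strength(acct):
    # Factors are required together, so the strongest one sets the bar.
    return max(STRENGTH[m] for m in acct.login)

def effective_strength(acct):
    # Every recovery path is an alternative way in, so the weakest one governs.
    return min([login_strength(acct)] + [STRENGTH[m] for m in acct.recovery])

def audit(accounts):
    """Return (name, login strength, effective strength, weak recovery paths)."""
    findings = []
    for acct in accounts:
        bar = login_strength(acct)
        weak = sorted(m for m in acct.recovery if STRENGTH[m] < bar)
        if weak:
            findings.append((acct.name, bar, effective_strength(acct), weak))
    return findings

# Constructed sample data, not real accounts.
SAMPLE = [
    Account("bank", ["password", "security_key"], ["sms_code"]),
    Account("corp-sso", ["authenticator_code"], ["helpdesk_call"]),
    Account("hardened", ["security_key"], ["security_key"]),  # backup key only
]

if __name__ == "__main__":
    for name, bar, eff, weak in audit(SAMPLE):
        print(f"{name}: login={bar} effective={eff} weak recovery={weak}")
```
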

Verification is also important in business. Most companies run background checks on new hires, but just because someone can pass a background check doesn’t mean that’s the same person you hired. And giving someone access to your network is risky – and the problem has almost reached epidemic status because it’s so common. Whole industries have switched to having no physical office, and scammers are exploiting that. Aaron is glad attention is shifting to how to protect accounts and use identification instead of just authentication. Consumer and business demand for more trust leads to a better society.

Have a Healthy Skepticism

When it comes to interacting with anything in the digital space, shifting your mindset from authentication to identification can be beneficial. Start by looking at your consumer accounts and companies you already work with and see if any of them have additional security tools. Start adopting some of those. If they offer multi-factor authentication, turn it on – it’s a great first step. Aaron encourages everyone to turn it on as a necessary security measure.

When someone reaches out to you, be skeptical, even if it’s someone you know. Are they the person they claim to be? Verification is important. Rightly or wrongly, we all need to have some skepticism – or curiosity, if you prefer – when interacting with people online.

It’s just this healthy skepticism or curiosity I think we have to bring to all of these digital interactions.

Aaron Painter

Who’s the person, what’s the context, and what’s the channel? Is this someone you know or a stranger? A group chat or one-on-one? Are they suddenly asking for something unexpected? Aaron once had someone on LinkedIn that he hadn’t spoken to in years message him out of the blue and start asking personal questions. That context was very wrong for someone he hadn’t spoken to in so long – that’s suspicious. If you get a Facebook message from someone who would normally text or call you, it’s probably a compromised account. You have to bring some skepticism to all digital interactions. It’s so hard to verify identity right now that it’s good to be wary.

Aaron Painter is most active on LinkedIn, where he publishes content to keep people aware of general trends, challenges, and techniques that he sees are working. You can also follow Nametag on LinkedIn or visit their website at getnametag.com.
