Blurred Motion

Identity vs Authentication –

What the heck is the difference?

In today’s progressively more online world, where the convenience and benefits of transacting online are more and more valuable, companies continue to struggle with keeping their customers’ accounts secure, and users have more concerns than ever over privacy.

 

The latest trend for companies is to create new Identity Access Management (IAM) systems, requiring thorough “identity” screening of customers up front, and then “authentication” every time they re-access their accounts. The identity phase is usually a one-time thorough verification of the customer, often requiring proof via driver’s license, selfies and other documentation or biometrics. Authentication is less stringent because requiring this every time a customer accesses their account would be too cumbersome, and, in theory, the company already knows who you are. For an analogy, it’s a little like joining a country club. You go through a thorough screening to get accepted, interviews, recommendations, fees, etc. - the identity phase - but once you belong, you only need to show your account number or maybe your ID, - authentication - to get in, play that round of golf, eat at the restaurant, or access other activities within in the secure confines of the club.

 

Many companies have strong identification processes. They can utilize everything from credit checks to background checks to scanning government issued identity documents to establish the customer’s identity. However, when they try to authenticate the user, the tie-in to that initial authentication is often tenuous. This is analogous to a country club being exclusive to join, but then having weak checkpoints at entry, or when activities are booked. Non-members or criminals could get in.

 

Companies mostly still use username/passwords for authentication, but passwords lack in security and are often reused across accounts. Another option is to utilize text message based one-time-passcodes (SMS OTPs) which are tied to a phone number the customer registered during onboarding. But again, that link isn’t very strong as phishing is rampant and SMS OTPs are vulnerable to SIM swapping, SS#7, and many other types of attacks. In the last few years, companies have started moving to biometrics as a solution. We agree that biometrics are the best solution, but the current two main implementations are lacking. On-device biometrics just establish that someone is using the device (and can be reset via PIN), while FIDO biometrics work great if they are only being used for one application and one device, but don’t work across devices, require a separate onboarding for each application and each device, and have no built-in recovery method if the customer loses their device. A final option is to just have the customer go through a new identification process (such as scanning their government issued ID) every time. While this does establish the identity, it is onerous for the user, can be a lengthy process, and is expensive. We have a better way.

 

 

Asignio is focused on making sure the authentication, proving it is the same user for every point of access, ties back to the initial identification. When a user’s identity is set up, they create their Asignio sign-in. Then, every time they access their account, they use their unique Asignio sign in making it more secure and easier for the user.

 

Asignio uses dual biometrics to authenticate the user. Handwriting recognition and passive facial verification (with voice and facial verification as a back-up) are used to authenticate the user and tied back to the initial identification. The system is web-based (no new apps) and works across devices, providing powerful omni-channel authentication, and allowing for easy account recovery if a device is lost. It is as fast and easy and the best route forward for tying together identification and authentication in a digital world.

Contact Calvin Rutherford at demo@asignio.com for more information