How Authentication and Identification Work Together to Build Digital Trust

October 15, 2019
| |
3 min read

The dictionary definition of trust, according to Merriam-Webster, is the “assured reliance on the … truth of someone or something.” In today’s digital world, trust can be a tricky concept. To do business online, whether you are a bank, retailer, insurer, airline or anything else, you must have some degree of trust in your user — trust that they are who they say they are and not a fraudster or malicious bot attempting to steal money or data. But building trust in an online or mobile user can be more difficult and nuanced than it appears. It requires both identification and authentication.

The Truth About Identity

We can think of the “truth of someone” as their identity. The first step toward understanding a digital user’s identity is known simply as identification. This is just the ability to uniquely identify a user. It is the process by which a user makes a claim about who they are. A user could identify themselves with their full name or an account number, or an identity claim could be as simple as a username. In many cases, such as when opening a new account, this identity must be provisioned or proved initially.

Identification Is Not Authentication

Identification alone, though, is not enough to establish trust in any given digital interaction. Just because you tell me your name is Sam doesn’t mean I should believe you. Certainly, I shouldn’t give you access to Sam’s life savings based solely on that interaction. Trust is an assured reliance on that claimed identity. Assured reliance comes in the form of authentication. Authentication is commonly defined as the ability to prove that a user is genuinely who they claim to be.

There are many ways to authenticate a user. The most commonly used form is likely the password. We often consider a password as “something you know.” That is, a piece of information that only the true owner of an identity would be aware of. Unfortunately, in today’s world, that’s rarely the case.

When a user opens a new online account, they are likely to reuse a password they already have. It makes sense why: At a moment’s notice, a user might need to recall the password for any of around 90 accounts. This can lead to password fatigue, and customers may devise workarounds and ad hoc solutions to help keep things simple. But this can also sacrifice security.

Authentication Strategies for Today

This is where other types of authentication come into play. Strategies such as multifactor authentication (MFA), passwordless authentication and adaptive authentication add layers of analysis to the authentication process, making it significantly more difficult to circumvent. Multifactor authentication requires additional factors that support the user’s identity claim. In addition to something they know, such as a password, the user also needs to prove something they have, such as a device, and something they are, such as a biometric.

Passwordless authentication, on the other hand, leaves out “something you know” entirely. Instead, it uses contextual data against a digital trust framework to help you make decisions about how much to trust the user. This contextual data can be information about the user, the device, the user’s activity, behavior and network environment. The more layers of information that can be added to this analysis, the digital trust can be established, without the frustration of password based authentication.

Fraud Detection: The Flip Side of Authentication

Passwordless authentication brings into play the flip side of authentication: fraud detection. In addition to assessing an identity to prove that a user is who they say they are, organizations should also consider the probability that a user is not who they say they are. Fraud detection, suchh as authentication, should be multilayered. Part of the contextual analysis of a user or device should include looking for negative identifiers — whether the user is a person or a bot, whether the device is rooted or jailbroken, whether the user has malicious malware installed, etc. Understanding the risk involved with a digital user or interaction influences the level of trust in that identity.

Identity, Authentication and Digital Trust

In the end, modern organizations require a strategy that encompasses identification and authentication to build a foundation for digital trust. In better knowing the user, including the full context behind their behavior and interactions, businesses can enable better customer experiences without sacrificing security.

Valerie Bradford
Product Marketing Manager

Valerie Bradford is an IBM Security product marketing professional with over ten years of experience. Her career has focused on security technology, fraud pr...
read more