A secure digital exchange starts with identity. An organization needs to know who a person is before it can interact with them, because their identity dictates what they’re allowed to see and do.
The technical terms verification, authentication and access management refer to different methods for determining who a person is. The method used depends on the context of the exchange:
- Is this the first interaction or the fiftieth?
- Is the interaction high risk or low risk?
- Is the person a customer or an employee?
- Which country are they in?
The distinction between these methods matters when you are designing or updating a digital system and determining what identity services you need.
What is digital identity?
Identity is multidimensional. You are one person with one identity, but there may be hundreds or even millions of data points that together form the full picture of who you are (depending on how finely we’re measuring). These data points are called personally identifiable information (PII) when they can be used to identify a specific person (for example, full name or driver’s license number).
Some aspects of digital identity are fixed or rarely change:
- Date of birth
- Home address
- Phone number
- Biometrics such as fingerprints
- IP address
Some aspects of digital identity can be chosen and easily changed:
- User name
- Security questions
These data points could be in a database maintained by a company or a government, or they could be stored on a smartcard. They could be encrypted or randomly generated. What makes these data points part of digital identity is that they’re computer-readable and identify a single person.
What is identity verification?
Identify verification answers the question, “Are you a real person?”
Verification is usually a one-time event that happens during a person’s first interaction with a system (also called registration or onboarding).
Verification can be done digitally in two main ways:
- By comparing user-submitted identity data such as name, date of birth and phone number to third-party data sources
- By examining an identity document such as an ID card or driver’s license to make sure it is valid
The purpose of identity verification is to make sure that the person registering with the system exists.
Financial services and gaming providers use verification to help screen out people who may be trying to commit a crime or defraud the system. In these cases, verification is legally required to comply with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations. Since these regulations vary between jurisdictions, the verification method used depends on what’s demanded by the local regulations.
Online marketplaces and social networks use verification to help make sure people aren’t misrepresenting themselves to trick others, hide their activities or misuse the system. These organizations use verification voluntarily to create more user confidence in their services.
What is authentication?
Authentication answers the question, “Are you who you say you are?”
A person is authenticated regularly and repeatedly, every time they log in to a digital system. Authentication is not a one-and-done event — it’s an ongoing activity.
Authentication is done by asking the user for information and comparing it to the information associated with that identity or account:
- Something the user knows, such as a password or the answer to a security question
- Something the user was given, such as a mobile phone or security key
- Something the user has inherently, such as a fingerprint or facial recognition
A common example of authentication is an email activation link sent to a user of a digital service: if the user can’t click the link because they don’t have access to the email account, they can’t be authenticated, and they don’t get access to the service. They’re not who they say they are.
The purpose of authentication is to make sure that the person logging in has the right to access the system.
Because the average person needs to access many different digital systems (email, social networks, banks, retail stores, ridesharing, the list goes on), they have multiple digital account identities.
Low-risk systems, such as free content sites, use minimal authentication to keep the barriers to entry as low as possible. Higher-risk systems like financial institutions and email accounts use stronger authentication. For example, multi-factor authentication (MFA) involves asking for more than one “factor” or piece of information to securely confirm that the person logging in is the same person who originally registered.
A note on liveness checks: some facial recognition software requires that the user wink or move their head to demonstrate that they’re alive and that the facial image is not a static photo. Liveness checks can be part of identity verification (confirming that it's a live image of a real person) or authentication (confirming that it's a live image of the person claiming a certain identity).
What is identity and access management?
Identity and access management (IAM) is a framework for maintaining all of the digital account identities for a particular system. IAM answers the question: “Are you allowed to access this system?”
IAM allows administrators to set the access rules for a system, help legitimate users get in, and keep unauthorized users out. For example, IAM governs the following:
- What information does the system ask for when a user registers?
- How long does a password need to be and which type(s) of characters does it require?
- What different types of users are there and what do their roles allow them to do?
Traditional IAM systems help organizations manage access for their employees. Employee IAM governs which employees can use certain software applications, log in to certain networks, and perform certain functions within those applications and networks.
Customer IAM systems (CIAM) are designed for companies to manage customer access. CIAM manages accounts for all types of businesses, including eCommerce, entertainment and online marketplaces, as well as organizations such as governments and non-profits.
A note on OAuth: OAuth is an authorization framework that allows a member of one identity system to access another system without logging in again. When you use Facebook and an app asks if it can access your user name or email address or friends list, that’s OAuth in action. The user has granted the two systems the right to interact by clicking Yes.
Importantly, OAuth is not an authentication protocol. The person who clicks Yes to allow an application access to data may not be the person who is represented by that data.
Trulioo GlobalGateway is an identity verification platform
In the current market, there’s a wide and varied array of identity solutions, as evidenced by the 2019 OWI identity landscape: “Since 2016, the number of identity companies has exploded from 230 companies to over 2,000.” So some confusion about different types of identity solutions is understandable.
Trulioo is proud to be in the business of identity verification. Using GlobalGateway, our clients can compare user-submitted data to over 400 global data sources to determine whether those users are real people. In addition, GlobalGateway can also help verify businesses and their connected entities, such as owners and shareholders.
Clients can also use GlobalGateway to perform identity authentication by combining identity verification with ID document verification and liveness checks.
By returning reliable match/no-match results, GlobalGateway helps our clients welcome legitimate users and keep out fraudsters and criminals, in service of our mission to build trust online.
The vocabularies of digital identity verification, authentication and access management are always evolving with their respective technologies. But in the meantime, we hope these definitions will serve you well.
Learn how Trulioo’s marketplace of identity data and services can help your company build trust online, comply with cross-border AML/KYC requirements and prevent fraud.