The Edge

What Is the Difference Between Identity Verification and Authentication?

Identity verification and identity authentication are neither synonymous nor interchangeable, and implementing both is essential to fighting fraud.

Question: What is the difference between identity verification and authentication?

Shai Cohen, senior vice president of global fraud solutions, TransUnion: As more services shift to a virtual format, consumers and organizations are threatened by more efficient and evolved forms of fraud. To confirm that a customer is who they say they are requires both identity verification and identity authentication.

These two terms are not synonymous or interchangeable, and the organizations that don't know the difference make themselves vulnerable to increased fraud losses. Treating a verified identity ("this identity exists") as authenticated or proofed ("this user is who they claim to be") makes an organization vulnerable to account takeover fraud and synthetic identities.

Securing Account Creation and Use

The combination of a name, address, phone number, and email on an online form can provide enough information for a company to verify a consumer's identity and establish a layer of trust when an account is first created. This information can be checked against multiple data sources, such as utilities or telephone carriers, to ensure the name matches the other qualifying data.

It's critical to note, however, that verifying that the identity exists does not prove it belongs to the person entering that information. Criminals can use illicitly obtained identifying information to apply for new accounts or benefits in victims' names. Some create synthetic identities where credentials have been fabricated and are not associated with a real person but can fool verification processes.

This type of identity theft has prompted a shift toward proofing or authentication practices. These approaches require significantly more rigor than simply verifying that an identity exists. Organizations work to confirm that the identifiers supplied to create a new account belong to the person entering the information — i.e., that the applicant is who they say they are. Some identity-proofing systems may request a selfie and government photo ID for a facial recognition match from new customers.

Authentication, on the other hand, is an ongoing identity-proofing process that both checks the identity of digital users and ensures the integrity of the devices they use. Two-factor authentication and one-time passcodes are both commonly used authentication methods that help grant account access to the right person in real time.

Note that security measures have to balance consumer needs. A 2021 study from the CMO Council reported that authentication frustration caused 61% of consumers to abandon a transaction, and TransUnion's 2022 "Global Digital Fraud Trends Report" showed that approximately two-thirds of consumers would switch companies for a better digital experience. Organizations should incorporate both identity verification and authentication processes so that they can ensure safe interactions and create a trusted virtual channel that keeps consumers coming back.