Key takeaways
Identity verification confirms you are who you say you are when registering for a service.
Authentication is a fundamental element of computer security, confirming that you are the same person who registered.
Identity verification and authentication work together to form the backbone of digital identity trust.
Passwordless and adaptive authentication methods are replacing traditional password-based security.
What is identity verification?
Are you who you say you are? At account registration or sign-up, that is the question answered by identity verification. Its goal is to connect a real-world person to a digital account with a high degree of accuracy and confidence. Once you have established your identity, the service grants you access. For example, you go into a bank, or more commonly these days, you apply online for an account. The bank may ask you for proof of identity like a Social Security number or driver's license that it can check against government records. Or it may ask you for a facial photo to match against other sources. Only then will the bank open an account for you.
There are many ways to verify identity. Here are some common methods.
Government records: Modern verification systems can match submitted data such as a driver's license, passport, or other IDs against government records using machine learning techniques to check for authenticity and currency of submitted data.
Biometrics: Biometric verification checks a biometric characteristic, such as a fingerprint, facial scan, or iris scan, against the data on the user's ID. This ensures that the person requesting verification is the person represented in the submitted data.
Databases: Organizations can verify identity data against databases such as those from credit bureaus, government registries, and other identity-related resources. This type of verification is popular with organizations that have Know Your Customer (KYC) or Anti-Money Laundering (AML) regulatory requirements.
Knowledge-based information: Verification depends on users being able to answer questions regarding present personal facts or past history, such as prior addresses, old loans, or other information supposedly only the user would know. This method is becoming less popular due to increasing social engineering and theft of personal information.
What is authentication for account security?
Can you prove you are who you said you were? When returning to access an account, authentication verifies that the person trying to sign in is the same person who registered for the account. The system grants access only after authenticating you. In the bank example, after opening your account, to later access that account in person you may need to show your driver's license or sign a withdrawal slip. Online, you may need to input your password credentials or transmit your fingerprint or facial scan.
Factors of authentication
Traditional online authentication methods employ one or more of the factors from the three categories of authentication to grant login access: knowledge, possession, and inherence.
Phishing-resistant authentication
Most secure authentication methods today rely on multi-factor authentication (MFA), which uses information from two or more authentication categories to allow system access. Cisco Duo Push and Duo Mobile are two examples of possession-based authentication methods. One typical MFA method is to combine username and password credentials (knowledge) with a one-time passcode (OTP) delivered to the user's mobile phone (possession). This process is considered more secure but still not ideal, as attackers can intercept and reuse the OTP for unauthorized access.
Phishing-resistant methods like passkeys eliminate this interception risk. Passkeys use public-private key encryption tied to a specific device to provide a strong authentication method. Because the private key never leaves the device, passkeys cannot be phished, intercepted, or reused, making them one of the most phishing-resistant authentication methods available.
How identity verification and authentication work together
Identity verification and authentication serve two related purposes and work together to form the backbone of digital trust and help guard against cyber breaches. Verification establishes initial identity (root trust) at onboarding, while authentication validates access on a continuing basis (persistent trust). Together, identity verification and trusted authentication form the foundation of digital access security.
The table below summarizes the relationship between identity verification and authentication.
How identity verification vs. authentication compare
Process | Identity verification | Authentication |
|---|---|---|
What it is | One-time establishment of identity. | Repeatedly confirms the user's identity. |
When it is used | Onboarding or registration. | Recurring system access. |
Goal | Ensures that a person is who they say they are. Creates an initial trust relationship. | Establishes ongoing, secure access to accounts. Grants access only to the correct, authenticated user at each login. |
Threats addressed | Identity fraud, impersonation, synthetic identities. | Account takeover, credential theft, unauthorized access. |
Data used in process | Personal documents, IDs, biometrics, government data. | Password-based credentials, hardware tokens, biometrics, passkeys. |
User experience | Can be extensive and intrusive. | Should be as frictionless as possible. |
Identity verification and authentication in identity management
Here is an example of how identity verification and authentication can work together in an identity management system using Duo to protect against cyber breaches. A new user needs to log in to the organization's network. The system requires that the user establish their identity at enrollment, and that they prove their identity each time they return and log in.
Establishing identity: Identity verification happens once at onboarding to confirm that the user is real and is eligible to have an account. The user may be required to submit proof of their identity, like a facial photo. The user also verifies their email and trusted device. This answers the question, who are you?
Setting credentials: The system adds the user to its directory and requires the user to set their credentials, typically username and password.
Logging in: The user navigates to the system site and enters their credentials. Duo MFA sends a push notification to their trusted device. When the user approves the second authentication factor, the system allows access. This answers the question, is it really you?
The future of identity security
The cybersecurity ecosystem, both from a technology perspective and a cultural perspective, is evolving at a rapid pace. As new threats emerge, new security processes are developed to combat them. Identity management is no exception.
Application of artificial intelligence (AI): Organizations are using AI to identify deepfakes, process biometric data to determine liveness, and perform pattern and document analysis to strengthen identity security and defeat fraudsters who are using the technology to facilitate their hacking activities.
Passwordless and adaptive authentication: Passwords are giving way to passwordless authentication, which relies on advanced cryptography to provide better security and a better user login experience. New identity security solutions like adaptive authentication use contextual signals to authenticate users. Continuous authentication can be used to facilitate zero-trust access, where users are authenticated and authorized each time they request a new action or access a new resource. To learn more about how authentication, authorization, and access control work together, see our guide to trusted access.
Changing regulatory pressures: Regulatory bodies are likely to implement more and stricter policies and regulations focused on data protection. Compliance requirements depend on what industry the organization is in and how it does business. Deploying comprehensive identity security solutions can help organizations avoid regulatory penalties and fines.
Digital identity verification (DIV): Digital identity verification confirms a person's identity online using digital data, like digital driver's licenses and digital ID cards, biometrics, and device information, to securely grant access to online services, prevent fraud, and ensure compliance.
Steps for securing the identity lifecycle
To help you build a phishing-resistant and secure identity lifecycle, our end-to-end guide to phishing-resistant identity walks through five essential steps your organization can take.