Identification is only one part of the process of establishing who a user is; add authentication and you can have strong assurance that a user is who they claim to be.
How do I verify a person’s identity?
Verifying a person's identity can be as simple as looking at a government-issued photo ID card like someone's passport or driver's license. However, with identity theft on the rise, companies are using more complex ways to authenticate someone's identity.
What are Authentication and Identification?
Most of us are familiar with terms like “authentication” and “identification” in other contexts. However, when it comes to identity management and cybersecurity, these terms take on unique meanings.
With that, let’s define some important terms:
- Identification is the actual indication of a user’s identity. In simpler terms, this is a user account and all the data that an account entails. This account serves as a user’s identity within a system.
- Authentication is the process of verifying that a user is who they say they are. This is typically accomplished by comparing some sort of credentials against stored authentication information tied to a user account.
- Authorization is the assignment of rights, privileges or permissions for system resources and functionality.
Obviously, these items are closely related. Identifying a user means recognizing the user’s account information as it relates to the work they do in an IT system. So, for example, a user account might contain a name, a unique ID number, a photo or headshot, department, etc.
This identification serves an important purpose of showing who the user is. With that established, the user has to prove they are who they say they are against that identity when they want to enter into your IT system. Identity authentication is a process of using credentials to connect the current (physical) user with a user account identity. These credentials can include:
- Biometrics (fingerprint scans, iris scans, voice recognition)
- Randomly generated and expiring codes
- Verification through third-party apps
- Secure links sent to private email
Once a user authenticates with credentials, they can navigate your system as their user account.
Following this, authorization checks the user’s permissions against different system resources to determine whether or not they can actually access them. Based on their user identity, a person may not have access to all system resources.
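The three steps described above (identification, authentication, authorization), as an added example in Python that is not part of this article and is not 1Kosmos code. It assumes a constructed in-memory account store, a salted PBKDF2 hash as the stored authentication information, a randomly generated code that expires after 60 seconds as the second credential type from the list above, and a permission set on each account that holds only what that account needs; all names, values and the account data are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Permission = Tuple[str, str]  # (resource, action), e.g. ("invoices", "read")


@dataclass(frozen=True)
class UserAccount:
    """Identification: the account record that represents a user in the system."""
    user_id: str
    name: str
    department: str
    salt: bytes
    password_hash: bytes
    permissions: FrozenSet[Permission]  # only the rights the job needs, nothing more


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential store is expensive to reverse
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(user_id: str, name: str, department: str,
                   password: str, permissions) -> UserAccount:
    salt = os.urandom(16)
    return UserAccount(user_id, name, department, salt,
                       hash_password(password, salt), frozenset(permissions))


class IdentityStore:
    """Holds the user identities; looking one up by ID is the identification step."""

    def __init__(self) -> None:
        self._accounts: Dict[str, UserAccount] = {}

    def add(self, account: UserAccount) -> None:
        self._accounts[account.user_id] = account

    def identify(self, user_id: str) -> Optional[UserAccount]:
        return self._accounts.get(user_id)


# Dummy values so an unknown user ID costs the same hashing work as a real one
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("", _DUMMY_SALT)


def authenticate(store: IdentityStore, user_id: str, password: str) -> Optional[UserAccount]:
    """Authentication: compare the presented credential against the stored one.

    Returns the account on success and None on failure. The hash is computed
    and compared in constant time whether or not the account exists, so the
    response time does not reveal which user IDs are valid.
    """
    account = store.identify(user_id)
    salt = account.salt if account else _DUMMY_SALT
    expected = account.password_hash if account else _DUMMY_HASH
    presented = hash_password(password, salt)
    ok = hmac.compare_digest(presented, expected)
    return account if (account is not None and ok) else None


CODE_TTL_SECONDS = 60  # assumed lifetime of an expiring code


def issue_code(now: float) -> Tuple[str, float]:
    """Second credential: a random six-digit code that expires after CODE_TTL_SECONDS."""
    return f"{secrets.randbelow(10**6):06d}", now + CODE_TTL_SECONDS


def verify_code(presented: str, issued: str, expires_at: float, now: float) -> bool:
    # Reject expired codes; compare the rest in constant time
    return now < expires_at and hmac.compare_digest(presented, issued)


def authorize(account: UserAccount, resource: str, action: str) -> bool:
    """Authorization: may this authenticated identity perform this action on this resource?"""
    return (resource, action) in account.permissions


if __name__ == "__main__":
    store = IdentityStore()
    # Constructed sample account, not real data
    store.add(create_account("u-1001", "A. Example", "Finance", "correct horse battery",
                             [("invoices", "read"), ("invoices", "approve")]))
    user = authenticate(store, "u-1001", "correct horse battery")
    print("authenticated:", user is not None)
    print("can read invoices:", bool(user and authorize(user, "invoices", "read")))
    print("can delete invoices:", bool(user and authorize(user, "invoices", "delete")))
```

Note that `authorize` is only ever called with the account that `authenticate` returned: the permission check is bound to the verified identity, not to the user ID the caller typed in, which is the ordering the text describes.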
What Role Does Authentication Play in Compliance and Cybersecurity?
Authentication is one of the most important aspects of any compliance and security strategy. System protection and security are predicated on having secure identity and access management (IAM) controls in place, which means strong user access controls coupled with authorization.
That being said, the actual emphasis on identity authentication will depend on the framework you are working with. Some major frameworks have slightly different requirements. Some of these are:
- In 2018, PCI DSS required all organizations to implement some form of Multi-Factor Authentication (MFA) to stay compliant. This means at least two different forms of authentication, like passwords coupled with fingerprint scans.
- SOC 2 also requires at least Two-Factor Authentication (2FA).
- FedRAMP, a framework for cloud service providers working with federal agencies, has an entire security control family dedicated to access control. This includes requirements for access management and enforcement, remote access control, wireless and mobile access control and least privilege management.
- HIPAA requirements state that an organization must, for compliance, implement (at minimum) authorization controls that include a unique username or number that can be traced in the system, and at least one of four different controls, including a PIN system, a password system, a callback or token system or a biometric system.
Because authentication is such an important part of all of these frameworks (and others), many organizations use what’s known as the Principle of Least Privilege. This means that users only get access to resources that they absolutely need to do their job and nothing more. Authentication plays a major role in ensuring that these users are verified.
What are the Risks and Penalties for Not Having Proper Authentication Controls?
At this point, it seems obvious that there are significant risks and penalties for not maintaining proper authentication for your infrastructure. These can include:
1. Risk of system breach: The most readily apparent risk is that someone steals login credentials or breaks into the system through weak protection. An attacker who can pass identity authentication with a user account that has broad authorization can cause havoc.
2. Penalties for non-compliance: Almost every compliance framework has some form of authorization control requirements; not having these controls in place can be a breach of compliance. This means financial penalties that, in some cases, can reach hundreds of thousands of dollars per incident. Likewise, repeat non-compliance can mean revoked licenses or loss of certifications.
3. Increased incidents of fraud: Attackers can access user accounts not simply to steal data. They can pose as users in order to get access to other, more sensitive systems. In industries like retail, this can also extend to attackers using stolen accounts to run scams using store inventory.
4. Internal risk of theft: According to one study, insider threats constituted up to 60% of all security breaches. Even on your best day, employee data access can be risky if someone tries to abuse their access authorization. Without strong access controls, you open up an even bigger risk of insider attack from individuals in your company attempting to access systems they are not authorized to use.
Support Compliance and Security Using 1Kosmos BlockID
With 1Kosmos BlockID, you can implement Multi-Factor Authentication (MFA) using frictionless and passwordless authentication methods utilizing some of the most advanced technology available, including:
- Advanced Biometrics: BlockID includes non-falsifiable biometrics and encrypted data in a low-friction and contact-free environment.
- Immutable logs and data records with Blockchain Ecosystem: Our system uses Ethereum blockchain technology to ensure that event logs and information are immutable and verifiable.
- Compliance: BlockID brings employees the level of protection that ensures compliance with NIST 800-63-3 guidelines for IAL and AAL2.
With 1Kosmos BlockID Verify, you can capture and verify identities through a simple and secure mobile app. To learn more, read about BlockID Verify. Also, sign up for the email newsletter to stay up to date on 1Kosmos products and services.