Identification vs Authentication - How Well Do You Know Your Employees?

Your business has certain security practices in place. You have a lock on the front door. You use passcodes to enter certain rooms in your building or to access data on your computers. You secure these in one of two ways.

Identification involves isolating one individual from a group. It occurs when someone or something analyzes an individual’s characteristics and compares them to a select group. The question becomes: Do I know you?

Authentication, also called verification, involves ensuring that a person is who he or she claims to be. It occurs when an individual claims identity by presenting a code, a card, a fingerprint, or facial recognition. It asks the question: Are you who you claim to be?

Biometrics is quickly becoming the standard for both the identification and authentication process. Biometrics is defined as automated methods of recognizing a person based on physiological or behavioral characteristics. Biometrics can include many types of tests, including face, fingerprint, handwriting, retina, vein, and voice.

In many cases, the two words are used interchangeably. But the fact is they are very different processes. And while biometrics is very good at authentication, it has a much more difficult time with the identification process.

Let’s imagine for a minute that your building requires security to enter. With authentication, a person may need a keycard or a passcode; once the information is entered, they are free to move forward. Identification takes the next step in security. It may look at the passcode or keycard and pull up records of who you claim to be, but it needs an extra verification process to ensure it is true. It may require facial recognition to be built into your card, or a fingerprint check from a database kept on file.

Because biometric systems rely on templates, there is, of course, a margin of error inherent in the system. These errors are called Type I and Type II Errors, or False Rejection Rates (FRR) and False Acceptance Rates (FAR).

FRR is the frequency with which an authorized person is found to be unauthorized by the system. FAR is the frequency with which an unauthorized person is deemed to be matched by the system. Obviously, there is more risk involved with giving someone access when they shouldn’t have it, which makes FAR data much more critical. FRR and FAR trade off against one another: when one is lowered, the other will rise. It’s a balancing act depending on your business and what you prefer.
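The trade-off between FRR and FAR, and the reason a one-to-many identification search is harder than a one-to-one authentication check, can be worked through in a few lines. This is an added example, not part of the original article: the match scores are constructed, the function names are hypothetical, and the one-to-many estimate assumes every comparison is independent with the same per-comparison FAR.

```python
# Constructed similarity scores in [0, 1]; higher means a closer template match.
GENUINE = [0.91, 0.84, 0.78, 0.95, 0.66, 0.88, 0.73, 0.58, 0.90, 0.81]   # same person
IMPOSTOR = [0.22, 0.35, 0.48, 0.61, 0.15, 0.40, 0.70, 0.29, 0.52, 0.33]  # different person


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when a score >= threshold is accepted as a match."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(thresholds):
    """(threshold, FRR, FAR) per threshold: FRR climbs as FAR is pushed down."""
    return [(t, *error_rates(t)) for t in thresholds]


def threshold_for_far(max_far, thresholds):
    """Lowest threshold whose FAR fits the budget, plus the FRR it costs."""
    for t in sorted(thresholds):
        frr, far = error_rates(t)
        if far <= max_far:
            return t, frr
    return None  # no threshold on the grid meets the FAR budget


def identification_false_match(far, enrolled):
    """Chance a 1:N search falsely matches at least one of `enrolled` templates.

    Assumption: comparisons are independent and share one per-comparison FAR.
    """
    return 1 - (1 - far) ** enrolled


if __name__ == "__main__":
    grid = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8]
    for t, frr, far in sweep(grid):
        print(f"threshold={t:.1f}  FRR={frr:.0%}  FAR={far:.0%}")
    print("FAR budget 10% ->", threshold_for_far(0.10, grid))
    for n in (1, 100, 10_000):
        p = identification_false_match(0.001, n)
        print(f"1:{n} search at FAR=0.1% -> {p:.2%} chance of a false match")
```

At a per-comparison FAR of 0.1%, a single authentication check is rarely fooled, while a search against 10,000 enrolled templates almost always returns at least one false match, so an identification system needs a far stricter threshold and pays for it in FRR.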

Have you built biometrics into your security processes?