Biometrics vs. the wallet: The future of authentication
By Dr. Heinrich Grave, Senior Vice President Digital Identity at IDnow
Authentication, identification and authorization – these three terms are constantly encountered by users in a digitized world and are often used to mean the same thing. In reality, however, the similar-sounding terms hide three processes that perform three completely different tasks in everyday digital life.
The three processes of authentication, identification and authorization are currently receiving more attention than ever as a result of the planned changes to the eIDAS regulation (electronic Identification, Authentication and trust Services).
This is because the European Commission is promoting a Digital Identity Wallet (EUDI Wallet) as part of eIDAS 2.0. This is intended to enable all citizens of the EU to identify and authenticate themselves digitally – as the name of the regulation suggests. It is therefore worth taking a look at the different meanings of the terms and the current and future possibilities for digital authentication.
Identification is typically the first step in a digital customer journey. It takes place, for example, when the user first registers with a platform, an online service or a company. Here the user is identified, in other words the service establishes who they are and verifies that claim.
This is often done by means of a user name or a personalized email address, together with the first and last name and the address. Depending on the use case or the required level of assurance, identification can also require additional evidence. In highly regulated finance, for example, verification of an identity document, a credit card, or a small reference transaction from an account in the user's name may be required.
Passwords for authentication are long outdated
Once the user has been successfully identified, a form of authentication is usually set up the first time the user logs on. A password is still often used for this purpose, even though it has long been considered inadequate on its own: passwords are reused across services, guessed, phished and leaked in breaches.
This authentication method is required for every future access to the system or service and saves the user from having to identify themselves again and again. In other words, the user proves that they are the same person who was identified at the identification stage.
Authorization is the third and final step. Once the user is correctly identified and authenticated, the system decides which rights they are granted and checks those rights on each access. Authorization is most visible in corporate environments, where employees are usually assigned only the rights and privileges for resources that they actually need (principle of least privilege).
Digital authentication by token or biometric data
Since authorization is largely invisible to end users, especially in view of the eIDAS 2.0 regulation, it is particularly worth taking a closer look at authentication and developments in this area.
In principle, three factors can be used for successful authentication in the digital space:
- What a user knows: the now “traditional” approach via a password, PIN or security question.
- What a user possesses: a (security) token or a cryptographic key held on a device. The token is a physical object and can take the form of a smart card or a USB token; a smartphone running an authenticator app also falls into this category.
- What a user is: biometric data, such as fingerprints or face scans, which the major smartphone manufacturers already use for unlocking their devices.
These three factors can be used independently of each other but can also be combined. Authentication that combines factors from at least two different categories, for example a token with a PIN or a password, is known as multifactor authentication (MFA). Two factors from the same category, such as a password plus a security question, do not count as MFA.
Two-factor authentication (2FA), which is also often mentioned, is the special case of MFA with exactly two factors. MFA is generally considered to be more secure than authentication using only one knowledge-based factor, although not all second factors are equal: a one-time code sent by SMS or shown in an app can be phished and relayed in real time, whereas a cryptographic token whose response is bound to the service's origin (FIDO2, for example) resists that attack.
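As an added example (not code from the article or from IDnow), the following Go program shows the classic MFA pairing of a knowledge factor with a possession factor: a salted password hash plus a time-based one-time password (TOTP, RFC 6238) generated from a seed shared with the user's authenticator app. The user record, the password and the seed are constructed demo data (the seed is the RFC 4226 test vector, not a real secret), and PBKDF2 stands in for a proper password hash only because it is available in the standard library. Two details a practitioner wants are included: an accepted OTP step is recorded so the same code cannot be replayed, and one step of clock drift is tolerated either side.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const pbkdf2Iterations, totpStep = 100000, 30 // totpStep in seconds (RFC 6238 default)

// pbkdf2Sha256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF. A dedicated
// password hash (argon2id, bcrypt) is preferable; PBKDF2 is used here for self-containment.
func pbkdf2Sha256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// hotp computes a 6-digit HOTP value (RFC 4226) for one counter value.
// TOTP (RFC 6238) is HOTP with counter = unixTime / totpStep.
func hotp(seed []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return code % 1000000
}

// User is a constructed server-side record: a salted password hash (what the user
// knows) and the seed of the user's TOTP app (what the user possesses).
type User struct {
	Salt        []byte
	PasswordKey []byte
	TOTPSeed    []byte
	LastCounter uint64 // highest TOTP step already accepted; blocks replay
}

func NewUser(password string, totpSeed []byte) *User {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	key := pbkdf2Sha256([]byte(password), salt, pbkdf2Iterations, 32)
	return &User{Salt: salt, PasswordKey: key, TOTPSeed: totpSeed}
}

// checkTOTP tolerates one step of clock drift either side but never accepts a step
// at or below the last one used: each one-time code is single use.
func (u *User) checkTOTP(code uint32, now time.Time) bool {
	step := uint64(now.Unix()) / totpStep
	for _, c := range []uint64{step - 1, step, step + 1} {
		if c > u.LastCounter && hotp(u.TOTPSeed, c) == code {
			u.LastCounter = c
			return true
		}
	}
	return false
}

// Login succeeds only when both factors are correct.
func (u *User) Login(password string, code uint32, now time.Time) bool {
	key := pbkdf2Sha256([]byte(password), u.Salt, pbkdf2Iterations, 32)
	if subtle.ConstantTimeCompare(key, u.PasswordKey) != 1 {
		return false
	}
	return u.checkTOTP(code, now)
}

func main() {
	seed := []byte("12345678901234567890") // RFC 4226 test seed, not a real secret
	u := NewUser("correct horse battery staple", seed)
	now := time.Now()
	code := hotp(seed, uint64(now.Unix())/totpStep) // what the user's app displays
	fmt.Println("fresh OTP:", u.Login("correct horse battery staple", code, now))
	fmt.Println("replayed: ", u.Login("correct horse battery staple", code, now))
}
```

The replay check matters more than it looks: an OTP that has been phished is typically used by the attacker within the same 30-second window, so a server that only checks "is this code valid right now" will accept the stolen code even after the legitimate user has already used it.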
Passwordless authentication vs. MFA
In the discourse around MFA, the term “passwordless authentication” often comes up and is often mistakenly used to mean the same thing, since both concepts move away from the password as the sole line of defence. The two are different, however. In common usage MFA means a password plus at least one further factor: the second factor is layered on top of password-based authentication, and the password remains a secret that the server has to store and that the user can still be phished for.
Passwordless authentication, on the other hand, removes the password entirely. In practice the user's fingerprint or face does not replace the password directly: it unlocks a cryptographic key held on the user's device, and the service verifies a signature made with that key (the approach taken by FIDO2/WebAuthn). The biometric template never leaves the device, and the server stores only a public key. A local PIN may still be used to unlock the key, but unlike a password it is never sent to the server. This makes authentication convenient and fast for the user, and since the key can only be used from that device, such a scheme combines possession and inherence.
Biometric authentication is therefore considered by many to be the technology of the future, an impression reinforced by futuristic-looking concepts such as the iris scan.
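As an added example (not the article's or any vendor's code), the following Go program models the passwordless pattern described above: the device holds a P-256 private key, the simulated biometric match only unlocks local use of that key, and the server stores nothing but the public key and checks a signature over a fresh challenge and the origin the client actually visited. The message format, the Authenticator and RelyingParty types and the origins are constructed for this example and are a simplification of WebAuthn, not its wire format. The phishing case at the end shows why origin binding matters: a look-alike site can relay the real challenge, but the resulting signature does not verify for the real origin.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key is generated on the device
// and never leaves it; the fingerprint or face match (simulated by Unlock) only gates
// local use of the key. No biometric data is ever sent anywhere.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

// Unlock records the outcome of the local biometric (or device PIN) check.
func (a *Authenticator) Unlock(userVerified bool) { a.unlocked = userVerified }

// Sign answers a challenge. The origin the client is actually talking to is part of
// the signed message; that binding is what makes the scheme phishing resistant.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("user verification failed")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(origin, challenge))
}

// signedMessage is the constructed format used in this example (a simplification of
// WebAuthn's client data): SHA-256(len(origin) || origin || challenge).
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(len(origin))})
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the server. It stores only public keys, so a breach of its
// database yields nothing an attacker could log in with.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh random nonce that is valid for exactly one attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify checks that the challenge is the one issued and still unused, that the origin
// reported by the client is this server, and that the signature is valid under the
// registered public key. Any attempt, successful or not, consumes the challenge.
func (rp *RelyingParty) Verify(user, clientOrigin string, challenge, sig []byte) bool {
	expected, issued := rp.pending[user]
	delete(rp.pending, user)
	pub := rp.pubKeys[user]
	if pub == nil || !issued || !bytes.Equal(expected, challenge) || clientOrigin != rp.Origin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(clientOrigin, challenge), sig)
}

func main() {
	rp := NewRelyingParty("https://bank.example")
	auth := NewAuthenticator()
	rp.Register("alice", &auth.priv.PublicKey)
	auth.Unlock(true) // the local fingerprint matched
	ch := rp.Challenge("alice")
	sig, _ := auth.Sign(rp.Origin, ch)
	fmt.Println("genuine login:", rp.Verify("alice", rp.Origin, ch, sig))
	// Phishing: a look-alike site relays the real challenge to the victim, whose client
	// signs it for the look-alike origin, so the relayed assertion fails verification.
	ch = rp.Challenge("alice")
	sig, _ = auth.Sign("https://bank-login.example", ch)
	fmt.Println("relayed by phisher:", rp.Verify("alice", rp.Origin, ch, sig))
}
```

Compare this with the OTP flow: an OTP is a bearer value that is valid for whoever presents it within the time window, whereas the signature here is only meaningful for the origin and challenge it was computed over, so relaying it to the real service buys the attacker nothing.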
Biometrics or identity wallet? Or both?
The other revolutionary development in this area is that of identity wallets, which are also being promoted by the EU. The updated digital identity regulation and the ongoing development of EUDI Wallets are expected to enable authentication for many more online transactions.
To create the identity wallet on the smartphone, the user is identified once, for example via the NFC chip of their ID card or via a video identification process. Once this initial onboarding is successfully completed, the verified identity data is stored in the wallet and the wallet can be used for authentication. The user then unlocks the wallet with a biometric, like a fingerprint or facial recognition, to quickly and easily present the already verified identity to new services or platforms. As with passwordless login, the biometric stays on the device: the relying party receives the identity data or a proof derived from it, never the fingerprint itself.
Biometric factors and identity wallets therefore will be closely intertwined in the future to enable users to easily and securely identify themselves online.
About the author
Dr. Heinrich Grave is Senior Vice President Digital Identity at IDnow.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.