4

I am reading The Basics of Information Security, 2nd. Ed., Andress, Jason.

He says on p.25, "Identity verification is a step beyond identification, but it is still a step short of authentication, which we will discuss in the next section." He then goes on to mention that even if documents proving who one is are presented, that is only "verification" and not "authentication." Okay, but he never discusses "verification" again in detail.

On p.26 he says that, "Authentication is, in an information security sense, the set of methods we use to establish a claim of identity that has been made is correct." Okay great.

On p.31, he says, "When we complete an authentication transaction with a biometric identifier, we are essentially asking the user to provide evidence that he or she is who he or she claims to be; this is, by definition, verification, and not authentication." Now I am lost.

I have researched more on the difference between "verification" and "authentication," but just don't know where the crucial, and I assume subtle, difference is.

I know that there are two types of biometric authentication, verification that the data matches the data of the person that the presenter says he is, and identification, where an attempted match is tried against all entries in the biometric database.

How can presenting pre-enrolled biometric info be anything other than authentication?

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Raw_Input
  • 143
  • 1
  • 4
  • 1
    Not an exact duplicate since you request further clarification on how the biometric authentication fits into all of this, but you might find the [Terminology: authentication vs verification](http://security.stackexchange.com/q/36737/20074) thread helpful nonetheless. As for the tag system, you require a certain reputation to create new ones, but you can use up to five of any others that are already in use. That's simply to prevent tag mess. If you're of such strong conviction that a new tag should be added, flag something for moderator's attention or stop by in our [chat] when you reach 20+ rep points. – TildalWave Sep 19 '14 at 03:58

2 Answers

1

Verification is the act of proving your identity. Authentication is the act of proving you are the same person as before, without necessarily knowing who that person is.

re: Biometrics, I think the confusion comes down to the nature of biometrics. A username/password (something you know) says nothing about who you are. The same is true of a hardware token (something you have).

The author of the book you are reading is of the opinion that since biometrics are something you are, they are indistinguishable from a verification event.

This is not always the case for at least two reasons:

1. The biometric you present will be compared to the pre-enrolled biometric. This says nothing about who you are, only that you are the same person as was present at enrollment.
2. The data stored for a biometric may be less than that required for a verification event. If the system fails to identify you it can't just go and get extra samples, which you could if you were performing a verification.

Consider the use of biometrics to protect the privacy of data. A system might take a biometric to protect data that you have entered so it is only shown to you when you return. If this system does not tie the biometric to an identity through a verification process, the biometric is just as much an authentication factor as a password issued for the same process.

DodgyG33za
  • 765
  • 3
  • 6
  • 1
    Your answer is in contradiction with those on [the link posted by TidalWave](http://security.stackexchange.com/questions/36737/terminology-authentication-vs-verification) and my own interpretation, and it is not backed up by any evidence. Can you please clarify it and back it up? – Steve Dodier-Lazaro Sep 22 '14 at 12:12
  • If it turns out your interpretation is correct I can then safely proceed to deleting my own answer :-) – Steve Dodier-Lazaro Sep 22 '14 at 12:31
1

My answer is purely speculative, based on my own interpretation and would need some form of validation. I don't know any authoritative source that answers the question and I may very well myself be making mistakes. Some help from the SE community is greatly appreciated. So far the following sources seem to concur with my interpretation:

I believe what is meant is that you can verify a user's alleged identity (i.e. the auth factors provided are correct and correspond to someone) without believing that this identity is authentic (the factors may be forged or stolen).

The authorisation process

First you provide some information that informs a system of your identity. At this point, if this identity corresponds to one of the service's users, then you are identified. The identity then needs to be verified, usually by means of authentication factors which are assumed to belong exclusively to the person of the aforementioned identity. You must then provide these factors.

A system may verify that these factors are correct (you provide the factors that were stored along with the identity you claim) but believe that they are not authentic -- because they're forgeable or easy to steal and reuse or because of other cues.

Once you have authenticated, you are certain that a remote end holds an authentic characteristic (in the case you discuss, an authentic identity, but it could be verifying a characteristic relevant to authorisation, e.g. that a token is not forged but "semantically valid"). The next step would logically be authorisation, which decides whether the authentic characteristics grant a privilege.

Some more speculating

In operation, does it make sense to assume that verified factors are not authentic? In a closed-loop system which does not take any external cues into account, no: why would you accept factors if you believe they can be forged or stolen easily?

However, some authentication systems such as Google Mail's will use information such as your IP address, browser user-agent and where you usually connect from as implicit authentication factors which complement your password and/or PIN (the explicit ones). If the implicit factors do not match, Google may believe your correct explicit factors may not be authentic and may refuse to authenticate you.

The discussion made by the author seems to point towards the idea that biometrics are less authentic a factor than knowledge-based factors. This is an opinion which I will not discuss. :-)

Steve Dodier-Lazaro
  • 6,798
  • 29
  • 45
  • Thank you for the very well thought out and detailed answer. I selected DodgyG33za's answer only because I could not select two answers. Both answers gave me good insight on the differences and how to think about them. Thanks. – Raw_Input Sep 22 '14 at 16:20
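As an added illustration of the chain the second answer lays out (identification, verification of explicit factors, an authentication decision that also weighs implicit factors, then authorisation), here is a small Python model. It is not code from the answers or from the book; the user record, the home network range, the user-agent string and the privilege policy are constructed sample data, and SHA-256 stands in for a real password KDF.

```python
"""Toy model of identification -> verification -> authentication -> authorisation.
'verified' means the presented explicit factor matches what is stored for the
claimed identity; 'authenticated' additionally requires that the implicit
factors (source IP, user-agent) do not contradict that claim."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


def _digest(secret: str) -> str:
    # Stand-in for a proper password KDF (constructed example only).
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed user store: identity -> stored factor digest, usual context, role.
USERS = {
    "alice": {"pw": _digest("correct horse"), "home_net": "203.0.113.0/24",
              "ua": "Firefox", "role": "reader"},
}
# Constructed policy: which roles are granted which privilege.
POLICY = {"read": {"reader", "admin"}, "delete": {"admin"}}


@dataclass
class Outcome:
    identified: bool
    verified: bool
    authenticated: bool
    authorised: bool
    reason: str


def verify_explicit(user: str, password: str) -> bool:
    # Constant-time comparison of the stored and presented factor digests.
    return hmac.compare_digest(USERS[user]["pw"], _digest(password))


def implicit_consistent(user: str, src_ip: str, ua: str) -> bool:
    rec = USERS[user]
    in_home = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rec["home_net"])
    return in_home and ua == rec["ua"]


def login(user: str, password: str, src_ip: str, ua: str, privilege: str) -> Outcome:
    if user not in USERS:                      # identification failed
        return Outcome(False, False, False, False, "unknown identity")
    if not verify_explicit(user, password):    # explicit factor does not match
        return Outcome(True, False, False, False, "factor mismatch")
    if not implicit_consistent(user, src_ip, ua):
        # Factors verified, yet the claim is not treated as authentic.
        return Outcome(True, True, False, False, "verified, implicit factors disagree")
    granted = USERS[user]["role"] in POLICY.get(privilege, set())
    return Outcome(True, True, True, granted, "authenticated")
```

The third branch is the state the answer describes: the explicit factor is correct, so the identity is verified, but authentication is withheld because the context does not fit.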