What is user identification?
Is the person logging in Sarah, who lives in Montana and has been a user on the account since 2016, or is it a fraudster in another country who gained access to Sarah’s account through a data breach leak?
Online user identification is when users are identified to be who they say they are through established processes on a website. (For example, knowing that Sarah is Sarah in the above example.) This can be accomplished in various ways, such as requiring a password or other credentials, multiple stages of identification, and even by analyzing browser attributes with browser fingerprinting technology.
Why is user identification important?
User identification is essential for any software requiring users to log in to access the product. Authentication is necessary to confirm that the person logging in is the legitimate account holder and not someone else attempting to gain access. Most importantly, user identification helps protect personal information from being accessed by unauthorized individuals, which helps prevent fraud or abuse.
It is also vital for user identification to ensure that the system is secure and private. For example, most online banking services require two-factor authentication, so only approved users can access sensitive information. There are laws in many countries requiring financial institutions to KYC or know your customer. Without proper authentication, malicious visitors could easily gain access to private accounts which could lead to situations such as data breaches, credit card chargebacks, and legal consequences.
Let’s discuss how user identification differs from verification, the pros and cons of a few common user identification methods, and how crafting a robust identification process can protect against fraud and build trust with users.
User Identification vs. User Verification
Before we dive into common user identification methods, let’s define the differences between verification and identification. As mentioned above, online user identification recognizes and verifies the user’s identity (For example, logging in with a username and password). Online user verification, however, more thoroughly verifies identity by confirming personal information such as name, address, date of birth, and phone number. These pieces of PII (personally identifiable information) generally require explicit user input and opt-in to collect these. We’ll be focusing on methods of identification rather than verification.
Three Common User Identification Methods
Identification by Username and Password
With the rise of phishing attacks and password breaches, relying on username and password as the only method of identification leaves a significant opportunity for fraudsters to take advantage of a less secure login page. This can sometimes occur as a dedicated credential stuffing attack when automated login attempts using usernames and passwords are obtained from elsewhere on the internet. In that case, a login page is used to test credentials that may or may not work on the targeted site.
With growing concerns around the security of usernames and passwords, the idea of a passwordless future is becoming more and more appealing. In a recent blog post, we examined how organizations can embrace passwordless authentication for secure user access. We discussed how companies could use technologies like biometrics and digital certificates to verify identity without relying on passwords and strategies for securely linking passwords with other authentication methods. We also advised implementing passwordless solutions in an effort to provide a seamless customer experience.
While usernames and passwords can be an excellent introductory step in the user login process, they shouldn’t be the sole method of identification when building a user identification model.
Utilizing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
Two-factor authentication (2FA) is a security measure organizations use to prevent unauthorized access to user accounts. One type of 2FA is SMS-based, which requires users to enter a one-time passcode sent to their phone via text message. This type of authentication can be convenient and secure if it is set up correctly.
Multi-factor authentication (MFA) is a similar security measure to 2FA and is also used by organizations to prevent unauthorized access. The key difference here is the MFA methods require at least two forms of authentication, if not more.
A few methods that, when combined, can be used to authenticate users using 2FA or MFA include:
- A password
- A PIN code
- An SMS-based text message to a specific phone number
- A USB key
- An authentication application such as Google Authenticator
- Biometrics, such as facial recognition or fingerprint verification
One of the most common 2FA methods is SMS-based authentication. However, there are downsides to relying solely on a 2FA or MFA method in some cases. One example is the growing risk of SIM swapping in cell phones which poses a considerable security risk to SMS-based authentication methods. SIM swapping is a type of fraud when a fraudster successfully convinces a mobile carrier to transfer another user’s phone number to a new SIM card in the hands of the fraudster. This can have several snowballing effects, including gaining access to accounts with SMS 2FA implemented.
Generally, you want to combine a few of these methods and make sure at least one falls into each of the following categories:
- Something you know (ex., password).
- Something you have (ex., cellphone).
- Something you are (ex., facial recognition).
We’ll discuss why this is important a little later in this article.
Single Sign-On (SSO) and SAML (Security Assertion Markup Language) Authentication
Single sign-on (SSO) and SAML methods of software login processes can be an effective way to identify individual users accurately. They are part of an organization’s identity and access management (IAM) process and are crucial to ensure user and access security. By using SSO or SAML SSO, users gain access to multiple software applications through a single source. A well-known example of this is Google SSO, which many organizations offer for its employees and users as a streamlined and secure way of accessing software.
Using SSO or SAML as a method of multi-step user authentication can have many benefits in addition to a secure IAM process, including a streamlined login process for the user by saving the user and the organization time and money. This is done by removing the need to remember passwords, and when passwords are not recognized correctly, there is no longer a need to increase the IT burden to issue password or account resets.
However, SAML and SSO can lead to weaknesses and vulnerabilities due to faulty access control policies or failure to validate users. In an article by WorkOS, they looked at some of the common SAML vulnerabilities and possible mistakes organizations can make when utilizing SAML SSO. This can expose companies to significant security risks and allow hackers to bypass the authentication process and gain administrative rights to the system, like in this one example from 2020. It also recommends regularly testing SAML applications, only allowing specific protocols to be used in certain environments, and periodically rotating keys.
Why you shouldn’t rely on only one user identification method
Online user identification is increasingly essential in any business’s security strategy. Even more so, additional authentication is required by some standardized security certifications. For example, SOC 2 certification requires organizations to enforce an MFA user authentication method. By verifying users through multiple ways, businesses can ensure that only legitimate and trusted individuals are allowed access to their systems.
However, a reliance on just one method of identification can leave companies vulnerable to attack and fraud. For example, if passwords are the only form of authentication used, attackers may be able to enact an automated credential stuffing attack and gain access to confidential data. Similarly, using more than one type of single sign-on mechanism may provide more protection from hackers attempting to reuse credentials across multiple accounts.
Using various identification techniques such as passwords, multi-factor authentication, and single-sign-on or other methods provides an additional layer of security. This helps protect sensitive information but also helps prevent unauthorized access or malicious activities from outside parties.
To maximize online user security, businesses must implement a comprehensive mix of identification strategies, including passwords, two-factor authentication, biometrics, and machine learning algorithms. Following the framework, we mentioned earlier around something you know, own, and can help create strong levels of protection and help mitigate the threat posed by malicious actors.
How Device Identification Can Help
We understand that implementing multiple steps to a user’s experience can create friction for the user, even with the organization’s best intentions. This is where user identification solutions that aren’t visible to the user can help bridge the gap between secure login methods and vulnerable login methods. Using highly accurate device identification platforms, such as Fingerprint, for user verification provides several benefits over traditional methods, such as username and password combinations or email confirmation links.
One of the benefits is that it is much harder to fake a browser fingerprint, part of a device’s identity, than other credentials. Secondly, device identifiers are always up-to-date and do not require manual maintenance or renewal like passwords. Highly-accurate device identifiers also do not suffer from identifier drift and remain accurate for months. Lastly, sophisticated device identification models can provide advanced levels of security by allowing access only to those with compatible and expected devices or operating systems.