Often, when people think about biometrics-based access management and security, they think of two different words: Identification and verification. However, when it comes to actually implementing and using access control systems and setting up a security infrastructure that deploys biometrics, they often confuse these terms and how they apply to their security needs. It can be easy to be confused by the difference between identifying a user and verifying them, but it’s an important distinction that’s necessary for optimizing access management.
Who Are You?
The key difference between identifying someone and verifying them is that identification is asking “who are you?” In biometrics terms, this known as 1-to-n matching. You’re taking the individual and comparing their biometrics to a database of possible identities in order to match them and discover their identity. This is how law enforcement and border control often uses biometrics – scanning a latent print or pulling someone’s fingerprint and running it against a database to see if it matches against a previously captured print.
Identifying someone with their biometrics in this way is very useful in many instances, but not in the average enterprise use case. When using biometrics for access control at a bank or hospital, you don’t need to identify the user, you need to see if they are who they say they are.
Are You… You?
Verification, on the other hand, is the process of asking “are you who you say you are?” Proving your identity. This is the actual basis of access management and biometrics-based security. Whether deploying biometrics in a mobile banking app or setting up a biometric multi-factor authentication system for accessing a secure server, the user will be claiming the identity of someone already known to the system. This is known as 1-to-1 matching in biometrics. I already know who you claim to be, I just need to verify that it’s true.
The best example of this is how we use biometrics with modern smartphones. Every time you use your fingerprint to unlock your smartphone, you’re verifying that it’s you against the fingerprint you previously scanned. It’s distinctly different from identifying you based on your fingerprint, and the distinction is important for security.