For the purposes of this specification, identification typically involves the collection of data and a determination of who a user is from a database of users, while authentication typically involves the use of data to confirm that a user is who they present themselves to be (i.e. to verify a user's identity).
Identification and/or authentication of a user identity is an essential step in accessing many secure services or devices, such as banking, stored personal details or other restricted data. This identification and/or authentication is usually achieved by the use of passwords or personal identification numbers (PINs), which are usually assumed to be known only by the authorised user or users of a service or device.
However, knowledge of a user's password or PIN is enough for an unauthorised third party to gain access to the service or device. Additional layers of security or improved security are therefore required to reduce the risk of passwords and PINs being used by unauthorised third parties.
Adding further security measures to the authentication process usually requires a trade-off between the increased level of security and the degradation of the user experience.