difference between verifying and authenticating


I was just in a meeting where our compliance team was saying there’s a difference between verification and authentication but I can’t figure out what the difference is. Can someone explain it?


Imagine you’re meeting a new friend online. Verifying would be like checking if the person’s profile picture looks like the one they show you. It helps make sure they are who they say they are.

Authentication, on the other hand, is like asking them for a secret code that only they know. If they provide the correct code, it means they are the real friend, not someone pretending to be them.

So, verifying is about checking the surface details, while authentication is about confirming their identity with something only they know.

Authentication answers the question: “Who are they?”

Verification answers the question: “Is what they told you true/correct/accurate?”

As an example: My password authenticates me to Reddit, and allows me to post and comment. By providing my username and password, Reddit knows that my posts and comments should be credited to me. Reddit is interested in knowing “who is making the post/comment”.

To be roasted by r/RoastMe though, they require verification that you consent to be roasted. To do this, they require you to take a picture holding up a slip of paper with “r/RoastMe” written on it. In this case, they don’t particularly care whether you are the person in the picture (they’re not trying to authenticate), they want to verify that the person in the picture consents to be roasted.

E: expanded on authentication a bit

According to the Oxford English Dictionary:

**verify**: make sure or demonstrate that (something) is true, accurate, or justified.
[LAW] swear to or support (a statement) by affidavit.

**authenticate**: prove or show (something) to be true, genuine, or valid.
[COMPUTING] (of a user or process) have one’s identity verified.

Using IF statements:
Verify – IF (X = TRUE)
Authenticate – IF (X = Y)

Authentication is just an extended form of verification.

You used to be able to “verify” users by looking for a blue check mark – but in order to authenticate you might need a password, the phone or email used to create the account, etc. (think 2FA)

The compliance team almost certainly has some kind of main document that explains what they do – maybe a Procedure or Plan document. This ought to include their definition of these 2 words.

Find that doc and read their definitions. It’s the only way to be certain of the exact usage at your company.

But if the context is user accounts and cyber security, it is probably:


**Verification**

– during account setup

– is the information the user is providing **true**

– (“verify” comes from the Latin word for “truth”)

– e.g. post a security code to their address or have them input a credit card linked to that address


**Authentication**

– each time they log in

– do they have the “**authority**” to log into this account?

– (the 2 words aren’t actually related, but it’s a good way to remember the definition)

– e.g. memorable questions, code-generating apps or gadgets

Couple of sample links from a quick Google:

– [identity verification and authentication](https://www.gbgplc.com/en/blog/identity-verification-vs-authentication/)

– [validation, verification and authentication](https://www.experian.co.uk/blogs/latest-thinking/fraud-prevention/what-is-the-difference-between-validation-verification-and-authentication/?utm_medium=internalRef&utm_source=Consumer%20Services)

– this is why you want to check your own company’s documentation – this source splits the concepts across 3 words..!
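
The account-setup check and the per-login check from the answer above, side by side, as an added example that is not part of the original thread. The `Account` class, its method names and the PBKDF2 settings are hypothetical; the code-generating app is modelled as RFC 6238 TOTP, which is one common choice rather than the only one.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the value a code-generating app displays."""
    counter = struct.pack(">Q", max(unix_time, 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    # Assumed parameters for the illustration, not a recommendation from the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:  # hypothetical model of one user account
    def __init__(self, claimed_address: str, password: str):
        self.claimed_address = claimed_address
        self.address_verified = False            # a fact about the claim, set once
        self._mailed_code = None
        self._salt = secrets.token_bytes(16)
        self._pw = pw_hash(password, self._salt)
        self.totp_secret = secrets.token_bytes(20)   # shared with the user's app

    # Verification: at setup, is the information the user provided true?
    def mail_code(self) -> str:
        self._mailed_code = f"{secrets.randbelow(10**6):06d}"
        return self._mailed_code                 # would be posted to claimed_address

    def verify_address(self, code: str) -> bool:
        ok = self._mailed_code is not None and hmac.compare_digest(
            code.encode(), self._mailed_code.encode())
        if ok:                                   # the mailed code is single use
            self.address_verified, self._mailed_code = True, None
        return ok

    # Authentication: at each login, is this the account holder?
    def authenticate(self, password: str, otp: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(pw_hash(password, self._salt), self._pw)
        otp_ok = any(hmac.compare_digest(otp.encode(),
                                         totp(self.totp_secret, now + d).encode())
                     for d in (-30, 0, 30))      # tolerate one step of clock drift
        return pw_ok and otp_ok
```

The two results are independent: `authenticate` can succeed while `address_verified` is still false, and a verified address says nothing about who is logging in today.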