Don’t Mix Up Identification with Authentication

Hitoshi Kokumai
Sep 2


‘Identification’ answers the question “Who is this person?”, whereas ‘Authentication’ answers the question “Is this person who they claim to be?” The difference is clear-cut. How was it ever possible to mix up the two?

Someone presumably sowed the seed of confusion decades ago when they came up with a numbers-only short password and called it ‘PIN = Personal Identification Number’ instead of ‘Personal Authentication Number’.

It is like saying “This is a fork called a knife.” Amazingly, cybersecurity people apparently did not argue and were willing to deploy the ‘Personal Identification Number’ as a member of the password family for ‘Identity Authentication’.
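As an added illustration of the distinction drawn above (example code written for this page, not the author's), the following toy directory implements the two questions as two separate functions: `identify` is a 1:N search that turns a presented attribute into a claimed identity, and `authenticate` is a 1:1 check of a secret against the record for that claimed identity only. The usernames, the `face:` template strings standing in for a biometric template, and the PINs are all constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy directory for illustration only (not any real system's data).
# The "face_template" field is a stand-in for a biometric template; a real
# template would be a feature vector matched against a similarity threshold.

PBKDF2_ROUNDS = 50_000  # assumption: modest cost so the example runs quickly


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, stretched hash of a PIN; the PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _enrol(face_template: str, pin: str) -> dict:
    """Create one enrolment record with a fresh random salt."""
    salt = os.urandom(16)
    return {"face_template": face_template, "salt": salt, "pin_hash": _hash_pin(pin, salt)}


# Constructed sample records: two distinct users, plus two users who
# (unrealistically) share an identical template to show an ambiguous match.
USERS = {
    "alice": _enrol("face:A1", "4821"),
    "bob": _enrol("face:B7", "9035"),
    "carol": _enrol("face:C3", "1111"),
    "dave": _enrol("face:C3", "2222"),
}


def identify(face_template: str) -> Optional[str]:
    """Identification: 'Who is this person?'

    A 1:N search across every enrolled record for the presented attribute.
    The result is only a *claim* of identity: nothing here proves that the
    person presenting the template is entitled to the matched account."""
    matches = [name for name, rec in USERS.items() if rec["face_template"] == face_template]
    # An empty or ambiguous match set cannot answer "who"; report no identity.
    return matches[0] if len(matches) == 1 else None


def authenticate(claimed_username: str, pin: str) -> bool:
    """Authentication: 'Is this person who they claim to be?'

    A 1:1 check of a presented secret against the record for the claimed
    identity only. The PIN is verified here, against one account, which is
    why it is an authentication factor and not an identification factor."""
    rec = USERS.get(claimed_username)
    if rec is None:
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"])


def login(face_template: str, pin: str) -> Optional[str]:
    """Identification produces the claim; authentication tests it.

    Returns the username only when both steps succeed."""
    claimed = identify(face_template)
    if claimed is None:
        return None
    return claimed if authenticate(claimed, pin) else None


if __name__ == "__main__":
    print(identify("face:A1"))            # alice
    print(identify("face:C3"))            # None: two records match, so "who" is unanswered
    print(authenticate("alice", "4821"))  # True
    print(login("face:A1", "0000"))       # None: identified, but not authenticated
```

Note that `identify` never consults the PIN and `authenticate` never searches the directory; each function answers exactly one of the two questions, and a successful identification on its own grants nothing.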

This happened many years before I jumped into the world of identity assurance. Although I was aware of its absurdity, it was no longer possible for me to do anything to change the situation.

Nowadays, logic-literate people, who are clearly aware of the difference between what is necessary for identification and what is necessary for authentication, seem to be a minority among identity and cybersecurity professionals.

It’s especially hard to find such logic-literate professionals among the people who promote biometrics for authentication and biometrics-dependent passwordless authentication schemes, with big tech firms like GAFAM included.

Most alarmingly, ‘Cybersecurity Gurus’ are often found to be mixing up the identification factors with authentication factors.

Besides this ‘identification vs authentication’ problem, there are many more issues on which logic-illiterate cybersecurity professionals are not just misguided but are misguiding the public, as summarised here: “What We Know for Certain about Authentication Factors”.

As you may have noted, ‘what we know for certain’ does not necessarily mean ‘what security-illiterate, science-illiterate and logic-illiterate cybersecurity professionals and Gurus know for certain’.
