Traditional businesses are taking their operations fully digital, and newer all-digital businesses are growing. Both groups need to onboard new users to their services remotely. But they also need to monitor the risks to their platform as their user base increases.
In the past, we’ve seen a few different ways to verify an online user’s identity. None of them are perfect. Most of them aren’t even fit for purpose. Geographical reach, user experience and fraud prevention exist in a balance. Industry best practice is to layer a number of solutions to build a comprehensive solution, but this only further highlights the difficulty in balancing security and growth.
At the same time, the way businesses manage their customer relationships is changing. Customers expect more services to be available remotely, with less friction. This means that identity verification is no longer just a check conducted at sign-up, it’s part of a wider identity access management lifecycle.
This report looks at identity in three ways:
3. National identity card
4. Residence permit
5. Voter identification document
When using government-issued IDs for identity verification, it’s important to consider that forgery is common. Detecting misrepresentation of the user and other types of fraud is key. Also, there’s no single global schema for a consistent ID format, so processing these documents needs deep expertise, especially when doing so globally. Finally, since documents are physical artifacts, using them in a digital flow requires some form of capture (scanning or photographing) and image analysis.
Biometrics are the unique traits of the human body which can be used as personal identifiers. The most common biometrics include fingerprints, retina scans, facial traits and voice patterns.
A biometric by itself isn’t enough for an initial identity verification. That is, unless the user’s biometrics were previously captured and registered to a trusted identity. So they’re used as a second factor to authenticate a returning user as the account holder, or to confirm true ownership of other identity credentials.
Some of the other considerations for using biometrics include spoofing (masks, digitizers or other technological cheating), data storage and sensitivities around surveillance.
Phones and phone numbers
Our phones have become extensions of our lives. To some degree, they are a trusted extension of a person’s identity. This is especially true when many of us keep our phone number when replacing phones.
The phone itself is able to provide a fairly rich set of identifying data. This is a way to identify the user, as long as the user still owns the phone. It’s relatively common in many fraud risk engines within the advertising ecosystem, but it’s falling under increased privacy scrutiny by privacy regulators.
While this is a popular method, it is open to vulnerabilities such as porting scams, device theft, device ID spoofing/reset and more.
Email, social network and instant messaging identities
Much like our mobile identity, our online identity is an important part of our full identity. It can be the source of some fairly reliable components, including:
1. Email addresses
2. Instant messaging profiles
3. Social networks
4. Professional networks
Ultimately though, social networks are considered lower-assurance identity systems. They were designed for casual social interactions used repeatedly over a period of time, not for out-of-the-box, instant use in high-risk transactions.
These are systems that house data: data previously collected and verified as part of a registration system. They can be private databases run by for-profit companies, or public databases run by governments. Examples of private databases include credit bureaus and telephone directories. Examples of public databases include government identifiers (Social Security, tax or voter numbers) or the DMV that houses Driver’s License data and numbers.
When using databases for identity verification, it’s important to consider the cost of access, the fact that historical data breaches will have compromised the data trustworthiness and whether the data can be used commercially under current privacy regulations.
KBAs (Knowledge-based authentication)
Knowledge-based questions work on the assumption that only the person being asked knows the answer to the questions being asked.
They are frequently derived from financial information, which is problematic for the same reasons as databases. A huge amount of this data has been compromised, and could be available to fraudsters.
So to be truly effective they need to be very specific, which means a poor experience for users, who will not immediately be able to remember the answers to strong questions, like ‘what was the interest rate on your mortgage in June 2005?’.
A successful customer identity and access management (CIAM) system is at the heart of any good business-customer relationship. That’s because the lifecycle of a customer involves many different interactions, each driven by different needs and at different stages in the relationship.
Historically, identity verification might have been seen as a step completed at registration and then forgotten about. But as products and services become ever more digital, the identity lifecycle has grown. There are multiple moments in an ongoing customer relationship where identity verification provides security. These are typically high-risk moments: for example, if a customer wants to recover their account, or make a high-value transaction.
Document and biometric verification bring higher security, whilst empowering customers to self-serve and enjoy greater access with less friction. That’s because using document and biometric verification at account creation forges an anchor of trust. This anchor can then tie a user back to an account later in their identity lifecycle.
At moments of risk, a user can re-authenticate by providing a selfie. The facial biometrics in that selfie can then be matched against the identity document originally provided to create the account. If they match, the business then has a high degree of certainty that the interaction is genuine, not fraudulent. So they won’t need to introduce higher-friction (and lower-security) solutions such as KBAs or call centres, or quick but more easily compromised ones like SMS or email two-factor verification.
What does this look like in practice?
Below you can see how trust is maintained across an identity lifecycle using two different approaches:
1. User Onboarding
User onboarding is a meeting point of risk and opportunity. It’s one of the best places to catch identity fraud, but it’s also an easy way to lose customers to drop-off if your UX has too much friction.
Digital identity verification lets you anchor an identity to the user’s account, preventing identity fraud at sign-up and also later in the customer lifecycle.
And a seamless digital experience utilising technology like OCR autofill (where data is extracted from a document, and used to prepopulate sign-up forms) can help get your users through the door, first time round, wherever they are in the world.
2. User Verification
Verified profile schemes help you catch bad actors on your platform and enable genuine users to elevate their status, with a visual flag such as a blue tick or verified badge. This, in turn, builds trust and gives customers more confidence in your services.
The key is understanding when to ask for additional information so it’s least cumbersome for customers.
This doesn’t have to happen at onboarding. You could create an opt-in only verified profile, or verify users’ profiles before they start buying or selling.
3. KYC and AML
Being compliant and knowing your customer’s identity are linked, which can cause issues for businesses who acquire customers remotely.
You need a risk-based solution that fits your wider plan to address KYC and AML regulations. You could use a document-first onboarding process to supplement traditional credit data checks, so that only users who don’t match traditional data sources need to perform an additional document or biometric check. Or you could replace credit data checks altogether, and have all users perform a biometric step at onboarding to confirm their identity.
4. Age Verification
Regulations around age-restricted commerce are complex and constantly changing. A pop-up screen that asks if a website visitor is over 18, or over 21, does not qualify as age verification and is no longer enough to prove due diligence.
Air-tight age verification processes start with knowing your user’s identity, not just what they self-report on a checkbox. This can mean adding a step at onboarding, point of purchase or other key moments, to digitally extract date of birth from a government-issued ID.
5. Chargeback Prevention
Identity verification at checkout can help prevent chargebacks before they happen. By combining it with other signals and only triggering verification for risky transactions, it can be used to prevent fraud without inconveniencing trusted customers. It gives you effective prevention, with fewer abandoned carts.
6. High-risk moments
There are certain high-risk moments in a customer relationship where identity verification can provide needed assurance.
For example, if a user has forgotten their account credentials, some form of verification should take place to re-authenticate them before re-granting access.
Similarly, if a user is completing a high-value transaction or a transaction that is outside of their usual behaviour, like accessing their account from a new country or device, re-authentication can help both parties feel assured the transaction is not fraudulent.
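The risk-triggered step-up described under chargeback prevention and high-risk moments can be expressed as a small policy: compare an event against the user’s behavioural baseline, and only ask for a selfie match against the onboarding document when a risk signal is present. This is an added illustration, not code from the report; the signal names, the `UserBaseline`/`Event` fields and the 5x "high-value" threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass
class UserBaseline:
    known_devices: set        # device IDs seen on previous successful sessions
    usual_countries: set      # countries the user normally transacts from
    typical_amount: float     # e.g. rolling median of past transaction amounts
    has_identity_anchor: bool # document + selfie captured at onboarding

@dataclass
class Event:
    kind: str                 # "transaction", "login" or "account_recovery"
    amount: float = 0.0
    device_id: str = ""
    country: str = ""

HIGH_VALUE_MULTIPLIER = 5.0   # assumed threshold relative to the user's typical amount

def risk_signals(ev: Event, base: UserBaseline) -> list:
    """Return the risk signals the report names that apply to this event."""
    signals = []
    if ev.kind == "account_recovery":            # forgotten credentials
        signals.append("credential_recovery")
    if ev.device_id and ev.device_id not in base.known_devices:
        signals.append("new_device")
    if ev.country and ev.country not in base.usual_countries:
        signals.append("new_country")
    if ev.kind == "transaction" and ev.amount > HIGH_VALUE_MULTIPLIER * base.typical_amount:
        signals.append("high_value")
    return signals

def decide(ev: Event, base: UserBaseline) -> tuple:
    """Decide whether to allow the event as-is or require a step-up check.

    "step_up_selfie": match a fresh selfie against the document captured at
    onboarding (the anchor of trust). "step_up_document": no anchor exists yet,
    so capture document + selfie now before proceeding.
    """
    signals = risk_signals(ev, base)
    if not signals:
        return "allow", signals               # trusted customer, no added friction
    if base.has_identity_anchor:
        return "step_up_selfie", signals
    return "step_up_document", signals
```

Trusted, in-pattern transactions pass without friction; only events carrying one of the listed signals trigger the biometric re-authentication.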