You’re fed up with fraud and tired of customer complaints, but you don’t want to invest in expensive, clumsy, and time-consuming manual processes that test the patience of your tech-savvy customers. Online identity verification seems to be the way forward, but you’re not sure which direction to take. There are the tried and tested methods that have been around for years, and the new kids on the block making bold claims. Who to choose, and why? We take a look at three big-hitters of the identity verification and authentication world to see how they stack up against each other.
Knowledge-Based Authentication (KBA)
The simple premise of KBA is that a user is asked questions that only he or she knows the answers to, thereby proving their identity. Static KBA, used for re-authentication, asks questions that the user defined when signing up. Dynamic KBA asks random real-time questions drawn from public and private databases such as credit agencies. Because the personally identifiable information (PII) is “secret” and the questions are not pre-determined, companies can use this protocol to verify identities during new customer onboarding. When due care is taken in selecting the types of questions, with adequate historical depth and from secure sources, KBA is seen as a robust method.
However, as illustrated by the many publicized data breaches and hacks of ‘secure’ databases in recent years, your private information is only as safe as the houses storing it. From the Equifax breach of 2017, where the sensitive PII of 143 million Americans was accessed, to the mind-boggling 3 billion Yahoo accounts that were exposed in 2013, these incidents raise the question of how secure this verification method is. If these centralized databases, honeypots for the modern hacker, are at risk and potentially hacked, your once secure business will have a systemic breach.
Two-Factor Authentication
Two-factor authentication asks you to prove access to an owned device, account, or token. It is a widely used protocol, most commonly applied to re-authentication. An example is providing a code from a secondary authentication token or fob which only you have access to, and which can also be password protected. But there is the question of convenience. What if you don’t have your token on you, or have perhaps lost it, or forgotten its password? As a smooth and friction-free process, these can prove less than ideal and at worst frustrating.
The most common method for both re-authentication and new customer identity verification is the SMS protocol. Here, users are asked to provide their mobile telephone number, to which the business, through partnerships with mobile operators or third parties, sends a verification code via SMS. Entering the code proves you are holding the telephone, own the telephone account and can be linked to the underlying credentials. The method is easy to integrate and easy to use. It is also becoming one of the least secure. The method simply hasn’t evolved as fast as hackers’ ability to spoof SIM cards or intercept the encrypted messages. The risks with SMS verification even moved the National Institute of Standards and Technology (NIST) in the US to recommend it be used less.
Digital Identity Verification
And so to the upstarts of the industry – digital identity verification. With advancements in machine learning, AI and computer vision, this field has sprung onto the scene with much fanfare. The key difference with this solution is that it doesn’t rely on any third party but instead goes straight to the source and verifies the person themselves. The capabilities are most powerful for the trickier new customer onboarding use case, but can also be used for re-authentication.
Through the eyes of mobile and desktop cameras, the meticulously trained software verifies the authenticity of government-approved ID documents, checking for forgery attempts and, in the more advanced solutions, the presence of security features. As a next step, these solutions compare the ID photo with a video selfie, complete with a liveness check to protect against fraudsters wearing a mask or simply holding up a photo. There are no databases to hack and no authentication codes to intercept; it’s a real-time shoot-out between smart tech and old-school fraud, where the fraudster needs to pass the double gauntlet of ID and identity authentication.
Some feel that asking for a selfie is too invasive, or too personal. Put that to the selfie-stick-wielding generation of today – have no doubt, millennials take to this like a duck to water. Not to forget, the selfie component alone is often enough to scare off the lower tier of fraudsters. Other detractors say that the technology has a long way to go, and fraudsters will catch up. However, being part of the highly invested AI and machine learning disciplines gives it a long development runway and the potential to continuously improve. Even if it does have some way to go, it is already enabling new capabilities – to securely verify the identity of new customers without needing them to be physically present, thereby driving leaner business models and faster time to revenue generation. That’s not a bad start.