A look at different methods for identity validation and verification, including the pros and cons of each.
For some companies, identity validation and verification is useful. For others, it’s a mandatory part of their KYC process. But there’s more than one way to get the most from your checks.
In this post, we’ll cover the basics, and we will demonstrate why some methods are more effective than others.
Let’s start with a few definitions:
What is Identification?
Identification can come from the customers themselves or from your own system. It’s the information customers provide to your business (by filling in form fields), or the information you collect yourself (IP address, credit card number, etc.).
What About Identity Verification and Validation?
Identity verification and validation both refer to the process during which your company confirms a user’s identity. It ensures the identification process is valid, that there is a real person behind an action, and that they are who they say they are.
It is particularly important in the context of fraud prevention, where flagging false identities is often the best way to reduce damage to your organisation.
Identity authentication happens after identity verification. While ID validation typically only needs to be checked once, customer authentication may be necessary multiple times, for instance if a user logs in from a previously unknown device or location.
A Three-Step Process
To summarise, this is what every business should put in place to confirm identities:
- Identification: gather and log user data at any time.
- Identity verification: confirm that the data is valid, and not stolen or fake.
- Identity Authentication: ensure the verified data is consistent every time the user reappears on your site.
Why Verify Someone’s Identity?
Fraudsters and criminals do their best not to tie their activities to real-world identities.
This is precisely why they create fake profiles before abusing your business, whether they want to default on an online loan, create multiple accounts to abuse your promo system or trigger affiliate rewards.
But more importantly, ID verification is increasingly a regulatory and compliance issue.
While this has long been the case in the world of banking and financial institutions, we’re seeing a more pressing need to perform identity-based authentication in a variety of verticals. This includes online stores, OTAs and payment gateways, to name but a few.
Examples include SCA (strong customer authentication) from the PSD2 directive, and the Patriot Act in the US, which states the minimum requirements for identity verification.
“(2) MINIMUM REQUIREMENTS —The regulations shall, at a minimum, require financial institutions to implement, and customers (after being given adequate notice) to comply with, reasonable procedures for—
(A) verifying the identity of any person seeking to open an account to the extent reasonable and practicable;
(B) maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information.”
US Patriot Act Section 326
What Are the Consequences of Poor Identity Verification and Authentication?
Confirming an identity is the cornerstone of risk management. The more a customer appears legitimate, the less likely they are to commit fraud or cybercrime on your site.
An efficient identity verification process at the login stage results in the same benefits but also improves the chances of catching ATO attacks when fraudsters log into legitimate users’ accounts.
Then there are the large fines issued for lack of KYC compliance or AML (anti-money laundering) checks.
How do You Authenticate Someone?
There are many ways to authenticate a user. You can do so via document verification, biometrics, or multi-factor authentication. These methods serve to identify a user and to approve or decline the authentication depending on the quality of the results.
How Do Companies Verify Identity?
This is where things get interesting. There are broadly four ways you can deploy eKYC or Customer Due Diligence (CDD) at your company, but not all of them are created equal.
The key point to understand is that it’s generally more affordable and easier to scale when you outsource these services to a third-party company. The maintenance is taken care of off-site, which may make life easier for your developers, but may cause data privacy concerns.
Now let’s see what works, what doesn’t and why.
Document and Video Verification
Customers are prompted to submit high-quality images or videos of their real ID documents. These may include driver’s licenses, passports, identity cards, residency permits, or voter ID cards.
Most of the time, a selfie ID must also be submitted alongside other identity verification documents.
Images are then authenticated through a global network of document verification services.
- Friction: high. It is a serious obstacle to users who expect a quick onboarding process or fast transaction.
- Efficiency: mixed. On the one hand, some customers may feel safer when their identities are verified, but fraudsters have no problem fooling the process. They can use a plethora of services that create photoshopped selfies. There are also many stolen ID scans on the dark web. Note that deepfake technology is also making it easier for fraudsters to create videos without someone’s consent.
Biometrics
Biometrics are body measurements that should point to a user’s unique features. These include fingerprints, face ID and voice recognition.
From a legal perspective, many countries have yet to adopt biometric identification as valid, but it’s increasingly becoming commonplace. India, New Zealand, Australia and Pakistan, for instance, now accept biometrics for both identity-based security and identity verification.
- Friction: low. Scanning your fingerprint or iris is much faster than submitting documents or using a password.
- Efficiency: mixed. There can be legal issues, and data privacy is a concern for some users. A false positive (or inaccurate result) can also be frustrating for users and cause spikes in your customer insult rate.
2FA (2-Factor Authentication) and OTP (One Time Password)
2FA (2-Factor Authentication) and OTP (One Time Password) are both forms of multi-factor user authentication, which confirm user identities by linking them with more than one device.
- Friction: medium-high. Most of us are already familiar with failed 2FA attempts and struggling to gather the right device at the right time. It’s not always fast or easy.
- Efficiency: mixed. The rise of SIM-swapping attacks, which see fraudsters gain possession of a user’s phone messages, is seriously hampering the efficiency of 2FA.
Digital Footprint Analysis
The concept of digital footprint for identity proofing differs drastically from the aforementioned methods. Your customers have digital lives, and they need to submit information on your site to onboard, log in or process a transaction.
Why not extract as much information as possible behind the scenes to confirm their identity? While this was a common practice as part of the OSINT (Open Source Intelligence) method, it’s a resource-heavy and time-consuming task.
The answer is automating the process via:
- Reverse email address lookup: check whether the domain is valid, if it’s from a low-friction provider, or if the name appears suspicious.
- Phone number analysis: see if the phone number is valid and in the right country, and use virtual SIM card detection.
- IP analysis: identify spoofing attempts from proxies, VPNs and Tor usage, amongst others. See if the geolocation changes suddenly.
- Device fingerprinting: users who rely on emulators and change their devices too often could be considered high risk – especially during the login identity authentication process.
Last but not least, you can gather social media data linked to the email address and phone number. This is a powerful identity verification tool that lets you gather social media profiles, including bio, avatar and date last seen on the platform.
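The four automated checks listed above (email, phone, IP and device) can be combined into a single set of risk signals per event. The following Python sketch is an added example, not SEON's code or API: the lookup tables, the signal names, the `Event` fields and the thresholds in `decide` are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed lookup data for illustration; production systems use maintained feeds.
LOW_FRICTION_DOMAINS = {"tempmail.example", "throwaway.example"}
ANONYMIZER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # stands in for proxy/VPN/Tor ranges
GEO_NETS = {ipaddress.ip_network("198.51.100.0/24"): "GB", ANONYMIZER_NETS[0]: "NL"}
PHONE_PREFIX_COUNTRY = {"+44": "GB", "+1": "US"}
VIRTUAL_SIM_PREFIXES = ("+4499",)  # constructed prefix, not a real allocation
Event = namedtuple("Event", "email phone ip device_id declared_country")

def ip_country(ip):
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO_NETS.items() if addr in net), None)

def footprint_signals(event, history):
    """Risk signals for one event, given the same user's earlier events (oldest first)."""
    signals = []
    local, _, domain = event.email.rpartition("@")
    if not local or "." not in domain:
        signals.append("email_invalid")
    elif domain.lower() in LOW_FRICTION_DOMAINS:
        signals.append("email_low_friction_domain")
    if not re.fullmatch(r"\+\d{8,15}", event.phone):
        signals.append("phone_invalid")
    else:
        country = next((c for p, c in PHONE_PREFIX_COUNTRY.items()
                        if event.phone.startswith(p)), None)
        if country != event.declared_country:
            signals.append("phone_country_mismatch")
        if event.phone.startswith(VIRTUAL_SIM_PREFIXES):
            signals.append("phone_virtual_sim")
    if any(ipaddress.ip_address(event.ip) in net for net in ANONYMIZER_NETS):
        signals.append("ip_anonymizer")
    if history and ip_country(history[-1].ip) != ip_country(event.ip):
        signals.append("ip_geo_changed")
    devices = {e.device_id for e in history}
    if devices and event.device_id not in devices:
        signals.append("device_new")
    if len(devices | {event.device_id}) > 3:  # assumed churn threshold
        signals.append("device_churn")
    return signals

def decide(signals):  # thresholds are assumptions for this example
    if len(signals) >= 3:
        return "review"
    return "step_up" if signals else "allow"
```

A single signal such as a new device triggers step-up authentication rather than a block, which keeps friction low for legitimate users while still reacting to changes in the footprint.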
ID Verification Done Right
When it comes to identity verification, the more data you have, the better. But it’s always a balancing act between gathering information and adding too much friction.
A slow onboarding process, too many obstacles during a transaction, or a stringent authentication system can increase customer churn, and send your users towards competitors.
At SEON, we believe that digital footprint analysis and reverse social media lookup offer the best of both worlds for your identity-checking process, allowing you to make informed decisions, meet legal requirements, and support a smooth customer journey at the same time.
Jimmy is the CCO of SEON and brings his in-depth experience of fraud-fighting to assist fraud teams everywhere.