A look at different methods for identity validation and verification, including the pros and cons of each.

For some companies, Identity validation and identity verification are merely useful. For others, it’s a mandatory part of their KYC process. But there’s more than one way to get the most from your checks.

In this post, we’ll cover the basics, and we will demonstrate why some methods are more effective than others.

Let’s start with a few definitions:

What About Identity Verification and Validation?

Identity verification and validation both refer to the process during which your company confirms a user’s identity. It ensures the identification process is valid, that there is a real person behind an action, and that they are who they say they are.

It is particularly important in the context of fraud prevention, where flagging false identities is often the best way to reduce damage to your organisation. 

And Authentication?

Identity authentication happens after verification. While ID validation typically only needs to be checked once, customer authentication may be necessary multiple times. For instance, if a user logs in from a previously unknown device or location.

A Three-Step Process

To summarise, this is what every business should put in place to confirm identities:

1. Identification: gather and log user data at any time.
2. Identity verification: confirm that the data is valid, not stolen, or fake.
3. Identity Authentication: ensure the verified data is consistent every time the user reappears on your site.

Why Verify Someone’s Identity?

Fraudsters and criminals do their best not to tie their activities to real-world identities. 

This is precisely why they create fake profiles before abusing your business, whether they want to default on an online loan, create multiple accounts to abuse your promo system or trigger affiliate rewards.

But more importantly, ID verification is increasingly a regulatory and compliance issue. 

While this has long been the case in the world of banking and financial institutions, we’re seeing a more pressing need to perform identity-based authentication in a variety of verticals. This includes online stores, OTAs and payment gateways, to name but a few.

An example includes SCA (strong customer authentication) from the PSD2 directive, or the Patriot Act in the US, which states the minimum requirements for identity verification services.

“(2) MINIMUM REQUIREMENTS —The regulations shall, at a minimum, require financial institutions to implement, and customers (after being given adequate notice) to comply with, reasonable procedures for—

(A) verifying the identity of any person seeking to open an account to the extent reasonable and practicable;

(B) maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information.”

US Patriot Act Section 326

What Are the Consequences of Poor Identity Verification and Authentication?

Confirming an identity is the cornerstone of risk management. The more a customer appears legitimate, the less likely they are to commit fraud or cybercrime on your site.

An efficient identity verification process at the login stage results in the same benefits but also improves the chances of catching ATO attacks when fraudsters log into legitimate users’ accounts.

Then there are the large fines issued for lack of KYC compliance or AML (anti money laundering) checks.

How do You Authenticate Someone?

There are many trusted solutions available to authenticate a user. You can do so via secure document verification, biometrics, or multi-factor authentication. These methods serve as identifying a user and approving or declining the action depending on the quality of the data sources results.

How Do Companies Verify Identity?

This is where things get interesting. There are broadly four solutions you can deploy for eKYC or Customer Due Diligence (CDD) at your company, but not all of them are created equal.

The key point to understand is that it’s generally more affordable and easier to scale when you outsource these services to a third party company. The maintenance is taken care of off-site, which may make life easier for your developers, but may cause data privacy concerns.

Now let’s see which solutions work, which solutions don’t, and let’s try to understand why.

Document and Video Verification

Customers are prompted to submit high-quality images or videos of their real ID documents. These may include driver’s licenses, passports, identity cards, residency permits, or voter ID cards.

Most of the time, a selfie ID must also be submitted alongside other verification documents. 

Images are then authenticated through a global network of document verification services. 

• Friction: high. It is a serious obstacle to those who expect a quick user onboarding process or fast transaction.
• Efficiency: mixed. On the one hand, some customers may feel safer when their online identity is verified, but fraudsters have no problem fooling the process. They can use a plethora of services that create photoshopped selfies. There are many Stolen ID scans also on the dark web. Note that deep fake technology is also making it easier for fraudsters to create videos without someone’s consent.

Biometrics

Biometrics are body measurements that should point to a user’s unique features. These include fingerprints, face ID and voice recognition. 

From a legal perspective, many countries have yet to adopt biometrics identification as valid, but it’s increasingly becoming commonplace. India, New Zealand, Australia and Pakistan, for instance, now accept biometrics for both identity-based security and identity verification methods.

• Friction: low. Scanning your fingerprint or Iris is much faster than submitting documents or using a password.
• Efficiency: mixed. There can be legal issues, and data privacy is a concern for some users. A false positive (or inaccurate result) can also be frustrating for users and cause spikes in your customer insult rate.

2FA (2-Factor Authentication) and OTP (One Time Password)

2FA, or 2 Factor Authentication and OTP (One Time Password) are both forms of multi-factor user authentication which confirm user identities by linking them with more than one device. 

• Friction: medium-high. Most of us are already familiar with failed 2FA attempts and struggling to gather the right device at the right time. It’s not always fast or easy.
• Efficiency: mixed. The rise of SIM-swapping attacks, which sees fraudsters gain possession of a user’s phone messages, is seriously hampering the efficiency of 2FA. 

Digital Footprint Analysis

The concept of digital footprint for identity proofing differs drastically from the aforementioned methods. Your customers have digital lives, and they need to submit information on your site to onboard, log in or process a transaction. 

Why not extract as much information as possible behind the scenes to confirm their identity? While this was a common practice as part of the OSINT (Open Source Intelligence) method, it’s a resource-heavy and time-consuming task.