Data breaches and identity theft are critical concerns for most organizations today. According to data from the Identity Theft Resource Center (ITRC), the number of data breaches reported in the first three quarters of 2021 was 17% higher than the total recorded for all of 2020.
The ITRC also expects identity fraud to continue to rise through 2022 as attackers look to compromise payment apps, digital wallets, peer-to-peer services, and more. In addition, many malicious actors are now looking for ways to compromise companies rather than individuals and gain access to larger volumes of identity data.
As a result, it’s more important than ever for businesses to know who they’re dealing with each time they interact with a customer. To accomplish this goal, two approaches work in tandem: identity verification and identity authentication.
Here’s a look at how each approach works, where they differ, and what role they play in building consumer trust.
What is identity verification?
Identity verification (IDV) is the process of confirming that users are who they say they are. Verification can look different depending on the industry, use case, company, and user — for example, one company might have users submit their date of birth and SSN during onboarding, while another might ask users to submit a photo of their driver's license and take a selfie to confirm their identity.
Online identity verification is growing increasingly common thanks to advances in secure data capture and processing technologies. With online identity verification (IDV) solutions, companies can verify customers in a variety of ways, from collecting and verifying digital documents, such as government IDs or businesses licenses, to verifying PII against authoritative databases or having users take a selfie.
What are the most common ways to verify identity?
To verify identities, businesses rely on a variety of signals — pieces of information that help determine if an individual is who they say they are. Common signal types include:
- Active signals: These are signals provided by the individual, such as their name, SSN, government ID, selfie, and identifying documents.
- Passive signals: Passive signals include data pulled in about the individual, such as their IP address and device or browser fingerprint.
- Behavioral signals: Signals tied to behavior include hesitation and distraction events, and whether the individual uses developer tools, copy/paste, or autofill.
- Third-party signals: Third-party signals are pulled in the background from official lists, such as watchlists, phone risk reports, adverse media reports, and politically exposed persons (PEP) lists.
How to use identity verification for your business
If you’re considering implementing identity verification for your business, you’ve got a lot of options to choose from. Some of the most commonly-used IDV methods include:
- Government ID verification: Government ID verification usually requires the user to upload a photo of their ID — such as a driver’s license, passport, or other ID — which is then verified. It is often paired with other verification methods, such as database and selfie verification.
- Digital ID verification: As IDs become increasingly digitized, some businesses are choosing to leverage digital ID verification by accepting mobile driver’s licenses (MDLs), e-passports, and other NFC-enabled IDs. These provide users with more choice and can remove friction from the verification process.
- Document verification: Document verification allows you to collect additional documents other than government-issued IDs, which can be used to verify a user’s address, income, employment history, business documents, and more.
- Database verification: Database verification allows you to compare user-supplied information against authoritative databases, such as those managed by the DMV and IRS.
- Selfie verification: Selfie verification involves requiring a user to submit one or multiple selfies. These selfies are then compared against the photo in a government-issued ID to ensure a match. It’s often used to combat identity theft.
- and more
How does the identity verification process work?
First, businesses must pinpoint key moments that require identity verification, such as when users want to open an account, withdraw funds, or change account information. Then, they ask users to provide proof of their identity and use this information to determine whether the individual is actually who they say they are. Finally, they can use this information to make calculated, risk-based decisions.
What are the top benefits of automated ID verification?
Key benefits of automated identity verification include:
Increased customer confidence
Robust IDV processes help boost customer confidence in business processes. If customers know that in-depth verification is required for all new accounts or high-value transactions, they also know the company is taking steps to reduce the chance of account takeover fraud or identity theft, in turn making them more confident that their personal information and assets are secure.
Digital identity verification solutions make it quick and easy for customers to submit their documents for approval — what used to take days or months can now be accomplished in a matter of seconds, increasing conversions and providing a better user experience.
Reliable regulatory compliance
Both Know Your Customer (KYC) and anti-money laundering (AML) regulations require companies to verify user identities. Failure to do so could result in sanctions or substantial fines, even if the oversight was accidental. Comprehensive IDV can help ensure regulatory obligations are met.
Reliable verification means reduced risk. By leveraging solutions that check against authoritative data sources, such as the IRS and Telco, businesses are better able to assess potential risk and make informed decisions.
Are there specific regulations or standards for identity verification?
Unfortunately, there is no single standard for identity verification that will apply in all cases. (That would make things too easy!) The reality is that IDV requirements can vary significantly depending on a variety of factors, such as:
- The industry a business operates within: Businesses in certain industries may be subject to different laws and regulations around identity verification. Financial institutions, for example, must comply with AML and KYC requirements, while online marketplaces must comply with verification requirements found in the INFORM Act and other laws. Federal agencies (and some businesses working with federal agencies) are subject to NIST Special Report 800-63-3, which defines the requirements for implementing IDV.
- The specific jurisdictions a business operates within: Different jurisdictions have their own laws and regulations in place, some of which may have identity verification requirements. While these laws may be comparable from state to state or country to country, they may not be, and it’s important to understand and comply with the regulations in each jurisdiction in which your business operates.
- The age of a business’s customers: Businesses dealing with certain age-restricted products (such as alcohol, tobacco, gambling, adult entertainment, etc.) are subject to regulations specifically aimed at age verification.
- The unique risks that a business is exposed to: Not all businesses are exposed to the same types or levels of risk. And yet, these risk profiles are essential in informing the verification methods that a business implements.
What is identity authentication?
Identity authentication is the process of determining if users should have access to specific actions or services.
What are the most common ways to authenticate customers?
There are four main methods businesses use to authenticate customers:
Despite reports of their demise, passwords remain alive and well. Usernames or email addresses combined with passwords remain popular for single-factor authentication.
Two-factor authentication (2FA)
2FA adds an additional factor to authentication. This often takes the form of a unique code generated and sent via SMS or an authentication app when a user attempts to log in. Users must provide their username, password, and 2FA code for access.
Knowledge-based authentication (KBA)
KBA asks users to provide answers to “secret” questions that were created when they first set up their account, and is used in combination with other authentication techniques. Familiar questions include the names of pets or mothers’ maiden names — ideally, KBA answers should be easy to remember but not easy to guess.
Biometric authentication uses fingerprints, voice recognition, or iris scans to confirm user identity. For example, unlocking a phone or laptop with a fingerprint. Note: Persona does not offer biometric authentication.
What value does authentication offer for businesses?
By comparing provided factors against initial data used to create the account, businesses can reduce the risk of account takeovers and identity fraud.
Authentication also streamlines the process for customers, making it easier for them to access accounts or conduct transactions without compromising security. For example, single sign-on (SSO) solutions allow users to remember a single set of credentials that provide access to multiple accounts.
Put simply, improved authentication processes can help boost customer satisfaction, in turn making them less likely to seek out other companies for key transactions.
Verification vs. authentication: a comparison
Identity verification and authentication play a similar role in confirming user identity. Let’s break down how they compare across three key areas:
The intent of identity assessment
Verification looks to confirm who customers are by leveraging signals to prove their identity. Authentication, meanwhile, looks to determine if customers should have access to specific services or data.
The type of data collected
Verification typically focuses on bringing offline identities online. To do this, companies usually look at data that proves individuals’ physical identity, such as government IDs or selfies. With authentication, on the other hand, businesses are less concerned about proving identities and more concerned about ensuring it’s the same person logging in each time. As such, this method often relies on information that doesn’t necessarily connect with the individual’s true identity, such as passwords, knowledge-based answers, or 2FA codes.
The frequency of collection
Verification and authentication can both occur when users make accounts or conduct their first transaction, or when users want to access accounts or services with a business they’ve engaged with before. The type and frequency of collection depend on multiple factors, such as the company’s use cases and risk tolerance, along with applicable compliance regulations.
The role of ID verification and authentication in building trust
While identity verification and authentication are necessary for organizations to ensure regulatory compliance, they also play a role in building trust, in turn setting the stage for long-term customer relationships.
If customers are confident in your verification and authentication process, they’re more likely to trust your organization with personal, financial, legal, or medical data. Deploying solutions capable of quickly and accurately verifying user data, meanwhile, makes individuals more likely to complete the onboarding process and continue working with you in the future.
What’s next for identity verification?
The future of identity verification is digital. With customers now willing to share digital identity documents with companies capable of effectively defending their data — and many governments testing the waters with IDs such as digital drivers’ licenses and ID cards — online verification and authentication tools are becoming commonplace.
But it doesn't stop there. The next generation of digital ID verification and authentication tools will also leverage additional details such as user location and typical behaviors to more effectively confirm ID, and incorporate advanced algorithms to deliver real-time verification results.
Enhance your identity verification processes with customizable, no-code building blocks and workflows from Persona.