As the world continues to become more digital, accurately verifying that users are actually who they say they are is becoming increasingly important.
Unfortunately, identity verification can be challenging and requires a delicate balance if you want to deter fraud while still allowing legitimate users to easily access your service.
At Persona, we partner with some of the world’s largest companies, including Postmates, Square, Coursera, and Sonder, to solve their identity needs. Over the years, we’ve learned a lot and wanted to dig into the three main challenges of identity verification we see businesses face — along with how to solve them.
Challenge #1: More data breaches and sophisticated fraud technology
Every day, fraud is becoming more common. In fact, 49 million consumers fell victim to identity fraud in 2020, with total losses of $56 billion. Because of this, it’s easier than ever to find and access personal information online. Unsurprisingly, businesses can no longer solely rely on something like a Social Security number (SSN) to verify identity, as over 70% of SSNs have been leaked.
Technology also plays a role here. While companies used to be able to simply ask for passwords or ID cards, these methods in isolation aren’t enough to accurately verify identities, as fraudsters can use bots to perform hundreds of account takeovers a second and Photoshop to forge official documents. Even selfies aren’t a foolproof verification option, as bad actors can use deepfake software to create realistic photos and videos that can fool even a sophisticated computer.
Solution: Adopting a flexible and adaptable digital identity verification solution
As data breaches become more and more common and fraud techniques grow increasingly sophisticated, companies grow more susceptible to fraud.
While it might not be possible to avoid fraud completely, the key to mitigating it is using a flexible identity platform that allows your business to catch bad actors quickly and evolve to better deter, detect, and deny fraud.
Identity verification isn’t one-size-fits-all. It should consider the user context and customize verification for each individual — including those involved in a data breach. If someone’s personal information was leaked, it doesn’t make sense to verify them the same way as someone not affected by a data breach, as the risk is higher.
Staying on top of fraud is like riding a wave — it’s all about adjusting to the current and the environment around you. Regulations, fraud techniques, industries, and use cases are changing faster than ever. If you don’t want to wipe out, you need an agile identity verification solution that gives you the flexibility to instantly adapt all aspects of a verification flow — from the look and feel to the number and types of verification methods, how many times users can attempt verification, and more.
Challenge #2: Identity is fragmented and quickly evolving
Identity verification is also difficult because identity itself is more complex than ever. If you ask yourself what it means to be you, the answer will most likely involve a lot of factors that exist in the real world, such as your appearance and personality. The real challenge is bringing this offline identity to the online world, where we can’t rely on these innate traits that make it easy to identify a person during an in-person transaction.
Solution: Taking a holistic approach to identity verification
To replace these in-person signals and determine if the person behind the screen is truly who they say they are offline, it’s essential to take a holistic approach to identity verification. Unlike traditional approaches to identity verification, this involves taking into account multiple signals, including:
- Active signals: Signals provided by the individual, such as their name, SSN, government ID, selfie, and identifying documents
- Passive signals: Data pulled in about the individual, such as their IP address and device or browser fingerprint
- Behavioral data: Signals such as hesitation detection, distraction events, and whether the individual uses developer tools, copy/paste, or autofill
- Third-party data: Signals pulled in the background from official lists, such as watchlists, phone risk reports, adverse media reports, and PEP lists
While a traditional approach to IDV might be sufficient for lower-security situations, businesses that rely on trust, such as those that deal with PII and financial transactions, need a better approach to identity verification to both stay compliant and establish secure spaces on the internet.
Taking a holistic approach can be more effective because it doesn’t rely on a single verification data point, such as an SSN or government ID, which are easily stolen. Even additional authentication methods, such as complex passwords, knowledge-based questions, and 2FA, aren’t infallible, as hackers are getting more sophisticated and consistently finding loopholes.
Additionally, taking a holistic approach could help you verify more users. Relying on one single type of verification could turn away good users. For example, if you only accept SSNs, you may lose out on turning new Americans into customers. If you only accept driver’s licenses, you automatically rule out around 16% of Americans who may have a different (but just as legitimate) form of ID, such as a state ID card.
As your business empowers more people to make transactions online, you might be working with higher-risk groups that are harder to verify: people with a thin credit history, fewer available records, or even low-quality cameras. Looking at multiple signals allows you to provide alternative ways to verify customers and be more inclusive. For example, Branch serves workers who are blocked by traditional KYC methods because of their limited financial histories. With Persona, that’s not an issue. “We can now seamlessly run step-up verifications for our customers who would otherwise fail KYC verification, increasing conversion and reducing drop-off from legitimate customers,” they share.
Challenge #3: Identity verification requires a delicate balance
If you’re too lenient during identity verification, you risk letting in fraudsters who can damage your business and harm your users. But if you’re too strict, your subpar user experience can stop real users from accessing your service, resulting in low conversion rates and hurting business growth.
Solution: Using progressive risk segmentation to balance verification and user needs
As mentioned earlier, taking a holistic approach to identity verification can help you accurately verify more users. However, introducing additional verification methods can also create more friction for users and increase your financial and operational burden.
Fortunately, risk management and conversion optimization aren’t enemies — they’re simply two ends of a seesaw. The secret is finding the right balance between these two at the right time — not so strict that you lose good customers, but not so lenient that you let in bad actors. And the key to finding this balance is using progressive risk segmentation.
What is progressive risk segmentation?
Progressive risk segmentation is a strategy that helps you balance fraud prevention with user experience by segmenting individuals based on signals that occur in real time and adjusting the level of identity verification based on the riskiness of the interaction.
With traditional verification methods, each user completes the same steps, no matter how risky the transaction, meaning that your user experience is always going to be a fixed compromise between risk and conversion.
In contrast, progressive risk segmentation allows you to incorporate “dynamic friction” and modify a user’s experience based on signals it receives during the verification process. By leveraging the risk segments you’ve created and establishing a logic to sort users into these segments, you can use different methods to complete verification as required.
This means you can introduce a higher level of friction by requiring additional verification methods specifically when signals indicate that a transaction is risky — instead of blindly applying friction to all users. For example, if an individual’s IP address is very far from the residential address on their government ID or utility bill, this could be a risk signal, and you can ask them to submit a selfie to help confirm it’s actually them.
Meanwhile, an everyday transaction, such as a one-time low-value transfer, should have very little friction since the risk level is pretty small, allowing individuals to convert quickly and easily. This creates a better user experience, as they only have to submit the minimum needed for their specific situation.
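To make the segmentation logic concrete, here is a small sketch added for illustration; it is not Persona's code or API. It scores a session from the signal types listed earlier and returns the verification steps for its segment. The field names, weights, thresholds, and step names are all assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Session:  # hypothetical field names, one per signal type in the article
    ip_latlon: Optional[Tuple[float, float]]  # passive: geolocated IP, None if unknown
    id_latlon: Tuple[float, float]            # active: address on the government ID
    used_devtools: bool = False               # behavioral
    pasted_fields: int = 0                    # behavioral
    watchlist_hit: bool = False               # third-party
    amount_usd: float = 0.0                   # transaction context

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_score(s):
    """Additive score; every weight and threshold here is an assumed value."""
    score = 0
    if s.ip_latlon is None:
        score += 1  # a missing signal adds risk; it must never reduce friction
    elif km_between(s.ip_latlon, s.id_latlon) > 500:
        score += 2  # IP far from the address on the ID
    score += 1 if s.used_devtools else 0
    score += 1 if s.pasted_fields >= 3 else 0
    score += 1 if s.amount_usd >= 1000 else 0
    return score

def required_steps(s):
    """Return (segment, verification steps) for one session."""
    score = risk_score(s)
    if s.watchlist_hit or score >= 4:  # a list hit overrides any low score
        return "high", ["government_id", "selfie", "manual_review"]
    if score >= 2:
        return "medium", ["government_id", "selfie"]
    return "low", ["government_id"]

# Constructed sample sessions (coordinates: San Francisco, Oakland, New York).
SF, OAK, NYC = (37.77, -122.42), (37.80, -122.27), (40.71, -74.01)
NEARBY_SMALL = Session(ip_latlon=OAK, id_latlon=SF, amount_usd=20)
FAR_SMALL = Session(ip_latlon=NYC, id_latlon=SF, amount_usd=20)
FAR_SCRIPTED = Session(ip_latlon=NYC, id_latlon=SF, used_devtools=True,
                       pasted_fields=4, amount_usd=5000)
LISTED = Session(ip_latlon=OAK, id_latlon=SF, watchlist_hit=True)
```

The watchlist check is a hard override rather than one more weight, so a session that otherwise looks clean cannot score its way past a list hit.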
How can businesses implement progressive risk segmentation?
Download our free guide to learn how to implement progressive risk segmentation at your business and find the best balance between fraud prevention and user experience.
Persona as an adaptable, holistic, and automated solution
With Persona’s identity infrastructure, weeding out fraud, accurately verifying users, and optimizing conversions no longer need to come at a cost to the end-user experience or create additional operational burden. Our solution is:
- Flexible: Get the building blocks you need to personalize your identity experience based on your industry, use case, risk appetite, regulatory need, customer base, and more.
- Holistic: We offer an extensive suite of verification components as well as a wide range of reports and signals you can mix and match to truly understand each user.
- Automated: Streamline your identity processes by automating dynamic verification decisions based on real-time signals with Dynamic Flow.
Identity verification is complicated. Learn how Persona can help tackle your biggest identity challenges by reaching out to your CSM or getting in touch with our team at firstname.lastname@example.org.