I’ve gotten a lot of value from my alma maters’ alumni portals. There are career development resources, coaching sessions, library access, webinars, and free software subscriptions — just to name a few. But admittedly, they’re not resources I use every week, and I don’t always remember my password.
At some schools, resetting passwords and unlocking accounts can be a manual process that requires reviewing emailed copies of identity documents or hopping on video calls and asking to see copies of identity documents. That might be a slight nuisance for an alumnus. But it’s a much bigger one for current students and faculty, especially when IT departments are only available during regular business hours.
The ongoing requests are also eating up the IT department’s time, keeping staff from working on more strategic digital transformation projects. To manage long queues of locked-out students, staff, and alumni, some schools have hired additional employees focused on manual account recovery. As requests can ebb and flow, an online identity verification (IDV) process could be a more cost-effective and efficient solution.
What’s leading to an increase in account recovery requests?
The two primary drivers of increased password reset and account recovery requests aren’t inherently bad for universities:
- Increased enrollment: A 2023 report from Best Colleges found that almost half of school administrators surveyed said their schools are increasing spending for online programs. And over half of students took at least one online course during Fall 2022. Online courses, certificates, and degrees can give the school a new revenue stream, but high enrollment rates also result in more student and alumni accounts to manage.
- Good password practices: Faculty, alumni, and students may use unique and hard-to-remember passwords for their many online accounts. Although it’s encouraging to see people embrace security, they may be more likely to forget their passwords if they’re not using a password manager.
There could also be cases of account takeover fraud, when a bad actor attempts to reset the password and take over the account of a student, alumnus, or faculty member.
Attackers might use the account’s single sign-on access to break into other accounts, or gather personal information from the account that they can use for other schemes. It’s worth being mindful of this threat, but it doesn't appear to be a widespread issue at the moment.
Online identity verification can streamline account recovery
For the most part, we’ve all become accustomed to easily and safely verifying our identities online, especially when it comes to something as simple as identity authentication for resetting an account password. But in some cases, it’s easier to get back into your online bank account than a student or alumni portal.
Colleges and universities may be able to automate account recovery processes by incorporating online IDV checks. For example, when a user attempts to reset their password, you might prompt them to start a:
- Government ID verification: One of the first steps is generally asking the user to upload a picture of an official identity card, such as a government-issued ID. Data is extracted from the ID to help ensure it’s legitimate, unedited, and current.
- Selfie verification: Selfie identity verification requires the user to upload one or several selfies, or a short video, to compare their face with the image from the uploaded ID. Liveness detection and image analysis can help catch AI-generated selfies and other types of deception.
- Digital ID verification: Some states are issuing mobile driver’s licenses (mDLs) as a government-issued form of electronic identification. These can help reduce errors during IDV, such as when someone has trouble taking a clear image. And they may offer higher levels of assurance as a form of government ID verification, since users generally need to use FaceID or a fingerprint scan to access their mDL.
These types of identity verification require input from users. Behind the scenes, you can use additional checks to help confirm what someone submits.
For example, in participating states, information collected from a driver’s license can be quickly checked against the American Association of Motor Vehicle Administrators (AAMVA) database. Additionally, schools may be able to use internal databases to match the identifying information on a driver’s license with a college or university ID.
Implement passive signals to automate more holistic risk assessments and make better decisions
Behind the scenes, the IDV system can also leverage various types of signals to identify riskier requests:
- Passive signals: A passive signal, or device signal, can help you learn more about the user without increasing friction. These may include the user’s IP address, location data, metadata, device fingerprint, and browser fingerprint.
- Behavioral signals: A user’s behavioral signals, such as how they interact with a form or use their keyboard and mouse, can also be analyzed to detect unusual activity and bots.
You can use these signals to automatically decline high-volume requests that may be part of a credential stuffing attack. Additionally, you can customize the signal parameters and use results to accept, deny, or route requests to a manual review.
For example, you might design your account recovery flow to check the IP address of a current student who wants to reset their password. If the device’s IP address geolocates to within 50 miles of the school, they can use a government ID and selfie verification to reset their password on their own (assuming those checks are cleared). However, if the device is farther than 50 miles from the school, you can dynamically reroute the request to an IT support team member for verification.
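The routing rule described above, sketched as an added example (not Persona's code or API). The campus coordinates, the per-IP ceiling, the decision labels, and the sample requests are all constructed assumptions, and each request is assumed to arrive with the result of an IP geolocation lookup already attached.

```python
import math
from collections import Counter

CAMPUS = (40.0, -75.0)       # constructed campus coordinates (lat, lon)
RADIUS_MILES = 50            # distance threshold from the example in the text
MAX_RESETS_PER_IP = 5        # assumed per-window ceiling before auto-decline

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def route_requests(requests):
    """Return {request_id: decision} for one time window of reset requests.

    Each request is a dict with id, ip, and geo: the (lat, lon) an IP
    geolocation lookup returned, or None when the lookup failed.
    """
    per_ip = Counter(r["ip"] for r in requests)
    decisions = {}
    for r in requests:
        if per_ip[r["ip"]] > MAX_RESETS_PER_IP:
            decisions[r["id"]] = "decline"            # high-volume source
        elif r["geo"] is None:
            decisions[r["id"]] = "manual_review"      # fail closed: no location
        elif miles_between(CAMPUS, r["geo"]) <= RADIUS_MILES:
            decisions[r["id"]] = "self_service_idv"   # government ID + selfie
        else:
            decisions[r["id"]] = "manual_review"      # outside radius: IT support
    return decisions

# Constructed sample window; IPs are from documentation ranges (RFC 5737).
SAMPLE = (
    [{"id": "near", "ip": "192.0.2.10", "geo": (40.2, -75.1)},
     {"id": "far", "ip": "198.51.100.7", "geo": (34.05, -118.24)},
     {"id": "unknown", "ip": "198.51.100.8", "geo": None}]
    + [{"id": f"burst-{i}", "ip": "203.0.113.5", "geo": (40.0, -75.0)}
       for i in range(8)]
)

if __name__ == "__main__":
    for rid, decision in route_requests(SAMPLE).items():
        print(rid, decision)
```

IP geolocation is approximate and shifts with VPNs and mobile carriers, so the distance check only selects which path a request takes; the ID and selfie checks still have to pass on the self-service path.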
Persona offers a flexible and secure solution
Persona can integrate directly with your school’s existing technology stack to free up your IT team’s time and help improve the experience for your students, alumni, and faculty. Our identity platform uses a building-block approach that lets you choose the products and tools that best fit your needs.
Preply, an online language tutoring platform, was dealing with similar scalability issues before working with Persona. The support team spent hours every day manually reviewing tutors’ identity verification documents and struggled to keep up with Preply’s rapid growth.
With Persona, Preply created a customized system to automatically verify and accept candidates, decline them, or send edge cases to review. The automated system decreased how much time the review team spends on identity verification by 80%. It also led to fewer errors and increased conversions, allowing the team to focus on strategic projects.
Persona enables teams to increase operational efficiency and better serve end users without compromising on security or privacy:
- Persona maintains certifications for the highest industry standards, including ISO 27001, Service Organizational Control 2 (SOC 2), and the Kantara Initiative’s IAL2 certification.
- Our solutions comply with global regulations, such as the General Data Protection Regulation (GDPR) for EU citizens, and with state-level data privacy laws like the California Consumer Privacy Act (CCPA).
- Government ID verifications are available with IDs from over 200 countries and territories, which can be important if you have international students and faculty or your alumni move abroad.
- We can work with you to align data retention and redaction policies, including instantly redacting users’ personal information after verification.
Want to learn more about how Persona can help you expedite account recovery requests and reduce manual review? Start for free or get a demo today.