Due to exponential growth in the number of online consumers, identity proofing and verification requirements are becoming top of mind for CIOs/CSOs, IT teams, and cybersecurity experts alike. The pandemic has forced even the most tech-resistant consumers to start performing transactions online, a phenomenon HID has seen across industries. More users and digital transactions widen the attack surface for cyber criminals and necessitates enhanced security measures. The finance, telecom, and utilities sectors, for example, are beginning to demand more robust onboarding implementations beyond simple registration forms that only capture username, email, and password, coupled with uncorroborated personal information that’s easy for identity thieves to steal.
As identity fraudsters become more sophisticated, the threat they pose becomes increasingly diverse and puts the expanding digital population at risk. Discussing the principles, practices, and trends in identity and access management (IAM) can help your organization gain a fuller understanding of how to adapt to growing threats and accommodate newcomers.
What do we mean by identity proofing?
Let’s begin by describing identity proofing. Identity proofing is the process of ensuring a person is who he/she claims to be and is “confirmed into” his/her digital account. This can be done by asking for physical credentials such as a passport or government-issued driver’s license. A challenging aspect of identity proofing is replicating the identity document’s checks digitally while keeping the process fast, reliable, and secure.
Why Proving Identities is Crucial
Fraudsters are displaying increased levels of cunning and organization, using a combination of social engineering, vulnerability exploitation, and other tampering techniques to forge and falsify authentic identity documents during the onboarding process. That makes it even more essential to start the customer journey with a strong focus on identity and document integrity.
The need for strong identity proofing from the start is abundantly clear when you compare two scenarios: one where a customer is targeted by fraudsters after establishing a legitimate account, and another where the account is fraudulent from the very beginning. Protecting an already-established legitimate account is much simpler. Mitigating the risk of fraud in that scenario can be as straightforward as introducing stronger customer authentication procedures like requiring customers to present what they know, what they have, who they are, and where they are (AKA multi-factor authentication), paired with additional measures like enrolling trusted devices or employing behavioral biometrics at login. With a strong trust foundation and a reliable risk management system, breaches of the legitimate account can be detected and recovered quickly.
In contrast, a compromised onboarding journey where imposters have used false information (i.e., false identity documents, doctored photos, unverified addresses, etc.) to establish an account immediately breaches the foundation of trust. It’s much harder to detect a fraudster if they're your initial customer, and the financial impact of ongoing fraud from a counterfeit account can be devastating for affected consumers.
That’s why organizations should be incorporating the right processes and technologies to automatically eliminate threats during onboarding. Introducing more layers of identity proofing significantly reduces the risk of impersonation. Identity proofing measures should be coupled with risk-based (multi-factor and/or contextual) authentication that balances security and usability. This applies to the entire identity lifecycle, and to both logical and physical access within the organization.
Understanding Trends in Identity Verification
To get a fuller picture of identity verification trends, let’s explore methods of identity proofing in use today. The process starts by capturing and verifying an identity document. With the initial capture (or picture) your solution should be able to validate the physical aspects of the ID based on ISO or ICAO standards. Whenever possible (if the ID supports it), it’s a good idea to perform verification on the ID itself by reading information on a chip embedded inside the card, or by interrogating the issuance authority or another trusted third party. This isn’t available in all jurisdictions so your actual implementation may vary.
Due in part to jurisdictional variance, a layered approach to validation is better than depending on one check alone. Additional identity proofing procedures include reliable facial matching solutions, passive liveness checks with iBeta compliance, and address verification that supports enhanced “2+2” verification. 2+2 verification involves verifying an individual’s name and D.O.B against a government–backed ID and then confirming with biometric analysis that the person providing the document is the true owner of that document. The individual’s name and address are then extracted and verified against multiple databases looking for a clear full address match. Lastly, having eChip verification capability is a stronger measure, resulting in a higher level of assurance.
The level of security you can provide with identity proofing depends on how many procedures you’re able to incorporate. Passive liveness significantly facilitates liveness testing for the users performing that particular step, but the main priority should be securing the entire customer journey with a seamless process. Ultimately, organizations have to consider how their identity proofing strategy feeds into the goal to differentiate, which can be considered a function of respect.
At HID, we predict an increased demand for solutions providers who offer easily-integrated products to secure the entire customer journey, a prediction that’s backed up by data:
• Per Mordor Intelligence, the market for identity verification solutions should grow at a CAGR at 13.1% until 2026, reflecting an increased demand for online services—and an increase in crimes targeting online accounts.
• The United States Federal Trade Commission (FTC)’s Consumer Sentinel Data Book reveals that nearly 1.4 million cases of identity theft were reported in 2020, a year-over-year increase of nearly 200%.
• A survey HID performed in partnership with Dark Reading of almost 200 IT and cybersecurity professionals revealed a widespread sense of caution around today’s threats. 40% of professionals predicted that security challenges would get harder to deal with in the coming years, and 49% said the complexity of the security environment is the biggest challenge they face.
We believe that a customer journey beginning with multi-layered identity proofing and verification has the best chance of meeting future challenges head-on.