The Identity Verification Spectrum of Assurance
July 31, 2019
There are many identity verification methods, but not every technique is appropriate for every user, because each differs in the amount of friction it adds and the level of assurance it provides. Enterprises must evaluate their current business needs to determine which mechanism (or combination of mechanisms) is best suited for their specific use case.
This infographic illustrates a few examples of popular identity verification techniques, ranging from the lowest to the highest level of assurance, followed by a description of each method.
Self attestation provides the lowest level of assurance because it requires no corroboration with authoritative sources. In this method, an individual self-certifies that they are who they claim to be by photocopying their ID document, signing it, and writing “true copy” or “self attested.” This verification method is not typically considered sufficient by today’s standards.
The Knowledge-Based Verification (KBV) method will remain wholly insufficient so long as consumer credit reporting agencies continue to experience major data breaches in which people’s sensitive personal data (the information that is typically used for knowledge-based answers) is made easily available online and/or cheaply obtained by cybercriminals via the Dark Web. The U.S. Government Accountability Office (GAO) recently released a report stating that several prominent government agencies still rely on the three major credit agencies (Equifax, Experian, and TransUnion) to verify a person’s identity with KBV, even though NIST no longer endorses this security method.
Social Media Logins
Nearly every platform has a sign-on integration with Facebook and Google, but the problem with using social media logins as an identity verification method is that these providers openly share people’s personal data with third parties for marketing purposes, and have experienced multiple serious data breaches in which the personal data of millions of people was exposed to cybercriminals. There’s no way to guarantee that the person using a social media login to reset their password on a different platform is in fact the account holder because social media identities aren’t verified––they only ensure that the individual attempting to recover their linked account has access to the email address associated with the social media account.
There are different types of records checks available to help businesses reduce risks associated with bad hires, but if conducted without another, stronger identity verification technique, they won’t be able to flag synthetic or false identities or account for human error (e.g. an applicant accidentally entering the wrong driver’s license number on their mobile device). Identity verification provides an added layer of assurance for anyone who conducts records checks, especially the ones that are cost-effective but offer a lower level of diligence.
Requesting utility bills to verify an individual’s address can be an effective identity verification method, but only when it’s combined with more robust techniques. This is because there are few to no security measures in place for sending and receiving utility bills, which makes them frighteningly easy to forge. Even those who lack basic design skills can leverage questionable online resources to produce a very convincing imitation, essentially making fraud attainable for anyone.
ID Document Scans
Scanning an ID document is equivalent to finding one piece of the puzzle, as this method can only prove that the document is valid, but not that the individual is the person in the ID. Remote identity verification providers that use ID document scanning alone employ widely different technologies to scan documents, some of which are not as effective and may produce inaccurate results.
Identity verification is usually performed once, but authentication––which proves an individual’s assertion that they are who they claim to be––can be performed many times. It’s for this reason that, when combined with similar identity verification methods, authentication can be a powerful tool to validate a person’s identity and credentials.
Biometric Liveness Selfie
An ID is easier to verify when it’s accompanied by a selfie of the applicant who’s submitting the document in question, but recent advancements in artificial intelligence technologies have made it possible to completely fabricate static photos of faces. Biometric liveness selfies can be helpful for preventing fraud, as they rely on unique biological characteristics to verify an individual’s identity, but should ideally be combined with other verification techniques, as this method is still susceptible to “presentation attacks” like spoofing.
Virtual In-Person Verification
The technology behind virtual in-person verification is akin to a virtual meeting via video chat that enables an individual to speak directly with an authoritative official to verify their identity. In-person verifications are typically considered the gold standard because physical faces and fingerprints are much harder to falsify, but as global connectivity continues to progress, virtual in-person verifications will become the next best option.
Identity verification mechanisms and techniques can be used interchangeably to strike the right balance between adding friction and reducing fraud. Enterprises should think critically about which combination is best for their specific business needs, and implement it accordingly to prevent fraud, optimize conversions, and increase revenue.