In ancient history – 2019 – when we met someone for the first time, we shook hands and introduced ourselves by stating our names. Remember that? Good times. Today, building trust during online introductions requires proof.
Businesses operating in an increasingly digital world must take more stringent steps to ensure that an identity is genuine and they know who they are dealing with. This is a process commonly referred to as ‘identity verification’ or ‘know your customer’ for regulated industries.
Well-established techniques involve the matching of name, date-of-birth and address information to reputable data sources such as credit reference agencies or an electoral roll, however, these steps can be in vain if one fundamental truth is not established one step earlier – that of identity proofing.
Identity proofing is the process of ensuring that the person introducing themselves, or claiming their identity, is the legitimate holder of that identity, to ensure that all subsequent checks are applied correctly. It is arguably the most important part of an identity verification journey, as failure to establish this correctly, not only has the potential to invalidate all further checks but can also be the cause of reputational and financial loss to the organization and their stakeholders.
In a face-to-face environment, we can usually rely on visual cues to make subconscious assessments of a claimed Identity’s legitimacy, even if we request confirmation by performing a cursory, visual check of some form of government-issued identity document such as a driving license or a passport to validate the claim. However, this becomes far more difficult when the person claiming this identity is doing so remotely. In a post-Covid world, the need to perform remote identity proofing on individuals with whom we interact is a cornerstone of a trusted relationship. So, how best to undertake this, knowing that the person with whom we are interacting cannot simply hand their documentation to us?
Many attempts have been made to accommodate this. For example, knowledge-based authentication establishes an element of identity proofing by asking questions that only that individual should know, such as the amount spent on their mortgage every month, or the color of their first car. These are perfectly legitimate questions, however, they are just as easily answered by a spouse, or in fraudulent cases, any bad actor that has gained access to somebody else’s credit report via a data breach. Sadly, these types of breaches are far too commonplace, so in a real-world scenario, knowledge-based authentication isn’t strong enough to establish the levels of trust most organizations require.
So, we must use solutions that replicate a face-to-face interaction and couple that with image-capturing technologies that most people have access to, such as a smartphone camera and an internet connection.
Digital identity proofing, step by step
1. Document scan
To begin, the identity claimant is asked to scan and submit a good-quality picture of their government-issued identity document. Robust identity proofing systems will immediately be able to identify the legitimacy of the document by extracting the relevant information via optical character recognition (OCR), visual analysis and a range of anti-tampering checks to ensure that no manipulation has taken place on the document.
2. Face match
Once confirmed, the next step is to ensure that the person presenting the document is its legitimate owner. We do this by asking the identity claimant to provide a selfie, which is programmatically matched with the image extracted from their identity document. Face-matching is an important part of digital identity proofing and machine matching algorithms perform far more effectively than human beings on crucial matching decisions unless people are highly trained.
Anticipating this step, fraudsters will substitute the photograph on the document with another. Good identity proofing solutions can detect these substitutions, text changes and any other document tampering, and will red flag them.
3. Liveness check
But wait, who’s to say that the individual claiming this identity has not simply submitted a photograph of someone else that they downloaded from social media? We test for this by running a ‘liveness check’ on the selfie image submitted. Liveness checks ensure that the person submitting the selfie was genuinely present and facing the camera at the time the image was captured. This prevents the use of any impersonation tool such as photographic printouts, deep fake videos and silicone masks when submitting facial images.
Liveness, or presence attack detection is evaluated and graded by the US National Institute of Standards in Technology. Our liveness detection is Level 2 accredited, the highest standard in a remote verification environment without the use of dedicated hardware such as a fingerprint reader.
Identity verification experts tend to agree that no one-size-fits-all digital identity proofing process is 100% fraud-proof; with any system there are outliers and exceptions. Corruption, for example, can result in legitimately printed government identity documents issued with a fraudulent identity. So, a multi-layered approach to digital identity verification is wise.
By layering trusted third-party identity data into the identity proofing process, a business can establish trust in the longer term existence and credibility of the individual or flag that no such history or confirmatory data exists. Data-centric identity verification, using data sets that best match an organization’s use case and risk propensity is the strongest form of defense against determined fraudsters and a solution that can go a long way to mitigating the most frequently used methods of identity fraud.
Speed and convenience matter as much as security for successful brands looking to build customer relationships based on trust. So, a great onboarding experience and a safe onboarding experience both matter for business growth.
Good customers and bad actors will both be subjected to identity proofing checks, and while these steps will make it far more difficult for fraudsters to gain unauthorized access to your organization, customer onboarding friction aimed at fraud prevention must be balanced against ease-of-use. We also know, however, that consumers feel strongly about security when opening a new online account. 57% of consumers surveyed for The State of Digital Identity 2022, cited security as a key concern, so balancing a degree of ‘friendly friction’ in an onboarding experience that reads well for digital identity verification is a best practice for business.
Fraudsters, like water, will always take the path of least resistance, and by placing a range of fraud detection and prevention steps between a bad actor and their goal, a business can confidently allow legitimate customers to consume a product our service in a safe and compliant manner.
So, by deploying a robust identity proofing process in conjunction with the correct mix of trusted data sources for compliant identity verification, a brand can not only protect against bad actors, but also build reputational credibility in the eyes of genuine customers who feel safer knowing that it truly appreciates their legitimate business.
No. identity proofing is an integral component of the larger identity verification process. Knowing that someone is who they purport to be does not necessarily allow them to consume the service or good that they are engaging with. The larger Identity verification process further ensures the individual meets all the additional requirements such as nationality, age restriction or affordability.
Biometric identity authentication is the process of verifying an individual’s identity by drawing comparison between known and trusted biological characteristics against those presented by someone claiming an identity. These biological characteristics traditionally include facial characteristics, fingerprints, irises, and voice prints.
Mobile identity authentication is the process of establishing confidence in an individual’s claimed identity by matching their claimed identity against the known and trusted record held by a Mobile Network Operator (Mobile-to-Person Matching or MPM). This type of check includes various fraud mitigation aspects, including SIM-Swap detection, call forwarding checks and mobile account age determination to further bolster credibility.
Identity fraud is the intentional use by one person of another person’s personal identifiable information or identity credentials, with or without the express consent of the legitimate holder, to commit a crime or to deceive or defraud another person or organization.
This article was originally published by GBG.