Author: Steve Craig
What does a bank teller, a bar bouncer, and an airport security officer have in common?
They all might ask to see your identity document to confirm you are who you claim to be!
Most adults in modern civilization have presented their physical government-issued identity document to assert their identity at one point in time.
In the real-world, the verifier (teller, bouncer, officer) examines the credential (your ID card) to validate your claim. The claimant (you) are physically present and provide additional evidence (your smiling face) that is matched against the portrait on the ID with the verifier’s own innate human face recognition ability. If all goes well, you’re quickly “verified” and go about your business.
With the rise of digital transactions, this same process was naturally adapted for the online world. Today, millions of people snap images or record videos of their ID documents along with live selfie portraits to assert their identity on the Internet. Document-centric identity proofing, or commonly just identity verification, is the foundation for establishing trust and safety in the virtual world.
But did you know there are other techniques to assess identity claims online? Here are a few cutting-edge technologies that can augment or replace the need to ask for that identity document.
One of the early attempts at solving the online identity problem was to leverage private financial information from credit reports to present challenge questions to consumers to evaluate identity claims.
The process of knowledge-based authentication, or KBA, assumed that only the true consumer could answer the questions correctly and in doing so “proved” identity. Unfortunately, with data breaches, the proliferation of private information published on social media, and sophisticated phishing techniques, KBA became less effective. In fact, KBA has earned a bad reputation for preventing fraud and is no longer recognized as a strong technique.
As such, the data-centric category has fallen out of favor. However, there is an entire generation of identity verification solutions that have turbo-charged data-centric processes with artificial intelligence, machine learning and data science techniques.
Today’s advanced data-centric solutions are built using state-of-the-art algorithms that analyze every dimension of a consumer’s identity, not just information found in a credit report.
Correlations between a customer’s name, date of birth, address, email, and phone are evaluated against hundreds of authoritative data sources, public records, and other databases. An individual’s digital footprint is transformed into an identity graph that is used to evaluate an identity claim and affirm the likelihood that consumers are who they claim to be.
While a data-centric or identity graph approach does not provide absolute certainty, when combined with data consortiums, or pooled data linkages across multiple companies, it becomes highly predictive of potential identity fraud or misrepresentation. Further, if augmented with device, location, or IP address data, it becomes statistically strong enough to accept or reject an identity claim in lieu of capturing identity documents.
Data-centric approaches are gaining momentum in the market, not just because of their predictiveness, but also because of the seamless user experience. Many of the data-centric solutions rely on personal information already captured during the onboarding process. There are no challenges questions to answer and no ID document images or selfies to capture.
Many marketplaces and digital platforms seek to optimize their onboarding process and data-centric can supercharge conversion while detecting potential fraud.
In parallel with the evolution of data-centric solutions, device-centric identity approaches have also emerged as innovative, low-friction alternatives to document-centric identity proofing.
Also known as mobile or phone-centric, a device-centric approach leverages mobile number intelligence and device characteristics to link a user to an identity by cross-checking network operator customer data, proprietary device databases, and/or live location information.
In 2017, smartphones and mobile devices surpassed desktop computing as the primary form of online interaction. And even if a consumer is using a desktop or laptop computer, that consumer likely has a cellular-connected device nearby.
Device-centric processes affirm an identity using multiple factors. First, the consumer is confirmed to be in possession of the device. This can be done through software on the device, a one-time passcode process via text message or SMS, or triangulation of cellular location data. Second, the ownership of the device is linked to the consumer. This could be through phone number correlation or data lookups directly with the cellular carrier. Some providers of device-centric identity verification solutions also have powerful proprietary risk engines that assess a device’s reputation either through pattern analysis or data consortiums.
Similar to data-centric IDV, device-centric techniques do not provide absolute certainty that the person holding that device is truly who he or she claims to be. However, because device-centric approaches combine multiple factors of identity evidence, it has grown in popularity and usage.
Beyond marketplaces and digital commerce platforms, many banks, healthcare companies, and even the public sector have begun to adopt device-centric strategies
Now, back to document-centric identity verification.
While data-centric and device-centric approaches are viable for progressively streamlining consumer onboarding processes and validating identity claims, they are often not considered by the broader market to be identity proofing techniques.
Identity proofing requires the use of a government-issued identity document containing a portrait of an individual that can be linked to an actual live and present human. Identity document authentication combined with biometric face matching provides a strong verification just like in the real world. But online document-centric identity is not a foolproof process. Identity documents can be tampered or forged. Faces can be spoofed or artificially generated.
Top providers of document-centric identity verification deploy sophisticated mobile capture techniques and advanced computer vision processes, and sometimes even expert human reviewers, to assess document authenticity, liveness, and facial matching. Even with all that technology, bad actors, fraudsters, and those with malicious intentions find a way to subvert the best systems. Using document-centric identity proofing on its own may not be enough to prevent fraud so often data-centric and device-centric methods are layered in.
Further, because collecting images or videos of identity documents and selfie portraits is high friction for the consumer, many people may decide just to “drop out” of the process due to the extra work.
Signal vs. Noise
Over the past decade, dozens of innovative companies have emerged and each claims they are the best… the most accurate… and the global leader in identity verification!
As a trust & safety leader, how do you decide which solution providers will create the best experience for your marketplace? It starts with understanding your options and choosing the right signal and avoiding the noise.
Are you a marketplace or digital platform struggling with IDV and interested in learning more?
Join me for the presentation “The Different Faces of IDV: Understanding Today's Identity Verification Methods” at this year’s Marketplace Risk Management Conference, May 16 - 18 in San Francisco. Register here
This presentation is a primer on digital identity and highlights today's primary identity verification approaches. You’ll also hear how different marketplaces use different IDV signals to boost platform trust and block out fraud!