Keep Your Online Business Safe: Navigating Identity Verification and Authentication
Generated with ChatGPT4

Summary: Building Trust in the Digital Age

In the digital marketplace, trust is paramount. Every business needs a robust Identity and Access Management (IAM) solution to build this trust and protect users from fraud and abuse. Key elements of this solution are strong identity verification, authentication, and authorization. These tools help businesses answer three crucial questions: Who owns this account? Is the person accessing it the rightful owner? Are they acting of their own volition?

This post is geared towards the professionals and managers who are not directly part of the identity teams building and managing these solutions, but who need to interact and collaborate with them as fighting fraud and abuse becomes a shared responsibility across the organization. The first two sections of this post provide a high-level overview of how some of the key IAM technologies and tools are deployed across the user journey, and some ideas about the structure and teams a company needs to implement, integrate and manage those solutions.

The third section is forward-looking, describing a highly likely future where users (humans) are empowered to build and own verifiable identities, which can be shared with apps or services of their choice. These digital wallets (we could also call them accounts or agents) would be tied to individuals, not businesses, and both would trust them to keep the information safe, up-to-date, and tightly coupled with its rightful owner. This would give users more flexibility and control while reducing business effort and costs. It would also change the crucial questions businesses need to answer from the three listed above to two equally powerful ones: Should we become a wallet provider? If not, which wallets will we trust?

A Comprehensive Approach to Online Security

Fraud in payments and broader online interactions poses a significant challenge. At the most basic level, online businesses need to answer three main questions:

  • Do we know who owns the account?
  • Is the person accessing the account the same one that created it?
  • And are they acting freely, without coercion or deception?

Fortunately, we have robust Identity and Access Management (IAM) methods and tools, like identity verification (IDV) and authentication, to address these concerns. However, these tools constantly evolve, requiring a delicate balance between friction, security, and privacy.

Let's explore a simplified digital customer journey, pinpointing key steps where fraudsters might strike and where the IAM tools can protect users. Note that these processes, while reducing most types of fraud, may not detect synthetic identities. This is a complex topic that warrants a separate discussion.

Onboarding: The First Line of Defense

The onboarding process aims to familiarize businesses with their customers. In regulated industries, this might involve various forms of ID and other official proofs, while in others, it could simply confirm the user is human.

Applying progressive risk segmentation is vital. This means adjusting the level of information required, and therefore incorporating “dynamic friction”, based on the risk associated with the user. Even new users can be assessed for risk using other sources like device data, mobile network operators, watchlists, and credit bureaus.

For instance, low-risk users may only need to upload an ID. For intermediate risk - say, a newly activated phone number - you might require additional verification like a selfie. For high risk - such as a number linked to scams - a video call could be necessary.

During onboarding, it's also crucial to enable two key security features:

  • Multi-factor authentication (MFA): It adds a layer of protection on top of passwords. As users create their login credentials, integrating MFA, such as one-time passwords via text or authenticator apps, significantly boosts security.
  • Passkeys: These represent a move towards a passwordless future. Created by the FIDO (Fast IDentity Online) Alliance, and following the WebAuthn standard, passkeys use public key cryptography for secure access. Credentials (private keys) are stored on the user's device and never leave it, so they cannot be leaked by the service.

Login and Transaction Verification: Ensuring Security via Continuous Authentication

Once a user is onboarded, maintaining good security is paramount. This stage demands strong authentication methods, tailored to the risk associated with each action. Utilizing a combination of passwords, MFA, or passkeys, often in tandem with physical biometrics, strengthens security. Adding low-friction, silent authentication methods that run in the background is key to building a reliable confidence score. These include:

  • Behavioral analytics: Analyzing user-specific patterns such as keystroke cadence, speed, voice ID, and device handling. External factors like login times and frequency also contribute to this analysis.
  • Device and carrier information: Leveraging data like geolocation, network authentication (matching the device SIM with the user profile), and timing of the last SIM swap. This also involves cross-referencing user information with data from the mobile network.

Passkeys vs. 3DS

Specific to card payment transactions, and particularly given all the drawbacks of 3DS (US - lack of adoption; EU / ROW - high friction that results in abandonment), an implementation of passkeys by Visa, MasterCard and the other card networks could greatly improve card-based authorization and reduce fraud for the merchant / business.

It is not the merchant's decision to put this in place (it needs to come from the networks), but they would need to support it. In the US this might be a challenge without a solid business case (e.g. liability shift). In the EU it should be simpler. SCA (Secure Customer Authentication) is mandated and liability shift established, but most merchants opt out of 3DS due to poor approval rates. It would also align well with eIDAS and the EU Digital Identity Wallet project.

Behavioral Analytics in Scam Detection

Behavioral analytics play a pivotal role in detecting scams where the legitimate user, albeit unknowingly, is guided by a scammer. For instance, a simultaneous call during an online interaction could indicate external manipulation, flagging the need for further verification.

Re-Verification in High-Risk Scenarios

High-risk scenarios necessitate re-verification. This step is crucial in confirming that the person currently accessing the account is the same individual who created it. Techniques such as comparing a real-time selfie with the original ID photo or requesting additional documents help reinforce security. Keeping a record of each interaction and utilizing machine learning and AI for automation ensures each verification step adds value.

Examples of re-verification applications include:

  • Drivers in the gig economy: Re-verifying drivers to prevent incidents like the identity fraud issue Uber faced in London in 2019.
  • Housing market and hospitality: Re-verifying renters or guests before property access, possibly with a quick selfie.

Perpetual KYC: A Continuous Relationship

In fact, this type of re-verification process is a clear sign that the industry is moving towards perpetual know-your-customer (pKYC), signaling that identity is a relationship, not a one-off transaction. It is about bringing a person’s offline persona to the online world and identifying who they truly are behind the screen every time they access the account. Perpetual KYC’s continuous monitoring proves a person is who they say they are — not just whether they should have access — while providing a process for users to add and update information to ensure that their online and offline personas are fully aligned.

Account Recovery: Simplifying User Experience

Nearly every user eventually encounters the need for account recovery. This process often involves calls and emails to the business, creating friction for users and high costs for the merchant. However, this can be simplified with effective digital verification and authentication processes. These should be user-friendly and secure, ensuring a smooth experience for users while maintaining the integrity of their accounts.

Implementation: A Strong Team is Necessary to Make it All Happen

To effectively implement these technologies, most companies work with vendors that provide best-in-class solutions, and build a strong internal team capable of selecting, integrating, and managing the vendors and solutions. There are no shortcuts to building a great customer experience while developing a robust IAM system.

Vendor Selection: Finding the Right Fit

There are many articles and posts that include maps and diagrams covering providers of identity verification (also called identity proofing), authentication and authorization. Below is one of them, a personal favorite, that also specifies whether the solution is focused on the consumer or employee space, or if it is applicable to both.

All providers have their own pros and cons, and need to be assessed against the specific needs of the business. For example, to assess an ID verification solution, you need to consider accuracy and reliability, coverage, compliance with local and international regulations, audit trails, user experience and cost.

Equally critical is to reflect on how well you understand how it works, how configurable it is and how well it integrates with your other systems. In a nutshell, how well the systems play together. For example, disjointed systems can result in a fragmented and cumbersome user experience with repetitive requests, as well as security and compliance gaps, due to inconsistencies in security protocols or data handling.

To ensure the best solution overall, it may be wise to prioritize working with providers that focus on open standards and interoperability, perform thorough tests on the combined system, and plan for scalability and future changes.

Internal Organization: Collaborative Effort

A strong Identity Team is vital for assessing, integrating, and managing services. This team should work closely with Security, Fraud, Compliance, Privacy, and User Experience Teams, but will also interact with Product (e.g. Payments), Operations, Customer Services… potentially touching every area of the organization, as building trust with users becomes a shared responsibility.

In marketplaces, Identity will also include, or work closely with, the Trust & Safety Team. This team often focuses on aspects that have not traditionally been part of IAM, such as users’ reputation, content produced (source, quality, alignment with policies), and civility of interactions. These aspects of a person’s identity should be added to their profile.

The Future: There is a Better Way

Despite significant investments in identity and security, online fraud, scams, and abuse continue to grow. Even as new solutions develop, technologies that can support bad actors seem to develop even faster. Deepfakes, for example, present a real threat to identity verification processes like photo-based KYC.

Companies excel in their domains – crafting unique products, connecting people, creating engaging experiences. However, identity management often falls outside their core competencies. There is a better alternative that can free up business resources while giving users more control, flexibility and privacy: empowering users to build and own verifiable identities, which they can share with apps or services of their choice.

These verifiable identities would be held in digital wallets (we could also call them accounts or agents) tied to individuals, not businesses, and would be trusted by both to keep the information safe, up-to-date and tightly coupled with its rightful owner. These tools could offer more specialized solutions, such as incorporating “human-in-the-loop” verification processes for high-risk scenarios, and richer, more effective, continuous authentication and pKYC.

This paradigm shift would lead businesses to ponder:

  • Do we want to become wallet / agent providers?
  • If not, which wallets / agents will we trust?

Any business can provide these services, as long as: 1) it makes the necessary (likely large) investments to make identity an additional core competency, 2) it has earned the trust of its customers, and 3) it creates a solution that is centered around what the human needs to thrive across their digital, and physical, life.

Having said this, most companies will opt to use wallets developed by others, and choose providers based on their specific requirements around data protocols, security and privacy requirements, coverage… This is where standards and interoperability become crucial, so that users and businesses are not locked into a single solution.

Initiatives like the European Digital Identity Wallet, the OpenWallet Foundation, the Open Identity Exchange, and the Trust Over IP Initiative are leading this charge toward a standards-based, interoperable future for digital identity. Companies, regardless of their decision to provide these services, should stay informed about these developments to future-proof their investments and strategies. This, I believe, is where the future lies.

Note: I am well aware that I am oversimplifying the future, as wallets, to be adopted at scale, will need to be multi-functional wallets that help us protect and share our identity, make payments, board planes and much more. I am focused just on identity here given that it can facilitate access to almost every other aspect of our lives: Healthcare, finance, government, insurance, commerce... We are effectively decoupling identity from any specific area of our lives, to then apply it to all of them.

You can find this post also directly on my personal website: https://trishburgess.com/f/keep-your-online-business-safe-navigating-identity-verification


Patrick Burgess

Retired at US Air Force

10 months

Outstanding, even I could see the need for more security.

Janne Jutila

Business development leader and digital identity specialist

10 months

Nice text, thanks. For an identity and payment wallets professional, some topics, like decentralisation, reusable identity and onboarding, were missing. Maybe in your next blog? SCA is generally considered highly successful here in Europe amongst users, issuers and merchants.

Rod Boothby

Digital Identity Leader | VP Product | 2X Co-Founder CEO, COO $150M Incremental Revenue | Ex Wells Fargo, AIG, EY, Santander Grew npm Inc to #1 Javascript Repo with 20M Developer users

10 months

Great intro Patricia (Trish) Burgess. "fighting fraud and abuse becomes a shared responsibility across the organization" ... that's spot on for all online businesses.

Absolutely! Strong IAM is the cornerstone of trust in our digital interactions. The three questions you pose perfectly capture the essence of user security. How are you approaching user education to foster shared responsibility for fraud prevention?
