I was interviewed by Karen Schwartz from ITPro Today in July 2019 to discuss why digital identity verification is gaining ground. Since then, the adoption of identity verification has only accelerated due to the Covid-19 pandemic and increasing fraud. Looking back, many of the topics we discussed remain just as relevant in 2021.
In 2019, more than IT professionals don’t use advanced solutions and processes for their authentication processes, according to Equifax in 2018. Not having more robust authentication and verification processes leaves room for fraud, which drives customers away because they do not trust the services they are using. Organizations now recognize that digital identity verification solutions help them build trust with users from the moment they sign up and verify their identities to every subsequent login and transaction. The solutions often use a combination of official ID verification and biometric verification such as selfies and fingerprint scans. The post-Covid-19 identity verification market is set to grow to USD 15.8 billion by 2025, according to BusinessWire.
Why is two-factor authentication (2FA) no longer good enough for verification purposes?
Through brute force, phishing or third-party login processes, like the option to log in through Facebook, user accounts may fall prey to data breaches. When deploying authentication, businesses should avoid simple two-factor authentication methods like one-time passwords over SMS, voice calls or emails. Attacks have become more sophisticated since these methods were introduced over fifteen years ago, and they are no longer sufficient security measures.
Is there an acceptable digital identity verification baseline for businesses?
Businesses perform digital identity verification processes to protect data and prevent fraudulent activities. With today’s technologies, the ideal digital identity tool would leverage biometric technology such as facial recognition, fingerprint scanning and liveness detection combined with government-issued ID verification. With smartphone penetration, these services can be done on a smartphone camera and offer the user a frictionless experience. But to enable digital identity verification, businesses shouldn’t only streamline the identity verification process; they need to enable identity ownership and reuse across different services.
How does regulatory compliance affect companies managing identity verification today?
Without a robust identity verification process, organizations increase their exposure to Know Your Customer (KYC) and anti-money laundering (AML) penalties. With data privacy laws like the EU’s GDPR and the California Consumer Privacy Act (CCPA), companies need to ensure that the information they collect, which includes personal and sensitive data, complies with the regulations. Companies handling data need to be transparent about the personal data collected, manage requests for deletion of data and ensure policies against reselling data are in place.
The paradigm shift for organizations is that they need to know who they are providing services to while, at the same time, protecting those users’ privacy and limiting access to their data. To be compliant today without greatly inconveniencing users, companies must use solutions like biometric authentication, which uses machine learning, to verify an individual’s identity without needing to collect or expose unnecessary personal data during the verification process. Organizations need to rethink their identity verification process so that it gives users control over what data to share and who to share it with.
How do organizations offer users services or facilitate transactions without exposing personal information or breaching compliance obligations?
Organizations will need to use access control policies. They should protect people’s information by design and collect only the information they need for the services accessed. They should enhance their latest protections with a combination of biometric authentication, decentralized systems and anti-spoofing technologies.
The only true way of protecting personal data is by not sharing it. When considering ways to prevent identity theft and attacks and the future of cybersecurity, a blend of biometric authentication and zero-knowledge proofs is the way forward. Verification no longer needs to depend on passwords or personal data stored on an organization’s servers, but can rely on machine-learning-assisted processes such as facial recognition and document verification. Users will own their data, but won’t need to share it.
How can they do that while still being sure of the identity of the user accessing their platform?
Organizations can integrate identity verification processes that comply with data privacy regulations and have privacy built in. Make sure to choose a platform that uses a combination of knowledge-based authentication, biometrics and liveness detection, compared against government-issued ID verification.
What is zero-knowledge authentication and why is it important?
Zero-knowledge authentication allows a user to prove that he/she knows a credential without having to share that credential. A verification process built this way requires no transfer or storage of passwords or user credentials, which also reduces the data handling risk for an organization. End-to-end encryption is one example of how companies use zero-knowledge proof that data is delivered to the target recipients without knowing what the data is.
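An added example, not part of the original interview: a minimal Schnorr identification exchange in Python, one well-known zero-knowledge proof of knowledge, in which the user proves possession of a secret while the service stores and receives only public values. The group parameters `P`, `Q`, `G` and all class and function names are assumptions chosen for illustration, and the parameters are toy-sized.

```python
import secrets

# Toy parameters (assumed for illustration, far too small for real use):
# P = 2*Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """User side: secret x stays on the device, only y = G^x is registered."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

class Prover:
    """Runs on the user's device and is the only party holding x."""
    def __init__(self, x):
        self.x = x

    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1   # fresh nonce for every login
        return pow(G, self.r, P)

    def respond(self, c):
        # The response blinds x with the nonce r, so s alone reveals nothing
        return (self.r + c * self.x) % Q

class Verifier:
    """Runs at the service, which stores the public value y and no secret."""
    def __init__(self, y):
        self.y = y

    def challenge(self, t):
        self.t = t
        self.c = secrets.randbelow(Q - 1) + 1   # non-zero random challenge
        return self.c

    def check(self, s):
        # G^s == t * y^c holds only when s was computed from the matching x
        return pow(G, s, P) == (self.t * pow(self.y, self.c, P)) % P

def login(prover, verifier):
    """One authentication round: commitment, challenge, response, check."""
    t = prover.commit()
    c = verifier.challenge(t)
    return verifier.check(prover.respond(c))
```

A production deployment would use a standardized group or elliptic curve of cryptographic size; the message flow is the same.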
What technologies can help organizations offer zero-knowledge authentication?
Organizations can leverage biometrics such as facial recognition or fingerprint scans using a device owned by the user, which acts as a hardware key, or they can analyze the device’s features and details.
When is it useful for organizations to source identity verification solutions and when is it better if organizations manage it themselves?
Outsourcing identity verification could help businesses gain access to some of the best technologies available today and integrate the components they need, such as identity checks and fraudulent accounts through software development kits (SDKs). Identity verification solutions add significant value by saving an organization from building its own solution from scratch or going through the painful process of manual identification. This is useful to small businesses and large enterprises alike. Smaller businesses need to facilitate interactions, but don’t have the resources to hire and sustain a compliance division in-house or store sensitive data on their servers. Enterprises also use industry-standard solutions for optimizing operational performance, such as reduced processing time. The goal is to supply businesses with the technology they need to reduce fraud and remain compliant, while making it cost-efficient for them to use the services.
How does the future of user authentication look?
A paradigm shift is underway where companies will move away from collecting and aggregating user data. The future of security is heading towards a privacy-centric architecture where users can enjoy the same ease of use for services while having control over their data.