Strong identity verification alternatives

Adoption of identity verification is growing. But does every company need a solution this rigorous? We look at the other options that companies can explore.

Strong identity verification solutions are great for securely onboarding users to financial services, verifying gig workers, and fulfilling prescriptions in telehealth. Identity verification is a necessary precaution, and for an increasing number of industries, a compliance requirement. In some situations, however, you may only need a particular security feature and not the whole verification solution.

Before diving straight into identity verification solutions or knowledge-based authentication alternatives, it’s important to understand your requirements and choose the solution that best solves your specific problem. Below, we list some common user verification methods to consider that may be more lightweight to implement.

CAPTCHAs

If your goal is to verify that you are not facing a script, bot, or other kind of automation, then CAPTCHA technologies are a great “liveness detection” solution.

CAPTCHAs provide a test that is easy for humans to solve but difficult for machines to figure out. This can include identifying certain objects (such as cars) in cut-off images, because a machine may not have enough information to recognize the object (such as the rearview mirror). CAPTCHAs are commonly used in onboarding flows to help protect websites and services from spam and abuse.

Available knowledge-based authentication alternatives include reCAPTCHA, which is a popular technology provided by Google. It’s currently installed on almost 2 million domains and helps companies in the education, health and other sectors. Developers can also look for open-source solutions.

[Image: CAPTCHA example with blurred images]

However, deep learning models are becoming more efficient and better at identifying buses, staircases and selecting traffic lights. The Verge reported that humans get CAPTCHAs right only 33% of the time and that trained machine learning algorithms have become much better than them.

Address-based verification

If your goal is to prevent duplicate account creation, then an address-based verification technology is a good option to consider (not to be confused with address verification which is used by payment providers to verify a credit/debit card owner’s registered address).

Usually address-based verification is performed by sending a one-time password (OTP) to the e-mail or phone number used for registration. The user enters the code that they received into a website or application, thereby confirming that they have access to this “address”. This effectively prevents a user from creating a huge number of fake accounts for malicious reasons.
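The OTP flow described above, sketched server-side as an added example (not Passbase code). The 5-minute lifetime, the 5-attempt limit and the `OtpVerifier` name are assumptions chosen for illustration; delivery of the code by e-mail or SMS is left to the caller.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 5       # assumed guess limit per issued code

class OtpVerifier:
    """Issues and checks one-time codes bound to one e-mail address or phone number."""

    def __init__(self):
        self._pending = {}  # address -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(address, code):
        # Store only a hash, bound to the address the code was sent to.
        return hashlib.sha256(f"{address}:{code}".encode()).digest()

    def issue(self, address, now):
        """Create a fresh 6-digit code; the caller delivers it by e-mail or SMS."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self._pending[address] = [self._digest(address, code), now + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, address, code, now):
        """True exactly once: right code, before expiry, within the attempt limit."""
        entry = self._pending.get(address)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if now >= expires_at or attempts_left <= 0:
            del self._pending[address]  # expired or guessed out: a new code is needed
            return False
        entry[2] -= 1  # count the attempt before comparing
        if hmac.compare_digest(code_hash, self._digest(address, code)):
            del self._pending[address]  # single use: a replayed code fails
            return True
        return False

def demo():
    """Constructed walk-through with a made-up address and clock values."""
    v = OtpVerifier()
    code = v.issue("user@example.com", now=1000)
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    return (v.verify("user@example.com", wrong, now=1010),
            v.verify("user@example.com", code, now=1020),
            v.verify("user@example.com", code, now=1030))
```

The attempt limit matters because a 6-digit code has only one million possible values; without it, the code can be guessed by repeated submissions within its lifetime.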

Preventing account duplication is important for services that have free plans. Without this type of protection, users can create infinite accounts and abuse services.

However, address-based verification is vulnerable to e-mail or phone number hijacking, compromised accounts, and collusion between parties. While address-based verification is a great method to avoid duplicate account creation, it does not actually verify the identity of the person you are dealing with.

Knowledge-based authentication (KBA)

Knowledge-based authentication (KBA) ensures that a user accessing your platform knows specific information such as a password (or a secret) and secret answers to questions that are not so secret.

This method of authentication has several vulnerabilities. A secret question is effectively the same as a password and often less secure because it is a word or sentence. Since many users answer these questions honestly, it is easy for fraudsters to access the information (through searching, buying, leaking, or hacking) and use it to gain access.

Knowledge-based authentication relies on shared secrets and once a secret is leaked… it is no longer a secret. It is a familiar and comfortable way for users to authenticate themselves, but not to verify the identity of the person entering the information. Thus, it is best to seek knowledge-based authentication alternatives if possible.

RFIDs, QR Codes, and Devices

Another method of adding a layer of security is to introduce 2-factor authentication. For example, a user not only has a password, but can only gain access to their account when they can also present something they have, such as an RFID, a QR code, a smartphone, or a YubiKey.

A common example is the unique QR codes that are generated for tickets or online purchases with offline pickups. Sometimes, this level of security is enough because the person who is presenting this item is, in theory, the person who should be receiving access. This could also be a good knowledge-based authentication alternative.

The security of verifying something you have depends on what the method is. For example, a QR code can be easily screencapped, which makes it easy to share and to have stolen. In contrast, a YubiKey is a physical, encrypted USB key that grants the user access (usually in conjunction with another verification method such as a password) that meets FIDO U2F standards for security. The trade-off with physical objects like a YubiKey is that if they are lost, account recovery is difficult.

Authenticator Apps

Finally, authenticator apps are another type of 2FA that businesses can require individuals to use in order to verify their identity. It’s also a secure knowledge-based authentication alternative. Example solutions include Auth0 or Google Authenticator, where accounts that have activated 2FA will require a constantly refreshed code from the app to also be submitted during a login.

Although these apps add a sophisticated level of security, many users may not be familiar with them and so requiring their use may result in lower conversion rates.
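The "constantly refreshed code" is typically a time-based one-time password (TOTP, RFC 6238), the scheme Google Authenticator implements. The following is an added example, not Passbase or vendor code: it derives the code on the server and checks a submitted one. The one-step drift window and the `last_used_step` replay guard are assumptions of this sketch, and the secret is the published RFC test key, not a real credential.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed 30-second steps."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret, submitted, unix_time, last_used_step, step=30, window=1):
    """Check a code against the current time step +/- `window` steps of clock drift.

    Returns the matched step (persist it as the new last_used_step) or None.
    Steps at or before last_used_step are refused, so a code observed once
    (for example by shoulder-surfing or phishing) cannot be replayed.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue
        expected = hotp(secret, candidate).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return candidate
    return None

# Shared secret from the RFC 6238 test vectors (constructed sample input).
RFC_SECRET = b"12345678901234567890"
```

A wider `window` tolerates more clock drift on the user's phone but lengthens the time a stolen code stays usable.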

Choosing a strong identity verification service

With the strides made in identity verification today, security can also come with convenience. User verification can be performed through secure identity verification done in a matter of seconds. Identity verification based on biometrics (such as your facial features) removes the need for long passwords that are both easily forgotten and hacked. Taking a video selfie helps perform the liveness detection of CAPTCHAs. Here’s how a user can perform an identity verification in under a minute using Passbase:

[Video: identity verification with Passbase]

If you’re a growing business that can’t live with these shortcomings, it might be time to start evaluating identity verification solutions. Passbase is that knowledge-based authentication alternative you need. You can book a demo, explore our developer docs, or sign up here to see how Passbase can be integrated into your product and services.

Passbase © 2023

Passbase is an identity verification solution that makes facial recognition, liveness detection, ID verification and KYC and AML compliance accessible through a suite of flexible developer tools. A zero-knowledge architecture ensures that companies using Passbase can securely verify users from over 190 countries without having to store their data. Built for developers, it can be integrated with just a few lines of code on iOS, Android, and Web.