Strong identity verification solutions are great for securely onboarding users to financial services, verifying gig workers, and fulfilling prescriptions in TeleHealth.
This added security is a necessary precaution and in a lot of cases a compliance requirement for these industries and many more. In some situations, however, it can be overkill.
Before you spend time evaluating identity verification solutions, it’s important to understand your requirements and choose the type of solution that best solves your specific problem. Below we list the different user identification methods to consider before settling for a strong(er) identity verification one.
If your goal is to verify that you are not facing a script, bot, or other kind of automation, then CAPTCHA technologies are a great solution to help with this.
CAPTCHAs provide a test that is easy for humans to solve but difficult for machines to figure out. They’re most commonly used in onboarding flows to help protect websites and services from spam and abuse.
We would recommend using reCAPTCHA, which is the state-of-the-art technology provided by Google. It’s currently installed on almost 2 million domains and helps companies in the education, health and other sectors.
However, the gap between computer and human skills is narrowing. It is important to be aware that as deep learning models become more efficient, they become better at identifying buses and staircases and selecting traffic lights.
The Verge reported that humans get CAPTCHAs right only 33% of the time and that trained machine learning algorithms have become much better than them.
If your goal is to prevent duplicate account creation, then an address-based verification technology is a good option to consider (not to be confused with address verification which is used by payment providers to verify a credit/debit card owner’s registered address).
Preventing account duplication is important for services that give away free services at onboarding. Without this type of protection, users can create infinite accounts and effectively steal or abuse services.
Address-based verification works by sending a unique code by SMS to a phone number that was provided by a user. The user then inputs the code they received into a website or application, thereby confirming that they have access to this “address”. This same method can be applied to email as well. It can effectively prevent a user from creating a huge number of fake accounts for malicious reasons.
Some vulnerabilities to be aware of are phone number hijacking, compromised accounts, and collusion between parties. While address-based verification is a great method to avoid duplicate account creation, it can do little to verify the true identity of the person you are dealing with.
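The code flow described above can be sketched as follows. This is an added example, not Passbase's code or any provider's API: it issues a one-time code, stores only a keyed digest of it, enforces an expiry and an attempt limit, and refuses to issue a code for an address that is already tied to an account. The `send` callback, the class and function names, and the TTL and attempt values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per code (assumed value)

def normalize(address):
    address = address.strip().lower()
    if "@" in address:
        return address
    # Simplified canonical phone form: "+1 555-0100" and "+15550100" match.
    return "+" + "".join(ch for ch in address if ch.isdigit())

class AddressVerifier:
    def __init__(self, send, clock=time.time):
        self._send = send        # hypothetical SMS/email delivery callback
        self._clock = clock
        self._key = secrets.token_bytes(32)   # keys the stored code digests
        self._pending = {}       # address -> [digest, expires_at, attempts_left]
        self._claimed = set()    # addresses already tied to an account

    def _digest(self, address, code):
        return hmac.new(self._key, f"{address}:{code}".encode(), hashlib.sha256).digest()

    def request_code(self, raw_address):
        address = normalize(raw_address)
        if address in self._claimed:
            return False         # duplicate account: address already used
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[address] = [self._digest(address, code),
                                  self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send(address, code)
        return True

    def confirm(self, raw_address, code):
        address = normalize(raw_address)
        entry = self._pending.get(address)
        if entry is None:
            return False
        if self._clock() > entry[1] or entry[2] <= 0:
            del self._pending[address]   # expired or guessed too often
            return False
        entry[2] -= 1
        if not hmac.compare_digest(entry[0], self._digest(address, code)):
            return False
        del self._pending[address]       # codes are single use
        self._claimed.add(address)
        return True
```

A successful `confirm` proves only that the user can read messages sent to the address, so phone number hijacking and collusion remain outside what this check can detect.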
Knowledge-based authentication (KBA)
Knowledge-based authentication (KBA) ensures that a user accessing your platform knows specific information such as a password (or a secret). Beyond passwords, one of the most common factoids used in KBA is a user’s mother’s maiden name.
As you can imagine, this method of authentication has several vulnerabilities. When it comes to questions about a user’s personal life, information is easy to find (or buy after a data breach or leak) - giving fraudsters access to the user’s account.
The most worrisome flaw of KBA is that it relies on shared secrets, and once a secret is leaked... it is no longer a secret. Knowledge-based authentication is a familiar and comfortable way for users to authenticate; however, it does little to verify a person’s true identity and has some serious shortcomings.
Choosing a strong identity verification service
If you’re a growing business that can’t live with these shortcomings, it might be time to start evaluating identity verification solutions. We at Passbase, while more restrictive than our older and more vulnerable cousins, will give you a high degree of confidence in the identity of people using your platform.