Strong identity verification solutions are great for securely onboarding users to financial services, verifying gig workers, and fulfilling prescriptions in telehealth. Identity verification is a necessary precaution, and for an increasing number of industries, a compliance requirement. In some situations, however, you may only need a particular security feature and not the whole verification solution.
Before diving straight into identity verification solutions or knowledge-based authentication alternatives, it’s important to understand your requirements and choose the solution that best solves your specific problem. Below, we list some common user verification methods to consider that may be more lightweight to implement.
CAPTCHAs
If your goal is to verify that you are not facing a script, bot, or other kinds of automation, then CAPTCHA technologies are a great “liveness detection” solution.
CAPTCHAs provide a test that is easy for humans to solve but difficult for machines to figure out. This can include identifying certain objects (such as cars) in cut-off images, because a machine may not have enough information to recognize the object from a fragment (such as the rearview mirror). CAPTCHAs are commonly used in onboarding flows to help protect websites and services from spam and abuse.
Available knowledge-based authentication alternatives include reCAPTCHA, which is a popular technology provided by Google. It’s currently installed on almost 2 million domains and helps companies in the education, health and other sectors. Developers can also look for open-source solutions.
However, deep learning models are becoming more efficient and better at identifying buses and staircases and selecting traffic lights. The Verge reported that humans get CAPTCHAs right only 33% of the time and that trained machine learning algorithms have become much better than humans at solving them.
Address-based verification
If your goal is to prevent duplicate account creation, then an address-based verification technology is a good option to consider (not to be confused with address verification which is used by payment providers to verify a credit/debit card owner’s registered address).
Usually address-based verification is performed by sending a one-time password (OTP) to the e-mail or phone number used for registration. The user enters the code that they received into a website or application, thereby confirming that they have access to this “address”. This effectively prevents a user from creating a huge number of fake accounts for malicious reasons.
Preventing account duplication is important for services that have free plans. Without this type of protection, users can create infinite accounts and abuse services.
However, address-based verification is vulnerable to e-mail or phone number hijacking, compromised accounts, and collusion between parties. While address-based verification is a great method to avoid duplicate account creation, it does not actually verify the identity of the person you are dealing with.
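The one-time password flow described above, as an added example (not code from any vendor named on this page). The class name, the 10-minute lifetime, the 5-guess limit and the lowercase normalization are assumptions chosen for illustration; delivery by e-mail or SMS is left to the caller.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600  # assumed validity window for a code
MAX_ATTEMPTS = 5       # assumed number of guesses allowed per code


class AddressVerifier:
    """Issues and checks one-time codes bound to an e-mail address or phone number."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}     # address -> [code, expires_at, attempts_left]
        self.verified = set()  # addresses that already back an account

    @staticmethod
    def _normalize(address):
        # Simplified canonical form so the same address cannot register twice.
        return address.strip().lower()

    def issue(self, address):
        """Generate a 6-digit code; the caller delivers it by e-mail or SMS."""
        address = self._normalize(address)
        if address in self.verified:
            raise ValueError("address already used for an account")
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[address] = [code, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def confirm(self, address, submitted):
        """Return True once, for the right code, before expiry and the guess limit."""
        address = self._normalize(address)
        entry = self._pending.get(address)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[address]  # expired or guessed too often
            return False
        entry[2] -= 1  # count the attempt before comparing
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        del self._pending[address]  # single use
        self.verified.add(address)
        return True
```

A success here shows only that someone can read messages sent to that address, which is the limit the paragraph above describes.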
Knowledge-based authentication (KBA)
Knowledge-based authentication (KBA) ensures that a user accessing your platform knows specific information such as a password (or a secret) and secret answers to questions that are not so secret.
This method of authentication has several vulnerabilities. A secret question is effectively the same as a password and often less secure because it is a word or sentence. Since many users answer these questions honestly, it is easy for fraudsters to access the information (through searching, buying, leaking, or hacking) and use it to gain access.
Knowledge-based authentication relies on shared secrets and once a secret is leaked… it is no longer a secret. It is a familiar and comfortable way for users to authenticate themselves, but it does not verify the identity of the person entering the information. Thus it is best to seek knowledge-based authentication alternatives if possible.
RFIDs, QR Codes, and Devices
Another method of adding a layer of security is to introduce 2-factor authentication. For example, a user not only has a password, but can only gain access to their account when they can also present something they have, such as an RFID, a QR code, a smartphone, or a YubiKey.
A common example is unique QR codes generated for tickets or online purchases with offline pickups. Sometimes, this level of security is enough because the person who is presenting this item is, in theory, the person who should be receiving access. This could also be a good knowledge-based authentication alternative.
The security of verifying something you have depends on what the method is. For example, a QR code can be easily screencapped, which makes it easy to share and easy to steal. In contrast, a YubiKey is a physical, encrypted USB key that meets FIDO U2F standards for security and grants the user access (usually in conjunction with another verification method such as a password). The trade-off with physical objects like a YubiKey is that if they are lost, account recovery is difficult.
Authenticator Apps
Finally, authenticator apps are another type of 2FA that businesses can require individuals to use in order to verify their identity. It’s also a secure knowledge-based authentication alternative. Example solutions include Auth0 or Google Authenticator, where accounts that have activated 2FA will require a constantly refreshed code from the app to also be submitted during a login.
Although these apps add a sophisticated level of security, many users may not be familiar with them and so requiring their use may result in lower conversion rates.
Choosing a strong identity verification service
With the strides made in identity verification today, security can also come with convenience. User verification can be performed through secure identity verification done in a matter of seconds. Identity verification based on biometrics (such as your facial features) removes the need for long passwords that are both easily forgotten and hacked. Taking a video selfie helps perform the liveness detection of CAPTCHAs. Here’s how a user can perform an identity verification in under a minute using Passbase:
If you’re a growing business that can’t live with these shortcomings, it might be time to start evaluating identity verification solutions. Passbase is that knowledge-based authentication alternative you need. You can book a demo, explore our developer docs, or sign up here to see how Passbase can be integrated into your product and services.