Understand the Invaluable Distinction Between Identity Verification and Authentication
In order to meet consumer expectations for safe, smooth remote interactions, organizations need greater trust in consumer identity. Trust allows organizations to approve consumer applications to open accounts and, subsequently, grant access to those accounts. The processes for establishing trust in remote interactions — from preliminary identity verification to ongoing authentication — occupy complementary and distinct points in the customer journey.
Unfortunately, the difference between identity verification and authentication eludes even some sophisticated organizations. The mistake leads to undeserved trust in individuals who are not legitimate customers. Confusing identity verification with authentication jeopardizes customer lifetime value and increases the risk of fraud losses worth millions of dollars.
Confusing identity verification with authentication
Before creating a customer account, organizations in high-stakes industries — such as financial services, insurance, healthcare, government or gambling — must check the legitimacy and interrelationship of a consumer’s identifiers. Identity verification establishes a foundational layer of trust for creating an account and can help to mitigate the risk of account origination fraud and synthetic identity fraud.
Identity verification checks the legitimacy of offline identifiers provided on an account application, such as name, mailing address, phone number and email address. Identifiers associated with legitimate identities appear together over time in multiple authoritative sources, such as telephone carriers, utilities or government agencies.
Unfortunately, bad actors can acquire identifying information by illicit means and use it for illicit activity, such as applying for new accounts or benefits in victims’ names.[i] For example, someone else can submit an application with my address, phone number, and Social Security number, but that doesn’t mean they’re me. They may have simply acquired my information on the dark web or via social engineering.
Organizations need to confirm that an individual rightfully “owns” the identifiers supplied in an application, that is, that the applicant is who they say they are. During account creation, a consumer may provide a selfie and government photo ID for a facial recognition match. We call this additional degree of rigor in the trust assessment process “identity proofing.”
For future account access, authentication checks whether individuals are who they claim to be in real time. Authentication approaches have evolved continuously in response to years of data breaches, consumers over-sharing personal information on social media and increasingly sophisticated fraud tactics.[ii]
For example, one-time passcodes (OTP) sent to consumer phones provide a trustworthy basis for authenticating consumer identity. Phone-based OTPs have been a popular second factor of authentication because consumer phones rarely leave arm's reach.[iii]
Authenticating or proofing an identity requires significantly more rigor than verifying that an identity exists. Instead of developing a more rigorous offering, however, some solution providers purposely confuse the distinction between identity verification and identity proofing or authentication to cover up their shortcomings. The confusion endangers organizations and consumers.
The danger in confusing identity verification with identity proofing and authentication
Solutions that verify identity solely via analysis of identifiers (legitimacy and relationship) can't determine that the person supplying the identifying information is the rightful owner of that identifying information. Treating a verified identity (“this identity exists”) as authenticated or proofed (“this user is who they claim to be”) can enable account takeover fraud and usher in synthetic identities.
Likewise, in the phone channel, checking whether a call has been spoofed does nothing to authenticate the caller’s identity, and yet that is the value proposition of some caller “authentication” solution providers. Call spoofing can signal risk associated with a calling phone number. However, the absence of call spoofing doesn’t prove that the caller is who they claim to be. Call centers that accept non-spoofed caller ID as a proxy for authentication incur significant risk of account takeover fraud.
The rising frequency and cost of fraud attacks have spurred organizations to implement additional protections, which unfortunately often increase operational complexity and friction in the customer experience. Legitimate customers may fail identity verification because they forget details of their identifying information or simply make mistakes. Consumers may need personal assistance from the organization to complete the process, increasing operational costs. The jarring experiences associated with false positives and manual reviews conflict with consumers’ rising expectations for safe and smooth interactions and transactions with brands. Delaying service and telegraphing mistrust degrade customer experience. The consequences can be severe; according to TransUnion’s 2022 Global Digital Fraud Trends Report, approximately two-thirds of consumers would switch companies for a better digital experience.
Start with consumer identity across the customer journey
Organizations need confidence in identity to verify, proof and authenticate consumers in remote interactions. A clear understanding of consumer identity increases trust at each stage of the customer journey and across channels, and supports the mission to nurture deeper, more efficient and lucrative customer relationships.
To form a basis for greater trust via identity proofing, organizations need robust data, alerts on emerging fraud schemes and solutions to detect synthetic identities. Real-time analysis of these inputs helps organizations expedite approval for legitimate customers, while also applying step-up challenges intelligently and identifying fraudulent account applications.
To expedite and secure authentication experiences, organizations need robust insight into consumer device data. Authoritative linkages between consumer identity and devices enable organizations to sort users intelligently and reliably into high- and low-risk buckets. Legitimate consumers experience less friction in the authentication process, while only suspicious actors encounter closer scrutiny.
This holistic approach to consumer identity allows organizations to safely provide the ideal experience each consumer seeks. A clear understanding of identity verification and authentication sets the foundation for accelerating digital transformation initiatives and meeting increasingly sophisticated consumer expectations for remote account creation and access.
[i] Legacy identity verification approaches have become increasingly vulnerable to sophisticated identity fraud attacks because the process focuses on verification of static personal data. These data have been exposed via years of data breaches and consumers over-sharing on social media.
[ii] Goode Intelligence, The Evolution of Authentication, June 2019
[iii] Forward-thinking organizations mitigate OTP fraud by withholding OTPs from phones that signal risk of an account takeover attack in progress, such as a recent SIM swap, number reassignment, or call-forwarding request.