Community
To most organizations you interact with, your identity extends beyond just who you are. For a healthcare institution, your identity is you plus your proof of insurance. In dealing with your stockbroker, bank or mortgage lender, it’s you plus your money, your social security number, credit rating, etc. And for companies that answer to regulators, your identity likely includes your location or jurisdiction where you reside—and perhaps your age.
Think of identity as a living entity, constantly changing with time. Today, your bank may ask for basic credentials based on the Know-Your-Customer (KYC) data they have on you. Tomorrow, as cyberthreats evolve and the risk calculation changes, they may ask for additional proof of identification, like a scan of your iris.
In short, identity is a complex matter. There is no silver bullet of identity verification (IDV) to fend off all attackers. But upgrading IDV to switch dynamically between different modes of verification makes it much harder for fraudsters to anticipate. For example, a company can tailor its IDV process to ask for your password and userID as expected, and then, when a signal raises suspicion, also require a code sent to you via text.
Businesses can collect a rich assortment of data about you, from location to facial scans or spending habits. Having multiple types of data and verifications available is foundational for dynamic IDV. Flexibly combining data types requested from users in reaction to signals such as an unusual IP address, adds unpredictability for fraudsters. Counterintuitively, it can also mean fewer checkpoints are needed during a user’s journey. Using more data types can help reduce friction in certain cases.
Flexible Identity and Dynamic Flows
Key to success with dynamic IDV is an ability to change in real time which users take different, agreed-upon paths based on a variety of signals and data points. Someone buying video games from an IP address in Syria with a US credit card requires more verification rigor than a buyer in the US.
For a lender, it could work in reverse; an applicant with excellent credit seeking a large loan probably poses a higher identity risk than a small-loan applicant who admits to a poor credit history. The latter, with a low FICO score, is clearly a business risk, but a lender would have taken that into consideration. Distinguishing between users—based on perceived risk, weak spots, and live signals—enables you to create tailored approaches for a better user experience. This also minimizes the loss of customers over “IDV exasperation.” The ability to tailor this journey at scale requires a dynamic approach to IDV where risk is continually balanced against friction.
A business can leverage passive signals as a first filter in some situations, then use dynamic IDV to cut down on friction—while meeting goals for fraud control, trust, safety, and compliance. Additional verification checks are then applied dynamically where needed, such as confirming customer age when shipping alcohol with a food order.
This way, the IDV process adapts as situations evolve, balancing user experience against fraud mitigation. It is not only about authentication factors used at checkpoints. It’s also the process. The user journey for IDV is important. If the workflow they follow adapts to each user appropriately, and is unpredictable to fraudsters, IDV becomes much harder for them to crack.
An additional reason to implement dynamic IDV: changing regulations, threats, business conditions, and company policies often require shifting IDV checkpoints. It’s rarely as simple as maximizing net revenue by optimizing the tradeoffs between low-friction user experience and fraud control. There’s a more intricate balance that takes into account compliance, public reputation, the cost of remediation, and user satisfaction—alongside fraud losses and sales gains.
Like many aspects of software and web development, building the capability to switch IDV modes responsively is usually best delegated to specialists. In other words, “buy” rather than “build.” Third-party software providers are often used because handling PII is their specialty, and it’s a massive task to integrate with the different verification resources. A third-party provider can also carry out dynamic identity verifications, and make it easy and efficient to customize the supporting workflow. Providing convenience is central to their value proposition.
Reduce friction and improve security
Dynamic IDV has the potential to both improve security and reduce friction for users. An unexpected checkpoint method can catch fraudsters unprepared. Dynamic IDV could actually mean fewer checkpoints yield better security if they are surprising—and fewer stops improve the user experience.
To execute on this approach, automation is the most effective mechanism. In practice, dynamic IDV enacts decisions based on signals and data without needing a human in the loop. Automation also carries out your policies on varying the checkpoints dynamically, in reaction to user behavior and passive signals. It’s obviously far faster than humans at verifying security data. It also cuts the risk of internal attacks by reducing the number of employees and third-party reviewers needed to interact with your users’ personal data.
From the perspectives of risk management and customer experience, dynamic IDV—using automation rather than a manual approach—is the best way to handle the reality that user identity is not static. IDV needs to respond as a business evolves, as fraudsters try new methods, and new verification technologies come online.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Kathiravan Rajendran Associate Director of Marketing Operations at Macro Global
25 November
Vitaliy Shtyrkin Chief Product Officer at B2BINPAY
22 November
Kunal Jhunjhunwala Founder at airpay payment services
Shiv Nanda Content Strategist at https://www.financialexpress.com/
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.