September 18, 2024

How to Choose Identity Verification (IDV) Software

by
Nametag Team
press@nametag.co

Get in touch with our PR team.

Download media kit

Logos and graphics to help you cover Nametag.

Nametag console showing a successful verification result

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

Learn how

With dozens of identity verification (IDV) software options on the market, selecting the right one is crucial. Making the best decision requires a clear understanding of your needs and what each product offers. This guide offers eight key questions to ask and five critical factors to help you evaluate and select identity verification software that fits your organization's needs.

Key Considerations When Choosing IDV Software

When evaluating identity verification software, keep in mind the following:

  • Risk tolerance: What level of security risk is acceptable when verifying identities for MFA resets, workforce onboarding, or employee verification?
  • Ease of use: How much frustration will your end-users tolerate to protect our organization? This may depend on your line of business: in healthcare, for example, time spent on IDV could be time spent not delivering care.
  • Deployment: How many resources can you dedicate to implementing an identity verification system? (staff, budget, technical resources, time constraints, etc.) 

8 Questions to Ask Identity Verification Vendors

  • End-user experience: What is the average time for identity verification, and how does it impact user productivity or experience?
  • Automation: Does this solution integrate into my ticketing platform and/or provide a complete, end-to-end user experience for password/MFA resets?
  • Deployment: How much work is required to get started enrolling users or configuring my IT environment?
  • Integration: Will the solution seamlessly integrate with our identity providers and SIEM systems? Will we need to build or customize any front- or back-end elements?
  • Deepfake prevention: How does this prevent the use of AI deepfakes? 
  • Cost optimization: What is the total cost of each verification?
  • Proof of Concept: What does a POC look like for this tool?

3 Things to Look For In An Identity Verification Vendor

Look for the following in an identity verification software provider:

  • Cryptographic security: Evaluate if the product is designed for compliance (KYC) or for security, including its level of vulnerability to injection attacks and threat actors using deepfakes. Avoid solutions that rely on easily-compromised verification channels like web browsers, webcams, or document uploads. Look for specific security features such as the use of App Clips/Instant Apps and cryptography to prevent deepfake injection attacks, and spatial liveness detection and biometrics to detect deepfake presentation attacks. 
  • Easy deployment: Consider the deployment method (e.g. API vs. SaaS), how long it will take to integrate, and what resources will be required to set it up. If you’re looking for identity verification software to address an urgent threat, prioritize vendors that sell ready-to-use solutions. Avoid vendors that sell you an API and leave you to build your own user experience and data connections.
Onfido homepage
  • User experience: To ensure better security and end-user experience, choose a product that accounts for re-verification and re-binding to new devices. Avoid products which throw away the results of each verification: this approach sounds good in terms of privacy, but has major drawbacks and is often a poor choice when it comes to workforce verification use cases.

Identity Verification Market Overview

The identity verification (IDV) software market can be divided into three groups:

  1. Customer verification tools (KYC and AML): Built for compliance and revenue conversion, often relying on web-based solutions with document uploads.
  2. Consumer benefits platforms: Focused on user convenience and revenue conversion, often vulnerable to basic account takeover attacks.
  3. Workforce-grade verification platforms: Designed to prevent impersonation attacks, often more secure and resilient against AI-generated deepfakes.

Each category offers specific products for specific use cases. Beware of trying to repurpose a product built for one type of scenario into other environments.

Customer Verification Tools (KYC & AML)

Most IDV products on the market today are built for Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. Critically, these products exist to turn users into revenue––not to provide the level of assurance required at high-risk moments like MFA resets and access grants.

Need proof? Just look at their websites and count how many times you see words like “customer”, “onboard”, “convert”, “compliance”, “growth” and “acquire”.

Incode homepage

This is important because KYC products make deliberate sacrifices in pricing, fraud prevention, and user experience, for the sake of converting more users.

For example, KYC tools often use web browsers and webcams to capture ID documents and selfies, but these channels are vulnerable to digital injection attacks which insert false data like deepfake images and videos. Some providers allow document uploads, letting attackers simply upload a deepfake ID or selfie.

“The images are so good that 404 Media was able to get past the KYC measures of OKX, a cryptocurrency exchange that uses the third-party verification service Jumio to verify its customers’ documents.” –– Decrypt.co, People Are Using Basic AI to Bypass KYC —But Should You?

KYC providers may charge a dollar or two per verification but throw away the results afterwards, forcing you to pay again to re-verify the same person. This means that their actual cost is typically much higher than it appears. It also creates a frustrating experience for employees who contact your helpdesk or reset their passwords/MFA multiple times, and limits the provider’s ability to detect and stop repeat fraudsters.

Consumer Shopping Providers

Some companies market themselves as IDV companies but are actually consumer shopping plays, not security products. Companies like ID.me claim to be focused on security, but in reality need to make their products as easy to use as possible because their fundamental business model is based on consumer shopping discounts

The upshot is that ID.me leaves their user account vulnerable to the very attacks the company promises to protect against. Consider that ID.me accounts are only protected by an email + password. Users are encouraged to enroll in multi-factor authentication, but they’re allowed traditional factors like SMS or email passcodes which attackers can easily intercept or socially engineer from a victim.

ID.me sign in page

At the end of the day, products like ID.me are just another type of customer verification tool: built for user conversion and compliance, not for security and assurance. If you’re evaluating one, make sure they’re actually built for your business and use case.

Workforce Verification Platforms

Threat actors are constantly attacking employees, and for good reason: taking over just one employee account can give an attacker the access they need to take down an entire business like MGM Resorts. Now, a subset of identity verification providers are building solutions specifically for workforce account protection.

Watch: Eric Richard, CISO and senior vice president of engineering operations at HubSpot, explains why his organization is using a new approach to thwarting phishing attacks against help desks developed by Nametag.

Nametag saw the flaws in KYC tools and consumer benefits companies, and built a solution. To date, Nametag is the only identity verification software that's built for employee account protection. We provide out-of-the-box solutions for self-service MFA and password resets, agent-assisted helpdesk verification, and other use cases, all built on our patented technology that prevents AI deepfakes and injection attacks by design. 

Self-service workforce account recovery with Nametag (learn more)

How to Choose the Right Identity Verification Software

Not all identity verification solutions are designed to meet the unique needs of workforce identity scenarios, such as password and multi-factor authentication (MFA) resets, helpdesk verification, and employee onboarding.

When selecting identity verification software: 

  • Prioritize vendors that offer a comprehensive solution out of the box
  • Look for a product that integrates seamlessly with your existing identity systems, and one that can be deployed quickly with minimal setup​​
  • Ensure that the solution is secure against deepfakes and injection attacks

Choosing the right identity verification software isn't just about meeting compliance requirements, it's about safeguarding your organization from sophisticated threats like AI deepfakes and digital injection attacks. Don't let a poorly selected tool expose your company to unnecessary risk. Protect your company by investing in a solution designed specifically for high-risk, workforce account protection scenarios. 

To learn more about securing your workforce accounts with Nametag’s next-generation identity verification, visit getnametag.com or request a demo today.

Secure your helpdesk against social engineering and impersonators.
Learn more about Nametag
Right Arrow Blue
We use cookies to provide, improve, and promote our services. By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. Visit our Privacy Policy to learn more.
Decline
Accept All Cookies