Introduction
Identity verification is an essential ingredient for many organizations as more high-value transactions move online. Businesses need reliable ways to verify the identity of their users: whenever, wherever, and however they interact with your products or services.
Identity verification (IDV) software can automate the user verification process for a variety of use cases and ensure accurate results to prevent fraud and enable faster online transactions.
The most common use cases for IDV cover a wide range of scenarios, based on regulatory requirements, growing fraud risk, or the opportunity to provide an enhanced or more premium level of service and account protection. Some examples include:
- KYC (Know Your Customer) account openings
- Fraud prevention or escalations
- Account recovery and password resets
- Customer service and support
- Employee IT help desk support
- Transaction authorization
- Age verification
- Verified social profiles
Choosing the right software can be a daunting task. This article outlines the key considerations when evaluating IDV providers.
Background
Most IDV vendors grew up in the KYC (Know Your Customer) space. The purpose of KYC is to respond to regulatory requirements, which means that companies must have performed a plausible identity verification process to prevent money laundering, terrorism financing, and other crimes. The primary concern is not necessarily identifying an actual person with a high degree of certainty. These vendors generally do a good job at accomplishing this task with varying degrees of automation or manual intervention.
Modern IDV vendors take a fraud-first approach. They use advanced features of modern platforms to achieve high assurance, with reliable and convenient document and selfie capture that can be used across a broader range of use cases.
The end-user workflow across vendors is fairly consistent: the person provides a photo of an identity document and a photo of their face. The vendor authenticates the document to determine if it is genuine, extracts data such as name and birth date from the document, and compares the provided face photo to the photo on the identity document.
Some of the legacy vendors have more recently bolted on features that address other use cases where it is critical to know with certainty that the person on the other end of the connection is who they claim. However, fundamental design choices, which we will discuss below, have made that transition challenging for many vendors.
1. End-User Experience: How Much Friction Is There?
The first and most important factor is user experience. What will the experience be like for a user the first time you ask them for identity verification - and is it the same the second time? Balancing user experience with security and fraud prevention capabilities is critical at each interaction.
Map out your user journey and align your requirements with the various channels and business needs your provider will be required to support. Broadly scalable software should be able to generate a verification request via link, QR code, or text link on the web, mobile, chat, email, and/or over the phone without you needing to do all your own engineering development. Businesses should strive to standardize the user experience regardless of how a user accesses your product or service. Ask your vendor to walk you through an example of an ID verification workflow for each possibility you’ve outlined. For example, can they send a link to a phone number for a faster request? Do they require users to download and install a third-party app in order to achieve reusability? Do they support both Apple and Android devices? Is white-labeling an option?
Re-verification for return users is one of the hottest topics in the IDV field today because as the use cases are growing, companies find themselves needing to re-verify a user more frequently than they did for initial KYC use cases. This process often involves prompting the user for a new scan of either their document, selfie photo, or both, and matching that against what was verified in the past.
One of the biggest security challenges businesses face is also detecting and thwarting repeat offenders, which is especially difficult if you rely on usernames and passwords or 2FA codes for authentication. Some IDV tools claim to enable re-verification by having the user create a separate username and password, and then linking that to the one-time scan they performed. If these accounts are protected only by a username and password, then it eliminates the security benefits of having performed IDV in the first place because those same credentials can be lost, stolen, or exploited if someone claims to be locked out. Rather, if the vendor combines biometrics and document authenticity with modern re-verification, you can rest assured there is only one unique account holder able to recover that account. Ask prospective IDV vendors how a user would recover their identity in the event they get locked out of their tool, or yours, and who handles it. You don’t want that burden falling on you and your support teams.
If you intend to verify users more than once, find a vendor that supports a continuous ID verification approach, ideally with only a selfie on second use, to reduce friction with each re-verification.
2. Accuracy & Automation: Is the Quality of the Image-Capture and Biometrics Technology Strong Enough?
The accuracy of the software is crucial for fraud prevention. The software should be able to verify the identity of individuals with a high standard of accuracy and data quality, resulting in fewer manual reviews and lower costs for the business. A combined approach involving both document verification and biometrics is recommended by NIST - widely recognized by government agencies as the de facto standard for accessing government services.
The software should be able to detect fake or fraudulent identities, identify any discrepancies or anomalies, detect liveness, and also verify a user’s ID itself. It’s important to dig deeper and understand each vendor’s methods of collection and verification, especially if you have high-risk, anti-fraud use cases. High-accuracy outcomes require a combination of the device, document authenticity, and biometrics.
The greatest innovation in the ID Verification market in recent years derives from the debate on browsers vs mobile apps. Browser-based technology for ID Verification has been around for over a decade, but it has fundamental technology limitations in the quality and methods of information captured, which translates to false positives, more manual reviews, and requires the vendor to cross-check with external data sources.
Consider this example: desktop webcams pose a significant risk of digital manipulation because it’s far too easy for a bad actor to submit falsified or photoshopped images. The reason is that a webcam is not able to use advanced capture capabilities for things like true liveness detection and document analysis. The same applies for solutions that launch cameras to capture images via a mobile web browser. Ask prospective ID Verification vendors if they allow PDF uploads, webcam image capture, or mobile web-browser workflows – these solutions are less secure because they do not support the on-device AI and 3D cameras found in smartphones.
This is why browser-based IDV vendors will also cross-reference external data sources, in order to compensate for the lower-fidelity way in which the photos were captured. The challenge is that it is nearly impossible to find a reliable external data source that verifies a user's biometrics because there are very few international databases (and none in the US) that have a user's photo to verify against.
App-based IDV vendors, on the other hand, allow for a faster and higher-fidelity method of capture because they use the advanced cameras and security features built into mobile phones. Yet, most companies don't want their users to encounter the friction of downloading a separate mobile app. Recent advances from Apple and Android, however, now offer a fundamental breakthrough in user experience. Apple “App Clips” and Android “Instant Apps” provide the same security features of a full app, but without the added friction of visiting an App store to download a full mobile app. If you haven’t seen this in action, it’s worth asking your vendor for a demo.
3. Implementation and Integration: How Much Work Does it Take?
The software should be easy to implement with out-of-the-box functionality for faster time to value, and also easy to integrate with existing systems and processes for future automation.
The software should provide pre-configured templates and reports, and also be flexible to customize for non-technical stakeholders. An out-of-the-box offering provides an easy way to accelerate your onboarding and integrate the software in phases over time.
When doing more custom implementations, some vendors use proprietary APIs, while others implement standard interfaces such as OAuth 2.0. Therefore, the software should be API friendly so that your engineering teams can integrate with existing systems and processes for greater automation and decision making. Consider whether your vendor offers workflow design tools, pre-built SDKs for mobile app integrations, API documentation and knowledge or experience integrating with support ticketing systems (e.g. Zendesk), CRM systems (e.g. Salesforce), and Directory Management systems (e.g. Active Directory) for employee use cases. Ensure the software can be customized to the specific needs of your business.
Organizations with a global user base must also consider the library of documents each vendor supports. The software should be able to verify a range of domestic and international documents, including passports, drivers licenses, and local identity cards issued by a government agency.
4. Cost: Pay Per Verification, or Unlimited per User?
The cost of the software is a key consideration for any company in today’s economic climate. If your use cases focus on one-time verifications, you should be able to estimate that cost based on the current volume you see for that specific use case in your organization. Nearly all providers offer a transaction-based fee structure, with a cascading tier linked to the volume of requests needed.
If you anticipate users coming back for the same or multiple different use cases, then you’ll want to consider unlimited use models based on the number of customer or employee users in your environment. For example, if the same user makes multiple purchases each year, or happens to get locked out of their account several times per year, you may be better off having an unlimited model where that user can re-verify themselves every time they transact or need to reset their account. Consolidating multiple verifications with a single vendor also provides the opportunity for greater cost efficiencies through standardization and volume-based cost savings.
It’s equally important to weigh the costs against the desired outcomes for your business. Consider how the software can make your teams more efficient, how it can reduce fraud, and positively impact your user experience. This can be as simple as calculating the number of tickets your helpdesk and support teams can automate with a self-service password reset experience, the efficiency gain for your support escalation teams, or outlining how ID verification software can reduce the likelihood of insider threats from manifesting into a breach or major fraud loss.
5. Security, Privacy, and Compliance: How Is User Data Managed and Stored?
IDV touches on a dizzying array of ever-growing and changing requirements, and vendors with forward-thinking approaches can help your business reduce your regulatory and privacy risk.
Given that IDV software derives personally-identifiable information from identity documents and an individual’s biometrics, businesses must evaluate whether they want or need to store this new level of Personally Identifiable Information (PII) that is collected.
A vendor that empowers end-users to manage consent of who has access to their personal data (and how long it’s shared) can help businesses meet GDPR, CCPA, Biometric Information Privacy Act (BIPA), and other privacy requirements. Advanced vendors will provide flexibility and give businesses the option to choose what end-user data is shared, as well as where and how it is stored. For example, you may only need a person’s legal name and proof that their identity was verified to achieve your business outcome - without storing the underlying data. The vendor should provide options that suit your risk tolerance and data requirements, while also meeting vendor security requirements like SOC 2.
Beyond privacy, IDV software can help achieve your compliance - and trust and safety - agenda too. For example, IDV software can help businesses meet online safety and age verification requirements. It can also help security teams implement multi-factor authentication on top of identity verification to meet NIST, PCI, PSD2, IAL2, and other compliance objectives.
Conclusion
Choosing the right ID verification vendor can be a catalyst and key differentiator for any business enabling more user transactions online. Traditional ID verification vendors focus predominantly on meeting KYC requirements during onboarding - a single verification. Modern ID verification vendors will provide continuous fraud prevention and added compliance benefits, efficiently re-verifying the user each time they transact with your company, without compromising on fidelity. The right IDV platform must balance end-user experience with security for first-time and repeat users alike, ensure high-fidelity analysis and image-capture for accuracy, be easy to implement with out-of-the-box functionality, be cost-effective, and help your business comply with applicable standards and regulations. By fully considering these factors, the right IDV platform can help your business stay ahead for many years to come.
