Considered to be a core challenge of the internet, the ability to reliably ‘know’ someone is critical to multiple interactions; from protecting online customer accounts through to meeting regulatory and compliance guidelines. How to prove an identity on the internet has changed significantly over the past 20 years, and has been approached in many ways but, until now, few have managed to fully achieve verification. How do businesses link online to offline identities? Here are the three most common ways identity validation, verification and authentication has developed over time.
- Identity Validation is what most people might associate with identity checking on the internet. Validation is where an individual’s information, such as name, address, telephone number, and email address are checked to see if they exist in the real world. This can be done by checking databases such as postal address files, telephone records or even basic credit data. Validation provide assurances that there is a real phone number, postal and email address that the customer could be associated with. It is important to note, that identity validation does not link that data to you as the individual interacting with the organisation. Upon successful completion of proving the individual exists, customers are issued a username and password to log into that site and their identity is validated. Validation provides less friction in the customer journey and is of particular use when onboarding customers for low risk products.
- Identity Verification is the much more in-depth step of linking an individual to the information that they provide. In the validation step, companies are seeing if the data is real, in this step a customer is tied directly to the information and verified as genuine by additional checks including official databases such as driver license files, electoral registers and the credit bureau. This level of check is often associated when companies have a regulatory obligation to prove that you exist – for example as part of setting up a bank account or applying for a loan. Verification has more friction than validation however this is good when more certainty is needed that the individual’s data links, e.g. their address matches their name. Experian research shows that some friction, caused by fraud controls, are valued by customers, especially when high value products are involved such as mortgages.
- Authentication is the process by which a customer’s identity is qualified against something that only the user should have or know. This process determines that the individual is who they say they are by utilising existing user-provided information, e.g. the individual is asked a series of questions which would only be known to them, that they must answer correctly to log onto an existing account, or a onetime password is sent to their mobile phone. This process can provide friction in the customer journey however developments in this area, like using biometrics, are improving the customer experience and providing greater certainty for businesses.
Let’s now focus on the advantages and challenges of these methods for identifying customers:
The identity validation approach has many benefits, but also issues. From a positive digital perspective, it is very easy for customers to move around the internet because businesses are using the information held by these organisations when identifying the customer. The problem is identity validation doesn’t provide these companies a high-level assurance that this is actually you, just that this person exists . So, an individual can set up a fake account using real data, which isn’t theirs, and log into various services to interact with them. This approach is good for low risk products, such as setting up a profile for an online retailer, as there’s less friction therefore less chance of abandonment but also the transaction is typically lower risk.
With identity verification there are positives and negatives as well. As a company, you get a much higher level of assurance that the customer exists and their information belongs to them, making it much more secure than a validation. Often though, the acquisition of this data and processes to verify it can lead to a slower customer experience as it brings friction to the journey and slows down the process. There are situations where people can steal identities and impersonate an individual to get around these checks too. An example of this could be where an individual gets hold of another person’s bank statement, which contains name, date of birth, address and bank account details, and uses this information to apply for a credit card without the victim knowing.
So, what is the answer? A lot of time and energy has been spent to make the identity verification process more secure while also making it more customer friendly. At Experian, we have developed a Risk Based Authentication approach which integrates validation and verification, but with stronger controls that authenticate too.
Through this approach the time taken to source data to validate, and verify, is minimised but the strength of checks remains high. Regardless of the risk, each transaction is checked and processed meaning low, and high risk transactions get the right security with the least friction. Through our approach, we can insert biometrics and other valuable steps in the journey helping you enhance experience, while minimising risk.