With most businesses now looking to online as a major channel for customer acquisition, retention, and customer service, establishing trust with consumers is crucial for short-term and long-term success.
Unfortunately, public perception of the security of digital transactions is compromised every time a news story about data breaches, compliance issues, and identity theft hits the media. That’s why it’s so important to have operational processes and identity theft solutions in place to prevent your company from falling victim and compromising your customers’ trust.
Verification and authentication each play a critical role in your ability to keep your online channels free from fraud, maintain compliance with identity-related regulations, and deliver a smooth and positive customer experience. However, more often than not, these terms get used interchangeably as the two worlds increasingly intertwine along the customer journey.
We’re going to clarify the differences between verification vs authentication, and explain how to use each to ensure safe practices for online identities and cybersecurity.
Understanding the identity lifecycle
Understanding the different stages of the identity lifecycle is the first step to figuring out when verification versus authentication is applicable. The process of establishing a person’s identity, and continuing to allow interactions at various stages based on that identity, is referred to as the “identity lifecycle”.
The identity lifecycle is not a one-time event. Rather, it’s a process that starts when a person first registers and verifies their identity, and continues with the authentication of that identity, continually allowing for updates to their attributes and credentials over time. The identity lifecycle ends when an identity record is retired or invalidated (e.g., an individual requests removal).
What is identity verification?
In general, verification refers to checking and obtaining information about an individual, company, or organization to ensure they comply with the standards and/or requirements. For example, someone wants to subscribe to an email list. Verification would be sending that person an email asking them to click on a button to confirm that they made the request.
In the case of cybersecurity, verification is intertwined with compliance with regulatory standards based on industry best practices. The European Union’s General Data Protection Regulation (GDPR) and the United States Health Insurance Portability and Accountability Act (HIPAA) are good examples.
A specific type of verification that’s used within the banking industry to fight fraud and stolen identities is identity verification. This is the process of ensuring an unknown user is who they claim to be, which also includes verifying the presence of a live person. Identity verification is of particular importance during the digital onboarding stage of a customer’s online journey.
Reverification occurs when an existing user is locked out of their account. For example, they’ve forgotten their password or have a new mobile device and can’t retrieve a one-time password. Before unlocking their account, the business needs to go through a process of verifying the user’s identity again, using means such as knowledge-based authentication. Reverification may also be necessary if a business has to revoke a user’s access due to an account takeover.
What is identity authentication?
Authentication is the process of validating a known user’s identity to allow access to an account, device, or location. Common authentication types include something the user knows (like a password), something the user has (like a mobile phone or token), and something the user is (biometric data like a fingerprint).
Identity authentication is used when the authenticity of a person needs to be proved. In this case, what the person presents is compared against the personal information they gave previously. For example, if a customer has a new phone, they will need to confirm it is the same person trying to log in, and the system might request additional information.
Three authentication methods
- Continuous authentication
Continuous authentication is when identity verification is confirmed on an ongoing basis throughout the lifecycle. A system does this by constantly measuring the probability that individual users are who they claim to be throughout an entire session, from login to logout. Data profiles communicate with the financial institution’s risk engine to provide the most accurate risk score to help detect fraud. This allows financial institutions to determine and apply authentication requirements that match the relative risk of the transaction as it is taking place.
- Multimodal authentication
Multimodal authentication refers to the use of multiple biometric authentication modalities for enabling user access. For example, a mobile application might layer voice biometrics and facial recognition to ensure high security with minimal friction. Note that this is separate from multifactor authentication.
- Step-up authentication
Step-up authentication is a way to reduce friction by only requiring an additional authentication factor when the risk level increases. Transactions that require strong authentication could include a transfer request for funds over a certain amount, a request to change the mailing address on a bank account, or a request for access to certain resources.
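The decision logic behind continuous and step-up authentication, as described above, can be expressed as a small policy function. This is an added example, not code from the original article; the thresholds, action names, and the `Session`, `complete_step_up` and `decide` names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (illustrative, not from the article).
TRANSFER_LIMIT = 1000.00   # transfers above this amount need an extra factor
SENSITIVE_ACTIONS = {"change_mailing_address", "access_restricted_resource"}
RISK_STEP_UP = 0.5         # session risk at or above this forces a challenge
RISK_DENY = 0.9            # session risk at or above this blocks the request
STEP_UP_TTL = 300.0        # seconds a completed challenge stays valid

@dataclass
class Session:
    user: str
    risk: float = 0.0                     # running fraud-likelihood score
    last_step_up: Optional[float] = None  # time of last passed challenge

    def update_risk(self, signal: float, weight: float = 0.5) -> None:
        """Continuous authentication: blend each new risk signal (0..1)
        into the session score, from login to logout."""
        self.risk = (1 - weight) * self.risk + weight * signal

    def complete_step_up(self, now: float) -> None:
        """Record a passed challenge; it also counts as a low-risk signal."""
        self.last_step_up = now
        self.update_risk(0.0)

def decide(session: Session, action: str, amount: float = 0.0,
           now: float = 0.0) -> str:
    """Return 'allow', 'step_up' or 'deny' for a single request."""
    if session.risk >= RISK_DENY:
        return "deny"
    risky_session = session.risk >= RISK_STEP_UP
    strong_needed = (
        action in SENSITIVE_ACTIONS
        or (action == "transfer" and amount > TRANSFER_LIMIT)
        or risky_session
    )
    if not strong_needed:
        return "allow"
    fresh = (session.last_step_up is not None
             and now - session.last_step_up <= STEP_UP_TTL)
    # A recent challenge covers sensitive actions, but not a session whose
    # risk is currently elevated: that always triggers a new challenge.
    if fresh and not risky_session:
        return "allow"
    return "step_up"
```

The expiry on a completed challenge keeps a single passed factor from authorizing sensitive actions for the rest of a long session.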
Verification and authentication are both necessary for protecting online identities
Identification plays a big role in the financial services industry. It’s key to helping companies build trust with their customers, while also meeting compliance standards and maintaining fraud prevention. Verification and authentication are the backbones of the fight against digital identity fraud. Each is effective on its own to a certain extent, but pairing them together is the solution to building the strongest wall of security to prevent fraud.