Blog post

Trends in the Identity Proofing Market

By Akif Khan | September 15, 2020 | 0 Comments

Security and Risk Management Leaders

Proving the identity of customers in digital channels is hardly a new activity, but with the urgent focus on digital channels driven by the COVID-19 pandemic, it is more important than ever.  For some businesses, such as banks, the digital channel was considered to be one of many channels.  What the pandemic introduced was the realisation that a set of circumstances could arise in which physical branches weren’t open and telephone channels were crippled due to contact centre closures, and hence the digital channel could be left as the only channel.  If you weren’t able to verify the identity of customers and board them via digital channels during the lockdown days, then you weren’t able to board customers at all.

Traditionally, most online identity ‘proofing’ has consisted of asking customers to provide PII data such as name, address, phone number, social security number etc. and then checking this static data against so-called authoritative sources such as a credit bureau.  The challenge here, is that all you’re doing is checking the data entered into the form. Several different people could all enter the same valid identity data and it would pass static data checks every time – but that doesn’t prove that the genuine owner of the identity was entering the data.  Other techniques can be layered in here, such as device identification to try and spot anomalies in the interaction (have you seen the same device make multiple applications with different identities?), or assessment of digital attributes like email address (is there evidence out in the wild of the email address presented with this identity having been used with it before?).  Ultimately, none of these techniques prove the identity of the person interacting with your business online. These are now classed as identity affirmation techniques by Gartner – they aren’t identity proofing in themselves, but they can provide supporting evidence to the identity proofing process.

So what does count as identity proofing?

Well, Gartner now defines identity proofing in the following way:

Identity proofing is the combination of activities during an interaction that brings an identity claim within organizational risk tolerances, such that:
  • The real-world identity exists.
  • The individual claiming the identity is, in fact, the true owner of that identity and is genuinely present during the process.

Pragmatically, what this means in digital channels is what we formally call document-centric identity proofing, but which I informally refer to as the ‘ID+selfie’ process……….customers need to take a picture of their photo ID document (e.g. driving licence, passport etc.) and then take a selfie of themselves.  The process of taking the selfie should involve testing for genuine presence (also commonly referred to as “liveness detection,” more formally as presentation attack detection).

And so whilst the checking of static data is relying only on “something youbut-not-only-you know”(stating a name, address, SSN…), the document-centric checking is relying on both “something only you have” (e.g. your passport) and “something only you are” (i.e. your face).  And so a higher level of identity assurance is achieved.

I have definitely seen an increase in client calls on the topic of introducing the “ID+selfie” process into digital channels since the pandemic started.  Such solutions are not a silver bullet though, and taking things one step further, I see the rise of vendors who focus on orchestrating the identity proofing journey.  These vendors offer a single API connection for you to deal with, and in turn connect to dozens and dozens of other vendors within the identity proofing and affirmation ecosystem.  Workflow capabilities allow you to design and orchestrate the entire identity proofing and onboarding workflow.  For example, choosing vendors who specialise in covering particular regions to offer better acceptance rates for customers from those regions.  Or configuring fallback vendors to use in the event of latency from a primary vendor.  Or where results are not conclusive, invoking additional vendors to increase confidence levels.  The possibilities for A/B testing to find the best vendors, and for optimising cost and efficiency, should be obvious.  Once again, I find myself saying that orchestration is the strategic value proposition that clients are seeking.

To read more about these and other trends in identity proofing, take a look at our latest Market Guide for Identity Proofing and Affirmation.  Let me know what you think.

Leave a Comment