Questions? Call us today: (516) 778-5639

authID Home
authID Home

Article

Top Identity Verification Service From authID

Home » Articles » Top Identity Verification Service From authID
Article by Jeff Scheidel, VP of Operations, authID

IDENTITY VERIFICATION – ARE YOU REALLY YOU?

Nobody proves their identity for a living. Identity proofing is simply a means to an end. The truly useful process of identity is authenticating, i.e. restating your already-given identity in order to gain the access needed to transact business. But the day-to-day act of authentication cannot possibly happen until that identity has been established. If one is posting pictures of their dinner, their pets doing funny things (cat videos are the empty calories of the internet), or themselves participating in flash mob dance parties, then identity isn’t a big deal.

However, even social media, depending on how it’s utilized, may require a stringent proofing process requiring a strong online identity verification service. And certainly commerce of any kind, such as buying, selling, or money transfers, must be prefaced with a definitive vetting of who a person truly is.

So to restate again, authentication is logging in day after day. But for any kind of risky transaction, whether as a consumer or member of the workforce, identity verification comes first. I verify, therefore I am.

There are multiple approaches to identity verification. But they all have the same goal: ensure that whoever is knocking is someone that should be allowed in the door.

WHAT IS IDENTITY VERIFICATION?

“Trust, but verify,” is an old saying. Performing identity verification online means proving one’s stated identity, in order to start a trusted relationship. To you, your name and your very being are your identity. But to the rest of the world outside your family, your identity is comprised of various components of data that can take various forms. Name, address, phone number, Social Security number, date of birth, IP address, device fingerprint, bank account number, and other items all make up the totality of an individual’s identity.

Evaluated individually but also in relation to each other. Any date of birth (unless it ‘s from two-hundred years ago) can be valid, but does it match the name and Social Security number? That’s a real phone number, but is it yours? And is it only a few days old? Maybe it belongs to a burner phone. You claim to be in New York, but your IP address indicates you are in California. And in fact your phone is registered to a Chicago address. There are many extrapolations.

Remember, this is all for the purpose of establishing that trusted relationship so that you can return data after day and transaction your business. An online identity verification service creates that baseline, that foundation for trust.

In general, it can include things you know, things you have and, increasingly, things you are.

DIGITAL IDENTITY VERIFICATION

When you go to the dealership to get a new car, or to the title company to sign your life away for that first mortgage, you bring a pile of documents that a real live person examines. But so much more business is transacted online, therefore we increasingly rely on digital identity verification. This is a double-edged sword. Why?

Being able to assert your identity remotely allows you to do it from the comfort of your home, submitting yourself to an identity verification service, without having to get on the road. No more driving to an office to stand in a line to present your license at a window to a stranger. And certainly there’s no Facebook office to visit. The organization you’re applying to also doesn’t want you to visit, since this means hiring more staff and executing manual processes. Verifying identity in person is expensive for both parties

But that convenience comes at a cost. It’s so much easier for fraudsters to pretend to be other people online. But just as travelers typically eschew safety for a faster line at the airport, they disdain online security in favor of ease-of-use. As was stated at a recent security conference in Chicago, “we’ll jealously guard our PII from any possible intrusion until somebody offers us a coupon for a free pizza. Because then we’ll say, here’s my DNA if you want it, just give me that pizza.”

Strong online identity verification is a must in our increasingly digitally-connected yet physically-disconnected world. COVID only hastened the rush to digital-only identity assertion.

FORMS OF ID VERIFICATION

Some think that Facebook is a good authenticator. Well, if you’re trying to create an account in a low risk situation, such as a news site, or gaming, and you don’t wish to start from scratch, Facebook or Google are often convenient options. But these are lousy verifiers. Requiring a cel number that may be a burner does not constitute an online identity verification service. The crazy number of phony Facebook accounts attests to this. There are countless millions of clearly fake names, along with clones of legit ids, and bogus accounts used for spreading disinformation. The fact that there exist social media apps that members need to pay to be “verified” makes one wonder, what about all those many other accounts?

E-signatures are useful if the recipient is already a known entity. Otherwise, they only prove that someone received an invite to e-sign.

In general, verification (just like authentication) is based on:

  • Things you know
  • Things you have
  • Things you are

Things you know are the most common. You know your password, right? But in terms of verification, you are initially providing name, address, phone, SSN, etc. in order to assert your identity. But of course these things can be (and quite often are) stolen, allowing thieves to pose as you, and open up accounts, or break into existing accounts, in your name.

Security questions can be useful, but are also often stolen or guessed. This has led to people using bogus answers for their security questions (What is your favorite color? “Ice cream.”). Knowledge-Based Authentication, or KBA, can also be compromised. Information gleaned from data brokers, such as make of first car or past addresses, can be found by bad actors on the dark web and used for impersonation.

This has led to a wave of online identity verification companies providing their own services for detecting fraudulent applications, to better ensure that someone applying for a loan, an account, a credit card, or any kind of sensitive access, is in fact who they claim to be. If a name can be strongly linked to the phone, address, SSN, IP address, or some adequate combination of these, there is a far stronger likelihood that the claimant is legit. Patriot Act identity verification requirements for KYC / CIP, for example, mandate a more than reasonable attempt to verify the identity of any applicant for financial services in the US.

Things you have? Quite often in verification that is a smartphone. If I can verify that the phone number you provide actually belongs to the name provided, I can then send a text to that phone that must be replied to. Of course, there are ways around this as well. “Things you have” often only proves that you physically possess the thing, not that you’re the person it legitimately belongs to.

Another thing you have? Unstructured documents, such as utility bills, credit card bills, and other hard copy information that may need to be scanned and submitted for manual review, which can add minutes or even days to an identity verification process.

Things you are? This involves biometric verification, or the validation of physical attributes, such as face, voice, and fingerprint. We will discuss that in more detail later.

HOW IDENTITY IS PROPAGATED ACROSS PLATFORMS

Once an identity is established through an identity verification service, it must be inserted into those slots where it is to be used. Most individuals are stored in databases belonging to the platforms they have applied to. Quite often, these databases are in the form of LDAP, or Lightweight Directory Access Protocol. These are very fast, highly indexed layers on top of data that allow for quick retrieval and easy search. Directories are more organized than simple databases, and can be designed to mirror an organization in order to establish proper access. For example, people in the accounting branch of the directory may be allowed to access the general ledger, while only the Payables branch can pay the bills, and only the Receivables branch can count the revenue. Those in the customer branch can transact business, while those in the employee branch manage that business behind the scenes. And so on.

Federated identity allows users to be recognized across domains that aren’t necessarily within their own organization. Federation requires a trust between orgs, as in the aforementioned ability to create an account using Google or Facebook. These other platforms trust Facebook, therefore allowing a FB-verified identity to be used in establishing identity.

AUTHORIZATION

Another critical aspect of successfully performing identity verification online is putting yourself in line for what you’re allowed to access. Now that I’m here, what will you let me do?

Authorization is a follow-on process to any identity verification service. Access may not be an all-or-nothing proposition. Based on your identity, you may have differing levels of access. This may be role-based, merit-based, or paid access. Getting a user in the door, determining what their access should be, and creating those accounts, are the hallmarks of a full identity service platform.

For example, in the case of workforce, everyone at a company has access to email, the company directory, the app to manage 401K’s, download access for tax forms, etc. Then it gets sliced up. Accounting gets access to payables, receivables, general ledger. Human Resources can examine salaries and benefits. IT staff can set up all this access to ensure that only the right people can access the right assets.

Consumers may pay for, or otherwise earn, enhanced access, such as for silver, gold and platinum customers. Pay more, spend more, transact more, and you receive additional benefits. These kinds of enhanced access are then attached to the previously-verified identity. A user cannot be authorized until they have been verified.

The process of customer identity verification and authorization is usually automated. But within employee populations, the process is often driven by managers who presumably know their organizational members.

The actual process of creating user access in one or more accounts is called provisioning. This process requires that the central user repository has the appropriate connectors to these other systems. You’re in accounting? I’ll connect to the accounting system and create your account there.

WHEN IDENTITY MUST BE RESTATED

It is occasionally necessary to restate identity verification. If a user has been inactive for a long period, they may need to re-verify. And regardless of activity, a level of privileged access may necessitate periodic re-verification or authorization. This doesn’t mean going through an entire cycle of an identity verification service, but rather a war-up. Large organizations, especially those archiving sensitive information, will on an annual basis require group leaders to review and re-authorize user access. This process is typically called recertification.

In organizations that are segmented into smaller groups, recertification may be performed by individual line-of-business owners who are familiar with all the members of their groups. But in larger or more diverse groups, simple access may be performed without human intervention, sometimes by a process known as Robotic Process Automation (RPA) which re-ups basic authorizations in the absence of any mitigating factors or changes in access schemes.

CHALLENGES OF IDENTITY VERIFICATION SERVICES

The process of completing identity verification online is only as strong as the data provided to it. Depending on the criticality of the digital assets behind the authentication that follows verification, the requirements for proofing information will be of differing strength.

When creating a social media account, for example, a user typically says, “This is me,” and that’s it. To tamp down a potential billion new, fake accounts, some social media platforms require a smartphone number to which they can send a validation text which must be responded to. This still only validates that an individual holds a phone, not the identity of who holds it.

In fact, far too many identity verification online schemes really only validate physical ownership of something a claimant knows or holds in their hand. Even workforce verification processes are vulnerable. Companies ship laptops and/or physical tokens to new employees that can be stolen and utilized for improper access.

Even within a workforce – weaknesses of help desk and other hacks ; similar email domains; Iowa manufacturing example of scamming money xfers for raw materials

IDENTITY VERIFICATION REGULATIONS AND STANDARDS

Various countries and industries mandate their own requirements for identity verification. For example, following 9/11, the US government enacted the poorly named Patriot Act, which was meant to prevent funding from reaching terrorist groups, but which has instead been leveraged in everyday financial services id verification. The Patriot Act establishes a baseline, truly a bare minimum, for verifying the identity of any individual applying for financial services such as a loan, credit card, or bank account.

The Gramm-Leach-Bliley Act (GLBA) mandates that new account applicants should be verified through third party sources such as employers, telephone company, checking account, and other outlets to validate identity as well as to prevent fraud. GLBA identity verification gets just a little more specific.

Many organizations avail themselves of global watchlists that look for adverse media around the world about applicants. “So maybe it really is you, but you are someone I don’t wish to do business with.” If an applicant has been arrested, convicted, sanctioned, or otherwise involved with undesirable business interests or illegal activity, they may be denied even after providing legit identity information.

Very specifically in regards to image recognition, NIST puts forth Presentation Attack Detection (PAD), or attack determination methods for sussing out printed photos, masks, videos, and other techniques for thwarting facial recognition systems.

BIOMETRIC VERIFICATION

The process of biometric verification involves evaluating the validity of human attributes such as voice, face, and fingerprint. Once again, there are things you know, things you have, and then things you are.

Biometric signals have long been considered irrefutable. However, as technology evolves, so too do the methods utilized by bad actors, and this includes the ability to bypass biometric verification.

Fingerprint verification has long been used for desktop login, and even for application authentication. But fewer hardware options (including personal devices) are available for allowing users to submit fingerprints as a factor.

Voice has also been long leveraged, but now deep fake voices are increasingly easy to produce. They are also easily injected into authentication flows.

Facial matching is still the best option among biometric modalities. Liveness detection combats fraudsters who attempt to submit pictures of pictures, use masks, or inject video. Bad guys can use virtual cameras to inject fakes, but there are ways to identify those virtual cameras and defeat this type of attack.

Triangulating physical id documents (driver’s license, passport) with identity is a strong approach. Verify the document itself, that it is not tampered with, that it is not expired, and that the data on it, such as name, address, date of birth, and barcode are legitimate, is a start. Then match a selfie of the bearer with the image on the document. And don’t forget to verify the selfie itself, meaning validate that it is not a picture of a picture, but an actual live capture. This means the person is good, the document is good, and they’re good together.

One note: There is a difference between facial verification and facial recognition (one to many, based on an existing bank of faces). Facial matching or verification means saying “this person presenting at this moment is who they claim to be.” Facial recognition is “we think this anonymous person is this other person we found in a general database.” In other words, verification matches you with your own pre-established identity. Recognition is picking a random person out of a crowd.

WHO USES IDENTITY VERIFICATION?

There are obvious requirements across all industries, all verticals, all user scenarios for identity verification. No one can reasonably expect to execute any kind of transaction requiring even the slightest measure of trust without verifying their identity.

Banking is an easy one. Opening an account, transferring money, or requesting a loan are all predicated on presenting a verifiable identity. Financial services in general are drivers of strong identity verification services. In the US, they must comply with the Patriot Act and meet KYC (Know Your Customer) requirements before performing any financial transactions. Fintechs, mortgage companies, lenders, credit card issuers, credit unions, money transfer companies, and their contemporaries not only need to verify identity to prevent fraud, they are legally required to do so. In addition, it is often necessary to validate users relative to the bank accounts they claim to control.

Call centers have long been targets of fraudsters. Bad actors have on countless occasions impersonated legit users over the phone and gotten away with it. Late in 2023, call centers were talked into providing privileged access to social engineers who then perpetrated multi-million-dollar ransomware attacks. By requiring not only identity verification but also follow up identity authentication, call centers can avoid being a conduit for fraud.

Car (and other equipment) rental outfits leverage identity verification to help ensure that only authorized consumers can pick up whatever they claim to have rented. This kind of fraud results in all manner of hard assets disappearing each year.

Online dating fraud can lead to multiple types of fraud and peril for its victims. Proper identity verification services for this industry can safeguard people from money loss and worse.

Even notary services have migrated online, with the advent of COVID and remote work. Given that notaries vouch for users’ documents, they need to first work with verified individuals. In fact, any kind of digital, remote signing requires the trust of whoever claims to be putting down their mark.

Any organization in healthcare must ensure that only authorized patients receive surgery, treatments, and pharmaceuticals. It sounds absurd, but fraudsters impersonate veterans in order to receive free surgical procedures at the VA.

The insurance industry must verify the identities of not only those applying for policies (especially the quickie kind where travelers want fast coverage for the assets they cart around) but those making claims against those policies.

Retail outlets have long needed to identify those who shop online, and therefore perform identity verification online, but even those who apply for store credit cards at the point of sale. Fraud is less likely at the register, but it does happen.

Dangerous mishaps have led to biometric identification of both riders and drivers in the rideshare business. Is that the right person picking me up? Is that the right person I’m picking up? This is obviously more real time but just as critical since it’s human parties interacting, and even lethal encounters have occurred.

Public agencies that serve citizens have been conduits for fraud, and have also been targets. The IRS has been compromised, allowing bad actors to take citizens’ tax refunds. Other agencies that provide benefits have also been clobbered. COVID relief was stolen to the tune of hundreds of billions. Various solutions that claim to service these agencies have fallen short.

This is precisely why identity verification companies exist.

HOW TO CHOOSE AN IDENTITY VERIFICATION SERVICE

In its simplistic form, choosing a provider for identity verification services is no different than buying a car: determine your use case(s). Have a family and a dog? Do you do a lot of off-roading? Long distance trips? Or just to and from the grocery store? These determine the size and cost of your vehicle.

So now, how to choose good identity verification tools? Ask analogous questions.

Point of sale? Digital onboarding? Are your users consumers or employees (or both)? How much information do you require from your users? Are they digitally savvy? Do you have a help desk, or is it totally hands off? Do you have compliance requirements? There’s a definite difference in how you perform online identity verification as opposed to in person, since in the former you don’t get device or IP address, and geolocation is moot. The best identity verification software will adapt to different entry vectors.

With any provider of any service or product, history is a great sign. Somebody selling what appears to be the best identity verification software in the world but who has only been in business for a month is possibly suspect. They might get there, but they aren’t there yet. Tech companies with positive analyst coverage have an advantage, such as when they’re included in identity verification software reviews, but there is not a single analyst that doesn’t accept some sort of compensation from deep pocketed vendors in exchange for that coverage.

So, back to those use cases. For full KYC capabilities, you gather a full suite of data, send it off, and have it checked for not only viability of individual attributes (is that consumer using a commercial address, or is that phone a burner) but also their connectivity (does that name match that address or DoB or SSN?).

Utilizing data alone is a gamble. Identity verification tools do not automatically equate to identity verification solutions. Don’t just tackle a problem; address the need. And data-based tools are only one piece. Just about every living person’s PII is out there on the dark web for very little money. This includes their security questions and answers. Matching the actual person to their data is far more assuring than simply processing the bits and bytes they submit anonymously.

Matching biometrics to data is a strong indicator of validity, and of course the device you use is part of that equation. You may not be able to perform all the data matching with biometrics through a single vendor, but layering integrated solutions, to create a comprehensive online identity verification platform, can not only drastically reduce fraud but also streamline the onboarding process for legitimate users. This again harks back to “what you know, what you have, what you are.”

THE FUTURE OF IDENTITY VERIFICATION SERVICES

Two things are driving the future of identity verification services.

The first is the constant leapfrogging of fraud. The bad guys are always looking for new attack vectors, leveraging weaknesses in networks, social media, corporate sign-on infrastructures, and every other layer of authentication and security. They aim to regularly defeat best identity verification software. It is necessary to, at the very least, keep up. It’s hard to design defenses against attacks we haven’t seen yet.

The other is user experience. To have total security in the skies, we’d need to spend way more time in line at the airports. Consumers (and employees) expect streamlined processes to get from the outside into the place where our digital assets live. We all want that seamless flow in conjunction with safety. And when you consider where revenue comes from, customer identity verification absolutely must be friendly.

The future of any ideal identity verification service entails getting each user into the target portal with full assurance and the least friction. And since any bad guys can learn your PII and steal your phone, biometrics appear to be the best bet. It’s who or what you are. Of course, deep fakes make even biometrics scary. So any solution using biometrics needs to be non-repudiable.

A combination of a pleasant user experiences and robust identity verification solutions equate to an end-to-end, comprehensive identity verification platform.

MAKE THE RIGHT CHOICE IN IDENTITY AUTHENTICATION SERVICES

How did we become the best identity authentication platform on the market? authID began its life as the most accurate and trusted biometric authentication platform by aiding third world countries in holding free and fair elections. We accomplished this by registering legitimate voters, then authenticating them at polling time to ensure that only those legit voters were the ones casting their ballots. Since then we have rolled out our solutions to financial services companies, workforce management companies, banks, healthcare, and other organizations who wish for only bona fide employees or consumers to access their most sensitive digital assets.

Very recently a customer won a CSO award for their use of authID’s patented technology for verification and authentication.

authID verifies the validity of physical id documents (driver’s licenses, passports, state-issued id’s, etc.), supporting over 13,000 documents from over 200 countries and territories around the world. We use dozens of security checks and markers to ensure that the document was in fact issued by the authority it claims. We then verify the user by their selfie, checking for liveness. Whether it’s the document or the person, we make sure it’s really that doc, really that person, and not a picture of a picture, not a printout, but is indeed legit. We then match up the selfie to the document image. Document good, you’re good, and you’re good together.

authID provides the best user experience on the market, with an interface that literally walks you through the capture process with virtual frames and digital guidance. And we process that data in under 700 milliseconds. Nothing friendlier, nothing faster.

Once that facial biometric is registered, all you need is your face to authenticate, day after day, on your smartphone or your laptop. If you lose or upgrade your device, all you need is that selfie once again to instantly and seamlessly recover your access. So on Day Zero we verify it’s you, and on Day One and beyond we guarantee it’s still you, and come on in.

As stated above, you need to do your research. This means taking the time to compare biometric identity authentication solutions. When you do, you will find authID in the leader’s category.

It’s the greatest level of assurance with the least friction, meaning the best identity authentication option available. To learn more about the fastest, most seamless and most accurate biometric authentication solution on the market, you can read all about us. And please reach out to us at AuthID.ai, where our friendly faces will teach you how your own friendly face can be the key to secure access.

See related articles:  

Age Verification Systems | Online Age Verification Software

Passwordless Authentication

Find the Best Digital Wallet and Wallet Authorization Info

What is a Passkey?  Find out from the Experts at authID

Identity Authentication – What is the  Best Identity Authentication?

Biometric Authentication and Biometric Identification

authID Set Up a Quick, Free Biometric Demo Form Photo