04 Sep The Rise Of The Identity Orchestration Platform
Unifying Identity proofing, Authentication, and Fraud Detection
Identity proofing, compliance, authentication, and fraud detection are all becoming increasingly interconnected. This is why digital businesses need to rely on various solutions that must be stitched together to help ensure the user experience isn’t too fragmented, time-consuming, or demanding.
Today, businesses need to provide a seamless customer experience across all channels and touchpoints. To achieve it, we need to rethink creating a unified approach to managing ID proofing, KYC/AML, authentication, and security instead of a siloed approach. This is how market leaders have differentiated themselves and mastered providing smooth digital identity experiences for their customers. Let’s take a closer look at some of the trends that will help us build a modern, smooth user journey.
Frictionless Customer Journey
Modern businesses may take advantage of simple tactics that don’t require the user to do anything other than completing an online application.
- Email Verification: Many organizations will send an email to their prospective users to verify the validity or legitimacy of the provided email address. But there are third-party platforms that can be used to verify the account’s age and other characteristics.
- Phone-Based Verification: A new user’s phone number can be used to generate a variety of fraud signals. Some vendors will send an SMS message to the applicant’s phone to check that the number provided is correct. However, the phone number might give other information, such as the SIM’s age, IP address, and porting information. In addition, some vendors can link the phone number to data from carriers and telecom infrastructure providers to expose the identity of the phone number’s registered owner.
- Address Verification: One of the most basic tests is to see if the physical address exists in the real world and if the applicant lives at that location. However, because of large-scale data breaches, data-centric techniques like this may be spoofed by utilizing stolen data from the dark web.
- Bot Detection and User Behavioral Analytics: There are various solutions designed to determine if the person is human or bot by looking at clickstream analysis, application completion time, and typing cadence.
- IP Address Mismatches: By checking if the IP address of the user’s phone or computer matches the physical region reported on their application, one can see if it is from a location they should be allowed to sign in.
- Device Reputation & Risk Tracking: It’s a fraud-prevention technique that collects device fingerprints – a set of features – and compiles a picture of the device’s previous association with fraudulent conduct. It’s a simple yet effective method to catch primary forms of fraud.
- Auto-fill forms: companies can auto-fill onboarding forms to accelerate the sign-up process and improve conversion rates by leveraging mobile, document, and other third-party identity providers like a bank, mobile, or government identity.
- Bring your own Identity(BYOI): utilize social login or leverage platform IDs like Apple, Google, and then do progressively profiling to do additional identity checks based on the trust level of the identity provider. For example, a bank or mobile identity may have higher confidence than social identity.
As a best practice, many companies correlate these digital attributes with real-world identities to help increase the levels of identity assurance.
Online identity verification is often required to verify remote users with higher levels of assurance. In this context, identity verification refers to the combination of capturing a government-issued ID and a corroborating selfie that includes a liveness check to make sure the user is physically present during the account creation process. This approach serves as a powerful disincentive to would-be fraudsters.
This document-centric approach entails testing for genuine presence, and so it meets Gartner’s definition of identity proofing when deployed correctly.
Not surprisingly, Gartner anticipates significant growth in this category: By 2023, 75% of organizations will be using a single vendor with strong identity orchestration capabilities and connections to many other third parties for identity proofing and affirmation, which is an increase from fewer than 15% today.
Added to this, not only is identity verified but the customer information is checked against the AML watchlist to ensure that the customer was not involved in any historical criminal activity. Also, AML screening solutions must verify each new customer against many sanction lists, politically exposed persons (PEPs), and adverse media databases issued by global watchdogs and regulators. Businesses also need to monitor customers on an ongoing basis to ensure they don’t become financial crime risks after onboarding.
Other Identity and Risk Checks
There are many risks, financial, and identity attributes considered from third-party sources and service providers. Therefore, verifying identity-centric data should always be in the context of use case and transaction type. In some cases, it is basic document-based identity verification, while in other cases, enhanced due diligence is required.
However, additional risk and assurance checks are necessary if you offer any financial services, payments, or in a particular regulatory industry. These may include a credit check, asset, employment, income verification, bank account ownership checks, identity theft or fake identity risk checks, and other transaction-specific risk checks.
With data breaches, credential stuffing attacks, and the dark web becoming more prevalent, the need for more robust account security has never been greater. It’s critical to ensure your accounts are secure and necessary to prevent fraudsters from creating new accounts resulting in cybercrime.
Industry leaders such as Google, Amazon, and Apple are leveraging multiple authenticators such as TOTP, FIDO, security keys, in-app push notifications, and many other secure login methods available. Implementing such authentication methods results in a better customer experience and reduced password resets, among others. However, companies need to build a privacy-first approach to device fingerprinting and step up as needed.
Added to these security challenges are account takeover (ATO) risks. ATO is made possible because people use the same password across multiple websites. So any website that relies on a simple username and password could easily fall prey to account takeover. Also, password reset is considered the weakest link for spear phishing and social engineering to take over user accounts. However, companies can implement self-service account recovery to tackle this challenge by leveraging multiple authentication methods such as automated ID proofing and verifying user accounts.
These are why organizations need to take a holistic and unified approach towards managing identity, authentication, and fraud detection to mitigate risks associated with ATOs.
Many companies are also exploring biometric-based approaches to user authentication—to provide an extra layer of security for individuals who’ve already been onboarded. For example, when a high-risk transaction is initiated (e.g., a wire transfer or a password reset), the user only needs to take a selfie and go through a liveness check to quickly unlock their digital identity.
First-generation of Identity Orchestration:
To date, only a few large digital businesses and banks view identity as a strategic core to their business. And, they have invested millions of dollars in building their own in-house orchestration tools, leveraging many point vendors’ limited workflow and hub capabilities. This approach worked well as it solved the problem (maybe temporarily). However, it slows down time-to-market and quickly leverages more modern identity proofing, authentication, and fraud detections capabilities.
Building an orchestration platform in-house often requires alignment between product, IAM, risk/security, and development team. And, then they need to manually integrate to 3rd party providers and continuously maintain them, which often results in forced vendor lock-ins. This developer-centric approach is not only unsustainable, but it also limits the agility to innovate, improve ID proofing coverage and respond to evolving fraud techniques.
As businesses expand globally and become digital, investing in a future-proof identity strategy is critical. This will help get customer identity management to drive top-line growth and reduce operating, fraud, and licensing costs.