Figuring out (and verifying) who’s on the other side of the keyboard is one of the biggest challenges when it comes to building memorable forgettable sign-in journeys.
Exactly how important identity verification is for your sign-in journeys depends on what’s on the other side of your login screen. If your customers are moving money around, accessing healthcare info or purchasing big ticket items, you probably care quite a bit.
At its core, the concept is pretty simple. Take something unique your user knows (or possesses) and compare it to a trusted source of data. If it matches, voila! We can trust that the user is who they claim to be.
Unfortunately, online identity verification is easier said than done. There are four key reasons:
We’ve seen these four speed bumps play out over and over in hundreds of implementations. We knew we could create a different (and better) way.
If you’ve tried to implement identity verification before, you’ve probably heard a lot of “no” – as in “no … we can’t do it that way.” But – like the old Burger King commercial, identity verification is something that very much needs to be “your way” if you want it to be a good experience for your customers. Good security shouldn’t have to come at the expense of a poor user experience.
There are three main things that set our identity verification capabilities apart from other approaches:
That’s all a long way of saying that with Strivacity you control the workflow, the experience and your brand. And you can refine and tweak the process with a few clicks. That lets you focus on the big decision in front of you: what risks do you need to mitigate.
Subscribe and never miss out on our blog posts and latest news.
The real magic in our approach to identity verification lies in the “how” (hint: it’s super simple). Our clicks-not-code philosophy is core to how we’ve built our platform – and it really shines when it comes to identity verification. You control which layers of verification to include, which order to perform them in and how to route failures and successes.
For example, as in ^this^ diagram, which shows the Strivacity identity verification workflow editor, you could start with a phone record match step. If that check passes, you can pass the customer on to the next registration step. If it fails, you could use knowledge-based questions as a backup method to give the registrant another chance to prove their identity before falling back to a customer service call.
It looks good too! No matter what your workflow is, our brand editor makes it easy to match your brand. You can see live previews of changes as you make them to ensure your precise brand specs are reflected in all your login and registration flows. Those same brand configurations also apply to identity verification workflows— no extra effort required.
Now that you have a sense for what identity verification is all about and how we approach it, let’s dive into the bits and bytes we offer. Keep in mind that the specific techniques (and the sequence) will depend entirely on the risks you want to mitigate.
Step 0 is making sure that the person on the other end of the keyboard is, in fact, a person – and not a bot. There are a few ways we do that (and they don’t require Captcha clicks on stoplights and crosswalks).
First, we block known bots before they even hit your registration page. Our bot feed database tracks IP addresses that are associated with fraudulent bot activity and shows them the hand. It's kind of like having your own personal Yoshimi fighting evil robots for you.
We can also block anonymous proxies and Tor exit nodes to add a layer of protection from bad actors who are trying to cover their tracks.
Capturing consents are key to any identity verification process since you’re sharing your customers’ data with a third party. Our built-in consent management system lets you define and track consent acceptance (including consent receipts) for each account.
Determined attackers will often try to switch a victim’s phone number to pair it with their own device and then receive SMS texts so they can foil two-factor authentication. These SIM (subscriber identity module) swap attacks are usually carried out by researching a customer’s personal information via social engineering and then convincing a carrier’s customer support to switch the SIM to the malicious device.
By matching the phone numbers your customers provide against our phone threat feed, our identity verification capability weeds out numbers whose SIM association has recently been changed so you can foil SIM swap attacks.
Another favorite tactic of scammers is to use non-fixed VoIP numbers that they can easily change. We let you filter out these types of risky phone numbers that aren’t associated with a fixed street address, which greatly reduces phone fraud during the verification process.
If you want to step things up a level our passive phone record verification techniques take customer-provided info and match it against the phone carrier database. This is a friction-free way to increase assurance that the person presenting the data is who they claim to be. The customer only needs to provide their name, phone number, address, and consent. Since you’re likely already asking for this info, phone matching can be a user-friendly way to make sure your customer is, in fact, a customer.
When passive techniques fail (or you need a higher level of assurance), knowledge-based questions can provide an additional layer of trust. These questions sourced from credit bureaus, ask users for info based on their credit history. and can provide a higher level of assurance that a person is who they say they are.
The highest level of assurance that we offer – sometimes called identity proofing – is document-based verification. It asks the customer to scan a government ID and prove they are the person presenting the document by taking a selfie of their face with their smartphone. We also do various levels of fraud checks to ensure the document is real, and the document is indeed the person who is presenting it.
Already using a vendor for identity affirmation? No problem! Strivacity's orchestration capabilities make it easy to layer in other providers (or your own in-house data sources). Our lifecycle event hooks, hosted on the Strivacity platform, eliminate the need for you to host and manage those integrations elsewhere.
When customers run into dead ends and can’t finish the verification process they usually track down the phone number for a human on your customer support team. Strivacity offers your support representatives a portal to quickly get the info they need so they can provide outstanding customer support – including looking up a registration attempt, diagnosing where the customer abandoned or failed the verification flow and manually verifying a customer’s identity and resolving their issue. All of these features are accessible via our admin API, so you can integrate it with your customer support solution if needed.
Nobody can make identity verification perfect. That said, we’ve put a lot of care and thought into our verification workflows to ensure your actual customers can log in easily (and the bots and fraudsters do not pass go or collect $200). That translates into a much lower burden on your customer support team and increased (real) user growth.
So, now that you know a bit more about what can (and does) go on behind the scenes, take note the next time you have to prove who you are online. Maybe it’s during tax season, or perhaps the next time you open a financial account from your phone or laptop.
Think about the experience. How do they know you are who you say you are? Did it feel invasive, or welcoming? Was it a pain or did everything go off smoothly? What could have been better? These are the questions we ask every day when building customer’s journeys for our clients.
And we’re trying really hard to make them as forgettable as possible – for you and your customers.
Subscribe and never miss out on our blog posts and latest news.