We believe the ability to trust that consumers are who they say they are is critical for businesses. Unfortunately, identity proofing, or the attempt to validate legitimate user identity, has become more complex as fraudsters are circumventing knowledge-based authentication (KBA) using stolen personal identifying information (PII) that can easily be found online.
Gartner’s Market Guide for Identity Proofing and Corroboration report focuses on the current challenges related to identity proofing and the acceptable means of confirming, or corroborating, a user’s identity claim in an increasingly digital world. We’ve identified the key takeaways from the report, along with our own insights as to how to apply them.
Our key insights and takeaways from Gartner's Market Guide for Identity Proofing and Corroboration report
- Identity proofing and corroboration (IPC) is complex, and doing it successfully will likely require multiple vendors and solutions. Creating a single orchestration hub for identity proofing is key for a frictionless workflow.
- Companies need to find ways to keep customer accounts secure without putting the customer experience at risk. Those investing in technology that keeps security invisible while simultaneously delivering a low-friction customer experience are seeing the benefits.
- Due to increasing fraudster capabilities and know-how, security and risk management (SRM) leaders should combine multiple forms of identity proofing to separate the good customers from the bad. These include knowledge-based authentication, document-centric identity authentication, digital attribute risk assessment, behavior analysis, and reputation and link analysis.
Centralize IPC methods with an orchestration hub
Corroborating and establishing identities is complex. As more tools are required to establish or corroborate identity, it’s increasingly important that they work together through a central orchestration hub. It’s also critical that these tools are set up so that outputs are properly weighted and applied to a “context-based decision process,” to avoid high false-positive rates and a negative customer experience.
The lines between online fraud detection, identity proofing and user authentication use cases are increasingly blurring with regard to the techniques that can be applied to increase trust in an identity assertion and better identify malicious or anomalous activity"Gartner
In our opinion, Gartner recommends that SRM leaders start with an inventory and analysis of current IPC methods and other forms of risk management. From there, build your orchestration hub to seamlessly combine complementary tools and solutions, making sure it includes the following:
- Integration of multiple fraud prevention tools that align with your business needs
- Ability to customize how these tools and capabilities are applied, as well as the ability to apply logic when certain conditions are met
- Ability to reach a decision based on the outputs
Invest in the balance by protecting and growing your business
Consumers care about security, but not at the cost of a high-friction experience – and businesses who don’t address this balance are at risk of losing good customers and potential customers to competitors.
Keeping this in mind, fintech and mobile-first businesses are finding ways to prioritize both security and a positive customer experience by investing in technology that keeps security as invisible to consumers as possible. According to Gartner, “this investment results in higher conversion and customer engagement, as well as higher rates of detection of sophisticated fraudulent and malicious activities.”
In our opinion, Gartner recommends that SRM leaders understand where their identity proofing solutions might create a poor customer experience, and then invest in the right technologies to strike the balance that best suits their business needs.
Increasing fraudster know-how requires a new IPC playbook
From the report, we inferred that the theft of personal identifying information has increased significantly over the last decade, thanks to hacking and social engineering efforts – and when equipped with enough critical information, fraudsters are able to bypass PII-centric identity-proofing methods by successfully impersonating people online and over the phone. Unsurprisingly, this has led to a significant increase in fraudulent activities like account takeover, new account fraud and synthetic identity theft, and as a result, companies that used to have high-capability maturity scores for security and risk management are now citing the loss of millions of dollars due to fraud.
There is no one-size-fits-all approach for successfully identifying customer identity, since effort, resources, and use cases are all specific to the company. Instead, consider corroborating several types of identity proofing, and making specific selections based on your business needs:
Knowledge-based authentication (KBA)
While sales and risk management (SRM) leaders are likely to move away from relying solely on KBA and static data for corroborating identities, these methods still meet many existing requirements for demonstrating compliance, and should not be ditched altogether.
Document-centric, real-world identity authentication
We believe that Gartner is seeing an increase in companies seeking vendors that offer remote identity document verification solutions, in which end users can remotely scan and submit identifying documents like their passport or ID, along with a selfie of the person submitting them.
Digital attribute risk assessment
Another way to corroborate an individual’s identity is by assessing the person’s digital presence, which could include an email address, a social profile, or device identifiers.
The process of assessing consumer devices usually includes ‘device fingerprinting’ – but some solutions can lead to undesirable customer friction. It’s important to find a trusted identity proofing vendor that is skilled at gathering and analyzing device attribute data, identifying the device against a collection of trusted data from client organizations, and detecting fraud and attack patterns immediately – all without putting the consumer experience risk. Gartner cited iovation as a vendor that has achieved “a sufficient level of trust in a modern identity proofing and corroboration use case.”
This includes user behaviors such as mouse movement and placement, typing, scrolling patterns, time spent on a page, etc. While these are not standalone identity proofing solutions, they can assist in tipping the scale toward concluding that an identity is either risk-free or potentially fraudulent.
Reputation and link Analysis
The most successful reputation and link analyses factor in two things: real-world identity attributes, plus analytics-based relationships and risk of digital attributes. These tactics have proven success in detecting certain types of fraud that often go undetected, such as synthetic identity fraud, first-party fraud and sophisticated identity theft – and thanks to the rapid adoption of machine learning techniques that can automate the analyses of multiple data sources, this is a quickly-growing space.
It’s clear that identity proofing isn’t going anywhere. Our world is continuing to move in an increasingly digital direction, and with it is the need to confirm the identities of customers, partners and employees using optimized workflows and low-friction methods. To learn more about how orchestration hubs and the consumer experience are affecting the way companies manage identity proofing and corroboration, download Gartner’s report today.