Identity Continuity: the Best Approach to Combatting Fraud
Eliminate dangerous gaps between siloed digital identity processes and build customer journeys that create trust - not friction
May 18, 2023
When word of a fraud incident gets out, it harms a business’s reputation. This can cause existing customers to move to competitors whom they perceive to be a better guardian of their identity and account information. It can also drive away prospective customers who associate the brand with the incident, often long after the company has recovered.
But there was good news in the Javelin Strategy and Research 2023 Identity Fraud Report: total identity fraud losses fell by 17% in the past year. Those losses, however, still amounted to $43 billion, affected 40 million U.S. adults, and reflected the tremendous increase in identity fraud that occurred during the pandemic. In its 2020 Identity Fraud Report, Javelin reported total identity fraud amounted to $16.9 billion, meaning that even though fraud losses fell in 2022, they still represented a 250% rise from pre-pandemic numbers.
The costs of recovering from fraud have also risen. The 2022 True Cost of Fraud report from LexisNexis found that for retail and ecommerce, every $1 in fraud cost U.S. businesses $3.75, up 19.8% from 2019. For U.S. banks, the cost is $4.36 per $1 of loss, an increase of 22.4% since early 2020.
On the consumer side, according to Privacy Bee, the cost of account recovery for a user is “over $1K for the average incident. The crime causes victims (sic) a significant amount of money in most cases and hours and hours to clean up the mess.”
Every day, fraudsters grow more sophisticated in both their technologies and techniques. According to the National Council on Identity Theft Protection, experts believe that there is a new identity theft case every 22 seconds.
Protecting Customers and Businesses with Identity Proofing and Authentication
The traditional approach to protecting customers and businesses from these fraudsters starts with implementing an identity proofing process when users open an account or onboard. At a high level, during this step, the customer establishes a username and then provides proof that they are a real person and are truly the owner of the identity they claim to have. They also establish one or two factors that they will use to verify their identity every time they try to access their account.
The proof of identity is typically a government-issued ID, such as a driver’s license or passport. For online accounts, an image or electronic version of the ID is used.
There are a variety of factors that can be set up at onboarding to authenticate identity when the customer returns to access the account, with varying degrees of security and ease of use. These authentication factors fall into three categories:
- Knowledge-based: a thing the user knows, such as a password or PIN
- Possession-based: a thing the user has, such as a mobile phone or computer
- Biometrics-based: a thing the user is, such as a fingerprint or facial scan
Businesses may ask the customer to provide a single identity factor from one of these categories. Or, ideally, they may use multi-factor authentication (MFA) to increase security by using two or more factors from different categories. For example, a user who enters a knowledge-based password could then be asked to enter a six-digit code (OTP, or one-time password) that has been sent to their possession-based mobile phone or via email to their computer.
Commonly used identity factors
Some of the most common authentication factors include:
Passwords are among the longest-used and weakest authentication factors. Customers typically create something they can easily remember, which also makes passwords easy for cybercriminals to guess, steal, or hack. The longer and more complex a password is required to be, with elements such as capital letters, numbers, and special characters, the more security it provides. And yet 2022 research by Nordpass revealed that the top two most common passwords were password and 123456.
A personal identification number (PIN) is often used in conjunction with something else, like a debit card or password, to authenticate identity. Most are four or six digits and are created by customers. PINs have similar issues to passwords. According to Electronics Weekly, four of the most common PINs are 1234, 0000, 1111, and 5555.
Biometrics already plays a role in the lives of many consumers who unlock their computer by touching their fingerprint to a key, open their phone with a facial scan, and activate their Siri, Alexa, or Google Assistant with their voice. This familiarity makes it easy for businesses to take advantage of biometrics for account access. Because they are based on something a customer is, biometric identity factors are inherently harder to steal or hack and more secure than knowledge-based authentication (KBA) factors.
Drawbacks of using legacy factors as single points of verification
Taking a traditional (“legacy”) approach to identity proofing and authentication – an approach that doesn’t leverage passwordless, biometric MFA in a cross-channel process – comes with a list of drawbacks that impact security, cost, and customer experience.
A key security challenge for businesses is securing customer accounts at a level appropriate to the industry and nature of transactions without making authentication so challenging that customers avoid using their account or abandon the business’s services altogether. Healthcare and financial services organizations, for example, deal with extremely sensitive data, and their users need the most advanced security available on the market. Increasing the number of factors required to access customer information can result in reduced business if those authentication factors also increase customer friction. Authenticators that increase friction include legacy factors (as mentioned above) like passwords, PINs, OTPs, USB tokens, and smart cards.
When a customer or employee forgets their password or PIN, they have to reset it. When organizations use these legacy factors as single points of authentication, the customer or employee has no other way to identify themselves and, therefore, cannot access their account. Regaining access may involve calling a support contact center or emailing a helpdesk to request a reset. HYPR reports that the average firm spends $5.2 million a year on setting and resetting passwords and Forrester Research found that each individual password reset costs $70.
In addition to the issue of needing to balance security and ease of access, rigid identity authentication factor requirements can frustrate customers. For example, if they can only use a password to access their account and they are somewhere where typing is inconvenient, it would be helpful to be able to also authenticate their identity using a facial scan or fingerprint. In addition, passwords are the weakest and least-trusted security factor. When companies do not offer choices when it comes to how users authenticate themselves – the kind of choices that an MFA strategy offers – they are creating unnecessary friction and security risks for themselves and their customers.
Balance Security and UX with Identity Continuity
Identity continuity is Daon’s market-leading approach to establishing lifelong trust with customers throughout their entire digital identity journey.
Identity continuity means saying goodbye to thinking of each account interaction as a discrete transaction with rigid verification requirements, to implementing siloed processes behind proofing, authentication, and recovery, and to adopting a one-size-fits-all mentality towards customer experience.
With identity continuity, identity experiences are treated as journeys that are as unique as each individual customer and tailored to fit the needs of each use case. Identity continuity is an end-to-end service across a customer’s entire lifecycle with any company, in any industry.
The foundation of identity continuity is the concept that each customer uses a single identity, established once and seamlessly authenticated going forward, that is viewed holistically by the organization with which they wish to onboard or access an account. Their identity is accessible through any channel – web, apps, contact centers, kiosks, in-person – any time, with low friction and seamless movement between channels.
Identity continuity allows any customer, anywhere, to register multiple authentication factors (MFA) for use throughout their customer journey. These authenticators include an array of highly secure biometric factors for advanced security and simple, fast customer experiences. Identity continuity eliminates dangerous gaps between siloed identity proofing and authentication strategies, which often rely on multiple vendors and systems; those gaps create space for fraudsters to infiltrate IAM/CIAM and wreak havoc on a brand’s reputation.
How it works
Identity continuity starts with identity proofing and verification. When a new customer attempts to open an account, in addition to submitting a government-issued ID, they are asked to provide a selfie. This is checked via liveness detection to protect against fraudsters attempting to use still images or captures from a video to pass themselves off as a genuine user. Liveness detection compares the captured image against the image on the ID document, creating a unique, basically un-hackable facial biometric that’s securely stored for future authentications.
This, along with sophisticated document verification techniques, allows any business to have a high level of confidence that a user is a real person with a genuine identity, whether the person is opening an account in person, on the web, on their mobile device, or by calling a contact center for account registration.
The customer’s facial biometric is verified and can be used for future authentications to grant account access. Depending on a business’s security guidelines, the customer can also establish any number of other authentication factors – from PINs and passwords to authentication apps they use on known devices, to fingerprints and voice biometrics – when they onboard or any time thereafter. The fact that each of these factors is connected to the same account ensures a smooth experience whenever a customer returns, and in whatever channel they use.
With identity continuity, businesses can still implement different levels of security for different channels by requiring specific or multiple authentication factors to gain access. But the idea is: through any channel, a customer has their choice of several factors they can use to fit their location or situation. This ensures that a customer can access their account, no matter where they are or what technology they are using, by providing one or more of the authentication factors for that channel.
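The per-channel factor rules described above, including the reset-with-another-factor case the page mentions under benefits, can be expressed as a small policy check. This is an added example, not Daon's code or API; the factor names, channels and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Factor -> category, using the three categories listed on the page.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "otp_phone": "possession", "auth_app": "possession",
    "face": "biometric", "fingerprint": "biometric", "voice": "biometric",
}

@dataclass(frozen=True)
class ChannelPolicy:
    allowed: frozenset                 # factors accepted on this channel
    min_categories: int                # distinct categories that must be proven
    required: frozenset = frozenset()  # factors that must always be present

# Constructed policies (assumptions): each channel sets its own bar.
POLICIES = {
    "web": ChannelPolicy(frozenset(CATEGORY) - {"voice"}, 2),
    "contact_center": ChannelPolicy(
        frozenset({"voice", "pin", "otp_phone"}), 2, frozenset({"voice"})),
    "kiosk": ChannelPolicy(frozenset({"face", "fingerprint", "pin"}), 1),
}

def authenticate(enrolled, channel, verified):
    """Return (ok, reason); `verified` holds factors already checked this session."""
    policy = POLICIES.get(channel)
    if policy is None:
        return False, "unknown channel"
    # Count only factors enrolled to this identity and accepted on the channel.
    usable = set(verified) & set(enrolled) & policy.allowed
    if not policy.required <= usable:
        return False, "missing required factor"
    if len({CATEGORY[f] for f in usable}) < policy.min_categories:
        return False, "too few factor categories"
    return True, "ok"

def can_reset(enrolled, channel, verified, target):
    """Self-service reset: the factor being reset cannot vouch for itself."""
    if target not in enrolled:
        return False
    return authenticate(enrolled, channel, set(verified) - {target})[0]

if __name__ == "__main__":
    customer = {"password", "otp_phone", "face"}  # constructed enrollment
    print(authenticate(customer, "web", {"face", "otp_phone"}))
    print(authenticate(customer, "web", {"password", "pin"}))
    print(can_reset(customer, "web", {"face", "otp_phone"}, "password"))
```

Two factors from the same category, or a factor never enrolled to the identity, do not count toward the channel's threshold, and a forgotten password can only be reset once the other presented factors satisfy the channel policy on their own.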
Benefits of Identity Continuity
By taking a new approach to familiar processes, identity continuity offers businesses the opportunity to improve customer satisfaction and security while reducing costs – all without any heavy lifting.
Enhanced customer experience
By establishing a single identity that the customer can access using whichever factor is convenient at the moment, businesses make their accounts and sites easier to access without compromising security.
Identity continuity provides organizations with greater control of and visibility into their customers’ identity journeys and interactions with their brand. By adopting a single, central view of the customer, a business can determine the unique behaviors and needs of that person to better serve them, improve their business’s reputation, lower abandonment rates, and enjoy key insights that can be used for targeting services to what customers are really doing or really need through journey personalization.
Together, these benefits undoubtedly point towards improvement in customer experience. According to Forbes, customers with excellent customer experiences spend 140% more than other customers. Better customer experience also improves customer retention, and Business.com reports that returning customers spend 67% more than new customers.
By leveraging biometrics and AI-driven technologies during the identity proofing process, identity continuity reduces the potential for fraud from the moment a customer opens an account.
By establishing a single identity, identity continuity closes gaps and discrepancies between customer accounts that can provide additional points of entry for criminals and increase fraud, such as through account takeovers (ATOs) and synthetic fraud attacks.
Identity continuity minimizes the need for and costs of password or PIN recovery. A customer who has forgotten a password or PIN can use another factor, including their initial facial scan, to access the account. From there, they can reset the password or PIN themselves.
Most customers would prefer not to call for help, so the ability to provide secure self-service increases customer satisfaction even as it eliminates the overhead costs of account recovery.
Learn more about how your business can benefit from identity continuity with Daon’s newest platform, TrustX™.