Identity verification: Staying ahead of post-breach era consumer preferences
In the wake of numerous high-profile data breaches and privacy incidents, consumers are increasingly concerned about the security of their identities and what companies are doing to keep them safe. Ultimately, there is a strong need for bi-directional trust between consumers and businesses: Consumers must trust that businesses will protect them, and businesses must trust that they’re dealing with legitimate consumers.
A recent consumer identity verification survey conducted by our team at IDology reveals four key trends that illustrate how recent breaches and shifting consumer behaviors are impacting the way businesses approach identity verification.
1. Consumers place a premium on security
Businesses want to ensure that the account opening experience is both seamless and positive. Up until now, conventional wisdom suggested that consumer preferences placed ease and speed over security, but this may have recently shifted. The study found that what is most important to American consumers during the account opening process is now security (88 percent) followed by ease (72 percent), low effort (63 percent) and speed (62 percent).
The threat of data breaches has shaken the trust of American consumers and, as a result, the identity verification process, once considered a behind-the-scenes step, is now a front-end consumer consideration and competitive differentiator. In fact, 56 percent of respondents said they would be more likely to choose a financial institution if it used highly advanced identity verification methods to keep account origination secure.
2. Trust what you know
The top three digital identification methods that consumers believe to be most secure are biometrics, Knowledge-Based Authentication questions and one-time passcodes used for two-factor authentication. Consumers frequently use these methods to unlock their phones and open or access online accounts, so it’s not surprising that they are also the most trusted.
In reality, there are pros and cons for each method. Biometrics are useful as a password replacement, especially on mobile devices, but they can’t be used to verify an identity during account origination. One-time passcodes sent to a phone are convenient but are vulnerable to interception and can be taxing if a consumer has to toggle back and forth between screens on their device because they can’t remember the whole code. The point at which a consumer is interacting with a business (account origination vs. authentication), the device or path they’re using (desktop, mobile or call center) and other factors all help determine which methods are best to deploy.
When it comes to Knowledge-Based Authentication, there are multiple types but, unfortunately, they all tend to get lumped together. The two primary categories are static KBA (commonly called “shared secrets”) and dynamic KBA (which are randomly generated). Within the category of dynamic KBA questions, there are two main types of questions: credit questions and demographic questions. Consumers prefer demographic KBA questions by two-to-one compared to credit questions, and feel both confident and comfortable answering them, perhaps due to the relevancy of the questions. Eleven percent more of the consumers surveyed were “extremely” or “very” comfortable answering demographic questions compared to credit questions. They are also more confident answering demographic questions, with 13 percent more of them saying they were “extremely” or “very” confident they could answer them correctly compared to credit questions.
This clear preference can be partially attributed to the data source and how easy it is to recall certain types of information. A dollar amount for a mortgage payment is often more difficult to recall than the name of a street—particularly if the payments are automatic.
3. Password practices are vulnerable
Despite increasing concerns, many consumers still use vulnerable password practices, heightening the need for businesses to take extra measures and evaluate multiple, diverse consumer attributes to safely verify customer identities. When asked how often they change their passwords, 76 percent said once a year or less, while one in six admitted they never change their passwords unless forced to do so. Consumers are open to using more secure methods of authentication for online accounts, but transition pains are inevitable as new technologies take hold.
4. Consumers are concerned about mobile security
As mobile fraud continues to rise, businesses must consider the major risks presented by mobile malware that can steal personal information and intercept text messages directly from a consumer’s smartphone. Almost half (47 percent) of respondents were “extremely” or “very” concerned about mobile malware. With regard to consumers who were only “somewhat” or “not at all” concerned (24 percent), there may be a lack of understanding about the risks of mobile malware and the methods deployed by criminals to infect mobile devices.
While smartphones can serve as a means for businesses to quickly identify and verify consumers, they also present another fraud front. Numbers can be ported or spoofed, and even legitimate customers can make it difficult for businesses to identify and authenticate their digital device identities by frequently changing phone numbers, providers and/or devices.
Within the last 12 months, 47 percent of consumers (or an estimated 100.6 million mobile phone owners) experienced at least one “change event”—38.7 million changed mobile phone service providers (18 percent of respondents); 90.3 million purchased or upgraded their mobile phones (42 percent); 25.8 million changed their mobile phone number (12 percent); and 12.9 million had their mobile phone lost or stolen (six percent). As a result of these mobile change events, it becomes difficult for certain mobile identity methods to be effective without requiring additional re-authentication, potentially creating friction for the customer or false positives when assessing fraud risk.
This new era of data breaches and privacy failures has had far-reaching effects. Personal information is packaged, sold and distributed on the dark web and consumers feel on-edge and insecure. This is why safe, comprehensive and robust identity verification is becoming a competitive differentiator for businesses. Employing a multi-layered approach to identity proofing that validates “under the covers” and applies friction only when needed can elevate customer trust, facilitate onboarding and engagement, increase business identity assurance and help to deter fraud.