Danny Bluestone, CEO of UX-driven digital transformation agency Cyber-Duck, looks at key trends in online identity verification.
The Internet was once a more anonymous space. People hid their real identities, coming up with unique and sometimes bizarre pseudonyms to represent themselves on specific websites.
As services and socialising shifted online, identifying each other digitally has become increasingly important.
How can we do this securely, without impacting users’ experience? I’ll explore the trends in online identity verification, looking at the key solutions and implications for businesses and users.
Using our ‘real’ identities online
Online anonymity is waning. A user’s digital behaviour never used to be closely connected across the web, nor did it connect to their offline lives.
Technically, there were also fewer plug-and-play solutions like Facebook Connect, which can follow and connect users’ activities across the Internet.
The desire for anonymity hasn’t completely disappeared. But, as the social web has grown, people have become happier to use their ‘real’ identities online. Some social networks are even throwing their influential power behind ‘authentic’ identities to make their platforms more credible and secure.
For instance, Twitter issues verified account status to key individuals and brands who are highly sought after. This helps users differentiate and validate if specific accounts are credible.
Furthermore, the boundaries between social and commercial websites are blurring. Some users submit real-name reviews on Amazon and other ecommerce sites like Etsy, where authenticity can increase sales by generating confidence from customers.
The rise of identity verification services
So, identifying people online – and confirming that information against their ‘real’ selves – is becoming increasingly important.
Verification is required by a surprising number of digital businesses: from purchasing products and applying for services, to social networking platforms, where users’ authenticity is built into the experience.
It’s consequently no surprise that the technology behind identity verification services is constantly evolving, while balancing two critical, and often competing, factors: security and user experience.
Last year alone ecommerce fraud rose by 19% and online banking losses soared by 64%, compared to 2015. High-profile data breaches at TalkTalk and Sony have made consumers more aware of the security threats.
Yet users are still incredibly fickle. They will go elsewhere if the verification stage of a purchase or online account setup is too lengthy or rigid regarding which proofs of identification are acceptable.
Trends in verification solutions
Exposing more personal information about ourselves and revealing our true identities online opens up great opportunities and risks. Organisations must navigate (and mitigate) these for their users.
Consequently, a number of solutions have emerged to validate who we are online.
Creating a username and password to access specific websites is the most familiar online identity system. But we’ve known it’s a broken process for years.
It’s too difficult to create and manage unique, elaborate passwords for each online account we have. And even the idea that a ‘strong password’ can protect us is now a fantasy, with hackers regularly breaking into computer systems and releasing username and password data.
Worse than this, plenty of us daisy-chain accounts to our main email address, creating a single point of failure: a hacker who exploits it can gain entry to countless more accounts with ease.
The most common solution is two-factor authentication: requesting knowledge (such as an alphanumerical ‘secret’) and possession (adding a physical level) for a user to verify themselves. Cash machines were the original implementation of this idea, requiring possession of a physical card and remembering a secret PIN.
The trick is establishing a second, physical authenticator that is secure, but doesn’t inconvenience the user.
For example, many companies have avoided the delay and cost of issuing unique physical tokens (such as a key fob, or card reader), instead asking users to add a mobile contact number and enter unique codes sent via SMS.
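A server-side check for the SMS codes described above, as an added example (not code from any company named in this article). The class name, the five-minute validity window, the three-attempt limit and the in-memory store are assumptions; sending the SMS itself is left out.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a code
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per code


class SmsCodeVerifier:
    """Issues and checks single-use login codes (the 'possession' factor)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # user_id -> details of the outstanding code

    def issue(self, user_id):
        """Create a 6-digit code; the caller sends it to the stored number."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[user_id] = {
            "code": code,
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        return code

    def verify(self, user_id, submitted):
        """True only for the current, unexpired code; each code works once."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[user_id]          # expired codes are discarded
            return False
        entry["attempts_left"] -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(entry["code"].encode("utf-8"),
                                 submitted.encode("utf-8"))
        if ok or entry["attempts_left"] == 0:
            del self._pending[user_id]          # single use, or guesses used up
        return ok
```

The attempt limit matters as much as the expiry: a 6-digit code has only a million possible values, so unlimited guesses would defeat it.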
Biometric technology can streamline the second step in two-factor authentication. Fingerprint data is the clear favourite, as a particularly elegant solution for unlocking smartphones.
Promoted by Apple and Samsung, it requires investment from device manufacturers to install the sensors and to secure partners, like PayPal, willing to use the channel for purchases.
Concerns about storing such sensitive data have been addressed, with both companies storing an encrypted mathematical model instead of the fingerprint images. But as a Mashable hack revealed, people leave copies of their fingerprints everywhere – and a lifted copy can be used to unlock devices.
To set up Apple’s TouchID, users repeatedly tap the phone’s sensor so it can map a single fingerprint that will unlock the phone.
Some businesses are even exploring more outlandish models. Amazon recently filed a patent application for payment by selfie.
To prevent fraudsters from using a photo to pose as someone else, the proposed system would involve its own two-step process. One photo would be taken to confirm identity. Users would be asked to subtly adjust their position, then a second photo would ensure their proximity to the device.
MasterCard has already trialled facial recognition technology, ensuring users are actually there with a blink instead. 83% of those tested believed it felt secure.
The company has even proposed heartbeat recognition as an alternative, integrating sensors that can read people’s electrocardiogram, or the unique electrical signal their heart produces.
MasterCard’s selfie pay system was available to test at Mobile World Congress, Barcelona.
National service verification
Demand for access to government services online is rising – but verification is particularly critical for national schemes.
CitizenSafe, one of GOV.UK’s certified identity verification providers, commissioned a YouGov survey that found 61% of full-time workers (and 64% of students) believed online identity verification was the most convenient option for them.
Hailed by the UN for providing the world’s best e-Government content, Estonia’s service provision rests on centralised unique personal identification codes, given at birth. Microchipped ID cards with this code enable users to sign things online and use a range of digital services from online banking to voting.
But such comprehensive nationalised schemes have faced concerns from privacy and civil liberties groups.
Instead, countries like the UK and US are adopting a verification approach that checks who the user is against physical sources, such as passports, utility bills or a driver’s licence. These sources aren’t centrally stored, so no department or individual knows everything about you.
Transitioning from public beta to live next month, GOV.UK Verify is the UK’s solution to accessing national services easily (yet securely) online. GOV.UK certified a variety of identity verification companies, like CitizenSafe, to verify users’ identities on the Verify portal.
GOV.UK Verify empowers you to choose from a range of certified companies to verify your identity.
Users complete the online verification process just once to create an account they can use to quickly and easily access a multitude of government services, such as tax returns, benefits and allowances.
Furthermore, two-factor authentication is used when users log in to their online account: they need to enter a user ID and password as well as a code sent to a stored phone number.
New data storage solutions
Whatever identification solution is used, a critical question remains around how personal data is stored to safeguard it against hackers.
Even if hackers can’t access your credit card details, obtaining your home address, date of birth, contact details and other personal data could give them enough to access, change or use a multitude of your online accounts, posing a serious risk.
One of the recent solutions to overcome this issue is blockchain technology. Initially developed as a ledger for bitcoin transactions, blockchain is an incredibly secure distributed database where no single organisation (or individual) holds all information.
Blocks of data are added sequentially, embedded using a ‘hash’ of the block just before it. CoinDesk explains how this acts as a ‘digital version of a wax seal’, confirming data is legitimate and hardening the chain against tampering and revision.
Connecting our digital services and activities with our ‘real’ offline identities has significant implications for our safety.
Leveraging the myriad of new technologies and systems available, businesses have some choice and must balance the security of user data with providing a seamless service, or users will look elsewhere.
Whatever approach you choose, communication with customers throughout their experience is the key. For instance, users may be reluctant to give you their mobile number during an online sign-up if you don’t explain that it’s for a two-step identity verification process that will protect their identities.
Carefully considered communication, on the other hand, is likely to make users tolerate a slightly more elaborate on-boarding process in the interest of keeping their data safe.