Identity verification in an era of data breaches

Cyberattacks and breaches have grown in frequency, and losses are on the rise. In 2015 the number of U.S. data breaches continued to break records, with 781 breaches reported and about 169 million records exposed, according to the Identity Theft Resource Center. For a more global view, as of the first half of 2016 there were 974 reported data breaches worldwide, impacting over half a billion records, with identity and PII data making up the majority of the breached data. If that trend holds, 2016 should see over one billion data records breached globally, a truly mind-boggling number.

And these figures do not include the many attacks that go unreported or undetected. Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and the Center for Strategic and International Studies (CSIS) estimated that the likely annual cost of cybercrime to the global economy is $445 billion, with a range of between $375 billion and $575 billion.

More than ever before, the majority of consumers’ personally identifiable information (PII), user names and passwords, and even some authentication tokens have been compromised or are at risk of being compromised. The rapid surge of new and more sophisticated data thefts continues to add urgency to the need to implement user-friendly ways of protecting consumers and enterprises alike.

What does all of this mean in the context of identity verification? Data has been compromised, so financial institutions cannot rely solely on “what you know” factors for secure identity verification or authentication. On the authentication side, passwords are no longer secure as the sole means of authenticating a returning user and giving them access to a financial account. Thankfully, the financial services industry has recognized this and has been adopting new techniques. A recent survey found that 85% of companies already use two-factor authentication or plan to have it live within the next 12 months, and that 72% of companies more broadly will no longer use passwords to authenticate accounts by 2025. That’s too long, but we see significant momentum, especially in the financial services sector, which is ahead of the pack: layering in behavioral biometrics, two-factor authentication and even active biometric authentication is happening today. We also know that customers appreciate this. A recent Mitek survey of millennials showed that within this key demographic, which tends to be stereotyped as caring most about instant gratification, 87% are actually concerned about identity and data privacy, and this inhibits their adoption of mobile payments while they consider whether these concerns are met. So it’s truly a win-win to move forward with a biometric authentication strategy.

But “killing the password” and overhauling the authentication or login process to be more secure is not enough. It’s worth highlighting that an updated authentication scheme is only as secure as the process that binds the identity to the account in the first place. Financial institutions should be exploring all available technologies in an effort to reduce reliance on data across the scope of identity management. With respect to identity verification, scanning for an authentic ID document as a “what you have” factor is one method that gets away from relying only on the end user entering data, data that could come from anywhere, even from the dark web. This can then be complemented by a second “what you have” factor by seamlessly verifying mobile device ownership. Or a “who you are” factor can also be added by layering in a facial biometric check that compares the face to the ID document.

Considering that the data-based identity verification methods most institutions rely on today are greatly weakened by data breaches, and given the considerable advances in deep learning and other types of artificial intelligence and the maturity of mobile capture products, there is no reason to wait any longer. The time is now to take identity verification to the next step and move away from the already disputed “what you know” methods.