Identity verification best practices
(Last updated on September 26, 2019)
Identity verification is the process of verifying that a person’s digital identity matches their physical identity when conducting business online. It is a vital component to transaction ecosystems such as eCommerce companies, financial institutions, online gaming, and even social media.
You have likely been prompted to verify your identity when signing up for a new service, applying for a credit card, or even resetting your password. While there are many different ways to verify identity, most methods can be grouped into one of three categories.
Something you are
The something you are category, commonly referred to as biometrics, uses your own person as a means to verify you. This can include fingerprint scanning, facial recognition and even iris recognition. The method is considered to be gold standard of identity verification as it is the most secure. The downsides of biometrics are the hardware cost associated with fingerprint readers and iris scanners, as well as the challenge of resetting biometrics in the event of compromise.
Something you have
The something you have category includes things like your phone or an external device used to generate a code, primarily used for two-factor or multi-factor authentication. This includes receiving an SMS code on a mobile phone, or a hardware authentication device such as a smart card. This identity verification method is the most popular thanks to the relative low-cost for the added security, the accessibility of phone-based methods, and the ability to replace them in the event of compromise.
Something you know
The something you know category, also referred to as knowledge-based authentication, can be a password, or security questions only you can answer. This method is the most common, and the least secure. With the age of social media upon us, most answers to security questions are easily accessible through social engineering.
The verification methods have their own strengths and weaknesses. When selecting a method, consider the level of access being granted, the type of data being accessed, and the action being performed.
Access to sensitive data, such as personally identifiable information, health or financial data requires the highest degree of verification. The same can be said of users who have privileged access, or the ability to cause significant damage within a network. Users with limited system access, who don’t handle sensitive data, can use a simpler verification method.
The verification method needs to be responsive to the action performed. When a user logs onto their corporate computer from within the company network, there are low risk signals – company computer, company network. When that user tries to reset their password from an unknown device outside of the network, there are high risk signals which require more secure verification.
For optimal security, you will have to go beyond a single point of vulnerability. A multi-factor method, a combination of the verification categories, reduces the likelihood of comprise. Multi-factor authentication is widely used for online banking, and can also be enabled for many online accounts, including Google, Facebook, Microsoft, Apple. Companies are also looking to multi-factor authentication to reduce vulnerabilities associated with passwords, and security questions. Since NIST no longer endorses security questions for protecting accounts, organizations are implementing alternate solutions when verifying users through the helpdesk, or during self-service password resets.