3 Best Practices for Identity Verification and Authentication in Financial Services

Concerns about fraud, omnipresent in financial services, are at a higher level than ever before. The 2023 Federal Reserve Financial Institution Risk Officer Survey showed external fraud was the top operational concern for risk leaders in 2023. Experian found that deposit and checking account fraud was one of its most impactful fraud trends in 2023, noting, “The Treasury Department reports complaints doubling YoY, after increasing more than 150% between 2020 and 2021.”

In its 2023 True Cost of Fraud Study, LexisNexis reported that for Financial Services and Lending, the actual cost of fraud was 4.41 times the lost transaction value in the U.S. and Canada, €4.12 for every Euro lost by French financial institutions, and R4.52 for every rand lost by South African institutions.

As banking and financial services have become increasingly digital, stolen and synthetic identities factor more frequently into the growth of fraud. And the only way to mount a strong enough defense against the insidious power of fraud and the increasingly sophisticated bad actors behind it is to implement identity verification and authentication backed by biometrics.

Why is identity verification (IDV) important in financial services?

While financial institutions must comply with Know Your Customer (KYC) regulations, inadequate IDV can result in successful new account fraud, account takeovers (ATO), and data breaches that can lead to even more identity data and credentials being stolen.

New account fraud happens when a criminal uses stolen credentials, or a synthetic identity that combines details from real people with false information, to open a financial services account and then use it for nefarious purposes. In its 2024 State of Omnichannel Fraud study, TransUnion reported that 13.5% of all global digital account openings were suspected to be digital fraud. The study also found $3.1 billion in lender exposure to suspected synthetic identities for U.S. auto loans, credit cards, retail credit cards, and personal loans.

During IDV, or onboarding, cybercriminals may also attempt to spoof verification systems via synthetically generated audio and visual content (like deepfakes). This can include voice recordings, still or live images, video recordings, and forged documents (either stolen or created with AI-enhanced design tools), all of which attempt to imitate a genuine user. Generative AI has made the creation of manipulated content both widely accessible and cheap, only further underscoring the importance of advanced document verification and liveness detection – key components of identity verification – as critical technologies in any organization’s security posture.

ATO attacks typically target authentication processes and can unfold in several different ways. An ATO attempt can happen when a fraudster gains access to an account using the existing login credentials, typically stolen through social engineering – though, recently, fraudulent AI technology is becoming another avenue to access customer data. The fraudster then changes the credentials, taking over the account and getting access to all sorts of sensitive information, granting them the ability to transfer funds and make decisions that can have devastating effects.

The second most common ATO method is when a criminal requests a reset of credentials. This method is an easier target for a hacker, because they usually only need to know a single authentication factor, like an OTP, to authorize the change.

A third ATO scenario occurs when criminals take over a session after a legitimate user has successfully logged in via digital identity authentication. In its article, “2023 Fraud Highlights: Check Fraud, Scams, Account Takeovers,” BankInfo Security wrote, “Banks and other financial institutions are expected to continue to struggle with account takeovers as fraudsters have changed their modus operandi, making it difficult to track fraudulent proceeds.” Security.org found that banking accounts were the second most-likely account type to experience an ATO and that “70% of victims reported that their compromised accounts didn’t have unique passwords, making them susceptible to having multiple accounts stolen.”

While IDV can be used to help prevent ATOs – for instance, requiring full identity verification to change credentials – server-side biometric face authentication is the more common deterrent.

Much of the personal information and credentials used by fraudsters are exposed through data breaches. The 2023 Data Breach Report from the Identity Theft Resource Center revealed a 72% increase in data breaches over the previous all-time high in 2021, with financial services reporting the second-highest number of compromises, after healthcare. According to Security Magazine, Bank of America suffered a security breach in November 2023 that exposed the sensitive information of over 57,000 customers when an unauthorized third party accessed the systems of a service provider. Governing reported that, in 2023, 349 million people were affected by data breaches – a huge figure, and one that underscores that a breach can be caused not only by identifying information held by the person’s own organization. Buyers on the dark web can easily access PII (personally identifiable information) to wreak financial and reputational havoc.

With the wide increase in stolen and synthetic credentials, it’s more important than ever to ensure that customers, employees, third-party vendors, relying parties, and anyone else who can create or access accounts and systems is truly who they claim to be.

3 best practices for IDV and authentication

When it comes to IDV and authentication solutions, there are several factors to consider, including the size of your IDV deployment, the security/risk level(s) of identity assurance required, and the role users themselves will play in protecting accounts and data (on-device biometrics vs. on-server biometrics, for example). It’s also important to implement identity assurance across the user lifecycle, from onboarding (verification) to authentication to account recovery – and every interaction in between.

Here are three best practices to inform financial institutions during due diligence and to help strengthen the security of their identity verification and authentication solutions.

Use and combine multiple factors

There are three types of identity factors that can be used as credentials for account access:

  • Something a person knows (knowledge-based), such as a password or PIN.
  • Something a person possesses (device-based), such as a smart card, fob, or an authenticator app on a phone, tablet, or laptop.
  • Something a person is (biometrics), which encompasses both physical traits, such as a fingerprint, facial scan, or voice, and behavioral traits, such as gait, typing speed, or eye tracking.

Knowledge-based factors, like passwords, are the weakest form of security. Because they must be remembered, people usually make passwords and PINs simple to recall, often integrating elements like pet names, addresses, and important dates in their lives (weddings, birthdays, etc.). Much of this information is readily available online, making accounts relying on KBA (knowledge-based authentication) extremely easy to hack. People also reuse passwords across accounts, which makes all of their accounts and data vulnerable if any single account is compromised.

Adding a possession-based element, such as a smart card or mobile phone, increases the likelihood that the person seeking account access is the legitimate user, since it’s unlikely that a fraudster would have the physical object or device. However, it’s still quite possible for hackers to bypass possession: SIM-swapping, ATO, and other forms of fraud prey on the digital interception of credentials during a socially engineered account interaction (one that requires speaking to an agent, for example) to steal users’ data. There is only one (basically) foolproof way to practice security in the risky modern age in which we live, play, and do business: biometrics.

Biometrics, also known as physical- or inherence-based factors, offer the strongest level of security available today. They cannot be hacked, forgotten, or stolen. Today’s biometric identity assurance solutions for financial services include AI-powered algorithms that enable systems to recognize attempts to use still images, videos, or voice recordings (like deepfakes) and to reject synthetic identities. Behavioral biometrics, which identifies a user by how they type, move a mouse, swipe between screens, or take other actions, can help to guard against ATOs – something possession- or knowledge-based factors cannot.

By combining two or more of these factors with a multi-factor authentication (MFA) solution, financial services organizations can better protect themselves and their customers against fraud, credential stuffing attacks, and breaches.

Emphasize data safety

Employers, customers, and authorized third parties all play a role in the security of any financial institution. It’s important to ensure that third parties whose employees can access accounts and systems have rigorous security standards equal to the institution’s.

If a password is part of the multi-factor authentication system in place for a business, the guidelines should be set to require at least eight characters, including upper- and lowercase letters, numbers, and special characters. The difference in hacking time for an eight-character password that follows these guidelines vs. one that only contains numbers is 12 years compared to one second.
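The policy described above, written out as an added example (not Daon’s code): a check that a candidate password has the four required character classes and the minimum length, and a keyspace comparison showing why a digits-only eight-character password is exhausted so much faster than a compliant one. The guess rate used for the time estimate is an assumed illustrative figure, not a value from the article.

```python
import string

# Character classes the article's policy requires: upper, lower, digit, special.
SPECIALS = string.punctuation
FULL_ALPHABET_SIZE = 26 + 26 + 10 + len(SPECIALS)   # 94 printable symbols
DIGITS_ALPHABET_SIZE = 10


def meets_policy(password: str, min_length: int = 8) -> bool:
    """True when the password is at least min_length characters long and
    contains an uppercase letter, a lowercase letter, a digit and a special."""
    if len(password) < min_length:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)
    return has_upper and has_lower and has_digit and has_special


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive guessing attack must cover."""
    return alphabet_size ** length


def brute_force_ratio(length: int = 8) -> float:
    """How many times larger the full-charset keyspace is than digits-only.
    For length 8 this is 94**8 / 10**8, roughly 6.1e7."""
    return keyspace(length, FULL_ALPHABET_SIZE) / keyspace(length, DIGITS_ALPHABET_SIZE)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       guesses_per_second: float = 1e8) -> float:
    """Worst-case time to try every candidate at an ASSUMED guess rate
    (1e8 guesses/s is a constructed placeholder, not a figure from the article)."""
    return keyspace(length, alphabet_size) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    for pw in ("12345678", "Passw0rd!", "abcdefg1!", "Ab1!"):
        print(f"{pw!r}: compliant={meets_policy(pw)}")
    print(f"full charset keyspace is {brute_force_ratio():.3g}x larger than digits-only")
    print(f"digits-only, 8 chars: {seconds_to_exhaust(8, DIGITS_ALPHABET_SIZE):.1f} s")
    print(f"full charset, 8 chars: {seconds_to_exhaust(8, FULL_ALPHABET_SIZE) / 86400 / 365:.1f} years")
```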

It’s important to warn customers, employees, and third parties about phishing. Many people fall prey to these emails or voice messages that seem to come from trusted sources, such as an email bearing the name of the financial institution or an employee’s manager requesting PINs, account and credit card numbers, or credentials. But as many of us know (sometimes from learning the hard way), the emails actually come from fraudsters. Phishing attacks rose 58% in 2023 and, according to Egress, 94% of organizations had email security incidents and 79% of ATO attacks started with phishing.

The good news is that users want to help with security. Our survey found that 54% of consumers believe that companies and consumers hold an equal responsibility for protecting consumer identity. Additionally, 91% are willing to take extra security measures to prove their identity on an ongoing basis to protect their information and accounts.

Continuously improve and adapt

Fraudsters continually evolve the ways they attempt to gain account and data access, so identity assurance and those who implement digital security can’t afford not to do the same. Staying on top of identity security means continuously evaluating and improving the verification, authentication, and account recovery processes.

One way to do this is to take full advantage of the latest technologies. For example, as AI puts more power in the hands of criminals, adopting the latest AI-backed security technologies won’t just increase your defensive capabilities; it can also provide real-time risk assessment that helps to thwart fraud as it’s happening, often without the need for any human intervention. During IDV, using the most enhanced technology is critical for any organization (and especially for finservs), as AI-powered spoof attacks carried out against traditional verification processes will undoubtedly win out. Leveraging good AI to fight bad AI, such as through enhanced liveness detection and document verification, is the best way to stop criminals before they can even begin to thwart your system.

Listening to (and eliciting!) user feedback can pinpoint places that increase friction during the customer identity journey. A common occurrence is customers who try to circumvent the authentication process or turn off MFA altogether due to the clunkiness of traditional factors like passwords and PINs. Forgotten passwords are not only costly to recover for businesses – they can also cost an organization its reputation. Continuous monitoring of digital identity security methods and how they are being used can help to ensure your financial services organization stays on top.

Balancing security and user experience

Customers want both the highest level of security to keep fraudsters out of their accounts and quick and easy access for themselves. Employees want to maintain security without wasting time whenever they need to access systems and applications. It’s more important than ever to find the right balance between safety and UX.

Incorporating biometrics into an MFA solution covers all the bases. Every day, customers and employees worldwide conveniently (and securely) unlock their devices by placing a finger on a fingerprint reader or scanning their face. When these users onboard, a template of their biometric factor (face, finger, or voice) is created with just enough data to authenticate identity when the customer or employee presents the live fingerprint, face, or voice during future interactions. So, even if a fraudster breaches the database or device where these templates are stored, unlike with passwords, PINs, or other known credentials, the templates cannot be used to access the account without the live biometric factor.

Biometrics also offer the added convenience of being impossible to lose or forget, and never having to be reset, updated, or replaced. Our Zero Trust Consumer study found that 54% of consumers still use a password to access their financial accounts, and that 81% of those willing to take extra security measures would be willing to use face or voice recognition when accessing accounts to better ensure security.

For financial services organizations, everything depends on digital identity assurance. Why risk it all? See how Daon’s digital identity verification solutions for financial services can provide the protection and ease customers and employees want while stopping fraudsters in their tracks.