Most of us have experienced signing onto a site that offers to generate a password we will never remember, so we often take the easy way out and reuse existing passwords. How would a layered approach help with this situation?
The first layer should be a risk assessment for digital identity. Imagine this as an entry checkpoint as you begin to access your services. What is the risk right at the beginning? This is an invisible digital identity check: the gathering of signals from user interactions in digital environments without interrupting their activity.
That leads to the three layers of a multi-layered approach.

Physical identity assessment. Historically, identity verification meant validating a customer’s physical identity data: you verified a person’s physical documents. However, as more transaction channels have been adopted, physical documents alone aren’t enough. We know that physical identifiers can be compromised, or even synthetic. To gain a more holistic view of the identity, risk and opportunity, you must combine physical identity verification with digital identity proofing solutions. You need intelligence related to devices, locations, identities and past behaviors to accurately distinguish trusted users from fraudulent ones.

Authentication. With this in mind, an authentication layer such as a username and password can help further validate the user. This is sufficient if we can see that the user is accessing from their usual device in their usual location, and that they enter their username and password correctly. However, if the early risk assessment has highlighted discrepancies or concerns, extra layers of authentication can be added: for example, sending a one-time password, or asking a series of knowledge-based authentication or out-of-wallet questions, which are not based solely on identity data.

Investigation and review layer. The last layer is typically for a very small percentage of high-risk events that are placed in a “holding pattern” or on a temporary block while the person is validated in a different way. Alternatively, they may be allowed entry while an alert is sent internally for someone to validate them in person, especially during an onboarding process when someone is registering for a new service, so that a human reviews it rather than the decision being fully automated.
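The routing between the three layers described above, written out as an added example; this is illustrative code, not a LexisNexis product or API, and the signal names, weights and thresholds are assumptions chosen to show the decision flow (invisible risk score first, password alone when the score is low, step-up when discrepancies appear, a human hold for the small high-risk share, earlier during onboarding).

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                      # username/password is enough
    STEP_UP = "step_up"                  # add a one-time password or KBA/out-of-wallet questions
    HOLD_FOR_REVIEW = "hold_for_review"  # temporary block or internal alert; a human validates
    DENY = "deny"                        # the credential check itself failed


@dataclass
class Signals:
    """Inputs to the invisible risk assessment plus the credential result (assumed fields)."""
    physical_id_verified: bool  # layer 1: document / physical identity check passed
    known_device: bool          # digital proofing: device previously tied to this identity
    usual_location: bool        # digital proofing: location consistent with past behavior
    identity_velocity: int      # recent sign-ups seen with this identity data (synthetic-ID signal)
    onboarding: bool            # new registration rather than a returning login
    password_correct: bool      # layer 2: credential check


def risk_score(s: Signals) -> int:
    """Layer 1: add up discrepancies without interrupting the user (weights are assumptions)."""
    weights = [(not s.physical_id_verified, 40), (not s.known_device, 20),
               (not s.usual_location, 20), (s.identity_velocity > 2, 30)]
    return sum(w for hit, w in weights if hit)


def decide(s: Signals, step_up_at: int = 20, review_at: int = 60) -> Decision:
    """Route the event to the cheapest layer that the risk score allows."""
    score = risk_score(s)            # risk is assessed first, before the credential check
    if not s.password_correct:
        return Decision.DENY
    if s.onboarding:                 # human review should kick in earlier for new registrations
        review_at //= 2
    if score >= review_at:
        return Decision.HOLD_FOR_REVIEW   # layer 3: small share of high-risk events
    if score >= step_up_at:
        return Decision.STEP_UP           # layer 2 extended: OTP or knowledge-based questions
    return Decision.ALLOW                 # layer 2 alone: usual device, usual place, right password


def review_rate(sessions) -> float:
    """Share of events that reach the manual layer; this should stay very small."""
    held = sum(decide(s) is Decision.HOLD_FOR_REVIEW for s in sessions)
    return held / len(sessions) if sessions else 0.0
```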
One last point on this: LexisNexis Risk Solutions publishes a True Cost of Fraud Study every year in which we look at the financial impact of fraud and how to prevent it. The two graphs above show the difference between a single-layer or limited-layer prevention approach and a multi-layer approach using the layers we’ve described. It’s clear that a multi-layered approach not only reduces the number of successful fraud attempts, but also reduces the actual cost of any fraud that still gets through. Across the different industries we mentioned, it is quite clearly defined that having a layered approach can be financially valuable to agencies.