They say data is the new oil. We’d add, “identity data.” The data that lets us cope with all sorts of mission-critical activities online: opening bank accounts, applying for benefits, getting insurance payouts, and even getting medical advice. It’s identity that opens the doors. And as our online presence is only growing, the identity verification challenges loom large.
What will an effective identity verification solution look like in 2023? Will governments and businesses ditch paper IDs in favor of digital ones? How to make sure you aren’t talking to an imposter in the age of deepfakes? To get answers to these questions and learn more about what businesses can expect in 2023 and beyond, Regula held an internal panel discussion.
Below, we’ve compiled nine expert opinion-based identity verification trends to watch and leverage in 2023. Let’s dive in.
Trend #1: More steps in the verification process and more friction for customers
Javelin Strategy & Research reports that in 2022, identity fraud and scams cost $52 billion and affected over 42 million people in the US alone. Fun fact: criminals often prefer to target consumers directly (over the phone, email, social media, etc.) as they’re easier targets than businesses. Although it’s end users who lose money, huge reputational risks will make companies add new security layers.
Gone are the days when a single check that verified a single parameter of a person was enough. The experts agree: there will be more checks, and they will be more complicated. Nowadays, you can only trust the results if all the checks match. As a result, multi-factor authentication, which in addition to verifying IDs includes biometric checks, SMS, passwords, recent transactions checks, etc., is gaining even more importance. Such mechanics won’t only affect already highly regulated segments, such as government or finance, but will likely appear in areas where they haven’t been widely used before, e.g., telecoms.
Extra security measures will create challenges not only for IT teams: many product marketers will also be caught between a rock and a hard place. Identity verification often happens at the customer onboarding stage, so every single new step in the process might result in lower conversion rates. However, it might not be that bad. We expect to see users tolerate multi-step identity verification processes which take longer but provide a higher level of security.
Trend #2: Liveness checks are a must
This point is closely related to the previous one. As the number of tasks that can be accomplished online is growing, we need to have comprehensive tools to make sure that submitted ID documents are valid and really exist, with an emphasis on the latter.
As we said above, there will be more identity fraud attempts in the digital space due to the higher accessibility of technologies. However, most of them will fail when it comes to the creation of a physical document. There is huge variability in documents with their own specifics—there are over 20 variants of driver’s licenses in California alone—so it’ll take serious expertise (and money) to make them look genuine. That’s why a comprehensive liveness check which concludes if there’s a real person or a passive fake—an image or recording—is a priority. Fortunately, such technologies exist, but businesses still need to take deliberate steps to implement them.
Properly accepting documents online is more than just asking customers to send an image of their passports; it requires changes in the workflow. An ID document contains various security features: holograms, elements printed with optically variable inks, and biometric data, to name a few. Its image has to be captured in a way that allows these features to be recorded and verified. If a company wants to protect itself against fraud, it has to take action to implement those methods.
Trend #3: A rise in amateur scam attempts
AI, ML, quantum computing, and advanced printing are no longer technologies that are available only to a select few. The flip side of democratization is that bad actors get more ways to enhance their fraud attempts with deepfakes, synthetic identities, and more. Experts say there’s both good and bad news in this regard.
The bad news is the extra load for IT teams and infrastructure caused by a wave of scams using these new technologies. More people will believe that they can cheat the system and more will give it a try, as all sorts of apps for creating realistic models and simulations are literally two clicks away. The matter is complicated by the various document templates available for sale on the web which you can fill in with your details, and they look pretty credible in a digital space.
On the bright side, there’s a big gap between accessing the technologies and knowing how they work. Most users have a very vague idea and only see the result: a believable picture. However, most of the alterations are easily detected at the very first inspection: for example, finding the original data under the changed top layer of a PDF document is really easy.
From my experience, 90% of fraud is very basic. It often happens when someone wants to cheat small, but due to a lack of knowledge, such attempts are obvious to experts. Still, there are people who do scam professionally. It's important to always be on guard and not to lull yourself into a false sense of security.
Trend #4: A new take on digital hygiene
Statistically, the more data that is transmitted over the internet, the greater the chance for it to leak. So it’s a natural consequence that the amount of data for sale on the black market nowadays is increasing. One of the latest cases, the hack of Australia’s biggest health insurer, Medibank, demonstrates how vulnerable users are in the face of such attacks. Over nine million users are on high alert now as cybercriminals have started leaking stolen sensitive medical information on chronic conditions, such as heart disease, cancer, mental health conditions, and others.
There’s a paradox: service providers are trying to collect as much personal data as possible in order to cross-check it through different channels, but for a consumer, it’d be safer to provide a minimum of data, as it could potentially be leaked or stolen and used against them.
But there are nuances. For example, attackers aren’t so much interested in stealing and selling a single (albeit important) piece of information, but in collecting as much different data about one person as possible: credit card data, passport scan, social security number, etc. With the growing number of identity checks and ways to verify a person, such an extensive bundle of stolen identity information makes this person easier prey for an attack.
There’s a decline of trust in online services and yet users are unable to give them up. To address this, consumers will have to think more about their personal digital hygiene and educate themselves about digital privacy: know to whom they give their data, check how it can be used, and how it’ll be protected. We will see a push from users for more data protection rules, and for more transparency from service providers. For businesses, corporate digital hygiene is also essential because it's a significant part of their Digital Immune System, as Gartner calls it. There will be a need to establish and apply more such processes.
IDs and any other Personally Identifiable Information (PII) are crucial to the provision of many services. Having good personal and corporate hygiene in regard to IDs and PII will contribute to a stronger Digital Immune System. Just like in human bodies.
Trend #5: Development of more realistic biometrics-related fraud
Unlike documents, people’s faces are quite similar in terms of their structure. What’s more, there’s plenty of data on human faces collected on the web that can be used for neural network training. These two factors combined mean we will witness more efforts to develop biometric technology and more attempts to use it for fraudulent purposes.
Let's take for example an innocent-looking attraction where a person gets a 360-degree shot. The person has fun, posts it online, and gets plenty of likes from friends—all while the organizers get an object for an attack. With such a high-quality image of a person, it’s easy to build a 3D model using quite affordable software. This model will move, open its eyes and mouth, and do whatever else they want. Then there may be an attempt to pass off this model as a real person, for example, at a job interview or during various liveness checks. Although there are effective methods to identify it, we can expect further development and more attempts to fine-tune this sort of fraud.
Or take deepfakes. There’s a lot of fuss about the technology that allows you to swap people’s faces in images and videos. However, deepfakes are a small percentage of threats to a small percentage of organizations, at least for now. This is to a large extent because of the cost and the amount of effort needed to produce them. But it’s very likely that things will move in that direction and become more dangerous, and, sooner or later, companies will have to add protection against this type of fraud to their toolkits too.
Minimal security measures are currently enough to repel 95% of possible attacks. The remaining 5% is where the difficulties lie. Now, most deepfakes are created for free, and they’re of such a quality that there’s no immediate danger. But that’s a matter of resources. As soon as fraudsters are ready to spend significant sums per deepfake, it’s a problem that requires an interactive, multi-layered solution.
Trend #6: Growth of the IDV market
The number of companies providing identity verification solutions is growing, and there is a simple explanation for that. There are millions of businesses in the world, and many of them are moving online. The shift is driven not only by cutting costs but also by consumers who’ve realized that they can live and work remotely. Even though this process seems to be fast-paced, there’s enough work to last for years.
Also, there will be more new local KYC service providers in every country who are aware of local specifics and provide compliance with watchlists and local regulations. Although identity verification is not the main job for such providers, it’s a prerequisite for their operations, so they’ll need a reliable IDV solution that ensures maximum coverage and accuracy too.
The additional driver that is yet to gain momentum is the demand for digital IDs. Some countries, for example, Belgium, Canada, Singapore, and others, have started to create their own digital IDs. Some financial organizations, like the ones using the Czech Bank identity, have started to do it too.
Given all these reasons, the experts agree that the IDV market will continue to grow; and, most likely, it hasn't even started growing exponentially yet. The growth will be proportional: with the increased number of users, the number of businesses will increase as well as the amount of fraud and its variability.
Trend #7: Multiplication of “single” sources of truth
In the ideal world, most of the issues with fake identities would disappear if we had a highly secure single source of truth like a universal digital identity. In reality, this is going to take a significant amount of time to create and gain broad acceptance and implementation. What we can see now is that every company is trying to become this single source of truth.
Some companies are more successful than others. For example, there are over a billion verified users of Apple devices, so we can trust operations performed with Apple ID. The same goes for Facebook and Google, who also have huge bases of verified users. Similarly, every KYC provider is dreaming of becoming the “one ring to rule them all.” As a result, there are too many sources to call any of them single, but this isn’t a challenge for private businesses alone.
The most reliable source of truth is naturally the government. It has the most complete database of documents and tax records. With access to such a database, verifying a person would be a piece of cake: for example, by comparing a person with the photo held under a certain ID document or number. If this happens online, then the only thing to do next would be a liveness check. These two processes would allow us to do without paper documents: a request would go directly to the issuer to verify that such a person really exists and looks like that.
Unfortunately, we can hardly expect authorities of different countries to come to a full agreement to move in the same direction. So there still will be a huge variety of all sorts of ID documents with different local security features that need to be verified. For businesses, gaining access to government databases is also anywhere from hard to impossible. So tokens in the form of physical documents will be in use for many years ahead.
Trend #8: Intro of end-to-end IDV platforms
As for identity verification technologies, they will likely repeat the path of computer processors: engineers added more and more GHz to make computers more powerful until they reached the limit and began to multiply cores. The same goes for IDV.
Several technologies and features have already appeared, and now they're going to be combined in complex platforms. For example, there are different biometrics verification technologies: face, fingerprints, and voice recognition. Now people will expect them all in one solution in addition to comprehensive document verification.
The future lies in Platform as a Service. There will be more and more vendors who will aggregate solutions from different developers into one platform to offer a comprehensive solution that verifies a person on many various parameters.
Trend #9: Tightened regulation
This trend is hardly new. There are a lot of problems in the world with personal data leaks, misuse, and different hacks for stealing personal data to further sell it on the darknet.
Currently, there are already a lot of regulations in terms of personal data: how to deal with it, and how to protect it. Nevertheless, regulators will likely continue to tighten the screws in terms of identity verification. The experts expect the penalties will be larger, and the number of lawsuits from consumers will increase.
What’s not a trend?
Above, we’ve put together a list of the top trends in the IDV field for the year to come. Still, there were more topics on the radar, which, however, haven’t yet taken off.
One of them is a decentralized identity that excludes centralized third parties from the equation. Decentralized identity systems are built on blockchains that allow users to control their digital identifiers. Still, with power comes weakness.
As no one controls it centrally, no one will be responsible for it in case of any problems. Plus, there is the matter of trust. Blockchain is strongly associated in people's minds with crypto, and the FTX crash that has happened in the last couple of months has severely undermined people's trust in it. So, the idea of decentralized identity is going to be held back for some time.
If we picture the trends above as a scale, where convenience for the customer is on one end and security on the other, the balance is shifting to the latter. New challenges require well-thought-out solutions which can’t appear out of the blue in such an expertise-demanding area as identity verification.
Do you already have a plan on how to address these trends? Do you expect any other trends to emerge in the near future? If so, we would love to discuss it on our LinkedIn. Feel free to connect and share your thoughts with us!