The holiday season, once marked by bustling malls, has transformed into an online frenzy of clicks and carts. But while shoppers hunt for deals, fraudsters are hunting for profits...
But as new account fraud and registration bots become increasingly prevalent, verifying and validating the identity information provided by new users is crucial for enterprises to prevent promo abuse, spam, scams, platform abuse and other threats. And while traditional approaches to identity security suggest that protecting against these vulnerabilities requires a tradeoff in customer experience, it doesn’t have to be this way. Rather than introducing friction in the first, most valuable moments of customer interaction, businesses can leverage the data collected from end users during these moments in order to determine user identities without requiring any additional action from those users — a process known as passive validation.
This blog will compare two key services for determining customer identity, how to contextualize them through the lens of active versus passive validation, and the use cases for passive validation to help businesses determine when and how to use it for their business needs.
Understanding and comparing identity proofing vs. identity affirmation
Two key capabilities are crucial for evaluating account fraud and other risks from new users: verifying a user’s identity and validating the authenticity of the data they provide. The services that provide these capabilities are described by Gartner, respectively, as identity proofing and identity affirmation, as we explain below.
Identity proofing ensures that the user is the true owner of the identity and present when making requests, and is document-centric, often consisting of a scan or photo of an ID and a selfie from the user to match their identity and provide a liveness check. On the Transmit Security platform, this service is known as Identity Verification.
Identity affirmation is more data-centric, and simply verifies whether the user’s real-world identity exists or provides risk and trust signals to help support an identity claim and determine if data points are strongly correlated with the identity a customer has provided. It may consist of a range of signals, as shown in the graph below, which are provided on the Transmit Security platform by our data validation capabilities and Detection and Response services.
Crucially, although both services evaluate risk and trust signals for the information users provide about their identity, the two services have different levels of friction for the customer as identity proofing requires customers to have identity documents nearby and take action so that companies can ensure the user is both present and matches the identity on that document. As such, certain regulatory requirements in industries like finance may require identity proofing instead of — or in addition to — identity affirmation.
In addition, we can go a step further and extend the definitions of these services with additional examples of supporting data types to provide a stronger, more robust risk evaluation for account opening attempts — as is done with Transmit Security’s Identity Verification, Data Validation and Detection and Response services.
Identity proofing can be extended with additional verifications of data such as emails or phone numbers.
Identity affirmation can be extended by collecting data on interactions throughout the user journey that provide a broader context for determining the overall risk posed during the user flow.
Passive vs. active user validation
There are two approaches to validating user information: active and passive.
Active validation requires not only validating the information provided or collected from users by a service, but active participation from users, such as providing an ID or completing additional steps like entering OTPs — resulting in added friction that comes at the price of user experience.
Passive validation lets users focus on the task at hand without being asked to provide any further information or take any additional actions in order to create an account. So whether validations are performed on a phone number, physical address or other data, the user only needs to type the information in.
On Transmit Security’s platform, validation of customer data can be done both actively, using our Identity Verification service for identity proofing, or passively, via data validation or our Detection and Response services. This can be used to either strengthen the efficacy of identity proofing or enable a wider range of businesses to meet their security and compliance needs without the need for customers to take any additional action.
These services evaluate a range of data, as shown below.
Data validation connects to a range of services to automate background checks behind the scenes, resulting in a fast, simple and frictionless validation of:
Email address reputation, age, domain
Phone number reputation, age, provider
Physical address
Social security number
Date of birth
Association between user’s name and email address or phone number
Detection and Response collects and correlates a broad range of telemetry, which is analyzed to provide added assurance for user identities through a range of detection methods, including:
Device reputation
Network reputation
Behavioral biometrics scoring
Sometimes, passive validation is all that you need. For example, active validation is rarely needed to establish verified emails and phone numbers, which are primarily used for account recovery purposes. OTPs and other added friction introduced in this process can be eliminated by passively collecting telemetry on devices, networks and behavioral biometrics in order to make sure missing information has no impact on future user experiences.
Use cases for passive validation on the Transmit Security platform
Identity service providers must provide a 360-degree view of end users to support the wide range of use cases covered by the collection of popular risk signals and intelligence that are out there.
Although identity proofing can — and should — be performed in the most frictionless way possible, passive validation of identity information can also provide a high level of assurance in customer identity while reducing or even eliminating this friction altogether. This enables businesses to meet a broad range of use cases including:
Regulatory compliance: Meeting relevant geographic compliance needs, adapting to shifting global regulatory requirements and managing customer’s end-to-end journeys to satisfy location and industry-specific guidelines.
Fraud reduction: Blocking malicious bots and bad actors from signing up for new accounts to prevent direct and indirect losses associated with fraud.
Increased profitability: Reducing the time and complexity required for account opening or onboarding new customers while eliminating fraud and gaining more valid customers with greater lifetime value.
Smooth onboarding: Improving user flow on websites and reducing the time and complexity required to ensure a secure account opening and onboarding process.
Diverse business needs require a range of services that can evaluate risk and trust in new account opening and beyond. Ultimately, experienced business owners must decide if these additional steps are needed in order to securely onboard new users. To evaluate the right level of assurance for your business, read more about our data validation capabilities, Detection and Response Services and Identity Verification Services, or schedule a demo with one of our experts.
As the Director of Product Management at Transmit Security, Danny Kadyshevitch leads a team of product managers and shapes product roadmaps, overseeing the development and execution of product innovation. To ensure success, Danny works with customers to understand their identity security needs, fraud challenges, pain points and use cases. Prior to Transmit Security, Danny had extensive experience in cybersecurity, after serving in the 8200 intelligence unit of IDF and spending 7 years in Microsoft's Cloud Security division.
George Wainblat is a Director of Product Management at Transmit Security, leading the Identity Orchestration and Data Validation product lines. Prior to joining Transmit Security, George was leading product management at Kameleon, Akeyless, Unbound, ECI, SynergyView and the Israeli Air Force. George holds M.Sc. in Electrical Engineering and MBA degrees from Tel Aviv University in Israel.