The Top Trends in Identity Verification Technology
Identity verification has come a long way. In pre-digital times, establishing trust for a transaction or agreement depended on in-person interactions and physical credentials. Today, legally binding digital signature processes can provide the highest possible level of assurance that people are who they say they are—even from the other side of the world. As companies strive to make identity verification as seamless, secure and efficient as possible, further changes continue to appear on the horizon. For businesses, it’s critical to understand the rapidly evolving technologies, standards, challenges and expectations that define this critical element of cybersecurity and customer experience.
In this article, we’ll discuss six key identity verification trends that businesses need to be aware of:
- Regulatory complexity and fragmentation are growing
- Qualified electronic signature (QES) is becoming more prevalent
- eIDAS 2.0 raises the stakes for digital identity
- Blockchain will enable self-sovereign identity (SSI)
- Tension is growing between user experience and verification
- AI and biometric identification are being used to enhance accuracy and security
1. Regulatory complexity and fragmentation are growing
One in three Americans becomes a victim of identity theft at some point in their lives–one every 22 seconds, experts estimate–while the cost of cybercrime is projected to hit $8 trillion in 2023 and $10.5 trillion by 2025. In response to these rampant threats, regulators have issued a steady stream of new rules and guidance designed to prevent fraud, data theft and other breaches of trust. US state legislators proposed more than 270 cybersecurity-related bills in 2022 alone. Within the EU, the Electronic Identification, Authentication and Trust Services (eIDAS) and Payment Service Directive II regulations are forcing organizations to strengthen their identity verification capabilities to meet the highest standards of security and reliability.
As identity verification regulations grow more stringent, they are also becoming more geographically diverse. Even within the European continent, businesses must be prepared to comply with both the EU’s eIDAS and regional regulations such as in Switzerland’s ZertES. Businesses also need to consider the possibility of open banking rules in Switzerland that diverge from the PSD2 regime followed by its neighbors.
A study by Forrester confirms the impact of this trend on business operations. In the research firm’s survey, 79 percent of respondents reported a substantial increase in the number of digital transactions their organizations must process, while 76 percent saw an increase in regulatory requirements requiring strong identity verification. The study’s authors note that “As transaction volumes and regulatory requirements rise, so does the complexity of identity verification.”
Facing these developments, many companies are now struggling with a lack of standardized practices for identity verification, relying instead on fragmented approaches across countries and industries. Organizations with global operations are especially challenged because the approaches they take must conform with both local cultural sensitivities and geographic-dependent regulations. There’s no shortage of niche tool vendors and compliance providers targeting specific regions, but this piecemeal approach can drive soaring costs and inefficiencies.
As regulatory complexity and fragmentation grow, companies will need simpler, more efficient ways to address global digital signature compliance.
2. Qualified electronic signature (QES) is becoming more prevalent
Different types of agreements and transactions can call for different levels of trust. For low-risk matters such as an e-commerce purchase, a day-to-day sales agreement or the creation of a simple form that needs signing, simple electronic signature (SES) is sufficient. The most basic form of electronic signature, SES calls for equally basic identity verification measures—typically the use of an email address, phone number, or password to authenticate the user. While e-signatures offer only a low level of trust, they also allow the simplest possible user experience, making SES a suitable choice for use cases where the risk posed by fraud is relatively low compared with the increased likelihood of dropouts by users facing more complex identity verification checks.
For use cases requiring higher levels of trust, such as a bank account opening, leasing agreement, patient consent form or employee onboarding, companies turn to digital signatures, a type of e-signature incorporating heightened signer identity assurances. As part of a digital signature process, a Qualified Trust Service Provider (QTSP) issues a digital certificate that securely associates a signatory with a document, guaranteeing the signer’s identity and the document’s integrity in a recorded, auditable manner.
The most common type of digital signature to date has been advanced electronic signature (AES), which provides a higher level of assurance through additional user authentication steps. While there are multiple forms of identity verification associated with this type of signature, typically the signer uses a valid identity document to confirm that they are who they say they are, and may be required to provide a unique access code after the signing process as well. The subsequent digital certificate generated by a QTSP as part of this process is attached to the envelope as part of the transaction. The resulting digital signature is legally binding.
Qualified electronic signature (QES), the most advanced type of digital signature, offers the highest level of trust. The signer’s identity is verified through a face-to-face or equivalent process by a QTSP, and a digital certificate is created with an electronic signature device. Across all 27 EU member states, it is considered the legal equivalent to a handwritten signature and, when contested in court, shifts the burden of proof to the challenging party.
Initially reserved for highly regulated transactions, the use of QES is becoming more prevalent due to the higher levels of security and legal enforceability it provides. In fact, QES is soon expected to become the de facto digital signature standard in Europe, where identity verification techniques and practices have tended to advance more rapidly than in the US and elsewhere. This accelerated maturity is due in part to the development of frameworks such as the EU Electronic Identification, Authentication and Trust Services (eIDAS) regulation, which is designed to ensure secure and reliable electronic identification and trust services across its member states.
Today, US companies doing business in the EU need to be aware of the local expectations around digital signatures, understand their legal implications and be prepared to meet the higher standards required for QES. As the requirements for identity verification continue to evolve around the world, QES is likely to become a standard operating practice for highly sensitive or regulated use cases wherever companies do business.
3. eIDAS 2.0 raises the stakes for digital identity
As digital signatures have gained widespread adoption across Europe and elsewhere, the eIDAS regulation first implemented in 2014 has provided essential guidance to ensure a secure and reliable framework when it comes to things like electronic signatures. Within the EU, a QTSPs will have gone through a strict assessment process to validate that they meet high standards of security and reliably adhere to stringent requirements. Regular audits ensure that QTSPs maintain ongoing compliance.
eIDAS 2.0 is expected to come into force in September 2023. The overall goal of the updated regulation is to enable the creation of secure electronic identities (eIDS) that people can use to access public services, as well as ensuring that these eIDs will work across borders and have the same legal status as their traditional paper-based equivalents. eIDAS 2.0 includes the concept of an EU Identity Wallet, a digital platform that allows individuals and businesses to store and manage their electronic identification and trust services, including digital signatures and certificates, securely and conveniently.
This focus on convenience is a key consideration. As digital signatures become more prevalent throughout modern life, it’s essential for these processes to become as simple and seamless as possible for all parties in the agreement or transaction. By enabling a high level of trust without requiring overly burdensome processes, companies can ensure a high-quality experience for customers, employees and business partners; improve operational efficiency; and strengthen security.
Companies doing business in the EU should already be coming up to speed on the goals and provisions of eIDAS 2.0, the standards it introduces, the new technologies and practices needed to support it and how they can best be implemented.
4. Blockchain will enable self-sovereign identity (SSI)
A key element of eIDAS 2.0, self-sovereign identity (SSI) is a form of digital identity that the user has complete control over. As the owner of their own identity, the individual can decide who sees what information, when, by giving consent before any of their identity data such as passport number or banking details is shared with the vendor or third party. An SSI is made possible by enabling individuals to securely store their own identity data on their own personal devices instead of relying on a central repository under third party control.
As part of the evolution to SSI, the EU recently created an eIDAS-compatible European Self-Sovereign Identity Framework (ESSIF). The ESSIF is part of the European blockchain service infrastructure (EBSI), a joint initiative from the European Commission and the European Blockchain Partnership (EBP) to deliver cross-border public services across the EU using blockchain technology. In addition to ESSIF, key use cases for the ESBI include the notarization of documents and the certification of diplomas, making identity verification a core part of its functionality.
ESSIF dovetails with the digital wallet concept outlined in eIDAS 2.0. Individual digital wallets built on blockchain technology will be used to record and securely store personal data, including proofs of identity such as passports and birth certificates that have been verified by an authorized third party such as a government agency, university or employer. In the course of an identity verification process, users will be able to grant selective access to these documents to the requesting party, who in turn will have assurance that they are genuine and accurate. By establishing a single consistent identity for each individual, SSI will also reduce the chance of performing a verification process or background check using credentials belonging to a different person with the same or similar name.
A recent report by the European Union Agency for Cybersecurity (ENISA) shows progress on the development of blockchain-enabled digital identity systems in regions such as Latin America, the Caribbean, and Poland. Within the US, the ID2020 partnership is pursuing similar aims. The organization’s manifesto states that “We live in a digital era. Individuals need a trusted, verifiable way to prove who they are, both in the physical world and online.” Accenture, a member of the partnership, has stated that building a trusted identity on blockchain will help in areas from building more personalized customer relationships and offerings to strengthening fraud protection and maintaining regulatory compliance.
As SSI becomes incorporated into more types of identity verification scenarios in the EU and abroad, companies should study the potential benefits of such systems and explore potential tools and use cases to prepare for broader adoption worldwide.
5. Tension is growing between user experience and verification
As the development of SSI and the provisions of eIDAS show, companies and regulatory agencies around the world recognize the importance of ensuring a high-quality user experience for identity verification. However, the reality on the ground shows that this remains very much a work in progress.
As with many aspects of digital life, a high-friction user experience for identity verification is bad for business. Customers today demand fast, seamless and convenient ways to interact and transact online, and they’re quick to abandon experiences and companies that can’t meet their expectations. Employees and partners can be alienated by experiences that seem outdated, inefficient, overly manual and time-consuming, reflecting poorly on the organization and its brand.
A cumbersome identify verification process is especially problematic for companies with high-value use cases such as:
- A communication service provider (CSP) signing a new customer to an ongoing agreement
- A customer opening a new bank account or processing a mortgage application
- A real estate agent finalizing a rental agreement
- An insurer issuing a new insurance policy
- An HR staffer onboarding a new employee
The need in such situations to verify a user’s photo identification or other type of government or electronic ID can mean imposing additional steps that increase drop-off rates—especially if the user is required to download a third-party app.
As Forrester noted in a recent white paper, “Slow verification leads to business loss. Customer abandonment rates during the identity verification process are still much higher than most organizations would like, due in large part to overly long and complicated verification processes. … The implications of increased abandonment rates stretch from delayed agreements to loss of business.” In fact, the firm’s research found that abandonment rates rose to 32 percent after 10 minutes.
At the same time, a better user experience can’t come at the expense of security. In another study, Forrester found that while 77 percent of financial services decision-makers emphasize the need to deliver a secure, high-quality customer experience for identity verification, the same number feared that “the better they make the customer experience of identity verification, the worse the security becomes, and vice versa.”
The challenge facing companies is deceptively simple to state—and often exceptionally difficult to address: improving the identity verification experience without increasing risk. Overcoming this challenge needs to be a top priority for vendors–and a key selection criterion for businesses.
Businesses need to spend time assessing vendors to establish how they overcome this.
6. AI and biometric identification are being used to enhance accuracy and security
Biometrics have already become a familiar part of daily life for many consumers, incorporated into actions as simple and routine as unlocking a smartphone screen. To date, these methods have tended to focus on morphological identifiers such as fingerprints; the shape of a hand, finger or face; or patterns in a user’s veins, iris or retina. Now, biometrics is progressing to encompass certain behaviors as well, from voice recognition and liveness verification to signature dynamics such as the pen’s speed, accelerations, inclination or pressure exerted.
Biometrics can be a highly effective way to improve user experience for identity verification—provided that it’s secure. In discussing the use of biometric authentication for identity validation in banking, Frost & Sullivan notes that “In addition to showing that their solutions can decrease the number of fraudulent transactions and lower the time it takes to verify a user, [solution providers] must also offer increased accuracy and precision to make it easier for valid users to conduct transactions while accurately detecting fraud actors in real time.”
ENISA recently warned companies about one such hazard: face presentation attacks in which photos, videos, 3D masks or deepfakes are used to impersonate users. One way to counter such attempts is through liveness detection measures—additional steps that a user must take to prove that they are real and present in that moment. These can include passive facial liveness analysis to determine whether a face is real without requiring movement; active facial liveness screening in which specific actions must be done in a predetermined order; live voice recitation of a phrase; or requiring the entry of one-time passcodes or randomized PINs.
Artificial intelligence offers another path to lower risk. As biometric scans are incorporated into verification processes, advanced AI can both enhance the accuracy with which the live user’s biometric data is matched to their stored equivalents and perform more effective liveness detection. AI and machine learning algorithms can help refine behavior-based identity verification measures as well as detecting anomalies that can flag suspicious behavior.
As such work continues, the use of biometrics in identity verification remains highly appealing to businesses, government agencies and individuals alike. Forrester has found that “in an ideal world, 40 percent of financial services respondents noted their companies would implement biometric data for customer identity verification.” In Pakistan, the country’s National Database and Registration Authority (NADRA) has launched a service to allow citizens living abroad to verify their identities using biometrics to exercise power-of-attorney privileges. More than 8,000 applicants have already processed power-of-attorney applications from the UK and US, and roughly 1.5 million Pakistanis abroad have accessed the power-of-attorney site to date.
As these trends make clear, identity verification is a fast-evolving space. Read more about identity verification on the DocuSign Blog.