Identity verification: how Strivacity simplifies sign-in journeys

Larry King
Larry King
  • Sep 26, 2022
  • 11 min read

Figuring out (and verifying) who’s on the other side of the keyboard is one of the biggest challenges when it comes to building memorable forgettable sign-in journeys.

Exactly how important identity verification is for your sign-in journeys depends on what’s on the other side of your login screen. If your customers are moving money around, accessing healthcare info or purchasing big ticket items, you probably care quite a bit.

At its core, the concept is pretty simple. Take something unique your user knows (or possesses) and compare it to a trusted source of data. If it matches, voila! We can trust that the user is who they claim to be.

Unfortunately, online identity verification is easier said than done. There are four key reasons:

  1. Finding the “trusted source(s) of data” usually requires contracting with one or more third-party data providers. That’s time consuming and pricey.
  2. There are usually multiple ID verification “tests” you’ll want to put users through and the various scenarios can get complicated to code.
  3. Inevitably, the initial flow you rollout will need some tweaks. That usually requires custom coding.
  4. Since you’re relying on so many different third parties, it’s hard to create a good user experience unless you have a team of engineers on standby.

We’ve seen these four speed bumps play out over and over in hundreds of implementations. We knew we could create a different (and better) way.

Strivacity identity verification

If you’ve tried to implement identity verification before, you’ve probably heard a lot of “no” – as in “no … we can’t do it that way.” But – like the old Burger King commercial, identity verification is something that very much needs to be “your way” if you want it to be a good experience for your customers. Good security shouldn’t have to come at the expense of a poor user experience.

There are three main things that set our identity verification capabilities apart from other approaches:

  • One-stop shopping: Since we’ve already pre-negotiated agreements with a core set of data providers for phone-, document- and knowledge-based verification you don’t have to play “requirements telephone” with vendors. They’re all bundled into the price of our service. And if you already have agreements in place, we also make it easy to integrate them.
  • Configure it with clicks (not code): We’ve distilled the key decisions you need to make down into drop-down menus and radio buttons. No need for you or your engineering team to deal with the box of Tinkertoys that other providers hand over when you try to DIY. We even give you a visual workflow.
  • Branding and user experience: You can pretty much brand and tailor most any part of the user experience to spare your customers avoid the UX whiplash that’s part of any conventional online identity verification process.

That’s all a long way of saying that with Strivacity you control the workflow, the experience and your brand. And you can refine and tweak the process with a few clicks. That lets you focus on the big decision in front of you: what risks do you need to mitigate.


Strivacity’s identity verification and fraud prevention features


What Description Purpose
Fraud prevention
Bot detection Checks login and registration requests to
see if it's associated with known bot activity
Eliminate threats from
commodity bot networks
TOR and
anonymous proxy
detection
Check's login and registration requests to
see if the source is being anonymized by a
proxy or TOR node
Eliminate threats that are
using proxies to hide their
origin
Risky phone
number detection
Allows you to exclude certain types of
phone numbers for identity verification
purposes like non-fixed VoIP and 1-800
numbers
Restricts phone types
typically used by bad
actors for fraud purposes
SIM swap
detection
Allows you to reject phone numbers that
have recently been switched from one
device to another
Eliminates a bad actor's
ability to use a stolen
phone account to commit
fraud
Identity affirmation
Phone record
matching
Affirms a customer's identity by comparing
info they present to their phone carrier
records
Provides a higher level of
assurance that a
customer is who they
say they are
Knowledge-based
questions
Affirms the customer's identity by asking
them questions based on their financial
history
Provides a higher level of
assurance that a
customer is who they
say they are
Identity proofing
Document-based
verification
Proofs the customer's identity by scanning
a government document and taking a selfie
to confirm the registrant is the person on
the ID
Proves that a customer is
who they say they are
with a high level of trust


What’s happening under the hood?

The real magic in our approach to identity verification lies in the “how” (hint: it’s super simple). Our clicks-not-code philosophy is core to how we’ve built our platform – and it really shines when it comes to identity verification. You control which layers of verification to include, which order to perform them in and how to route failures and successes.

Strivacity visual workflow editor

For example, as in ^this^ diagram, which shows the Strivacity identity verification workflow editor, you could start with a phone record match step. If that check passes, you can pass the customer on to the next registration step. If it fails, you could use knowledge-based questions as a backup method to give the registrant another chance to prove their identity before falling back to a customer service call.

It looks good too! No matter what your workflow is, our brand editor makes it easy to match your brand. You can see live previews of changes as you make them to ensure your precise brand specs are reflected in all your login and registration flows. Those same brand configurations also apply to identity verification workflows— no extra effort required.

Multi-layered identity verification

Now that you have a sense for what identity verification is all about and how we approach it, let’s dive into the bits and bytes we offer. Keep in mind that the specific techniques (and the sequence) will depend entirely on the risks you want to mitigate.

Bot protection

Step 0 is making sure that the person on the other end of the keyboard is, in fact, a person – and not a bot. There are a few ways we do that (and they don’t require Captcha clicks on stoplights and crosswalks).

First, we block known bots before they even hit your registration page. Our bot feed database tracks IP addresses that are associated with fraudulent bot activity and shows them the hand. It's kind of like having your own personal Yoshimi fighting evil robots for you.

We can also block anonymous proxies and Tor exit nodes to add a layer of protection from bad actors who are trying to cover their tracks.

Consent

Capturing consents are key to any identity verification process since you’re sharing your customers’ data with a third party. Our built-in consent management system lets you define and track consent acceptance (including consent receipts) for each account.

SIM swap

Determined attackers will often try to switch a victim’s phone number to pair it with their own device and then receive SMS texts so they can foil two-factor authentication. These SIM (subscriber identity module) swap attacks are usually carried out by researching a customer’s personal information via social engineering and then convincing a carrier’s customer support to switch the SIM to the malicious device.

By matching the phone numbers your customers provide against our phone threat feed, our identity verification capability weeds out numbers whose SIM association has recently been changed so you can foil SIM swap attacks.

Risky phone numbers

Another favorite tactic of scammers is to use non-fixed VoIP numbers that they can easily change. We let you filter out these types of risky phone numbers that aren’t associated with a fixed street address, which greatly reduces phone fraud during the verification process.

Phone record matching

If you want to step things up a level our passive phone record verification techniques take customer-provided info and match it against the phone carrier database. This is a friction-free way to increase assurance that the person presenting the data is who they claim to be. The customer only needs to provide their name, phone number, address, and consent. Since you’re likely already asking for this info, phone matching can be a user-friendly way to make sure your customer is, in fact, a customer.

Knowledge-based verification

When passive techniques fail (or you need a higher level of assurance), knowledge-based questions can provide an additional layer of trust. These questions sourced from credit bureaus, ask users for info based on their credit history. and can provide a higher level of assurance that a person is who they say they are.

Document-based verification

The highest level of assurance that we offer – sometimes called identity proofing – is document-based verification. It asks the customer to scan a government ID and prove they are the person presenting the document by taking a selfie of their face with their smartphone. We also do various levels of fraud checks to ensure the document is real, and the document is indeed the person who is presenting it.

BYO data provider

Already using a vendor for identity affirmation? No problem! Strivacity’s orchestration capabilities make it easy to layer in other providers (or your own in-house data sources). Our lifecycle event hooks, hosted on the Strivacity platform, eliminate the need for you to host and manage those integrations elsewhere.

What happens when things go off script?

When customers run into dead ends and can’t finish the verification process they usually track down the phone number for a human on your customer support team. Strivacity offers your support representatives a portal to quickly get the info they need so they can provide outstanding customer support – including looking up a registration attempt, diagnosing where the customer abandoned or failed the verification flow and manually verifying a customer’s identity and resolving their issue. All of these features are accessible via our admin API, so you can integrate it with your customer support solution if needed.

Remarkable customer journeys are forgettable

Nobody can make identity verification perfect. That said, we’ve put a lot of care and thought into our verification workflows to ensure your actual customers can log in easily (and the bots and fraudsters do not pass go or collect $200). That translates into a much lower burden on your customer support team and increased (real) user growth.

So, now that you know a bit more about what can (and does) go on behind the scenes, take note the next time you have to prove who you are online. Maybe it’s during tax season, or perhaps the next time you open a financial account from your phone or laptop.

Think about the experience. How do they know you are who you say you are? Did it feel invasive, or welcoming? Was it a pain or did everything go off smoothly? What could have been better? These are the questions we ask every day when building customer’s journeys for our clients.

And we’re trying really hard to make them as forgettable as possible – for you and your customers.