The Evolution of User Authentication: Combining MFA and ID Verification for Enhanced Security & Experience
In today's digital age, data security and account protection is of utmost importance. As cyber attacks become more sophisticated, it's important to ensure that sensitive information is protected by robust security measures. Today’s leading options are multi-factor authentication (MFA) and ID Verification (IDV). MFA validates devices, where IDV verifies people.
MFA is an authentication method that requires users to provide two or more verification factors before granting access to an account or system. Its key benefit is increased security, often tied to a mobile device, to provide an additional factor of assurance beyond a traditional password. However, the growth of MFA has highlighted several limitations:
- User frustration: MFA can often be inconvenient for users, requiring additional steps to authenticate online. Less secure methods of MFA such as SMS codes alleviate some friction, but can be vulnerable to attacks such as SIM swapping.
- Onboarding and Provisioning: MFA can be difficult to implement, and introduces risk to ensure the right device is being configured for use. Many organizations have reverted to expensive video calls or in-person meetings to do identity verification and ensure the right person is setting up a device.
- Human Error and Lockouts: MFA can also be vulnerable to human error, such as when users misplace their hardware tokens, change devices, or forget their login credentials.
Passwordless multi-factor authentication (MFA) is an authentication method that does not rely on traditional passwords. Instead, it uses alternative methods to verify a user's identity, such as biometrics, security tokens, or one-time codes sent via email or text message. The assumption is that eliminating a password enhances security on its own and that MFA is then sufficient to provide assurance. This method is meant to enhance convenience, not necessarily to enhance the security desired by adding factors like traditional MFA. Passworless MFA adheres to a less is more philosophy of security.
An organization called FIDO has recently improved its standard for passwordless MFA approaches known as PassKeys. However, there is a fundamental misconception that this approach eliminates passwords entirely, when in fact it still requires passwords for unique devices or operating systems, so entering passwords is simply required less often. For example, if a user enables PassKeys on their Apple environment and then moves to login on a Windows computer, they will still need a password. The limitations of traditional MFA remain, including lockouts, provisioning risk and user frustration across device types.
ID verification is a popular method used by businesses to authenticate users and prevent fraud in online transactions. It involves comparing a user's personal information against a trusted source, such as a government-issued ID, to verify their identity. This method provides enhanced security benefits on top of traditional multi-factor authentication and often helps companies reduce their risk and improve compliance.
However, there are some drawbacks to using traditional ID verification. Asking a user to go through an IDV flow one time does not provide high-fidelity assurance that account credentials have not been compromised. Additionally, ID verification can be time-consuming and cumbersome for users if it needs to be done repeatedly, leading to a poor user experience and potential drop-offs.
There are also privacy concerns associated with ID verification. The method requires the collection and sharing of personal information, which can raise privacy concerns for users and increase the burden of data storage for companies. Lastly, ID verification can be costly for businesses if it is priced per transaction and there is an ongoing need to re-verify a user.
Innovation has emerged to address the challenges of traditional ID verification, using a modern approach in the form of app-based IDV. This approach combines the benefits of passwordless MFA and IDV into a streamlined and secure experience. App-based IDV vendors utilize the advanced cameras and security features built into mobile phones, providing a faster and higher-fidelity method of capture. However, most companies don't want their users to encounter the friction of downloading a separate mobile app. Fortunately, recent advances from Apple and Android, such as "App Clips" and "Instant Apps," respectively, provide the same security features of a full app, but without the added friction of visiting an app store to download a full mobile app.
In conclusion, both multi-factor authentication and ID verification provide benefits and challenges for user authentication and fraud prevention. While MFA is more focused on validating devices, IDV verifies people. However, modern mobile technology has enabled a new category that combines MFA and IDV to protect user accounts and systems from unauthorized access. App-based IDV offers a modern and efficient solution to traditional ID verification challenges, making it an attractive option for businesses looking to enhance security while maintaining a seamless user experience. As cyber threats continue to evolve, it's crucial to implement robust security measures to protect sensitive information, and a hybrid approach like app-based IDV can help achieve this goal.