The benefits of automated step-up verifications

Step-up verifications can help you supercharge and balance your fraud protection with increasingly high consumer expectations, maintaining the ability to onboard more good customers and conduct ongoing monitoring without disrupting the customer experience.

Step-up verifications reduce the risk of data breaches, identity theft, and other fraud incidents. In the simplest terms, they are used whenever there’s a need for extra security measures, especially during high-risk periods, like the recent Silicon Valley Bank shutdown, when fraudsters are more likely to attack. When automated step-up verifications are included in your workflow, they also have the ability to help you onboard customers at a faster rate, increase your chances of spotting suspicious activity at origination, and prevent account takeovers.

Stopping fraud at its source — while you provide a better customer experience — saves a ton of potential time, money, trouble, and resources, so let’s dive in and learn more about the numerous benefits.

What are step-up verifications?

Think of step-up verifications as the moat to your castle. If someone manages to get past your gates and guards, you still have your moat as your secondary line of defense against unwanted visitors. Step-up verifications add additional layers of protection against unauthorized account access and can be both preventative and reactive. For example, even if a fraudster managed to get their hands on a username and password, an additional authentication factor could prevent them from gaining access to the account. Likewise, if an account had multiple failed log-in attempts, an additional step-up verification could be required as a reaction to the suspicious activity.

Common step-up verifications include:

• Document verification to authenticate the validity of documents — such as ID cards, passports, or driver's licenses — and confirm an individual’s identity

• Knowledge-based authentication (KBA) questions like when a financial services provider asks for a mother's maiden name

• Two-factor authentication (2FA) such as when a customer is asked to submit a one-time code that was sent via text or email after they’ve entered their password

• Selfie ID verification, for example, when a customer is asked to submit a selfie so that it can be analyzed for liveness detection — an algorithm that determines whether the customer was actually present — and cross-checked against their photo ID

While both KBA questions and 2FA are pretty standard measures, widely used by banks and fintechs of all sizes, both methodologies have limitations.

How effective is knowledge-based authentication (KBA)?

KBA questions are problematic because, often, the personally identifiable information (PII) customers use in their answers can be found in a multitude of ways. This makes them susceptible to being guessed and bypassed. Even sophisticated KBA questions that ask for out-of-wallet information (i.e., information that can’t be obtained by stealing your wallet) can be just as vulnerable. How many times, for example, have you been asked for your father’s middle name or the name of your first pet? What about the first street you lived on? Rings a few bells, doesn’t it?

The crux of the problem is that KBA information is inherently findable. Full names and addresses are a matter of public record. Employment history, educational background, relationship status, and date of birth can usually be mined from social media profiles. What fraudsters can’t get from internet searches — like SSNs, credit card numbers, or payment information — they can obtain through data breaches or social engineering attempts. And while the accessibility of PII varies from individual to individual, the need for security beyond KBA is evident.

Is it possible to bypass two-factor authentication (2FA)?

In a word, yes. It is quite possible to bypass 2FA. The most common form of 2FA relies on verification codes provided via text, which is vulnerable to both SIM swapping attacks and phishing techniques. Attackers either intercept the verification codes or trick users into revealing their PII. 2FA also has a single point of failure; if a phone is lost, stolen, or experiencing a technical issue, your customer might get locked out of their account.

In addition to these vulnerabilities, a core issue of 2FA is that the methodology doesn’t allow you to spot complex patterns of atypical user behavior. It’s a stopgap that organizations use as part of a larger, broken fraud model that focuses on transactions instead of prioritizing customer identity. Successful fraud models require more stringent methods of multi-factor authentication (MFA).

What is multi-factor authentication (MFA)?

MFA provides a higher level of security that requires a combination of multiple, independent factors beyond 2FA to verify a user’s identity. Some additional MFA methodologies include:

• Device biometrics like fingerprint or facial recognition and IP geolocation

• Behavioral biometrics like keyboard dynamics and mouse movement that are unique to each user

• Device binding where authentication and access are restricted to that authorized device

• Behavior analytics like risk scoring, user profiling, and predictive modeling that identify unusual patterns in user behavior

Layering these different MFA methods into different points of your workflow provides a more robust defense against fraud attacks and reduces the risk of unauthorized access. And layering becomes much easier when you can automate step-up verifications by using an identity risk solution — an end-to-end system that provides configurable, flexible solutions to manage identity risk throughout the customer lifecycle.

Learn how Alloy’s codeless SDK can help you fight fraud

What are the advantages of automated step-up verifications?

Automating step-up verification through an identity risk solution offers quite a few advantages:

• Agility. You can customize your workflow to include intelligent triggers for additional step-up verifications instead of being locked in by legacy technology or a rigid organizational structure that prevents you from responding quickly to fraud attacks.

• Efficiency. Automation streamlines the process and reduces the need for manual reviews.

• Scalability. Automated systems can handle a larger volume of verifications simultaneously, making it easier for you to onboard more customers and consistently monitor those customers post-onboarding to quickly identify suspicious behavior and transactions.

• Stronger risk mitigation. When you leverage real-time monitoring and analysis, you’re better equipped to respond to suspicious activity.

• Better reporting. Automated systems can generate comprehensive reports of step-up verification events and create better audit trails, which are valuable for compliance purposes, security audits, and potential investigations.

• Greater ability to meet customer expectations. By implementing seamless and user-friendly authentication methods and streamlining the verification steps, you only need to apply step-up verifications on an as-needed basis. As a result, your good customers experience less friction and complete the authentication process more quickly and easily, and you maintain a good balance between their expectations and fraud prevention.

When automated step-up verifications can be integrated into workflows without disrupting your customers’ experience, it’s a win-win scenario for you both. They get better access to financial services, and you have a better chance of retaining their business.

How can automated step-up verifications help you onboard and retain more good customers?

When you have the ability to connect to and run new account applications with multiple data providers simultaneously, it means more good customers can be approved without additional friction. The data verification sources are so specific that you can:

• Check multiple facets of the applicant’s financial and digital footprint

• Ensure applicants are who they say they are

• Prevent them from going through a lengthy process of verification checks

• Gain a more accurate understanding of your customers’ behaviors and ongoing risk profiles throughout their entire lifecycle

The majority of those verification checks take place in the background of their user experience. And automated step-up verifications, particularly document or mobile-based verifications, help you take a risk-based approach to identity, better recognize good customer behavior, and provide those customers with an easier onboarding process and digital banking experience.

With an identity risk solution, it’s easier to incorporate these step-up verifications into your workflow and seamlessly switch between different data vendors or automatically waterfall to a different verification method as needed to reduce the possibility of drop-off. This not only keeps the bad customers out, it allows you to let the good ones in at a faster rate.

Don’t forget, manual review still has its time and a place

Not all cases should be handled via automation. One of the overall goals of automating step-up verifications is to cut back on the number of manual reviews and the time and resources they cost. However, manual reviews should never fully go away. They remain a necessary part of the step-up process because human judgment and intervention are essential for handling complex or exceptional situations.

On a basic level, a user might type in their credentials wrong one too many times and have their access blocked because it gets flagged for a manual review. While this scenario could be a completely innocent mistake, it could also be a fraudster attempting to hack the account. You can automate your workflow to include a step-up verification like additional document verification or a selfie ID test if the account holds, say, only $3,000. But what if it’s $3 million? In that instance, you could institute a manual callback authentication process where your team has the user confirm their identity through a pre-registered phone number.

Ultimately, automation and manual review should both complement one another and be viewed as important components of the step-up verification process.