Why Phone Numbers Are the Best Path to Provable Possession
What’s the one thing you almost always have with you? Probably your cell phone. That’s one of the reasons why phone numbers are powerful and trustworthy credentials for confirming identity. While no system of identity verification (IDV) is perfect, you might be surprised to learn that your phone number may be the most secure — and convenient — option.
Let’s look at some of the challenges inherent in various forms of IDV and how, when it comes to phone numbers, Cognito gives businesses a quick and secure path to identity authentication.
Documentary verification is outdated
Documentary verification is the traditional type of IDV — and like all old methods, it adds friction for users and can deter them from finishing the sign-up process. Typically, customers are asked to present their government-issue ID, such as a driver’s license or passport.
While this can be done remotely, it requires customers to not only upload documents, but they often have to take a selfie with the paperwork to prove that it’s not a forgery. Considering the amount of glitches that can occur in a documentary verification — from overexposure to blurriness to simple document deterioration — businesses stand to benefit from leaving paperwork in the past.
Knowledge-Based Authentication has a questionable legacy
Have you been stopped by security questions when paying your phone bill or signing in to online banking? This is called Knowledge-Based Authentication (KBA), and there are two types:
- Static, where you’ve selected your own security questions and provided the answers
- Dynamic, where questions and answers are drawn from legally obtainable documentation such as credit reports, direct marketing databases, and customer surveys
Unfortunately, your static KBA questions and answers — as well as the information that dynamic KBA is derived from — are stored on databases that can easily be hacked. In fact, there are darknet markets where fraudsters can buy datasets filled with this information at minimal cost.
Not to mention, your static KBA answers can often be uncovered through a Google or social media search. Simply put, this is a surprisingly weak source of authentication.
Biometrics aren’t bulletproof
Conventional wisdom might hold that biometric verification is best: common methods include fingerprints, facial recognition, voice recognition, retina scans, or iris scans. The big selling point is that these factors are unique — but that’s also their biggest weakness.
Biometric data can’t simply be changed like a PIN or password if it’s stolen or replicated. And did you know your biometric identifiers can deteriorate due to physical alterations or injury?
Beyond that, biometric readers can be tricked. There’s no telling how far modern hackers will go, but in theory, anyone following you around could get their hands on your identity because no other authentication factor is physically visible and photographable in the same way.
You leave your fingerprints everywhere you go. They can be lifted from a glass or a door handle, and researchers have been able to generate fake fingerprints, building an identity-hacking “master key” with a success rate of one in five.
Biometric systems are also in an arms race against hackers, as synthetic videos and media — known as deepfakes — create more convincing simulations of faces and voices. Even iris scanners have been fooled by covering a detailed picture of an eye with a wet contact lens. The bottom line is that even if biometric data seems more secure than other factors, it can still be replicated and stolen by nefarious parties.
The power of the phone number
In the past, phone numbers have been problematic for identity verification because they can change or be stolen in data breaches. But when used properly, they can prove more secure than other IDV methods.
Phone numbers can be used to unlock a wealth of data from official, regulated sources. Connecting the dots of this data, the Cognito API forms a complex user profile for your customers, while remaining compliant with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations.
With these additional layers of assurance taking place behind the scenes in real time, Cognito helps businesses reduce fraud, actively flagging suspicious activity. By implementing a one-time passcode to authenticate a device, companies can use the Cognito IDV product to confirm users are who they say they are — and are in possession of their phones at the time of sign-up.
When you only have one data source to rely on, there are serious risks to your identity verification capabilities — but by connecting a variety of regulated, authorized sources of information, a phone number is your best bet for secure, frictionless, and real-time IDV.
Protect your business with the only identity verification service that starts with just a phone number. To learn more, get in touch — we’re here to answer your questions.