After proving a customer is who they say they are during the sign up process, now you need to authenticate them when they log back in.
Customers nowadays expect a frictionless and convenient digital experience. But how do you know who your legitimate users are? The only way to build digital identity trust is to fully authenticate the user.
Login to authenticate
Identity verification is establishing who a customer is. They provide an email address and are asked to verify if it is correct by clicking a link in an email. Or by scanning a passport and uploading it to the site. That means you know something about them.
Authentication does not prove who a customer is, it is just proving that the same person is using the same sign up as earlier. Once an identity is verified, for example the user will be issued with an authentication token during the onboarding process, such as a password or a two-factor mechanism, all a customer has to do is provide the same email/password and that is proof that this is the same person that signed up previously.
However, there is confusion over the many passwords and usernames used on a daily basis and it can negatively impact the digital experience for customers. When a user wishes to log in to their account, they may have to go through another long process of passwords. They have to use tokens and codes sent by SMS which causes delays and increases friction. But you need to authenticate the user in order to customise the pages for the user.
Services that have a lot of customer data need to strike a balance between security and low friction to ensure high engagement from customers.
Regulations for extra digital identity protection
The revised Payment Services Directive (PSD2), which aims to better protect consumers when they pay online and they make cross-border European payment services safer, has new authentication rules. The Strong Customer Authentication (SCA) is a new European regulatory requirement in PSD2 to reduce fraud and make online payments more secure. To meet SCA requirements, you need to build additional authentication into your process.
SCA requires authentication to use at least two of the following three elements:
- Something the customer KNOWS, such as a password or pin
- Something the customer HAS, such as a phone or token
- Something the customer IS, such as a fingerprint or face recognition
A second factor is now needed to verify that a customer is who they claim to be. Under this regulation, a username and password is not secure enough. Another factor is required which can prolong the login process.
Authenticating the digital customer journey
Intelligent authentication requires you to collect data about individual customers throughout the entire digital customer journey.
The customer journey includes:
1.Knowing the user
This means bringing the person online and making sure they are who they say they are by using an email and password or scanned documents. An eID makes this step much easier. It is the information provided in this stage which allows you to authenticate the customer when they come back.
2.Validate the user
The second step is to validate the user to check if they are trustworthy. Under the Anti-Money Laundering (AML) regulations, you have to check if a customer is involved in terrorist or criminal funding and continually monitor this. Only then can you continue on to authenticate the user and do business with them
3.Authenticate the user
Make sure the customer is the same person that signed up in the first place with two-factor authentication. This needs to be frictionless and convenient for the customer as it will determine whether they continue to use the site.
4.Commit the user
If the authentication process is seamless, the customer commits to the business and makes a purchase or agreement.
As levels of authentication go up, the user experience may decrease. But if signed up with a trusted digital identity verification provider, all digital identity methods including authentication are done seamlessly. This makes the customer’s experience much better.