Imagine logging into your online banking app only to find a long trail of unauthorized transactions that have drained your checking account. Or consider a healthcare provider inadvertently releasing sensitive medical records to the wrong person. With how much information is digitized today, these scenarios are increasingly likely, underscoring the importance of verifying identities online.
It’s within this context that reverification becomes important. There was a time when one-time verification could cut it—now, it’s vital to make sure the person accessing services remains the legitimate account holder throughout their relationship with an enterprise. To protect against fraud, meet regulatory requirements, and maintain trust, organizations must continuously be vigilant against account takeovers.
In this guide, we’ll cover everything you need to know about reverification, when it is employed, best practices, and how it helps solve the latest challenges in identity access management.
What is Reverification?
Reverification is the process of re-confirming the identity of a previously verified user. It’s a safeguard that ensures the person interacting with a system today is the same person that was initially authenticated.
Over time, this keeps logins and transactions secure, preventing bad actors from compromising accounts without being noticed. Verification and reverification have distinct purposes in the identity management lifecycle.
Verification: Is the initial step where an organization confirms a user’s identity when they first sign up for a service. It involves collecting personally identifiable information and ensuring its authenticity. Examples include government documents like passports and driver’s licenses, cell phone ownership, or biometric data like fingerprints or facial recognition.
Reverification: Is the process of periodically confirming a user’s identity remains consistent and that their account hasn’t been compromised. Reverification can be trigged by specific events, changes in user behavior, or simply as part of regular security protocols.
When you first create an account with an online retailer, you might be asked to verify your email address and provide payment information. That’s verification. Later, if you suddenly start making high-value purchases or log in from a different country, the retailer might request additional information to confirm your identity—that’s reverification.
When to Reverify
Reverification should be strategically implemented to balance security needs with user convenience. Here are examples of key moments where reverification is essential:
Changes in Key Account Information
Password Changes: Before allowing a password reset, verifying the user’s identity ensures that an unauthorized person isn’t hijacking the account.
Contact Information Updates: Changing email addresses or phone numbers can affect communication and security protocols like two-factor authentication. Reverification prevents malicious actors from redirecting communications.
Adding New Payment Methods: Confirming the addition of new credit cards or bank accounts helps prevent fraudulent purchases.
For example, if a customer updates their shipping address to a location in a high-fraud area, the system might require additional verification to ensure the change is legitimate.
Document Expiry
Identification documents like driver’s licenses and passports have expiration dates, and passing through outdated IDs is a real security risk. When a user continues to rely on an expired ID, it can lead to compliance issues and open the door for potential fraud. For example, an expired ID might not reflect recent changes such as a new address or a name change after marriage, which could be exploited by someone attempting identity theft.
To keep everything above board, it’s important to prompt users to submit updated government-issued identification when their current documents are near expiration. This ensures that all records are current and valid, maintaining the integrity of your verification processes.
Moreover, for services that offer benefits based on eligibility—like student discounts or senior citizen perks—requiring annual proof of enrollment prevents misuse and ensures resources are allocated to the right beneficiaries.
High-Risk Actions
Large Transactions: When a customer is attempting to transfer a substantial sum of money or make a high-value purchase online, it raises the stakes significantly. Such significant transactions can be red flags for potential financial fraud or money laundering activities. Fraudsters may try to make large withdrawals or purchases to maximize their gain before the unauthorized activity is detected.
Implementing reverification in these scenarios acts as a critical checkpoint. For instance, the system might prompt the user to enter a one-time password (OTP) sent to their registered mobile device or email. Alternatively, biometric verification methods like fingerprint scanning or facial recognition could be employed to confirm the user’s identity. These additional layers of security help ensure that the person authorizing the transaction is indeed the legitimate account holder and not someone who has gained unauthorized access.
Accessing Sensitive Data: Similarly, sensitive data is a prime target for cybercriminals, who can misuse this information for identity theft, ransom, or to sell on the dark web. Reverification can be prompted when a user attempts to access confidential information such as detailed financial statements, personal identification details, or medical records.
A healthcare portal, for example might require patients to answer security questions or use two-factor authentication before they can view their medical history. This not only complies with privacy regulations like HIPAA but also reassures users that their sensitive information is well-guarded.
Unusual Account Activity: Activities that deviate from a user’s normal patterns can also be indicative of fraudulent behavior. Suppose a customer’s account, which typically sees minimal activity, suddenly initiates multiple international wire transfers or starts making high-value purchases in quick succession. This abrupt change could suggest that someone else has gained access to the account.
In such cases, a system might automatically flag the activity and initiate reverification protocols. The user could receive an alert notifying them of the unusual activity and be prompted to verify their identity before any further transactions are allowed. This pause not only helps prevent potential fraud but also allows the legitimate user to confirm or deny the activity.
Following Data Breaches or Security Incidents
Once a company’s security is breached, the risk of unauthorized access to user accounts skyrockets. In the unfortunate event of a data breach, reverification is an important tool for restoring trust.
After a breach, one of the first steps should be confirming the identities of all affected users. This process prevents unauthorized individuals from exploiting compromised credentials to access accounts fraudulently.
Another essential action is prompting users to reset their passwords and update security questions. Since passwords may have been compromised during the breach, changing them reduces the risk of further unauthorized access. Encouraging users to create strong, unique passwords and avoid reusing them across multiple sites enhances overall security.
Types of Reverification
Selecting the appropriate reverification method depends on the context, risk level, and user expectations.
Document Reverification
Reassessing submitted documents ensures that the information on file is current, accurate, and still valid. Common documents include:
- Proof of Address: Requesting recent utility bills or bank statements confirms that the user still resides at the registered address.
- Proof of Income or Employment: Updated payslips or employment letters may be necessary for services like loans or credit extensions.
- Business Documents: For corporate accounts, verifying ownership or operational status ensures compliance with regulations.
Government ID Reverification
- Driver’s Licenses and Passports: Ensuring these documents are valid and capturing any changes in personal information, such as name changes due to marriage.
- National ID Cards: Verifying the authenticity and current status of national identification helps prevent identity fraud.
- Digital IDs: Incorporating digital identification methods can streamline the reverification process and enhance security.
Biometric Reverification
- Selfie Verification: Comparing a live selfie to the stored profile picture to confirm the user’s identity
- Fingerprint Scanning: Common on smartphones, this method ensures that only the registered user can unlock the device or app. I.e. a banking app might require a fingerprint scan before allowing transfers over a certain amount.
- Voice Recognition: Authenticating users through voice patterns adds convenience for services accessed via phone calls.
Device and Knowledge-Based Authentication (KBA)
This can involve confirming possession of a device that the legitimate user owns or asking questions that only the legitimate user would know.
- Personal Questions: Queries about personal history, like the name of the user’s first school, can verify identity.
- One-Time Passwords (OTPs): Sending a code via SMS or email for immediate verification is a widely used method.
Passive Monitoring and Behavioral Analytics
Ongoing assessment without direct user input enhances security while minimizing friction.
- Behavioral Screening: Analyzing browser behavior, detecting bots, or environmental signals around a device for fraud indictors
- Transaction Monitoring: Flagging unusual spending or access patterns for further review by security teams.
- Device Fingerprinting: Recognizing devices associated with a user and spoofed devices to prevent unauthorized access
Challenges in Reverification
Implementing reverification is not without hurdles. Generally, the most significant challenge is balancing the need for enhanced security with the desire to provide a smooth, hassle-free experience for users.
Additional verification steps can feel like friction. If the reverification process is too cumbersome, users might abandon their transactions or even switch to competitors offering a more streamlined experience.
Since requiring full reverification for every minor transaction would more likely than not irritate users, it’s important to apply it contextually. An effective reverification flow reserves extra security steps for high-risk situations such as account recovery or large transactions.
Scalability is another concern. As the user base grows, systems must be capable of handling increased verification demands without performance degradation. Implementing advanced verification systems often requires significant upfront investment in technology. There are also ongoing operational costs to consider, such as system maintenance, updates, and staffing for security teams. For many organizations, the cost to build a scalable #verification tool is prohibitive, given the technical challenge of building an identity orchestration engine and contracting the attribute data needed to verify identities accurately.
Best Practices for Effective Reverification
To implement reverification successfully, businesses should adopt strategies that enhance security while maintaining a positive user experience. Here are some best practices to consider:
Risk-Based Authentication
Tailoring verification efforts based on the level of risk associated with user actions is an effective way to balance security and usability. This approach, known as risk-based authentication, involves adjusting the intensity of verification depending on the transaction’s risk profile.
For example, a small purchase from a familiar device might require minimal verification, such as entering a password. In contrast, a large transaction from a new location would trigger more rigorous checks, like multi-factor authentication or additional security questions.
Clear Communication with Users
Providing clear, step-by-step instructions makes the reverification process smoother and less frustrating. Additionally, offering support through customer service channels can assist users who may have questions or encounter difficulties. Including a brief message like, “For your security, we need to verify your identity before proceeding,” can help users feel more comfortable and cooperative during the verification process.
Educating users also empowers them to participate actively in their own security. You can inform users about common threats like phishing to increase their vigilance, and include messages in your portals that encourage best practices like creating strong passwords and enrolling in multi-factor authentication.
Sharing fraud prevention tips and advice on recognizing and reporting suspicious activity helps protect both the user and the business. Regular newsletters, in-app messages, or educational resources are all effective channels for user education.
Partnering with Trusted Verification Services
Leveraging external expertise can enhance security measures without the need to develop solutions in-house. Third-party providers offer specialized verification technologies and services that can be integrated seamlessly with existing systems, minimizing disruptions.
By partnering with a trusted identity verification service, businesses can access advanced tools and insights that might be costly or time-consuming to develop internally. For example, a financial institution might collaborate with a leading identity verification provider to enhance its KYC compliance and strengthen its overall security posture. This approach allows businesses to benefit from cutting-edge technologies and expertise without diverting resources from their core operations.