One vendor. One contract. All the data.
A single platform to increase digital trust and mitigate fraud across all of your identities
A robust risk engine and MFA service to help build a zero trust policy for your existing authentication process
Clean up identity data and flag potential fraudulent accounts
Imagine logging into your online banking app only to find a long trail of unauthorized transactions that have drained your checking account. Or consider a healthcare provider inadvertently releasing sensitive medical records to the wrong person. With how much information is digitized today, these scenarios are increasingly likely, underscoring the importance of verifying identities online.
It’s within this context that reverification becomes important. There was a time when one-time verification could cut it—now, it’s vital to make sure the person accessing services remains the legitimate account holder throughout their relationship with an enterprise. To protect against fraud, meet regulatory requirements, and maintain trust, organizations must continuously be vigilant against account takeovers.
In this guide, we’ll cover everything you need to know about reverification, when it is employed, best practices, and how it helps solve the latest challenges in identity access management.
Reverification is the process of re-confirming the identity of a previously verified user. It’s a safeguard that ensures the person interacting with a system today is the same person that was initially authenticated.
Over time, this keeps logins and transactions secure, preventing bad actors from compromising accounts without being noticed. Verification and reverification have distinct purposes in the identity management lifecycle.
Verification: Is the initial step where an organization confirms a user’s identity when they first sign up for a service. It involves collecting personally identifiable information and ensuring its authenticity. Examples include government documents like passports and driver’s licenses, cell phone ownership, or biometric data like fingerprints or facial recognition.
Reverification: Is the process of periodically confirming a user’s identity remains consistent and that their account hasn’t been compromised. Reverification can be trigged by specific events, changes in user behavior, or simply as part of regular security protocols.
When you first create an account with an online retailer, you might be asked to verify your email address and provide payment information. That’s verification. Later, if you suddenly start making high-value purchases or log in from a different country, the retailer might request additional information to confirm your identity—that’s reverification.
Reverification should be strategically implemented to balance security needs with user convenience. Here are examples of key moments where reverification is essential:
Password Changes: Before allowing a password reset, verifying the user’s identity ensures that an unauthorized person isn’t hijacking the account.
Contact Information Updates: Changing email addresses or phone numbers can affect communication and security protocols like two-factor authentication. Reverification prevents malicious actors from redirecting communications.
Adding New Payment Methods: Confirming the addition of new credit cards or bank accounts helps prevent fraudulent purchases.
For example, if a customer updates their shipping address to a location in a high-fraud area, the system might require additional verification to ensure the change is legitimate.
Identification documents like driver’s licenses and passports have expiration dates, and passing through outdated IDs is a real security risk. When a user continues to rely on an expired ID, it can lead to compliance issues and open the door for potential fraud. For example, an expired ID might not reflect recent changes such as a new address or a name change after marriage, which could be exploited by someone attempting identity theft.
To keep everything above board, it’s important to prompt users to submit updated government-issued identification when their current documents are near expiration. This ensures that all records are current and valid, maintaining the integrity of your verification processes.
Moreover, for services that offer benefits based on eligibility—like student discounts or senior citizen perks—requiring annual proof of enrollment prevents misuse and ensures resources are allocated to the right beneficiaries.
Large Transactions: When a customer is attempting to transfer a substantial sum of money or make a high-value purchase online, it raises the stakes significantly. Such significant transactions can be red flags for potential financial fraud or money laundering activities. Fraudsters may try to make large withdrawals or purchases to maximize their gain before the unauthorized activity is detected.
Implementing reverification in these scenarios acts as a critical checkpoint. For instance, the system might prompt the user to enter a one-time password (OTP) sent to their registered mobile device or email. Alternatively, biometric verification methods like fingerprint scanning or facial recognition could be employed to confirm the user’s identity. These additional layers of security help ensure that the person authorizing the transaction is indeed the legitimate account holder and not someone who has gained unauthorized access.
Accessing Sensitive Data: Similarly, sensitive data is a prime target for cybercriminals, who can misuse this information for identity theft, ransom, or to sell on the dark web. Reverification can be prompted when a user attempts to access confidential information such as detailed financial statements, personal identification details, or medical records.
A healthcare portal, for example might require patients to answer security questions or use two-factor authentication before they can view their medical history. This not only complies with privacy regulations like HIPAA but also reassures users that their sensitive information is well-guarded.
Unusual Account Activity: Activities that deviate from a user’s normal patterns can also be indicative of fraudulent behavior. Suppose a customer’s account, which typically sees minimal activity, suddenly initiates multiple international wire transfers or starts making high-value purchases in quick succession. This abrupt change could suggest that someone else has gained access to the account.
In such cases, a system might automatically flag the activity and initiate reverification protocols. The user could receive an alert notifying them of the unusual activity and be prompted to verify their identity before any further transactions are allowed. This pause not only helps prevent potential fraud but also allows the legitimate user to confirm or deny the activity.
Once a company’s security is breached, the risk of unauthorized access to user accounts skyrockets. In the unfortunate event of a data breach, reverification is an important tool for restoring trust.
After a breach, one of the first steps should be confirming the identities of all affected users. This process prevents unauthorized individuals from exploiting compromised credentials to access accounts fraudulently.
Another essential action is prompting users to reset their passwords and update security questions. Since passwords may have been compromised during the breach, changing them reduces the risk of further unauthorized access. Encouraging users to create strong, unique passwords and avoid reusing them across multiple sites enhances overall security.
Selecting the appropriate reverification method depends on the context, risk level, and user expectations.
Reassessing submitted documents ensures that the information on file is current, accurate, and still valid. Common documents include:
This can involve confirming possession of a device that the legitimate user owns or asking questions that only the legitimate user would know.
Ongoing assessment without direct user input enhances security while minimizing friction.
Implementing reverification is not without hurdles. Generally, the most significant challenge is balancing the need for enhanced security with the desire to provide a smooth, hassle-free experience for users.
Additional verification steps can feel like friction. If the reverification process is too cumbersome, users might abandon their transactions or even switch to competitors offering a more streamlined experience.
Since requiring full reverification for every minor transaction would more likely than not irritate users, it’s important to apply it contextually. An effective reverification flow reserves extra security steps for high-risk situations such as account recovery or large transactions.
Scalability is another concern. As the user base grows, systems must be capable of handling increased verification demands without performance degradation. Implementing advanced verification systems often requires significant upfront investment in technology. There are also ongoing operational costs to consider, such as system maintenance, updates, and staffing for security teams. For many organizations, the cost to build a scalable #verification tool is prohibitive, given the technical challenge of building an identity orchestration engine and contracting the attribute data needed to verify identities accurately.
To implement reverification successfully, businesses should adopt strategies that enhance security while maintaining a positive user experience. Here are some best practices to consider:
Tailoring verification efforts based on the level of risk associated with user actions is an effective way to balance security and usability. This approach, known as risk-based authentication, involves adjusting the intensity of verification depending on the transaction’s risk profile.
For example, a small purchase from a familiar device might require minimal verification, such as entering a password. In contrast, a large transaction from a new location would trigger more rigorous checks, like multi-factor authentication or additional security questions.
Providing clear, step-by-step instructions makes the reverification process smoother and less frustrating. Additionally, offering support through customer service channels can assist users who may have questions or encounter difficulties. Including a brief message like, “For your security, we need to verify your identity before proceeding,” can help users feel more comfortable and cooperative during the verification process.
Educating users also empowers them to participate actively in their own security. You can inform users about common threats like phishing to increase their vigilance, and include messages in your portals that encourage best practices like creating strong passwords and enrolling in multi-factor authentication.
Sharing fraud prevention tips and advice on recognizing and reporting suspicious activity helps protect both the user and the business. Regular newsletters, in-app messages, or educational resources are all effective channels for user education.
Leveraging external expertise can enhance security measures without the need to develop solutions in-house. Third-party providers offer specialized verification technologies and services that can be integrated seamlessly with existing systems, minimizing disruptions.
By partnering with a trusted identity verification service, businesses can access advanced tools and insights that might be costly or time-consuming to develop internally. For example, a financial institution might collaborate with a leading identity verification provider to enhance its KYC compliance and strengthen its overall security posture. This approach allows businesses to benefit from cutting-edge technologies and expertise without diverting resources from their core operations.