NOT LICENSED FOR DISTRIBUTION Top Trends Shaping Identity Verification (IDV) In 2018 Post-Equifax Breach, IDV Aggregators Will Cater To Multifaceted IDV Requirements by Andras Cser and Merritt Maxim March 29, 2018 Why Read This Report Key Takeaways In the face of increasing identity theft, stricter IDV Based On Credit Header Data Will Become compliance regulations, and the push for online Weaker — Get Ready To Fight Back customer acquisition, reliable, accurate, cost- After the 2017 Equifax breach, we entered a new effective, and easy-to-use identity verification era in which credit header data for IDV solutions (IDV) is becoming a core building block of any and knowledge-based authentication (KBA) customer or employee identity and access are inadequate for reliable identity verification. management (IAM) system. This document Firms will have to adopt new lower cost and less highlights the key trends shaping the IDV market intrusive IDV technologies, such as those based in 2018 and beyond and helps security and risk on device reputation or phone number. pros adapt their strategies, vendor selection, and Social And Behavioral IDV Will Lower Costs implementation. And Improve Accuracy Social IDV, based on comparing identity attributes to profiles on social media, and behavioral biometrics, verifying identities based on how a user moves the mouse or touches the screen, will lower the cost and improve the accuracy of day- to-day IDV across all verticals. FORRESTER.COM FOR SECURITY & RISK PROFESSIONALS Top Trends Shaping Identity Verification (IDV) In 2018 Post-Equifax Breach, IDV Aggregators Will Cater To Multifaceted IDV Requirements by Andras Cser and Merritt Maxim with Stephanie Balaouras, Madeline Cyr, and Peggy Dostie March 29, 2018 Table Of Contents Related Research Documents 2 Without Reliable IDV, Trust Erodes And The Forrester Wave™: Customer Identity and Everyone Suffers Access Management, Q2 2017 2 Evolving Your IDV Strategy In 2018 Now Tech: Identity Verification, Q1 2018 10 Supplemental Material The Strategic Role Of Identity Resolution Vendor Landscape: Identity Verification Solutions Share reports with colleagues. Enhance your membership with Research Share. Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA +1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com © 2018 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378 FOR SECURITY & RISK PROFESSIONALS March 29, 2018 Top Trends Shaping Identity Verification (IDV) In 2018 Post-Equifax Breach, IDV Aggregators Will Cater To Multifaceted IDV Requirements Without Reliable IDV, Trust Erodes And Everyone Suffers In 2015, cybercriminals gained access to the tax returns of approximately 104,000 individuals via the US Internal Revenue Service’s Get Transcript application.1 With in-depth knowledge of compromised consumer identities, the attackers created Get Transcript accounts for various taxpayers and successfully completed the identity verification process. This breach shined a spotlight on the importance of IDV and the consequences of poor IDV. Subsequent IDV failures, which have facilitated terrorist attacks, cybercrime, and terrorism, have served to further undermine trust in traditional methods while the global movement of goods, services, labor, and people have also shown these methods to be ineffective and unreliable for today’s businesses.2 S&R pros will need to evolve their IDV strategies sooner rather than later because: › The Equifax breach has accelerated the erosion of trust. With the recent Equifax breach, it’s safe to assume that fraudsters can gain easy access to a US-based victim’s actual name, address, date of birth (DOB), and Social Security number, thereby creating a “perfect identity” to steal.3 As a result, people are worried that their personally identifiable information (PII) is publicly available and are now more reluctant to provide it for IDV purposes. The loss of trust is actually bidirectional: 1) Firms trust their customers less when customers sign up for digital services, and 2) customers trust their service providers and vendors less with safeguarding their PII. › Tougher compliance laws will strive to regain some of it. Compliance mandates are getting more numerous and complex: Firms find it increasingly difficult to comply with PSD2, GDPR, 5AMLD, and other regulations without additional IDV investment. IDV is important for these compliance mandates because financial services institutions prefer to keep money launderers and fraudsters outside of their gates. Privacy and regulatory requirements also mandate disclosing the PII attributes a financial services institution maintains on a consumer — but have to authenticate the consumer before disclosing the information. Evolving Your IDV Strategy In 2018 It’s time to overhaul your existing, less secure, and less reliable IDV processes. To do so, you’ll have to take into account and adapt to ongoing trends and shifts in technology, architectures, and the vendor landscape. Trend 1: IDV Consolidates Into A Hub-And-Mesh Ecosystem Today’s organizations typically use one or only a handful of IDV methods to verify their potential and existing customers — with the most trusted IDV methods being email address, name, phone number, address, and ZIP code (see Figure 1). As fraudsters get smarter and gain access to more identity information, this reduces the effectiveness of only one IDV method. © 2018 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 2 [email protected] or +1 866-367-7378 FOR SECURITY & RISK PROFESSIONALS March 29, 2018 Top Trends Shaping Identity Verification (IDV) In 2018 Post-Equifax Breach, IDV Aggregators Will Cater To Multifaceted IDV Requirements › What you need to know. Forrester’s interviewees indicate that no single source of information is sufficient to establish a 360-degree view of any given customer. However, connecting the dots between the offline and online data available on a customer and using behavioral modeling to discover normal behavior and proactively intercept abnormal behavior of people and entities gives rise to a new delivery method of IDV service, called the IDV hub (see Figure 2). All vendors — while they maintain their core flavor of IDV — are moving toward providing, buying, and reselling data for their own and into each other’s hubs. › What you should do about it. Inventory and then revise your existing IDV portfolio and find out if you have all your bases covered. After it failed to detect money laundering early enough, a North American bank expanded its existing IDV services based on credit header data to include Experian’s IDV services based on device ID reputation — resulting in a 15% higher identity theft detection rate. Further, Forrester expects consolidation in the market, and, to some degree, all specialist vendors will either: 1) offer IDV hub services or 2) be acquired by IDV hub vendors (see ThreatMetrix’s acquisition by RELX in January 2018).4 FIGURE 1 Most Trusted IDV Methods “Which of the following data does your organization collect for identity verification (IDV)?” Email address 60% Name 54% Phone number 49% Address 43% ZIP code 41% Connecting phone and online 32% systems within the organization Social Security number 31% Device ngerprint or 30% device reputation Base: 1,097 network security decision makers (20+ employees) Source: Forrester Data Global Business Technographics® Security Survey 2017 © 2018 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 3 [email protected] or +1 866-367-7378 FOR SECURITY & RISK PROFESSIONALS March 29, 2018 Top Trends Shaping Identity Verification (IDV) In 2018 Post-Equifax Breach, IDV Aggregators Will Cater To Multifaceted IDV Requirements FIGURE 2 The Emerging IDV Hub Ecosystem Credit headers Blockchain Device IDs transaction-based Identity Behavioral verification Email and biometrics hub age of customer (aggregator) Social media/ Physical document/ self-asserted facial recognition MNO information Trend 2: Banks Will Continue To Rely On IDV Based On Credit Header Data In spite of the Equifax breach and its fallout, the entire US financial institution (FI) community still relies on the credit header-based IDV system. And since two-thirds of the US economy is based on consumer spending, it’s highly unlikely that we will see any major change in the current stance and policy of how customers can use their PII and credit information to apply for more credit. › What you need to know. While we’d like to see a quick move away from credit header-based services (traditionally the bread and butter business of the credit bureaus Equifax, Experian, IDology, LexisNexis Risk Solutions, and TransUnion and their data resellers and OEM partners), these data sources are here to stay for the next three to five years. In fact, many players in the IDV ecosystem (e.g., ID Analytics, Neustar, etc.) will likely seek to OEM this data to embed it in their services. Beyond five years, as other IDV methods not based on credit header evolve, Forrester expects this method to decline. › What you should do about it. If your firm uses these services for initial customer onboarding,