Who are you?

woman looking at tablet

Identity authentication continues to evolve – from signatures to tokens, biometrics and beyond

There is no rest for those in financial institutions tasked with safeguarding personal information. Even though the concept of identity authentication – confirming that online systems users are who they claim to be – remains fixed, the measures taken to ensure this outcome must continually change. There will always be the need for a newer, safer approach to account security as technologies continue to shift and criminals persist.

Strong identity verification has evolved to a combination of something a user knows (password, personal data) with something they possess (key, documentation, software token) or, in the strongest scenarios, with something they are (biometrics such as a fingerprint or facial recognition). For some users, these increasingly personal measures can feel invasive, and a step too far.

But understanding where we’ve been, what has changed and where we’re headed can help provide some context and assurance for change-weary accountholders.

Knowledge-based verification

In the predigital world, determining identity was a manual process. People presented documents, such as a driver’s license, to apply for a loan or make a purchase. Verification was subject to the skill and integrity of the person reviewing the document. Signatures were an important indicator of identity. Banks and credit unions wouldn’t cash checks if the signatures didn’t match those on file. But better methods were needed as the speed and volume of individual transactions increased, and processing became automated.

When personal computers became as common as a major kitchen appliance, knowledge-based methods such as passwords became standard. Proof of identity was also knowledge-based, in the form of security questions. According to the Fast Identity Online Alliance (FIDO), weak passwords cause over 80% of data breaches. This is due to the rise in increasingly sophisticated cybercrime tactics and the fact that many people use the same passwords for multiple applications, making it easier for threat actors to access other accounts. 

Object-based verification

In the 1970s, federal regulations such as Know Your Customer (KYC) required financial institutions to establish stronger measures to defend their customers against data breaches and theft. In addition to encouraging stronger passwords, financial institutions began implementing multifactor authentication (MFA) to ensure legitimate identity. This extra layer of security requires users to provide an additional piece of information, such as a PIN or randomized, one-time password (OTP) sent to an object (an individual’s phone or computer) in the form of an SMS or email.

Security tokens – physical hardware such as a fob, USB drive or keycard – are also highly effective security tools. These connectionless devices, which cannot be duplicated, remotely hacked or spoofed, are activated in person and provide two-factor authentication by generating a new OTP for each login. The disadvantage of object-based verification is the possibility of loss, theft or damage, and the inconvenience of deactivation and replacement.


Currently, the highest form of security is biometrics. A personal device (such as a phone) is the token, and the verification is a unique biological trait (fingerprint, voice sample or facial feature) or a behavior (typing rhythm, signature dynamics or voice pattern). In addition to the strength of security they offer, biometrics provide significantly less friction; users no longer have to remember passwords or safeguard physical items.


While the specificity of biometrics makes it difficult to impersonate an accountholder, the risk of biometric data breaches still exists. It is crucial that organizations remain vigilant in their efforts to provide the highest level of security. It’s the only way to stay ahead of increasingly sophisticated cybercriminals seeking to exploit weaknesses in new software, platforms and devices.

What’s next?

New identification technologies are entering the development phase all the time. Some may never gain traction in the marketplace, while others will prove to be the right solution at the right time. Many will likely harness emerging technologies such as AI and biometrics for use in common applications, such as cameras and recording devices, to confirm identity and detect anomalies. Tech giants such as Google and Apple are working together to create stronger solutions to eliminate as much uncertainty in authentication as possible. Those new approaches include ways to identify users through a web browser.

In a fast-paced environment that requires both proactive strategy and flexibility, the core of identity verification is trust. Financial institutions that educate accountholders about the necessity of continuously evolving verification technologies will help address concerns and ease customer resistance to “what’s next.”

Learn more about providing ongoing protection from harm: