Don't fight fraud with your offline brain
Why do many companies default to selfies for user verification?”
When I got this question recently, it helped me realize something about fraud prevention.
A lot of people fighting fraud in the online world are still thinking with their offline minds.
How does this bias their decision-making?
Take selfie verifications as an example.
In the non-digital world, we use faces all the time to verify someone’s identity:
Looking at someone’s face is a big part of how we “verify” people offline, and it’s usually pretty reliable and trustworthy.
If I’m comparing your face to a picture while you’re standing in front of me, unless you’re Nic Cage in Face Off…I can be pretty sure that it’s really you.
Because this face recognition method works great in real life in the offline world, my hunch is that people tend to think about digital identity verification in a similar way.
So that’s where selfie verification comes in.
It’s intuitive to imagine this method would work well online too, for pretty much any use case.
But there are two big reasons why selfies can’t be relied on as a scalable verification method.
The first is too much friction.
Recommended by LinkedIn
Looking at someone’s face in real life is passive—it doesn’t require any effort from the person you’re looking at.
On a device, it’s different. They have to aim the camera, position their face, adjust their lighting, etc.
Asking someone to take a selfie occasionally may work. But ideally for fraud prevention you should be constantly re-verifying identity, and that’s not really possible without creating an annoying, involuntary selfie-laden experience for your users.
The other problem is the lack of security inherent in selfie verification.
Mobile devices aren’t the most airtight. There are a number of ways to inject whatever image or video you want into the camera feed of a device.
If you have an image of someone’s face, you can even use deepfake tech to animate that face so you could pass both facial recognition AND liveness detection.
Here’s the takeaway:
Comparing someone’s face to their ID or to your memory is a great verification method in real life, but the online world is a different place. And selfie verification isn’t the only area of mobile fraud prevention where we should be thinking about this distinction.
We should be careful to separate the way we think about identity verification in the offline world and online world.
Otherwise, you could be exposing your platform and customers to a lot of risk.
Next time you’re assessing your platform’s authentication and verification factors, take a minute to ask yourself:
Am I trying to use my offline mind to solve online problems?
Other resources:
Dedicated to doing what is right, not what is required.
1moI like this a lot. Similar to selfie verification using your offline brain for online document verification is missing out on essentially every security feature of a government issued ID.