One-time authentication codes through SMS (text messages) have been used for a while as a method of ongoing authentication, but have traditionally been of little use for verifying the identity of a new consumer. The lack of value for identity verification has been rooted in the typical approach: a consumer provides a phone number and by providing the code sent to that number you confirm they actually do have control of the number they provided as described below:
- Consumer claims to be John Doe, with a phone number of (222) 222-2222
- A code is sent to (222) 222-2222
- Business knows the consumer has control of (222) 222-2222
By adding one additional step, namely verifying that the number provided belongs to the individual that the consumer claims to be, the one-time authentication code can serve as a factor for identity verification.
- Consumer claims to be John Doe, with a phone number of (222) 222-2222
- Business verifies that (222) 222-2222 belongs to John Doe
- A code is sent to (222) 222-2222
- Business knows the consumer has control of John Doe’s phone (and is therefore likely to be John Doe)
As consumers within the US become more accustomed to using their phone for authentication and payments, this approach becomes more definitive (more consumers secure their phone with PIN, biometric, or other authentication). When combined with additional data points (verified consumer address, DOB) or authentication methods (Knowledge Based Authentication), this approach offers a very strong multi-factor approach to verifying the true identity of consumers that are performing remote transactions.
EVS has recently incorporated this functionality as a component of IdentiFraud Consumer+, providing a remarkably simple and flexible way for clients to implement this approach within their overall identity verification strategies.