It’s true: Cognito can return a Social Security Number from a phone number. As crazy as this may seem at first, our ability to link phone numbers with real-world identity is a huge benefit to both consumers and businesses.
In order to understand why, we need to dive into how fraudsters currently steal your identity to defraud online businesses.
The industry standard, knowledge-based authentication (sometimes also called “out of wallet questions”), uses information like your address history, your car loans or mortgage data to ask questions that supposedly only the person to whom this data pertains would be able to answer. For instance, “What color was your 2001 Toyota Corolla?”
In theory, this is a great idea. It allows you to verify that the person is in fact who they claim to be. But in reality, fraudsters can visit darknet markets and buy bulk data sets containing exactly this data on tens of thousands of consumers and even targeted individuals. Due to the ubiquity of leaked personally identifiable information, the market price for lists of hundreds or even thousands of identities is on the order of hundreds of dollars - a small price to pay for a fraudster.
We are entering an era where simply knowing information is not enough proof that you are who you claim to be. There needs to be something more.
Cognito protects your identity by linking your phone number with your real-world identity. This phone-to-identity link allows us to authenticate that you and you alone are signing up for a service.
Imagine signing up for a new bank account with Acme Bank. During the onboarding process you receive a text message with a 6-digit authentication code that says “Did you just sign up for Acme Bank? Enter this code during signup: 1234”. Behind the scenes, we tell Acme Bank that, yes, this phone number is associated with you, and once you enter the authentication code, you verify that you meant to share your identity information with Acme Bank.
This raises the bar to steal your identity by an order of magnitude. No longer can the fraudster just buy your identity and pretend to be you. They need to either steal your phone or engage in a phone number porting attack - both of which require significant effort and have lower success rates when compared to logging into the darknet and buying new fraud opportunities in bulk.
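The signup check described above, sketched as an added example that is not Cognito's code: the identity is released only to someone who can read the text message, and the code is bound to the business named in it. The class name `PhoneVerifier`, the in-memory phone-to-identity table, the five-minute lifetime and the three-guess limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 3        # assumed guesses allowed per code


class PhoneVerifier:
    """Possession check for a phone number, scoped to one relying party."""

    def __init__(self, identity_by_phone, clock=time.time):
        self._identity_by_phone = identity_by_phone  # constructed phone -> identity link
        self._clock = clock
        self._pending = {}  # (phone, relying_party) -> [code, expires_at, attempts_left]

    def start(self, phone, relying_party):
        """Return the SMS text to deliver, or None if the phone has no linked identity."""
        if phone not in self._identity_by_phone:
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded to 6 digits
        self._pending[(phone, relying_party)] = [
            code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return (f"Did you just sign up for {relying_party}? "
                f"Enter this code during signup: {code}")

    def finish(self, phone, relying_party, submitted_code):
        """Return the linked identity only for a fresh, unexhausted, correct code."""
        key = (phone, relying_party)
        entry = self._pending.get(key)
        if entry is None:
            return None  # nothing was sent for this phone and business
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[key]  # expired or guessed too often: start over
            return None
        entry[2] -= 1  # count the attempt before comparing
        if not hmac.compare_digest(code.encode(), str(submitted_code).encode()):
            return None
        del self._pending[key]  # single use
        return self._identity_by_phone[phone]
```

Holding the victim's purchased data does not help a caller of `finish`: without the text message the only option is guessing, and the attempt limit and expiry cap how many guesses are possible.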
Knowledge-based authentication (KBA) should be a last resort, not the front line, when defending businesses from stolen identities. Not only is Cognito lower friction than KBA, no longer requiring your users to furrow their brows deciding whether their Toyota Corolla from 2001 was purple or magenta, but it also raises the attack barrier to entry, which in turn reduces the amount of fraud that businesses have to deal with.