Identity Evolved: The Rise of Multi-Factor Verification

Just as MFA arose to fight phishing and password attacks, multi-factor verification has emerged to combat social engineering and other modern identity threats. Learn all about MFV.

Identity verification has traditionally played an important but limited role in the world of identity and access management (IAM). To establish someone’s identity, you need to prove that they are who they say they are, linking their digital identity to their real-world identity. For employees, this verification typically occurs during onboarding; for customers, it happens when they open a new account. Once validated, they receive credentials, are granted appropriate authorizations, and enter the vast identity access flow universe — with identity verification rarely called upon again.

This system is fundamentally flawed.

Help desk social engineering, synthetic identities and AI-powered attacks are exploiting inadequate identity verification systems to completely circumvent IAM security. The $100 million attack on MGM Resorts occurred when attackers impersonated an employee, convinced the IT help desk to reset credentials, and then escalated privileges until they gained control of the entire system. Just a few months later, a finance worker at a multinational firm was tricked into wiring out $25 million when cybercriminals posed as senior executives using video and audio deepfakes. In fact, 78% of organizations were targeted by identity-related attacks last year.

Unmasking Social Deception

The industry urgently needs to evolve its approach to combat these modern threats. Multi-factor verification (MFV) offers the answer. A recent article by Susan Morrow makes the case eloquently — I highly recommend the read. Multi-factor verification moves beyond relying on authentication as the primary gatekeeper, making identity verification that uses multiple verification factors and risk assessment an intrinsic part of daily access flows.

This transformation is the next step in identity security maturation, similar to authentication’s progression from passwords, to multi-factor authentication, to phishing-resistant MFA and passkeys. Authentication had to adapt to combat escalating phishing and password-related attacks. Multi-factor verification is essential to stem the onslaught of sophisticated social engineering threats.

Fake Passport Used to Bypass Crypto Exchange IDV System. Image Source: 404 Media

The Current State of Authentication vs. Verification

To understand what makes multi-factor verification such a powerful tool, it’s helpful to go back to IAM basics.

What Is Authentication?

In the digital world, authentication is the process of confirming the identity of a user before allowing them to access a device or account. Note that I say user, not person, because that’s what they are in this process — a user in the system. Common authentication factors are something the user knows (like a password), something the user owns (like a mobile phone or hardware security key) or something the user is (biometric data like a fingerprint). Multi-factor authentication (MFA) requires two or more factors from different categories to confirm identity.

What Is Identity Verification?

Also referred to as identity proofing, identity verification makes sure a person is who they claim to be, and that the identity is genuine. Verification can be done in person or digitally, using various methods, depending on the level of identity assurance required. Methods include location checks, comparing user-supplied personal information against official databases, examining government-issued documents, matching a selfie against an official ID, and personal interactions, among others.

Authentication vs. Verification

In a nutshell, verification involves establishing a legitimate, proven user identity in a system. Authentication is about keeping unauthorized users out of the system.

What Is Multi-Factor Verification (MFV)?

Today, access to an organization’s systems and resources is primarily controlled by the authentication process. Yes, there are variations and layers — adaptive authentication, risk-based authentication, access controls like RBAC and PAM — but essentially the act of providing the right combination of credentials gets you through the door. Multi-factor verification (MFV) brings deeper identity verification checks and risk assessment into this daily access process.

Multi-factor verification integrates multiple verification factors dynamically and contextually throughout the user session. This approach combines continuous verification with authentication mechanisms so that you are not just validating the user, you are validating the human.

Multi-factor authentication vs. multi-factor verification

How MFV Works

Today, comprehensive identity verification checks are generally performed only at specific points in time, such as when opening a new account or beginning a job. At other critical moments, such as resetting a credential or registering a new phone, most organizations rely on knowledge-based answers or calling the helpdesk, which are notoriously vulnerable to social engineering.

Anatomy of the Help Desk Social Engineering Attack on MGM Resorts

By contrast, MFV continuously verifies the person's identity based on a combination of factors such as behavior, context, and biometrics. This dynamic verification adapts in response to behavior anomalies, device telemetry, environment and other risk signals, making it more difficult for attackers to exploit. By integrating these factors in real-time, MFV offers a secure, fast and less intrusive verification process.

Benefits of Multi-Factor Verification

Nearly 4 in 10 organizations name identity verification as a top identity security challenge. MFV addresses their pain points on multiple fronts.

Stop Social Engineering and Other Identity Threats: Last year saw a 71% increase in attacks abusing valid accounts. MFV's continuous verification significantly reduces the risk of ATO, session hijacking and other attacks. By continuously adapting to the user's behavior and context, multi-factor verification provides greater resistance to sophisticated threats, ensuring that only legitimate users can maintain access.

Improved User Experience: Most organizations struggle with real-time verification, spending more than two hours verifying identity during employee onboarding, when replacing a device, recovering an account or during other high-risk scenarios. MFV provides a seamless and less intrusive verification process, with basic checks conducted behind the scenes. Additional forms of proof are only required at times of increased risk, creating a smoother and more personalized experience.

Scalability and Flexibility: MFV is easily adaptable to different industries and use cases. Its flexibility allows integration with existing identity stacks, making it a scalable solution for organizations of all sizes.

How HYPR Uses Multi-Factor Verification

Multi-factor verification is core to HYPR’s Identity Assurance Platform. The HYPR Platform unifies phishing-resistant passwordless authentication, adaptive risk mitigation and automated identity verification into a seamless, user-centric access flow. Organizations can easily choose and configure the identity verification processes that suit their environment and use cases. For example, they can offer secure self-service options at times of low risk, with additional steps such as live video chat in higher-risk scenarios or when security anomalies are detected. They can also enforce a range of phishing-resistant authenticators including device-bound Enterprise Passkeys, hardware keys and smart cards.

Example Multi-Factor Verification Flow With HYPR
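A minimal sketch of the risk-adaptive step-up decision described in "How MFV Works" and in the self-service versus live video chat options above. It is an added example, not HYPR's code and not part of the original article. The event names, signal fields, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed base sensitivity of the access events the article names (illustrative values).
EVENT_RISK = {
    "login": 0,
    "credential_reset": 40,
    "new_device_registration": 40,
    "onboarding": 50,
}

# Escalation tiers, lowest to highest; names are hypothetical labels.
BACKGROUND = "background_checks"       # silent checks, no user friction
SELF_SERVICE = "self_service_id_check" # e.g. document plus selfie match
LIVE_VIDEO = "live_video_chat"         # human-in-the-loop verification

@dataclass
class Signals:
    known_device: bool              # device telemetry matches an enrolled device
    behavior_anomaly: bool          # behavior departs from the user's baseline
    location_matches_history: bool  # environment/context signal
    via_help_desk: bool             # request relayed by an agent, not the user's own session

def risk_score(event: str, s: Signals) -> int:
    """Combine event sensitivity with contextual risk signals (assumed weights)."""
    score = EVENT_RISK[event]
    score += 0 if s.known_device else 25
    score += 25 if s.behavior_anomaly else 0
    score += 0 if s.location_matches_history else 15
    score += 20 if s.via_help_desk else 0
    return score

def required_verification(event: str, s: Signals) -> str:
    """Return the verification tier to demand before the event may proceed."""
    if event not in EVENT_RISK:
        return LIVE_VIDEO  # fail closed: unclassified events get the strongest check
    score = risk_score(event, s)
    if score >= 60:
        return LIVE_VIDEO
    if score >= 25:
        return SELF_SERVICE
    return BACKGROUND
```

With these weights, a credential reset relayed through the help desk always reaches the highest tier, so a caller cannot obtain a reset on knowledge-based answers alone.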

Toward Identity-Centric Security With MFV

Organizations worldwide have an identity problem. The vast majority of breaches today are related to identity issues. As Gartner’s Cybersecurity Chief of Research, Mary Ruddy, pointed out, “Digital security is reliant on identity whether we want it to be or not. In a world where users can be anywhere and applications are increasingly distributed across datacenters in the multi-cloud, identity IS the control plane.”

Current access processes are no match against attackers’ nimble and incessant tactics. Initiatives like FIDO’s recently announced identity verification certification program bring critical advancement, but are just part of the answer. Multi-Factor Verification (MFV) marks a major leap forward in identity security, offering stronger protection and a better user experience. As organizations plan to build a more identity-centric security approach, it’s imperative they include MFV in their identity security protocols. Emerging technologies like decentralized identity systems hold promise for even more secure and efficient verification methods. Continuous innovation will drive MFV’s evolution, ensuring it remains a strong defense against emerging threats.
