As part of the KCL Product Management course, Docusign presented an employer project based on their findings in the identity verification sector. Knowledge Based Authentication (KBA) is a security mechanism to verify the identity of a person based on their knowledge of certain information. It relies on the assumption that only a legitimate user would know the answers to a specific question. KBA is offered to Docusign’s customers only in the USA where much information is kept on public record such as previous vehicle or home ownership.
Docusign provided data that showed a decline in users electing to use KBA as a result of a reduction in trust with the solution. As individuals become more comfortable sharing their personal information online through social media channels, they felt that the questions asked by KBA could be defeated by social engineers accessing data breaches or uncovering information on social media. However, as the solution still remained financially viable to the business, they were looking to rebuild trust in the verification method and extend its product lifecycle.
Looking into the market for competitors and alternative identity verification technologies, there are industry trends towards multi-factor authentication where users would have to use a combination of processes or devices to verify their identity and also towards biometric verification. KBA also had limitations where users who had no previous history in the USA e.g. a new migrant with no public record available.
The proposed solution to build trust and improve security was to ask users questions more specific questions - this would work well for financial service applications where they could be asked about standing orders, or in the event that the user has no background with the specific financial institution, information available from a credit check e.g. what retail store credit cards are available. To complete these questions, users would need to complete a biometric verification using a webcam or a front facing camera on the phone - here, they would be asked to complete a randomly assigned action e.g. nod head based on the validity of the statement and the image could also be verified against an ID on file. Improving the security was key to building user trust and ensuring that it would be more challenging to defeat especially with the advent of deepfake technologies. The solution also relied on Docusign’s existing biometric verification technology.
Undertaking user research, issues were identified and then iterated on - further user research on the new improvements reduced the time taken to complete the steps to reduce the friction in the process. Accessibility was also a key consideration for the product, where users could select an alternative action or choose another identity verification method if they were unable to complete the assigned random action.