
Customer verification and MFA: what IAM teams need to change


(@nhi-mgmt-group)

TL;DR: Customer verification is moving beyond static KYC checks toward layered identity proofing, MFA, biometrics, and AI-driven risk checks as fraud, privacy rules, and user-experience expectations tighten, according to 1Kosmos. The real challenge is balancing assurance, friction, and data minimisation without turning verification into a brittle one-time event.

NHIMG editorial — based on content published by 1Kosmos: customer verification, MFA, and the trade-offs between security and user experience

By the numbers:

Questions worth separating out

Q: How should organisations balance customer verification strength and user experience?

A: Use risk-based verification.

Q: When do OTPs and MFA stop being enough for customer identity?

A: They stop being enough when the threat model includes phishing, SIM swap, device compromise, or high-value transactions.

Q: What do security teams get wrong about customer verification?

A: They often treat verification as a one-time gate instead of an ongoing risk decision.

Practitioner guidance

  • Segment verification by transaction risk. Use low-friction checks for routine actions and step up to document or liveness verification only when the transaction value, fraud signal, or regulatory sensitivity justifies it.
  • Replace weak knowledge checks with stronger proof signals. Retire static KBA where exposed public data makes challenge questions predictable, and move toward possession-based, biometric, or device-bound evidence.
  • Tie each verification step to a legal purpose. Document which checks support KYC, AML, age gating, or fraud prevention so privacy, legal, and security teams can defend data collection and retention decisions.

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames identity verification methods across passwordless, MFA, biometrics, and liveness checks.
  • The article's practical examples of KYC, AML, age verification, and customer trust controls in different business settings.
  • The vendor's design guidance on balancing security, friction, and privacy in customer verification journeys.
  • The implementation-oriented discussion of secure storage, access controls, and audit practices around verification data.

👉 Read 1Kosmos' analysis of customer verification, MFA, and fraud controls →
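
The risk-based step-up logic from the practitioner guidance, as an added example that is not part of the original post or the 1Kosmos article. The method table, value threshold, freshness windows, purpose labels and all field names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed method properties (constructed for this example): assurance level and
# which threats named in the Q&A above each method is taken to withstand.
METHODS = {
    "sms_otp":        (1, set()),
    "totp_app":       (1, {"sim_swap"}),
    "device_passkey": (2, {"sim_swap", "phishing"}),
    "doc_liveness":   (3, {"sim_swap", "phishing", "device_compromise"}),
}
HIGH_VALUE = 1_000                            # assumed transaction-value threshold
MAX_AGE_S = {1: 30 * 86400, 2: 900, 3: 300}   # assumed: proofs expire faster at higher levels

@dataclass
class Request:
    amount: float
    regulated: bool = False                           # KYC/AML/age-gated action
    fraud_signals: set = field(default_factory=set)   # threats flagged for this session
    proofs: dict = field(default_factory=dict)        # method -> seconds since verified

def required_level(req):
    """Map transaction value, fraud signal and regulatory sensitivity to a level."""
    if req.regulated or (req.amount >= HIGH_VALUE and req.fraud_signals):
        return 3
    if req.amount >= HIGH_VALUE or req.fraud_signals:
        return 2
    return 1

def satisfies(method, need, signals):
    """A method counts only if it meets the level and withstands every flagged threat."""
    level, resists = METHODS[method]
    return level >= need and signals <= resists

def decide(req):
    """Return (decision, method, purpose); evaluated on every action, not once."""
    need = required_level(req)
    purpose = "regulatory" if req.regulated else "fraud_prevention"
    for method, age in req.proofs.items():
        if satisfies(method, need, req.fraud_signals) and age <= MAX_AGE_S[need]:
            return ("allow", method, purpose)
    # Otherwise ask for the lowest-level (lowest-friction) method that would satisfy.
    for method in sorted(METHODS, key=lambda m: METHODS[m][0]):
        if satisfies(method, need, req.fraud_signals):
            return ("step_up", method, purpose)
    return ("deny", None, purpose)
```

Because `decide` checks proof age on every call, a passkey verified an hour ago no longer covers a high-value action, which is the difference between a one-time gate and an ongoing risk decision.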
