Every digital business knows the struggle between security and usability. A safe system is always a bit more difficult to use, and a user-friendly system is rarely secure. While the IT department often prefers to keep the security layer as tight as possible, the consumer department wishes to keep the user journey as smooth as possible. This constant struggle is the main challenge for product teams across all sectors – from retail and finance to media and entertainment.
Identity verification and the KYC challenge
One of the most critical components in this ecosystem is identity verification, commonly referred to as Know Your Customer (KYC). KYC processes are designed to prevent fraud, protect users, and ensure compliance with anti-money laundering regulations. However, they can also introduce complexity if not handled carefully. Modern casino platforms are increasingly investing in technologies such as automated document verification, biometric checks, and AI-driven validation to streamline these processes, reducing the time and effort required from users.
Automation for Verification Highlights: Onboarding is no longer a “chunky” feature of a digital platform. Many platforms are starting to embrace automation in their verification process. Gone are the days when customers would have to submit the same information multiple times for a manual check, wait a long time for a response, and then give up on the platform. Fast compliance and the two have historically gone hand in hand. But we’re starting to see more and more platforms incorporate the two.
Authentication methods are evolving quickly
There is no real trust in passwords. The NCSC authentication guidance aligns with the following advice: multi-factor authentication is a good idea; forcing password resets for minimal changes is probably a bad idea, as users tend to choose poor passwords when counts are low and the same password has to be used for a long list of sites; and a passkey or authentication token could make a good replacement for passwords.
One point about digital identity and identity verification in online identity management is worth noting. The NIST guidelines for digital identity include a particularly relevant discussion of verification levels for different activities on a site or service. The guidelines suggest that a site or service can choose a verification level appropriate for a given activity, and that this choice can vary depending on the action. For example, updating a low-risk account preference may not require as much verification as making a financial transaction, and a well-designed identity management system will dynamically apply the right level of verification for whatever is being done.
Design choices that reduce friction without reducing safety
Risk-based authentication is one of the more effective controls an organisation can implement. Traditional multi-factor authentication (MFA) usually applies the same controls to the same users regardless of their circumstances, which is not particularly user-friendly. A risk-based approach uses techniques such as device recognition and source IP address to determine when extra authentication is required. With a risk-based approach, users are typically challenged less when accessing from familiar, trusted devices and trusted locations. On less expected devices from less expected locations, authentication still occurs, but it is usually performed behind the scenes.
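The two ideas above (a verification level chosen per action, raised by device-recognition and source-IP signals) can be combined in a single step-up decision. The following is an added example, not code from any platform or guideline mentioned here; the action names, levels, scoring rule and the sample device and network data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address, ip_network

class Level(IntEnum):  # verification strength, weakest to strongest
    SESSION = 0    # existing session is enough
    PASSWORD = 1   # re-enter the primary credential
    MFA = 2        # second factor or passkey assertion

# Assumed policy: baseline level per action (names are hypothetical).
ACTION_BASELINE = {"update_preference": Level.SESSION,
                   "change_email": Level.PASSWORD,
                   "transfer_funds": Level.MFA}

# Constructed sample state: devices and networks previously seen per user.
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}}
KNOWN_NETWORKS = {"alice": [ip_network("203.0.113.0/24")]}

@dataclass(frozen=True)
class Context:
    user: str
    device_id: str
    source_ip: str

def risk_signals(ctx):
    """Return the list of risk signals raised by this request context."""
    signals = []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        signals.append("unrecognised_device")
    try:
        addr = ip_address(ctx.source_ip)
        familiar = any(addr in net for net in KNOWN_NETWORKS.get(ctx.user, []))
    except ValueError:  # an unparseable address is treated as unfamiliar
        familiar = False
    if not familiar:
        signals.append("unfamiliar_network")
    return signals

def required_level(action, ctx):
    """Baseline for the action, raised one level per risk signal."""
    baseline = ACTION_BASELINE.get(action, Level.MFA)  # unknown action: fail closed
    signals = risk_signals(ctx)
    return Level(min(baseline + len(signals), Level.MFA)), signals

def needs_challenge(action, ctx, satisfied):
    """True when the session's satisfied level is below what is required."""
    level, _ = required_level(action, ctx)
    return level > satisfied
```

Returning the signal list alongside the level lets the decision be logged and audited, which matters when a user disputes why they were challenged.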
A calculated trade-off, not a simple fix
This balance can’t be fixed at design time; it is dynamic. Regulations change, user experience expectations can grow, and adversaries adapt. Systems that embrace a design practice of “security as code” with a deep understanding of actual user behavior and compliance benchmarks will be in a stronger position to manage regulatory compliance and ensure high levels of user retention.

