Principal Financial pioneers biometric authentication to beat online fraud

Principal Financial Group helps millions of people and businesses plan for the future through retirement services, insurance, and asset management. Customers trust Principal with their money, so it’s essential to keep digital channels secure.

But that trust was tested in 2023, when Principal saw a rise in fraudulent online registrations, particularly in its retirement business. Attackers had found a weak spot: unregistered customer accounts already tied to existing investments. Because those accounts didn’t yet have usernames, passwords, or multi-factor authentication (MFA), they became easy targets for takeover.

The culprit was knowledge-based authentication (KBA), a common method for proving identity that asks users to answer personal questions about former home addresses or car models. Unfortunately, that type of data is now easy for fraudsters to buy or steal from breaches, data brokers, and social media.

“We asked ourselves: How can we reduce fraud by replacing KBA with a more secure identity-proofing solution while also maintaining a seamless customer experience?” says Melanie Bergen, business information security officer at Principal Financial.

The solution was digital ID verification authentication (DIVA). This automated process combines government ID checks with biometrics such as facial, voice, fingerprint, and iris recognition to confirm that customers are who they claim to be.

In late 2023, after evaluating potential vendors, Principal partnered with Onfido, an Entrust company, to replace KBA with a DIVA platform focusing on facial recognition. By the following May, the rollout was complete.

Challenges of replacing a flawed system under pressure

The decision to switch to DIVA was straightforward, but carrying it out was more complicated. Principal faced obstacles, including:

Implementing quickly and decisively. Fraud was rising at an alarming pace, so speed mattered. Principal had to test, validate, and deploy a solution in months, not years.

Balancing security with usability. Principal needed biometric authentication that was simple enough that customers wouldn’t get frustrated and abandon the process.

Navigating uncharted territory. Principal was shifting to DIVA without a roadmap because biometric authentication has rarely been used specifically for retirement account registration.

Evaluating vendors and compliance. Principal had to carefully assess vendors that could deliver both government ID verification and real-time biometric authentication. At the same time, they had to navigate strict privacy, risk, and legal standards.

“We overcame challenges through rigorous vendor evaluations, proof-of-concept testing, and close collaboration between our security, legal, and customer experience teams,” says Bergen. “That agility allowed us to go from vendor selection to full deployment in less than five months.”

Results: Fraud eliminated, customer experience elevated

According to Bergen, the DIVA program has delivered positive results, such as:

Fraud prevention: Fraudulent account registrations—previously driven 99% by KBA exploitation—have been virtually eliminated.

Customer success: User success rates improved significantly, rising from 38% to 48%.

Lower user abandonment: The percentage of users who started authentication but failed to complete it dropped from 74% to 40%, reflecting a smoother process.

“The impact has been substantial,” says Bergen. “The DIVA system has prevented fraudulent account takeovers while making verification faster and more intuitive.”

The timing of the transition to DIVA was also critical. According to LIMRA’s 2024 Financial Crimes and Fraud Prevention Benchmarking Study, 50% of respondents saw an increase in fraud targeting seniors and vulnerable adults. In the same study, 61% of respondents reported more account takeover attempts.

By staying ahead of the curve, Principal protected customers from escalating fraud while also positioning itself as an industry leader in secure digital access.

“We’re proud to be one of the first companies in the retirement sector to use biometric authentication for online registration,” says Bergen. “It shows how we can counter security threats while still making the experience seamless for customers.”

For its biometric authentication project, Principal Financial earned a 2025 CSO Award. The award honors security projects that demonstrate outstanding thought leadership and business value.

Lesson learned: Innovation starts with leadership

Bergen credits DIVA’s success to a combination of strong leadership and clear communication.

“One of the biggest lessons for us was how critical leadership is to driving innovation,” she says. “Our leaders embraced forward-thinking approaches and empowered teams to innovate, which gave them the confidence to move DIVA forward.”

That support was matched by early involvement from Principal’s customer experience team, which designed the biometric authentication process to be intuitive and used journey mapping to flag and fix any issues before launch.

Communication with customers also played a big role. To that end, Principal employees were equipped with clear messaging to guide customers who were not familiar with biometric facial recognition.

“By explaining the new process to customers, why it mattered, and how it protected them, we were able to reduce confusion and build trust,” says Bergen.

Advice to CISOs: Act fast, but keep customers first

For organizations wrestling with fraud fears, Bergen offers two pieces of advice:

Adopt an agile mindset. Move quickly, but validate solutions with proof-of-concept testing and live demos before full rollout. To save time, Bergen suggests running compliance and risk reviews in parallel with technical testing. This approach helped Principal complete its DIVA implementation in just five months.

Balance security with customer expectations. During deployment, think about customer needs alongside technical requirements. Bergen emphasizes that gathering customer feedback during rollout allowed Principal’s teams to spot issues early and make adjustments in real time.

“The goal is always to strengthen security without sacrificing customer experience—it’s a balance every security leader must strike as threats evolve,” says Bergen.

With retirement savings and personal data under attack, Principal’s DIVA project is a prime example of how financial institutions can move past outdated authentication to keep customers safe from fraud.
