RIP while alive
One of the major values in events like Trustech, happening now at Paris Porte de Versailles, is the opportunity to provide an overview of multiple topics that are relevant to our industry. Yesterday, EESTEL – European Experts in Secure Transactions – gave a presentation on Remote Identity Proofing.
Proving one’s identity online is an often-repeated challenge. It is needed at the onboarding stage for many services, for KYC needs, and at the verification stage to grant access to public or private online services. Identity proofing requires verifying that the identity document presented by the user is authentic and that the user is the legitimate holder of that document.
Numerous solutions have been developed for both needs, which makes it harder to understand the exact performance of each one. Many fully automated solutions have been developed: the user presents an ID document in front of the camera, along with a photo or a video, and the system verifies optically whether the document is deemed authentic and whether the photo matches the portrait on the document. Verification includes three steps: ID document remote verification, authentication and liveness detection. Experts have developed digital facial biometric solutions, including passive liveness detection and face match algorithms, that are able to deliver a verification result in seconds. Fully automated solutions are widely used in the commercial world for banking, eKYC, SIM enrolment, ID verification in various contexts, etc.
However, fully automated solutions carry a risk of accepting false identities. For instance, it is estimated that 6% of identity documents in France are either forged or used illegally. Consequently, government authorities, regulators and cyber defense agencies are stepping in to bring more clarity to this market.
Human verification is considered more reliable than fully automated systems. In this case, a human operator remotely verifies the document before granting access rights. Last year, the National Cybersecurity Agency of France (ANSSI - Agence Nationale de la Sécurité des Systèmes d'Information) published the first version of its requirements for remote identity verification service providers. The goal is to bring Remote Identity Proofing to the same level of certainty as face-to-face identity verification.
The ANSSI establishes two levels of verification, under the eIDAS security framework:
Assurance level substantial, which “must guarantee equivalence in terms of reliability with a physical face-to-face meeting carried out in the context of access to a public or private service requiring proof of identity” and “withstand an attacker with a moderate attack potential,”
Assurance level high, which “must guarantee equivalence in terms of reliability with a physical face-to-face meeting carried out in the context of issuing an identity document” and “must be able to withstand an attacker with a high attack potential.”
Such verification aims to prevent all identified risks associated with ID verification, including identity theft, the use of counterfeit identity documents, the use of falsified identity documents, the injection of fraudulent data, the use of a physical mask, the use of make-up, a constraint placed on the user forcing them to identify themselves remotely …
In a service called “synchronous with human interaction,” the ANSSI specification defines the role of an operator, who is in charge of verifying the identity of users, the authenticity and consistency of documents, the match between the photo on the document and the evidence provided by the candidate, and the liveness of the person, in order to decide whether the verification is “successful” or “unsuccessful.” It also defines the role of a Biometrics fraud officer, who is responsible for the whole operation of the system.
Identity verification is still not an exact science. A combination of automated processes and human intervention will improve results and allow the development of more online services.