ID-Pal CTO and Co-Founder, Rob O’Farrell | What is Identity Verification Series
In part three of the series (Current Techniques in Identity Verification: Establishing a Chain of Trust) we started discussing the tests that computers can perform to verify a person’s identity. We ended that with a discussion of how ID document verification can be used to establish that you are dealing with a true identity. In this article we build on that and continue to complete the summary of the state-of-the-art tests available in identity verification.
Are you who you say you are?
Once computers have established that they are dealing with a real identity, they still need to establish that they are dealing with the true owner of that identity. That is generally done by performing a Liveness test and a facial match test.
Are you alive?
Computers use different types of tests to determine if a real person was physically present at the time a document was submitted. There are lots of ways to do this, which fit into two broad categories: active liveness and passive liveness. Active liveness is where you are asked to perform a task that would introduce movement in your face, like blinking, smiling, or reading some text. Passive liveness is where aspects of an image or video can be examined to determine if a person is present without asking for an action to be performed.
Liveness tests can be benchmarked for effectiveness. A trustworthy test should at least be certified to the iBeta Level 2 standard. A Liveness test meeting this standard is adept at distinguishing a real person from a video, a mask, or any other deceptive method.
Are you the person in the ID?
Computers, again, perceive differently. They rely on facial geometry to match faces – distances between eyes, the length of the nose, the depth of eye sockets and so on. Unlike humans, who often perceive faces based on symmetry and overall appearance, computers break it down to a mathematical problem, ensuring precision in matching a face with its document counterpart.
Surely we’re done now?
Computers are not perfect in the execution of these tests for the reasons discussed in the second part of this series (Computerized Trust: How Machines Establish Our Identity). For riskier use-cases you may want some additional assurance. There are some additional steps you may or may not want to do. We’ll give some of these a quick summary now.
eVerification was mentioned in the context of document verification in part three of the series (Current Techniques in Identity Verification: Establishing a Chain of Trust). That’s not where eVerification ends though. By looking up a combination of government electoral registers, credit databases, utilities company databases etc. we can verify a person’s address also. In some jurisdictions we can verify government ID numbers too.
When good data goes bad…
For an extra degree of assurance you might want to consider additional database checks. Deceased Register Checks are common. These people are, for obvious reasons, not able to make counter-claims when someone tries to claim their identity, so they are a common target for fraudsters.
What if you are dealing with a real person but your industry requires that you avoid dealing with people associated with politics? For that we use Politically Exposed Persons (PEPs) checks. This lets you know if someone is politically exposed or related to someone who is. Generally people who do PEPs checks also check if the person has been listed on any government Financial “Sanctions” list. When doing PEPs and Sanctions checks it is common to do “Ongoing Monitoring”, meaning regular checks that someone that was OK to work with when you first met them, still has a clean bill of health.
There are numerous fraud databases such as the CIFAS and Cloverhill Databases in the UK, which can be used to check if the person you are dealing with has been associated with fraud. Be fair though! Sometimes you will be dealing with the victim, not the perpetrator!
Who were you expecting?
This may sound obvious, but just because you have verified someone’s identity, that does not mean they are the person that you were expecting. If you’re expecting to work with Jane Doe, make sure you don’t accept Joan Doe’s identity! A small, but unfortunately common oversight.
There are a large suite of tests that computers can do to verify an identity. The cost of checks may escalate quickly so we generally pick a suite of tests that is appropriate to the level of risk we can accept. Each test helps increase the probability that you’re dealing with who you expect, but never forget to check you’re dealing with the true owner of that identity.
Connect with Rob on LinkedIn