ID-Pal CTO and Co-Founder, Rob O’Farrell | What is Identity Verification Series
So far in this series we’ve addressed how humans establish trust in a person’s identity (The Foundations of Identity Verification: Trust and it’s Pillar’s) and the challenges and opportunities computers face when performing the same task (Computerized Trust: How Machines Establish Our Identity). In this third part of our five-part series, we move into some of the actual techniques that are prevalent in the identity verification market today.
Spoiler alert: the fifth and final article in this series will then address some of the challenges and opportunities we face now, and in the years to come.
What are you trying to prove?
Computers generally perform Identity verification in three steps which are based on two of the Three Pillars discussed the first article in this series:
1. Something you have: Have you got a verifiable credential that claims an identity?
a. Generally this is a government-issued ID but could be any number of things like a work badge
2. Something you are: Are you physically present?
a. This is known as a “liveness” test
b. This ensures that the person claiming ownership of the identity is actual present at the time
3. Something you are: Are you the owner of the credential?
a. This is a biometric test, tied to the liveness test that can be matched to a biometric recorded on the credential
The goal for the computer is to prove that it is dealing with a verified identity, that you are the one claiming it and that you are the true owner of that identity. Pretty robust, right?
What tests should we consider?
There’s an endless array of tests that a computer can do. The key point is to identify the set of tests that give you a level of trust sufficient for the level of risk you are taking. We will cover a few of the options in the remainder of this article and in the next. This list is by no means comprehensive:
- ID Document verification
- eVerification (Proof of Identity, Proof of Address)
- When good data goes bad… (Deceased Register Checks, PEPS and Sanctions checks)
- Fraud prevention
- Who were you expecting?
Is this document trustworthy?
Computers have multiple options to verify documents. In this section we’ll give a quick, but not exhaustive summary of those options.
Humans assess a document’s authenticity through certain familiar features and security markers. Computers can follow a similar approach: Classification and Authentication. In Classification, the computer attempts to match the document in the image received to a set of templates. This is basically asking questions like “has the document got this emblem in this exact position on it?”. This allows the computer to know, for example, “this is a Spanish Passport”. In Authentication, the computer then looks at the list of visual security features that it expects the document should have. It verifies their presence and that they don’t appear to be tampered with. In this way we can gain a strong degree of confidence that you have a true, government-issued document.
Another visual approach to verifying documents focusses in on detecting tampering with documents. To a human, these may seem like the same thing, but to a computer this is a very different approach. It includes tests like checking if the document is physically present (it’s not a photo of a photo), and ensuring that fonts appear consistent, decreasing the likelihood of tampering. We’ll address this in more detail in the final blog in this series.
eVerification of the Document Data
In some cases, it is possible to electronically verify the contents of the document against government databases. This adds another layer of trust to ensure that what you are receiving is Authentic and hasn’t been tampered with. However, such databases are not consistently deployed at present. That may change in the not-to-distant future but that’s another day’s conversation.
NFC Chips – Cryptographic Verification
Some documents, such as passports, contain a Near Field Communication (NFC) Chip. This allows you to read the information using most common phones, and to verify using a “digital signature” that the data has not been tampered with. This is a very strong verification, but not without challenges due to the user experience and hardware requirements in reading the chip. Some examples of challenges include the sensitivity of the chip reading process to movement (such as a shaky hand), the varying location of the chip in different documents and the fact that some documents don’t have a chip.
We’re well on the road to understanding the steps a computer uses to establish trust in an identity. We’ve covered document verification and next we’ll discuss everything from ensuring the individual is present in real-time, to mathematically matching faces. Each step ensures the digital realm mirrors the very human essence of trust we’ve relied upon for ages.
Connect with Rob on LinkedIn