ID Document Verification was introduced to solve many of the issues that arise from services that require higher levels of authentication. Certain services require more reliable authentication methods, which offer higher assurance of the user’s identity. However, this can cause issues, especially for users of different nationalities. Lower-level authentication methods can often be used by all users regardless of their country of origin, whereas this is not always the case for higher-level methods. With ID Document Verification, it becomes easier for all users to prove their identity. In this blog, I will explore the basics surrounding ID Document Verification and some of the main features that support these solutions.
What is ID Document Verification?
The basic concept is that, instead of using a user ID and password to sign into an eService, I identify myself by scanning my identity document and taking a selfie or a video clip to prove who I am. I can scan the document by taking a picture of it according to instructions given by the service provider. The service uses different highly sophisticated AI (Artificial Intelligence) driven technologies to verify that the person in the picture or video matches the one shown in the document.
There are several ID Document Verification service providers on the market and, as you can imagine, there are some differences in how these services function. You might be interested to know how many different countries the solution supports, which ID documents are accepted, whether there is a need to install an app, whether ID document chip scanning is supported, where the ID document information is stored, what type of fraud detection systems the solution uses and what the price per authentication transaction is, especially during the initial registration.
The most common ID documents accepted by these services are driver’s licenses, national ID cards and passports but depending on the country I am from there can be over ten different documents including residence permits and work permits among others that I can use to prove my identity. Depending on the service provider I can scan the identity documents using a web browser-based or app-based user interface. The result is the same, after the initial ID document scanning procedure I get access to the eService. But what happens when I want to access the same eService again?
The benefit of a browser-based version is that I don’t have to install a new app on my smart device. Generally, it can be a good solution for a one-time authentication. However, if the goal is to reuse my identity again without re-registration, then my ID document information must be sent to the service provider’s servers. Even though the information is stored in an encrypted format, many users do not necessarily like the idea that a non-governmental third-party operator stores this kind of information on its servers.
The benefit of an app-based solution is that it provides me with the possibility to store the scanned identity document information in an encrypted format on my smart device. I have the option to remove this information at any point I want. However, many eService providers do not want to ask their customers to install additional apps on their smart devices.
How reliable is the ID Document Verification?
Can ID Document Verification methods be considered strong authentication methods? Often, strong authentication methods utilise at least two factors from the list of something the user knows (e.g. password, pin code, answer to a security question), something the user has (e.g. security token, digital certificate, an ID card, a phone with a built-in hardware token, software token), and something the user is (e.g. typically biometrics such as fingerprint, iris scan, vein scan etc.).
ID Document Verification uses a variety of AI-driven fraud detection mechanisms, such as face matching to confirm that the person who took the selfie or video is the same as the one on the document. Texture analysis makes sure that the pictures or videos are genuine and not copies. In addition, features such as audio processing, face tracking and mouth tracking (where I have to say some specific words, turn my head, blink my eyes etc.) can be utilised to further verify that the right person is trying to access the service. And if the algorithm is still not sure whether it is the right person, some solutions provide an option to ask a trained employee to verify the user and make the final decision. From this perspective, we can say that ID Document Verification Authentication methods can provide strong authentication.
However, as an example, in Finland the official strong authentication methods include BankID, national ID cards (requires a card reader) and Mobile PKI (Mobiilivarmenne in Finnish). These methods have gone through a complex certification process to prove the maturity of the solution. This is indicated using Level of Assurance (LoA) levels. LoA levels use the international 4-step scale and the EU 3-step scale in parallel in the following way:
International scale | EU scale | Notes |
LoA 1 | Not used | (EU uses 3-step scale) |
LoA 2 | eIDAS Low | |
LoA 3 | eIDAS Substantial | BankID, Mobile PKI |
LoA 4 | eIDAS High | National Identity Card |
eIDAS = Electronic Identification, Authentication and Trust Services
Since ID Document Verification method vendors are private companies, they do not have such LoA certifications. From a security point of view, it is important to make sure that the vendor follows the latest developments in the standards and technology used to identify fraudulent documents.
It is also worth noting that in some European countries it is possible to open a bank account online using ID Document Verification authentication, indicating that these banks trust their selected vendor’s solution – which is a noteworthy seal of approval.
One way to improve the reliability of the scanning procedure is to scan the microchip in the ID Document. The chips inside of passports and national ID cards include user-specific certificates that are very difficult to forge, thus they can be used to increase the reliability of the document verification procedure. To do this, I have to make sure I have an NFC (Near-Field Communication) chip in my smart device. In addition, some solutions can run backend queries to external databases to validate documents’ ID attributes and execute fraud evaluation against fraud databases.
Which services can use Identity Document Verification?
While ID Document Verification authentication methods have often been used in banking services, there are also many other services where they are very useful. They are especially useful where the eService requires a higher assurance of identity verification but the users cannot use the official strong authentication methods of the given country.
One good example of this is universities. Very often these educational institutes have foreign students and teachers who need to authenticate themselves to access the university eServices to attend online lectures, examinations etc. Username and password methods are just not strong enough in these cases, but reliable online authentication methods are not available. This type of issue can be solved with ID Document Verification Authentication. Note that the new European Digital Identity (EUDI), which is a part of the eIDAS regulation, will allow EU-level cross-border strong authentication services. It will solve this issue for people who have EU-level digital identities. Read more about it here: https://www.ubisecure.com/standards/introducing-european-digital-identity-eudi/
In addition, several other eServices can use ID Document Verification for more convenient, passwordless authentication. Instead of writing my username and password I can just take a selfie (biometric facial recognition) or scan a QR code to access the service. Also, if the service has a password, I could reset it by taking a selfie.
Integrating an ID Document Verification Authentication service with a CIAM (Customer Identity and Access Management) solution such as Ubisecure’s Identity Platform makes the onboarding of new users frictionless. This type of solution can utilise the registration form autofill feature during the initial phase of the procedure. Many of the required attributes can be scanned directly from the ID document, thus users do not have to type them in manually.
The integration procedure can be established using the tools provided by the CIAM system. If the ID Document Verification Authentication service supports standard authentication protocols, such as SAML or OIDC, then it is a very straightforward procedure. If the service uses proprietary APIs, then a separate adapter needs to be created to establish communication between the CIAM and the service. This type of solution allows you to easily take the ID Document Verification Authentication service into use for all of your eServices with just a few mouse clicks.
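An added example (not Ubisecure's code or any vendor's API) of the policy check an OIDC integration needs once an uncertified document-verification vendor sits beside the certified methods from the LoA table: each login is ranked by a level the operator assigns per issuer, not by the `acr` value the issuer asserts about itself. The issuer URLs, the `docverify_method` claim and the local ranks are assumptions; signature, `aud` and `exp` validation is assumed to have been done by the OIDC library beforehand.

```python
import time

# EU 3-step scale from the table above, as eIDAS LoA URIs in rank order.
RANK = {
    "http://eidas.europa.eu/LoA/low": 1,
    "http://eidas.europa.eu/LoA/substantial": 2,
    "http://eidas.europa.eu/LoA/high": 3,
}

# Hypothetical issuers. Certified methods carry the ceiling from the table
# (BankID: Substantial, national ID card: High).
CERTIFIED = {
    "https://bankid.example": 2,
    "https://idcard.example": 3,
}
# The document-verification vendor holds no LoA certification, so the operator
# assigns its own equivalence per verification method (assumed local policy).
DOCVERIFY_ISSUER = "https://docverify.example"
LOCAL_RANK = {"photo_selfie": 1, "chip_read": 2}


def effective_rank(claims):
    """Rank a validated ID token by issuer policy, not by self-asserted acr."""
    iss = claims.get("iss")
    if iss in CERTIFIED:
        # Trust acr only up to the level the issuer is certified for.
        return min(RANK.get(claims.get("acr"), 0), CERTIFIED[iss])
    if iss == DOCVERIFY_ISSUER:
        # 'docverify_method' is a hypothetical vendor claim; acr is ignored.
        return LOCAL_RANK.get(claims.get("docverify_method"), 0)
    return 0  # unknown issuer: no assurance


def decide(claims, required_acr, now=None, max_age=300):
    """Return 'allow', 'step_up' or 'reauthenticate' for one eService request."""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
        return "reauthenticate"  # missing or stale authentication event
    if effective_rank(claims) >= RANK[required_acr]:
        return "allow"
    return "step_up"  # ask for a stronger method instead of failing outright
```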
Pros and cons of ID Document Verification
Below, I have listed some positives and negatives of the ID Document Verification Authentication services. It is good to remember that the solutions vary between different vendors. So, depending on your needs you can choose a vendor that fulfils your requirements.
Positives | Negatives |
+ International authentication method, not limited to one national ID | – Chip scanning requires a phone with NFC functionality |
+ Passwordless authentication utilising QR codes, selfies and videos | – Initial registration can sometimes be cumbersome |
+ Difficult to forge (especially the methods based on chip scanning) | – Not all countries have centralised registries for attribute verification |
+ Possibility to confirm scanned information from external registries | – Cannot cover 100% of customers. Some manual customer service processes are still required for certain users – The service can cover a maximum of just over 200 countries at best (depending on the service provider) – Not all users have the required smart devices available – Not everyone has the documents required – Not everyone has the know-how to complete the registration process |
+ The possibility of doing a password reset using a recheck of a selfie or a video | – Initial authentication can be a bit expensive (for the eService provider) |
+ Frictionless onboarding of new customers with registration form auto-filling when combined with CIAM | – Some solutions require the user’s ID document information to be stored in external DBs |
+ Good for services that are subject to stringent KYC (Know Your Customer) and AML (Anti Money Laundering) requirements. | – There can be differing levels of accuracy across different skin tones, genders and ages; enquire with your vendor about bias mitigation. Listen to “Evaluating face recognition biometrics with Mei Ngan, NIST” to find out more. |
As we have seen, the official strong authentication methods are usually national-level solutions. Even with the EUDI service, we can offer only EU-level solutions for the problem. The ID Document Verification Authentication services can offer an option for strong authentication for global users. In addition, it can simplify the onboarding processes and provide passwordless sign-in to eServices. Its AI-powered biometric identification engines for facial recognition and anti-spoofing technologies make it a safe option for a variety of eServices.
About The Author: Sami Lindgren
As Sales Engineer at Ubisecure, Sami supports technical aspects of sales activities regarding Identity and Access Management (IAM) products.