Thales Blog

Identity Proofing: The New Foundation for Every Digital Identity

November 30, 2021

Hsin Hau Hanna Hsin Hau Hanna | Identity & Biometrics Solutions, Thales More About This Author >

Know Your Customer (KYC) has become one of the most prevalent terms in the post-pandemic digital identity world. For every enterprise’s digital initiatives, Identity Proofing must become the foundation of KYC whether they are on-boarding new customers, partners or employees.

During the Thales Trusted Access Summit 2021, I discussed how advances in identity proofing such as biometrics and smartphone technologies are enabling organizations to deliver KYC effectively by offering a quick, frictionless, and secure identity proofing environment.

Setting the scene

In the post-pandemic business world, digital identities have become even more important in the context of remote interactions, especially if we consider trends like working from home, branchless services and touchless journeys. The proliferation of digital identities has been enabled by the ubiquitous smartphones, and the casually enrolled “social logins” with little to no identity vetting.

Although authentication technology has come a long way, identity verification is still at the verge of “crossing the chasm.” Identity document verification is reaching a maturity level, supporting unsupervised and real time proofing. Data aggregation verification is gaining traction, while biometrics are intuitively replacing passwords.

Finally, in the sector of identity proofing one needs to consider the unique place of physical identity documents, since almost everyone has one issued by local governments, which provides credence, while these documents offer a reference for facial biometrics.

Identity verification is widely applicable across many use cases and markets, including:

  • Touchless and biometric passenger verification for air travels
  • Premium automotive apps
  • Remote check-ins at hotels
  • Registration and medical data access in healthcare
  • Enrolment and remote access to government services such as social security, tax, etc.
  • Secure online services for retailers

The user identity verification journey

When citizens are presenting a physical identification document, like a passport, to an authority, the following steps take place:

1. The document is automatically captured using AI-based identity detection or NFC reading.

2. Passive liveness detection and selfie capture checks whether the individual is alive or not.

3. The document is verified by checking the embedded security features.

4. Finally, a facial verification takes place by matching the identity portrait with a live selfie.

Although technology has automated the identity proofing process for in-person verifications, the key question is how to provide a seamless, frictionless process in a remote identity verification setting. Relying parties need to have confidence on the verification of the presented identity document without harming the experience and consuming the time and effort of the end user.

This is where identity proofing solutions come in handy; they try to alleviate the workload of law enforcement authorities at the border or at the airports for confidently verifying the physical identity of any citizen.

Threats to identity verification

One of the key aspects of remote identity proofing is not only to verify the authenticity of the document, but also to check that the person presenting the document is the right holder. This is particularly important considering the sophistication of identity verification frauds, which include:

  • Presentation attacks, where the attacker creates spoofs or fakes by targeting the video camera.
  • Deep fakes and photo morphing
  • Video injection and replay attacks

Considerations for a reliable remote identity verification

When designing and implementing a dependable and effective remote identity proofing system, there are certain considerations to be acknowledged.

From the point of the end user, the system needs to be:

  • Fast, with minimum waiting and a frictionless process flow.
  • Convenient, offering intuitive user interface and a great user experience.
  • Privacy preserving, with clear data usage and protection requirements.
  • Fraud resilient, to instill confidence in the process and minimize false positive failures.

At the same time, the relying party and law enforcement authority needs:

  • Performance, to fulfill the proof of big volume of identities with high availability, speed and accuracy.
  • Cost effectiveness.
  • Integration with current infrastructure, flexibility and scalability to accommodate future requirements.
  • Compliance with current regulatory regime, certified in accordance with established criteria for data privacy protection.

To ensure meeting these considerations, a remote identity proofing system must be based on three pillars:

  • Trust to ensure transparent data management of where and how personal data is processed and stored.
  • Robust security checks on visual elements and data integrity, strong detection of tampering and presentation attacks, supported by a multi-layered cybersecurity strategy.
  • Security and privacy by design to meet regulatory and compliance requirements such as GDPR, CCPA, ANSSI Remote Identity Proofing Service Provider and ETSI Specifications.

As digital identities proliferate in the post-pandemic environment, the ability to proof remotely physical identities has become of critical importance. Technology advances have enabled the emergence of software solutions that facilitate a smother and more reliable identity proofing while mitigating threats like deep fakes or presentation attacks.

Dive deeper into Identity Proofing technologies, in our new webcast.