The Spectrum Of Identity Assurance
In today’s digital landscape, organizations face the critical challenge of ensuring online users are genuinely who they claim to be. Robust identity verification processes are essential across industries to prevent fraud, protect sensitive data, and maintain digital ecosystem integrity.
To address these challenges, we developed the three-part Spectrum of Identity Assurance series. This comprehensive guide provides insights to help organizations select appropriate assurance levels for various use cases when designing and implementing identity verification processes.
By understanding the spectrum of identity assurance, businesses can strike the right balance between security, usability, and compliance – fostering user trust while mitigating identity fraud risks.
Download The Spectrum Of Identity Assurance Report Series
This comprehensive guide is divided into three downloadable papers, each focusing on a crucial aspect of the identity verification landscape:
Paper 1: Spectrum of Identity Proofing
This paper focuses on the initial establishment of trust during the onboarding process, and explores the various methods and technologies available for remote identity proofing, including database verification, biometric verification, and document verification. It discusses the strengths and limitations of each approach and provides guidance on selecting the appropriate level of assurance based on the specific use case and risk profile.
Paper 2: Spectrum of Authentication
Building upon the foundation of identity proofing, this paper delves into the ongoing authentication of users throughout their journey with an organization. It examines the different authentication factors, such as knowledge-based, possession-based, and inherence-based factors, and discusses how they can be combined to create strong and resilient authentication schemes. The paper also explores emerging technologies, such as passwordless authentication and continuous authentication, and their potential to enhance security and user experience.
Paper 3: Spectrum of Biometrics
The final paper in the series takes a deeper dive into the use of biometric technologies for identity verification and authentication. It examines various biometric modalities, including face, fingerprint, and palm biometrics, and discusses their strengths, limitations, and potential applications. The paper also addresses important considerations surrounding their development, deployment, data privacy, security, and user acceptance.
By understanding the spectrum across these three papers, organizations can make well-informed decisions when designing and implementing secure, user-friendly identity verification processes tailored to their specific needs.
Spectrum of Identity Assurance Content Hub: What’s This Page About?
While the three-part Spectrum of Identity Assurance paper series provides a comprehensive overview, some technical topics require more in-depth exploration. To ensure both breadth and depth of coverage, we’ve created this dedicated webpage.
Here, you’ll find expanded sections that dive into the intricate details and nuances of various identity verification technologies, methods, and processes. This allows us to provide a thorough yet accessible resource – giving you the option to read the high-level concepts in the main papers or explore the finer technical points as needed.
On this page, you can expect to find detailed breakdowns, illustrative examples, and deeper analysis.
Paper 1 (Spectrum Of Identity Assurance) Topics
What Is Identity Proofing?
Identity Proofing is the process of establishing and verifying the identity of an individual, ensuring that they are who they claim to be. It involves collecting and evaluating various pieces of evidence, such as government-issued identification documents, biometric data, or personal information, to determine the authenticity and legitimacy of the claimed identity. The goal of identity proofing is to mitigate the risk of fraud, prevent unauthorized access to sensitive information or systems, and establish a reliable and trustworthy link between a real-world identity and a digital or online persona. Identity proofing is a crucial step in many onboarding processes, particularly in industries with strict regulatory requirements, such as financial services, healthcare, and government.
What Is Identity Verification?
Identity Verification is the act of confirming that an individual is indeed who they claim to be. It is a subset of the identity proofing process and focuses on validating the information provided by the individual against reliable and authoritative sources. Identity verification involves checking the authenticity and validity of identity documents, comparing biometric data, or verifying personal information against trusted databases. The purpose of identity verification is to ensure that the claimed identity is genuine, up-to-date, and belongs to the person presenting it. This process helps prevent identity fraud, unauthorized access, and other security risks associated with false or stolen identities. Identity verification is an essential component of various business processes, such as customer onboarding, access control, and transaction authentication.
What is Remote Onboarding?
Remote Onboarding refers to the process of enrolling and integrating a new user, customer, or employee into an organization’s systems and services without requiring their physical presence. It enables individuals to complete the necessary registration, authentication, and verification steps remotely, typically through digital channels such as websites, mobile applications, or video conferencing. Remote onboarding has gained significant importance in recent years, driven by the increasing digitalization of services and the need for convenient and accessible solutions. It allows organizations to expand their reach, improve user experience, and streamline their onboarding processes. However, remote onboarding also presents unique challenges, particularly in terms of identity proofing and verification, as it relies on digital methods to establish trust and mitigate fraud risks. Organizations must implement robust remote onboarding solutions that balance security, compliance, and user experience to ensure the integrity and reliability of the process.
Obtaining Evidence
This step involves collecting relevant evidence from the individual to support their claimed identity. Evidence can include government-issued documents, such as passports or driver’s licenses, as well as digital evidence like utility bills or bank statements.
Checking Evidence Validity
Once the evidence is obtained, it must be validated to ensure its genuineness and authenticity. This involves examining the security features of physical documents, verifying the integrity of digital evidence, and checking against authoritative sources for lost, stolen, or expired documents.
Confirming the claimed identity’s existence over time
To mitigate the risk of synthetic identities, organizations should confirm that the claimed identity has existed over a period of time. This can be done by checking for a history of interactions with other organizations or through electronic footprint analysis.
Database Validation (Medium-High Security)
- Example: During the onboarding process for a financial service, the user’s provided information, such as name, address, and date of birth, is cross-referenced against trusted databases like credit bureaus, government records, and utility providers. The system validates the accuracy and consistency of the information across multiple sources to establish the existence of the identity.
- Security – Medium: Database validation offers a medium level of security by validating user information against reliable third-party sources. It can be performed entirely online, streamlining the identity-proofing process and reducing manual intervention. When combined with other verification methods, it provides a comprehensive view of an individual’s identity.
- Usability – High (for users with established credit/digital history). However, database validation may not be suitable for users with limited credit history or digital footprint, such as younger individuals or recent immigrants. Its effectiveness relies on the accuracy and security of the accessed databases, and incomplete, outdated, or compromised data can lead to false rejections or potential identity fraud.
Biometric Verification (Medium-High Security)
- Examples: Facial (High), fingerprint scanning (High). During the onboarding process for a mobile banking app, the user is asked to take a selfie and capture a photo of their government-issued ID document. The app uses facial biometrics to match the user’s selfie with the photo on the ID document to verify their identity. While biometric verification can be done using fingerprints, this method is not widely used as fingerprints are not prevalent as a comparator. For example, in a biometric passport, fingerprints are either not present or stored in a location only accessible to the government. Therefore, facial biometrics are considered the most accessible and convenient biometric modality.
- Establishes a strong link between a real identity and a digital identity – essential for mobile Driving Licenses (mDLs) and electronic Identities (eID) as well as mobile wallets.
- Levels of assurance vary based on technology and anti-spoofing measures
- Usability – High
Document Verification (Medium-High Security)
- Examples: NFC-based verification of ePassports and optical verification of identity documents. A financial institution requires new customers to provide a copy of their government-issued ID document (e.g., passport or driver’s license) during the onboarding process. The institution uses automated document verification technology to check the authenticity and validity of the ID document.
- Provides a high level of assurance by verifying the authenticity of government-issued documents
- Adoption varies by geography based on document security features (e.g., NFC availability)
- Usability – Medium
More on OCR and NFC
Optical Character Recognition (OCR):
- Security Level: Low to Medium – OCR can automate the process of extracting text from captured images of identity documents. Its accuracy and reliability depend on several factors. The quality of the captured image plays a crucial role in the success of OCR. Low-quality images, such as those with poor lighting, blur, or glare, can significantly impact the accuracy of the extracted text. Additionally, OCR may struggle with different fonts, handwriting styles, or languages, leading to potential errors or inaccuracies in the extracted data. These limitations can result in false positives or false negatives during the identity verification process, compromising the overall security.
- OCR technology alone does not verify the authenticity or integrity of the identity document itself. It simply extracts the text from the image without assessing the document’s security features or detecting potential forgeries. Therefore, it should be used in combination with other verification methods, such as document authentication techniques or biometric comparison, to enhance the overall security of the identity verification process.
- Accessibility and Inclusion: High – OCR can be performed on a wide range of identity documents, including passports, driver’s licenses, national ID cards, and other government-issued identification. This versatility makes OCR accessible to users with various types of identification, regardless of their country of origin or the specific document type they possess.
- OCR does not require specialized hardware or equipment, making it highly accessible to a broad user base. It can be easily integrated into mobile applications or web-based platforms, allowing users to capture images of their identity documents using their smartphone cameras or scanners. This eliminates the need for users to physically present their documents or visit a specific location for verification, enhancing the convenience and accessibility of the process. OCR is performed using natural light, though document verification with specialist equipment in a physical location can support tri-light checks which a smartphone cannot.
Near-Field Communication (NFC) Chip Reading:
- Security Level: High – Modern passports and some national ID cards are equipped with embedded NFC chips that store cryptographically signed data. This data typically includes the document holder’s personal information, biometric data (such as a facial image or fingerprints), and digital security features. The cryptographic signing of the data ensures its integrity and authenticity, making it highly resistant to tampering or forgery attempts.
- When an NFC-enabled device, such as a smartphone or a dedicated NFC reader, is brought into close proximity to the document’s NFC chip, it can securely read the stored data. The device can then verify the cryptographic signature using the issuing authority’s digital certificates, ensuring that the data originated from a trusted source and has not been altered. This process provides a strong assurance of the document’s genuineness and the identity of the document holder.
- NFC chip reading also enables the verification of additional security features, such as active authentication, which proves that the chip itself is genuine and not a cloned copy. This further enhances the security of the identity verification process, making it extremely difficult for fraudsters to create counterfeit documents with functional NFC chips.
- Accessibility and Inclusion: Low to Medium – While NFC chip reading offers a high level of security, its accessibility and inclusion may be limited due to several factors. One major constraint is the requirement for specialized hardware to read NFC chips. Not all smartphones or devices are equipped with NFC capabilities, and dedicated NFC readers may not be widely available or affordable for all users. This limits the accessibility of NFC-based identity verification to those who possess compatible devices or have access to the necessary hardware.
- Additionally, the adoption of NFC chips in identity documents varies across countries and regions. While some countries, such as many European nations, have fully implemented NFC chips in their passports and national ID cards, others have not yet adopted this technology. This lack of standardization limits the global accessibility and inclusivity of NFC-based identity verification.
- Risk assessment: This involves evaluating the potential risks and impacts of identity fraud for each specific use case. By understanding the level of risk associated with different scenarios, organizations can make informed decisions about the level of assurance required to mitigate those risks effectively.
- Regulatory compliance: Many industries, such as financial services, have strict regulations and guidelines that must be adhered to, such as Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. Organizations must ensure that their chosen level of assurance meets or exceeds these regulatory standards to avoid potential legal and financial repercussions.
- User experience: While implementing high levels of assurance is essential for security purposes, it is equally important to balance this with usability and user demographics. A solution that is too cumbersome or time-consuming may lead to user frustration and abandonment. Therefore, organizations should strive to find a level of assurance that provides robust security while minimizing friction and encouraging user adoption.
- Cost implications of implementing and maintaining: Higher levels of assurance often require more advanced technologies, specialized hardware, and ongoing maintenance, which can result in increased costs. Organizations must carefully evaluate the implementation and ongoing costs associated with each level of assurance and weigh them against the benefits and risk mitigation they provide.
Bank Auth Verification
- Bank Auth verification, also known as bank account verification or bank account authentication, is a process that confirms the ownership and validity of a user’s bank account. This method typically involves the user providing their online banking credentials or account details, which are then securely verified with the respective bank. Bank Auth verification offers a high level of assurance, as it establishes a strong link between the user’s identity and their financial institution.
- One of the key advantages of Bank Auth verification is its ability to leverage the existing trust and security measures implemented by banks. Financial institutions have stringent Know Your Customer (KYC) and Anti-Money Laundering (AML) procedures in place, which means that a successful Bank Auth verification can provide a high degree of confidence in the user’s identity. Additionally, this method can be performed entirely online, making it convenient for users and reducing friction in the identity-proofing process.
- However, Bank Auth verification also has its limitations. Some users may be hesitant to share their online banking credentials due to security concerns, which can lead to user drop-off. Moreover, the success of this method relies on the user having an existing bank account and the willingness of the bank to participate in the verification process. Despite these challenges, Bank Auth verification remains a valuable tool in the identity-proofing ecosystem, particularly when used in conjunction with other verification methods to create a robust, multi-layered approach to identity assurance.
Government-issued Identity
- Security Level: High – Verifying user-provided information against government-issued identity databases, such as those maintained by the Department of Motor Vehicles (DMV) or the Social Security Administration (SSA), offers a high level of security. These databases contain records that have undergone thorough identity verification processes and are regularly updated, making it difficult for fraudsters to create fake identities or impersonate others.
- Accessibility and Inclusion: Medium – While government-issued identity databases are comprehensive and cover a wide range of the population, some individuals may face challenges in being successfully verified against these databases. This can be due to various reasons, such as inconsistencies in personal information, recent changes in name or address, or limited interaction with government agencies. Additionally, certain marginalized groups or individuals with unique circumstances may encounter difficulties in being accurately represented in these databases.
Credit Bureau
- Security Level: Medium to High – Verifying user-provided information against credit bureau databases offers a medium to high level of security. Credit bureaus maintain extensive records of individuals’ financial histories, including credit accounts, payment histories, and public records. These databases are regularly updated and can help identify inconsistencies or red flags in a user’s provided information. However, the security level of credit bureau database verification depends on the accuracy and completeness of the records maintained by the credit bureaus and the possibility of identity theft or fraud.
- Accessibility and Inclusion: Medium – Credit bureaus generally have very high population coverage, but within that, they may have “thin-file” users. A thin-file user is someone who has a limited credit history, which can be problematic for credit scoring, verification using Knowledge-Based Verification (KBV), and fraud-risk indicators (e.g., evidence of activity over time). While credit bureaus’ coverage is usually high for validating an identity, it can suffer from lag because they are reliant on source data to be updated.
- Additionally, some individuals may have limited access to credit due to socioeconomic factors, which can further impact the inclusiveness of credit bureau database verification. Young adults who have not yet established a credit history, recent immigrants who have not had the opportunity to build a credit profile in the new country, or individuals who primarily rely on cash transactions may have limited or no presence in credit bureau databases. This can result in challenges when attempting to verify their identities using credit bureau data alone.
Utility bill
- Security Level: Low to Medium – Verifying user-provided information against utility bill databases offers a low to medium level of security. While utility bills can provide proof of address, the databases that store this information may not have the same level of security and accuracy as government-issued identity or credit bureau databases. Utility bill databases may be more susceptible to errors, outdated information, or fraudulent entries. Additionally, utility bills themselves can be relatively easy to forge or manipulate, which can compromise the security of the verification process. The security level can be enhanced by cross-referencing information from multiple utility bills or combining utility bill verification with other verification methods.
- Accessibility and Inclusion: Low – Utility bill database verification may not be as accessible or inclusive as previously thought. Household bills tend to be addressed to a named individual, which means that anyone else in the household may be excluded from this verification method. This is not limited to college students living in dormitories; many rented properties have utility bills in the landlord’s name, whether the utilities are included in the rent or paid separately by the tenant. Even mobile phone contracts don’t necessarily tie to the end-user, as in the case of parents paying for their children’s bills.
- In these situations, utility bill database verification may not be a viable option for a significant portion of the population. This can result in challenges when attempting to verify the identities of individuals who do not have utility bills in their name. Furthermore, homeless individuals or those in transitional housing may lack access to utility bills altogether, further limiting the accessibility and inclusiveness of this verification method. To ensure accessibility and inclusion for all users, alternative verification methods may need to be considered in conjunction with or as a replacement for utility bill database verification.
Electoral Roll
- Security Level: Medium – Verifying user-provided information against electoral roll databases offers a medium level of security. Electoral rolls contain information about registered voters, including their name, address, and date of birth, which can be used to corroborate a user’s identity. However, the accuracy and completeness of electoral roll databases may vary, depending on the frequency of updates and the efficiency of the voter registration process. In some cases, electoral rolls may not include all eligible individuals, such as those who have recently turned 18 or those who have not actively registered to vote. Additionally, the security of electoral roll databases may be subject to the same vulnerabilities as other government databases, such as the potential for data breaches or unauthorized access.
- Accessibility and Inclusion: Low to Medium – Access to electoral roll data is often restricted, which can limit the accessibility and inclusiveness of this verification method. In some countries, such as the United Kingdom, the unedited version of the electoral roll is only accessible to prescribed organizations, such as Credit Bureaus. This means that many organizations may not have direct access to the full electoral roll database, reducing the overall accessibility of this verification method.
- Furthermore, there are certain groups of individuals who may be excluded from electoral roll databases, even in countries where voter registration is mandatory or widely encouraged. For example, individuals who are not registered to vote, either by choice or due to eligibility restrictions, will not be present in the electoral roll. Similarly, those who have recently moved or changed their address may not have updated their voter registration, leading to discrepancies in the verification process. In some countries, certain marginalized groups may face barriers to voter registration, which can further limit the inclusiveness of electoral roll database verification.
Mobile Network Operator (MNO)
- Security Level: Medium – MNOs collect and store identity information provided by individuals during SIM card registration, including name, address, and (in some countries) government-issued identification details. This data can be used to corroborate a user’s identity during the verification process. However, the security level of MNO database verification depends on the accuracy and reliability of the MNO’s data collection and verification processes. In some cases, the identity information associated with a mobile phone number may be outdated, inaccurate, or incomplete, especially if the SIM card was registered a long time ago or if the user has changed their personal details without updating their MNO records. Additionally, the security of MNO databases may be subject to compromise, potentially undermining the integrity of the verification process.
- Accessibility and Inclusion: High – With the widespread adoption of mobile phones, MNO verification is highly accessible to a large portion of the population. However, it may exclude individuals who do not own a mobile phone or those who use prepaid services without providing detailed personal information.
Optical Character Recognition (OCR)
- Security Level: Low to Medium – OCR relies on the quality of the captured image and the accuracy of the text recognition algorithms. While it can extract data from identity documents, it does not inherently verify the authenticity of the document itself. OCR can be susceptible to errors and may not detect sophisticated forgeries or manipulations of the document’s text.
- User Accessibility: High – OCR technology is widely available and can be integrated into various user-facing applications, such as mobile apps or web-based services. Users can easily capture images of their identity documents using smartphones or other devices, making the process convenient and accessible.
- Operator Accessibility: High – OCR technology is relatively easy to implement and operate, with numerous off-the-shelf solutions and APIs available. Operators can integrate OCR capabilities into their existing systems without requiring extensive specialized knowledge or resources.
Near-Field Communication (NFC) Chip Reading
- Security Level: High – NFC chips in modern passports and some national ID cards store cryptographically signed data, including personal information, biometric data, and digital security features. This cryptographic signing ensures data integrity and authenticity, making it highly resistant to tampering or forgery. NFC-enabled devices can securely read the data and verify the cryptographic signature, providing strong assurance of the document’s genuineness and the holder’s identity. Additional security features like active authentication further enhance the security of the verification process.
- User Accessibility: Low to Medium – NFC chip reading requires specialized hardware, such as NFC-enabled smartphones or dedicated readers, which may not be widely available or affordable for all users. Moreover, the adoption of NFC chips in identity documents varies across countries, limiting global accessibility and inclusivity.
- Operator Accessibility: Low to Medium – Implementing NFC chip reading requires specialized hardware and software components, which may not be as widely available or cost-effective compared to other document verification technologies. Extracting and processing NFC chip data also requires specific technical knowledge and expertise, potentially limiting accessibility for operators with limited technical resources.
Machine Readable Zones (MRZ) reading
- Security Level: Medium – MRZ is a standardized format that includes error detection mechanisms, making it more reliable than plain text recognition. However, MRZ data can be copied or altered, and the presence of a valid MRZ does not guarantee the authenticity of the entire document.
- User Accessibility: High – Similar to OCR, MRZ reading can be easily performed using readily available devices such as smartphones or dedicated document scanners. Users can capture images of the MRZ on their identity documents without requiring specialized equipment.
- Operator Accessibility: High – MRZ reading technology is widely supported and can be integrated into various systems and applications. Operators can leverage existing libraries and tools to implement MRZ reading capabilities without significant complexity or cost.
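The error-detection mechanism mentioned above is the ICAO Doc 9303 check digit. The following is an added example, not code from the original page: it recomputes the check digits of a two-line passport (TD3) MRZ and reports which fields fail. The function names are this example's own, and the sample is the widely published ICAO specimen for the fictional state "UTO", with one deliberately introduced OCR misread.

```python
"""Check-digit validation for a TD3 (passport) MRZ, following ICAO Doc 9303."""

DIGITS = "0123456789"
WEIGHTS = (7, 3, 1)  # repeating weights defined by ICAO Doc 9303


def char_value(ch: str) -> int:
    """Map an MRZ character to its value: 0-9, A-Z -> 10-35, filler '<' -> 0."""
    if ch in DIGITS:
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not allowed in an MRZ")


def check_digit(field: str) -> int:
    """Weighted sum of the field's character values, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def field_ok(field: str, stored: str, optional: bool = False) -> bool:
    """Compare the recomputed check digit with the one printed in the MRZ.

    An unused optional field (all fillers) may carry '<' instead of a digit.
    """
    if optional and stored == "<" and set(field) == {"<"}:
        return True
    return len(stored) == 1 and stored in DIGITS and check_digit(field) == int(stored)


def validate_td3(line1: str, line2: str) -> dict:
    """Return {field name: True/False} for every check digit in a TD3 MRZ."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("a TD3 MRZ has two lines of exactly 44 characters")
    for ch in line1 + line2:
        char_value(ch)  # rejects characters outside the MRZ alphabet
    # The composite digit covers the three main fields, the optional field
    # and their individual check digits.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    return {
        "document_number": field_ok(line2[0:9], line2[9]),
        "date_of_birth": field_ok(line2[13:19], line2[19]),
        "date_of_expiry": field_ok(line2[21:27], line2[27]),
        "personal_number": field_ok(line2[28:42], line2[42], optional=True),
        "composite": field_ok(composite, line2[43]),
    }


def failed_fields(line1: str, line2: str) -> list:
    """Names of the fields whose check digit does not match."""
    return [name for name, ok in validate_td3(line1, line2).items() if not ok]


# Sample data: ICAO specimen MRZ (fictional issuing state "UTO").
SPECIMEN_L1 = "P<UTOERIKSSON<<ANNA<MARIA" + "<" * 19
SPECIMEN_L2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed misread: the digit 0 in the document number read as the letter O.
OCR_MISREAD_L2 = SPECIMEN_L2[:5] + "O" + SPECIMEN_L2[6:]

if __name__ == "__main__":
    print("specimen failures:", failed_fields(SPECIMEN_L1, SPECIMEN_L2))
    print("misread failures: ", failed_fields(SPECIMEN_L1, OCR_MISREAD_L2))
    # A clean result means the MRZ was read consistently. The check digits are
    # an unkeyed checksum, so it says nothing about whether the document is
    # genuine; that needs chip signature or security-feature checks.
```

A failure here is a reason to re-capture the image; a pass is only the precondition for the authenticity checks the page describes under NFC chip reading and visual security feature validation.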
Barcode reading
- Security Level: Low to Medium – Barcodes can store encoded data, but they do not inherently provide strong security features. Barcodes can be easily replicated or manipulated, and the presence of a valid barcode does not ensure the authenticity of the entire document.
- User Accessibility: High – Barcode reading is a common technology. Users can easily scan barcodes on their identity documents without requiring specialized equipment or technical knowledge.
- Operator Accessibility: High – Barcode reading technology is extensively supported and can be readily integrated into various systems and applications. Operators can utilize existing libraries and tools to implement barcode reading capabilities with minimal effort and resources.
QR code reading
- Security Level: Low to Medium – QR codes can store more data than traditional barcodes, but they face similar security limitations. QR codes can be easily generated or manipulated, and the presence of a valid QR code does not guarantee the authenticity of the entire document.
- User Accessibility: High – QR code reading is widely supported by smartphones and other common devices. Users can easily scan QR codes on their identity documents using readily available apps or built-in camera functionality.
- Operator Accessibility: High – QR code reading technology is extensively supported and can be easily integrated into various systems and applications. Operators can leverage existing libraries and tools to implement QR code reading capabilities without significant complexity or resource requirements.
Mobile document verification (this method is implemented in mobile Driving License (mDL), eID (electronic Identification), and other Wallets, such as Google and Apple)
- Security Level: Medium to High – Mobile document verification leverages the security features built into mobile devices and digital wallets, such as secure element storage and biometric authentication. The digital documents themselves can incorporate cryptographic signatures and other security measures, enhancing their resistance to tampering or forgery.
- User Accessibility: High – Mobile document verification allows users to store and present their digital identity documents using their smartphones or other mobile devices. This provides a convenient and readily accessible method for users to manage and share their identity credentials.
- Operator Accessibility: Medium to High – Implementing mobile document verification requires integration with mobile platforms and digital wallet providers. While there are established frameworks and APIs available, operators may need to invest in development resources and ensure compatibility with various mobile devices and operating systems.
Visual Security Feature Validation
- Security Level: Medium to High – Visual security features, such as holograms, micro-printing, and UV patterns, are designed to be difficult to replicate or manipulate. Validating these features can help detect counterfeit or altered documents, providing an additional layer of security beyond data extraction alone.
- User Accessibility: High – Visual security feature validation can be performed using high-resolution cameras on smartphones or other readily available devices. Users can capture images of their identity documents without requiring specialized equipment or technical expertise.
- Operator Accessibility: Medium to High – Implementing visual security feature validation requires computer vision algorithms and machine learning models trained to recognize and validate specific security features. While there are existing solutions and frameworks available, operators may need to invest in developing or adapting these models for their specific use cases.
Facial image extraction
- Security Level: Medium to High – Facial image extraction allows for biometric comparison between the image on the identity document and a live selfie or previously enrolled image of the user. This helps establish a strong link between the document and the individual claiming the identity, reducing the risk of impersonation or fraud. Security levels depend on the performance of the facial biometric technology used.
- User Accessibility: High – The decision to create a biometric template for ongoing and wider uses with verified organizations is at the discretion of the individual. Users can easily capture images of their identity documents and provide live selfies for comparison, making the process convenient and accessible.
- Operator Accessibility: Medium to High – Implementing facial image extraction requires computer vision algorithms and facial biometric technology. While there are various available solutions, operators may need to invest in developing or integrating these capabilities into their systems. Ensuring the accuracy, fairness, and legal compliance of facial biometric technology can also add complexity to the implementation process.
Ultimately, these methods and technologies can be used independently or in various combinations, depending on the type of identity document being verified and the specific requirements of the verification process. Organizations typically choose the most appropriate combination based on factors such as security level, user experience, and the types of identity documents they need to support.
Fingerprint biometrics
- Security Level: Medium – Fingerprints are unique to individuals and difficult to spoof, but they can be compromised if stolen from a database or replicated with high-resolution images or fake fingerprints.
- Accessibility and Inclusion: Medium – Fingerprint sensors are widely available on smartphones, making them accessible to many users. However, some individuals may have difficulty using fingerprint scanners due to skin conditions, injuries, or worn fingerprints.
Facial biometrics
- Security Level: High – Advanced algorithms, 3D mapping, and challenge-response mechanisms make it difficult to spoof facial biometrics. However, the security level can be lower if these advanced features are not implemented.
- Accessibility and Inclusion: High – Faces appear on most government-issued identity documents, such as passports, which makes it easy to link identity proofing to the user's face. Facial biometric verification is contactless and can be used with existing cameras, making it highly accessible. It can accommodate users with mobility impairments or those who cannot use other biometric modalities, such as fingerprints.
Palm biometrics
- Security Level: High – Palm vein patterns are unique, difficult to spoof, and remain stable over time. The combination of palm veins and palm prints provides a robust security solution.
- Accessibility and Inclusion: Medium – Palm biometric scanners are less commonly available than fingerprint sensors or cameras and are not tied to government-issued identity documents. Some users may require training to properly position their palm on the scanner. However, more recent research and development has emerged that enables users to capture a palm image with the camera on their smartphone.
Additional considerations
- Accuracy and bias: Biometric algorithms may exhibit varying levels of accuracy and bias based on factors such as age, gender, and ethnicity. Organizations should carefully evaluate the performance of their chosen solution across diverse demographic groups to ensure fairness and minimize false positives or negatives.
- Privacy concerns: The collection, storage, and use of biometric data raise significant privacy concerns, as it is highly sensitive and cannot be easily changed if compromised. Organizations must adhere to strict data protection regulations and best practices, such as obtaining explicit user consent, implementing secure storage and transmission methods, and defining clear data retention and deletion policies.
- Threat Landscape: While biometric techniques aim to mitigate the risk of presentation attacks (e.g., using photos, videos, or masks), sophisticated adversaries may still attempt to deceive the system using high-quality spoofs or advanced digitally altered media (such as face swaps). Organizations should stay informed about the latest threats and continuously update their anti-spoofing measures to maintain a high level of security.
We will cover more on biometrics in paper 3 of the Spectrum of Identity – Biometric Technologies.
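One way to run the per-group evaluation described under "Accuracy and bias" above, as an added example that is not part of the original report. The trial data, group labels, threshold, and the names `error_rates_by_group` and `flag_disparities` are assumptions; false positives and false negatives are expressed here as false match rate (FMR) and false non-match rate (FNMR).

```python
from collections import defaultdict

# Constructed comparison trials: (demographic_group, is_genuine_pair, similarity_score).
# Group labels, scores and the threshold are illustrative, not measured data.
TRIALS = [
    ("A", True, 0.91), ("A", True, 0.85), ("A", True, 0.78), ("A", True, 0.66),
    ("A", False, 0.12), ("A", False, 0.30), ("A", False, 0.41), ("A", False, 0.55),
    ("B", True, 0.88), ("B", True, 0.72), ("B", True, 0.58), ("B", True, 0.49),
    ("B", False, 0.20), ("B", False, 0.35), ("B", False, 0.62), ("B", False, 0.44),
    ("C", True, 0.80), ("C", True, 0.57),  # no impostor trials collected for C
]

def error_rates_by_group(trials, threshold):
    """Per group: false match rate (impostor accepted) and false non-match
    rate (genuine user rejected). A rate is None when the group has no
    trials of that kind, so missing data is never reported as a 0% error."""
    counts = defaultdict(lambda: {"genuine": 0, "impostor": 0, "fm": 0, "fnm": 0})
    for group, is_genuine, score in trials:
        c = counts[group]
        accepted = score >= threshold
        if is_genuine:
            c["genuine"] += 1
            c["fnm"] += not accepted
        else:
            c["impostor"] += 1
            c["fm"] += accepted
    return {
        g: {
            "fmr": c["fm"] / c["impostor"] if c["impostor"] else None,
            "fnmr": c["fnm"] / c["genuine"] if c["genuine"] else None,
        }
        for g, c in counts.items()
    }

def flag_disparities(rates, metric, max_gap):
    """Groups whose rate exceeds the best-performing group's by more than max_gap."""
    measured = {g: r[metric] for g, r in rates.items() if r[metric] is not None}
    if not measured:
        return []
    best = min(measured.values())
    return sorted(g for g, v in measured.items() if v - best > max_gap)

if __name__ == "__main__":
    rates = error_rates_by_group(TRIALS, threshold=0.60)
    for group in sorted(rates):
        print(group, rates[group])
    print("FNMR outliers:", flag_disparities(rates, "fnmr", max_gap=0.10))
    print("FMR outliers:", flag_disparities(rates, "fmr", max_gap=0.10))
```

A group reported as `None` needs more trials before any fairness conclusion is drawn, which is why it is excluded from the outlier comparison rather than treated as error-free.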
- Conduct a thorough risk assessment: Before implementing an identity proofing solution, organizations should assess the risks associated with their specific use cases. This includes evaluating the potential impact of identity fraud, the sensitivity of the data or services being accessed, and the regulatory requirements. The risk assessment helps determine the appropriate level of assurance needed.
- Balance security, compliance, user experience, and cost: Identity proofing solutions should strike a balance between security, regulatory compliance, user experience, and cost considerations. While robust security measures are essential, they should not come at the expense of a seamless user experience. Organizations should also consider the cost implications of implementing and maintaining different identity verification technologies.
- Adopt a multi-layered approach: Combining multiple verification methods and technologies can enhance the overall assurance level. A multi-layered approach makes it more difficult for fraudsters to circumvent the identity proofing process and provides a more comprehensive view of an individual’s identity.
- Regularly review and update processes: Identity proofing processes should be regularly reviewed and updated to keep pace with evolving threats and technological advancements. Organizations should stay informed about emerging best practices, industry standards, and regulatory changes to ensure the ongoing effectiveness of their identity verification efforts.