Attacks, countermeasures and pulses of blood in remote identity proofing
The EU has produced a surprisingly readable summary of the status quo and future possibilities for remote identity proofing, from the technology to threats and defenses, drawing on desk research, surveys and interviews with researchers, technology providers and users. Despite advances in biometric technology, the report finds that human intervention is vital now and will remain so in the future.
“Remote Identity Proofing – Attacks & Countermeasures” by the European Union Agency for Cybersecurity, ENISA, examines the growing sector of remote identity proofing – the step before biometric identification and authentication which determines that there is a real person presenting themselves together with a real government-issued identity credential.
Remote identity proofing was already becoming more common as services went online and increasingly mobile, a trend accelerated by the COVID-19 pandemic, the report notes. The technology is also important for the EU and its bloc-wide eID project based on eIDAS regulation. Europeans should one day be able to use a digital identity to access government in any member state: “Remote identity proofing is a crucial element in creating trust for digital services.”
To this end, ENISA is producing regular papers on the area, such as “Remote ID Proofing: Analysis of Methods to Carry Out Identity Proofing Remotely” published in March 2021.
The latest report focuses on face biometrics spoofing via physical methods such as silicon masks and digital attacks such as deepfakes. It finds that a wide range of measures can be taken, from checks on the environment, to organizational projects, standardization and the ongoing need for human oversight for individual proofing sessions as well as to train the artificial intelligence that underpins automation.
Simple checks on the environment of a presentation, such as the user’s hardware, software and network, as well as video and audio quality, can significantly strengthen identity proofing. Using a dedicated application allows checks to determine that the device is a physical object and that the camera feed is being captured in real time. (Although firms such as Yoti are devising ways to make web-browser-based verification more secure when an app is not available.)
“The highest level of guarantee using a government-issued ID is represented by an electronic identity document equipped with an NFC chip,” states the report. The NFC chip contains the document data encrypted and digitally signed by the issuing state. If there is no NFC option, video-based verification of documents can be an alternative, but both options are only of any use if the proofing system is checking databases for credentials reported as lost or stolen.
However, even NFC security will eventually be compromised, according to the report, as advances in quantum computing will be able to foil the PKI used by NFC chips. Quantum-resistant algorithms need to be developed quickly.
Presentation attack detection (PAD) is going to be continuously challenged. 8K HDR screens are getting around screen detection, meaning 3D face detection and face liveness will need to become mainstream. For video, with software rendering for deepfakes advancing at pace, live video testing will also lose its edge.
Existing layers of security may also be under threat, such as flashing random colours onto the person undergoing proofing and their surroundings so that the camera picks up the reflections, the approach behind iProov’s successful Genuine Presence Assurance. “Some of the stakeholders consulted claim it is possible to generate semi-transparent colours instantly on the deepfake puppet, defeating this liveness method,” finds the report.
The majority of respondents involved in the report see deepfakes as the biggest threat to remote identity proofing.
To tackle these issues, other biometric checks could be introduced based on “involuntary human signals such as micro-movements and changes in the human face, eye movement, pupil dilation, micro-variation in the intensity of the skin colour given by the pulse of the blood and others.”
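As an added illustration of the last of those signals (this is not code from the ENISA report or from any provider named in the article), the Python below runs a minimal remote-photoplethysmography check: it takes the per-frame mean green-channel value of a skin region, looks for a dominant periodic component in the heart-rate band with a plain DFT, and contrasts a constructed live trace with a constructed pulse-free trace such as a printed photo or mask would produce. The frame rate, band limits, amplitudes, the 0.3 decision threshold and both traces are assumptions chosen for the example.

```python
import math
import random

FPS = 30.0               # frames per second of the constructed video feed
PULSE_BAND = (0.7, 3.0)  # plausible heart rates, 42 to 180 beats per minute

def dft_power(samples):
    """Power per DFT bin k=1..n//2-1 of the mean-removed signal (pure-Python O(n^2) DFT)."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    power = {}
    for k in range(1, n // 2):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        power[k] = re * re + im * im
    return power

def pulse_signal(samples, fps=FPS, band=PULSE_BAND):
    """(peak_hz, fraction): strongest in-band frequency and its share of total AC power."""
    n = len(samples)
    power = dft_power(samples)
    total = sum(power.values())
    in_band = {k: p for k, p in power.items() if band[0] <= k * fps / n <= band[1]}
    if total <= 0.0 or not in_band:
        return 0.0, 0.0
    k_peak = max(in_band, key=in_band.get)
    return k_peak * fps / n, in_band[k_peak] / total

def looks_alive(samples, fps=FPS, min_fraction=0.3):
    """Liveness verdict: one clearly dominant periodic component in the pulse band."""
    return pulse_signal(samples, fps)[1] >= min_fraction

def constructed_trace(seconds=10, fps=FPS, pulse_hz=None, seed=42):
    """Constructed per-frame mean green value of a cheek region: drift, flicker, noise, pulse."""
    rng = random.Random(seed)
    trace = []
    for i in range(int(seconds * fps)):
        t = i / fps
        v = 120.0 + 0.3 * math.sin(2 * math.pi * 0.1 * t)   # slow lighting drift
        v += 0.1 * math.sin(2 * math.pi * 8.0 * t)           # 8 Hz flicker
        v += rng.gauss(0.0, 0.1)                             # sensor noise
        if pulse_hz:
            v += 0.5 * math.sin(2 * math.pi * pulse_hz * t)  # blood-volume pulse
        trace.append(v)
    return trace

LIVE = constructed_trace(pulse_hz=1.2)    # live face at about 72 bpm
PHOTO = constructed_trace(pulse_hz=None)  # printed photo or mask: no pulse
```

Production systems band-pass filter the trace, average several skin regions and use longer windows; the single-bin power share here is the simplest form of the same idea, and a replayed video of a real face would still carry a pulse, which is why the report lists this signal alongside other checks rather than as a stand-alone defence.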
As well as technological approaches, organizational controls can help such as creating spoof and camera bypass bounty programs to reward those who find vulnerabilities. Another strand is the use of humans in the process.
“Although many have faith in technology and believe that having a fully automated process without human intervention will not be long in coming, humans are yet to remain in the loop,” states the report.
“Algorithms cannot understand and detect new fraud on their own and human action is required to assign the correct labels to new attacks. Therefore, humans are needed to clean and tag data enabling high quality training that will result in better performances and the mitigation of adversarial attacks.”
An issue already apparent, and one that could become more significant, is the difference in methods, such as biometric capture, between remote identity proofing providers. Differences in the number of video frames, for example, can appear subtle, but their effect on results can be huge.
“Establishing a secure standardised environment for remote identity proofing could mitigate the risks but also bring benefits to organisations including better compliance, greater customer reach, competitive advantages, streamlined secure onboarding processes, whilst protecting users and their assets,” finds the report.
While there are no harmonized certification schemes or benchmarks across Europe yet, certain member states have developed national standards. France has established the “Remote identity verification providers – Requirements Framework”, which stipulates minimum standards for video resolution and frame rate.