Combining biometrics with NFC for maximal trust
A better way to carry out identity verification is becoming available for a growing number of people as passports embedded with ICAO 9303-compliant NFC chips roll out around the world.
This evolution has prompted Inverid (the new name for Dutch tech company InnoValor) to combine NFC scanning with biometrics and the accompanying technologies that allow people to carry out this improved process for remote identity verification.
NFC provides certainty in document authenticity, Inverid Co-founder Wil Janssen explains in an interview with Biometric Update, while biometrics provides probabilistic certainty in verifications of the person holding the document. The strongest possible degree of trust, he says, is created by using them in combination.
Bringing certainty to remote identity
Government-issued ID documents are the basis for most identity checks that must meet regulatory standards, whether for crossing a border or performing know-your-customer checks to open a bank account. Chipped passports are the most secure documents available, and scanning the chip provides higher assurance of their authenticity than is possible through any other means, such as visual inspection.
Part of what makes these chipped documents so secure is the use of advanced cryptography to ensure that the chip cannot be scanned unless the passport is open to the page displaying the machine-readable zone.
“From those two or three lines our ReadID technology can compute the key to access the chip,” Janssen says. This ensures that scanning is always carried out with the cooperation of the passport bearer.
ReadID also ensures that the information scanned is correct. The data is checked against hash codes for manipulation, which Janssen says will not match if even a single piece of data or pixel in the facial image is changed. The authenticity of the passport and the data it holds is checked with the issuer using the country certificate.
“So we know the data is real, you collaborated with the check, it comes from an authentic country, and you also checked, with another more complicated protocol, that we did not scan a copy of the chip,” Janssen says.
Another popular method is optical verification of authenticity features. However, optical verification is vulnerable to manipulation, Janssen says. Inverid offers optical scanning through partners as a fallback for those without passports or ID cards, like the newest generation issued in EU countries, that can be scanned with NFC.
In contrast, the biometric data embedded in the chip prevents document fraud through presentation attacks.
“It was invented to be so secure that it would allow for self-service travel,” Janssen points out. He refers to the capability of smartphones equipped with Inverid’s ReadID software as “an e-gate in your pocket.”
Reinforcing one with the other
Optical scanning, or OCR, provides a probabilistic judgement about the veracity of the document and the data it holds, which, combined with another probabilistic judgement in the form of a biometric match, provides significantly lower assurance.
The technology used in document fraud has made fakes easier and more scalable to create. From synthetic identities to stolen personal information and presentation attacks with overlaid photos, there is a range of potential vulnerabilities that OCR systems are ineffective against. An accompanying face biometric check will not flag a match against a doctored photo as long as it matches the supposed face of the person holding the document.
“We get through some solutions with a printed stocking over your head,” Janssen reports. “If you see it as a person, it makes you laugh immediately, but algorithms often fall for it.”
Inverid provides liveness checks from leading biometrics vendors like iProov, with the distinctive flashing colored lights clearly visible in the demonstration performed by Janssen.
Regulators are catching on, Janssen notes. The Swiss Financial Market Supervisory Authority (FINMA) approved the use of NFC scanning instead of video verification or sending small payments as a means of increasing the assurance of online identification last year. In Austria, NFC scanning will be compulsory for online biometric KYC checks beginning on January 1, 2023. The UK’s HMLR has introduced a “safe harbour” provision for businesses facilitating property purchases in which the buyer’s identity is confirmed through NFC scanning.
“They are nudging, and sometimes it’s not even nudging, it’s kicking companies towards better means of identity verification,” Janssen says.
Implementations of ReadID allow customers to ingest, use and store the data that they need to carry out transactions, while Inverid forgets all end-user data.
“It’s their use case and their context that determines what is legitimate to use,” Janssen says. “What’s proportional, what’s allowed under GDPR or whatever privacy regulation you’re under.”
An OCR verification flow can be used as a fallback option, with Inverid recommending measures to mitigate the reduction in certainty compared to using NFC.
The growth of Inverid into a global identity verification provider is based on the immediate success of ReadID, and the path of expanded capabilities and applications it has gone through since. InnoValor Advice is continuing to provide its consultation services to the Dutch market.
“Our scope has broadened from just ReadID to the whole world of identity verification,” Janssen says.
Inverid is now ready to bring the certainty of NFC document scans to the biometric identity verification market.