This is the first part of the article our founder wrote even before this website launched. It briefly covers the identity verification process and what workflow helps achieve the proper protection level.
Remember the good old days? You asked the new customer to come by the office, grilled him with forms and signatures, and asked him to bring a passport to prove it was him. Research shows that the whole process could take several weeks. And yes, the good old days were just three years ago. But, unfortunately, the world changed us, so we also had to change.
Three years ago the world suddenly got much smaller. People were forced to work from home. People changed, and expectations changed too, so organizations had to adapt as well. The world also got more insecure: identity theft, fraud and scams are growing at an alarming rate.
So what to do?
“Seeking high confidence in the identity of customers continues to remain an imperative in the regulated and even in the non-regulated market. Identity proofing is the combination of activities during an interaction that brings an identity claim within organizational risk tolerances, such that:
- The real-world identity exists.
- The individual claiming the identity is, in fact, the true owner of that identity and is genuinely present during the process.”
Real-world identity exists!
When does a real-world identity exist? Luckily, there is a globally recognized standard for that, a standard also protected by local laws in 194 countries. Officially it’s called an MRTD (Machine Readable Travel Document); for us, the people, it’s a passport. More than 5.5 billion people carry around such an official identity document.
To distinguish real from counterfeit, these documents have security attributes. We all know some of them. It’s the coloring, the “dots,” lines, watermarks, and holograms. As an interesting test, take your passport and try to find these security attributes on it. Try to find at least 12 of them; most passports have more, but they are challenging to find.
Now imagine doing the same with a passport from a neighboring country! Now the fun starts. It’s getting more complex. Now do that for others as well. It’s getting more complicated. The number of possibilities is endless.
At the moment, we counted more than 20 million different passports that are valid and authentic. The devil is in the details, as we say.
So how do countries distinguish real from fake in the limited time they have? The answer is very simple. Since 2009, a passport must have a chip, the essential part of the E-Passport. This chip is protected and can be verified using NFC.
The chip’s content is protected using PKI technology: asymmetric cryptographic protection using two different keys, the so-called private and public keys. With PKI technology, it is possible to prove mathematically that a passport is authentic. The content is also protected against changes using PKI technology, so the integrity can also be verified.
The beauty of it is that it’s a global standard, protected in the local law of all 194 countries that recognize it. So this is the only security attribute on a passport and ID card that is protected by law and globally recognized!
There still is a challenge to solve. Every country has its own (PKI) signatures. So how do you know if a signature is authentic? You look it up and compare. When they are the same, you know the signature is genuine. Simple? Well, it depends.
Nowadays, the smartphone is the instrument of choice to authenticate an identity document.
You have two options.
The first one is, and most use this approach, to download the keys to the phone and let the app on the phone do the judging. Sounds simple? Well, ask yourself if you know what software is running on your client’s phone and what it is doing. Are you 100% sure you can trust that device? I guess not.
So you want to check it in an environment you trust. Well, again, if only it were that simple. The question remains: where did you get your keys from? They must also come from a trusted source, and for compliance purposes, you must always be able to prove your verified identities using trusted sources and processes. This standard for passports is called the Public Key Directory (PKD).
The second option is to use AI and make the machine hypothesize if the identity document is real or fake. Most suppliers use this approach.
Remember that there are more than 20 million different identity documents globally. Go to the supplier’s website and see how many documents they recognize. You would be surprised. Yes, a large part of the passports of one country look optically the same so that an AI can use that, but still 20 million!
The other thing is that AI never states a fact. It gives you an opinion. It’s an honest opinion, but still, it’s an opinion. When PKD is used, you can prove the identity document is authentic and not compromised by a mathematical method. It’s even protected against spoofing and copying.
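The check described above, run in an environment you trust with keys from a trusted source, looks like this as an added example (not code from the original article). The `Chip` layout, the `Issue`, `Verify` and `Anchors` names and the country code "XX" are hypothetical, the sample data is constructed, and Ed25519 stands in for whatever signature algorithm the issuing country uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)
// Chip is a constructed stand-in for what is read from the document over NFC.
type Chip struct {
	Country           string
	Data, DataHash    []byte            // holder data, and its hash as covered by DocSig
	SignerPub         ed25519.PublicKey // document signer's public key
	DocSig, SignerSig []byte            // signer's signature over DataHash; country key's over SignerPub
}
type Anchors map[string]ed25519.PublicKey // country code -> key from the trusted directory

// Verify is meant to run in the trusted environment, not on the holder's phone.
func Verify(c Chip, trusted Anchors) error {
	root, ok := trusted[c.Country]
	if !ok {
		return fmt.Errorf("no trusted key for country %q", c.Country)
	}
	if len(c.SignerPub) != ed25519.PublicKeySize || !ed25519.Verify(root, c.SignerPub, c.SignerSig) {
		return fmt.Errorf("document signer is not vouched for by the trusted country key")
	}
	if !ed25519.Verify(c.SignerPub, c.DataHash, c.DocSig) {
		return fmt.Errorf("signature over the data hash is invalid")
	}
	if h := sha256.Sum256(c.Data); !bytes.Equal(h[:], c.DataHash) {
		return fmt.Errorf("chip data was changed after signing")
	}
	return nil
}

// Issue builds a constructed sample chip and the matching trusted country key.
func Issue(country string, data []byte) (Chip, Anchors) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	dsPub, dsPriv, _ := ed25519.GenerateKey(nil)
	h := sha256.Sum256(data)
	return Chip{Country: country, Data: data, DataHash: h[:], SignerPub: dsPub,
		DocSig: ed25519.Sign(dsPriv, h[:]), SignerSig: ed25519.Sign(rootPriv, dsPub)}, Anchors{country: rootPub}
}

func main() {
	chip, trusted := Issue("XX", []byte("constructed holder data"))
	fmt.Println("genuine:", Verify(chip, trusted))
	chip.Data = []byte("altered holder data")
	fmt.Println("altered:", Verify(chip, trusted))
}
```

The result is a yes or no that follows from the keys, and it fails closed when the country key is missing from the trusted set.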
Public key cryptography – Public key cryptography (also known as asymmetric encryption) is a cryptographic method that uses a key pair system. One key, called the public key, encrypts the data. The other key, called the private key, decrypts the data. Public key cryptography can be used to ensure confidentiality, integrity, and authenticity. Public key cryptography can:
- Ensure integrity by creating a digital signature of a message using the sender’s private key. This is done by hashing the message and encrypting the hash value with the sender’s private key. By doing this, any changes to the message will result in a different hash value.
- Ensure confidentiality by encrypting the entire message with the recipient’s public key. Only the recipient, who owns the corresponding private key, can read the message.
- Verify the user’s identity using the public key and check it against a certificate authority.
In future articles, we will look at biometric verification, which allows us to confirm the document owner, and compare different verification methods.