Mobile app – optical + Selfie

This solution comprises a mobile app that allows the user to remotely vet his identity. After installing the app on the mobile phone, the user is asked to take a picture of his identity document. This picture is sent to the app owner company for further processing. This processing includes digitizing the information on the photo (name, birth data, gender, etc.) for further automatic processing, assessing the authenticity of the identity document based on the provided photo, and checking if the identity document is not registered as lost or stolen. Subsequently, the app asks the user to take a selfie. The selfie is compared to the picture on the photo of the identity document. Usually this is done manually by the RA. Upon a positive identification, the user’s token is activated.

Compared to the vetting process for DigiD Substantial there are several differences. Where DigiD Substantial makes use of an activation code that is sent to the verified home address of the user, the optical app does not have this control feature (as reliable address information is difficult to obtain for non-government organisations). Instead the mobile optical app solution makes use of a selfie as a compensating measure. For obtaining the right level of assurance.

Particularly the authenticity check of the identity document is challenging for the mobile optical app solution. The uploaded picture of the document can be manipulated/photoshopped and it is hard to verify all of the identity document’s optical security features from a picture.

To prevent users from using a selfie of someone else, some form of liveness detection has been built in. An example of a liveness detection solution is to ask the user to execute a random number of challenges during a video session (e.g. turn head left or right, nod, smile, eye blink or speak out a certain sentence). The employee checks if the user adequately responses to the challenges. Idensys participants such as Digidentity and Morpho/SecureIdentity make use of such video challenge-response solutions. An alternative solution for liveness detection is to use flashing colours during the video recording of the user, this is offered by iProov²⁵.

25 https://www.iproov.com/

Figure 8: Remote identification via mobile app (Digidentity pictures from Google Play app store).

Sometimes a 1-ct iDEAL transaction is required to provide extra identity information, it allows the company to compare the user’s name of the bank account with the name on the identity document.

This is for instance the case for users that want to acquire an Idensys LoA 3 (substantial)

authentication solution. Digidentity is a company that offers this solution²⁶. As said before, the iDEAL transaction can in the SURFconext context be replaced by logging in with the federated institutional account.

This is how it could work:

1. The user logs in at SCSA service, selects a strong authentication token, enters his first and last name and receives an activation code via e-mail.

2. The SCSA service asks the user to install a mobile identification app. The app is bound to the user’s web session via a QR-code that is generated by the SCSA service.

3. The newly installed app asks the user to take a picture of the identity document.

4. The app asks the user to take a selfie.

5. The app does liveness detection (e.g. via a video-challenge, flashing colours or otherwise).

6. The app asks the user to enter the activation code.

7. The app communicates the output to the SCSA service.

8. The RA of the SCSA processes the obtained output, informs the user that the identification was OK, and activates the token.

The processing in the last step includes a detailed inspection of the picture of the identity documents to check if it is authentic. The RA could do this, or he could outsource it to professional companies, such as IDchecker/Mitek²⁷. These companies can also check if the identity document is not registered as stolen or lost. Furthermore, the RA (or company to which this is outsourced) must verify that if the user on the picture of the identity documents is the same user that took the selfie by comparing both pictures. This process is difficult to automate due to the low resolution of the identity document picture, i.e., there will be significant amounts of false rejects.

Despite the This solution offers sufficient protection against the MitB-attack as it makes use of a separate channel (i.e. the mobile phone) for the communication of the activation code that was obtained during registration. This code is now communicated via the mobile app and not the desktop’s web browser.

26 https://www.digidentity.eu/nl/home/#idensys.

27 http://www.idchecker.nl/.

The criteria assessment is as follows:

Criteria Assessment Score

Easy to use by user Relatively easy. According to Digidentity, an overall identification takes about 15 minutes (including a 1-ct iDEAL transaction). Just like video identification this may take too long for a substantial group of users. Nevertheless it is far more convenient for a remote user to use than to visit a service desk.

Easy to organize by institution Relatively easy to organize by the institution;

no RA functionality is required at the service desk.

Easy for the institution.

Limited impact on SCSA service

Requires a mobile app that communicates its output (picture of identity document and selfie) to SCSA service for further manual

validation/processing by a central RA. Less organisational impact compared to the video or door identification (e.g. no workflow instructions).

Straight-through processing The RA must compare the picture of the identity document with the selfie. This is a manual activity. The duration of the process is similar to that of the current solution.

Potentially, the app could do face recognition with the selfie and photo on the identity document. It, however, is questionable if this will result in reliable outcomes, i.e. the false acceptance or rejection rate may be too high for sufficient assurance²⁸. This is due to the fact that the photo on the identity document is small and of low resolution. Moreover, the quality of the camera of the mobile phone may also play a role. Manual inspection therefore is recommended for this solution.

Other aspects on the picture of the identity document like validity and name can also be processed automatically via Optical Character Recognition (OCR) but this too is not trivial.

Some manual effort still required.

Penetration rate / coverage Anyone with a smartphone can do this. Could work internationally.

Assurance level The assurance level of video identification is negatively influenced by several factors:

1. It is easy to manipulate the picture of the identity document prior to sending it.

LoA 2 is the highest achievable assurance level.

28 Authentication assurance frameworks hardly address biometric authentication solutions. E.g. it is unclear what the false acceptance rate must be for a LoA4 solution. Only the recent NIST specification addresses the topic.

2. It is difficult to assess the authenticity of the identity document based on the picture.

3. The selfie can be faked easily.

4. Liveness detection via video challenge response is not always very reliable.

Note that Idensys rates this process with LoA3.

Costs Similar as current situation as some manual

RA involvement is required.

Similar costs.

Controllability/auditability The mobile app guides the user through the vetting process in an unambiguous manner.

The app should be pentested for security vulnerabilities (one of the requirements of the eRecognition/Idensys level of assurance framework). Evidence of the identification should be recorded and stored by the RA.

Future proof Mobile app based and optical identity vetting is deployed by Idensys authentication service provider Digidentity. For higher LoA’s (3 and 4), this solution is not good enough. The biometrics part of this solution, i.e. face recognition, is expected to rise in popularity as an accepted authentication solution.