Identity verification has gone far beyond its traditional stronghold in fintech and banking, with increasing demand from various sectors, including online marketplaces and e-commerce platforms. As businesses recognize the need for secure and trustworthy digital transactions, the field of biometric identity verification is advancing rapidly. Significant developments are occurring in the standards and technologies used to ensure effective identity verification. During a recent presentation titled “Exploring the Spectrum of Identity Verification Technology Testing,” Dr. Chris Allgrove, director and co-founder of Ingenium Biometric Laboratories, discussed the complexities and advancements in this area.
Understanding Identity Verification
Identity verification serves the crucial function of linking an individual to their identity evidence. This process involves the authentication of identity documents, which can vary widely in type and quality. Allgrove highlighted that differences in biometric reference images and the quality of data collected can significantly affect verification outcomes, especially when comparing documents with embedded machine-readable chips to those captured optically.
The Remote Identity Verification Process
The remote identity verification process encompasses several critical checks, including assessing biometric data quality, presentation attack detection, the genuineness and integrity of the document, and the biometric matching process. Reference images obtained from electronic chips tend to have consistent quality due to established minimum standards for image size and preservation during digital transmission. However, Allgrove cautioned that these images remain two-dimensional, which can pose challenges for matching selfies to biometric data.
The ultimate goal of biometric testing is to evaluate risk. Inaccurate processing of documents or biometric mismatches can jeopardize the system’s ability to securely bind individuals to their identities.
Testing Components in Identity Verification
Allgrove categorized the tests for identity verification systems into two main elements: functional and security components. Security tests focus on protecting against presentation and injection attacks related to both documents and biometric data. In contrast, functional testing assesses accuracy in matching and reliability in data capture.
Established Standards and Emerging Guidelines
Allgrove discussed several established standards, including ISO/IEC 19795, which relates to biometric performance, and ISO/IEC 30107, which addresses presentation attack detection (PAD). These standards are regarded as “mature” and provide a foundational framework for testing, though they do not specify what needs to be tested. Following these guidelines can establish a robust foundation of trust in identity verification systems.
The presentation also covered various test schemes, such as those from the FIDO Alliance and common criteria biometrics evaluations, which aim to create a level playing field for technology providers.
Gaps in Document Authentication Standards
While several standards exist for biometric testing, Allgrove pointed out that there is currently no comprehensive framework for testing document authentication. National guidelines for conformity assessments are the closest alternative available. However, performance testing standards for document authentication are in development. The FIDO Alliance has published new document authentication requirements that define assessment criteria related to document security features and performance measurements. Although FIDO’s current focus is on optical document capture, plans to include NFC scanning are underway.
A practical challenge in document authentication testing is the legality of possessing forged identification documents, complicating testing efforts.
Emerging Threats in Biometric Testing
One of the pressing concerns highlighted by Allgrove is the rise of injection attacks and the threat posed by deepfake technology. While current deepfake capabilities for documents may still be developing, the potential for more sophisticated attacks in the future necessitates ongoing adaptations in testing methodologies.
Overall, the landscape of identity verification is continuously evolving, and stakeholders must remain vigilant in updating standards and testing practices to address emerging challenges effectively.
