13 March 2023
Remote biometric verification represents the most effective and simple way to verify users of digital services that require a higher level of trust.
Digitization brings more and more services that store and process personal and other sensitive data. Verifying users of such services requires the highest level of trust, which has so far been ensured by physically recognizing users by employees of the provider or their official representatives. Providers are faced with challenges on how to support the user experience with user-friendly authentication methods.
Another challenge of digitization is the widespread use of usernames and passwords for authentication, which is far too security-deficient and practically entirely inadequate given today’s cyber threats. In fact, only uninformed users or providers and those who consciously take risks access services that store their personal data only by entering a username and password. Global providers are no exception to this, as evidenced by annual reports of millions of stolen login credentials.
There are several solutions available for identity verification or remote identity verification, as well as for secure login and use of digital services. All of them are effective, but not equally comfortable and easy to implement, nor suitable for both types of use - for registration and access to digital services.
PKI (Public Key Infrastructure) , one-time password generators...
The use of qualified digital certificates based on Public Key Infrastructure (PKI) and one-time password generators is certainly a reliable way of remote user verification. However, obtaining them requires prior personal verification, which until now has without exception been carried out physically, for example, in bank and post office branches. In addition, qualified digital certificates cannot be used on all devices, and it is also not possible to use hardware modules for generating private keys on all devices - for example, a USB key or a card reader. These devices, including one-time password generators, can also be misplaced or even lost, and they are not cheap. Many financial service providers already perform verification using mobile phone apps, sending one-time passwords via SMS, or using services such as Google Authenticator or other methods of multi-factor authentication. All these approaches require initial verification to be performed using other means, such as physical or remote biometric identification, and are suitable for logging in already registered users.
Personal documents
A person with a smartphone captures their official personal document (ID card, passport, driver’s license, etc.). Then, an information solution verifies the authenticity of the data with a trusted third party or a root trust source. Such a solution requires a connection to official databases of personal data, such as state registries, and it should be combined with other approaches, since someone else - not necessarily with honest intentions - can use another person’s ID document.
Fingerprint scans
Providers of digital services can capture and verify multiple fingerprints non-intrusively and contactlessly via a smartphone camera. This means that providers must have the fingerprints of their users previously captured and stored. Therefore, fingerprints are not used for registering into services, but as a means of verifying already registered users. One of the main problems with fingerprints is related to the storage of biometric personal data.
Voice
Analysis of voice patterns enables the creation of a unique voice signature that can be later used for identification and verification of an individual. Similar to fingerprint authentication, this approach is not suitable for user verification during registration and poses challenges for the provider in storing biometric data.
Selfie
Individual captures a selfie with their smartphone and performs a liveness detection video. This selfie is then compared to the portrait from their official identity document, such as a biometric picture. When capturing a personal document, personal data can be optically read from it and compared with the data entered by the user. This convenient approach is used by the Verified by Photko service. The advantage of this approach is that neither biometric nor scanned data is stored, but the information system auto- matically deletes them after the verification process is completed. The captured personal data can be transferred to the information system of the digital service provider.
Video
Live video chat between a person and an agent is certainly the most interactive way of capturing and verifying the identity of a digital service user. However, it is time-consuming, labor-intensive, and cannot always take place everywhere, unless the provider provides expensive 24/7 human support. Remote verification using biometric technologies is proving to be an extremely convenient and effective solution, but it may seem problematic to some. Some users are reluctant to undergo biometric face verification or participate in a biometric scheme with fingerprint or voice recognition due to the disclosure of very personal data and thus compromising their privacy. This is mainly a challenge for the provider, who must transparently demonstrate to the user at every step how and where their biometric data will be used and stored. At least in Slovenia and Europe, users can rest assured. The use of biometric data is defined under strict sanctions for violators by the General Data Protection Regulation (GDPR), and in Slovenia, by the specific Personal Data Protection Act (ZVOP-2).