Reference Framework, Standardization and Legal Aspects of Facial Spoofing Detection
Remote identity verification and spoofing detection have created a need for appropriate legislation and standardization, which has resulted in a number of initiatives.
The Problem Overview
Remote identity proofing (RIDP) and obligations such as Know Your Customer (KYC) created the need for laws and initiatives that standardize how a person is verified online. One of the best-known initiatives is the eIDAS Regulation, adopted by the European Union in 2014 as Regulation (EU) No 910/2014. Standing for electronic Identification, Authentication and trust Services, it establishes a common legal framework for electronic identification and trust services, on top of which requirements for reliable remote identification, including spoofing detection, have been built.
Standards and regulations aim to select the tools and methods that best prevent fraud. For instance, requirements found in these frameworks include:
- A person’s authentication cannot be limited to still images.
- The ID check should be performed both by a human operator and by an automated system.
- Liveness detection must be implemented to exclude presentation attacks, i.e. attacks carried out with presentation attack instruments (PAIs) such as printed photos, replayed videos or masks.
- An uninterrupted video stream of appropriate quality capturing the person’s face should be the main authentication method.
The last requirement is especially important, since digital face manipulations are commonly used to trick the identification solutions deployed in banking applications, telehealth, automatic border control (ABC) and other systems frequently targeted by malicious actors. Other biometric traits (iris, fingerprints, voice) can also be replicated for remote identity fraud, so an additional rule set covering them is expected to be developed as well.
Liveness Standards & Requirements
While the European Union Agency for Cybersecurity (ENISA) and eIDAS regulation outline the basic principles for secure remote identity proofing, more detailed frameworks are proposed on national levels.
A good example is the Remote Identity Verification Service Providers (PVID) standard, which is essentially a guideline that determines:
- How to verify a person.
- How to assess the validity of their identity document.
The standard was developed by France's National Information Systems Security Agency (ANSSI) and proposed in 2021.
In essence, PVID builds on Know Your Customer obligations as well as the international Anti-Money Laundering and Combating the Financing of Terrorism directives. One of the main reasons behind its development was the rapid digitalization caused by the Covid-19 pandemic.
PVID offers a baseline suitable for e-commerce and for various entities that operate online: banks, digital identity providers, gambling operators and others. The baseline has three central parts:
- Remote verification service definition. This part describes a remote verification service and its principal components: acquisition of identification data, verification of that data, preparation of the evidence file, and submission of the verification results.
- Evaluation methods. This part explains the evaluation methods and the PVID qualification and certification process. It refers to Regulation (EU) No 910/2014 (eIDAS), which applies directly across EU member states, and describes how remote services are to be certified.
- Requirements. Finally, it lists the requirements every service provider must comply with: appropriate data encryption, risk assessment, a remote identity verification policy, and so on.
Even though the PVID standard operates at the national level in France, which made ANSSI the first public body to propose such a standard, it was designed to fit into a wider ecosystem, as it meets the security objectives set by eIDAS.
BSI, Germany’s Federal Office for Information Security, offers a similar document, Technical Guideline TR-03147. Like PVID, it is in line with the general principles set out by ENISA while proposing its own detailed procedure for remote identity proofing:
- Requirements. To verify a person, the following are needed: a valid ID, reliable transmission channels, correct registration of ID attributes, integrity of the entire process, and so on. These general requirements are explained in the subsequent sections.
- Threats. This section lists expired documents, forgeries and tampered IDs as the primary threats.
- Threat detection. Attack scenarios and attack assurance levels are specified in this section.
- Ownership assessment. It must be checked whether the presenter legitimately owns the document; assurance levels are proposed for this check.
- ID attribute registration. This stage focuses on the functional quality of the verification system rather than on security; specifically, it addresses data capture and the errors that can occur during the process.
- Safeguarding integrity. To counter the identified threats, the guideline recommends keeping traceable documentation of all ID checks performed and complying with the ISO/IEC 27001:2013 and ISO/IEC 27002:2013 security standards.
Among other things, TR-03147 explores the attack potential regarding target of evaluation (TOE), provides technical terminology, and defines the successful attack criteria: "only if an illegitimate proof of identity is provided and the implemented ID check does confirm the illegitimately claimed identity".
Liveness Certification in Europe
Despite the abundance of standards, regulations, initiatives and international agreements, there is still no universal landscape for identity proofing and liveness certification. So far, the only attempt to describe such a landscape is ENISA’s extensive report on remote identity proofing.
The primary frameworks that underpin standards such as PVID and BSI TR-03147 are:
- ISO/IEC standards (including the ISO/IEC 27001 and 27002 security standards referenced above).
- NIST SP 800-63-3 (Digital Identity Guidelines) and its companion SP 800-63A (Enrollment and Identity Proofing).
- The M/460 standardization mandate on electronic signatures.
- Electronic Identification, Authentication and Trust Services (eIDAS), and others.
In addition, a glossary developed by the Public Register of Authentic travel and identity Documents Online (PRADO) provides detailed examples and descriptions of the security elements used in document protection: barcodes, fine-line patterns and others.
Anti-Money Laundering directives also play a major role in European liveness certification. For instance, the Fifth AML Directive was integrated into France’s Financial and Monetary Code, which allowed French companies to onboard clients online more flexibly, with certified online verification treated as equivalent to face-to-face verification.
Currently, a group of European countries are aligning their national legislation with the eIDAS Regulation. Albania, for instance, has partially integrated it through its laws On electronic signature and On electronic identification and trusted services. Austria remains quite limited in remote identification: it has only one relevant law, the Online Identification Ordinance, issued in connection with AML requirements, and remote identity proofing there currently relies on human operators and physical ID documents.
Finland has its own legislation on online identification, though it largely follows eIDAS requirements. Italy has no dedicated legislation on the topic beyond its audio/video (A/V) remote identification procedure. Luxembourg made one of the earliest attempts at regulating remote identification, starting in 2000, and in 2020 introduced QTSP Procedure n° 005A, which details requirements for RIDP.
The recurrent picture across almost all European states is the absence of complete RIDP legislation, with only a number of guidelines that often focus on Qualified Electronic Signatures (QES). France, Germany and the United Kingdom lead this legal innovation with PVID, TR-03147 and the British Guidance on how to prove someone’s identity, respectively.
- eIDAS Regulation
- Workshop on remote identity proofing featuring ENISA’s representatives
- Types and sources of identity proofing proposed by ENISA
- European Union Agency for Cybersecurity
- Remote Identity Verification Service Providers (PVID)
- What does the PVID baseline mean and what are its challenges?
- Functional view of a remote verification system proposed by PVID
- Technical Guideline TR-03147
- ISO/IEC 27001:2013
- ISO/IEC 27002:2013
- Technical terms related to security features and to security documents in general by PRADO
- PRADO - Public Register of Authentic travel and identity Documents Online
- Official Journal of the European Union
- Financial and Monetary Code
- The Qualified e-Signature (QES): what is it and what is it used for
- Guidance on how to prove someone’s identity