The Problem Overview
Remote identity proofing (RIDP) and protocols similar to Know Your Client (KYC) invoked the need for laws and initiatives that would standardize the procedure of verifying a person's identity in online transactions. One of the best-known initiatives is the eIDAS Regulation established by the European Union in 2014. eIDAS or Electronic Identification, Authentication and Trust Services, focuses on creating a safe digital environment by providing reliable remote identification protected with biometric spoofing detection.
Standards and regulations aim at selecting the best tools and methods to prevent potential fraud. For instance, the requirements dictate that:
- A person’s authentication cannot be limited to still images.
- ID check should be performed both by a human operator and a machine (can be used in anti-spoofing for IoT, among all else).
- Liveness detection must be implemented to exclude Presentation Attacks (PAIs).
- Uninterrupted video stream of appropriate quality capturing a person’s face should be the main authentication method.
The last requirement is especially vital, since digital face manipulations are often used by malicious actors to trick identification solutions used in banking applications, telehealth, automatic border-control (ABC), and other such systems. Other biometric parameters — iris, fingerprints, voice — can also be replicated for remote identity fraud. Therefore, an additional set of regulations regarding these parameters is expected to be developed as well.
Liveness Standards & Requirements
While the European Union Agency for Cybersecurity (ENISA) and eIDAS regulation outline the basic principles for secure remote identity proofing, more detailed antispoofing frameworks are proposed on national levels.
A good example is the Remote Identity Verification Service Providers (PVID) standard, which is basically a guideline that determines:
- How to verify a person.
- How to assess the validity of their identity document.
The standard was developed by France's National Information Systems Security Agency (ANSSI) and proposed in 2021.
In essence, PVID is based on the Know Your Client protocol, as well as Anti-Money Laundering and Combating the Financing of Terrorism international directives. It is noted that one of the main reasons behind PVID development was rapidly growing digitalization caused by the Covid-19 pandemic.
PVID offers a baseline suitable for e-commerce platforms and various other entities that operate online: banks, digital identity and gambling providers, etc. The baseline includes three central coordinates:
- Remote verification service definition. Here, a remote verification service is described, as well as its principal components: acquisition of identification data, verification of this data, evidence file elaboration, and submission of the verification results.
- Evaluation methods. In this coordinate evaluation methods are explained, as well as PVID qualification and certification. It lists the 910/2014 European Regulation, which is mandatory for all entities that employ remote identification. The coordinate also mentions how remote services should be certified.
- Requirements. Finally, requirements are given, which all service providers should comply with: appropriate data encryption, liveness taxonomy, risk estimation, remote identity verification policy, etc.
Even though the PVID standard operates on a national level in France — making ANSSI the first public entity to propose such a standard — it was designed to fit in a more global ecosystem as it meets security objectives set by eIDAS.
BSI is Germany’s Federal Office for Information Security, which offers a similar antispoofing solution dubbed Technical Guideline TR-03147. Similar to PVID, it follows general guidelines set by ENISA, while suggesting its own detailed algorithm of remote identity proofing.
The guideline includes:
- Requirements. To verify a person, the following items are needed: valid ID, reliable transmission channels, correct ID registration, integrity of the entire process, etc. These are general requirements explained in the subsequent paragraphs.
- Threats. Primary threats include expired documents, forgeries and tampered IDs etc.
- Threat detection. Attack scenarios and attack assurance levels are specified in this paragraph.
- Ownership assessment. It should be checked whether the ownership of a document is legitimate or not, for which assurance levels are proposed.
- ID attributes registration. This stage focuses on the functional quality of the verification system rather than on security. Specifically, it pays attention to data capture and potential errors that can occur during the process.
- Safeguarding integrity. To avoid possible threats, the protocol recommends to keep traceable documentation of all ID checks performed and comply with the ISO/IEC 27001:2013 and ISO/IEC 27002:2013 security standards.
Among other things, TR-03147 explores the attack potential regarding target of evaluation (TOE), provides technical terminology, and defines the successful attack criteria: "only if an illegitimate proof of identity is provided and the implemented ID check does confirm the illegitimately claimed identity".
Liveness Certification in Europe
Despite the abundance of standards, regulations, initiatives and international agreements, there is still no universal landscape for identity proofing and liveness certification. By far, the only attempt to introduce such a landscape is reflected in ENISA’s extensive report on remote identity proofing.
The primary certification that underpins standards like PVID and BSI TR-03147 are:
- ISO standardization.
- NIST standards 800-63-3 and 800-63A.
- M/460 standardization mandate applied to electronic signatures.
- Electronic Identification, Authentication and Trust Services (eIDAS), and others.
Other than these, a glossary developed by the Public Register of Authentic travel and identity Documents Online (PRADO) provides detailed examples and description of the security elements used in document protection: barcodes, fine-line patterns, and others.
Anti-Money Laundering directives also play a major role in European liveness certification. For instance, the Fifth AML directive was integrated into France’s Financial and Monetary Code, which allows French companies to perform online client onboarding with greater flexibility. (Online and face-to-face verification methods were acknowledged as equally secure).
Currently, a group of European countries transpose eIDAS Regulation into their national legislation. For instance, Albania has partially integrated laws On electronic signature and On electronic identification and trusted services. Austria is quite limited in remote identification having only one law Online Identification Ordinance issued due to AML introduction. The country still mainly relies on human operators and physical ID documents for emote identity proofing.
Finland has its own legislation regarding online identification, which complies with eIDAS requirements for the most part. Italy does not have any laws on remote identification whatsoever, except for the A/V remote identification procedure. Luxembourg made one of the earliest attempts at formulating laws regarding remote identification in 2000 and introduced a QTSP Procedure n° 005A in 2020, which details requirements for RIDP.
Currently, there is no European country where complete RIDP legislation exists, except for a number of guidelines, which often focus on Qualified Electronic Signatures (QES). France, Germany and the United Kingdom spearhead this legal innovation with PVID, TR-03147, and British Guidance on how to prove someone’s identity.
Are there any biometric liveness standards of online person verification in the European Union?
Just a handful of countries address the legal status of biometric liveness.
The European Union Agency for Cybersecurity (ENISA) provides an extensive report on vulnerabilities, threats and countermeasures regarding Remote Identity Proofing (RIDP). Specifically, the paper focuses on facial recognition spoofing and Presentation Attacks (PAs) that are commonly used by fraudsters.
The report lists attack types and suggests facial liveness standards: metadata checking, usage of liveness detection, setting stringent requirements for ID photos, detecting visual artifacts left by digital manipulations, while also explaining passive/active facial, etc.
- eIDAS Regulation
- Workshop on remote identity proofing featuring ENISA’s representatives
- Types and sources of identity proofing proposed by ENISA
- European Union Agency for Cybersecurity
- Remote Identity Verification Service Providers (PVID)
- What does the PVID baseline mean and what are its challenges?
- Functional view of a remote verification system proposed by PVID
- Technical Guideline TR-03147
- ISO/IEC 27001:2013
- ISO/IEC 27002:2013
- Technical terms related to security features and to security documents in general by PRADO
- PRADO - Public Register of Authentic identity and travel Documents Online
- Official Journal of the European Union
- Financial and Monetary Code
- The Qualified e-Signature (QES): what is it and what is it used for
- Guidance on how to prove someone’s identity