Tech’s ongoing digital identity crisis: who is going to solve it?

An analysis of ID establishment and verification in a digital age

Akshay ‘Ax’ Sharma
Jul 4 · 7 min read

What is meant by identity? Is it a name you, your friends and family call you, or what a document states as a true likeness of you?
And if we are to believe that your identity is a document, then naturally much of the focus will be on verifying the legitimacy and correctness of the so-called ID document; your proof of identity.

Papers & Plastic

Ask someone, “What’s your name?” and the honest majority will likely answer truthfully. Those who are a tad smarter may not. This can be for reasons good or bad — a need for increased privacy and anonymity vs. having a crooked mindset.

Then there are exceptions: for example nicknames and anglicised versions of names. For example, look at the multiple spellings of the simple Slavic name, Igor. The following are all valid variations of the same name, depending on the script and language: Игорь, Igor’, Ігор, Ihor, Ігар, Ihar, Игор.

What is your date of birth? The one known to you and your immediate family, or the one that a document states — albeit in rare cases, incorrectly so.

To avoid all of the chaos arising from these scenarios, we introduced papers:
Merely a piece of paper acting as an ID, without much regard to the possibility of its forgery. Sticking a plain old photo on top of this paper, which clearly spelled out the person’s name, date of birth, and address, and endorsing it with the issuing authority’s stamp/signature used to be it.

Security Features

Soon we realised this infrastructure wasn’t perfect: it was susceptible to forgeries. We got smarter by introducing UV features, security marks, holograms, inks… But what about Elisa’s lookalike sister posing as her on the day of the driving test? This kind of malpractice still happens today by the way, in some jurisdictions (anecdotes; although I passed my own driving test, surprisingly).

Then came NFC-enabled cryptographic chips, which include biometrics (photo and fingerprints of the identity holder) and make forgery nearly impossible. If you have an ePassport, a Biometric Residence Permit (BRP) or a similar plastic document, these are digitally signed and can be reliably verified electronically, both as to whether they were issued by the issuing authority that claims to have issued them and as to whether the information has been tampered with, all thanks to Public Key Infrastructure.

All of this makes forging an ePassport or BRP and getting away with the fake virtually impossible. The math just won’t add up. If trying to pass a fake biometric document as a real one, you will get caught if the person looking at the document has the technology to read and verify the chip.

The best part?
Because the information is contained in the chip itself (and is decentralised), there is no dependence on an always-online database, which is susceptible to downtime and breaches. You are individually responsible for keeping your ID safe and secure.

But… if you are even smarter, you wouldn’t ever, ever forge a biometric IDentity document. You would likely use “false papers” and information to get real ones. For example, submitting a utility bill showing a fictitious address, and claiming it as your bona fide address. Or using a real birth certificate of another person whose identity you are attempting to steal — all of this was explained in my previous article:

The ‘ID Paradox’

The problem with what I call an ID paradox, a chicken-and-egg situation, is that you need an ID document to get an ID document. Doesn’t sound very reasonable, does it?

In 2015, I took a shot at solving this problem by launching ElectronicID.org.
The platform aimed at eliminating ID documents altogether and instead introducing a credit history-like “trust” based system. So you would start by saying “I’m John Smith,” and have a “zero trust score” in the beginning.
You would build trust over time, much like how you would build credit.
But that approach is obviously too slow for the purposes of establishing ID.

Papers in Digital Age

Even in this digital age, we rely on papers and plastic way too much. ‘Cloud Passport’ is still an ongoing experiment.

Now, there are good reasons for it. Databases get hacked. Servers go down.
Imagine being stuck in long border queues because their systems went down. At least papers and plastic would still save you. In the event of a system crash, the border agents could temporarily revert to performing decades-old basic ID checks, such as shining UV light or checking MRZ check digits. If they were to rely completely on technology for identification purposes alone, good luck.

Then, there’s concern about privacy. An international database using DNA-based matching combined with facial recognition and fingerprinting would likely eliminate the need to carry any papers or remember any information — but that approach, albeit a sophisticated one, may be too intrusive to our privacy.

Online IDentity Verification

But what happens when you want to prove who you are online?

This is when things get complicated.

For KYC purposes, most business-critical applications today either:

  • Ask for a scanned copy of your photo ID over the web
  • Perform Dynamic Knowledge-Based Authentication (KBA) — in practice that is giving you randomised questions based on your credit file, assuming you have one.
  • Ask you to hold your smartphone over your ID — for extensive feature-authentication, combined with taking a ‘video selfie’ for liveness detection, calculating facial similarity between your image and that on the ID, etc.

Challenges

But the fundamental problems with all of these approaches are…

  • You cannot verify the authenticity of an ID document online in the same way you could in person. You can’t shine UV over a digital image, and the security features are rendered useless because they can’t be distinguished from a forgery: you can’t tilt a digital image in 3D space and see the hologram change colours. The MRZ code, while a decent “error-checking” mechanism, can be calculated and emulated by a skilled forgery expert.
  • Embedded biometric and NFC chips need special infrastructure in order to be read. Even if the user has an NFC-enabled smartphone to read this information and send it back to you through an app, it may not be as secure as physically holding their plastic ID in your hands and verifying it with your own chip reader.
  • “Thin file” problem: For those with no credit history, KBA simply won’t work. There is not enough information to generate security questions. Very likely, this is also why the £130 million GOV.UK Verify system has been a major disappointment with only a 47% success rate.
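
The MRZ check digits mentioned in the border fallback checks and in the first challenge above, as an added example that is not part of the original article: a Python validator for line 2 of a passport (TD3) MRZ using the ICAO Doc 9303 weighting. The sample line is the fictitious “Utopia” specimen from that standard, the misread variant is constructed here, and the function and constant names are this example’s own.

```python
import string

# ICAO Doc 9303 check digit: digits keep their value, A-Z map to 10-35,
# the filler '<' counts as 0; weights 7, 3, 1 repeat; result is sum mod 10.
VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
VALUES["<"] = 0
WEIGHTS = (7, 3, 1)

# TD3 (passport) line 2 layout, 0-based: (field, data slice, check digit index)
FIELDS = (
    ("document_number", slice(0, 9), 9),
    ("date_of_birth", slice(13, 19), 19),
    ("date_of_expiry", slice(21, 27), 27),
    ("personal_number", slice(28, 42), 42),
)

def check_digit(field: str) -> int:
    """Public, unkeyed arithmetic: anyone can compute it for any field value."""
    return sum(VALUES[c] * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def validate_td3_line2(line: str) -> dict:
    """Map each field to True/False. True means 'internally consistent'
    (no typing or OCR slip); it is never evidence of who issued the document."""
    if len(line) != 44 or any(c not in VALUES for c in line):
        raise ValueError("expected 44 characters from 0-9, A-Z and '<'")
    results = {}
    for name, span, pos in FIELDS:
        given = line[pos]
        if name == "personal_number" and given == "<":
            given = "0"  # an unused personal number may carry '<' here
        results[name] = given == str(check_digit(line[span]))
    # The composite digit covers the fields above plus their check digits.
    composite = line[0:10] + line[13:20] + line[21:43]
    results["composite"] = line[43] == str(check_digit(composite))
    return results

# Fictitious specimen line (issuer code UTO, "Utopia") from ICAO Doc 9303.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed misread: one digit of the birth date read as 7 instead of 1.
MISREAD = SPECIMEN[:17] + "7" + SPECIMEN[18:]

if __name__ == "__main__":
    print(validate_td3_line2(SPECIMEN))  # every field consistent
    print(validate_td3_line2(MISREAD))   # birth date and composite flagged
```

A pass here only rules out transcription errors; it is the digital signature on the chip, not this arithmetic, that ties the data to an issuing authority.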

Basically, unless an online database exists which can authoritatively verify the information on an ID, you are out of luck and have to believe the digital image in good faith. There is no global database for passports. For driving licenses, immigration documents and BRPs, this is subjective and depends on the issuing authority, which also restricts the usage of such databases for very specific purposes.

Social Media, Crypto, Blockchain…

Speaking of an “online database,” what about social media?
Is a LinkedIn or Facebook profile a reliable proof of identity? Maybe if the person seems to have a significant number of connections? What about fake profiles? What about an imposter using a fake social media profile to friend real-life friends of a person? These are all questions which make the problem even more complicated.

Blockchain (the technology behind Bitcoin) and P2P systems can surely decentralise the ID data itself. But they cannot alone verify whether the very data, such as a social media profile being used as the proof of identity, is reliable.

A very real problem awaiting a fix.

From dating apps, to accommodation sites like Airbnb, to adult websites now mandated by law to verify the age of their users, to FinTech and online platforms selling age-restricted goods (medication, firearms, fireworks, marijuana, tobacco…), online identity verification is a legitimate problem with no reliable means existing as its ultimate solution.

And today, while companies like Yoti, Jumio or ID.me may be attempting to solve this challenge, their premise of identity verification still relies on users presenting papers, or rather their scanned copies, which are all unreliable to begin with.

Just because a scanned image of an ID “looks like the real one” does not necessarily mean it is — no matter how extensive and intelligent your AI/ML algorithms are. These systems may tell when something seems forged — if they catch it. They cannot, however, outright claim ‘nothing’ is forged, unless an authoritative database can verify the information.

To find a digital ID solution which is authoritative, least intrusive, privacy-friendly, accessible and secure is a challenge waiting to be solved. Until then, the data points we have now are a rough measure of risk, i.e. do I believe the scanned image and the ‘video selfie’ to be real? Or, that the person entering the credit card number online is indeed its rightful holder?

Our comfort level with regard to how much risk we are willing to accept determines the solutions that exist today and those that will stand out.

© 2019. Akshay ‘Ax’ Sharma. All Rights Reserved.

Written by Akshay ‘Ax’ Sharma: Security Researcher/Engineer, Digital Technologist and a perpetual learner. https://akshaysharma.net