Part 1: Remote Identity Verification – Cryptography vs. Artificial Intelligence
May 21, 2019
Artificial Intelligence (AI) has become a central component for innovating in a large number of applications. As computing power becomes cheaper and more easily available, we are witnessing a proliferation of Machine Learning (ML) use that was not possible in the past.
One application where ML is particularly useful is Remote Identity Verification, especially when it is combined with Computer Vision (CV) to solve problems like object identification, facial recognition, security feature detection and Optical Character Recognition (OCR).
Before we dive into some of the specifics around how ML works in conjunction with CV for ID verification, it is important to understand why those are needed. ML is a compute-intensive approach that is needed for more nuanced issues, but there are several problems that are straightforward and do not require ML. One could even argue that the current state of identity document issuance and adoption, especially in the United States, dictates the need for an ML-based approach. However, with an increase in sophistication in ID documents, verification could be solved using cryptography in a simpler and more scalable manner.
For quite some time we have seen documents with embedded electronic chips capable of performing cryptographic operations that can be used to verify authenticity. When used, they give the documents the following properties:
- Machine Readable: Allows a computer (or smartphone) to reliably capture data from the document.
- Digital Signature: Used to verify that the document is actually issued by the corresponding authority, without requiring connectivity with such authority. With a digital signature, it is also possible to verify the integrity of all the information in the document, including biometric data, effectively becoming a tamper-proofing mechanism.
- Replay Prevention: When documents are used in verification flows, special precautions are taken at the protocol level to prevent an attacker from capturing messages from a session, and reusing them in a different verification session.
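How the digital signature and replay prevention properties fit together, as an added example that is not from the original post and is a simplified model rather than the actual e-Passport protocol: the issuer signs the document data together with a chip public key, and the verifier then sends the chip a fresh challenge. It assumes a toy unpadded RSA built from known Mersenne primes so it runs with the standard library only; all names, keys and field values are constructed for illustration.

```python
import hashlib
import secrets

# Toy textbook RSA (no padding) from known Mersenne primes, so the example is
# stdlib only. Illustration of the flow, not a production signature scheme.
E = 65537

def make_key(p, q):
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    return pow(digest(data), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data)

# Constructed keys: the issuing authority, and the chip inside one document.
ISSUER_N, ISSUER_D = make_key(2**521 - 1, 2**607 - 1)
CHIP_N, CHIP_D = make_key(2**1279 - 1, 2**2203 - 1)

def signed_bytes(doc):
    # Everything the issuer vouches for: fields, biometric photo, chip key.
    return repr((sorted(doc["fields"].items()), doc["photo"], doc["chip_n"])).encode()

def issue(fields, photo):
    doc = {"fields": fields, "photo": photo, "chip_n": CHIP_N}
    doc["sig"] = sign(signed_bytes(doc), ISSUER_N, ISSUER_D)
    return doc

def chip_respond(challenge):
    # Runs inside the chip: signs the verifier's challenge with the chip key.
    return sign(challenge, CHIP_N, CHIP_D)

def verify_document(doc, respond):
    # 1. Offline issuer check: any edit to fields or photo breaks the signature.
    if not verify(signed_bytes(doc), doc["sig"], ISSUER_N):
        return "tampered"
    # 2. Fresh challenge per session: a response recorded earlier will not match.
    challenge = secrets.token_bytes(16)
    if not verify(challenge, respond(challenge), doc["chip_n"]):
        return "challenge_failed"
    return "ok"
```

The verifier needs only the issuer's public key (`ISSUER_N`, `E`) to run both checks, which is why no connectivity to the issuing authority is required.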
At the time of this post, the only practical form of identification that meets all of the above requirements is the e-Passport. The self-service passport verification solutions deployed at airports are a good example of these properties in use. However, in order to leverage the same benefits in a mobile application, for instance, the following hurdles have to be overcome:
- Only about one third of the people in the United States have a passport. For most consumer-facing applications, requiring a passport for ID verification would exclude a large user base.
- Even people who have a passport don’t usually have it with them at all times. The state-issued driver’s license or ID card is generally the form of ID most Americans carry with them regularly. Requiring a passport in an application onboarding scenario imposes an unreasonably high level of user friction.
- At the time of writing, Apple’s iOS mobile operating system has not exposed the interfaces necessary to communicate wirelessly with an electronic passport. Using an Android-only ID verification solution is usually not a viable option given the large iOS market share, especially in the U.S.
In the future, it’s not unreasonable to expect that Apple will eventually open its Near Field Communication (NFC) interfaces. It is also likely that some states will incorporate electronic chips into their issued IDs, effectively overcoming the hurdles above. However, that does not change the fact that businesses that need to deploy ID verification today will, in most cases, need a different solution.
Read other blogs in this series:
Part 2: Computer Vision Alternatives to Cryptographic Verification
Part 3: Privacy Implications and Enhancements in Identity Verification