
How can you be sure a user is who they claim to be?
When it’s crucial to minimize online identity fraud, governments and companies often turn to ID Verification (IDV), a process that asks a user to present both a photo ID and their face to their device’s camera for evaluation and comparison.
IDV is a strong and scalable way to fight impersonation or fake identities. Unfortunately, it’s also become a major target for account takeover attacks (ATOs), with AI providing sophisticated ways to spoof a user’s identity. One report cites a seven-fold increase of deepfake attacks on IDV systems in 2023.
In this article, we’ll explain how IDV works and where its strengths and weaknesses lie. Then we’ll look at how IDV can be part of a multi-layered approach that includes other forms of establishing trust, which can help keep bad actors out and encourage the right people to use your service.
What is ID Verification (IDV)?
ID Verification (IDV) is the term for technology that confirms a person’s identity by using their camera to capture a live image of their physical ID and a selfie, evaluating both for authenticity, and then comparing them. IDV is typically a five-step process:
- Document capture. The user holds their driver’s license, passport, or other government-issued photo ID in front of their device’s camera.
- Document assessment. The system evaluates the document’s authenticity.
- Document data extraction. The system ingests the photo, the text on the document, and the barcode (if present), and often verifies it against a database.
- Selfie capture. The user presents their face to the camera. To determine liveness, the system may prompt the user to turn their head a certain way or say a particular phrase.
- Face comparison. The system compares the selfie to the photo on the ID.
Because IDV is more expensive for companies and introduces more friction for users, it is typically used in specific cases where a high level of assurance is needed to confirm both someone’s real-world identity and their genuine presence. Examples include:
- Opening for a bank account online
- Being hired for a remote job
- Verifying an account on social media
- Using online government services
- Re-enrolling in multifactor authentication with a corporate device
How IDV resists fraud
IDV-based security systems need to be ironclad against fraud because they protect extremely valuable information. If a fraudster can break into an IDV-protected account, they may be able to drain retirement pensions, hold corporate systems ransom, or hijack social media accounts.
To resist deception, IDV typically uses several of the following techniques:
- Guided capture. Instead of letting users upload an image from their computer or camera roll, IDV requires users to use their device’s camera under the control of their website or app.
- Document verification. IDV can check bar codes, document numbers, and other datapoints against databases to ensure the information matches what the authorities have on record.
- Liveness detection. To catch spoofs like deepfaked videos or printed photos, IDV often looks for evidence that it’s looking at a real, live person. Techniques include using the device’s 3D depth-sensing capabilities and guiding the user to move their face in a certain direction or say a certain phrase aloud.
- NFC tag. A growing number of IDs, such as passports and corporate badges, have an embedded chip. Modern smartphones can read these and pass the information to the IDV service.
Challenges and limitations of IDV
IDV is becoming increasingly sophisticated, but it’s not perfect. It’s constantly under threat from ever-more powerful AI technology that can spoof a user’s identity. AI can now create convincing deepfake videos of a person and falsify government IDs. Fraudsters can inject deepfakes into IDV workflows, using browser extensions and virtual camera software to simulate real-time video and bypass liveness checks.
Here are some of the additional challenges to be aware of with IDV:
An account can be compromised later. In many cases, IDV is a one-time security check that happens during account setup. IDV doesn’t protect from future account takeover attacks that can happen as a result of phishing or stolen login credentials.
It’s expensive at scale. IDV services can cost anywhere from 25 cents to over $2 per use.
Many people avoid or drop out of the process. Some privacy-conscious users resist any collection of sensitive details. Others may abandon the procedure after experiencing technical issues, having trouble finding their ID, or simply getting distracted.
Not everyone can meet the standard. IDV may not accept certain documents if they’re easily counterfeited, compromised by corruption, in a language they can’t read, or impossible to independently verify. In one survey, over 40% of trust professionals cited ID inconsistency as a significant challenge.
Techniques for layered fraud detection and prevention
A well-rounded approach to securing user accounts could include IDV during the sign-up process or for very high-risk actions, while offering additional protections that run in the background to keep the account safe.
Here are a few strategies to consider:
- Reduce the chances that an attacker bypasses IDV with a deepfake by monitoring for other suspicious behavior — like whether the device’s IP geolocation matches what you expect.
- Detect bot-like behavior. Fraudsters commonly use bots to create fake accounts at scale, and detecting their automated activity allows you to catch any attempts at fake registration before they compromise your platform.
- Protect IDV-verified accounts from ATOs. Once verified with IDV, an account typically has a high degree of trust, making it an attractive target for attackers. Advanced device intelligence tools (like Fingerprint) can help protect against ATOs by surfacing signals that detect browser tampering, VPN usage, jailbroken devices, and more — allowing you to trigger step-up authentication when needed.
- It’s no secret that IDV is a bit of a hassle for users — so once they’ve been verified, offer them a seamless returning user experience. This can include everything from letting known users log in without requiring MFA, to personalizing your site to their preferences.
Device intelligence complements IDV
For many use cases, IDV is essential, but it’s not one-size-fits-all. To add an extra security layer to the verification process and guard against the risk of deepfakes, consider techniques that leverage the user’s device for identification — also known as device fingerprinting.
Fingerprint’s device intelligence platform expands beyond just device fingerprinting, with Smart Signals to prevent sophisticated account takeover attacks before they happen. Fingerprint can also identify returning users with industry-leading accuracy, without relying on cookies or IP addresses, so you can offer seamless login experiences for trusted accounts.
To learn more about how Fingerprint can make your user identification systems more robust, contact our team.