
Identity Proofing is Awkward (And Still A Risk)

Tags: Know-Your-Customer, KYC, Identity Proofing, Identity Verification, Identity Security, Decentralized Identity

Identity Proofing

The last decade has seen the commercialization of identity verification and proofing services known as KYC (Know-Your-Customer). These services are good for businesses trying to improve identity security, because they put significant downward pressure on fraud and identity theft at a time when customers demand easy access to online services.

Striking the right balance when it comes to verifying someone’s identity is tough, because we are still using fairly rudimentary techniques. We are still expected to hand over too much information to confirm who we are.

This is a cause for concern, because the verifier (e.g. a business) can wield a lot of influence over customer behavior. Not everyone is an identity security professional, and not everyone knows the implications of uploading personal information to websites (as much as we try to campaign about this). But as consumers we are often a captive market: we are cornered into situations where we are coerced into performing these counter-intuitive verification processes, otherwise we miss out on a required service or, in some cases, a livelihood.

Recently, I had payments for an app I developed on the Android Play Store suspended. I inquired about this and was told that because I had opted to sell my app in Brazil, I had to provide personal identification such as a driver's license and other business information.

After resisting this request and trying to omit Brazil as a market, I was met with confusion by the support team. It was as if nobody had challenged this before; I was told it would be best to just complete the verification. This introduces the concept of herd mentality: if everyone else is behaving this way, it must be okay and I'll go along with it too.

This is just one example, but if your livelihood depends on app sales and your primary source of income has just been suspended, damn right you're uploading your driver's license. You need to put food on your table. This shows one way in which end-user behavior is formed.

So what’s the big deal? In many cases, you are probably going to be OK. But let’s take a look at the general process when dealing with a reputable identity proofing service.

  1. You are asked to upload your identification; this could be a driver's license, passport or other government-issued documentation.
  2. The service provider uses its own proprietary software to verify whether the document is legitimate. Providers claim a high degree of accuracy, but never 100%, so we are putting a degree of trust in the service provider here. They have a hard job: they need to determine whether Joe Blogg's faded driver's license is the real deal or not.
  3. They pull information from the document using some form of OCR (optical character recognition).
  4. They often have access to government databases to cross-reference the data gleaned from the document. But this is a murky area: not every state or country allows this, so in its absence there might be less authoritative sources, such as public records, to verify the data against. Sometimes they will skip this step completely.
  5. Optionally there is a liveness check, where you are asked to turn on your webcam and your photo ID is compared against your webcam feed.
  6. The service provider then returns to the application that required the verification in the first place, typically with some sort of digitally signed artifact asserting a successful or failed verification.
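To make step 6 concrete, here is an added example (not code from the post) of how the receiving application might consume such a signed artifact while accepting only a decision and never document data. The claim names, the constructed key and the HMAC standing in for the provider's asymmetric signature are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption). A real provider signs with an asymmetric
# key (e.g. a JWS over ES256) and the relying party holds only the public key;
# an HMAC stands in here so the example runs on the standard library alone.
PROVIDER_KEY = b"constructed-demo-signing-key"

# The relying party needs a decision, not the customer's document data.
ALLOWED_CLAIMS = {"verification_id", "result", "nonce", "aud", "iat", "exp"}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_result(claims: dict, key: bytes = PROVIDER_KEY) -> str:
    """Provider side: '<body>.<signature>' over canonical JSON claims."""
    body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return body + "." + _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_result(artifact: str, expected_nonce: str, audience: str,
                  key: bytes = PROVIDER_KEY, now=None):
    """Relying-party side: returns (accepted, reason)."""
    now = time.time() if now is None else now
    body, _, sig = artifact.partition(".")
    if not sig:
        return False, "malformed artifact"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Check the signature first, in constant time, before trusting any claim.
    if not hmac.compare_digest(expected, _b64d(sig)):
        return False, "bad signature"
    claims = json.loads(_b64d(body))
    if set(claims) - ALLOWED_CLAIMS:
        return False, "unexpected claims rejected (no document data accepted)"
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    if not claims.get("iat", now + 1) <= now < claims.get("exp", 0):
        return False, "outside validity window"
    if claims.get("result") != "verified":
        return False, "verification failed"
    return True, "ok"
```

The nonce binds the artifact to one verification session started by the application, and rejecting any claim outside the allowed set keeps OCR'd document fields out of the application's own logs and storage.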

We are trusting that our personal information, uploaded images and recorded webcam footage are immediately purged. But these are for-profit businesses with excellent marketing designed to give you confidence; under the hood, are we sure that no footprint is left behind in logs, backups or memory that could be compromised at a later date?

There isn't a standard around verification; the steps listed above are general, and service providers add and remove their own special sauce to gain a commercial edge over their competitors. In the vast majority of cases it will be fine: you will verify your identity and move on with your life. But identity threat actors feast on personally identifiable information. It is how they open or access bank accounts illegitimately, and how they improve success rates on targeted phishing scams.

For our industry, this is a growth market to watch. How we adopt and implement identity verification/proofing will dictate future user behavior. We have a duty to protect customers from fraud with strong verification, but we also have a duty to protect customer information. A strong, cryptographically backed verification process will remove a lot of the awkwardness from our current verification processes.

Fortunately, there have been significant advancements in the area of identity verification. Check back soon, when we will explore these new capabilities and how they can be adopted into our everyday lives.

© 2024 by The Identity Citizen. All rights reserved.