Building confidence in the identity of a user online is a tricky business. You can ask them for their details (name, address, phone number, government ID number etc.) and check those against some third party identity graphs, maybe weave in some attributes like device identifier, but the result is still pretty probabilistic.
Next step up in gaining confidence would be to ask the user to take a picture of their government-issued ID document and a selfie of themselves. This is the process that we at Gartner formally refer to as document-centric identity proofing, but which I prefer to just call the “ID-plus-selfie” process.
The ID-plus-selfie process involves the vendor visually assessing the image of the document for authenticity, and then the selfie being biometrically compared to the picture in the document. As part of taking the selfie, liveness detection (aka presentation attack detection) is performed to ensure genuine human presence (as opposed to, say, taking a selfie of a picture).
The outcome is still probabilistic, as assessing the authenticity of the document visually is a mixture of art and science – but the probability is stacked more in your favor than simply checking user-provided PII against an identity graph. For a more deterministic approach you should only be accepting documents with chips in them and reading the data off the chip using NFC in the user’s phone.
A few years ago, pretty much all client calls that I received about ID-plus-selfie were from banks needing identity proofing as part of a KYC process. While that is still a big chunk of my calls, I see it being implemented in a much broader range of use cases now:
- Government – Using ID-plus-selfie when citizens register for services or need to prove their right to work in a country.
- Healthcare – Using ID-plus-selfie when registering for online access. For example, in the UK, you need to prove your identity this way to get full access to the National Health Service mobile app.
- HR – Maintaining the integrity of remote interview and hiring practices. Several of my clients have cited cases where they’ve hired a person online and then a different person has turned up to start work!
- Trust – Maintaining trust within a marketplace. For example, Airbnb recently announced that all users (renting, and those offering places to rent) would need to go through ID-plus-selfie to maintain trust on the platform.
- Account Recovery – Resetting passwords is a major attack vector to carry out ATO. Identity proofing can help to mitigate that risk. For example, on LinkedIn, if you can’t access your account and no longer have access to your email (e.g. you just changed job), you can take a picture of your ID document to regain access to your account.
There are many blog posts that I can and will write about the reliability of ID-plus-selfie, its long term viability in the face of digital identity wallets, and more. But for now, I think it’s worth noting that qualitatively it appears that adoption is increasing across a broad range of very interesting use cases.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed