21 May 2019|Document Authentication, Document Verification, Facial Recognition, Fraud, Hacking, Identity Proofing, KYC, OCR, Optical Character Recognition
You wish to streamline the on-boarding process for your customers, or maybe add further Identity verification to your existing Identity assurance processes. One of the obvious routes to go down is that of Document Authentication.
What is document authentication?
Document authentication can be summarised as:
The ability to verify users by examining Identity documents against document templates, extracting data and comparing photographs against real-time selfies / videos using facial biometric technology.
Before starting to discuss success criteria for choosing a solution we need to detail the components of such a solution.
Document Authentication should include the following three elements:
- Document Verification – Removes the need for a person to present documents in person, or to scan and email them. Document verification includes support for passports, driving licenses, voter cards, tax IDs and more. It ensures that consumers' identities have not been forged, digitally tampered with, lost or stolen.
- Facial Recognition – Comparing a live photo or live video with a user's Identity document adds additional protection to verify a user really is who they claim to be.
- Optical Character Recognition (OCR) – Data extracted from the Identity document is compared against checksum values (if present) within the scanned document. This reduces the chance of readable data being tampered with. Identity information can then be used for form pre-fill to avoid incorrectly entered information, providing a smoother on-boarding experience.
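The checksum comparison described under Optical Character Recognition, as an added example (not from the original article or any vendor's product): it validates the ICAO Doc 9303 check digits on line 2 of a passport (TD3) machine-readable zone. The function and field names are illustrative assumptions; the first sample is the ICAO specimen line and the second is a constructed copy with one digit changed.

```python
import string

# ICAO Doc 9303 check digit: weights 7, 3, 1 repeating; 0-9 keep their value,
# A-Z map to 10-35, and the filler '<' counts as 0. Result is the sum mod 10.
VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
VALUES["<"] = 0
WEIGHTS = (7, 3, 1)

# Line 2 of a TD3 (passport) MRZ: (field, start, end, check-digit index), 0-based.
TD3_FIELDS = (
    ("document_number", 0, 9, 9),
    ("date_of_birth", 13, 19, 19),
    ("date_of_expiry", 21, 27, 27),
    ("optional_data", 28, 42, 42),
)


def check_digit(field: str) -> int:
    return sum(VALUES[c] * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def _matches(field: str, cd: str, filler_ok: bool = False) -> bool:
    if cd == "<":  # permitted only for an empty optional-data field
        return filler_ok and set(field) == {"<"}
    return cd.isdigit() and check_digit(field) == int(cd)


def validate_td3_line2(line: str) -> dict:
    """Return a pass/fail flag per check digit for OCR output of MRZ line 2."""
    if len(line) != 44 or any(c not in VALUES for c in line):
        raise ValueError("expected 44 characters from 0-9, A-Z and '<'")
    results = {
        name: _matches(line[s:e], line[cd], filler_ok=(name == "optional_data"))
        for name, s, e, cd in TD3_FIELDS
    }
    # The composite digit covers the fields above together with their check digits.
    composite = line[0:10] + line[13:20] + line[21:43]
    results["composite"] = _matches(composite, line[43])
    return results


# ICAO Doc 9303 specimen line, and a constructed copy with one birth-date digit
# altered (7 -> 8) but the check digits left as printed.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
ALTERED = "L898902C36UTO8408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for label, line in (("specimen", SPECIMEN), ("altered", ALTERED)):
        failed = [k for k, ok in validate_td3_line2(line).items() if not ok]
        print(label, "failed checks:", failed or "none")
```

Passing check digits only show that the OCR read is internally consistent; they say nothing about whether the document is genuine, which is what the template and security-feature checks are for.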
Well, yes and no. The theory behind document authentication is sound; however, the technology used is often limited to the reach of a vendor in a particular region and the amount of “training” a system has received.
With this in mind there are a number of key areas to consider before deciding on a solution – or solutions to evaluate:
- On premise vs SaaS (PII considerations)
- Fraud Detection vs User Experience (Used in isolation)
- Hybrid vs Automated Models
- Identity Document Support (Regional considerations)
- Liveness support (Video and Selfie)
- API, SDK and Mobile App support
- Confidence Scores and Acceptance Rates
From the list above we can very easily begin to define the criteria and restrict the choice of appropriate solutions on the market.
The critical piece here is that not all document authentication vendors are capable of providing the necessary touch points to deliver the true identity proofing and identity assurance that you would expect.
Many document authentication vendors started life as OCR solutions and as a result can extract information from Identity (or any) documents well. However, treat this as nothing more than a MINIMUM requirement for any document authentication vendor. If the OCR results are poor, discard and move on to the next one.
Let us now examine the key areas.
Identity Document Support
The real capabilities of a document authentication solution begin to show when we look at the depth of the Identity document support in region. The ability to compare an image against a known template allows a document authentication vendor to highlight issues such as:
- Digital Tampering
- Original Document
- Colour Picture
- Document Number Format
- Data Validation (MRZ / Barcode)
- Compromised Document
- Face Detection / Picture Face integrity
- Security Features
- Photo Stitching
As you can no doubt appreciate, performing the above (and more) against a large number of documents is no mean feat. This is often where you can start to easily pick off vendors based on the listed document support alone.
However – a list of supported documents is not enough to skip your own tests. We have seen instances of vendors claiming to support document validation against certain types of document which, when we tested, to put it simply – they failed. One vendor's idea of validation is not the same as another's. The bulleted list above is a good place to start and set the expectation during any tests.
We recently saw a vendor that was very capable at OCR and delivered the results in very impressive times. However, we were able to create simple identity documents and waltz around their document validation processes. Upon challenging the vendor, they admitted that their document validation was very basic. Test, test and test again.
The solution should also provide the necessary tools to ensure the image quality is acceptable before allowing document image upload. Glare, blur, focus and image size are items that should be checked for during the upload process. (See manual upload section later in the document).
Just as with document authentication, facial recognition capabilities vary wildly across the vendors. This is largely due to the rapidly changing technology and techniques used in this arena.
When evaluating a solution, it should have the ability to support:
- Static photos with liveness detection (not a photo of a photo or a copy or an aged photo)
- Video liveness (Video support with Audio and Visual alerts)
- Human Face detection (see pug!)
- Mobile Web, Mobile App, SDK
Let's start with the obvious: is the solution capable of detecting human faces? If the solution does not reject non-human faces, how confident would you be in deploying in production? We would suggest that if non-human faces are not flagged before matching takes place, move on to another vendor.
We like dogs, we really do. This is a simple test to see how robust and mature a vendor's facial detection algorithm is. Failing this test should be considered a fail – period.
Face matching between two identical photos also does not qualify. An example such as this should be considered a spoofing attempt in the context of document authentication. In other words, the image on the document should never be an identical match against the live captured image. It’s amazing just how many times we have seen this simple check not flagged by the document authentication vendors, leading to concerns that the use cases and classic fraud cases are not understood or catered for.
Selfies and Videos
What is the expected user experience? This has a huge impact on the technology used to verify the user's face. The recommendation is to allow live video flows during the face capture process. This allows the capture of a real-time video of the user while requesting and capturing the responses to audible and visual patterns, such as:
- Move head to the right side
- Repeat the three digit number displayed on the screen
This adds additional protection and prevents old videos being used. Again, if the document authentication vendor lacks this functionality, move on.
Selfies on their own are an important piece of the solution. They allow for the proofing processes to be rolled out where video may not be available. However, the image should be captured in real time using a mobile app or SDK integration. If the selfie is uploaded manually there are obvious risks associated with this. For standalone document authentication solutions, the recommendation here would be to always use video where possible; if that is not possible, force the users to take the selfie in real time using a smartphone camera.
If the document authentication solution is not standalone but part of a layered verification process, it could be considered possible to allow for manual upload. This is a result of the other verification layers providing the additional assurance needed to offset the increased risk of manual selfie upload.
If manual selfie upload is allowed, then liveness detection is even more important. Can the solution detect aged photos, copies of the original or the original photo?
Does the manual upload integration allow for blur, glare, focus and overall image quality checks? These are must-haves and would normally be provided natively by the vendor's app or made available through their SDK.
If such checks are not available – move on to another vendor. The user experience will be very poor as false rejection rates will be high due to low image quality.
Total Turn Around Time (TaT)
During the selection process you have found a vendor that provides robust document validation, good OCR results and robust facial recognition practices, and that, importantly, offers the integration and deployment options you require. Great. We now come to one of the most important areas of document authentication selection: the TaT.
There are essentially two main areas to consider (in terms of solution).
- Full Automation
- Hybrid Model
Full automation means no human involvement in assessing the document images, OCR or facial images. Therefore machine learning and large volumes of documents / selfies for a particular region are critical to a solution's ability to detect valid and invalid attempts.
The benefits of fully automated solutions are typically quicker TaTs, normally capable of end to end decisions within 30 seconds (document, OCR and face). However, the risk here is increased false rejection rates due to lack of training of the model and the fact that caution needs to be applied to any automated solution.
Hybrid solutions offer a good balance. Where Identity documents are valid and facial images are of good quality, a hybrid solution will typically utilise a fully automated approach and perform just like an automated solution. The difference here is that when a decision cannot be made, it is marked for manual review. The manual process can take longer (SLA dependent), however such a model is far more likely to catch fraud attempts while reducing false rejection and false acceptance rates.
The choice of automated or hybrid depends on the workflow required, the vendor's coverage in region and the balance needed between speed and fraud detection. The recommendation is to look at solutions from vendors that provide both models and make a decision based on true results.
As testing is such a big part of the document authentication selection process we are not going to delve into testing processes (feel free to ask us for our methodologies). We are going to say one very important thing though. Do not rely only on testing using the vendor's app. Always ensure the tests are performed using the APIs. Experience has taught us that the apps are often used to cover gaps in a vendor's solution. The APIs quickly allow any gaps to be exposed, especially if the testers are used to evaluating document authentication solutions.
We have touched on some of the areas to consider when selecting and testing document authentication solutions. This is a large area and the solutions available do vary wildly, something that is not always clear until you get under the hood.
Here at ThreatPoint our team of consultants has evaluated and implemented many of the leading document authentication solutions. We know the tricks and techniques used by fraudsters to manipulate documents, selfies and videos.
Using this experience we can streamline your selection process, highlighting areas to focus on given your requirements and the items to test, and ensuring you select the correct vendor for your business.
Document Authentication is an exciting area and one that can add huge improvements to your customer application, on-boarding and login processes. If you select the right solution, you will have happier customers and a valuable addition to your Identity assurance and proofing processes.