In some country regulators require the use of video identification for remote identity verification. Germany a prime example thereof.. BaFin in Germany (Bundesanstalt für Finanzdienstleistungsaufsight), the financial authority, prescribes the use of video identification for remote identity verification and also Austrian FMA allowed video identification. FMA is now moving to NFC-based identity verification (compulsory from 2023 onwards in banking), and rightfully so: evidence that video identification is not secure is growing steadily if not combined with NFC.
In 2015, the German government Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI, questioned the fact that video verification was as trustworthy for remote as face-to-face verification. In 2019 they even recommended not to use video identification. Still, video verification remains popular in Germany and is part of the BaFin standard. Since then the quality of video manipulation software and deep fake software in the open source has grown tremendously, making it easier than ever to spoof video verification solutions. Real-time facial replication via the use of holograms is even possible.
Picture: Example of combining source document and new biometric data (Chaos Computer Club, 2022)
In August 2022 the German Chaos Computer Club published a report where they give a detailed explanation on how they were able to pass video identification with fake documents, including more complicated steps such as putting fingers on the document as part of the process. They showed in practice that they were able to pass more than six different video verification solutions of suppliers based within and outside of Europe. The results do not come as a surprise, given earlier criticism as mentioned above. Their goal was to show that it can be done without big investments in hardware or software and that it can be done systematically. The report is well-written and leaves little room for debate. It led to substantial turmoil in Germany but no formal reactions from, for example, BaFin as yet.
Video identification: Why wait for the next hack?
It is no longer a question of if regulatory authorities should switch to alternatives over video identification, but merely when. Video identification is not only insecure, it is very costly and intrusive. Moreover, the alternative already exists. NFC-based identity verification provides 100% certainty on the authenticity of the identity document and the personal data read from the chip. Moreover, the high resolution face image from the chip significantly improves the overall identification performance, and can readily be combined with automatic biometrics for holder verification based on face matching and liveness detection. For the latter, video identification can be used for holder verification.
NFC first for maximum security
Current biometrics based genuine presence detection solutions can, with their passive or active challenge response mechanism, far better resist video manipulation attacks such as those conducted by the Chaos Computer Club. The combination is secure, very scalable, user friendly, and cost effective. It allows to create digital identities at the highest trust level, eIDAS high.
So, why wait for the next hack?