How to verify a digital identity

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

In May 2024, the European Union’s Digital Identity Regulation came into force – requiring member states to offer at least one EU Digital Identity Wallet to citizens, by 2026.

Given digital identity is a relatively new theme in Europe, the uninitiated’s perception of it will be prejudiced by the representation in films – whether it be Ethan Hunt and the fingerprint-taking vinyl in Mission Impossible, or Edna Mode’s retina scanner in The Incredibles.

So, do these interpretations have any bearing on reality? How exactly is digital identity verified today?

Biometrickery in The Incredibles

Thanks to Hollywood, the most iconic means of digital identity verification has become biometrics. Like in the movies, the technique leverages physical authentication strategies to discern an individual’s true identity.

By this point, in the reader’s mind may be conjured the image of an LED-lensed chrome console projecting from the wall in Edna Mode’s house, before it takes a photograph of her retina and grants access to the secret bunker. While today’s financial institutions opt for less of a sci-fi approach, the biometric principle is the same; face or voice recognition, iris scanning, fingerprinting, and behavioural analysis all remain on the table as viable options to tell customers apart.

Facial recognition, for example, relies on artificial intelligence (AI) to pull visual information from a photograph or video of a customer. It does this by making a map of a person’s face – including data on eye size, feature positioning, scars, mouth shape, skin colour, and so on – before comparing it against the bank’s database of faces. If a match is found, the identity is confirmed.

The first example of this in wide use was the iPhone X, with which Apple enabled users to unlock their smartphones – and gain access to digital wallets – via facial recognition. Apple says that the technique is so secure, “the probability that a random person in the population could look at your iPhone or iPad Pro and unlock it using Face ID is less than 1 in 1,000,000 with a single enrolled appearance.”

Biometric payments are becoming an incredibly common use case – letting consumers deduct monies from their accounts at speed.

Encryption and The X Files

Another pricey verification recourse is encryption – the process of securing access to information via mathematical models that scramble data. This is used to verify digital identity because it can be set so that only the parties with the secret “key” can unscramble the information.

The concept of encryption was bent to breaking point in The X Files when Arlene Pileggi hacked into the United States’ proto-internet portal, Arpanet, to read a classified document of Susanne Modeski’s. When printed, the text was unreadable, since it had been translated to the American Standard Code for Information Interchange (ASCII) format – a common character encoding format for text data in computers.

Had Arlene possessed what is known in cryptography as the ‘key’ – typically a string of numbers or characters, of indeterminable length, that is stored in a file – she may have had a shot at reading the document. In ‘symmetric cryptography’, one key both locks and unlocks the data, whereas ‘asymmetric cryptography’ has two different keys.

This means of digital identity verification is used by banks in the back office, to prevent bad actors from reading customer data, even if they manage to break through the first line of defence.

HSBC, for instance, makes clear on its website that it uses “128-bit Secure Socket Layer (SSL) Encryption” over all its personal internet banking applications and online application forms, converting customer information into “an encoded form before it is sent over the internet”.

The Great Escape’s ‘presentation of object’

Surrendering official documents is a time-honoured means of proving one’s identity – cast your mind to The Great Escape, when Big X and MacDonald (futilely) attempt to gain access to public transport by handing their forged passports to two German guards. “Good luck” getting through borders via today’s eGates with those.

After the war, with the rise of credit cards from the late 1950s, these ‘financial documents’ also became a valid method of identity verification – and this trend has continued, all the way past the growth of online shopping at the dot com boom in the early noughties.  

This brings us to the verification of identity via the presentation of a card online. A good example would be an everyday, online retail purchase that is relatively high-value, or via an outlet which the consumer’s bank does not recognise.

First, the customer enters her card details into the retailer’s purchase portal. If the details match, a secure notification will be sent to her mobile, which she must use to log in to her banking app and confirm the payment. This is a first-line defence against stolen cards. Notifications can also be sent to consumers via text, which will include a one-time verification code that acts in the same way as a personal identification number (PIN) entry on a card reader would, in person. If all goes to plan, the identity is confirmed, and the transaction is processed by the issuer and the acquirer.
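The one-time code step described above can be sketched as follows. This is an added example, not Finextra's or any bank's code; the class name, the six-digit code length, the five-minute expiry and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a texted code
MAX_ATTEMPTS = 3         # assumed limit on wrong guesses per code


class OtpChallenges:
    """In-memory store of pending one-time codes, keyed by payment id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side secret; codes are stored only as MACs
        self._pending = {}                   # payment_id -> [digest, expires_at, attempts_left]

    def _digest(self, payment_id, code):
        # Bind the code to one payment so it cannot confirm a different one.
        msg = f"{payment_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, payment_id):
        """Create a 6-digit code; the caller sends it to the cardholder by text."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[payment_id] = [self._digest(payment_id, code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, payment_id, submitted):
        """Return True exactly once for the right code; False for anything else."""
        entry = self._pending.get(payment_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[payment_id]    # expired: a fresh code must be issued
            return False
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(digest, self._digest(payment_id, submitted)):
            del self._pending[payment_id]    # single use: a replayed code fails
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[payment_id]    # stop guessing after repeated wrong codes
        return False
```

The expiry, single-use deletion and attempt limit are what keep a six-digit code from being guessed or replayed.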

Such protocols are set to become increasingly prolific with the advent of the third Payment Services Directive (PSD3) in 2026.  

Judgement Day: Providing confidential information

The second Terminator film’s misrepresentation of card skimming – the crime whereby a consumer’s PIN code is mined by attaching a hidden recording device in an automated teller machine (ATM) – reveals a lot about digital identity verification.

Viewers are treated to a scene whereby the young John Connor determines the unique PIN of a stolen card after inserting it into an ATM, running a ribbon cable into the reader, and plugging the other end into a laptop. A fistful of dollars is then surrendered by the machine and Connor skips off into the sunset. What this process fails to reflect is the fact that a PIN code has nothing to do with the data on a credit card – nor is it held within the card slot. Here, we have two discrete systems that do not talk to each other. John Connor would need access to another system, or more simply, a video of the original card owner entering her PIN, to get his loot.

Herein lies the reason PIN codes, or any other kind of confidential information – such as a password, date of birth, or the answer to a pre-arranged question – are so useful; in theory, only the end-user has access to it.

The provision of confidential information is a successful method for banks to screen against fraud, though it is harder to protect consumers from transfer scams. In this scenario, consumers are contacted by criminals who masquerade as a trusted party – such as a bank, lender, or His Majesty’s Revenue & Customs (HMRC) – and encourage them to give up their confidential information, so that money can be removed from their accounts.  

To tackle this, bigger institutions like Nationwide are opting for a combination of authentication measures – including biometrics – which is so far helping them to block an additional 2000 attempted online shopping frauds per month.

The Holy Grail of verification

The techniques used to verify digital identity can be deployed to support a number of processes, such as customer onboarding, mobile banking, customer re-authentication, ATM operation, and even in-branch banking. The aim for banks is to streamline journeys and adhere to regulatory requirements, such as the Know Your Customer (KYC) and Anti Money Laundering (AML) directives.  

With the sophistication of cybercrime continually ratcheting up, a combination of several kinds of verification technique will likely become the holy grail of verification – a strategy known as multi-factor authentication (MFA).

Indeed, the use of static identifiers and physically unique attributes in situ is a defence far harder for bad actors to penetrate, when compared to the use of a single component.

When it comes to digital identity, it is time for banks to stop thinking Hollywood and start thinking holistically. Here is the new norm.

Comments: (2)

Martin Sansone Lead Architect at Sansone Projects

What a terrible title for a serious subject. None of this meandering twaddle actually provides a real answer to "How to Verify a Digital Identity".  The misleading click-bait title would be more accurate as "A Trip Down Movie Memory Lane Misrepresenting Digital ID"

John Wojewidka International Marketing Director at FaceTec

None of this works without binding a human to an account. And that CANNOT be done without determining if the person who is holding the credential or access device (phone, card, hardware key, etc.) is determined to be both present at the time and - wait for it - alive. Liveness checks verify first if there is a real human asking for access, and then can make a match determination to make sure it is the legitimate human. Effective biometrics with liveness and matching ACTUALLY exist and have been successfully in operation for many years across the globe.

Major note: Digital access is already pervasive and will only continue to gain users on every continent. As the value of access climbs, digital identity needs to be treated as THE critical component of access management, whether physical or virtual. If you cannot have an exceptionally high confidence that the person requesting access is not the legitimate account holder, the rest of what happens in a login process is still wide open to fraud, regardless of the cryptographic defenses in place. The wrong person can easily be operating a phone that will check out as legit. It happens all the time, and is responsible for nearly 85% of all ID problems.

This subject needs to be elevated to the top of the agenda and considered critical to the finance/banking biz, or these problems will not only persist, they will continue to grow - as they have for the past 10-plus years. Just check the latest reports from, for example, the Identity Theft Resource Center (ITRC - https://www.idtheftcenter.org/). The extent of this problem is much more troubling than you might think.

@Hamish Monk, you are welcome to contact me for a cold-shower report on the state of things in digital ID.
