21 May 2025 in IDV basics

A Deep Dive Into Electronic Identity Verification (eIDV): What Makes It Tick?

Dzmitry Smaliakou

Head of Mobile and Web development

What to expect in this blog

What exactly is electronic identity verification, and why is it rapidly replacing traditional ID checks?

This article delves into the inner workings of electronic identity verification (eIDV), highlighting its key technologies, recent advancements, and why it’s becoming essential for secure and efficient identity proofing.

The customer experience that involves turning your face in front of your phone camera or taking a photo of your ID is now more common than ever. Electronic identity verification (eIDV) is gaining momentum, but it is still farther away from universal adoption than some may think. According to a 2024 survey commissioned by Regula, 46% of businesses worldwide still verify IDs manually, even in remote onboarding scenarios—for example, via video calls or by human reviews of scanned documents.

It is clear that we are in a transition phase: while eIDV technology is available, not all organizations trust it completely or have integrated it fully. And the technology itself, while advanced, is not perfect just yet, if it ever will be. 

But what is this technology exactly? What makes it tick, and why is it consistently replacing traditional IDV? In this article, we’ll answer these questions and more, as we take a deep dive into the nature of eIDV, its components, and recent industry developments.

What is electronic identity verification?

Electronic identity verification can be viewed as an evolution of traditional ID checks, as it employs software and devices instead of people to validate ID documents and personal data. A complete eIDV system today typically involves both identity document verification and biometric verification. 

Document verification checks the ID’s authenticity: with the help of software like Regula Document Reader SDK, the system can automatically recognize an ID’s type and country of issue, check if it is a real and physically present document, read its data (including reading the RFID chip in passports or ID cards), and detect anomalies or signs of tampering. 

Biometric verification, meanwhile, focuses on the person: confirming that the individual presenting the ID is a live person and matches the document’s owner. This usually involves facial recognition technology comparing the live selfie to the ID photo. Increasingly, fingerprint or iris biometrics (for instance, reading the passport chip’s stored biometric data and matching it) can also be used as an extra layer of defense.

Traditional ID verification vs. eIDV: Not a close contest anymore

By traditional identity verification, we mean a human inspecting a physical ID document, visually checking security features (holograms, watermarks, etc.), and confirming that the photo matches the person. With each passing year, this method is losing out more and more in favor of automated processes that have a number of distinct advantages:

Benefits of eIDV
  • Higher efficiency: Electronic processes can verify IDs within seconds by automatically reading document data and cross-checking it, whereas manual checks might take minutes per customer. For instance, reading an RFID-chipped passport with NFC is nearly instant, enabling e-gates at airports to clear travelers much faster than human officers.

  • Ability to read all elements of a modern ID: Nowadays, there are more and more eIDs and digital IDs in circulation, which rely heavily on cryptographic safeguards that manual inspection cannot verify. A human checker might spot a fake ID by its look and feel, but an eIDV service can definitively validate the document’s chip data against signatures from the issuing authority.

  • Precise biometric matching: Traditional checks rely on a person’s judgment to compare the ID photo with the holder’s face. Electronic identity verification can perform automated biometric matching to compare a live selfie of the holder to the photo stored in the ID’s chip. Some eIDs also carry fingerprints or iris data that can be matched by authorized readers—something a visual inspection alone cannot do.

  • Remote verification: eIDV enables remote identity proofing—businesses can verify a customer’s identity online by having them upload scans or use a mobile app to read their document, without the need to be physically present. Now, people can authenticate themselves from home by scanning an electronic ID and letting the system perform an electronic identification check across databases and chip records.

  • Higher security: eIDV implementations often adopt a zero-trust security model, meaning that data read from user devices isn’t automatically trusted. Instead, all critical authenticity checks (RFID chip verification and cryptographic signature validation) are repeated on secure backend servers.

Key components of electronic ID verification

eIDV’s potential is fully realized when more modern forms of IDs need to be authenticated. By “modern IDs,” we mean those that rely on cryptographic security—they could be either physical (ePassports, eIDs) or digital (mobile driver’s licenses, digital IDs, digital travel credentials). 

Now let’s take a look under the hood and see what makes eIDV tick.

RFID chips and machine-readable data

Most electronic IDs embed a contactless RFID chip that stores the holder’s personal details and biometrics. For example, an ePassport’s chip holds the same data printed on the passport (name, date of birth, passport number, etc.) and additional info like a digitized passport photo and often fingerprints. These chips conform to international standards (ICAO Doc 9303 for passports, and ISO 18013 for driver’s licenses) and communicate via NFC at a frequency of 13.56 MHz.

A word on data groups

Each electronic document’s chip data is structured into files and data groups. In the case of ePassports, the chip’s Logical Data Structure (LDS) defines Data Groups (DG) for different types of information: 

  • DG1 contains the personal details and document number (the same data found in the passport’s machine-readable zone or MRZ).

  • DG2 contains the holder’s facial image.

  • DG3 may contain fingerprints.

  • DG4 may contain iris scans.

  • Other data groups store additional information like the document issue details, a digital copy of the holder’s signature, and crucial cryptographic keys.

This is very important as it allows setting different access rights: anyone verifying an ID can read the basic info and photo, but only border authorities can access fingerprints on the chip.

Along with RFID chips, an eIDV system typically scans the machine-readable zone (MRZ) printed on the document—the two or three lines of text with chevron separators (<<) visible on passports and ID cards. The MRZ serves two important purposes: it provides the basic identity data in optical form, and its data can be used to derive access keys for the chip. Scanning the MRZ with a camera or OCR yields information like the document number, the holder’s name and birthdate, and an MRZ checksum. More importantly, with an ePassport, the MRZ data is used to compute the encryption keys needed to communicate with the RFID chip. This is the basis of the Basic Access Control (BAC) protocol, our next subject of discussion.

Access control protocols: BAC and PACE

Before an RFID chip shares any personal data, the reader must establish a secure channel, and early eIDs implemented Basic Access Control (BAC) to serve this purpose. In BAC, the key to unlock the chip is derived from the document’s MRZ text. The logic is that only someone who is physically holding the document (and can read the printed MRZ) can access the chip, which helps prove the document is present and not just a skimmed copy. Once the reader computes the key from the MRZ and successfully opens a secure session, the chip’s data can be read.

However, BAC has some limitations: it uses symmetric cryptography and relatively short keys, making it vulnerable if someone can guess or brute-force the MRZ-derived key. That’s why newer documents have moved to Password Authenticated Connection Establishment (PACE). PACE is an improved protocol that uses stronger, asymmetric cryptography while still using something known to the holder (MRZ data or a shorter printed code called a Card Access Number) to establish the connection.
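The MRZ check digits and the BAC key derivation described in this section, as an added example (not code from the article or from Regula). The function names are illustrative, and the sample MRZ fields are the ones used in the worked BAC example in ICAO Doc 9303.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # repeating MRZ check-digit weights

def char_value(c):
    """Numeric value of one MRZ character: 0-9, A-Z = 10-35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {c!r}")

def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def field_ok(field, digit):
    """True if the check digit read by OCR matches the field it protects."""
    return digit.isdigit() and check_digit(field) == int(digit)

def mrz_information(doc_number, birth, expiry):
    """Document number, birth date and expiry date, each followed by its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def adjust_parity(key):
    """Set the low bit of every byte so that each byte has odd parity (DES key format)."""
    return bytes((b & 0xFE) | int(bin(b >> 1).count("1") % 2 == 0) for b in key)

def derive_key(k_seed, counter):
    """SHA-1 over seed plus 32-bit counter; the first 16 bytes form a two-key 3DES key."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])

def bac_keys(doc_number, birth, expiry):
    info = mrz_information(doc_number, birth, expiry)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return {"k_seed": k_seed,
            "k_enc": derive_key(k_seed, 1),   # counter 1: session encryption key
            "k_mac": derive_key(k_seed, 2)}   # counter 2: message authentication key

if __name__ == "__main__":
    for name, value in bac_keys("L898902C<", "690806", "940623").items():
        print(name, value.hex().upper())
    # An OCR misread (digit 0 read as letter O) is caught before any chip access
    print(field_ok("69O806", "1"))
```

Everything that feeds the keys is printed on the data page, which is why the strength of BAC depends entirely on how hard those three fields are to guess.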

Cryptographic signatures and Passive Authentication

Reading data from the chip is only half of electronic identity verification—the next step is confirming the data’s authenticity. Every electronic ID’s chip data is digitally signed by the issuing authority, so a Document Security Object (SOD) file is created on the chip which contains the signature as well as hashes of all the data groups. 

The signing is done with the help of two critical certificates: the Document Signer (DS) certificate and the Country Signing Certificate Authority (CSCA) certificate. Each country has its own trusted CSCA that issues the DS certificate, which is then used to digitally sign the SOD during issuance.

DS and CSCA certificates

Passive Authentication is the process of validating the signature to confirm that the data on the chip has not been altered and indeed comes from a legitimate source. The software recalculates hashes of each data group (DG1, DG2, etc.) and compares them to the stored hashes in the SOD. It then verifies the SOD’s signature with the DS public key, which itself is verified against the trusted CSCA certificate.
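The three Passive Authentication checks described above, as an added example (not code from the article or from Regula). It is a simplified model: JSON stands in for the real CMS/ASN.1 encoding of the SOD and for X.509 certificates, textbook RSA over small constructed primes stands in for the real signature scheme, and all names, keys and data-group contents are constructed.

```python
import hashlib
import json

def toy_key(p, q, e=65537):
    """Textbook RSA key from two primes (constructed, far too small for real use)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def encode(obj):
    return json.dumps(obj, sort_keys=True).encode()

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest_int(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data, pub["n"])

def issue_sod(dgs, ds_key, csca_key):
    """Issuer side: hash each data group, sign the hash table with DS, certify DS with CSCA."""
    hashes = {str(n): hashlib.sha256(d).hexdigest() for n, d in dgs.items()}
    ds_pub = public(ds_key)
    return {"hashes": hashes,
            "signature": sign(ds_key, encode(hashes)),
            "ds_cert": {"pub": ds_pub, "csca_sig": sign(csca_key, encode(ds_pub))}}

def passive_authentication(dgs, sod, trusted_csca_pub):
    """Verifier side: returns the list of failed checks; an empty list means PA passed."""
    failures = []
    cert = sod["ds_cert"]
    # 1. The DS certificate must chain to a CSCA the verifier already trusts
    if not verify(trusted_csca_pub, encode(cert["pub"]), cert["csca_sig"]):
        failures.append("DS certificate not issued by trusted CSCA")
    # 2. The SOD (table of data-group hashes) must be signed by that DS key
    if not verify(cert["pub"], encode(sod["hashes"]), sod["signature"]):
        failures.append("SOD signature invalid")
    # 3. Every data group read from the chip must hash to the value in the SOD
    for n, data in dgs.items():
        if hashlib.sha256(data).hexdigest() != sod["hashes"].get(str(n)):
            failures.append(f"DG{n} hash mismatch")
    return failures

# Constructed keys (Mersenne primes) and constructed chip contents
CSCA = toy_key(2**107 - 1, 2**127 - 1)
DS = toy_key(2**61 - 1, 2**89 - 1)
UNTRUSTED = toy_key(2**89 - 1, 2**107 - 1)   # a signer the CSCA never certified
DGS = {1: b"constructed MRZ data", 2: b"constructed face image bytes"}
SOD = issue_sod(DGS, DS, CSCA)
```

The chain check is what gives the hash comparison its value: hashes and a signature that are internally consistent prove nothing unless the signer traces back to a CSCA certificate the verifier obtained independently.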

A word on Terminal Authentication

Terminal Authentication is the inverse of Passive Authentication: instead of the document proving it’s genuine to the reader, the reader must prove it’s an authorized reader to the document. In practice, the reader holds a certificate from the issuing authority indicating it is allowed to access certain data (e.g., fingerprints). During Terminal Authentication, the chip will challenge the terminal to sign a piece of data with its private key. If the terminal’s response is valid, the chip will then permit access to the restricted data.

Active Authentication and Chip Authentication

While Passive Authentication secures the data’s integrity, it does not by itself guarantee that the chip is original. This is why eIDs also have Active Authentication as an anti-cloning mechanism, which involves proving the chip’s uniqueness in a challenge-response test. During Active Authentication, the reader sends a random challenge to the chip, which the chip must sign with a private key that is stored internally and never disclosed. The reader then checks that signature against the chip’s public key.

What’s more, a newer mechanism called Chip Authentication is now superseding Active Authentication in many eIDs. Chip Authentication does more: it not only detects cloning, but also establishes a fresh session key for a more secure information exchange.

Biometric verification

Last but not least, biometric matching is a core part of eIDV when the goal is to confirm that the document’s rightful owner is present. The most common biometric used is the facial image: eIDs store a high-quality digital photo (often in JPEG2000 format) in the RFID chip.

A change of format

According to the newest ICAO guidelines, all document readers and verification systems must be compatible with an updated standard for facial image data (ISO/IEC 39794-5) by 2026. The new format records additional metadata, including detailed facial landmarks, precise eye and hair color, and other biometric attributes—and passport issuers are required to fully adopt it by 2030.

Regula Document Reader SDK now fully supports this updated framework, meaning that as the new attributes are introduced, the solution will remain fully functional without needing urgent updates.

The person undergoing verification is asked to provide a live facial capture, either by looking at a camera in an automated gate or using their smartphone for a selfie. The system then performs a face recognition match between the live capture and the chip’s photo to ensure they are the same person. Advanced solutions like Regula Face SDK also incorporate liveness detection during this step, meaning they check that the live image is indeed from a real person present at that moment (and not a photo of the ID or a screen replay).

Putting it together

To illustrate a typical electronic identity verification workflow, we can use the example of remote customer onboarding using an ePassport:

eIDV process
  1. Document capture: The user scans their passport’s MRZ with their phone camera or enters the passport details. The eIDV solution reads the MRZ to derive the chip access key for establishing a secure communication channel (for BAC or PACE). Alternatively, some IDs use a short numeric Card Access Number (CAN), printed separately on the document, to be scanned for that same purpose.

  2. Chip reading: The user taps the passport against their smartphone (or uses an external reader). The app establishes a secure connection to the RFID chip using BAC or PACE protocols, preventing any eavesdropping. The chip’s data (personal info, photo, etc.) is then read.

  3. Passive Authentication: The solution performs Passive Authentication—verifying the SOD signature and hashes using the issuer’s public keys. This confirms the data hasn’t been altered.

  4. Active/Chip Authentication: The solution checks that the chip is not cloned by doing an Active Authentication challenge or Chip Authentication exchange (if supported). A match here indicates that the chip is original and the data is genuine.

  5. Biometric check: The user is prompted to take a selfie. The system compares the live face to the chip’s stored photo (after ensuring liveness). If the facial biometrics match with high confidence, it confirms that the person is the document owner.

  6. Verification outcome: If all checks pass—the document is authentic and valid, and the biometrics match—the identity is verified. If any check fails (e.g., wrong chip signature, face mismatch), the process is halted or flagged for manual review. For additional security, all captured verification data can also be transmitted to a backend server. There, it can be processed again to confirm that the data wasn’t modified at any point on the client side.

What trends in eIDV are we observing now?

Electronic identity verification is rapidly moving from a niche technology to a core part of modern businesses—and we’re seeing how the world is changing around it, as well. New ID concepts, new regulatory frameworks, and new industry guidelines have surfaced over the past couple of years and will soon be commonplace.

ICAO’s pilot programs for Digital Travel Credentials

For travel documents like ePassports, the gold standard is set by ICAO’s Doc 9303. It defines the specifications for Machine Readable Travel Documents (MRTDs), including the data format for chips, the PKI (public key infrastructure) for passport signatures, and the required security protocols. 

Building on that, ICAO and national governments are now exploring Digital Travel Credentials (DTC) as a complement or eventual replacement for physical passports. In 2023–2024, ICAO released specifications for DTC types: 

  • Type 1 allows travelers to generate a digital passport clone on their smartphone by extracting the chip data from their physical passport (with the caveat that the physical document must still be carried as a backup). 

  • Type 2 and Type 3 DTCs involve the issuance of a digital passport by authorities, with Type 3 being a fully digital passport that could one day eliminate the need for a booklet altogether. 

It has been reported that tests for DTC Types 1, 2, and 3 are ongoing; however, the varying degrees of success of these tests suggest that completely passportless travel is not in the picture for the next couple of years.

Rise of Digital IDs and eIDAS 2.0 wallets

Similarly, another major trend is the growing presence of digital identity credentials beyond travel. With a digital ID at their disposal, a user can just share a QR code or cryptographic proof from their smartphone for virtually any ID verification procedure.

This trend has accelerated with initiatives like the European Union’s new Digital Identity Framework (eIDAS 2.0). The EU’s updated regulation entered into force in May 2024 and mandates that all member states provide citizens and residents with a European Digital Identity Wallet (a mobile app for official digital ID) by 2026. These wallets will allow people to identify themselves to both public and private services across Europe and to store and share electronic documents (e.g., diplomas, licenses) securely. Many other countries around the world are also launching or expanding digital ID programs, from national ID smartphone apps to state-issued mobile driver’s licenses (mDLs) in the United States.

For businesses, this means a future where more customers will present a digital credential rather than a paper or plastic ID. The key difference here is that verifying a digital ID can be less about forensic document inspection and more about cryptographic validation—checking that the credential was issued by a trusted authority and hasn’t been revoked or tampered with.

Emerging NIST Guidelines and identity proofing standards

The United States, through NIST (National Institute of Standards and Technology), publishes influential Digital Identity Guidelines (SP 800-63), which affect how government and industry approach eIDV. 

In 2023–2024, NIST updated these guidelines to Revision 4, with notable changes to accommodate remote identity proofing and new technologies like mobile IDs and digital wallets. For instance, they added recommendations on how to trust digital wallet credentials (in SP 800-63C for federated identity) and on using document authenticity checks plus biometric comparison to reach high confidence in remote scenarios.

Overall, the most significant aspect of NIST’s guidance is discouraging sole reliance on any single method. A live selfie match alone may not be sufficient, while combining document authentication with biometric verification of the person is the preferred method. And though NIST guidelines are not laws, they are known to heavily influence best practices and regulatory requirements.

How Regula powers eIDV for organizations globally

The coming years will likely see eIDV become even more commonplace. With regulations like eIDAS 2.0 pushing digital identity wallets, and the rollout of mobile driver’s licenses and digital travel credentials, individuals will have more convenient options to identify themselves electronically. 

Regula is proud to be part of that innovation, offering comprehensive eIDV solutions for all organizations, combining document forensics, chip reading, and face recognition.

Regula Document Reader SDK processes images of documents and verifies their real presence (liveness) and authenticity. The software identifies the document type, extracts all the necessary information, and confirms whether the document is genuine. On top of that, the SDK leverages mobile NFC verification and complete server-side verification to confirm the genuineness of the RFID chip.

At the same time, Regula Face SDK conducts instant facial recognition and prevents fraudulent presentation attacks such as the use of static face images, printed photos, video replays, video injections, or masks.

Regula boasts a database of 15,000+ identity documents from 251 countries and territories, enabling our solutions to support many known eIDs and Digital IDs. We also offer the unique NFC TestKit service, providing you with ID samples with NFC chips for more efficient testing and shorter time to market.

Let’s drive the future—together. Book a call to learn more about our solutions!
