How to Build an Identity Verification System

The first step in building your identity verification system is to establish a secure method of gathering identity data from your customers. This foundational process sets the tone for the entire system, influencing its accuracy, security, and reliability.

The primary question is:

How exactly to collect the data necessary for the verification process?

Two primary avenues exist for that: prompting users to send their photos and scans of their identification documents, or integrating specialized components into your application for real-time data capture.

While seemingly straightforward, this method introduces a significant challenge—the lack of control over how the data was obtained. This becomes a critical concern when ensuring the liveness of documents and the authenticity of the person behind them.

When data is submitted from external sources—for example, passport scans simply sent over email—the probability of fraudulent attempts significantly increases. With a visual editor, document templates available on the web, and AI tools, you can easily create a convincing image of a document that is indistinguishable from the real one. That’s an issue that goes hand in hand with technical advances. 

Without a controlled capture environment, ensuring the reliability of the data—and, consequently, the integrity of the entire process—is impossible.

This approach provides a more controlled environment, ensuring that the data is collected instantaneously as users present it. Note that if you need to obtain any official certifications—for example, if you need to comply with ETSI identity proofing requirements—real-time data capture is a must-have feature for you. 

Typically, real-time capture goes hand in hand with liveness checks. This means you need to confirm three things: your customer is a real existing person, their ID documents are real documents (not some edited re-prints), and they actually belong to that customer.

Integrating real-time ID and face biometric capture functionality into your app requires careful planning and implementation. 

For those who love DIY, the top-of-the-mind option would be implementing some OCR functionality. However, ordinary OCR is of little help when it comes to identity documents. The reason is that ID documents contain plenty of non-text data sources, such as barcodes and RFID chips.

Plus, If you're planning to develop your own identity verification system in-house, it's crucial to consider right from the outset what channels your users will use for undergoing verification. This involves strategizing and visualizing how your solution will function across web and mobile. Cross-platform compatibility is a great thing, but it requires resources to develop and maintain.

Another challenge lies in the fact that you cannot trust any verification result that was obtained on a user’s device. Since it’s out of your direct control, it’s too easy to tamper with verification results, hence, compromising the whole process. 

That’s why you’ll need to ensure the safe transportation of data from the user’s device to your backend where it’ll be then processed. That’s not an easy task either, as you need to protect data during transit, mitigating the risk of interception.

Also, you’ll need to think over the verification scenarios for different types of ID documents: the ones with an electronic chip and the ones without. 

If your users submit electronic documents (eMRTD), such as passports and ID cards with an embedded RFID chip, the whole verification process will be handled, from verifying to re-verifying the chip data. 

In the absence of a chip, the backend processing steps become more intricate. Dynamic document protection features and liveness checks take center stage. Collecting metadata about the user’s document submission—details such as where and when the document was captured, the number of attempts made, and historical interactions with the system—is also vital.

Once identity data is collected, the pivotal decision of whether to store or discard it takes center stage. This involves establishing a robust database infrastructure, storage policies, and geographic considerations to ensure compliance, security, and seamless global accessibility.

The geographic location of your company and your customers plays a pivotal role here. Different regions have distinct data protection laws and regulations, such as the GDPR in Europe or the CCPA in California. If your business caters to users from diverse locations, you’ll need to address two important concerns:

• Performance optimization: Geographic distribution of database instances enhances response times for users accessing the system from different parts of the world. This ensures a seamless and efficient experience, which is a critical factor in user satisfaction.

• Data residency compliance: Certain regions mandate that the data of their residents must be stored and processed within the geographical boundaries. By establishing instances in different regions, you’ll avoid potential violations and legal complications related to data residency requirements.

Distributing database instances strategically mitigates these risks, ensuring a harmonious balance between efficiency and compliance.

Identity documents, such as driver’s licenses and passports, are regularly updated with new security features to stay ahead of counterfeiters. The flip side of this is that it is also a challenge to keep your system up to date.

To address this, you should establish a process for regularly updating your system with the latest information on new IDs and recognizing the latest security features. 

In this particular area, any type of DIY is hardly possible. The process usually involves cooperation with government agencies or third-party organizations that can provide you with the necessary updates and insights.

Building an in-house identity verification system is not a one-time task. It requires ongoing monitoring and continuous improvement to stay effective and secure.

One of the most challenging tasks at this step is setting thresholds and adjusting decision frameworks used for categorizing verification outcomes. 

All the results can be divided into three conventional groups:

• Authentic — All the checks have been passed, and there is no need to manually review the case.

• Fake — Any sensitive checks have failed, and there's not much point in manually double-checking it.

• Not sure — Everything in between, when the system can’t be 100% sure about whether the result is authentic or fake. These cases require manual review.

A proper IDV system should give you the capabilities to manage this process. It may come as an operator panel where these “not sure” attempts are submitted for further manual inspection, thus allowing you to streamline this process. 

Also, some kind of reference resource for operators who are in charge of the review would be of great help. It also comes in handy when your system can run a quick check to see whether someone else used the same photo before, or submitted the same documents but with a photo of another person.

This step isn’t something specific to identity verification, but is rather commonplace for most IT solutions. In a world where a million users can flood your system at any given moment, scalability is important for any IDV system’s reliability—no less than authentication mechanics. 

The challenge lies not just in scaling up, but in doing so judiciously.

Ideally, you need to allocate resources dynamically based on demand, scaling up or down as needed. This involves introducing smart rules for scaling based on parameters like CPU load, or even proactively warming up instances before expected traffic spikes. The goal is to ensure optimal performance during peak usage hours, but prevent unnecessary expenses during quieter times.

If you operate globally, you also need to distribute your system across regions to minimize delays for users accessing services from various parts of the world.

They say if you want to go fast, go alone. But this is poor advice when it comes to implementing identity verification. Being a high-stakes task, identity verification requires a unique skill set and deep expertise in narrow fields, such as document forensics and biometric checks. That’s why we believe that choosing a reliable partner who already knows the field inside out is key to success.

If you treat identity verification as more than just a box to check, then look for a reliable SDK or API provider with a proven track record in identity verification. This choice can help you steer clear of various pitfalls, from avoiding the need to manually brush up on a ton of data to detecting imposters and other types of identity fraud. 

Another benefit of opting for a ready-made solution is cross-platform compatibility. This means you can sidestep additional expenses associated with developing separate solutions for web and mobile platforms.

If you’d like to learn more about how you can create an identity verification process with Regula and what makes it a game changer, get in touch with us today and book a personalized demo.