9-Step Guide to Choosing the Best Identity Verification Software

If you ask any forensic expert how to verify ID documents reliably, they will likely give you the following answer: first of all, make sure you have a physical document at hand. The reality, however, is often far from such ideals. In the face of digital transformation, the capture process largely determines the check’s credibility.

At the capture stage, an identity verification solution should cope with two things:

• recognize the submitted document

• and assess its quality.

The thing is that software solutions use the capabilities of the user’s device, and rely on the user’s accuracy at taking photos. A bad camera, poor lighting, glares, or a skewed image make it difficult to read the information. This may lead to either errors or asking users to re-take photos over and over again until they meet the quality requirements.

The best solutions can assess an image's quality and fine-tune it if necessary: adjust brightness or contrast, remove glares, or deskew the photo if it was shot at an angle.

As for document type recognition, it’s mostly a matter of UX. Unfortunately, many identity verification solutions still add two extra steps in the user journey: “choose your document type” and “choose your country.”

You can avoid making your users do extra clicks and typing by choosing a solution that identifies the document type and its origin country. As simple as it sounds, such capabilities require the vendor to invest a lot of time, money, and effort into creating a comprehensive document template database (we’ll discuss it in detail in Step 5). For now, let’s just make a mental note that, ideally, your identity verification solution should do most of the work automatically.

• Does your solution identify the document type automatically?

• Does it assess the document image quality? What are the criteria?

• Can it enhance the image’s quality to improve the data's readability?

Identity verification solutions must comply with ICAO and BSI guidelines for checking international documents, visas, etc. For domestic ID documents, though, there may be their own variants of execution of security features that require specific checks.

Ideally, an identity verification solution should offer a check for each aspect: both standardized international features and local characteristics. The denser the coverage with checks, the more credible the conclusion about the authenticity and validity of the document.

You can judge a vendor to provide first-class performance when their solution performs a long list of checks, plus runs massive cross-checks comparing the data from different elements to make sure they match.

• Automatic document type identification

• Visual inspection zone verification

• MRZ validation

• Barcode type and format reading and validation

• Document liveness check (includes checks of holograms and screenshot detection)

• RFID chip detection and reading

• Crosschecks of the data fetched from different elements

Download the full list of required document checks [PDF, 6 pages, 337Kb]

A radio-frequency identification—or simply RFID—chip is a tiny device that modern electronic ID documents contain. RFID chips store document holders’ data. The ICAO (International Civil Aviation Organization) strictly regulates the exact list of the data encoded in the chip. 

Usually, reading this information entails using special passport readers or NFC technology built into mobile phones. You should be especially careful if it’s the latter. In the case of a remote process, there’s a risk that fraudsters can intercept and modify verification results. That’s why a good vendor needs to practice a zero-trust-to-mobile approach.

In practice, the data needs to be re-verified to ensure the chip is not cloned or its data manipulated.

Here’s an example of how Regula tackles this issue. RFID sessions can be re-verified on a server side in addition to the checks conducted on mobiles. Thanks to this, the data of the check is impossible to compromise. All this is done strictly on-premises: the results of the verification session are stored on a customer’s server, so it’s possible to get back to them afterward. This approach is considered the most reliable and secure way to verify a document with an NFC chip.

• Does your identity verification solution read and verify an RFID chip?

• Can it read the information encoded in the chip?

• Do you apply a zero-trust-to-mobile approach? If so, how exactly it works in your solution?

Validating the ID document is just a part of identity verification. Another part is ensuring that the person submitting it is the legitimate holder. That’s done with the help of biometric checks.

Biometrics is a broad term that may imply a wide range of checks: face, fingerprints, voice, or even iris recognition. Most of them are overkill for regular business’ digital onboarding, but state authorities can require them, for example, when you apply for a visa. The most common way to run a biometric check for business is by using face biometrics.

The process is simple: the user takes a selfie, then the technology matches that photo with the photos in the submitted ID document (e.g., in the visual inspection zone and the RFID chip), and flags if there’s anything wrong.

The essential feature of a proper face recognition module is liveness detection. That means you need not only to determine that it’s the same person in the photographs, but also to make sure that the selfie is real. Sometimes attackers try to pass off an edited photo as a real selfie. Sometimes, they might use various masks and even deepfake technology. A good identity verification solution should be able to detect such issues.

There are two types of liveness verification: passive and active. A passive liveness check implies the use of a static selfie, while active liveness requires the user to perform a series of simple movements: rotating the head, moving closer or further away, etc. Naturally, an active liveness check is a more advanced and reliable method.

• Do you have biometric authentication? 

• What components does it include (face detection, face matching, face search, age verification, etc.)?

• Do you provide active or passive liveness checks?

• What PAD (biometric fraud) do you protect from?

Cutting-edge technologies on their own aren’t enough for thorough identity verification. The most reliable IDV requires a deep knowledge of identity documents. This usually comes in the form of a document template database containing detailed information for every document: layout, fields, data recording methods, security features, and more.

Gathering such a collection requires tremendous resources and a solid background in document forensics.

Ideally, your vendor should have seasoned forensic experts on their team to guarantee the comprehensiveness of templates and competent maintenance of the database. The importance of this cannot be overstated. If the vendor has thoroughly examined thousands of document types, its software solutions can easily distinguish one from another, fully read them, and extract the required data, therefore effectively verifying them as a result.

The database needs to be extensive, as even within one country, there can be multiple versions of a document based on the date of issuance. Considering the frequent renewal and re-issuance of identity documents, the database should be regularly updated too.

Cooperation with international organizations and security agencies is also a point in favor of the provider. Established relationships help them regularly expand the database with new document types and share the best practices in detecting document fraud.

• How long have you been operating in the identity verification industry?

• Are there experts on your team with hands-on experience as forensic analysts?

• Do you have a document template database? How many items does it include?

• If there is no document in the database, how long does it take to add?

• Is it proprietary or bought from third parties?

Reliability and completeness of checks are all good, but they won’t be of help if the integration process takes ages and blows up your budget. The pressure comes from multiple sides.

On one side, there are regulators whose requirements are better met sooner than later. Then, there’s also your product and workflows, which will likely demand some customization from the identity verification solution. Add to it a learning curve that, for some solutions, can be rather steep, hence, lengthy.

• Is it possible to build your solution into a web app?

• How fast will we be able to get up and running?

• What does the integration process look like?

• What customization options does your solution offer? Are they available out of the box, or will they require additional configuration/costs?

Regardless of the industry, safeguarding customer data is of the utmost importance. Therefore, it’s crucial to find out how your identity verification provider addresses the matter. When it comes to working with customers’ personally identifiable information (PII) during identity verification, there are two primary approaches:

1. A Software-as-a-Service (SaaS) scenario, where vendors handle the storage and processing of customer data on their own infrastructure.

2. An on-premises approach, where you store and process your customers' PII within your own secured perimeter.

While the SaaS use case can save you time and the expenses associated with securing the data on your own, it’s even more critical to thoroughly examine the vendor’s procedures for customer data security and protection. Data breaches aren’t uncommon.

An on-premises option places a higher emphasis on data privacy and security. Since no third parties have access to PII, it reduces the risk of breaches. However, extra protection comes at a price. The maintenance of infrastructure and reliability for following security policies is on you, so you’ll need to budget resources for engineering and security training for employees.

• What type of solution do you offer: cloud or on-prem? 

• Do you collect and store the personal data of end users?

If it’s cloud…

• What certifications does your service have? (e.g., SOC1 type 2, HIPAA, etc.)

• Where can I read your security policy?

• What’s your service availability time?

Salespeople might be responsive before making the sale, but a company’s true colors show when a customer faces difficulties or has a request. If a vendor can provide prompt and professional technical support, it saves you a lot of time, effort, and headaches.

Ideally, it’s good to have more than one way to contact support: by phone, email, live chat, or messengers. In most companies, additional communication channels come with the premium support option. Such support may include a dedicated manager, and the ability to communicate with the vendor’s team in real time, 24/7.

If this option is not available, pay attention to the response time SLA. This is the time in which the vendor commits to respond to a client’s issue. It’s usually defined by the support policy.

As for cases when a client needs off-hours assistance, the vendor’s website should provide all essential instructions, guides, and FAQs. Comprehensive documentation should answer 90% of questions, so pay attention to how thoroughly it is made, if it includes demo examples, how often it is updated, and if it’s localized to your language.

• What’s your response time for support requests? 

• Do you have a premium support option?

• Is support documentation comprehensive and easy to navigate?

If you made it through the nine steps above, you can confidently trust the results. Still, it’s always a good idea to look for additional social proof from companies who have already succeeded in what you’re trying to achieve. 

Here, we advise you to conduct your own research and find as many reviews about the vendor as possible. The first go-to source of information is the case study section on the vendor’s website. There, you can look for stories from customers from your niche and find relevant use cases. For example, if you’re a crypto platform on a quest to deploy KYC, then KYC-related cases from banks will also give you valuable insights.

Also, pay attention to who a vendor’s existing customers are. The presence of well-known names is a good sign. If the vendor has state-level organizations and security agencies, such as border controls, among their customers, it’s also great, because they have the strictest requirements for identity verification.

Also, you may want to research what media say about different vendors. Consider exploring not only so-called tier-one resources, such as The New York Times or Business Insider, but focus more on industry-specific publications that specialize in covering identity verification and cybersecurity. This approach will broaden your research and provide a more comprehensive understanding of different vendors' reputations. Among such media outlets are:

• Biometric Update

• Help Net Security

• Infosecurity Magazine

• Source Security

• BetaNews

• Identity Week

• Find Biometrics, and others.

• Are there any references available in open sources from customers in my industry? Can the vendor provide those references on request?

• Are there relevant use cases in the vendors’ customer success stories?

• Are there any mentions of the vendor in industry and/or tier-one media?

There you have it: our 9-step guide on choosing the best identity verification software. Now, we’d like to hear from you. 

Are there any tricky aspects you’re struggling with? 

Or maybe you have already completed some of the steps and short-listed some vendors? 

Either way, let us know by getting in touch on LinkedIn or by clicking “Contact us” right here.