Language

28 May 20247 min readin ID verification & biometrics

The Full Story Behind Selfie Identity Verification

Andrey Terekhin

Head of Product, Regula

In April 2024, the personally identifiable information (PII) of over five million of El Salvador’s citizens was leaked on the dark web. Among full names, emails, and residential addresses, the data dump also included the citizens’ headshots labeled with their Salvadorian documents’ identification number (DUI). The incident poses many potential risks associated with identity theft and fraud, including using the PII data in scams and money-muleing schemes.  

Since the data breach affected over 80% of the country’s population, this case highlights the vulnerability of a biometric component many companies use to identify and authenticate customers online. 

Selfies have become commonplace in remote verification scenarios. However, can they be a sufficiently reliable and secure way to confirm customers’ identities? In this article, we’ll find out.

Stay Tuned!

We'll deliver hand-picked content from Regula's experts into your inbox

A short explanation of selfie ID verification

Selfie identity verification involves a person taking a photo of themselves to verify their identity remotely. In different scenarios, users can present one or several shots, or record a video by performing a sequence of tasks, such as smiling or rotating their head.  

Once the user has submitted their selfie, it is compared against a reference image from the company’s database and/or their photo in their government-issued ID. 

The technology is broadly used during customer onboarding and authentication, frequently in conjunction with database and identity document verification.

Selfie ID verification as a means for online user verification is recognized and outlined by many regulators in various countries. For example, here are some details the UK’s Government Digital Service mentions in its guide describing the process:

  • The individual must be present when their image or video is captured; i.e., a scan or an upload from a photo or video feed cannot be submitted.

  • The image or video must not have been intercepted and reused (“replayed”).

  • The image or video of the person must be compared to a genuine image or video.

  • The image or video must be shared in a way that prevents it from being fraudulently changed.

Usually, selfie ID verification is just a step in the process of identification and authentication:

Selfie verification scheme

What are the major components of the selfie identity verification process?

When zooming in, the check specifically includes at least three stages and takes a few seconds: 

  1. Selfie capture: The user takes a selfie (one or several shots) or records a video and submits it to the app or web service.

  2. Selfie analysis: The user’s selfie is matched against their reference image in the database or their ID photo. If there is a match, the user is verified as legitimate.

  3. Liveness detection (optional check): During facial recognition, it’s critical to check that it’s a real person in the selfie, and not a spoof (for instance, a deepfake, mannequin, or mask).  

Selfie verification requires a good quality image. For this reason, it’s critical to provide users with some prompts at the first stage. This helps them take an image of proper quality on the first try. Technologies under the hood of facial verification solutions, such as Advanced Image Capture, can also assist in the process. 

During selfie analysis, the software searches through a database of known faces to determine if there’s a match. This process uses a one-to-many approach (1:N), where one photo is compared to many photos in the database (N).   

Liveness checks can detect whether non-anthropomorphic attributes are in the selfie. They include, but are not limited to, 2D paper photos, human-like dolls, wax heads, mannequins, artificial skin tone, moiré noise, and unexpected shadows typical of deepfakes. 

There are two types of liveness checks: active and passive. The former, which was first employed, requires a series of photos or a video to perform a check. It also implies more engagement from the user. In passive liveness, one image is enough to perform a check. This reduces friction and makes the flow more hassle-free for customers. 

Though it is strictly optional, liveness detection is a must for establishing a secure selfie ID verification process.

Why is this technology worth using?

Selfie identity verification is a good asset to adopt among your other security measures. The benefits of the technology include: 

  • User-friendliness: Many people have taken a selfie at least once in their life. Also, many use face scans to unlock their smartphones and post front-camera photos on social media. That means that requesting a selfie during registration won’t cause a problem for most users. 

  • Smooth and quick process: Typically, the process from capturing to verification takes mere seconds. In the case of passive liveness, only one image is required. At Regula, we also provide a one-shot verification check, in which both selfie and ID are captured at once and verified immediately. 

  • High accessibility: Compared to other types of biometrics, such as fingerprints, facial recognition is one of the most accessible ways to complete verification for users from diverse demographics. 

  • Additional security layer: As just a small part of the entire IDV flow, selfie verification in conjunction with liveness detection can prevent a number of impersonation attacks in which fraudsters try to use someone’s identity to skirt security measures. 

When developing verification procedures, companies often overlook tiny details which are crucial for their customers. Discover the major IDV-related concerns of end users by reading this article: Customer Identity Verification: What Clients Really Need

What are some potential pitfalls?

As with any technology, selfie ID verification has drawbacks. Here are some key ones to consider when using this method: 

  • Low security level: When used alone, selfie identity verification demonstrates a low resistance to sophisticated attacks. For example, with the high availability of photos on social media, scammers frequently use these images during onboarding.  

  • Biased algorithms: Facial recognition still remains imperfect in terms of accurate verification of people of different nationalities and ages. This means you may face an increase in false positives when targeting specific customer groups.

  • Privacy concerns: Some clients feel uncertain when it comes to submitting their biometrics to third parties. It’s critical to ensure that their data will be stored properly. (The case of El Salvador shows these fears are far from groundless). 

Is selfie ID verification compliant with KYC requirements?

In many countries, selfie verification solutions aren’t robust enough to comply with regulators’ anti-money laundering (AML) policies and Know Your Customer (KYC) requirements. 

The US Department of Commerce, through the National Institute of Standards and Technology (NIST), defines low, medium, and high security levels for registration and proof of identity verification. While the low level doesn’t require linking the user to a specific real-life identity, both medium and high security levels imply more scrutinized verification checks. However, selfie verification alone isn’t enough to verify a user, more evidence of the person’s identity is needed: for instance, ID document(s), invoices, utility bills confirming an address, etc.

Nevertheless, selfie submission is a commonplace in the KYC procedures of many US organizations. For instance, the Internal Revenue Service requires selfie verification along with a government-issued ID to grant access to certain online resources.  

In some regions, the technology is not considered sufficient for AML/KYC purposes. In the EU, eIDAS serves as one of the leading AML/KYC frameworks. Since it implies using electronic identification (eID), selfie identity verification is excluded from the flow. To obtain an eID, customers must apply to one of the trusted eID providers, which often require in-person or video verification.

Real-life examples of selfie verification

Despite not being flawless, the technology performs well in particular use cases. Here are four common scenarios when you can rely on selfie identity verification:

  • An extra step in customer onboarding: Some digital businesses which mostly operate with small transactions, such as services companies, car-sharing and telecoms operators, can utilize selfie verification when identifying new users.

  • Check-in security enhancement: Confirming a person’s identity through a selfie check is broadly used by hotels and airlines as a part of the self check-in procedure with mobile apps and kiosks.  

  • Transaction confirmation: Completing selfie verification can also be utilized for approving payments during online banking. 

  • Instant access to digital platforms: A selfie check can be incorporated into the multi-factor authentication flow for users of online education services and marketplaces, including those who haven't logged into their account for a long time.  

Regula provides a face verification SDK that can be seamlessly implemented into your current process. With Regula Face SDK, you can build a customized flow considering the preferences and demographics of your target audience. Book a call with one of our representatives to discuss your case in detail.

Regula Face SDK

Reliable enrollment with a seamless UX

On our website, we use cookies to collect technical information. In particular, we process the IP address of your location to personalize the content of the site

Cookie Policy rules