If your business operates online, you likely already know just how important identity verification is — not only from a regulatory standpoint, but from a customer protection standpoint as well.
Unfortunately, cybercriminals and identity thieves continue to grow more and more sophisticated in their attempts to skirt verification and authentication tools and techniques. This means your identity verification processes aren’t something you can set and forget. They must constantly evolve to meet the challenges thrown at them by bad actors.
The good news is that recent advancements in biometric verification — such as the development of liveness detection — has made verification processes like selfie identity verification more powerful, sophisticated, and secure.
Below, we define selfie identity verification and liveness detection, explain how they work together, and walk through the challenges they address. We also detail selfie verification’s potential shortcomings and outline other tools and techniques you may want to pair it with in order to form a truly robust verification process for your business.
What is selfie identity verification?
Selfie identity verification is exactly what it sounds like: a verification process that requires the user to take and submit a selfie in order to have their identity verified. It’s also sometimes known as selfie authentication or, simply, a selfie check.
Selfie verification is a form of biometric verification that is typically paired with other verification techniques — such as database verification and document verification — and rarely used on its own.
Sometimes, selfie verification will require multiple selfies — for example, a selfie looking straight at the camera, as well as profile selfies looking left and right — for additional security against photo deepfakes and other attempts to fraudulently get past the verification step. Likewise, video verification has become increasingly popular.
What is liveness detection?
In biometrics, liveness detection is the ability to detect whether a sensor is viewing a live biometric sample — as opposed to a recording or digital replay, picture, print, mask, or other non-living spoof. This typically happens in the background, as soon as the user provides an image, such as a selfie.
Liveness detection typically uses sophisticated algorithms that analyze a variety of data to reach a conclusion as to whether or not the subject is a real, living person or a spoof.
Depending on the use-case, liveness detection may leverage data such as:
- Image data: This is the data directly contained within the image itself. Facial measurements, skin texture, various face ratios, light and shadow analysis, and depth signals all fall under this category.
- Metadata: This is the data contained within the image file. When and where a photo was taken, for example, are important pieces of metadata that can help a system detect liveness.
- Challenges: Challenges ask the individual to perform a specific action — such as turning their head, making a random face, or holding a particular object within the frame of the photo — when they take a selfie or video. Because these are hard to fake, they can be very effective against stock images that may be used in spoofing attacks. Challenges are also called active detection techniques.
- Reflexive signals: Human reflexes such as breathing, blinking, and eye dilation are difficult to fake. As such, reflexive signals can be leveraged in cases where a user submits a selfie video, as opposed to a single still image.
How does selfie verification work?
Exactly where in your identity verification process you choose to leverage selfie verification will depend on the unique needs of your business.
For example, if you work in a high-risk industry or one that is subject to intense regulatory scrutiny (such as financial services or other industries subject to KYC and AML requirements) you might require all users submit a selfie for verification as a part of the account creation process.
Alternatively, you might choose to only require selfie verification in cases where the risk of fraud is deemed to be greater — perhaps due to actions taken by the user, or because of passive or device signals (e.g. their IP address doesn’t line up with their residential address). This process, known as progressive risk segmentation or dynamic risk segmentation, can help you build a robust verification process while also minimizing friction.
In either case, selfie verification typically works like this:
- The user takes and submits a photo of their government-issued ID, such as a driver’s license, mobile driver’s license (mDL), or passport.
- The information from the ID is cross-checked against official databases as well as other user-supplied information to check for discrepancies.
- To confirm that the user is in fact the person on the ID, the user is asked to take and submit a selfie or series of selfies.
- The user-submitted selfie or video is then analyzed for liveness detection and cross-checked against the photo in their ID.
What challenges does selfie identity verification solve?
In most cases, selfie verification is used as a second layer on top of other verification techniques, such as document verification and database verification. This second verification layer allows you to take a more holistic approach to identity and reduce the incidence of spoofing and identity fraud in online transactions.
Beyond this, selfie verification can specifically be used to solve a number of verification challenges, including:
Protection against database breaches
Identity verification typically requires an individual to submit sensitive information — such as their Social Security number, date of birth, driver’s license number, etc. — which is checked against official sources, such as a third-party database or a photo of a government-issued ID. Unfortunately, all of this information can be subject to database breaches. SSNs, dates of birth, legal names, and even photos of IDs themselves have all been stolen from databases by hackers in the past.
For this reason, in cases where an individual has had their information stolen in a database breach, catching instances of identity theft or fraud using standard verification methods can be especially challenging.
In these cases, selfie verification with liveness detection provides an extra layer of security. Even if a hacker has stolen sensitive information; even if a hacker has stolen a government-issued ID; even if a hacker has a photo of the individual — it’s extremely challenging to fool well-implemented liveness checks.
As discussed above, selfie verification can be leveraged not only during the account creation process, but also for periodic reverification — such as when a user logs in, fails an authentication check, or initiates a high-risk action.
The best part is, when used in this way, selfie checks don’t just improve the security of your users’ accounts; they also do so in a way that minimizes friction.
No one wants to be asked to re-scan an ID or re-enter sensitive information as a part of a reverification process. Doing so can be tedious and time consuming. But taking a selfie is fast and easy, allowing selfie reverification to bolster security without negatively impacting your user’s experience.
Is selfie verification foolproof?
While selfie verification can be a powerful tool, it’s unfortunately not foolproof.
Potential for false negatives
Selfie verification relies on facial recognition and other related technologies. While these technologies have progressed rapidly in recent years, there is evidence that they are not free from bias, nor are they 100% accurate — even with liveness detection. For example, someone’s eyeglasses may fool the system into thinking it's a reflection on a screen, or a low-resolution photo may trick the system into thinking it’s a digital replay. These shortcomings may increase the risk of false negatives during the verification process, which may result in legitimate users being denied verification.
The rise of deepfakes
While selfie verification and liveness detection can be extremely effective at identifying and stopping a variety of spoofing techniques — such as recordings, digital replays, masks, prints, etc. — deepfakes do present a challenge.
Deepfakes are digitally created images, video, or audio of individuals saying or doing things that they haven’t actually said or done. While early deepfake attempts were rather rudimentary, they have grown increasingly sophisticated in recent years, and can sometimes get past selfie verification.
For these reasons, it’s crucial that your identity verification processes include a variety of different verification technologies and techniques.
Just one piece of your verification toolkit
If you are considering incorporating selfie verification into your verifications toolkit, incorporating additional verification solutions can help you cover the blindspots discussed above and build a truly robust process. These include:
- Document verifications: Document verification typically requires a user to take a photo or upload documents such as a government-issued ID, business documents, or other supplemental documents. This usually forms the bedrock of most verification processes.
- Database verifications: Database verifications allow you to cross check user-supplied information against third-party databases, such as DMV records and IRS records, which can help you determine whether the individual exists in these databases.
- Device signals: Device signals such as the user’s IP address, device fingerprint, meta data, GPS data, and whether or not a user is leveraging a VPN to mask their location can all offer additional insight as to whether the person is who they say they are.
- Biometric authentication: In instances where selfie verification is used for identity authentication purposes, it may be prudent to pair it with other forms of biometric authentication.
- Behavioral signals: This includes signals such as hesitation or distraction events, mouse movement, keyboard strokes, and the use of developer tools like copy and paste, each of which helps to inform the system as to whether or not an action is being completed by a living person.
Incorporating selfie verification into your processes
Here at Persona, we understand both the value offered by selfie identity verifications, as well as its potential limitations. We’ve baked this understanding into our Verifications solution in order to offer the most robust tool possible.
Verify your users and customers in the way that makes sense for your business, whether that involves selfie verification or not. Leverage Dynamic Flow to implement progressive risk segmentation and introduce (or scale back) friction on a case-by-case basis. Automate as much or as little of your processes as you see fit.
Interested in learning more? Start for free or get a demo today.