What is selfie identity verification, and how does it work?

Learn about selfie identity verification and liveness detection, how they work together, the challenges they address, and their shortcomings.

⚡ Key takeaways
  • Selfie identity verification is a verification process that requires the user to take and submit a selfie in order to have their identity verified.
  • Selfie checks can offer increased protection against database breaches and serve as an easy way to reverify users.
  • While selfie verification is powerful, it's not foolproof — it may not catch 100% of deepfakes, and some false negatives may fall through the cracks.
  • As such, selfie checks should be just one piece of your verifications toolkit.

If your business operates online, you likely already know just how important identity verification is — not only from a regulatory standpoint, but from a customer protection standpoint as well.

Unfortunately, cybercriminals and identity thieves continue to grow more and more sophisticated in their attempts to skirt verification and authentication tools and techniques. This means your identity verification processes aren’t something you can set and forget. They must constantly evolve to meet the challenges thrown at them by bad actors.

The good news is that recent advancements in biometric verification — such as the development of liveness detection — have made verification processes like selfie identity verification more powerful, sophisticated, and secure.

Below, we define selfie identity verification and liveness detection, explain how they work together, and walk through the challenges they address. We also detail selfie verification’s potential shortcomings and outline other tools and techniques you may want to pair it with in order to form a truly robust verification process for your business.

What is selfie identity verification?

Selfie identity verification is exactly what it sounds like: a verification process that requires the user to take and submit a selfie in order to have their identity verified. It’s also sometimes known as selfie authentication or, simply, a selfie check.

Selfie verification is a form of biometric verification that is typically paired with other verification techniques — such as database verification and document verification — and rarely used on its own.

Sometimes, selfie verification will require multiple selfies — for example, a selfie looking straight at the camera, as well as profile selfies looking left and right — for additional security against photo deepfakes and other attempts to fraudulently get past the verification step. Likewise, video verification has become increasingly popular.  

What is liveness detection?

In biometrics, liveness detection is the ability to detect whether a sensor is viewing a live biometric sample — as opposed to a recording or digital replay, picture, print, mask, or other non-living spoof. This typically happens in the background, as soon as the user provides a biometric sample such as a selfie or fingerprint scan.

Liveness detection typically uses sophisticated algorithms that analyze a variety of data to reach a conclusion as to whether or not the subject is a real, living person or a spoof.

Depending on the use-case, liveness detection may leverage data such as:

  • Image data: This is the data directly contained within the image itself. Facial measurements, skin texture, various face ratios, light and shadow analysis, and depth signals all fall under this category.
  • Metadata: This is the data contained within the image file. When and where a photo was taken, for example, are important pieces of metadata that can help a system detect liveness.  
  • Challenges: Challenges ask the individual to perform a specific action — such as turning their head, making a random face, or holding a particular object within the frame of the photo — when they take a selfie or video. Because these are hard to fake, they can be very effective against stock images that may be used in spoofing attacks. Challenges are also called active detection techniques.
  • Reflexive signals: Human reflexes such as breathing, blinking, and eye dilation are difficult to fake. As such, reflexive signals can be leveraged in cases where a user submits a selfie video, as opposed to a single still image.

How does selfie verification work?

Exactly where in your identity verification process you choose to leverage selfie verification will depend on the unique needs of your business.

For example, if you work in a high-risk industry or one that is subject to intense regulatory scrutiny (such as financial services or other industries subject to KYC and AML requirements), you might require all users to submit a selfie for verification as a part of the account creation process.

Alternatively, you might choose to only require selfie verification in cases where the risk of fraud is deemed to be greater — perhaps due to actions taken by the user, or because of passive or device signals (e.g. their IP address doesn’t line up with their residential address). This process, known as progressive risk segmentation or dynamic risk segmentation, can help you build a robust verification process while also minimizing friction.

In either case, selfie verification typically works like this:

  1. The user takes and submits a photo of their government-issued ID, such as a driver’s license, mobile driver’s license (mDL), or passport.
  2. The information from the ID is cross-checked against official databases as well as other user-supplied information to check for discrepancies.
  3. To confirm that the user is in fact the person on the ID, the user is asked to take and submit a selfie or series of selfies.
  4. The user-submitted selfie or video is then analyzed for liveness detection and cross-checked against the photo in their ID.

What challenges does selfie identity verification solve?

In most cases, selfie verification is used as a second layer on top of other verification techniques, such as document verification and database verification. This second verification layer allows you to take a more holistic approach to identity and reduce the incidence of spoofing and identity fraud in online transactions.

Beyond this, selfie verification can specifically be used to solve a number of verification challenges, including:

Protection against database breaches

Identity verification typically requires an individual to submit sensitive information — such as their Social Security number, date of birth, driver’s license number, etc. — which is checked against official sources, such as a third-party database or a photo of a government-issued ID. Unfortunately, all of this information can be subject to database breaches. SSNs, dates of birth, legal names, and even photos of IDs themselves have all been stolen from databases by hackers in the past.

For this reason, in cases where an individual has had their information stolen in a database breach, catching instances of identity theft or fraud using standard verification methods can be especially challenging.

In these cases, selfie verification with liveness detection provides an extra layer of security. Even if a hacker has stolen sensitive information; even if a hacker has stolen a government-issued ID; even if a hacker has a photo of the individual — it’s extremely challenging to fool well-implemented liveness checks.

Low-friction reverification

As discussed above, selfie verification can be leveraged not only during the account creation process, but also for periodic reverification — such as when a user logs in, fails an authentication check, or initiates a high-risk action.

The best part is, when used in this way, selfie checks don’t just improve the security of your users’ accounts; they also do so in a way that minimizes friction.

No one wants to be asked to re-scan an ID or re-enter sensitive information as a part of a reverification process. Doing so can be tedious and time consuming. But taking a selfie is fast and easy, allowing selfie reverification to bolster security without negatively impacting your user’s experience.

Is selfie verification foolproof?

While selfie verification can be a powerful tool, it’s unfortunately not foolproof.

Potential for false negatives

Selfie verification relies on facial recognition and other related technologies. While these technologies have progressed rapidly in recent years, there is evidence that they are not free from bias, nor are they 100% accurate — even with liveness detection. For example, someone’s eyeglasses may fool the system into thinking it's a reflection on a screen, or a low-resolution photo may trick the system into thinking it’s a digital replay. These shortcomings may increase the risk of false negatives during the verification process, which may result in legitimate users being denied verification.

The rise of deepfakes

While selfie verification and liveness detection can be extremely effective at identifying and stopping a variety of spoofing techniques — such as recordings, digital replays, masks, prints, etc. — deepfakes do present a challenge.

Deepfakes are digitally created images, video, or audio of individuals saying or doing things that they haven’t actually said or done. While early deepfake attempts were rather rudimentary, they have grown increasingly sophisticated in recent years, and can sometimes get past selfie verification.

For these reasons, it’s crucial that your identity verification processes include a variety of different verification technologies and techniques.

Just one piece of your verification toolkit

If you are considering incorporating selfie verification into your verifications toolkit, incorporating additional verification solutions can help you cover the blind spots discussed above and build a truly robust process. These include:

  • Document verifications: Document verification typically requires a user to take a photo or upload documents such as a government-issued ID, business documents, or other supplemental documents. This usually forms the bedrock of most verification processes.
  • Database verifications: Database verifications allow you to cross-check user-supplied information against third-party databases, such as DMV records and IRS records, which can help you determine whether the individual exists in these databases.
  • Device signals: Device signals such as the user’s IP address, device fingerprint, metadata, GPS data, and whether or not a user is leveraging a VPN to mask their location can all offer additional insight as to whether the person is who they say they are.
  • Biometric authentication: In instances where selfie verification is used for identity authentication purposes, it may be prudent to pair it with other forms of biometric authentication. This can include fingerprint or retinal scans, amongst other techniques.
  • Behavioral signals: This includes signals such as hesitation or distraction events, mouse movement, keyboard strokes, and the use of developer tools like copy and paste, each of which helps to inform the system as to whether or not an action is being completed by a living person.

Incorporating selfie verification into your processes

Here at Persona, we understand both the value offered by selfie identity verification and its potential limitations. We’ve baked this understanding into our Verifications solution in order to offer the most robust tool possible.

Verify your users and customers in the way that makes sense for your business, whether that involves selfie verification or not. Leverage Dynamic Flow to implement progressive risk segmentation and introduce (or scale back) friction on a case-by-case basis. Automate as much or as little of your processes as you see fit.

Interested in learning more? Start for free or get a demo today.

Frequently asked questions

What is biometric verification?

Biometric verification refers to verification processes that process a user’s physical traits in order to verify and authenticate their identity. Biometric verification can be completed with a variety of data points, including, but not limited to:

  • Facial scans
  • Fingerprint scans
  • Retina scans
  • Voice prints
  • Signature comparison

These data points are then typically compared against official records such as driver’s licenses or, in the case of identity authentication, data that was previously supplied by the user.

Selfie verification is a form of biometric verification. It allows you to cross-check a user-supplied selfie against the photos contained within their government-issued ID. Depending on the system that you use, for example, you might compare the facial geometry contained within a selfie against the facial geometry contained within a driver’s license or passport.

What are passive signals?

Passive signals, also known as device signals, are signals provided by a user’s device in the background as a part of identity verification. They can be an effective means of analyzing risk.

Passive signals may include things like the user’s IP address, location data, device fingerprint, browser fingerprint, various metadata, and whether or not a user is using a VPN to artificially change their IP address.

What is a selfie document?

A selfie document, also called selfie ID verification, is a form of identity verification that requires a user to take and upload a selfie while they are holding a government-issued ID such as a driver’s license. Typically, the government-issued ID will be next to or below the user’s face in the selfie.

This form of selfie verification serves two purposes. First, it allows for a rapid comparison between the selfie and government-issued ID. Second, by asking the user to complete a specific action — holding their ID in a particular way — while taking the selfie, it combats spoofing attempts that may rely upon artificially generated images or those taken from social media.

What is a real-time selfie?

A real-time selfie is simply a selfie that an individual captures and uploads at the moment that it is requested for identity verification, as opposed to a previously-captured selfie that the user selects and uploads from their gallery. Real-time selfies are also sometimes called real-time photo verification.

Requiring real-time selfies as a part of your verification process can help to combat spoofing attempts that leverage selfies taken from social media or elsewhere on the internet.
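
The challenge-based (active) liveness checks and the real-time selfie requirement described above both depend on the server being able to tell a fresh capture from a replayed one. The following is an added example, not Persona's code or API: a server-side sketch that issues a random action sequence bound to one session, then accepts a response only if the challenge is untampered, unexpired, and unused. The action names, the 60-second window, the `ChallengeService` class, and the idea that a separate video-analysis step reports `observed_actions` are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed action vocabulary; the article names head turns as one example.
ACTIONS = ("turn_left", "turn_right", "look_up", "blink_twice")


class ChallengeService:
    """Issues and redeems single-use, short-lived liveness challenges."""

    def __init__(self, key, ttl_seconds=60, clock=time.time):
        self._key = key              # server-side secret, never sent to the client
        self._ttl = ttl_seconds      # assumed freshness window for a real-time capture
        self._clock = clock
        self._redeemed = set()       # in-memory here; a shared store with expiry in production

    def _mac(self, session_id, nonce, issued_at, actions):
        # JSON list encoding keeps field boundaries unambiguous.
        msg = json.dumps([session_id, nonce, issued_at, list(actions)],
                         separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, n_actions=3):
        """Pick an unpredictable action sequence and bind it to this session."""
        rng = secrets.SystemRandom()
        actions = [rng.choice(ACTIONS) for _ in range(n_actions)]
        nonce = secrets.token_hex(16)
        issued_at = int(self._clock())
        return {
            "session_id": session_id, "nonce": nonce, "issued_at": issued_at,
            "actions": actions, "mac": self._mac(session_id, nonce, issued_at, actions),
        }

    def verify(self, session_id, challenge, observed_actions):
        """Return (accepted, reason). observed_actions comes from video analysis."""
        try:
            expected = self._mac(challenge["session_id"], challenge["nonce"],
                                 challenge["issued_at"], challenge["actions"])
            presented = str(challenge["mac"]).encode()
        except (KeyError, TypeError):
            return False, "malformed_challenge"
        if not hmac.compare_digest(expected.encode(), presented):
            return False, "tampered_challenge"
        if challenge["session_id"] != session_id:
            return False, "wrong_session"
        age = self._clock() - challenge["issued_at"]
        if age < 0 or age > self._ttl:
            return False, "expired"
        if challenge["nonce"] in self._redeemed:
            return False, "replayed"
        # Burn the nonce before checking actions: one attempt per challenge.
        self._redeemed.add(challenge["nonce"])
        if list(observed_actions) != list(challenge["actions"]):
            return False, "actions_mismatch"
        return True, "ok"


if __name__ == "__main__":
    svc = ChallengeService(key=secrets.token_bytes(32))
    ch = svc.issue("session-123")            # constructed session id
    print(svc.verify("session-123", ch, ch["actions"]))   # live capture, correct actions
    print(svc.verify("session-123", ch, ch["actions"]))   # same recording replayed
```

This check only establishes that the response answers a fresh, session-bound challenge; whether the face in the video is real and matches the ID photo is still the job of the liveness and face-comparison steps.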
