Identity Verification Solution Features & Functionality
All too often, organizations evaluate vendors on a limited set of purchase criteria (e.g., price per verification, geographic scope). But, there’s a fair amount of nuance in what different solution providers bring to the table. At Jumio, we want to make you a smarter, savvier buyer. Explore the following features & functionalities to learn what Jumio has to offer and what we think you should look for in a reputable solution.
- Machine Learning @ Scale
- Data Tagging
- Audited Data
- Liveness Detection
- Geographic Coverage
- ID Version Support
- Expired IDs
- KYC, AML and BSA Compliance
- Human Review
- Trend Spotting
- Omnichannel Support
- Blur & Glare Detection
- Barcode & MRZ Scanning
- PCI Compliance
- Black & White Detection
- Document Verification
- Getting a Definitive Answer
Machine learning (ML) is used by many ID verification solutions, so you often have to dig into their process for training the algorithms. It starts with the size of their database of good and bad (i.e. fraudulent) transactions. The larger the dataset, the smarter the algorithms. Machine learning models can be created for many different use cases, such as blur detection and bad image quality detection which requires a large volume of good transactions to better train the algorithms.
Some solution providers literally fake the data and will use computer programs to take a single sample image and then make hundreds of variants of that ID (which, unfortunately, do not simulate the real world). Make sure you understand the volume and scope of an identity verification provider in terms of the number of global verifications they have performed.
While big data is important, you also need to have the data intelligently tagged. Some vendors leverage verification experts to tag IDs—both good and rejected images—to help train ML algorithms, tagging the images based on:
- Was the image scuffed?
- Was the ID hole punched?
- Which country was the ID from?
- Was there glare?
- Was part of the picture obscured by a thumb?
By tagging tens of thousands of IDs in this manner, the algorithms that feed machine learning get smarter, faster and learn how to recognize these patterns automatically.
Without auditing the verification history, the only way to know if they’re getting it right is by having their customers catch and notify them of incorrect verifications. Look for solutions that audit 10-20% of transactions to ensure that their verification engine is correctly flagging fraudulent IDs and green-lighting your good customers in a timely manner. With machine learning becoming so integral to modern verification solutions, the audit serves as a powerful check to improve system accuracy and ML algorithms.
Increasingly biometric facial recognition is being used to combat fraudsters who attempt to use static images or a pre-recorded video to “fake” their identity. A common problem with smartphone-based solutions is fraudsters can simply take a picture of an ID and using that image as proof of their identity. With biometric facial recognition and liveness detection better identity solutions can combat fraudsters who attempt to use static images to “fake” their identity.
It’s important that these liveness checks don’t take too long or become too onerous for legitimate users.
By embedding liveness detection into the account setup process, financial services organizations can significantly impact fraud without impacting the customer experience. Just the requirement of taking a selfie will often have a chilling effect on would-be fraudsters who don’t want their actual likeness captured for posterity.
Depending on the geographic diversity of your user base, this may or may not be an important consideration. What’s important is whether your provider can support the countries, languages, and ID types of your user community. It’s not just a matter of driver’s licenses and passports, you may also want to support ID cards as well. Most of the larger identity verification players can support multiple countries because they can read the MRZ on passports, but many of them cannot support other ID types (e.g. ID cards).
Another important consideration is a solution provider’s ability to support all the possible versions and permutations of a particular state’s driver’s license. In some cases, there may be as many as 15 versions of a particular driver’s license—some issued 5 years ago, some issued 10 years ago, some printed in landscape, some in portrait, some for commercial drivers and some for driver’s permits—each with their own unique set of security features.
Many DMVs and passport offices use a hole punch to mark a license or passport as invalid. The most common time this is done is when you renew your license/passport, and they punch the old one.
Since the one you’re looking at is not expired, it’s been invalidated for another reason. Most likely, the license was suspended and the individual was issued a non-driver ID or a restricted DL in its place. The department punches holes in your invalid passport before sending it back to the user, officially canceling it. A canceled and returned passport cannot be used for identification in any circumstance, including passport renewal. Unfortunately, many ID verification solutions cannot detect hole punches in drivers licenses and passport because of the limitations of their ML algorithms. The lesson is, make sure your identity verification solution can detect and invalidate IDs with hole punches.
New regulations not only accept that electronic means of ID verification are as valid and trustworthy as in-person identity verification, but stresses the advantages of electronic ID and identity verification for account opening, record keeping, and high-value transactions monitoring.
When done via a smartphone or desktop webcam, identity verification based on ID document authentication presents an elegant solution for complying with Know Your Customer (KYC), Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) regulations without inconveniencing customers. Modern online identity verification solutions go beyond verifying the authenticity of a government-issued ID. They confirm the presence of the account holder. When the customer takes a selfie with their smartphone, the selfie image is compared instantly to that of the ID document tying the ID to the owner in real time, at any time and from anywhere.
The fact is humans can often see patterns that automation and machine learning can’t. But, there’s a pretty steep learning curve when it comes to visually inspecting IDs from around the globe. Just consider the number of global IDs, each template embedded with a unique set of security features, data positions, font types (and font size), and other distinct characteristics. This expertise takes time to learn, so make sure to ask how large is the verification team, how experienced, how are they trained, and how long has the team been in place.
In addition to understanding the makeup of the manual verification team, you should also ask how long does it take, on average, to complete manual/human review. Unfortunately, for many solution providers new to human review, these teams can take hours—not seconds or minutes—to successfully complete a manual review. This is critical to onboarding new customers and new bank accounts with minimal abandonment during the signup process
Let’s say a fraud ring figures out how to doctor Nepalese driver’s licenses. For most automated solutions, it would take some time to hard code the logic into its algorithms. The more transactions captured by a identity verification provider, the more business intelligence baked into their solutions, and the more nimble the solutions (in terms of processes to alert human reviewers), the faster these companies can identify and respond to fraud patterns. Global solution providers that verify millions of transactions each year are better positioned to identify these patterns in real-time and adapt quickly since the verification teams can be instantly alerted to pay special attention to Nepalese driver’s licenses.
Many ID verification solutions only support smartphone image capture and exclude other channels such as desktop webcams. By excluding webcams, these vendors are excluding large market segments who are more comfortable on their desktop and laptop computers. A significant share of online verifications are based on images can be captured by webcams depending on the application and use case.
Being omnichannel also means supporting API-based, mobile web and native mobile implementations. For companies looking to cast the widest possible net, including some older people who may not be comfortable with newer technology, it just makes sense to ensure that your identity verification solution offers the broadest number of channels to your users.
While the cameras embedded within today’s smartphone provide crisp, high resolution pictures. Unfortunately, this is not true for older phones or for photos captured with many webcams. If you allow webcams for image capture, you need a way to alert your users/customers when the image is blurry, fuzzy, or just has too much glare so they can retake the picture and course correct. Blur detection provides that functionality and lets financial service organizations modify thresholds to meet their needs.
Most ID and Identity solution providers can read the barcode on the backside of driver’s licenses and the MRZ (machine readable zones) on passports. A user’s first and last name, date of birth, and contact details can quickly be extracted from the barcode/MRZ. But, how well does your identity provider read these areas if the barcode or MRZ is damaged or unreadable? Does the identity vendor check to make sure the data extracted from the barcode/MRZ matches the information on the front side of the ID and/or match the picture to the selfie taken?
The Payment Card Industry Data Security Standard (PCI DSS) requires companies that accept credit cards to host the data securely with a PCI-compliant hosting provider. Unfortunately, only a handful of verification solution providers are PCI compliant and have had their policies, processes, and controls independently tested to ensure that credit card or PII data is handled in a secure manner. This also means that the verification vendor extracts, redacts (masks), and stores merchant’s credit card information while adhering to PCI DSS, reducing customers’ internal processing and operational costs.
Over the years, the regulatory authorities have tried all manner of tactics to combat fake driver’s licenses and passports. Holograms. Water marks. Since all legitimate IDs are issued in color, it’s important to only accept colorized IDs and be able to detect which ones are, in fact, black and white. Black and white images are often copies of the original ID but can be doctored.
NOTE: Some government IDs may use sepia or black and white photos, but the IDs themselves are always in color.
While most of the leading identity solutions can distinguish black and white images from color images of government-issued IDs, it’s important to make sure this box gets checked too.
Online document verification allows businesses to quickly extract data from supporting documents such as utility bills and credit card and bank statements using their smartphones. This information can add an additional layer of identity proofing and ensures that a user is who they claim to be. Look for solutions that can extract data in less than ideal circumstances like scanning crumpled documents. Better solutions have the ability to extract Latin-based (including those written in English, French, Spanish and Italian) and Chinese characters to include broader document support.
Most organizations don’t have the personnel or requisite skillset to get a list of suspect transactions. What most companies want, and usually demand, is a definitive “yes” or “no” that tells whether they should accept or reject the user. More importantly, better verification solutions will return additional information about why an ID was rejected (e.g., because the photo taken was a photo of a computer screen) or why an selfie was not accepted (e.g., because the selfie is actually a photo cropped from the physical ID).
These extra details are exceedingly valuable for banks and financial service organizations to improve conversion rates and lessen the friction of its users. Without a simple “yes” or “no” solution, these good users would be rejected out of hand without given the chance to course correct. Unfortunately, many online solutions return only a score. For many automated solutions, online verifications fall into three categories—clearly good, clearly bad, and a large middle-ground of gray (or “iffy”) transactions. Better hybrid solutions rely on human review to better verify the suspect transactions and improve overall verification accuracy.