NFC and the GOV.UK guidelines on verifying someone's identity
The UK government (Government Digital Services, GDS) has updated its guidance on how to prove and verify the identity of a customer or an employee, also referred to as Good Practice Guide (GPG) 45. We summarize this guidance here and explain how ReadID’s NFC-based identity verification fits in this guidance.
The British ‘identity checking’ process consists of five parts:
- (a) Get evidence of the claimed identity;
- (b) Check the evidence is genuine or valid;
- (c) Check the claimed identity has existed over time;
- (d) Check if the claimed identity is at high risk of identity fraud;
- (e) Check that the identity belongs to the person who’s claiming it.
Each part produces a score (1 to 4) and the different combinations of scores are known as ‘identity profiles’. An identity profile relates to a level of confidence: low, medium, high, and very high. The aim is to get a higher level of confidence in someone’s identity if the service involved is at high risk of identity-related crime.
Please note that although the guidance states it aligns with the EU’s eIDAS regulation, the levels of confidence differ from those in the eIDAS implementing act on assurance levels. In particular, confidence level high seems even higher than eIDAS High. The GOV.UK Verify online identity verification scheme currently only supports the lowest two levels for public services. For most (private) service providers, levels medium and high are most interesting, as they are acceptable for services that need to comply with regulations such as KYC and AML.
The good news is that the revised guidance includes new ways of verifying identities remotely, such as NFC-chip reading of an ICAO 9303 compliant identity document. This is what we support with ReadID. More specifically, with ReadID the maximum score of 4 for part (a), ‘Get evidence of the claimed identity’, can be achieved. For part (b), ‘Check the evidence is genuine or valid’, it will result in the second-highest score. In order to obtain the highest score for this part, additional checks need to be done. These checks include a confirmation that the identity document has not been cancelled or reported lost or stolen, and that its visible and UV/IR security features are genuine. The latter basically implies that for a score of 4 on part (b), a physical identification process is required.
The third part of the identity verification process ‘Check the claimed identity has existed over time’ is out of scope for ReadID as it involves digital activities of the customer or employee such as credit card transactions, student loan repayments, mortgage payments, and gas or electricity account payments. Please be aware that it is not required to perform this part of the identity verification process to meet all the identity profiles.
Part (d), ‘Check if the claimed identity is at high risk of identity fraud’, deals with making sure that the claimed identity is not at a higher than usual risk of identity fraud or likely to be synthetic. This can be done by checking the details of the claimed identity against authoritative counter-fraud data sources, such as a national fraud database. The highest score obtainable for this part of the identity checking process is 3. ReadID will provide all the necessary data from the identity document to carry out further checks.
Finally, part (e), ‘Check that the identity belongs to the person who’s claiming it’, or what we usually refer to as the holder verification check, can easily be executed remotely by ReadID in combination with a selfie matching (biometric solution) provider. ReadID will read the high-resolution face image from the chip to make this possible. The selfie matching provider will compare this face image with a selfie taken by the user. This scores at least 3 points. Solid liveness or presentation attack detection mechanisms are key here to detect fraud. We have partners with such solutions, or you can select your own favorite provider.
Summarising, by verifying the NFC-chip of identity documents, ReadID can help you achieve "Score 3" or identity confidence level ‘high’ straight out of the box for parts (a), (b) and (e). ReadID does that remotely, making it, compared to alternative technologies, highly scalable and more convenient for users. Add a score 3 for the identity fraud part and you have an identity profile that meets a high confidence level. Very high cannot be reached with remote identity verification, but will rarely be requested by services.