The Center for Data Innovation spoke to Husayn Kassai, co-founder and chief executive officer of Onfido, a London-based firm using image recognition technology to verify customers’ identities for online services. Kassai talked about the opportunities online ID verification opens up, and the challenges of dealing with forgeries over the Internet.
This interview has been edited for clarity.
Nick Wallace: Onfido uses artificial intelligence to verify customers’ identities online. Why is it difficult to authenticate identification online, and how does AI help solve the problem?
Husayn Kassai: We cover about 600 types of identity documents: all passports, the majority of driving licenses, the majority of national identity cards. To verify the user’s identity, we take a photo of the front and the back of the identity document, and an image of the user’s face, which we compare to that on the document.
The challenge is we are only doing this with a normal webcam, which makes it harder to identify fakes. When you take your passport to an airport, they often have 3M scanners that have natural light, ultraviolet light, and infrared light, so they can see if it’s been tampered with. A normal webcam doesn’t offer that, and somebody might tamper with the digital image of the document before they upload it, creating a sophisticated forgery that could fool the human eye.
This is where machine learning comes in. Our algorithms generate heat maps to identify signs of digital tampering. For example, a pixel from another part of the document may have been copied from one part of the image to another, which a human would not spot but the algorithm can. A human can then read the heat map and see that the signs of tampering appear in sensitive areas, indicating a fake.
Wallace: What stops a fraudster with a stolen card finding a photo of the owner online and using that?
Kassai: That is where the “liveness” test comes in. We have two ways of checking the photos, with a comparison and with a liveness test.
When we compare photos, on the basis of their level of similarity, we generate a confidence score between zero and one. So if I steal your driver’s license and I crop the photo, enlarge it, and hold it up to the webcam, that should give a perfect score of one. That suggests it’s not just the same person but the same photo, and that needs to be checked by a human, because such a score is an outlier: a different photo of the same person should generate a high score, but not a perfect score.
So to tackle that problem, our clients can embed our “liveness” test. Traditionally, liveness tests involve having the user blink at the camera, or look at different parts of the screen. But that can be quite easily cheated: you can take someone else’s photo, cut out the eyes, and put your own behind it. So we use multiple different liveness tests. We might ask the user to blink, but then we might ask them to move their head to the right, or to read out a randomly generated number. The user won’t know exactly what they will have to do beforehand. That’s much harder to cheat.
Wallace: Some identity documents are more secure than others. Given Onfido is an international business, how do you deal with the huge diversity of identity documents you have to process?
Kassai: Of the 600 document types that we accept, there are roughly 350 that we classify as “tier one,” which means that they have security features that we trust and know are secure, like EU and U.S. passports. Then there are the tier two documents, which have fewer security features on them. We tell the companies using our technology which they’re dealing with, so they know if a given document is easier to tamper with physically, and therefore gives a lower level of assurance. But while the document’s security features are one thing, detecting digital tampering is basically the same for either tier one or tier two documents. Obviously we prefer the more secure documents, but there is still some level of assurance with the less secure ones.
Wallace: What effect do reliable methods of ID authentication have on the kinds of services people can access online? What does it make possible?
Kassai: At the moment, almost half the world’s population—2 to 2.5 billion people—do not have access to financial services. Financial services providers want to take them on as customers online, but they can’t because of security challenges: almost 3.6 percent of world GDP is laundered money, so without a reliable means of verifying the identities of would-be online customers, taking them on is too risky. By making it possible for customers to prove who they are online, it becomes easier for people to get access to basic financial services, like savings, via the internet.
Opening a savings account is what you could call a “middle-risk” service, meaning the consequences of failing to identify the customer fully are less severe than with, say, providing a loan. But as consumers become used to verifying their identities online, we’re going to eventually unlock higher-risk services, like healthcare information, or a full bank account with access to credit. Right at the top would be online voting—we should all be able to vote on our smartphones on election day, instead of having to queue up, sometimes for hours.
There’s a whole host of sectors that will be opened up, and in our view, it’ll only two or three years before we start making payments with our biometrics. So you’re going to walk into Costa or Starbucks or any other place and you’ll only have to show your face and your ID to the webcam, and the payment will go through.
Equally, right now, if you’re on holiday in Turkey or Spain and the bank suspects that you’re a fraudster, they block your card, so you have to call them and prove your identity. That’s all going to change, because at the ATM you could use your identity document and face to go through, or if you want to call the bank, instead of going through all the security checks, they could just ask you to show your face and your card on your smartphone’s camera.
Because of what’s happened with Equifax and problems like that, all our identities are basically online now. So I could have a loyalty account with a supermarket, and a fraudster can hack it, take my data, and commit identity fraud, say by opening a bank account. The weak link in the chain is the bank, which has allowed someone to open an account in my name using data that does not prove they’re me.
The onus for preventing identity fraud is going to shift from the consumers to the merchants and the banks and those who allow fraudsters to pretend to be you. As the means for online identity verification becomes more sophisticated and uses machine learning to pick out the fakes, increasingly I as a consumer will have a choice, and I’ll say to my bank and my phone network operator, and everyone else, “if there is a payment above a certain threshold that I set, I have to show my face and my document in order to authenticate and authorize it.”
Wallace: Several European governments operate e-ID systems that let citizens prove their identity to third parties by putting their national ID cards into a USB card reader, and the British government has spent several years working on a federated system called Verify, which does not rely on ID cards. What’s your opinion of the different approaches?
Kassai: I think there are three positive trends. The first is the undocumented becoming documented by the government. There are roughly 60 countries in the world with a smart ID program. The biggest success has been the Aadhaar card in India: it’s such a large population, 1.1 billion, and there’s almost 99.9 percent enrollment now among adults. Next it’ll be Bangladesh and then there’ll be others. That is excellent, because it means individuals can have a means to verify their legal identity so they can partake in services offered by governments, businesses, and others. Services like ours sit in the middle by connecting the physical ID card at home to the online service of the government or bank or whatever. Across the world, there are roughly 2 billion people who are undocumented, and as these undocumented people become documented, services like ours will be able to help on-board them.
The second trend is that in Estonia, Sweden, and parts of Canada, you have a means by which you are verified at the bank, and the bank will help you use that identity to unlock other services. We’re part of the advisory committee on the Verify program in the U.K. too. You can go into the bank and get verified face-to-face. There’ll be a human checking your passport, and an iPad with a camera where they can check your face against the ID document. But crucially, the unbanked and underbanked who don’t have that kind of access to banks can also participate in this identity program from home.
The third trend is where you have governments that are unwilling or unable to provide an identity to people, there is a means by which we can now offer them a grassroots, bottom-up approach. We are working with a non-governmental organization (NGO) and a village in Nigeria of about 300 people, to help them issue identity documents to everyone in the village. It’s a closed-loop system, where the NGO takes a photo of each villager’s face, prints a simple ID, and laminates it. Then everyone in that village can use our ID system to gain access to a portable health clinic. The next phase next year will to be enable payments.