For trustworthy remote identity verification, a proof of the authenticity of the identity card and of the integrity of its contents is needed, along with reliable binding between the ID card and the identifying individual. Verification of biometric markers in a remote video identification procedure has long been undermined by deep fake technology. The recent hack of the Video-Ident procedure presents a more scalable attack and has further destroyed trust in online identity verification. A solution to this problem lies in the utilization of the NFC chip that is built into a growing number of national identity cards.
Martin Tschirsich of Germany’s Chaos Computer Club successfully attacked the Video-Ident procedure for remote online identity verification. As published in August 2022, a clever re-combination of video images of two or more real ID cards was used to prove a different, fake or real, identity to a third party that accepts the Video-Ident procedure. The attack was mounted repeatedly, to create and access a targeted individual’s electronic health records (ePA) and to access signed customer documents including loan agreements. Altogether, attacks against at least six different providers of the Video-Ident procedure were conducted. In all cases, these attacks remained completely undetected.
Remote Identification by Video
Just like with an in-person identification at a bank or post office, remote online identity verification happens through the presentation of one’s government-issued ID card: Authenticity and integrity of the document and of the stored attributes are verified based on optical security features such as holograms or kinematic structures, and the photo on the ID card is compared with the face of the card’s presenter. The difference from in-person identification is that in remote identification, there is of course no immediate contact with the user and no immediate access to the physical ID card. With the Video-Ident procedure, a user uploads a video recording of themselves and of their identity card to the Video-Ident provider. Upon uploading, this video is verified provider-side, by software or by an agent. Various tasks may be included with the making of the video, such as tilting one’s ID card in front of the video camera or covering parts of the ID card with one or more fingers; this is to ensure there has been no manipulation of the video image.
The thereby identified user is then able to create and access their personal electronic health record, or to create a qualified electronic signature (QES) for signing a mobile phone contract, opening a bank account, or applying for a loan, etc. In fact, almost all large German health insurance companies have offered identification services through Video-Ident to their members. The Video-Ident procedure had also been approved (in 2017) by the Federal Financial Supervisory Authority (BaFin), for example, and was used within the banking industry for millions of online verifications each year. Over the past 2 years, in the face of COVID-19-related stay-at-home orders and other restrictions reducing face-to-face business, remote identification use has increased tremendously.
Long-Known Vulnerabilities, Consequences
It has long been recognized by security experts that current solutions of remote identification by video are subject to fraud due to the ease with which it is possible to make a copy of a physical identification document and present it as an original. Indeed, explicit warnings about the vulnerability of online video identification have been issued repeatedly for many years, both by Germany’s Federal Office for Information Security (BSI) and by the Federal Commissioner for Data Protection and Freedom of Information (BfDI). Despite these warnings, Video-Ident has been kept in use, justified by the assumed complexity and limited scalability involved with exploiting such vulnerabilities in real-world applications. Tschirsich’s recent attack stands out in its relative simplicity: all that is needed is some household electronics, open-source software, red watercolor, and a little bit of time and effort. As a consequence of Tschirsich’s attack, gematik GmbH, majority-owned by Germany’s Federal Ministry of Health and responsible for the digital transformation of Germany’s health care sector, has now prohibited health insurance companies from continuing to use Video-Ident. With the Video-Ident services disabled, everyone wanting to sign up to use their health insurance’s digital offerings once again has to show up in person at the health insurance’s agency or at the post office.
Moving Forward: Utilizing Near Field Communication
The proof of the authenticity of the identity card and of the integrity of its contents to a remote identification service can be done cryptographically, by utilizing the inherent security features of biometric documents via Near Field Communication (NFC). This assumes that the user’s identification document is equipped with an NFC or radio frequency identification (RFID) chip on which the user’s identification information such as personal data and picture is stored. This chip data is transmitted to the user terminal (such as a mobile phone) and subsequently passed on to the remote identification service through a previously established secure channel. Upon determining server-side that the ID document is authentic, a gesture challenge-response protocol utilizing the user terminal’s display and camera can be used to determine the authenticity of the user based on the image data and the chip data.
Thereby we achieve the following:
- Cryptographic extraction of the personal data, ensuring integrity and authenticity of the data.
- Proof that the to-be-identified user has physical possession of the ID, making deep-fake attacks significantly harder.
- Binding between ID document and applicant.
See also Cryptomathic patent EP3646247A1 “User Authentication Based on RFID-Enabled Identity Document and Gesture Challenge-Response Protocol” (granted in the US and the UK, pending in the EU).
Machine Readable Identification Documents on the Rise
The proportion of the EU population that is in possession of a machine-readable identification document is rapidly increasing.
In fact, Regulation (EU) 2019/1157 “on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens…” mandates that all ID cards issued by EU member states shall be produced in compliance with ICAO Document 9303 “Machine Readable Travel Documents”. This Document 9303 by the International Civil Aviation Organization (ICAO), endorsed by the International Organization for Standardization and the International Electrotechnical Commission as ISO/IEC 7501-1, specifies how electronic machine readable travel documents (eMRTDs) are to be formatted and read over NFC using the Machine Readable Zone (MRZ), which is usually at the bottom of the identity page at the beginning of a passport. We can estimate that at least 20% of all EU ID cards are already compliant with the specifications of ICAO Document 9303, and this portion will grow by a minimum of 10% each year as citizens renew their ID cards, which are valid for a maximum of 10 years. By Regulation EU 2019/1157, the migration to ICAO 9303 compliant IDs shall be finished by 3 August 2031.
All passports currently issued follow the ICAO 9303 standard. In addition, due to Council Regulation (EC) No 2252/2004, all EU ID cards are bound to be machine-readable and ICAO 9303 compliant by 2031 at the latest. Issuance of ICAO 9303-compliant ID cards has already started and is bound to increase rapidly due to the Regulation.
At the time of writing, we estimate that at least 60% of EU citizens have a machine-readable travel document, be it a passport or ID, and this number may be higher if we look at tech-savvy business users or frequent travelers.
Sign With a Smile, designed in cooperation with Fidentity Remote Online Identification, is based on this exact technology. Sign With a Smile is a convenient and secure document signing solution offered in SaaS mode where signees can visualize a PDF document, review its content, identify themselves and approve such documents with a signature equivalent to a handwritten signature, all of this in less than 3 minutes.