There has been some controversy in Germany after a recent series of tweets demonstrated that it may be possible to tamper with real government-issued ID documents and fool online identity checks.
The first driving licence app presented by Andreas Scheuer failed after @LilithWittmann and @fluepke found security flaws. In the meantime, @VERIMI_Now has released a successor. Bold? Yes. Secure? No. https://t.co/hrTMuO7gFm — Martin Tschirsich (@mtschirs) August 4, 2022
First of all, many AV providers do not rely solely on this technology – generally referred to as electronic identity validation technologies (eIDVT) – but will use it as part of a wider solution where there may be additional cross checks to other data sources and other fraud prevention measures. One large provider compares every ID it reviews with a “hashed” (anonymised) record of every other ID it has previously reviewed (across almost its entire customer base) to spot if an original has been copied and amended. Geolocation checks also offer extra assurance, for example, to check the same ID is not used in two or more places at once. And methods may be used in combination, perhaps looking at ID and then also checking to see if the user is on the electoral roll.
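The two cross-checks described above (a hashed history of previously seen IDs, and a geolocation check on reuse) can be sketched as follows. This is an added example, not any provider's implementation; the HMAC key, field names, sample values and the speed and distance thresholds are all assumptions made for illustration.

```python
import hashlib, hmac, json, math
from datetime import datetime, timedelta

KEY = b"constructed-demo-key"  # assumption: a per-provider secret, so stored digests are pseudonymous

def digest(value: str) -> str:
    """Keyed hash: records can be compared without storing the document data itself."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

class IdCheckHistory:
    def __init__(self, max_kmh=900, min_km=50):
        self.seen = {}          # document-number digest -> [first field digest, last time, last place]
        self.max_kmh = max_kmh  # assumed fastest plausible travel speed
        self.min_km = min_km    # assumed tolerance for coarse IP geolocation

    def check(self, doc_number, fields, when, where):
        """Return the flags raised by presenting this document now, at this place."""
        doc_key = digest(doc_number)
        field_digest = digest(json.dumps(fields, sort_keys=True))
        flags = []
        record = self.seen.get(doc_key)
        if record is None:
            self.seen[doc_key] = [field_digest, when, where]
            return flags
        first_fields, last_when, last_where = record
        if field_digest != first_fields:
            # Same document number, different printed data: a copied and amended original.
            flags.append("amended_copy")
        hours = abs((when - last_when).total_seconds()) / 3600
        dist = km_between(last_where, where)
        if dist > self.min_km and dist > self.max_kmh * hours:
            # Same ID presented from two places too far apart for the elapsed time.
            flags.append("impossible_travel")
        record[1], record[2] = when, where
        return flags

if __name__ == "__main__":
    history = IdCheckHistory()
    t0 = datetime(2022, 8, 4, 12, 0)
    berlin, munich = (52.52, 13.405), (48.137, 11.575)
    doc = {"name": "ERIKA MUSTERMANN", "dob": "1964-08-12"}  # constructed sample data
    print(history.check("X0000TEST1", doc, t0, berlin))
    print(history.check("X0000TEST1", {**doc, "dob": "1994-08-12"}, t0 + timedelta(minutes=5), berlin))
    print(history.check("X0000TEST1", doc, t0 + timedelta(minutes=15), munich))
```

Only keyed digests are retained, so the history can be shared across customers without holding the underlying document data.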
If eIDVT solutions have been subject to rigorous, independent presentation attack testing, then there is a low risk of fraudulent use such as the example above.
Many clients already require that suppliers who offer eIDVT undertake independent testing by accredited auditors as part of their own due diligence when procuring age verification solutions. This could be, for example, to the standards set out by the FIDO Alliance (Identity Verification & Binding – FIDO Alliance) and BS ISO/IEC 30107-3:2017 – Information technology — Biometric presentation attack detection – Part 3: Testing and Reporting.
That said, solutions do need to be considered as a whole, and we must always consider their effectiveness in proportion to the risk of the use-case. This tends to be a lower risk for age checks than full identity checks; but where the highest level of certainty is required, the technology can deliver to almost any percentage accuracy you specify, recognising that no check, either human or digital, is ever 100% perfect (but the evidence is that the technology usually beats the human eye by a large margin).
As a trade association, one of our most important goals is to promote high standards of quality in age assurance solutions, so we do monitor reports of vulnerabilities and highlight them to our members so they can check that their own solutions would not be circumvented the same way. As with all technical security, no-one can stand still, but vigilant providers will respond promptly and stay one step ahead of the vast majority of those who try to find ways around their systems.