
Deepfakes as a catalyst for digital identity

Blog post: Implications for identification procedures and onboarding


Deepfakes as a catalyst for digital identity: challenges and opportunities

As early as 2021, there were prominent examples of deepfakes. For example, there was a video by comedian Jordan Peele in which he used real footage of Barack Obama but superimposed his facial expressions and voice over it to publicly warn against deepfake videos. In February 2022, a deepfake video of Tom Cruise caused a stir.

That was a few years ago, and artificial intelligence has since developed at a breathtaking pace. This rapid development is also accelerating deepfake technologies, which intensifies the challenges in the practice of remote digital identification. The world of digital identification is at a turning point. Established methods rely primarily on a combination of biometric recognition of individuals and optical validation of ID documents – both aspects are severely threatened by deepfake attacks, among other things.

The growing threat of deepfakes

Biometric modifications, such as those achieved with the help of professional make-up or face masks, have been known for a long time. Masks like the ones shown in films like ‘Mission Impossible’ are now available to everyone in very good quality. Deepfakes, i.e. deceptively real digital manipulations of image, video and voice material, are now being added to this, and they are becoming increasingly difficult to recognize as such, by humans as well as by systems. A considerable amount of effort is still required to create usable digital forgeries by manipulating documents, faces, photos or videos in a relevant way, along with the corresponding criminal intent. Optical-based ID procedures currently still offer a very high level of reliability in detecting such attempts at misuse. However, 100% security was not and is not guaranteed.

Automated or photo-based identification procedures, which are fully automated and based on the digital transmission of photos, very short video sequences of ID card recordings and selfies, and, in some cases, voice samples, are constantly challenged to systematically ward off the most modern types of attempted fraud. The algorithms are constantly being adapted and optimized to do so, and it’s a race that’s hard to call. While on-site systems, such as those used at border controls, can use highly developed cameras and sensors, remote identification is limited by the user’s hardware. With the addition of a review of the digitally captured materials by a trained agent, additional cases of doubt can be clarified and further security levels established – but counterfeits that do not arouse any doubts in the automated system or that cannot be spontaneously recognized by humans are not excluded.

Video identification procedures rely on a longer video call between the agent and the customer, which makes attacks more complex but does not rule them out. Deepfake technologies now enable attackers to manipulate not only the actual ID documents, including the security features, but also the appearance, gestures, facial expressions and voice of the person in real time, which makes detection in a live video call considerably more difficult. Today, it is still possible to detect, for example, graphical discrepancies when moving from the person to their surroundings, as well as unnatural movements, skin colors or eyes. A trained agent in a video call can take all factors into account and often also integrate appropriate fraud detection technology live. Nevertheless, creating a live video that is so deceptively real that it can convince in a video call – that is a question of time, not a question of feasibility.

Impact on identification and onboarding

Digital remote identification processes are the backbone of today’s digital economy, in regulated sectors such as financial services as well as in areas relevant to everyday life. Countless use cases use identification via the internet, from opening accounts/deposits, ordering a prepaid SIM card, accessing service portals to digital signatures – in most of these applications, the customer is required to verify their identity using one of the offered methods.

In the fall of 2022, it became apparent how quickly an established digital identification method can become unavailable for important use cases: the national agency for digital medicine, gematik, which is subordinate to the Federal Ministry of Health, banned the use of photo/video identification in the German healthcare system due to acute security concerns – and to date, the procedure has not been reauthorized.

It cannot be ruled out that in the near future other regulatory authorities for other economic sectors will also have to reevaluate their respective security assessments of established procedures due to the advances in AI and deepfakes. If this results in changes to the portfolio of approved procedures in the short term, companies should be prepared. Even in non-regulated applications, the responsibility for the use of identification procedures lies with the respective companies, so that each company is called upon to regularly evaluate the situation and the associated risks of the digital identification methods used in order to ensure the maintenance of digital offerings.

It is important that the mere recognition of persons and documents in the course of identification procedures is not considered in isolation in the risk assessment. Depending on the level of trust required, further security features can be integrated into the optical-based procedure, such as checking the location, the integrity of the end device used, the validation of a phone number or the sending of a second factor. In this regard, smartphones usually offer more options than pure web applications. In addition to the identification process, further aspects are usually added throughout the onboarding process, which is why circumventing an identification process alone does not necessarily lead to the immediate misuse of a customer account or the opening of an unwanted customer relationship. Independently collected and queried attributes, such as address, email, phone number or even customer reference/customer access/login, form additional first-level elements that, in combination, help validate the authenticity of the onboarding.

In many sectors, the cost-benefit ratio also plays an important role in risk assessment, which is why a few successful cases of fraud do not always have to lead to the immediate termination of an entire identification procedure. The damage resulting from the fraud is weighed up in relation to the costs of further security steps for the entire onboarding process. By comparison, physical identification processes on site, e.g. in the company’s own branch or via corresponding service providers, also always harbor potential for abuse and error, so that absolute security cannot be guaranteed on any channel.

Outlook on further developments

Optical-based identification methods such as Auto-/Photo-Ident and Video-Ident are widely used today and are particularly popular with customers and companies in their largely automated form. In view of advances in AI and deepfakes, they have natural limits in terms of security level – these will be reached sooner or later, which means that alternative solutions are required for many applications.

The eID-Ident and Bank-Ident procedures, in particular, do not require optical verification and can therefore offer significantly higher protection in the long term:

  • eID-Ident is based on the chip of the ID card and, as a cryptographically secured procedure, offers the highest level of technical security. The extent to which the cryptography or the chip itself could become the subject of attacks is not to be examined here.
  • Bank-Ident works by using the usual secure login to online banking – and thus accesses identity data that has already been validated by multiple measures taken by the banks in a trusted ecosystem, not just through pure identification. It is a very simple and at the same time very secure procedure, which is familiar to a great many customers through its use in online banking.

Both identification methods can be supplemented by optical recordings, e.g. of the ID document, to address specific requirements of a business transaction (e.g. image of the customer, signature sample of the customer) without affecting the integrity of the identity verification. For the identification itself, both methods are resistant to AI & deepfake attacks. Risks in the matching of additionally optically captured features and fundamental aspects, such as social engineering or phishing attacks on personal access data, remain unaffected.

Connection to the EUDI Wallet

The future EUDI wallet will have the eID, i.e. the online ID function of the ID card, as a requirement for access and use in Germany. This requirement also creates an initial barrier, since currently in 2024 only about 22% of citizens have used the eID at least once.

Thus, for both security reasons and in preparation for the EUDI wallet, it makes a lot of sense to quickly expand the distribution and acceptance of the eID-Ident in Germany. The draft bill of the Federal Ministry of Finance “Regulation on identification by video identification for money laundering purposes” from spring 2024 is a step in the right direction in this aspect, as it is intended to oblige BaFin-regulated companies in the financial industry to accept the eID in addition to video identification even before the EUDI wallet is launched – which means that the business processes of the respective companies will also be adapted to accept an eID identity.

The use of the eID therefore requires the user to have the physical ID card with a chip and a PIN. The transmitted identity data from the eID is then securely stored on the smartphone in the EUDI Wallet app. For subsequent retrieval, the user needs their smartphone and authentication, and access via Face ID or fingerprint, for example, opens up biometric attack vectors. It is therefore to be expected that, at least for ID retrievals for security-relevant applications, additional safeguards will be integrated, e.g. by entering a PIN. An example of such differentiated protection of retrievals, depending on the security level of the addressed application, is the health ID in Germany.

Challenges & preparation

AI and deepfakes are developing rapidly and will push optically based identification methods to their limits ever faster. Additional safeguards are possible as described above, but they require further investment and queries in the user experience. Over time, the procedures will therefore become less attractive for companies and users compared to relevant alternatives such as eID-Ident, EUDI-Ident and Bank-Ident.

A major challenge for economic actors can arise if the tipping point of the procedures is reached earlier than alternative procedures such as eID-Ident and Bank-Ident are integrated for their own use cases. In regulated sectors, the challenge will grow if – following gematik – further regulatory authorities are forced to prohibit the use of the currently very popular procedures at short notice due to acute AI & deepfake abuses.

It is therefore very important for all companies that have integrated ID processes into their use cases to prepare for the upcoming transformation at an early stage. Simply waiting for acceptance of the EUDI wallets, which may be mandatory, is not recommended.
