Stories and insights from the world of digital identity
Many companies in the identity space talk of NIST certification. What does this mean for you as a user of identity services and what does it mean for your customers? Who is NIST? NIST is the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. NIST’s remit is to create and certify measures, standards and technology to enhance trade and productivity. Formed in 1901, their remit is to provide standards and certification for business. At first this included clocks and thermometers, all kinds of ‘weights and measures’. But over time the agency has grown to include tech, such as election technology and, of interest to us, cybersecurity. What is NIST compliance? Broadly, NIST certification means the product in question meets defined standards. Liveness is an anti-spoofing process that checks to ensure we are dealing with a real person. Not someone who is, for example, wearing a mask or using a photo or image of someone else. We use it across our suite of solutions including identity verification, digital ID and age verification. What does NIST certified liveness mean? NIST provides a framework for testing performance levels of liveness. NIST Level 1 involves testing using things that could be found in a normal home or office. Materials used for testing should not cost more than $30. Masks are excluded. To pass NIST Level 1, you must detect every attack and limit false negatives to less than 15%. NIST Level 2. Involves testing against more specialist attacks, such as latex facemasks or 3D printers. Materials used for testing should not cost more than $300.To pass NIST Level 2, the you must detect 99% of attacks and limit false negatives to less than 15%. Once a liveness service has passed testing, they will be issued with a Presentation Attack Detection (PAD) Confirmation letter that provides results and methodology used and what product was tested. To learn more about our liveness products, please do get in touch.
1st February 2023, London, UK – Digital identity company Yoti has launched eSign with Selfie, a new product feature on their digital signing platform. In an industry first, Yoti is the first company to integrate selfie verification directly into the signing process. This new feature allows individuals to confirm their identity with a selfie before signing a document. This reduces the risk of impersonation and fraud, and provides transparency and confidence that the correct person has signed the document. The whole process can be completed in seconds, in one seamless flow: Signees take a selfie Yoti’s proprietary NIST-certified passive liveness technology, MyFace, confirms they are a real person MyFace checks that the selfie is captured from a live person by detecting different presentation attacks, such as printed and digital photos, videos and masks Once the liveness check is complete, individuals sign the document The selfie image is cryptographically linked with the signature, providing a very high level of assurance over who has signed the document. Robin Tombs, CEO at Yoti said, “There is a growing trend towards identity linked signatures as they are more secure and robust than a standalone signature. eSign with Selfie provides a high level of confidence and transparency over who is signing a document, whilst offering a faster, more frictionless experience than a separate, full ID verification check. Identity driven signatures through eSign help businesses fight fraud, meet compliance and regulatory requirements, and create more trusted business interactions.” Companies can manage all documents from one digital platform and then email (or text) them out for signature – requesting selfie verification as part of the signing process, if required. Notes to editors Yoti’s liveness technology – MyFace – is certified against the NIST standards by iBeta. The difference between passive and active liveness: Active liveness requires the user to take a video of themselves performing certain actions. For example, moving toward and away from the camera, or repeating random words. This then uses AI and / or manual review to complete the check. Passive liveness can be achieved from a single selfie. Passive liveness reduces friction for users, thereby reducing drop off and speeding up the journey of verifying genuine users.
The Disclosure and Barring Service (DBS) has updated its guidance on how to check someone’s identity for a criminal record check. Previously, the process was only possible by seeing physical documents. During the pandemic, employers enjoyed relaxed rules which allowed them to do this via video call. However, the government has now updated their guidance to allow for digital ID verification technology. This means candidates can prove their identity online, which is an absolute game changer for employers grappling with a remote-first world. But how does the process work and should you use it? Here’s our guide to digital ID for DBS checks. What is a DBS check? A DBS check allows employers to see any criminal convictions a candidate may have on record. In some jobs, this is a legal requirement, particularly when working with vulnerable people, such as in healthcare or childcare. The check itself is processed by the Disclosure and Barring Service (DBS) and was previously called a CRB check. There are four types of DBS checks: Basic: shows unspent convictions and conditional cautions Standard: shows spent and unspent convictions and cautions Enhanced: shows the same as a standard check plus any information held by local police that’s considered relevant to the role Enhanced with barred lists: shows the same as an enhanced check plus whether the applicant is on the list of people barred from doing the role Anyone can request a Basic DBS check on themselves directly through the government website. Employers that want to request a Basic DBS check on an employee must use a ‘responsible organisation’ (RO), which is a company registered with the DBS to submit checks. To request a Standard or Enhanced DBS check on an employee, employers must use a company known as an ‘umbrella body’. Employers that process over 100 checks a year can also choose to register with DBS. Verifying identity for DBS Before a DBS check can be processed, you first need to confirm the identity of the person being checked. Until this year, this relied on seeing original documents. However, the new guidelines now allow employers to collect and verify documents digitally. For candidates, this is as simple as submitting their documents and a selfie online. The verification process is mostly automated and uses facial matching to compare a selfie to an ID document. In addition, checks are done to make sure the image is of a real person and that the document is genuine. In addition, further checks are often completed to reach the correct level of confidence under GPG45 as required by DBS, such as a check against data held by credit reference agencies. Employers don’t have to use digital identity verification but if they do, it must be undertaken by a certified identity service provider (IDSP). Make sure you check with your chosen DBS provider if they accept digital identity checks. GPG45 for DBS When done digitally, the identity checking process must follow the government’s Good Practice Guide (GPG)45. This involves gathering evidence that supports someone’s identity and is split in five parts: Get evidence of the claimed identity Check the evidence is genuine or valid Check the claimed identity has existed over time Check if the claimed identity is at high risk of identity fraud Check that the identity belongs to the person who’s claiming it Each step in this process is scored and combined to reach a level of confidence. There are four levels of confidence: low, medium, high and very high. The levels of confidence required for DBS are: ‘Medium confidence’ for DBS Basic ‘High confidence’ for Standard and Enhanced Identity profiles for DBS There are many ways to reach a GPG45 level of confidence, depending on how each step of the identity checking process has been carried out. Different types of evidence are scored differently. For example, an ePassport scores more than a non-electronic passport or a driving licence. Similarly, the way you collect evidence is important. You can gather and verify proof of address from a driving licence or typed in by the individual and checked with a credit reference agency. The different ways you gather and check evidence to reach a specific level of confidence are called ‘identity profiles’. There are lots of identity profiles and IDSPs must be audited for each one they offer. Not all IDSPs will offer the same number of identity profiles, which means some providers will offer candidates more flexibility and less friction than others. Should you use digital identity for DBS? Digital identity is a game change for remote and hybrid working practices. Not only does it allow you to onboard employees from anywhere in the world, but it also helps you stand out in a competitive marketplace with an unbeatable candidate experience. In addition, for organisations that need to prove right to work eligibility and carry out a DBS check, some IDSPs like Yoti and Post Office are certified for both. This means you can use the same ID check for both processes, allowing you to streamline your internal practices. Of course, digital isn’t for everybody. We believe in choice and inclusivity. Candidates that would like a little assistance can verify their identity at a Post Office. Their data is digitised and returned to the business in the same way as in the online service, only they haven’t had to touch a keyboard. How Yoti and Post Office are digitising the DBS process Yoti and Post Office were the first government-certified IDSP for both DBS and Right to Work. Since the change in guidance, we’ve helped some of the UK’s biggest background screening companies make huge efficiencies in their processes. We’ve continued to add more identity profiles to our Identity Verification Service, to give candidates more flexibility and less friction over the documents they use. For DBS basic, candidates can complete the process using just their UK driving licence. To meet the required ‘medium’ level of assurance, we run an activity history check without adding any friction to the user experience. For DBS Standard and Enhanced, candidates can complete the process using an ePassport or a non-chipped passport. This new profile opens up the process to a wider range of ID documents and customers across the globe. Candidates can also prove their identity for a DBS check using our reusable Digital ID app. Alternatively, candidates that prefer some human assistance can verify their identity in-person at a Post Office. Digitise the ID process for DBS It’s been a really exciting time for Yoti and Post Office as we see what happens when innovation meets legislation. And we’ve loved hearing the feedback from valued partners like David Hutchinson, CEO at PeopleCheck: “I want to applaud your internal teams with how they have been supporting and working with the PeopleCheck tech team. The result is an exceptional candidate journey and a great product. This is a significant game changer for both on-site and remote hiring – with companies now being able to fully outsource UK Right to Work credibly and compliantly, at scale and at speed.” If you’re looking to digitise the DBS and right to work process, get in touch and we’d be happy to help.
There’s no denying we’ve moved most of our lives online, and the majority of the time, our phones are the instant portal we use to get us there. They’ve become our personal shoppers, our social life planners and documenters, our music, films and books all in one. With everything already in the palm of our digital hand, it makes sense that the way we prove our age and identity should be too. A Digital ID is your ID on your phone, replacing physical documents with a smarter, instant way of proving who you are. We think it’s the future but understand why some people might not be quite ready to leave the past behind. In an age of unconsulted data collection, and subtly curated Instagram pages, why trust another thing on your phone that’s asking for your personal details? We’ve been listening to the concerns out there and we’re ready to bust some of those myths about our technology. It’s government controlled This is not true. We’re a private company and our Digital ID app is voluntary – you can back out at any time if it’s not for you. It’s not designed to push society towards mandatory Digital ID cards. Instead we give individuals the choice to create and use a Digital ID. It’s not for us to say how you prove your age or identity – that’s up to you. This is the start of a surveillance society While we’re shaping the future of digital identity, we’re not trying to create a state of surveillance. In fact, quite the opposite. The Yoti and Post Office EasyID apps are built to make it safer and more private for people to prove who they are. We can’t and never will identify people sharing age or identity information, and we can’t track them once they’ve downloaded the app. No-one else can access your data – not even Yoti. The only person that can share and access your data is you, because that’s how it should be. This is just a marketing ploy While we’re our technology’s own biggest fans, it doesn’t mean you have to be. We’ll never tell you it’s the only option as we think there should always be a non-digital alternative. We believe that it should be your choice to use a Digital ID. That’s why Yoti and EasyID are completely optional. Digital IDs aren’t private or secure A Digital ID is actually more private than showing a physical ID document. Every time you show an ID you reveal so much personal information about yourself – your date of birth, full name, passport number, photo and so on. Our Digital ID app only asks for certain information, such as your age or ‘over 18’. You can securely share verified details at the tap of a button or the scan of a QR code. It’s an easier and more secure way to prove your age or identity. You’re also protected if you lose your phone or it ends up in the wrong hands. A Digital ID is your data in your hands, and it definitely won’t be in someone else’s hands – no-one else can access your Digital ID. This means you’re actually more protected against the risks of identity theft compared to if someone were to find your passport or driving licence. You can’t use a Digital ID anywhere We’re very proud that our Yoti and EasyID apps are being accepted at more and more places. Young people can prove their age at UK Cinemas, so they can leave their passport safe at home. The apps can also be used online or in-store at over 30,000 stores across the UK! So next time you’re buying lottery tickets, tobacco or just nipping off the street to grab an energy drink, we’ve got you covered. We’ve also been trialling the apps at a number of supermarkets for the purchase of alcohol, including Asda, Tesco, Morrisons and Co-op. We’re now just waiting for the results to come in so watch this space… Thanks to new Home Office guidelines introduced in April 2022, if you’re a UK or Irish citizen, you can also use the Yoti and EasyID apps to prove your identity for Right to Work checks. A much simpler way to prove your Right to Work, identity details can be submitted online, perfect for a hybrid workplace, or where an organisation may have locations nationally. This will exclude those that don’t use a Digital ID Our Digital ID doesn’t exclude or discriminate against those that don’t use it. We believe there should always be an alternative for those who still want to prove their age or identity by whichever way feels familiar and comfortable to them. A Digital ID is just a photo of your ID on your phone Not quite. It’s true you need to take a picture of your government-approved ID but this is just to create your Digital ID. Once you’ve finished setting up your account, you can then use your Digital ID to just share specific information – this could be just your name or your date of birth. By sharing data piece by piece, you can control the specific details you share rather than showing a full ID. This is a more private way to do things. Is Yoti a self-sovereign app? Some of you might be wondering what that means. A self-sovereign (SSI) app is designed to “place the digital ID back into the user’s wallet” and reduce the compliance and burden of data storage for businesses. So instead of having a central database for users’ data, the individual or business has sole ownership over controlling their accounts and personal data. We do things a little differently. Although only users can access their own data, we store the data. So technically, this excludes Yoti from the SSI category. Instead, we distinguish ourselves by storing data in an encrypted vault that only the user can access with an encrypted key stored on their phone. Can I use a digital ID wherever I need to prove my age or who I am? While we admit a Digital ID can’t be used for everything just yet, the number of ways you can use a Digital ID continues to grow. If you have any other questions we haven’t answered here, then please get in touch.
18th January 2023, London, UK – Leading Muslim dating and marriage app Muzz (formerly muzmatch) has partnered with digital identity company Yoti to give singles increased confidence and transparency over who they are connecting with online. Muzz has integrated Yoti’s photo verification technology to confirm every dating profile belongs to a real person. On account creation, users are required to take a selfie, which will be analysed by Yoti’s proprietary passive liveness technology, MyFace. The technology checks that the selfie is captured from a real person by detecting different presentation attacks, such as printed and digital photos, videos and masks. If the technology detects the image is not from a real person, they will be asked to take another selfie, helping to reduce the risks of fake profiles and catfishing. MyFace only requires a selfie image to complete the liveness check, creating a smooth user experience and speeding up the process of verifying genuine accounts. Muzz has also integrated Yoti’s identity verification technology, to strengthen online safety even further. Members can verify their identity for free. Muzz will boost the verified profiles, giving these daters a higher chance of connecting with more people. “Muzz is the world’s largest Muslim marriage app, so we have a responsibility to lead when it comes to safe spaces for Muslim singles. Yoti’s ID verification and MyFace technology give our members peace of mind that their matches are who they say they are,” says Shahzad Younas, CEO and Founder of Muzz. Robin Tombs, CEO of Yoti said: “We’re delighted to announce our partnership with Muzz to give Muslim singles greater peace of mind, trust and transparency over who they are connecting with online. Muzz pride themselves on creating the safest dating platform for the Muslim community, so we are proud they have chosen our technology to enhance their existing safety measures. Our technology has seamlessly integrated into the Muzz app, showing how dating platforms can verify users, without compromising their online dating experience. Verified profiles will make it easier and safer for honest people looking for love, and create safer, positive matches.” The partnership with Yoti allows Muzz to enhance their existing safety measures, which include an all-female support team, video and phone calls within the platform so users do not have to share their phone number, and the detection and removal of nude images. Notes to editors Yoti’s liveness technology – MyFace – is certified against the NIST standards by iBeta. The difference between passive and active liveness: Active liveness requires the user to take a video of themselves performing certain actions. For example, moving toward and away from the camera, or repeating random words. This then uses AI and / or manual review to complete the check. Passive liveness can be achieved from a single selfie. Passive liveness reduces friction for users, thereby reducing drop off and speeding up the journey of verifying genuine users. About Muzz Muzz (formerly muzmatch) is the world’s largest Muslim dating and marriage app, with over 7 million members and 400,000 successes. Founded originally as a website in 2011 by former Morgan Stanley banker Shahzad Younas, Muzz has seen massive success since the launch of its iOS and Android apps in 2016. The company has over 80 team members with offices in the UK, US, France and Pakistan. About Yoti Yoti is a digital identity technology company that makes it safer for people to prove who they are, verifying identities and trusted credentials online and in-person. They now provide verification solutions across the globe, spanning identity verification, age verification, document eSigning, access management, and authentication. In the UK, Yoti has partnered with Post Office to accelerate digital identity adoption, with a national footprint spanning 11,500 Post Office branches, online and more. Over 12 million people have downloaded the free Yoti app across the world. It is available in English, Spanish, French, German, Portuguese and Polish. Yoti is certified to ISO/IEC 27001:2013 for ID Verification Services, ISAE 3000 (SOC 2) Type 2 certified for its technical and organisational security processes. For more information, please visit www.yoti.com.
We continue to invest in improving the accuracy of our world-leading facial age estimation and we will soon be releasing a new ‘Jan 2023’ model with improved accuracy across all skin tones and gender for those aged 6-70. At Yoti we constantly strive to improve all our services given our commitment to tech for good, and given the growing market importance of these services and increasing regulatory engagement. For example, coming soon we’ll be introducing multiple, concurrent age estimation models, which will help improve accuracy even further, whilst still completing a check within seconds. We will also continue to update our Yoti Age Estimation white paper, now 4 years old this month, in which we transparently publish our accuracy across age, gender and skin tones by year between ages 6 and 70. We expect to publish the updated white paper in the next couple of weeks but importantly, we can share today our Jan 2023 model further improves our accuracy and further reduces bias. Across all age ranges, gender and skin tones we are seeing a 5.1% increase in accuracy, reducing the weighted average MAE for 6 to 70 year olds from 3.0 to 2.8 years. As you can see below for this model we have been focussing on reducing the discrepancy between light skintones (tone 1) and darker skin tones (tone 3) We recognise our work is not finished in this regard. Table shows mean average error (MAE) for age range 6-70 by gender and skin tone, and the percentage improvement from our May 2022 model to our January 2023 model. So, well done for marking your own homework, you might say! But we are happy to report our May 2022 white paper has been independently verified as to the measurement methodology and accuracy of our results. On the request of one of our clients, the ACCS undertook an independent evaluation of our May 2022 white paper and had this to say: “The training, testing and results reporting presented in the whitepaper have been independently validated by ACCS, who have certified that Yoti have deployed appropriate methodologies to analyse the performance of their Age Estimation algorithm, including ensuring appropriate separation of machine learning training data, testing data and validation data.” In addition to this, we are also happy to announce that we have been invited to participate in a workshop on ICO commissioned research on the measurement of age assurance on Thursday 19th January, in London organised by ACCS and AVPA. Follow us on LinkedIn to stay abreast of Yoti news or get in touch to find out more.