Remote identification of the citizen using facial recognition - AOC Consortium

Challenge

How can we strengthen citizen registration and remote identification using facial recognition and image recognition algorithms, so that it is more secure, easy, and generates more trust?

Problem

Since 2016, Catalonia has had a digital identity called idCAT Mòbil, based on a face-to-face or online registration process. Online registration uses either a digital certificate (2% of all online registrations) or information known only to the Administration and the citizen (98%).

Citizens value the idCAT Mòbil digital identification service with online registration very positively because it is useful: it is quick to obtain and easy to use, procedures can be carried out immediately after registration, and nothing needs to be memorized. This is backed up by the around 400,000 citizens who already use it, the more than a million actions carried out, and the excellent results of satisfaction surveys on both its use and the initial online registration process.

However, this digital identity has some points to improve, which are being worked on:

  • According to the European standard on electronic identification and electronic signature and the national security scheme, this system is considered low level, and some actions are not recommended with it, for example access to citizen folders. Some Catalan administration services do not use it for this reason. Currently, idCAT Mòbil applies recognized identification methods with reliability equivalent to physical presence, which brings the service to a substantial level of security.
  • The online registration process already allows access using the DNI, the TIE or even the NIE, which expands the number of citizens who can access the service.

For these reasons, we are exploring new mechanisms to give the idCAT Mòbil online registration process even more security, robustness and trust, with the aim of expanding the number of users who can obtain it without travelling and of expanding its uses in the Catalan administrations.

The private sector has made great strides in implementing secure remote identification processes using artificial intelligence algorithms, specifically facial and image recognition. The main driver was the banking sector, as a result of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for money laundering and terrorist financing. Additionally, SEPBLAC (the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Infractions) has approved several instructions on how to perform the digital identification of a user through video identification and videoconferencing mechanisms. Currently, major European banks are implementing services that facilitate remote registration using facial and image recognition algorithms.

Although the public sector in general lags behind, as usual, in the adoption of these artificial intelligence technologies, recently, and accelerated by the COVID-19 health emergency, the Ministerio de Asuntos Económicos y Transformación Digital published "Order ETD/465/2021, of May 6, which regulates the methods of remote video identification for the issuance of qualified electronic certificates", which contemplates the possibility of verifying identity remotely.

The AOC Consortium had already analyzed international experiences to determine the best practices to be applied to the public sector in Catalonia, and has the idCAT Mòbil system, which adapts to and meets the requirements indicated in this order.

One of the key issues is the reliability of facial recognition algorithms in the different situations and conditions we may encounter, which can affect the quality of the captured images. Fortunately, we have the excellent studies conducted by the National Institute of Standards and Technology (NIST) on the robustness of the main facial recognition algorithms on the market, in different situations and conditions, which provide us with very valuable information to determine the quality of the algorithms and the risk levels of each one, in order to propose mitigating measures.

Applied solution

The idCAT Mòbil Internet registration system uses facial and image recognition solutions, which provide evidence that gives the registration process greater robustness and follow the guidelines of the regulations established by the State (Order ETD/465/2021).

The main controls are as follows:

  • Facial recognition compares the photo (selfie) of the person carrying out the registration process with the photo on the official document that the person is scanning.
  • Facial recognition will compare a photo of the person extracted from the video recording of the registration process with the photo on the official document that the person is scanning.
  • Image recognition makes it possible to scan an official document and verify that it is original and has not been tampered with.
  • A liveness test is performed on the person going through the process, asking for a gesture or movement.
  • It is validated (if the person is resident in Spain) that the data in the document match the official record of the General Directorate of Police.
  • A human operator validates the entire process to achieve a substantial level of assurance for the registration.

The origin of these solutions corresponds to the financial sector of the European Union, following the approval of Directive (EU) 2015/849 of the Parliament and of the Council of 20 May 2015 on the prevention of use of the financial system for money laundering or terrorist financing.

Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market had already provided for the possibility of verifying the identity of the person applying for a qualified certificate using identification methods that guarantee security equivalent in terms of reliability to physical presence.

The additional requirements that apply to the public sector are:

  • It can be done through a responsive web application or a mobile app with high usability.
  • The service must accept the most common digital identity documents in major countries at European and global levels.
  • The scanning of official documents will include mechanisms to check the veracity of the document (MZ, watermarks, etc.), to minimize the risks of impersonation and manipulation, and to extract the user's photograph.
  • The process of capturing the user's selfie photo will include a liveness test (a face gesture: closing the eyes, turning the head, smiling, …) and a detector of the quality of the photo taken. If the quality is low, the user will be asked to take a new photo.
  • The correlation of the photo taken from the official identity document and the "selfie" will be made with an algorithm analyzed by the National Institute of Standards and Technology (USA) (NIST) in its latest report on "Ongoing Face Recognition Vendor Test (FRVT) Part 2: Identification".
  • Part or all of the process will be video-recorded as evidence to facilitate monitoring, validation, and control tasks. It will not be possible to upload a pre-recorded video or to store the video in a location that is susceptible to manipulation.
  • It will be verified that the one-time code sent to the user's mobile phone has been entered correctly in the registration solution.
  • Information will be added on the geolocation of the registration process and the device used, in order to apply adaptive security measures.
  • Recorded documents and evidence of the process will be kept, properly signed with a digital certificate and AOC time stamp, for a minimum period of one year.
  • The management application for public employees (back office) will facilitate the supervision and/or validation of the registrations made by citizens.
    • The validation of a registration process by an operator must take a maximum of 10 minutes (from the end of the scanning and video process).
    • The validation service will be available, at least, in the following time slot: from 9:00 to 17:00.
    • Operators performing validation will be properly trained.
  • SEPBLAC regulations will be complied with in relation to video-identification procedures for clients in non-contact operations, in the field of the fight against terrorism and the prevention of money laundering.
  • The information systems associated with this service will be hosted in the European Union.

Additionally, the following advanced requirements are being assessed:

  • Integration with the DNI-e 3.0 SDK to extract the photo stored on the ID card via NFC. This functionality can only be made available via an app.
  • Verification that the scanned official identity document has a hologram.
  • Regulatory compliance regarding:
    • External audit report on compliance with eIDAS - ENS, with its corresponding Certificate of Conformity.
    • The solution is included in the CCN-CERT ICT Security Product Catalog as a qualified product, or is a certified component according to the ENS.

An example of the process would be:

The use of facial and image recognition algorithms may be extended in the future in many other scenarios:

  • Performing procedures and actions, without the need to generate any prior digital identity.
  • Electronic voting in participatory processes or by citizens abroad. The current process is very cumbersome, which means that only a small percentage of citizens with the right to vote exercise it.

Status of the project

  • In production.
  • Indicators: more than 21,000 video identifications made (January 2022)
    • 88% of requests accepted and 12% rejected
