Security

Secure through NFC and SaaS

Inverid handles the privacy sensitive data of your customers. Security is therefore of the utmost importance. Electronic identity documents form the basis of our security. Secure hosting, best in class certification and best-of-breed partnerships cater for the rest.

NFC technology explained by Maarten Wegdam

Chipped identity documents are very secure

Modern passports (e-passports) and similar identity document have a contactless NFC chip. This chip is standardised as part of Doc 9303, Machine Readable Travel Documents, by the International Civil Aviation Organisation (part of the United Nations).

The information on the chip is digitally signed by the issuing country and has protection against cloning. ReadID provides the complex cryptography that is needed to verify the authenticity of and information on the chip. It provides a smart and simple way to verify the authenticity of the identity document within seconds (passive and active authentication). This way, we can detect if a chip was copied.

Trusted identity verification

Many organisations require NFC for trusted identity verification, such as the UK Home Office or the HM Land Registry. Analysts like Gartner advocate the use of NFC for trustworthiness.

ReadID technology supports ICAO 9303 and ISO 18013 compliant identity documents. We can orchestrate with optical verification partners for non-chipped documents. This is a good alternative for data extraction, no for guaranteed document authenticity.

Security by design

NFC based identity documents

The NFC chip in electronic identity documents allows for the most secure identity verification. Optical solutions are not secure enough as the documents can be manipulated and copied.

SaaS architecture
preferred

We use a SaaS architecture, as client-based solutions are not secure enough in general. Client-only can be used on controlled devices, e.g., for face-to-face use cases

Face verification based on high-res photo

The personal image in the chip cannot be manipulated and has a higher resolution than the printed face image. A much stronger basis for facial verification than optical solutions.

“Even trained persons or good AI algorithms are not able to check identity document security features based on video.”

Kalev Pihl

CEO SK ID Solutions

Watch our interview with Kalev where he explains why SK ID Solution has chosen ReadID.

The value of certification, as discussed with Clemens Wanko (TÜV Austria)

World-unique certification package

The technology is secure, as is our company. We are the most certified in the identity verification industry: ISO27001, ISO27701 and eIDAS compliant certified under ETSI EN 319 401 and ETSI EN 319 411-1/2 standards. We are SOC2 Type 2 compliant and have Cyber Essentials. We are regularly audited and pen tested, and comply with EBA outsourcing guidelines. Inverid is based in the EU and is GDPR compliant. Our software works according to the WCAG accessibility guidelines.

99.97%

availability of our SaaS services, as measured in the Home Office EU Settlement Scheme

Read the full story

Securely hosted

We provide ReadID technology in two different versions: SaaS and client-only. For the SaaS version, the client-side runs on the smartphone, sending the information being read to the server side, where it is read and verified. The server side is hosted by Inverid in a public cloud: the SaaS version. Since ReadID is provided as SaaS, our customers do not have to worry about updates and security. ReadID SaaS is highly scalable.

The second version is the client-only version, where all functionality runs on the smartphone. For most customers, and especially for self-service onboarding use cases, the SaaS version is best suited since this is more resilient than the client-only version against compromised smartphones.

Client only solutions depend upon the security of the device. Smartphones can be tampered with if not under strict control of the company. Client only should not be used in remote use cases, only in controlled face-to-face situations.

Country Certificates create trust

The information on the chip is digitally signed by the issuing country. Document verification, also known as passive authentication, depends on a store of trusted root certificates.

The authenticity of a document can only be established if the document is (ultimately) signed using a private key of which the corresponding certificate is known. These root certificates are called Country Signer Certificate Authority (CSCA) certificates. Although the CSCA certificates are public, there is not one single public source for CSCA certificates.

Inverid integrates several existing sources of CSCA certificates and is able to integrate with non-public sources depending on your situation.

Learn more

In our blogs and white papers we dive deeper into how we create security and how electronic identity documents work.

Go to our blog

gartner-2021-nfc-identity-proofing_Tekengebied 1

Gartner on why NFC is preferred

In April 2021, Gartner released its Buyer’s Guide for Identity Proofing, by analysts Akif Khan and Jonathan Care. It helps organisation in the steps to select an identity proofing solution. Gartner definitely takes a document-centric approach.

Security of ePassports

In series of blog posts, we have provided an overview of the security mechanisms that are commonly found in ePassports, namely privacy, authenticity and cloning detection mechanisms.