This service is a biometric identity platform. Biometrics provide greater security and assurance that users are who they say they are, and so they are an integral feature of most of our products and services.
Customer organisations can choose certain features of Doc Scan that involve biometrics.
Doc Scan contains a biometric consent step if customers need it.
Biometrics is the measurement and analysis of unique physical characteristics and behaviour, such as a face, fingerprint, voice, the way someone walks, the way they use their phone and so on.
Legally, biometrics is defined differently in different laws, but the common factor is that you are identified or authenticated through your unique physical characteristics or behaviour. Not all services use this data to identify or authenticate. However, to make things easier to understand, we have called all the physical characteristics and behaviour data ‘biometrics’.
There are a range of different technologies that are considered biometrics. Not all of them identify or authenticate.
Detection: Is there a face in this picture? Is it a human face?
What can I determine from this face? (Examples: age; biological sex; mood.) Is this a real person?
Temporary unique identifier
What is this person doing in a limited context for a limited time? Have we seen this person before, within a limited timeframe?
Is this person who they are claiming to be? Are the two images of the same person?
Authentication 1: many
Is this person entitled to do what they are trying to do? (Example: entering a venue or restricted area) Does this biometric exist in the database?
Verification or identification 1: many
Is this person known to us? Does their biometric match to information we already have about this person and who they are? This kind of software can determine who this unknown person is.
Some service uses of data might involve, for example, a face or elements of a face, but without identifying the person. For example, we have developed technology to check if a face presented is real, or if it someone wearing a mask. This activity doesn’t identify the person in any way, it checks if the image is genuine or not.
When biometric are used to identify a person, the characteristics are compared to a pre-existing list or database of characteristics and other information. For example, if a shop allowed you to pay with your face, or if a casino used facial recognition to identify and help people who had added themselves to a gambling exclusion list.
When biometrics are used to authenticate a person, there are two main ways this is done. The most common approach compares two examples of a characteristic to see if they match. For example, when your bank uses voice recognition for telephone banking the technology checks if your voice matches the sample held on your account. Or where you use your face or fingerprint to access your phone. This use of biometrics allows you to prove it’s really you by comparing your characteristics with a template you have already set up or that has been created for you automatically. The template once created is stored securely and then each time you need to prove that you are really you, your information is compared against the template to see if it matches.
The other way is to compare a characteristic to a pre-existing list or database of characteristics, but there doesn’t need to be any other information about you. For example, if an office used fingerprints to access a certain area that only certain people could access. The technology would match your fingerprint to all the pre-registered templates to see if yours is there. If it is you are allowed access.
Instead of having to remember PIN numbers, or usernames and passwords (which may be guessed or hacked), biometrics uses something unique to a person that only they have, like a face or fingerprint. Many companies, such as banks, are using biometrics like voice recognition to make sure only the account holder can access the account. Biometrics are often used with other information, like a pass card or a PIN number, where more than one security measure is needed.
The service is an identity platform and uses biometrics as a security and fraud prevention measure.
The biometrics are a key part of making sure we keep out fake identities and documents. The biometrics to authenticate individual users prevent fraudulent use of the service and protect user data by making sure that it really is that user taking an action.
Detecting a face is the first step in the process. The technology examines the image it gets and works out which bit of it is an actual human face. Only this portion of the image is then used. This stage also allows for basic error checking: if the system can’t find a face in the image (for example, because the individual didn’t position themselves properly in front of the camera, or some inappropriate object is put there) then the system can return an error message instead.
Checking it’s a real person:
This technology does not identify or authenticate. It determines if the image presented is genuine and of a real person, or if it is someone wearing a mask or otherwise pretending to be someone else. We use different technologies for these checks. Some ask individuals users to take an action, such as moving the phone towards their face or recording a short video of themselves saying a few words. Some happen in the background automatically. We use the information from these checks to make sure the user is a real person. We can’t provide any more details about how this works, as we don’t want people to be able to get round our checks.
Face match authentication (1:1):
This technology compares two examples of a face to see if they match.
When individual users set up Doc Scan, we take a scan of their face to create a biometric template, which we store securely. A biometric template is a digital map of the face.
We do a face match when users provide an ID document for Doc Scan. We compare the document photo with the photo taken to make sure users only upload their own documents. Customer organisations can also request a face match as an additional security measure when their users / customers share identity or age attributes with them.