What kind of automation are you using? For the most part I'd rather enter my SSN and answer a few questions about my background before uploading a bunch of government documents. There are also likely increasing regulation about having users upload some of those documents that your app won't be able to handle.
Hey, thanks for the comment. you’re right, eKYC is definitely the future of identity verification and after building the basic identity stack, we plan to add eKYC methods like verification using only the phone numbers and ID numbers.
eKYC is not in a solution that is not globally supported though, yet.
Part of our vision is to standardize this data to allow companies to partner and “vouch” for verified users - so users won’t need to send their documents all over and by doing so we may reduce leakage exposure.
About the automation part, the flows are vendor agnostic and can be connected to any vendor. we are in the process of open-sourcing a backend where you can orchestrate IDV, Risk, Fraud, Document classification, and OCR vendors.
Of course it is. They regulate what information you have to collect and then how you're supposed to collect it, while trying to make sure you don't collect too much or store it in the wrong way and that you you show the correct messages on your website.
> EU requires the submission of sensitive data in order to verify your identity
The EU created eIDAS to enable people to authenticate without submission of sensitive data by using digital signatures, based on public key cryptography, using an id card with an embedded hardware security module and a pin. Those are strong factors: "what you have" is not easily copied and "what you know" may have low entropy, but the embedded hsm has anti-hammering. When interacting with companies in a kyc flow, or to claim rights under gdpr, the people sign a statement of purpose and time, creating data that can not be reused to authenticate as them at a later time for a different purpose.
But no one implements that. Instead companies implement the worst possible authentication method from the set of allowed methods, the bottom of the barrel solution that is only still legal in the EU due to the industry lobbying for backwards compatibility with existing manual workflows from the age of snail mail: uploading photos of identity documents and smiling into a webcam. Those are weak factors: "what you have" and "who you are" using a webcam to scan documents and biometry are vulnerable to deepfakes. But most importantly this method lacks an inherent protection against reuse. This leaves the customers vulnerable to identity theft should their data ever be stolen.
In the worst case the collected data is stored raw, without any mitigation like timestamp and purpose watermarks, or those marks are easily removed. In the worst-worst case the data is also accessible by anyone with even the most far fetched claim to need to know, without rate limiting or misuse detection, so that phishing any internal account is enough to put all this sensitive data on sale at a darknet market.
I do not agree that the EU requires that. It allows it and failed to require that companies offer at least one better method as well.
