Recently I’ve been working with a client that is on track to disrupt recruitment in the construction sector. A key part of that mission is enhancing the authenticity, security and overall efficiency of verification on a range of physical documents at scale.

By solving this problem with bringing in the next generation of automation, we are helping our client build trust and overall improve their security. As a recent survey by HelpNetSecurity shows that identity document fraud has increased by 57% since 2020. In this blog I will look at the past and the future of ID verification, and how technological advances have revolutionised it in recent years!

The history of ID Verification

Since the dawn of time, there have been many forms of identity verification — some early examples were as simple as someone you know being able to recognise you in a crowd!

Throughout history we have seen people use jewellery and even tattoos to identify their blood line and tribe.

As societies advanced in written language, some key identity enhancement started to evolve:

• In 3800BC came the first census
• In 14 AD the introductions of birth certificates
• 1414 saw the first passport
• In 1840 came the first forms of photo IDs
• And it wasn’t until 1977 the US government created a program for cross referencing ID

Why is this important?

Although the type of identity documents has changed rapidly over the years, the way we verify these documents has not accelerated at the same speed.

In today’s world we still have a reliance on a lot of paper-based documents e.g., passports, driving licenses, utility bills etc. With businesses and societies undergoing massive digital transformation and the rise of eCommerce and social networking, it is not a surprise that the creation of fraudulent documents and identity impersonation is at this all-time high!

In addition, the pandemic has also accelerated the drive and need for remote digital identity services. When it came to people needing to take out a new bank account, starting a fully remote job or taking out a new insurance plan, during the pandemic, there needed to be a way to verify people without having to see them face to face.

From banks to recruitment to e-commerce — identity plays a part in almost every aspect of our economy.

The Project

ID changes drastically across countries and even within sectors, so when building a platform for handling verification, it needed to be easily extendable.

Even if we take one single universal document type for example; passports, as we move across different countries, we know they all contain the same data, but we still see differences in how this data is displayed – especially when it comes to things like dates of birth and date of document expiry.

This goes to show just how complex building a platform for identity verification can be. Ensuring these services could be decoupled and run as a collection or independently was crucial.

To achieve this, we decided to build everything as independent microservices in an event-driven manner. This approach allowed us to control and configure the verification checks that were needed for different customers.

The technology

For all our individual document verification services we are using AWS Lambdas. You can see in the example below that there is an individual Lambda for passport checks, license checks and for right to work checks!

Each Lambda has its own machine learning logic to parse the documents and then performs the verification checks on the details retrieved.

We choose Lambdas because of their on-demand event driven nature. They can be invoked by almost anything, including API Gateway, event bridge, SQS and much more.

For this flow, you can see we are using SQS. Our document validation processor polls the queue for new messages that contain the verification configuration. The document verification processor then parses the SQS message to understand what all checks need to be ran and then triggers the required Lambdas.

Going the Lambda route has allowed us to be flexible when adding new checks.

For example, you can see here we have added in an additional checking service for proof of address, and we know it will not impact any of the individual business logic of the other Lambda checks – having code that is easily extendable allows us to be more innovative and creative when it comes to developing as we know there is less of a risk of side effects!

The fact that Lambda is also managed, means we do not have to worry about scaling as it is able to handle it for us.

It also means that the service can scale on a per verification service basis. In the scenario where we have a lot of requests for passports checks – the passport service can scale up, but the driver license service can stay as is, as it is not being used under the same load.

Our main project that uses this technology is still ongoing, and we are constantly learning. As we start to build out more verification services for our next iteration, we have been considering looking into AWS Step Functions as complexity will continue to grow between our Lambdas and the introduction of the step function state machines between Lambdas could really benefit us at scale.

Security

Since the services we have been building deal with the collection and processing of Personally Identifiable Information (PII), security has always been a major factor in all of our infrastructure decisions.

This has meant working with Virtual Private Clouds (VPC) to define and control our own networking, allowing us to define our own IP ranges for subnets and control routing between services and access to the internet.

With a lot of our services living within the VPC, we have also been able to take advantage of AWS PrivateLinks. PrivateLink allows some of our AWS resources to communicate with resources in our VPC without exposing data to the internet, which overall helps protect us from a number of common attacks.

Encryption also comes into play both in transit and at rest. For this, we utilised AWS KMS to ensure any documents stored for processing are stored in encrypted buckets.

The future

In terms of ID and verification services, as we look into the future a clear milestone that any identity company will need to face is building consumer trust! I foresee a lot more official bodies and compliance standards appearing in this area around the world in the coming years.

I don’t feel like it is safe to say we can fully move on to digitally verify all documents and that there is no need for manual checks ever again! We do not live in a fully digitally literate society and so some form of manual intervention/fallback will always be required.

Some countries have already started moving on to using digital ID cards and eliminating physical photographic IDs for nationality — I can see an increase in this in more countries in the future, but even if the ID is digital there will still need to be some form of logic to apply to it to verify it.

At the beginning of this blog, I mentioned some of the earliest forms of ID, that seemed ridiculous now.  For example, the idea of using jewellery to identify a person seems crazy — but to this day we are still technically using it in the form of dog tags for military personnel and medical alert bracelets. With this in mind, I feel like a lot of our traditional forms of ID are here for another while, but I can see them becoming more of an aid for verification but just not the whole measure!

Conclusion

Identity verification touches every industry and it’s more important than ever in an age when everything is becoming more and more digital. If you’re interested in enhancing the security and authenticity of your verification processes, consider exploring microservices, event-driven architectures, and encryption technologies like AWS KMS. And as always, stay up to date on the latest compliance standards and industry best practices to ensure you’re staying ahead of the curve.

What do you use to verify ID at the minute? Have you taken anything away from this blog about what you’ll do in future on your services? We’d love to hear from you.

Find out more about our software engineering division and get in touch with us about an upcoming project.