Lukas Han
Apr 24, 2024
What is eKYC?
eKYC, or electronic Know Your Customer, is a digital process carried out by companies to verify the identities of users seeking access to their services.
Recently, eKYC solutions have been widely adopted across various sectors as a way to streamline and increase the efficiency of online service usages. However, even with its advancements, the current eKYC system still carries unresolved issues and risks. In this article, we will dive into these vulnerabilities and explore ways to build a safer and more reliable eKYC system.
💡 eKYC(electronic Know Your Customer) is used interchangeably with various terms such as IDV (Identity Verification), KYC (Know Your Customer), and CDD (Customer Due Diligence), depending on the region.
While the term ‘eKYC’ most commonly refers to the non-face-to-face identity verification process in the financial services sector, in this article, we will use the term in a broader sense to refer to all online identity verification processes.
The current eKYC process is broken
The existing system requires users to take pictures of their identification documents and submit them online. Upon receiving the photo, service providers verify the ID, completing the identity verification process. However, such a process is problematic in many ways:
Oversharing of personal information
First and foremost, the process forces users to share excessive personal information online. Since a photocopy of the entire identification document is to be submitted, users are left with no choice but to disclose all of their personal details even when unnecessary. All of the users’ sensitive information, including their date of birth, address, and personal identification number, becomes shared with someone or some company they know nothing about.
As a result, users always carry a sense of unease about how their submitted information will be managed and used, regardless of whether a leak occurs. This uncertainty generates mistrust and angst from the outset of using a service, hindering the overall user experience from the very beginning.
Not sanctioned by government
Another issue with the existing eKYC process is that it is not government-sanctioned. Most eKYC services are currently operated by private companies, and with the absence of regulatory oversight, the reliability and integrity of these eKYC services remain uncertain.
However, seeking government approval every time identity verification is needed is also not a viable option—such a scenario is not only practically impossible but also highly undesirable. Moreover, this approach expands privacy concerns by introducing the ‘Phone-Home Problem.’ The government, who is the issuer, would have access to detailed information about all verifications, including when they happened and who requested them. Big Brother would become a reality!
Deepfake accelerates the downfall
To address such issues, eKYC service providers continuously introduce new verification tools into the field—parameters that confirm the authenticity of ID photos or video calls that check users’ faces live are prime examples.
However, the effectiveness of these tools is being threatened by evolving AI and deepfake technologies. Deepfake technology has advanced to the point where it is indistinguishable to the human eye whether a video or image is real or artificially generated. The democratization of such technology only exacerbates the situation by allowing individuals to create deepfakes at their discretion, whenever they choose.
Gartner’s VP analyst Akif Khan expected that “by 2026, attacks using AI-generated deepfakes on face biometrics will mean that 30% of enterprises will no longer consider such identity verification and authentication solutions to be reliable in isolation.” The issues with the current eKYC process will only deepen over time.
Decentralized Identity (DCI) solves it all
Then what are some ways of building a safer and more reliable eKYC system? Hopae suggests keeping an eye on the following concepts and technologies:
Decentralized Identity: Putting Users in Control of Their Personal Data
Decentralized Identity (DCI) is an emerging paradigm that enables users to directly control and manage their own digital identity information. By resolving the inherent problems of centralized digital identity management systems, which force individuals to rely on central authorities to access their own personal data, DCI liberates individuals from privacy breaches and security concerns.
DCI utilizes Decentralized Identifiers (DID), which are unique identifiers assigned to each individual and stored in a distributed database like blockchains. Individuals are able to manage their identity data, which are linked to their DIDs, on their own and choose which data they hope to disclose and which not to. DIDs also enable users to safely search for metadata such as public keys or service end-points on their own during the Identifier Resolution process instead of having to ask centralized authorities.
Selective Disclosure and Verifiable Credentials: Enhancing Privacy and Trust
Selective Disclosure is also a key component when it comes to DCI. With Selective Disclosure, users are eligible to share their information selectively, only disclosing the details they choose to reveal. This is similar to the concept of presenting an ID offline, where you only reveal the necessary parts and cover the rest with your hand.
SD-JWT (Selective Disclosure JSON Web Token) is one way to implement Selective Disclosure. SD-JWT stores users’ identity information in pieces, enabling users to present only the necessary parts depending on the situation. It’s like turning an ID into digital Lego blocks, where you can choose relevant pieces for different instances. If you’re interested in learning more about SD-JWT, check out our SD-JWT series.
But how can we verify the authenticity of selectively disclosed information? This is where Verifiable Credentials (VC) come into play. VCs are certificates that contain a digital signature of the issuing institution. With these signatures, anyone can confirm the authenticity of the certificate. Various identity information, including driver’s licenses and graduate certificates, can be issued as VCs, and conditions such as expiration dates or usage restrictions can be included to prevent misuse.
VCs are currently in the process of standardization. Combined with DIDs, VCs will become a crucial component in making the DCI system feasible. The issuer’s DID will enable access to the public key, and this public key will then be used to confirm the authenticity of the VC, allowing VC verification. With these technologies, you can present your digital ID everywhere, just like you do offline with your plastic ID card, in a secure and reliable way.
Building a DCI Ecosystem: Challenges and Opportunities
There are still obstacles to overcome before building a DCI-based eKYC system. The biggest hurdle is the current lack of robust technical and institutional foundations. For a successful implementation to take place, establishing an infrastructure for the issuance and verification of DIDs and VCs and ensuring interoperability with existing centralized systems are essential.
However, once these foundations are laid and the ecosystem matures, the system will have numerous use cases across sectors, from finance and healthcare to education and e-commerce. The system could be applied to any service that requires identity verification and authentication.
DCI in Action: eIDAS 2.0 and European Digital Identity Wallet
EU is at the forefront of this effort with its groundbreaking adoption of the eIDAS 2.0. eIDAS 2.0 is a regulatory framework, which aims to create a more secure and reliable digital verification system through the European Digital Identity Wallet (EUDI Wallet).
Then what is the EUDI Wallet? The EUDI Wallet is a mobile application in which EU citizens can securely store and manage their identity information. Users can issue various certificates and licenses digitally through the EUDI Wallet and selectively disclose them as needed. For instance, when opening an account online, users can choose to share only the necessary parts of their driver’s license or passport information stored in the EUDI Wallet. The EUDI Wallet is expected to reduce the risk of personal data breach significantly, given the fact that users would no longer have to submit copies of their identification documents. Furthermore, verifying the authenticity of the documents becomes much easier with the EUDI Wallet since the information stored in the wallet includes the issuing institution’s digital signature.
The introduction of the eIDAS 2.0 and the EUDI Wallet is part of an effort to establish a DCI-based digital identity verification and authentication system at the EU level. Such efforts resolve existing problems and encourage other countries and regions to consider the adoption of DCI.
Conclusion
The current eKYC system faces issues such as personal data breach and security concerns, especially amid evolving AI and deepfake technology. Given the impending risks, now is the time for an innovative approach that transcends the limitations of the current eKYC paradigm: a DCI-based system with selective disclosure and verifiable credentials.
It is undeniable that there still exist technical and institutional barriers to building a DCI ecosystem. However, with the emergence of modern regulatory frameworks such as the eIDAS 2.0 and relentless technological innovation, the implementation of the DCI ecosystem seems imminent. The digital identity revolution is not a future prospect—it is happening now, and its momentum will only increase.
Hopae Provides Solutions
Hopae is an identity verification solutions provider that leads the digital ID wallet market. The team has already proven the potential of DCI technology through COOV, a COVID-19 vaccination certificate app with 43,000,000 monthly active users. Leveraging such success, Hopae is offering a DCX Wallet Framework, which contains the core technologies needed for building next-generation eKYC systems.
If you are hoping to transform your eKYC, mobile driver’s licenses, or financial applications with our eIDAS 2.0-compliant DCI technology, DCX, book a meeting here. Let’s chat!