Remote identity verification is currently one of the key elements of digital customer onboarding in industries such as banking, fintech, telecommunications, leasing, or insurance. It also forms the foundation of the process for remotely issuing qualified electronic signatures. This is a particularly sensitive area, as any error in the process may result not only in financial loss but also in legal or reputational risk for a company or an individual user. Therefore, the security of the process and the system it is based on is of critical importance.
At SIGNIUS, we cooperate with IDnow, Europe’s leader in digital identity and fraud prevention. Their AI-driven, eIDAS-compliant verification technology powers the identity layer behind our document signing platform, ensuring every signature is backed by a verified, trusted identity. In this article, we present the key aspects of onboarding process security and data protection in the automated identity verification method used on our platform, covering both biometric checks and document verification.
The article was created in cooperation with our identity verification partner, IDnow.
Maximum security and a positive user experience
IDnow’s automated identity verification solution was designed to reconcile two goals: maximum security and a positive user experience. The foundation of this approach is a multi-layered security architecture that protects the entire process, from document verification and biometrics to data protection after the verification is completed.
A multi-layered approach to security
Security in IDnow’s remote identity verification is not based on a single mechanism, but on a combination of several layers, each addressing a different type of threat. As a result, even if one layer fails, the others continue to protect the process.
“Our automated identity verification solution doesn’t rely on a single check — it layers document forensics, biometric liveness, chip authentication, and injection attack detection to close every door fraudsters might try to open,” comments Christoph Bruetting, Director of Product at IDnow.
Identity document verification
The first and fundamental step is the analysis of the identity document. The system does not simply read the data; it performs multi-level authenticity verification, including:
- identification of the document type (e.g. ID card, passport),
- reading the MRZ (Machine Readable Zone) using OCR,
- checking expiration dates and data integrity using checksums.
This makes it possible to detect basic fraud attempts, such as expired or forged documents. The solution also recognizes fraud attempts involving presenting a photo of a document on a phone screen or using a printed copy instead of the original document.
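The checksum and expiry checks listed above can be illustrated with the public ICAO Doc 9303 check-digit rule for the second MRZ line of a passport (TD3 format). This is an added example, not IDnow's or SIGNIUS's code; the function names are hypothetical, the sample line is the ICAO specimen for the fictional state UTO, and expiry years are assumed to be 20YY.

```python
from datetime import date

WEIGHTS = (7, 3, 1)  # ICAO Doc 9303 repeating weights

def char_value(c):
    """Map an MRZ character to its numeric value (0-9, A-Z = 10-35, '<' = 0)."""
    if c in "0123456789":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"illegal MRZ character {c!r}")

def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def validate_td3_line2(line, today):
    """Return a list of findings for the second line of a passport (TD3) MRZ."""
    if len(line) != 44:
        return ["line: expected 44 characters"]
    fields = {  # name -> (protected characters, check digit as read by OCR)
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "personal_number": (line[28:42], line[42]),
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    findings = []
    for name, (value, given) in fields.items():
        try:
            expected = str(check_digit(value))
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        # An unused optional field may carry '<' instead of a digit.
        if name == "personal_number" and set(value) == {"<"} and given == "<":
            continue
        if given != expected:
            findings.append(f"{name}: check digit mismatch")
    yymmdd = line[21:27]
    try:  # Assumption: expiry years are read as 20YY.
        expiry = date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:]))
        if expiry < today:
            findings.append("expiry_date: document expired")
    except ValueError:
        findings.append("expiry_date: not a calendar date")
    return findings

SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"  # ICAO 9303 specimen
```

The check digits are plain arithmetic rather than cryptographic protection, so this layer catches OCR misreads and careless edits only; the stronger guarantees come from the other layers described in this article.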
Dynamic analysis
A static image of a document is not enough to confirm its authenticity. Therefore, the solution uses real-time video analysis. The user is asked to slightly tilt the document, which allows for detecting elements visible only in motion, such as holograms or optically variable inks. This is a key safeguard, as such features are extremely difficult to replicate in forged documents.
Cryptographic chip verification
In the case of modern electronic documents (e-passports, e-ID cards), the highest level of security is provided by a cryptographic chip. IDnow’s identity verification solution verifies the chip from various perspectives, ensuring the highest available level of confidence in the document’s authenticity. Forging the chip without access to the issuing country’s private key is practically impossible.
Biometrics and liveness detection
Even if the document is authentic, it is still necessary to ensure that the person using it is its rightful owner. Therefore, the system uses face matching (selfie vs. document) and biometric analysis. A key element here is liveness detection. The system analyses a short video (less than 2 seconds) to check whether there is a real person in front of the camera, and not, for example, a photo, a 3D mask, a video recording, or a deepfake. In the era of generative AI, this element has become one of the most important safeguards in the entire KYC process.
Human quality control in borderline cases
IDnow’s solution also anticipates situations where human assessment is required. In borderline cases, manual verification is carried out by trained specialists. In addition, quality assessment is performed on completed verifications. This ensures a balance between automation and the contextual factors that an algorithm might not capture.
Data protection after identity verification
Security does not end with identity verification. What happens to the data afterward is equally important. IDnow’s solution is based on various pillars of data protection, including:
- encryption of data in transit,
- encryption of data at rest,
- an infrastructure based on two data centres in active-active mode,
- data fully stored within the European Union,
- full control of data access (principle of least privilege, mandatory two-factor authentication (2FA), and the “four eyes” principle for administrative operations).
“All identification data is stored within the European Union. IDnow uses only certified hosting providers that comply with industry standards and EU regulation,” says Christoph Bruetting, Director of Product at IDnow.
Data retention
The issue of data retention after identity verification is very important. Crucially, identification data is not stored indefinitely. The standard data lifecycle includes:
- 60 days of production data retention,
- 30 days for backups.
Certification
The level of security and data protection of IDnow’s solution is independently confirmed through internationally recognized certificates, external audits, and continuous testing programs. This provides customers with objective and independent confirmation of IDnow’s identity verification security standards.
The system complies with requirements such as:
- ISO 27001,
- ISAE 3402,
- GDPR.
Penetration tests and vulnerability scanning
Penetration tests are conducted annually by qualified external security specialists. These tests simulate real attack scenarios to identify vulnerabilities before they can be exploited. In addition, quarterly vulnerability scans are performed for all external IP addresses, ensuring continuous monitoring of the publicly accessible attack surface.
Summary
IDnow’s remote automated identity verification is a complex security ecosystem in which each element plays a different, important role. The strength of IDnow’s approach lies in the fact that it does not rely on a single data protection mechanism, but on a multi-layered fraud resilience system that combines AI, cryptography, biometrics, and human oversight.
As a result, IDnow’s identity verification process is both fast and convenient for the user, as well as secure and resistant to modern forms of cyber fraud – from simple forgeries to advanced attacks based on artificial intelligence. Thanks to encryption, strict access control, and regulatory compliance, user data remains secure at every stage of its lifecycle.