by augustuspolius 1325 days ago
This looks great!

A somewhat tangential question: what are the ways KYC can be made less vulnerable to identity theft? Do people who verify the uploaded document use some automated government services to check for stolen documents?

It seems like a process like the one in this flow (upload a document and a selfie) is useless if a document is stolen (since in most cases you can just look up the person's social account and download their selfie). And even worse, it would give a badge of authenticity to the scammer.

And if the backend people do use some government service to verify the document, then what is the value of submitting a selfie?

4 comments

Hey, thanks for the comment.

It's true, a document and a selfie are not enough in some cases. There are a couple of techniques to make a better guess about whether the selfie was live, but they are not as good as liveliness checks.

We already started to work on a liveliness step with a customizable challenge, meaning the developers can configure what action the user should perform in this step (like turning the head in a specific direction, performing hand gestures, and more).

The mobile SDKs will have more sophisticated tools to detect fraud; we will write about it soon.

That sounds good - thanks for clarifying. Excited to see this project grow!
It's not what they're doing here, but you should be able to read the biometric chip using a phone and verify the data that it contains server-side (since it's signed). Not sure how easy it is to get hold of the public keys though.

Which also would be a nice feature if it could be implemented here, might be possible with WebNFC :)
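The server-side verification the comment above describes, as an added example that is not part of the thread or of the project being discussed. Real passport chips carry an ASN.1 security object signed under an X.509 chain rooted at the issuing country's CSCA; this example stands in for that with an Ed25519 key pair, a two-entry hash table and constructed data-group bytes, so the only assumption is that the server already holds a copy of the trusted signer's public key (the part the comment says is hard to obtain). The structure of the check is the same: validate the signature under a key you trust, then confirm that every data group the phone forwarded hashes to what the signed object commits to.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// DataGroups models the chip's data groups (DG1 = MRZ, DG2 = face image, ...)
// keyed by group number. Contents used below are constructed sample bytes.
type DataGroups map[int][]byte

// SecurityObject is a simplified stand-in for the chip's signed security object:
// one SHA-256 per data group, signed as a whole by the document signer key.
type SecurityObject struct {
	Hashes    map[int][32]byte
	Signature []byte
}

// ChipRead is what the phone forwards to the server after reading the chip.
type ChipRead struct {
	Groups DataGroups
	SOD    SecurityObject
}

// canonical serialises the hash table deterministically (sorted by group
// number) so signer and verifier operate on identical bytes.
func canonical(h map[int][32]byte) []byte {
	nums := make([]int, 0, len(h))
	for n := range h {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	var buf bytes.Buffer
	for _, n := range nums {
		buf.WriteByte(byte(n))
		sum := h[n]
		buf.Write(sum[:])
	}
	return buf.Bytes()
}

// IssueDocument plays the issuing authority: hash every data group and sign
// the hash table with the document signer's private key.
func IssueDocument(priv ed25519.PrivateKey, groups DataGroups) ChipRead {
	hashes := make(map[int][32]byte, len(groups))
	for n, content := range groups {
		hashes[n] = sha256.Sum256(content)
	}
	return ChipRead{
		Groups: groups,
		SOD:    SecurityObject{Hashes: hashes, Signature: ed25519.Sign(priv, canonical(hashes))},
	}
}

// VerifyChipRead is the server-side check: the signature must validate under a
// public key the server already trusts, and every data group the phone sent
// must hash to the value the signed object commits to. A swapped face image
// or a security object signed by an unknown key both fail here.
func VerifyChipRead(trusted ed25519.PublicKey, read ChipRead) error {
	if !ed25519.Verify(trusted, canonical(read.SOD.Hashes), read.SOD.Signature) {
		return errors.New("security object signature invalid or signed by untrusted key")
	}
	for n, content := range read.Groups {
		want, ok := read.SOD.Hashes[n]
		if !ok {
			return fmt.Errorf("data group %d not covered by security object", n)
		}
		if sha256.Sum256(content) != want {
			return fmt.Errorf("data group %d does not match signed hash", n)
		}
	}
	return nil
}

// sampleDocument builds a constructed document: a fresh signer key pair, an
// MRZ-style line and placeholder face-image bytes.
func sampleDocument() (ed25519.PublicKey, ChipRead) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	groups := DataGroups{
		1: []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"), // constructed MRZ line
		2: []byte("jpeg-bytes-of-the-chip-face-image"),          // constructed placeholder
	}
	return pub, IssueDocument(priv, groups)
}

func main() {
	pub, read := sampleDocument()
	fmt.Println("genuine read:", VerifyChipRead(pub, read))
	read.Groups[2] = []byte("jpeg-bytes-of-a-different-face") // tampered DG2
	fmt.Println("tampered read:", VerifyChipRead(pub, read))
}
```

The trusted public key is the crux: in this example it comes back from sampleDocument, whereas a real deployment has to obtain and pin the issuing authorities' certificates out of band, which is exactly the difficulty the comment points at.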

Many services do some sort of “liveness check” to verify there’s a live human interacting with the webcam for the selfie.
Hm, do they stream the user's camera feed to their server? Seems like a questionable practice if the user is not made aware of that.
I've seen cool computer vision demos that run client-side in the browser, so I hope they don't stream the feed. OTOH if they do stream, warning the user would go a long way.
If you only send the result, it's easy to spoof.
Good point!
> since in most cases you can just look up the person's social account and download their selfie

Are these reviewed by a human? If so, why not 'just' require the selfie to contain the document, some written nonce, and/or a weird body position, like a flag semaphore position?
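A server-side challenge store for the nonce / "perform this action" idea in the comment above, and for the earlier point that a liveness result sent by the client alone is easy to spoof. This is an added example, not code from the thread or from the project being discussed. It assumes the server (not the client) picks the action and nonce, that some separate analysis (a human reviewer or a model) reports which action the submitted selfie or video actually shows, and that the store is only consulted after that analysis. The action list, nonce length and TTL are constructed for the example. What the store guarantees is narrow but useful: a submission is accepted only for a challenge the server issued, within its lifetime, once, and only if the observed action is the one that was asked for, so a recorded result cannot be replayed and the client cannot choose its own challenge.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Challenge is one server-chosen liveness task: the action the user must
// perform in the capture, when it stops being valid, and whether it was used.
type Challenge struct {
	Action  string
	Expires time.Time
	used    bool
}

// ChallengeStore holds outstanding challenges server-side. The clock is
// injected so expiry can be exercised without sleeping.
type ChallengeStore struct {
	mu      sync.Mutex
	byNonce map[string]*Challenge
	now     func() time.Time
}

// Actions the server may ask for (constructed list for this example).
var actions = []string{"turn head left", "turn head right", "hold document next to face"}

func NewChallengeStore(now func() time.Time) *ChallengeStore {
	return &ChallengeStore{byNonce: map[string]*Challenge{}, now: now}
}

// Issue picks a random action and a random nonce, records both with a TTL,
// and returns them for display to the user (the nonce can be written on paper
// in the selfie or bound to the upload request).
func (s *ChallengeStore) Issue(ttl time.Duration) (nonce, action string, err error) {
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(actions)))) // unbiased pick
	if err != nil {
		return "", "", err
	}
	nonce = hex.EncodeToString(raw)
	action = actions[idx.Int64()]
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byNonce[nonce] = &Challenge{Action: action, Expires: s.now().Add(ttl)}
	return nonce, action, nil
}

// Redeem is called after the server has analysed the submitted media and
// decided which action it actually shows (observedAction). It accepts only if
// the nonce is known, unexpired, unused and the observed action matches the
// issued one; the nonce is then burned so the same capture cannot be replayed.
func (s *ChallengeStore) Redeem(nonce, observedAction string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.byNonce[nonce]
	if !ok {
		return errors.New("unknown nonce")
	}
	if c.used {
		return errors.New("challenge already used")
	}
	if s.now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	if observedAction != c.Action {
		return fmt.Errorf("expected %q, media shows %q", c.Action, observedAction)
	}
	c.used = true
	return nil
}

func main() {
	store := NewChallengeStore(time.Now)
	nonce, action, err := store.Issue(2 * time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ask user to: %s (nonce %s)\n", action, nonce)
	fmt.Println("first redeem:", store.Redeem(nonce, action))
	fmt.Println("replayed redeem:", store.Redeem(nonce, action))
}
```

The check that the action really happened still lives in the media analysis that feeds observedAction; the store only makes sure that analysis is tied to a fresh, server-chosen, single-use challenge rather than to whatever the client claims.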

I like the idea of asking to hold the same document in the selfie. Not a foolproof solution, but way better than asking for any non-specific selfie.