True identity verification should require a human

In my post on passwords, I said:

As it stands today, the real challenge is the initial identity verification. There is no single good way for, say, a banking application, to confirm the identity of the user opening the banking app for the first time on their smartphone other than with shared secrets like passwords and keywords.

Today I want to talk about one idea for initial identity verification involving sensitive applications. I am going to use banking as an example.

1. The user opens a bank account

Banks require multiple forms of identification to open an account. At this stage, the bank does some background checking and identity verification and records copies of the documents for their records.

The bank should offer the user to install the bank’s mobile app at this point.

2. The user installs and opens the banking app for the first time

The user goes to the App Store and installs the online banking app. They open the app for the first time, and the first thing that happens is a request to scan a QR code.

The only way the user can scan this QR code is by visiting the bank branch. Doing so while opening their bank account saves the extra trip.

The clerk verifies the identity of the user and presents them with a QR code. This code is short-lived and expires after a couple of minutes. An approval from the clerk is required to refresh it.

The user scans the QR code, and the banking app confirms biometric identification.

At this point, we know two things: the user’s identity was verified in-person at the bank branch, and the smartphone can confirm the user is who they say they are via biometric markers.

3. The user wants to install the banking app on another device

Assuming their first device is still with them, they do not need to go to the bank branch to install the app on a new device.

They open the app on their first device and pull up the QR code. They scan the QR code with their new device, and the process continues like in the example above.

If the user does not have their first device anymore, they need to go to the branch.

What about web-access?

I wouldn’t offer it. I would only offer app access. The reason is that apps delivered via app stores are cryptographically signed and can include certificates to sign API requests.

Some final thoughts

The approach I described above is significantly more secure as access to the private data requires either an in-person verification by the bank or explicit approval by the account holder. I admit that it is impractical. In the upcoming posts, I will discuss more practical ways of securing sensitive data.