Executive Summary
BixeLab conducted an independent assessment of NAB's end-to-end remote identity verification system, supplied by Daon. The evaluation covered:
- Presentation Attack Detection (PAD)
- Document Authenticity Detection (DAD)
- Injection Attack Resistance
- Biometric Impostor Resilience
Key Positive Outcomes
- Injection Attack Detection: All biometric injection attacks using a virtual camera were successfully blocked during the liveness check.
- Biometric Impostor Testing: 20 out of 21 biometric impostor attempts were denied.
  - 1 case is currently under investigation.
- Bona Fide User Performance: 83% success rate (148 out of 178 participants were successfully verified).
- Remote PAD Performance: BPCER: 1.1%, demonstrating strong resistance to fraudulent face presentations.
Identified Issues & Risks
Presentation Attack Vulnerabilities - APCER: 1.6%
- 9/560 presentation attacks bypassed PAD
- 4 Level A (printed selfie)
- 5 Level C (live face morph)
Document Authenticity Weaknesses
- 6.2% false acceptance rate (51/825 fraudulent document attempts).
- Expired documents DFAR: 14.7% (elevated risk).
- Glossy-paper copies & altered cards bypassing checks.
False Rejects for Genuine Documents
- DFRR: 26.7% (lab), 11.2% (remote with retries).
- High rejection rates impacting user experience.
System Errors Impacting User Experience
- 30/193 remote testers encountered document-related system errors.
- 2 participants faced face-related errors.
- 10 results excluded due to watchlist mismatches/conflicting logs.
Limited Biometric Impostor Testing
- Initial results suggest no major vulnerabilities.
- Recommendation: Conduct large-scale "cross-match" testing.
- Ensure robustness across diverse demographic groups.
Recommendations & Next Steps
1. Enhance Document Authenticity Detection
- Improve detection for glossy paper copies & altered physical cards.
- Strengthen expired document detection (reduce 14.7% DFAR).
2. Expand Biometric Impostor Testing
- Conduct large-scale cross-match testing for enhanced security.
3. Establish Continuous Performance Monitoring
- Implement annual & upgrade-triggered re-testing.
- Track in-service performance vs. test results.
4. Develop a Permanent Test Environment
- NAB should establish a dedicated testing environment.
5. Improve Output Transparency
- Develop a clear understanding of system outputs & risk interactions.
Conclusion
BixeLab commends NAB's proactive approach in commissioning this evaluation.
By addressing identified gaps, NAB can:
- Strengthen identity verification security.
- Improve user experience for genuine customers.
- Stay ahead of evolving threats.