Executive Summary

BixeLab conducted an independent assessment of NAB’s end-to-end remote identity verification system, supplied by Daon. The evaluation covered:

  • Presentation Attack Detection (PAD)
  • Document Authenticity Detection (DAD)
  • Injection Attack Resistance
  • Biometric Impostor Resilience

Key Positive Outcomes

  • ✅ Injection Attack Detection: All biometric injection attacks using a virtual camera were successfully blocked during the liveness check.
  • ✅ Biometric Impostor Testing: 20 out of 21 biometric impostor attempts were denied.
  • 🚧 1 case is currently under investigation.
  • ✅ Bona Fide User Performance: 83% success rate (148 out of 178 participants were successfully verified).
  • ✅ Remote PAD Performance: BPCER: 1.1%, demonstrating strong resistance to fraudulent face presentations.

Identified Issues & Risks

Presentation Attack Vulnerabilities

⚠ APCER: 1.6%

  • 9/560 presentation attacks bypassed PAD
  • 4 Level A (printed selfie)
  • 5 Level C (live face morph)

Document Authenticity Weaknesses

⚠ 6.2% false acceptance rate (51/825 fraudulent document attempts).
⚠ Expired documents DFAR: 14.7% (elevated risk).
⚠ Glossy-paper copies & altered cards bypassing checks.

False Rejects for Genuine Documents

⚠ DFRR: 26.7% (lab), 11.2% (remote with retries).
⚠ High rejection rates impacting user experience.

System Errors Impacting User Experience

  • 30/193 remote testers encountered document-related system errors.
  • 2 participants faced face-related errors.
  • 10 results excluded due to watchlist mismatches/conflicting logs.

Limited Biometric Impostor Testing

  • Initial results suggest no major vulnerabilities.
  • Recommendation: Conduct large-scale ‘cross-match’ testing.
  • Ensure robustness across diverse demographic groups.

Recommendations & Next Steps

1. Enhance Document Authenticity Detection

📌 Improve detection for glossy paper copies & altered physical cards.
📌 Strengthen expired document detection (reduce 14.7% DFAR).

2. Expand Biometric Impostor Testing

📌 Conduct large-scale cross-match testing for enhanced security.

3. Establish Continuous Performance Monitoring

📌 Implement annual & upgrade-triggered re-testing.
📌 Track in-service performance vs. test results.

4. Develop a Permanent Test Environment

📌 NAB should establish a dedicated testing environment.

5. Improve Output Transparency

📌 Develop a clear understanding of system outputs & risk interactions.

Conclusion

BixeLab commends NAB’s proactive approach in commissioning this evaluation.
By addressing identified gaps, NAB can:

✔ Strengthen identity verification security.
✔ Improve user experience for genuine customers.
✔ Stay ahead of evolving threats.

Copy of UNHCR and MOSIP

By Ted Dunstone
