Why is mobile a good approach against deepfakes?
As digitalization moves forward, security remains a top priority for businesses and consumers alike. It's where EU regulations really shine, setting an international standard for service providers. But in reality, as regulatory measures progress, so do fraudsters. Since 2019, the number of deepfakes on the internet has been increasing at a fast pace. This mainly affects politics and the entertainment industry, but it also poses a big threat to trust service providers. Fake accounts and legal commitments are a dangerous combination, and avoiding it takes more and more effort every year.
Even so, when it comes to remote services, having only good security measures doesn't cut it. "In the end it’s all about user experience and ease of use. That's purely where the game is", notes ZealiD's CPO and COO Tomas Zuoza. There are more than 200 qualified trust service providers in Europe today. All of them face eIDAS regulation, but do so in different ways. There is a wide range of tools and solutions that they use for identity verification. These include one-time passwords, cryptographic keys, PIN codes, notarius publicus (physical identification via a notary), and so on. But as the need for fully remote services grows, having manual steps with physical presence in the onboarding process is just not efficient anymore.
"Many companies are still relying on paper processes, and the idea to send their customer to a notarius publicus in another city sounds acceptable to them. Whereas for us the point is that we want the user to be happy. We see that as a core value, so we enable the user to onboard quickly and easily from their home", remarks our Security Officer Robert Hoffmann. In the case of ZealiD, a solution that combines high security standards and user focus is a mobile app. From A to Z, our onboarding process and user journeys rely on a smartphone - a device that most of us own and use on a daily basis.
But the advantage of driving identity verification in an app extends beyond user experience. Both Tomas and Robert agree that, compared to a laptop or a desktop, a smartphone is a powerful security tool. Taking advantage of its perks can help service providers detect and prevent the use of deepfakes in the onboarding process.
Deepfakes as a form of entertainment
Essentially, a deepfake is a falsified image, video or audio recording. It's meant to make others believe that what they see or hear is real data - when it's actually not. Deepfakes have been around since the early days of photography, but as digitalization moves forward, they are becoming more common, more advanced, and harder to detect. "Today, deepfakes are an integral part of our daily digital experiences. Take, for example, conferencing platforms that exploded during the pandemic. Most of them offer backgrounds that allow us to disguise our location by using it as a green screen for something else. That's a deepfake right there", notes Tomas. But it's not the "good" deepfakes that trust service providers find concerning. The root of the problem lies deeper: since complex software for generating deepfakes is widely available, can we even trust pictures anymore?
ZealiD's Security Officer Robert Hoffmann states the harsh truth - no, we can't. "Nowadays it’s impossible to detect a skilled attacker. When it comes to remote onboarding, the solution here is to use a combination of data sources, including biometric data, cryptographic tools and live footage. Using a variety of formats and recording patterns creates a scenario that is hard to “prerecord”, allowing us to detect deepfakes and be more confident about the users that come onboard", he notes.
And that's exactly where smartphones give service providers the upper hand:
In contrast with smartphones, desktop and laptop computers are built as very open platforms. You can easily modify the software and use any program or operating system of your choice. In that sense, mobile phones are way more protected and closely regulated by suppliers.
That gives ZealiD a trusted computing base. As a software provider, we have our app interact directly with the user’s smartphone. It allows us to trust certain information out of the box, such as video, Face ID, fingerprint, NFC read and so on. It goes without saying that this method is not foolproof, but it’s very reliable - especially when compared to other methods that involve traditional computers and manual data uploads.
Built-in security features
Nowadays, mobile devices have way more sensors than any given desktop computer. At first glance, Face ID and fingerprint sensors make it easy for the user to protect their data and quickly unlock their smartphone. But for trust service providers, biometrics double as a strong security layer for authentication. Besides, most smartphones also come with a built-in NFC chip reader - a very powerful tool that can extract cryptographically verified information from government-issued e-passports and chip-based ID cards. In combination, these security features provide high confidence about the identity of the user and the validity of their ID.
Personal vs. common use
Putting the technical comparison aside, there is a basic difference in how we treat smartphones and desktop/laptop computers as material possessions. Smartphones are very personal - we don’t really share our smartphone with other people, but we do share computers. “A family of four is more likely to have four smartphones and one or two computers than the other way around. Based on that, you can start creating a meaningful fingerprint based on how someone is using an app provided the user has given consent. That’s where behavioral security comes in: based on this pattern, you can identify if the user of a phone changes, or if they’re in an unusual location. This adds yet another security layer that trust service providers can hold on to”, notes ZealiD's CPO and COO Tomas Zuoza.
Approaching those security features in a user-centric way is a recipe for quick, smooth and completely remote user onboarding. In the case of ZealiD, the entire process takes only a few minutes and is very light on the user, only requiring a smartphone with Face ID or Touch ID and an identity document. That comes with zero compromise on security and compliance: qualified certificates issued by ZealiD go hand in hand with the eIDAS regulation. Once onboarding is complete, every ZealiD user can sign documents with their QES: the only e-signature explicitly recognized as the legal equivalent of a handwritten signature across all EU member states.