Choosing a Certified Biometric Solution to Strengthen Digital Identity

Digital identity has become a critical component of today’s digital journeys. From remote account opening and KYC procedures to electronic signatures, access to sensitive services, and online recruitment, the ability to verify that a person is who they claim to be is now fundamental to building trust.

At the same time, fraud is becoming increasingly sophisticated. Identity theft, synthetic identities, deepfakes, and video injection attacks using virtual cameras are now directly targeting remote verification systems. What worked yesterday is no longer sufficient today.

In this context, biometrics, particularly facial biometrics, is emerging as a key solution. However, not all solutions offer the same level of security. To truly strengthen digital identity, biometric systems must be rigorously evaluated, tested, and certified against recognized standards.

Why Biometrics Has Become Central to Digital Identity

For years, authentication relied on three main pillars: something you know (a password), something you have (a phone or a card), and sometimes human verification. These methods were effective in a world where interactions were mostly physical and fraud was relatively limited.

Today, passwords are frequently compromised in large-scale data breaches. SMS codes can be intercepted or bypassed. Identity documents can be forged or reused. More importantly, fraud attacks are now automated and industrialized.

Traditional approaches often rely on a declarative model: users state their identity, and systems verify supporting elements. But when those elements can be copied or manipulated, the entire trust model breaks down.

Biometrics fundamentally changes this approach. Instead of relying on claims, it provides proof: verifying that a real person is physically present and matches the identity document being presented. When properly implemented, it enables:

• stronger binding between an individual and their identity (holder binding),
• real-time verification of presence (liveness detection),
• reduced reliance on easily replicable credentials.
  

However, biometrics alone is not enough. It must be capable of resisting modern attack techniques, and that resilience must be objectively demonstrated.

Understanding Key Biometric Certifications

Defending Against Presentation Attacks

The ISO/IEC 30107-3 standard defines testing methodologies to assess how well biometric systems resist presentation attacks (PAD). These attacks attempt to deceive systems using:

• printed photos,
• videos displayed on screens,
• masks or other physical artifacts.

Certification under this standard measures a system’s ability to detect such attempts. It provides an objective performance benchmark, based on tests conducted by independent laboratories.

CEN 18099: Defending Against Injection Attacks

Modern attacks go beyond what is shown to a camera. They now include injection attacks, where manipulated video streams are fed directly into the system via emulators or virtual cameras.

The European standard CEN/TS 18099 specifically evaluates a system’s ability to detect these injection attacks (IAD). It addresses highly relevant threats such as deepfakes and altered video streams.

The Link with eIDAS 2.0 and Regulatory Requirements

With eIDAS 2.0 and its implementing acts, requirements for remote identity verification are becoming significantly stricter. High assurance levels now demand robust mechanisms capable of demonstrating resistance to biometric attacks.

ISO and CEN standards are not just marketing labels, they are technical benchmarks that increasingly underpin regulatory requirements. Choosing a certified solution means anticipating compliance obligations and securing digital journeys over the long term.

Conclusion

As fraud becomes more professionalized and regulatory expectations continue to rise, choosing a certified biometric solution is no longer a secondary strategic decision, it is a core driver of trust.

Biometrics can significantly strengthen digital identity, provided it is properly evaluated, tested, and integrated into a comprehensive security approach. Organizations that prioritize certified, robust, and well-balanced solutions will be better equipped to protect their digital journeys and meet the expectations of both regulators and users.