Government Issued identity documents (IDs), such as passports and drivers’ licenses, may be appropriate forms of authentication when presented in person, but we must stop trusting images of any such documents when they are utilized online.
In fact, images of government issued IDs are commonly available on the dark web for purchase, trade, or even gratis – and it should be no surprise as to why.
Since 9/11, office buildings in many cities require visitors to provide government issued IDs to personnel working at the security desk – and, in many cases, the IDs are scanned into computers. Bars and other venues that sell alcohol likewise require people to show their IDs, as do many schools (which often scan the documents into systems that check for membership on any lists of known sex offenders), non-profit organizations seeking to improve security, and others seeking to control who is present in their facilities. And, of course, we commonly show such documents in airports, when going to the doctor and utilizing medical insurance, when cashing a check or making a withdrawal at a bank, when buying federally-controlled cold medicine, or when purchasing alcohol, cigarettes, or firearms.
In most cases, people utilize their drivers’ licenses for such purposes; shortly before the COVID-19 pandemic, I estimated that I must have shown my own license to well over a hundred people in the previous 12 months. And, in nearly all such cases, my license was either actively scanned, or effectively photographed by security cameras. Furthermore, during that timeframe, like anyone else in a similar situation, not only did I have to show my license when leasing a car, applying for a loan, and submitting paperwork for other official documents, but I had to supply a photocopy of the license as well.
When all it takes is one unscrupulous person handling an ID to compromise security, and hundreds of people are handing that ID every year, the odds are not in the ID holder’s favor. Likewise, when ID information is processed through hundreds of computer systems and/or stored on them, and hackers need to compromise only one repository in order to obtain images, the odds of a leak are quite high. I was not surprised, therefore, to learn in 2019 that an image of my driver’s license – along with many others – was on the dark web, possibly stolen from one of the hundreds of locations in New York City where my license had been scanned over the past couple years.
From a security perspective, having physical possession of a difficult-to-counterfeit ID is a valid form of authentication – it is an example of proving one’s identity through possession of “something which only the legitimate party possesses.” But, possessing an image of such an ID does not, in any way, demonstrate that the user actually possesses the original document, especially not in a world in which hundreds of parties are creating digital images of the same document every year. Yet, so many parties continue, to this day, to verify identities based on the ability of those seeking to authenticate themselves to provide images of relevant government issued IDs.
Some cybersecurity industry insiders have argued that while the images of an ID does not prove that the person providing the image is the legitimate owner of the document, it does establish that the information on the document is accurate, and does associate a specific photograph with that specific person. Perhaps. But, images of IDs are easy to manipulate, and do not have the anti-manipulation security features of the original documents from which they were derived, raising serious questions as to whether such images, and any information displayed on them, should be ascribed any level of credibility whatsoever.
Authenticating someone based on that person’s possessing of a digital image of an ID document is negligent, and not much different in today’s world than authenticating someone based on the knowledge of that person’s mother’s maiden name. As such, it is time that we stop trusting images of government issued IDs, and start utilizing better methods for authenticating people.