Can NY Notaries Use Biometric Modalities (Including Facial Recognition) for Identity Verification When Performing RON?
Yes! Because of New York’s role (and especially metro New York City) as a global financial center, there will increasing demand by customers in the commercial and financial sectors to take advantage of the security and convenience afforded by Remote Online Notarization (RON). A critical challenge for the online notary comes in the identity verification of signers and, particularly, foreign citizens. Fortunately, New York’s RON law and administrative regulations, give New York online notaries more options than enjoyed by notaries in most other states, including the use of biometrics.
Navigating Identity Verification in (RON)
As a refresher, New York gives the online notary the following methods for verifying identity:
- the notary’s personal knowledge of the signer,
- use of a credible witness, or
- presentation of a government-issued credential, a third-party validation of a government credential (i.e. credential analysis), and identity proofing that is performed by a third-party credential service provider.
It is this identity proofing step that can be satisfied by use of a biometric.
Read more: Why is KBA Verification Secure?
Meeting Identity Assurance Level 2 (IAL2) Standards with Biometrics in NY
Title 19 of the New York Codes, Rules and Regulations (NYCRR), Chapter V, Subchapter E, Part 182, Section 182.7.a provides: “Identity proofing must meet, at minimum, the Identity Assurance Level 2 standard as outlined in the Digital Identity Guidelines of the National Institute of Standards and Technology (NIST), as referenced in subdivision (b) of this section, or any industry accepted standard that is at least as secure, or more secure, than that standard.”
Identity Assurance Level 2 (IAL2) is defined in NIST’s the Special Publication 800-63a, which is part of the overall SP 800-63-3 standard last revised in 2017, and which is currently undergoing revision. The New York regulation incorporates the update as of March 2, 2020, which expressly references use of “biometric modalities” in meeting the IAL2 standard.
Leveraging Facial Recognition and Liveness Detection in NY Remote Notarization
With RON providers, including eNotaryLog, the NIST IAL2 identity proofing can be met legally by means of a biometric authentication in the form of liveness detection and facial matching (1:1). Liveness detection is a security measure against face spoofing and still picture attacks. Along with this liveness test and facial matching, ideally the biometric authentication deployed by RON providers enables image capture, face detection, and features extraction.
Recently, at least one commentator has expressed concern about the liability risk posed to relying parties by the New York regulation’s recognition of “any industry accepted standard” that meets or exceeds the NIST IAL2 standard. How is a relying party or even an online notary to know what other industry standards meet this?
Read more: Guide to Remote Online Notarization (RON) Technology
Mobile Driver’s Licenses: The Future of Identity Verification in Notary Services
Fortunately, mobile driver’s licenses (mDLs) are gaining traction in the United States. These mDLs follow the ISO 18013-5 global standard that ensures a common baseline for cross border international interoperability and operational security. They represent a dynamic and forgery-proof government-issued identification credential that both traditional and online notaries will be able to use in verifying signer identity. And, although New York doesn’t yet issue mDLs, the New York online notaries will be able to rely upon such interoperable mDLs issued to signers from other states and countries.
Balancing Security and Convenience: Biometric Authentication for NY Notaries
How should a New York online notary approach the matter of biometric authentication? First, the New York online notary is not required to use biometric authentication. For US signers, the use of a knowledge-based authentication (KBA) third-party provider is acceptable within the NIST IAL2 standards as well as the mortgage banking industry (MISMO) standards.
The Evolution of NIST Standards and the Implications for NY Online Notaries
Should a New York online notary desire to make biometric authentication available to customers, the notary is required to use a third-party provider that complies with the NIST IAL2 standard or an industry equivalent. Section 182.4 (a)(2) specifies that the online notary must “use only those vendors or providers who comply with the standards outlined in this Part and any communication or reporting relating to those standards as required by the secretary of state.” However, note that the secretary of state does not approve the various providers of biometric authentication. Therefore, a best practice for an online notary is to obtain written confirmation from the provider of compliance with the NIST or an equivalent industry standard. Some providers will actually possess industry certification. But New York doesn’t require this extra step, which could also result in greater expense to the online notary and the signer.
The NIST 800-63A (5.3.1) provides the following specification for use of biometrics: “biometric comparison, using appropriate technologies, of the applicant to the strongest piece of identity evidence provided to support the claimed identity. Biometric comparison performed remotely SHALL adhere to all requirements as specified in SP 800-63B, 5.2.3.”
In turn, NIST 800-63B specifies that: “The use of biometrics (something you are) in authentication includes both measurement of physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral characteristics (e.g., typing cadence).” When using biometrics, NIST 800-63B requires that it be part of a multi-factor authentication that includes a physical authenticator (i.e. something you have) and presentation attack detection technologies (liveness detection).
Preparing for the Future: NIST’s Updated Biometric Guidelines and NY Notaries
It turns out that NIST is in the process of updating the 800-63 standard. And, the recent working draft reflects expanded reliance on the use of biometrics. 800-63A-4 (5.1.8) provides: “Biometrics is the automated recognition of individuals based on their biological and behavioral characteristics such as, but not limited to, fingerprints, iris structures, or facial features that can be used to recognize an individual. As used in these guidelines, biometric data refers to any analog or digital representation of biological and behavioral characteristics at any stage of their capture, storage, or processing. This includes live biometric samples from applicants (e.g., facial images, fingerprint), as well as biometric references obtained from evidence (e.g., facial image on a driver’s license, fingerprint minutiae template on identification cards). As applied to the identity verification process, CSPs may use biometrics to uniquely resolve an individual identity within a given population or context, verify that an individual is the rightful subject of identity evidence, and/or bind that individual to a new piece of identity evidence or credential.”
After NIST finalizes this updated version, the New York Secretary of State will be well-advised to alter the administrative rule so as to reflect the change. This will place New York online notaries in a great position to service a global customer base.
Contact us to learn more about how eNotaryLog can help you with using biometric authentication for identity verification.
