In the US, the Remote Identity Validation Technology Demonstration (RIVTD), a scheme to evaluate biometric digital ID systems that has been in the works since 2022, is now in the final stages of development.
The government agencies involved include the Department of Homeland Security (DHS), the Transportation Security Administration (TSA), the Homeland Security Investigations (HSI) Forensic Laboratory, and the National Institute of Standards and Technology (NIST).
Among the things RIVTD is there to evaluate and assess is identity verification when photos are taken with phones, including the “liveliness of selfies.”
The system is being developed in three stages – called “tracks” – of which the third and final, dedicated to said “liveliness,” is now in progress. The idea here is to ensure that a true selfie is submitted, instead of an image of a digital or physical photograph.
Another thing those behind RIVTD want to avoid is people using masks instead of “taking an actual selfie in real-time,” say reports.
The first two “tracks” concerned the assessment of the validity of documents like ID cards or driver’s licenses, with the second turning the focus on how selfies match photos on ID documents.
The need for all this is explained by TSA as a way to fend off “bad actors or impersonators” in the looming world of remote self-enrollment that uses a person’s digital identity.
The DHS, on the other hand, talks about “risk-based decision-making.”
“Such decision making may involve determining whether an individual is eligible to receive specific services or benefits or ascertaining if an individual is a known or suspected threat,” the agency is quoted as stating.
RIVTD is to be used in both REAL ID and “legacy documents,” and from May 2025 REAL ID “compliance” will be necessary for documents travelers use for domestic flights in the US.
The digital version of REAL ID is coming soon, thanks to the REAL ID Modernization Act.
If you wonder what happens to the biometric data and photos that TSA collects, the agency says they are deleted once the identity verification process is complete. Except, that is, when they are stored for up to two years.
One of the reasons is to be able to launch systems like RIVTD; that is, data retention is justified by the need to help with “testing and development.”