Run instant authentication checks on any government issued ID

72 points by willow9886 almost 9 years ago

23 comments

Animats almost 9 years ago
Their authentication check doesn't do much. They aren't validating driver's licenses against a database. Has anybody tested this thing with common fake IDs? If you show it a color copy of a driver's license, can it detect that? How? They're looking only at a flat photo. They can't tell a hologram from a photo of a hologram. They don't make you take pictures from several different angles. You could probably take a picture of an ID, alter it in Photoshop, and get it through this thing.

Their privacy policy looks like a standard web site privacy policy. It says nothing about how they handle ID data. That's a big deal, because Confirm is handling personal data that isn't about Confirm's own customers. This can create liability for Confirm or Confirm's customers under various identity theft laws.

Here's their founder: [1]

[1] https://www.linkedin.com/in/kylekilcoyne

okso almost 9 years ago
Sending photos of government issued IDs to third parties looks like a very dangerous approach to the problem.

These photos could be stolen and reused for fraud and identity theft.

Electronic IDs provide a much safer and more reliable way to check the identity of a user. E.g.: every citizen in Belgium can authenticate HTTPS connections with his ID card.

dsr_ almost 9 years ago
So, what exactly are they promising to do? Let's look at what they say in their terms of use:

    EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE LICENSED TECHNOLOGY IS PROVIDED ON AN “AS-IS” BASIS AND CONFIRM DISCLAIMS ANY AND ALL WARRANTIES. CONFIRM DOES NOT WARRANT THAT THE LICENSED TECHNOLOGY IS ERROR-FREE OR THAT OPERATION OF THE LICENSED TECHNOLOGY WILL BE UNINTERRUPTED. EXCEPT AS OTHERWISE EXPRESSLY PROVIDED IN THIS AGREEMENT, NEITHER PARTY MAKES ANY ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER. ... EACH PARTY EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, TITLE, AND NON-INFRINGEMENT.

7 LIMITATIONS OF LIABILITY

7.1 Disclaimer of Consequential Damages. THE PARTIES HERETO AGREE THAT, NOTWITHSTANDING ANY OTHER PROVISION IN THIS AGREEMENT, EXCEPT FOR (A) CUSTOMER’S BREACH OF SECTION 1 OR 6.2, (B) EITHER PARTY’S BREACH OF SECTION 5, AND (C) LIABILITY ARISING FROM A PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 8.1 AND 8.2 BELOW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, LOST OR DAMAGED DATA, LOST PROFITS OR LOST REVENUE, WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF A PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY THEREOF.

Which is to say, it could tell you that Lovin McSpoonful is a totally valid CA driver's license, and you have no remedy if you rely on that to sell the 18 year old alcohol.

aestetix almost 9 years ago
$ nslookup api.confirm.io

Non-authoritative answer:
api.confirm.io canonical name = midentssl-861843077.us-west-2.elb.amazonaws.com.
Name: midentssl-861843077.us-west-2.elb.amazonaws.com
Address: 54.149.15.14
Name: midentssl-861843077.us-west-2.elb.amazonaws.com
Address: 52.25.246.175

Hosted in the US on Amazon. That makes it immediately a no-go for European customers.

So, what's the data retention policy? Who has access to it? Is any PII contained in the webserver logs? If the answer is "no", how do you define PII?

Have you had a third party security audit done? If so, can we see the report?

Those are just a few of my initial questions :)

imglorp almost 9 years ago
"Contact sales" is a clear, absolute dinosaur warning.

I want transparent pricing right on the page, instant SDK access for self evaluation, instant purchase if I want more, and no slimy sales process that depends on my region or what I negotiate.

iamleppert almost 9 years ago
What a great way to open your company up to a huge liability. When (and not if) this place gets hacked, expect to foot the bill for identity protection service for a few years for anyone you have scanned using this thing. The burden is usually on the person who originally handles the identity documents, even if a service they are using has been compromised. There's a reason why many nightclubs no longer scan IDs.

Also I don't see any data or information about any guarantees, no case studies, etc. A service like this is worthless unless they are willing to provide something for when fraud does occur, or provide a guarantee that the service actually works and the results can be trusted.

Reading through their terms of service, there is no warranty whatsoever. Their technology could be completely bogus, or do nothing for all you know. It's a black box.

You're basically opening yourself up to liability for questionable benefit.

FabHK almost 9 years ago
By "any government issued ID" do they mean "some US government issued IDs"? The website has no indication on what countries are covered, or whether e.g. US military IDs or FAA pilot licenses are covered.

Reminiscent of IDnow (https://www.idnow.eu/), which has been around for a while now. IDnow claims that it "is available worldwide. IDnow supports identification documents (passports and personal ID cards) in accordance with the common ICAO standard, which is valid in more than 190 countries."

micaksica almost 9 years ago
I'm curious how they're protecting this data. Having access to a bunch of raw, high-megapixel ID images is enormously useful for bad actors.

gruez almost 9 years ago
From the website, it looks like they're doing image analysis on the ID scans to verify its authenticity. Given that it's hard for a human to spot a high quality fake, I doubt that some machine learning model can do much better. The only thing I'd imagine it being useful for would be for checking off a regulatory requirement.

bouk almost 9 years ago
Seems kind of sketchy to be saying "safe & secure" but not even bothering to set up HTTPS for your website

astanway almost 9 years ago
Seems like a sketchy business to me. Who founds a company, raises 4M out of the gate, and then acquires a competitor a month later? http://www.confirm.io/#!our-story/h6arz.

Combine that with a "partnership" six months after that, and it really seems like there is zero proprietary technology that was built by this company in the first place.

koolba almost 9 years ago
No https and no pricing info means no bueno.

fatdog almost 9 years ago
Consider that to verify these IDs they would need bi-lateral agreements AND API access to each issuing authority for the cards to look up the card to verify it against the "real" data. Unlikely they have achieved that given governments are not in the business of offering this service to the market these days.

The question becomes, who takes on the liability for the identity asserted by the user who has presented the card? They could compare it to all previous images of the card, but again, was that original?

All eID solutions have a bootstrapping problem related to the "fons honoram" that creates the legitimate "original."

The use cases for ID are all law enforcement related, and the integrity of these processes does not withstand even basic scrutiny.

What is the problem they need to solve? Limited liability broker for proof of legal identity over a communications channel.

Here are the things that matter:

- "liability"
- "broker"
- "proof"
- "legal"
- "identity"

Here is what other companies in that space do:

"ah takez teh picturez of teh cardz and ah sendz to tehm."

This company may have solved these other problems. If they have, I would be yelling it from the rooftops because the technology doesn't matter, they would literally have been given the right to print money.

r1ch almost 9 years ago
Site doesn't work without JS. No love for progressive enhancement :(.

SAS24 almost 9 years ago
There are a ton of players in the "ID verification" space (LexisNexis, Jumio, MiTek, KoFax). Most of them are only verifying the formatting of the ID, not the information.

I've yet to find an API based solution that can reliably verify information solely based on the picture of someone's driver's license.

Gys almost 9 years ago
US only it seems. The world is bigger than that. Although that is obviously less obvious to some...

leetrout almost 9 years ago
If anyone from Confirm reads this: You should probably change that video on your site if that's a real ID.

That name, DOB, address, and license number is easily discernible from the video.

jzelinskie almost 9 years ago
Can this use a square-style card reader to allow for swiping cards? It seems pretty clunky to use the camera if you're working the door someplace.

rblatz almost 9 years ago
This is an interesting problem space. We recently looked into this and found Jumio, how does this service compare to them?

tener almost 9 years ago
Aren't the advanced badge features they are verifying secret?

state almost 9 years ago
Reading through the comments I'm enjoying thinking about this as an elaborate honeypot set up by a state actor for recruiting. Looking forward to the longform Wired article in a few years!

djcapelis almost 9 years ago
Cool. Now we just need a "generate fake ID photos API" to close the loop.

Kinnard almost 9 years ago
This would have been a literal lifesaver when I was running the fifth largest Bitcoin exchange in the world . . . looks good too!