Security & Best Practices
Below you can find a list of best practices to validate the result returned by our SDK:
Validate the signature as described in chapter JWS validation and parsing.
Enable JWS result encryption (JWE) as described in chapter Enable result encryption.
Set the nonce in the SDK (see Uqudo Builder Enrolment Configuration). The nonce should be generated server side and then compared with the nonce property value you can find in the JWS result.
Set your own sessionId in the SDK (see Uqudo Builder Enrolment Configuration). The sessionId should be compared with the jti property value in the JWS result.
Activate the Analytics functionality within the SDK for a more comprehensive understanding of the KYC session.
Activate the functionality within the SDK to retrieve data of an uncomplete KYC session in cases where either the user or the SDK terminates the session. This capability is crucial for troubleshooting scenarios, such as when the SDK terminates the session due to excessive failed facial recognition attempts.
Make sure to enable and enforce the reading step (NFC) when supported by the document type you request for the KYC session. Reading step is the safest way to avoid fraudulent attempts. It can be enforced in two ways: overall, meaning a device that doesn't support NFC would not be able to perform the KYC session, or only if supported, meaning the reading step would be enforced only if the device supports NFC. For the latter case make sure to flag incoming sessions that didn't perform the reading step for an internal review. Note: from mobile SDK version 3.x and above the reading step, when enabled, is not optional anymore and is enforced if the device supports NFC.
Cross check the data between different steps to validate the consistency. The data are available to you and you can perform this process in your backend. Note: from mobile SDK version 3.x and above you have the data consistency check result straight in the SDK result, see the verification object for details.
Make sure the documentType property value inside the JWS result matches the document type actually requested by your onboarding process.
Make sure the document is not expired. The SDK can be instructed to disable the expiry validation, that is a parameter sent to the backend API, therefore subject to possible tampering.
Make sure the reading object is not null if your onboarding process requires the reading step (NFC) to be performed.
Make sure the face object is not null if your onboarding process requires the facial recognition step to be performed.
When the face object is not null check the following properties:
The match property value must be true.
The matchLevel property value must be equals or above the match level defined by you or the SDK default ones (2 if photo taken from the optical scanning or 3 if photo taken from the chip of the document).
Make sure the backgroundCheck object is not null if your onboarding process requires the background check step to be performed.
Last updated