Security & Best Practices
Below is a list of best practices for validating the result returned by our SDK. Perform these checks in your backend on the signed (JWS) result, not only in the client app, since anything the client sends can be tampered with:
- Enable and enforce the reading step (NFC) whenever the document type you request for the KYC session supports it. The reading step is the safest way to stop fraudulent attempts, because the data comes from the document's chip rather than from an optical scan. It can be enforced in two ways: overall, meaning a device without NFC cannot complete the KYC session at all, or only if supported, meaning the reading step is enforced only on devices that have NFC. If you choose the latter, flag every incoming session that did not perform the reading step for internal review.
- Cross-check the data returned by the different steps (for example, the optical scan against the chip data) for consistency. All of this data is available to you, so perform the comparison in your backend.
- Make sure the documentType property value inside the JWS result matches the document type actually requested by your onboarding process.
- Make sure the document is not expired. The SDK can be instructed to disable expiry validation, but that instruction is a parameter sent from the client to the backend API and is therefore subject to tampering; repeat the expiry check in your own backend regardless of that flag.
- Make sure the reading object is not null if your onboarding process requires the reading step (NFC) to be performed.
- Make sure the face object is not null if your onboarding process requires the facial recognition step to be performed.
- When the face object is not null, check the following properties:
  - The match property value must be true.
  - The matchLevel property value must be equal to or above the match level defined by you, or the SDK defaults (2 if the photo was taken from the optical scan, 3 if the photo was taken from the document's chip).
- Make sure the backgroundCheck object is not null if your onboarding process requires the background check step to be performed.
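The checks above, as an added example that is not taken from the SDK or its documentation: a backend function that validates a decoded KYC result after the JWS signature has already been verified with the key the vendor provides (that verification step is assumed done before this code runs). The property names documentType, reading, face, match, matchLevel and backgroundCheck are the ones named above; the optical key, the expiryDate, documentNumber and dateOfBirth fields, and the face.photoSource value used to pick the match-level threshold are assumptions about the payload layout and must be adapted to the real schema. The sample payloads are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# SDK default minimum match levels quoted in the guidance above:
# 2 when the reference photo came from optical scanning, 3 when it came from the chip.
DEFAULT_MIN_MATCH_LEVEL = {"optical": 2, "chip": 3}

# Fields compared between the optical step and the NFC step.
# ASSUMPTION: both steps expose these names; adapt to the real payload schema.
CROSS_CHECK_FIELDS = ("documentNumber", "dateOfBirth", "expiryDate")


@dataclass
class Requirements:
    """What this onboarding flow asked the SDK to do (owned by the backend, not the client)."""
    document_type: str
    require_reading: bool            # NFC reading enforced for every session ("overall")
    require_face: bool
    require_background_check: bool
    min_match_level: dict = field(default_factory=lambda: dict(DEFAULT_MIN_MATCH_LEVEL))


@dataclass
class Verdict:
    accepted: bool
    errors: list     # hard failures: reject the session
    review: list     # soft findings: accept only after internal review


def _parse_iso_date(value):
    """Return a date for a 'YYYY-MM-DD' string, or None if absent or unparseable."""
    if not isinstance(value, str):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def validate_result(payload, req, today):
    """Validate an already signature-verified JWS payload (a dict) against the flow's requirements.

    `today` is injected so the expiry check is deterministic and testable.
    """
    errors, review = [], []

    # Document type must be what the onboarding process requested, not what the client chose.
    if payload.get("documentType") != req.document_type:
        errors.append(f"documentType {payload.get('documentType')!r} differs from requested {req.document_type!r}")

    reading = payload.get("reading")
    face = payload.get("face")
    background = payload.get("backgroundCheck")
    optical = payload.get("optical")  # ASSUMPTION: optical-scan (OCR/MRZ) data lives under this key

    # Expiry: ignore any client-side "disable expiry validation" flag and check it here.
    # Prefer the chip data when present, since it is harder to forge than an optical scan.
    expiry = _parse_iso_date((reading if reading is not None else optical or {}).get("expiryDate"))
    if expiry is None:
        errors.append("document expiry date missing or unparseable")
    elif expiry < today:
        errors.append(f"document expired on {expiry.isoformat()}")

    # Reading (NFC) step: hard failure if enforced overall, review flag if enforced only when supported.
    if reading is None:
        if req.require_reading:
            errors.append("reading (NFC) step required but not performed")
        else:
            review.append("reading (NFC) step not performed; flag session for internal review")

    # Face step: presence, match flag and match level against the source-dependent threshold.
    if face is None:
        if req.require_face:
            errors.append("face step required but not performed")
    else:
        if face.get("match") is not True:
            errors.append("face match is not true")
        source = face.get("photoSource")  # ASSUMPTION: "optical" or "chip"
        threshold = req.min_match_level.get(source)
        level = face.get("matchLevel")
        if threshold is None:
            errors.append(f"unknown face photo source {source!r}")
        elif not isinstance(level, int) or level < threshold:
            errors.append(f"matchLevel {level!r} below required {threshold} for {source} photo")

    # Background check step.
    if req.require_background_check and background is None:
        errors.append("backgroundCheck step required but not performed")

    # Cross-check: the same field must agree between the optical scan and the chip.
    if reading is not None and optical is not None:
        for name in CROSS_CHECK_FIELDS:
            if name in reading and name in optical and reading[name] != optical[name]:
                errors.append(f"{name} differs between optical ({optical[name]!r}) and chip ({reading[name]!r})")

    return Verdict(accepted=not errors, errors=errors, review=review)


# Constructed sample payloads (not real SDK output) for a stand-alone run.
SAMPLE_OK = {
    "documentType": "passport",
    "optical": {"documentNumber": "X123456", "dateOfBirth": "1990-05-01", "expiryDate": "2030-01-31"},
    "reading": {"documentNumber": "X123456", "dateOfBirth": "1990-05-01", "expiryDate": "2030-01-31"},
    "face": {"match": True, "matchLevel": 3, "photoSource": "chip"},
    "backgroundCheck": {"hits": []},
}
SAMPLE_BAD = {
    "documentType": "id_card",  # the flow asked for a passport
    "optical": {"documentNumber": "X123456", "dateOfBirth": "1990-05-01", "expiryDate": "2019-01-31"},
    "reading": {"documentNumber": "X123457", "dateOfBirth": "1990-05-01", "expiryDate": "2019-01-31"},
    "face": {"match": True, "matchLevel": 2, "photoSource": "chip"},  # 2 < 3 required for a chip photo
    "backgroundCheck": None,
}
REQ = Requirements("passport", require_reading=False, require_face=True, require_background_check=True)
TODAY = date(2025, 1, 1)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        verdict = validate_result(sample, REQ, TODAY)
        print(label, "accepted" if verdict.accepted else "rejected", verdict.errors, verdict.review)
```

The requirements object is built from your own record of what the onboarding flow requested, never from values echoed back by the client, so a tampered documentType or a disabled expiry flag cannot change the threshold the result is measured against. Sessions that pass with a non-empty review list should be held for the internal review mentioned above rather than auto-approved.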