Resources › ID card via NFC
ID card via NFC

What the ENISA remote identity verification guide says (and why NFC matters)

Analysis · 5 min read · Based on the ENISA "Remote ID Proofing — Good Practices" report (March 2024)

ENISA, the European Union Agency for Cybersecurity, published a good-practices guide for remote identity verification (remote ID proofing) in 2024. It's essential reading for any business that onboards customers remotely: it explains how attacks have evolved — deepfakes included — and which controls actually work. Here's a summary of the essentials and why reading the document's NFC chip takes center stage.

What it is and why it was published

The report builds on ENISA's earlier 2022 work on attacks and countermeasures, and responds to a deeper shift: since the pandemic, identity verification has moved from the counter to remote, automated, at-a-distance processes. With the arrival of eIDAS 2.0 and the European identity wallet (EUDI Wallet) — with the ambition that 80% of citizens use it regularly by 2030 — cases requiring a high level of assurance will grow. Remote verification is also key to complying with anti-money-laundering regulation.

The problem: increasingly sophisticated attacks

ENISA's analysis identifies two major families of attacks against remote verification:

In response, ENISA proposes a set of good practices organized into four control domains: environmental, process, organizational and technical. The underlying idea: the pace and sophistication of new threats requires combining prevention and detection, not relying on a single control.

Defending the document: registries and, above all, the NFC chip

Here's the point that matters most to us. To validate the identity document, ENISA highlights two good practices as the most notable:

On NFC, the report is specific: reading the chip to verify personal data and the holder's biometric photo makes it possible to eliminate several synthetic attacks (fake documents, injected deepfakes). In practice, it's one of the strongest defenses against impersonation, because the chip's data is cryptographically signed and extremely difficult to forge.

ENISA notes — and it's worth saying honestly — that NFC chip reading is still not uniformly permitted for private providers across the EU, and that official document registries remain voluntary and incomplete. That regulatory inconsistency is precisely one of the things the European framework (eIDAS 2) is meant to sort out.

Put another way: NFC isn't a silver bullet on its own, but one of the two best practices for securing the document, within a layered approach. And everything suggests its role will grow as the European framework enables and standardizes it.

What it means for your business

If you verify identities remotely — banking onboarding, fintech, insurance, signing, customer sign-up — ENISA's practical message is clear:

YOiD reads the ID card's NFC chip

ID Verify captures ID card or foreigner-card data by reading the chip via NFC, with cryptographic verification of the document's signature — exactly the practice ENISA highlights. With optional liveness-based biometric verification.

See how ID Verify works →

Frequently asked questions

Does ENISA say NFC is the most secure method?

ENISA highlights it as one of the two most notable good practices for validating the identity document, capable of eliminating several synthetic attacks. It's not presented as the sole solution, but as a very strong layer within a layered approach, and it warns that its use still isn't uniformly permitted for private providers across the EU.

What is remote identity verification (remote ID proofing)?

It's the process of confirming remotely that a person is who they say they are, usually combining identity document verification with biometric facial verification, with no physical presence.

Why are deepfakes so prominent in this report?

Because presentation and injection attacks on the face — deepfakes included — have become one of the leading threats. That's why ENISA recommends strengthening both document verification (NFC chip) and attack detection during biometric capture.

Keep reading

KYC and digital onboarding: verification methods → What is an AISP and what's it for →

Source: ENISA, Remote ID Proofing — Good Practices (March 2024). Full report at enisa.europa.eu. This summary is informational and does not replace the original report.