What the ENISA remote identity verification guide says (and why NFC matters)
ENISA, the European Union Agency for Cybersecurity, published a good-practices guide for remote identity verification (remote ID proofing) in 2024. It's essential reading for any business that onboards customers remotely: it explains how attacks have evolved — deepfakes included — and which controls actually work. Here's a summary of the essentials and why reading the document's NFC chip takes center stage.
What it is and why it was published
The report builds on ENISA's earlier 2022 work on attacks and countermeasures, and responds to a deeper shift: since the pandemic, identity verification has moved from the counter to remote, automated, at-a-distance processes. With the arrival of eIDAS 2.0 and the European identity wallet (EUDI Wallet) — with the ambition that 80% of citizens use it regularly by 2030 — cases requiring a high level of assurance will grow. Remote verification is also key to complying with anti-money-laundering regulation.
The problem: increasingly sophisticated attacks
ENISA's analysis identifies two major families of attacks against remote verification:
- Against the person's face: presentation and injection attacks on facial biometrics, where deepfakes have become one of the leading threats.
- Against the identity document: presentation or injection of manipulated or synthetic documents.
In response, ENISA proposes a set of good practices organized into four control domains: environmental, process, organizational and technical. The underlying idea: the pace and sophistication of new threats requires combining prevention and detection, not relying on a single control.
Defending the document: registries and, above all, the NFC chip
Here's the point that matters most to us. To validate the identity document, ENISA highlights two good practices as the most notable:
- Checking the document's status against official registries.
- Scanning the document's NFC chip, when available.
On NFC, the report is specific: reading the chip to verify personal data and the holder's biometric photo makes it possible to eliminate several synthetic attacks (fake documents, injected deepfakes). In practice, it's one of the strongest defenses against impersonation, because the chip's data is cryptographically signed and extremely difficult to forge.
Put another way: NFC isn't a silver bullet on its own, but one of the two best practices for securing the document, within a layered approach. And everything suggests its role will grow as the European framework enables and standardizes it.
What it means for your business
If you verify identities remotely — banking onboarding, fintech, insurance, signing, customer sign-up — ENISA's practical message is clear:
- Don't rely solely on a photo of the document (OCR): that's exactly what synthetic attacks know how to fake.
- Prioritize controls that verify the document at the source: NFC chip reading is the most powerful and accessible example available today.
- Combine it with liveness and injection detection on the biometric side, to close the deepfake flank.
YOiD reads the ID card's NFC chip
ID Verify captures ID card or foreigner-card data by reading the chip via NFC, with cryptographic verification of the document's signature — exactly the practice ENISA highlights. With optional liveness-based biometric verification.
See how ID Verify works →Frequently asked questions
Does ENISA say NFC is the most secure method?
ENISA highlights it as one of the two most notable good practices for validating the identity document, capable of eliminating several synthetic attacks. It's not presented as the sole solution, but as a very strong layer within a layered approach, and it warns that its use still isn't uniformly permitted for private providers across the EU.
What is remote identity verification (remote ID proofing)?
It's the process of confirming remotely that a person is who they say they are, usually combining identity document verification with biometric facial verification, with no physical presence.
Why are deepfakes so prominent in this report?
Because presentation and injection attacks on the face — deepfakes included — have become one of the leading threats. That's why ENISA recommends strengthening both document verification (NFC chip) and attack detection during biometric capture.
Source: ENISA, Remote ID Proofing — Good Practices (March 2024). Full report at enisa.europa.eu. This summary is informational and does not replace the original report.