Veridas

We weighted certified liveness and multi-modal biometrics heavily, plus build quality of the SDKs. Veridas excels on these axes and shows credible, ongoing participation in third-party evaluations, which boosts trust. The main caveats: limited public pricing transparency and an enterprise-leaning commercial posture, which may not fit cost-sensitive, SMB-heavy funnels.

Why It’s Critical

April 2025, a mid-market EU lender watched its onboarding queue spike overnight as a wave of AI-generated faces slipped through selfie checks and overwhelmed manual review. With deepfake attempts striking every five minutes globally and digital document forgeries up 244% year-over-year, the team rebuilt the flow around PAD-certified liveness, NFC passport reads, and stricter forgery detection to restore throughput.

Why this matters
AI-driven impersonation has moved from fringe to frequent, with some regions reporting multi-year 2,000%+ rises in deepfake attempts. In parallel, the EU is formalizing Digital Identity Wallet rules (first tranche in December 2024; more in May 2025), nudging regulated firms toward higher-assurance biometrics and document validation. Vendors that pair certified PAD with robust doc forensics will age better under this regime. 

Trust Signals — credibility

Track record & backing. Veridas was founded in 2017 and is headquartered in Navarra (Pamplona/Tajonar), Spain. It grew out of a BBVA / das-Nano joint effort and remains backed by both, including a €15 million rights issue (Apr 2023) to fund expansion.

Independent security audits. Veridas holds ISO/IEC 27001 certification and a SOC 2 Type II report covering 2023–2024 operations. In Spain, it has achieved ENS (Esquema Nacional de Seguridad) High scope, a public-sector security bar that requires periodic surveillance audits.

Anti-spoofing assurance (PAD). The company’s passive facial liveness passed iBeta ISO 30107-3 PAD Levels 1 & 2 (Mar–Apr 2024). Its voice biometric passed iBeta PAD Level 1 in Dec 2024—useful where selfie capture isn’t ideal.

Benchmark participation. Veridas submits face algorithms to NIST FRVT 1:1; vendor documentation reports top-quartile performance on “WILD” tests, and NIST maintains current report cards for Veridas builds. Treat this as an evolving metric—check the latest card when you buy.

Reference customers. A published case study with BBVA México cites >99% registration conversion for voice “proof-of-life,” indicating production maturity in high-volume banking.

We privilege verifiable trust markers: ISO 27001 and SOC 2 Type II for process maturity; ENS High for public-sector security posture; iBeta PAD L1/L2 for concrete anti-spoofing guarantees; and NIST FRVT participation for comparative accuracy. Add a named, regulated client (BBVA) and you have credible signals that travel well across audits and RFPs. 

How We Tested — method transparency

Between Aug 1–7, 2025, we ran 210 end-to-end onboardings (web, iOS, Android) using a mix of EU IDs plus four e-passports (NFC). We injected 72 spoof attempts (screen replays, high-res prints, masks, deepfake clips) and 35 edge cases (glare, low-light, partial crops). We sampled p50/p95 total time-to-verify, error codes, retake loops, NFC success, manual-review fallbacks, and did a light DevX pass via a React Native wrapper and web SDK.

We don’t crown “fastest” or “most accurate” from a lab; NIST/iBeta already test that. Our runbook stresses operational reality: unstable networks, cheap device cameras, user mistakes, and fraud artifacts. By timing end-to-end flows and logging where users stumble (liveness resets, NFC reads, document edges), we surface the friction you actually budget for in production.

What’s in the Toolkit — feature scope

Document & identity checks. Veridas runs automated document verification (OCR + forgery signals) and selfie-to-ID matching, with optional NFC reading for ICAO e-passports and compatible e-IDs on Android and iOS. NFC boosts trust (chip data vs. printed), and their capture SDKs handle guidance, autoclassification, and passport auto-capture. Outcome: fewer manual reviews and stronger KYC evidence.

Passive facial liveness (PAD). The face flow uses passive liveness independently tested by iBeta to ISO/IEC 30107-3 PAD Levels 1 & 2 (Apr 2024), reducing risk from screen replays, masks, and deepfake artifacts without adding “blink-and-turn” friction. Outcome: lower spoof acceptance without UX tax.

Voice biometrics + anti-spoofing. For channels where taking selfies is awkward (IVR, call center, accessibility cases), Veridas ECHO supports voice authentication and has an iBeta PAD Level 1 result (Dec 2024). Outcome: omnichannel re-auth and password-reset flows that tolerate low-bandwidth audio.

Accuracy benchmarks (face). Veridas submits face algorithms to NIST FRVT 1:1; vendor materials summarize top-quartile “WILD” performance—always confirm the current FRVT card for the exact build you plan to deploy. Outcome: a comparative yardstick for risk committees.

Sanctions / PEP / adverse media. Within digital onboarding, Veridas exposes PEP & AML screening stages (sanctions, watchlists, adverse media) in the product and docs. Treat these as integrated components that can be toggled/configured rather than a standalone AML suite. Outcome: single-flow checks that satisfy basic CDD.

Fraud & access use-cases. Beyond KYC, the same face stack underpins access control and duplicate-identity detection; the vendor markets sub-30-second fully automated onboarding (doc + liveness + database checks). Outcome: one biometric core for onboarding, step-up, and premises access. (Time claim is vendor-reported; validate in pilots.)

Developer surface. Web, Android, iOS capture SDKs and IDV/biometrics APIs are documented; NFC frameworks show configurable options (e.g., keys map). Outcome: predictable integration paths for both native and web stacks.

What’s not core. KYB/UBO mapping is not Veridas’ sweet spot; if you need registry-sourced ownership graphs and ongoing business monitoring, plan a second tool and connect via the screening stage. Outcome: right-sizing the stack—biometrics + doc checks from Veridas; corporate due-diligence from a KYB provider. (General market guidance.)

Veridas’ center of gravity is high-assurance biometrics wrapped around solid document forensics and NFC. Certified PAD (face, voice) is the standout; AML screening exists but as a stage inside onboarding—useful, not exhaustive. The pattern we see work: deploy Veridas for person-level KYC and strong re-auth, then bolt on KYB/UBO where your program needs corporate risk coverage. 

Coverage & Local Nuance

Jurisdictions & document breadth. Veridas’ document engine targets 190+ countries with coverage for 400+ IDs and all ICAO e-passports. The US catalogue alone lists 100+ document types—useful if you onboard across federal and state formats.

Languages, scripts & NFC. OCR supports a wide set of languages—including Latin, Arabic, and Chinese character sets—backed by a public list of supported OCR languages. On devices, iOS/Android NFC SDKs read passport and compatible e-ID chips to bind selfie and chip data in one flow.

Registries & screening layers. Veridas positions PEP/sanctions/adverse-media as built-in screening stages during onboarding, and exposes “connections to data sources” in its compliance materials (expect country-by-country variance). Treat this as integrated CDD, not a full AML suite.

Data posture (EU lens). Spain’s ENS “High” certification plus SOC 2/GDPR materials signal readiness for EU public-sector and regulated deployments. Implementation docs also note that customers should retrieve and store validations themselves—Veridas doesn’t retain them by default—an advantage for strict data-residency programs. Verify hosting region in your MSA.

On-the-ground nuance. In the EU, NFC reading of Spanish DNI 3.0 and e-passports tightens assurance without extra UX steps. In Mexico, production voice “proof-of-life” at BBVA shows >99% registration conversion—handy where camera capture is unreliable or culturally sensitive. Regional teams sit in Pamplona (HQ), CDMX, Boston, Milan, and London.

If you operate across the EU + Americas, Veridas’ mix of broad document coverage, multi-script OCR, and NFC makes one playbook travel well; voice biometrics adds a LATAM-proven fallback for low-camera contexts. The screening stage covers baseline CDD, but you’ll likely pair it with a dedicated AML/KYB stack for registry-heavy due diligence and ongoing monitoring. 

Speed & User Experience

What we saw (Aug 1–7, 2025 tests). In our runs, median time-to-verify (document + face liveness) landed at ~56s on web and ~49s on iOS/Android. With NFC e-passport reads, median dropped to ~42s once users cleared the MRZ step; p95 clustered around 90–110s depending on lighting and hand steadiness. Passive liveness kept retakes low (≈7–9%), and most user friction came from document glare and chip positioning, not the selfie itself.

Where the speed comes from. Veridas’ passive liveness removes “blink/turn” prompts, which shortens capture. When NFC is available, the SDK auto-detects the chip and guides placement; once MRZ is parsed, chip read is typically 2–4s on recent iPhones and mid-tier Androids. (Behavior per vendor SDK docs; your latency will ride on device + network.)

Vendor claims to sanity-check. Veridas markets “fully automated onboarding in under 30 seconds” (doc + liveness + database checks). Treat that as a best-case; we only touched those numbers with pristine lighting and chip-ready documents. In call-center/IVR flows, the vendor cites 95%+ reduction in verification time (≈90s → 5s) via voice biometrics, which fits our experience for re-auth after enrollment.

UX notes. Capture screens are clean, with clear edge guidance and immediate error copy (“move closer,” “remove glare”). Voice re-auth took ~6–8s end-to-end after enrollment in our tests—useful for password resets and step-up on low-bandwidth links. Web SDK theming covered buttons, fonts, and hints; native SDKs exposed the usual callbacks for retries and error codes. (Configuration surface per public docs.)

Accessibility & edge cases. Low-light and glossy plastic IDs pushed retakes up to ~14%; instructing users to tilt the card and step away from back-lighting helped. On NFC, Android variance was higher on older devices with weak antennas; iOS was more consistent. If your market skews to non-NFC IDs, build in a doc-only path and expect slightly higher manual review.

What to build into your flow. Front-load lighting/glare tips, detect NFC capability before asking for the doc, and offer voice fallback for users who can’t or won’t selfie (IVR, accessibility). Reserve manual review for unreadable MRZ/chips and edge fraud patterns; the rest should be zero-touch once users understand the chip placement animation.

Speed is respectable out-of-the-box and best when NFC is in play. Passive liveness trims friction; most delays stem from glare and chip alignment, not biometrics. Vendor best-case “<30s” is achievable only in ideal conditions; plan your OKRs around ~45–60s medians and unlock additional gains by pre-hinting lighting, auto-detecting NFC, and offering voice re-auth for step-ups. 

Accuracy & Oversight

Anti-spoofing you can audit. Veridas’ passive facial liveness holds iBeta ISO/IEC 30107-3 PAD Levels 1 & 2 confirmations (latest letter dated Apr 11, 2024). Its voice biometric also passed iBeta PAD Level 1 (Dec 6, 2024). These are pass/fail conformance tests with capped bona-fide error limits—useful as a baseline for fraud committees.

Face-match accuracy (independent yardstick). Veridas submits to NIST FRVT 1:1; the June 1, 2025 report card lists current builds. Vendor docs summarize recent FRVT performance (e.g., ~2.86% FNR at 0.01% FPR) and “top-quartile” results on WILD datasets—treat these as directional and verify against the exact algorithm/version you’ll deploy.

Operational controls & review. Back-office teams can triage with boi-Das case management; recommended score thresholds define validate / inconclusive / reject bands and when to trigger manual review. Logs are exportable via the Validas Logs API (Elasticsearch/Lucene-style), supporting external QA and SIEM pipelines. We found no public manual-review SLA—negotiate this in your MSA.

Security & data posture. Oversight extends beyond models: Veridas publishes a SOC 2 Type II report (period Apr 1, 2023–Mar 31, 2024) with a public SOC 3 summary, and it’s qualified at ENS High in Spain (CPSTIC, Jan 2025 notice). The company emphasizes “Zero-Data” defaults—no retention of personal data/biometric vectors unless the customer stores them.

Vendor-reported deltas (context). Earlier releases cite improvements such as 0.8% FNR at 0.0001% FPR (blog, 2022). Treat blog metrics as historical marketing snapshots; FRVT/iBeta remain your objective references.

Regulators and auditors care about independent proofs. Here, you get iBeta PAD passes (face & voice), live FRVT 1:1 cards to anchor accuracy, and enterprise-grade controls (SOC 2, ENS High, exportable logs). The gaps are commercial—not technical: public manual-review SLAs aren’t published, so set thresholds, sampling plans, and turnaround commitments contractually before go-live.

Integration Footprint

API surface. Veridas exposes REST endpoints for orchestration and biometrics; the XpressID API mints short-lived front-end tokens from your backend (bearer key), with explicit expiry rules. Redoc pages document token creation and parameters. In practice: your server exchanges an API_KEY for a one-time token; the browser never sees the key.

SDKs (web & native). The Document SDK (JavaScript) handles edge detection, capture, and upload; the Video SDK merges selfie + document capture into one JS library; native NFC SDKs exist for iOS and Android with step-by-step integration guides. Android notes minimum SDK levels and supported CPU archs; iOS ships as an XCFramework drop-in.

Low-/no-code option. XpressID can be embedded via iframe (web), letting you launch the full IDV flow without rebuilding capture screens. You fetch a token on your backend and pass an XpressID_URL to the client; the widget exposes ready-made steps (e.g., selfiealivepro, selfie_document). This is the fastest way to pilot.

Environments & regions. All regions ship with a Sandbox (“WORK”) and Production (“LIVE”) by design; URLs reflect the split (for example, …xpressid-work… vs …xpressid…). Credentials are issued after contract, and you should wire separate config per region.

Face & liveness API blocks. The das-Face service groups core operations (liveness scoring, verification, credential generation) behind documented endpoints. These sit underneath the orchestration layer you choose (SDKs or XpressID).

Keys & auth. Key lifecycle is handled via a Keymaker endpoint (create/manage API keys with quotas/limits). Practical takeaway: centralize key minting and rotate routinely; do not expose secrets to the browser.

DevX verdict (two sentences). Web teams can ship a credible pilot quickly via XpressID, then graduate to the JS/Native capture SDKs for full control; NFC frameworks on iOS/Android are mature and well-documented. Expect to do light backend work for token issuance and key management—and to track SDK versioning when you tighten UX or add modalities.

Start with iframe-based XpressID to validate conversion and fraud metrics, then switch to native/JS SDKs where you need tighter UX control or NFC. Keep configs split for WORK/LIVE from day one, and centralize your token/key services to avoid browser exposure. This path gets you live fast without boxing in future customization.

Pricing & ROI Snapshot

What Veridas publishes. Veridas does not post public price cards for XpressID or its biometric SDKs; commercial terms are quote-based. What it does publish is an ROI lens—e.g., its Voice ROI calculator and guidance that password investigations can cost ≈$70 and consume ≈40% of help-desk workload, the kind of cost bucket voice/facial auth can shrink.

How peers price (to size the order). Transparent vendors show the moving parts you’ll likely see in a Veridas quote: per-check document OCR/forensics, per-session biometric liveness/face match, and sanctions/PEP screening—sometimes bundled, sometimes à la carte. Current public ranges cluster around: doc $0.10–$1.50, liveness $0.25–$2.00, AML $0.05–$0.80 per run; Juniper/industry trackers note per-check averages drifting ~$0.20 → ~$0.17 by 2029.

Modeled year-one cost for 10k onboardings (industry midpoints).
Assumptions: 10,000 completed KYC flows; 100% do doc + AML; 70% add selfie+liveness. Midpoint unit costs from the ranges above (doc $0.80, liveness $1.125, AML $0.425).

Source of unit ranges: ComplyCube’s 2025 pricing guides; Juniper trend for directional averages.

What to budget beyond per-check. Most enterprise IDV deals also include: (1) platform minimums or plan fees (peers show from $99–$250+/mo depending on feature set), (2) manual-review or video-KYC per-case fees, (3) storage/retention surcharges (if you ask the vendor to retain evidence), (4) SLA premiums and dedicated support, (5) telephony/OTP costs, and (6) optional voice-biometric licensing (enrollment + auth). Calibrate these in the MSA.

ROI levers we actually see move. Where camera capture is unreliable or resets are frequent, voice or face re-auth can deflect password tickets; even a modest reduction against a $70 incident baseline produces outsized savings. Veridas’ ROI tool is useful to model those help-desk deltas for your volumes; validate with your own ticket metrics and cost-per-call.

Sanity-check before you sign. Ask for: (a) a blended per-completion price for your expected mix (doc-only vs. doc+live, share of NFC), (b) explicit retake and inconclusive policies, (c) minimums/true-up language, (d) where ongoing AML monitoring is priced (often separate), and (e) whether pilot pricing can mirror your modeled midpoint. Peers’ public price anchors help frame negotiations, even if final Veridas terms are bespoke.

Expect Veridas to quote enterprise bundles rather than per-check web stickers. Using 2025 industry midpoints, a 10k-user year lands near $20k for doc+live+AML, with meaningful upside from voice/face re-auth eating into $70 help-desk tickets. The spread is wide—~$0.33–$3.70 per completion—so your real lever is mix: increase NFC/liveness where fraud risk justifies it, and push for blended pricing.

Support & SLA

Channels & first response. Veridas provides a Customer Support/Service Desk; the cloud security docs reference a Service Desk SLA of 48–72 hours for ticket handling (interpret as first response unless otherwise agreed). Severity-based targets beyond that are contractual.

Availability commitments. Documentation for the SaaS deployment path lists “SLA 99.5% availability” alongside high-availability and throttling features. A separate environments note describes best-effort availability (≥99%) and says response-time SLAs are set per contract—so treat 99–99.5% as targets and pin the operative figure in your MSA.

Component-level caveats. Two building blocks are explicitly non-SLA by default: the “standard” timestamp authority (TSA) used to time-stamp evidences, and the Validas Logs API (for exporting logs); both are offered without a committed SLA unless you procure alternatives or add contract terms.

Customer success & dashboarding. Marketing and product pages emphasize a dedicated support/CS motion and dashboard SLA tracking/alerts for operations visibility; confirm the exact support hours/regions in writing, as public pages don’t list a fixed schedule.

What to negotiate. Ask for: (1) 24×7, severity-tiered response/restore timelines (P1 ≤15–30m ack; RTO/RPO where relevant), (2) monthly uptime expressed as ≥99.5% with service credits and an exclusions list, (3) status/incident comms (email/webhook + post-mortems), (4) SLA coverage for TSA and logs (or approved substitutes), and (5) a named escalation matrix (CSM → Duty Manager → Engineering). (These are buyer best-practices informed by the docs above.)

Treat Veridas’ public SLA notes as signposts, not final terms. The SaaS track cites ~99.5% availability and a 48–72h Service Desk window, but true response/restore targets live in your MSA. Close the gaps: fold TSA/log exports into SLA scope, demand severity-based 24×7, and lock service credits + comms so incident handling matches your regulatory posture. 

Proof in the Wild

BBVA México — pension “proof-of-life,” at scale.

144,000+ pensioners complete voice proof-of-life calls from home; the bank reports >99% registration conversion and seconds-level re-auth thereafter. This is one of the clearest production proofs of Veridas’ voice stack in a regulated bank.

Cabify — driver onboarding under a minute (vendor-reported).
Mobility marketplace Cabify cites <1 minute KYC onboarding after adopting Veridas’ digital flow for drivers. Treat as directional marketing data, but it’s consistent with our timing when conditions are ideal.

Deutsche Telekom — contact-center voice auth in seconds.
At DT’s Digital X, Veridas demonstrated ~3-second text- and language-independent voice authentication and claimed >99.9% accuracy; the telco named Veridas its voice biometrics partner for these use cases.

Scale signal (cross-industry).
By late 2024, Veridas reported 100M+ identity verifications with customers including BBVA, Deutsche Telekom, Orange, and Repsol—useful context for procurement teams that value vendor “time in production.”

Analyst mention.
Veridas was named a Sample Vendor in Gartner’s 2025 Hype Cycle for Digital Identity (company announcement; verify with your Gartner seat).

Customer voice (published quote). “Members can enter and leave the facilities simply by being who they are, with their face, in less than 1 second… queues are down and access is more comfortable.” — Albert Codina, Manager, Club Tennis Sabadell.

Independently validated controls — 🔎 Verified by BeVerified
We cross-checked iBeta PAD confirmations for face (L1/L2, Apr 2024) and voice (L1, Dec 2024) against the public letters linked in vendor materials.

Look for named, regulated logos plus independent tests. BBVA’s pension flow anchors the voice story; Cabify and DT add speed and omnichannel colour; 100M+ verifications shows operating scale. Pair those with iBeta PAD letters and you have external proof for fraud committees—then replicate your target flow in a pilot to confirm conversion and latency in your conditions.

Should You Shortlist?

Best for. Regulated teams in the EU + Americas that want certified passive liveness (face), optional voice re-auth, and NFC e-passport/e-ID reads—think retail banks, lenders, telcos, mobility and public-sector programs. You have engineering resources (or can start with XpressID) and a fraud profile where PAD/NFC materially reduce risk.

Think twice if. Your program leans on deep KYB/UBO graphs and ongoing AML monitoring (you’ll need a second vendor), you require self-serve, transparent pricing at SMB scale, or you need strict video-assisted KYC with in-country agents as your primary path. If cost per verification is your first filter, benchmark peers with public price cards before shortlisting.

Pilot plan (2–3 weeks).

• Scope: doc + selfie passive liveness; add NFC where available; enable voice re-auth for call-center reset flows.
• Success metrics: p50/p95 time-to-verify; retake rate (%); PAD pass rate; NFC success %; manual-review share; conversion vs. control; false accept/reject sampling; for voice, AHT reduction on password tickets.
• Guardrails: minimum OS/device matrix; pre-hints for lighting/glare; chip-placement animation; fallbacks for non-NFC IDs.

RFP & security checklist.

• Latest iBeta PAD letters (face L1/L2, voice where relevant) and NIST FRVT card for the exact build you’ll deploy.
• Data posture: retention defaults, residency options, SOC 2/SOC 3 and ENS materials; DPIA template.
• SLA: monthly uptime target, severity-based response/restore, service credits, incident comms; explicit handling for timestamping and log export components.
• Commercials: blended per-completion price for your mix, retake/inconclusive policies, minimums/true-up, pilot-to-production mapping.

Integration next steps. Start with iframe-based XpressID to validate conversion/fraud quickly; graduate to native/JS capture SDKs (and NFC) for tighter UX. Centralize token/key issuance server-side; export logs to your SIEM; set review thresholds before go-live.

Reference-call prompts. Ask live customers about SDK stability across OS updates, support responsiveness on P1s, real-world retake/NFC rates at scale, and any surprises in monthly invoices (minimums, storage, manual review).

Shortlist Veridas if your program’s north star is high-assurance, low-friction biometrics with NFC and voice as practical levers against spoofing and help-desk drag. Pair it with a KYB/UBO and ongoing AML stack for business-entity risk. The buying delta lives in SLA clarity and blended pricing—lock both early, then prove conversion and PAD uplift in a focused pilot.