Area: Monetization (audit p10) · Surface: /account/verified/submit, /account/verified/selfie · Dimension: feature-improvement · Severity: minor
Every modern verified-identity product (Stripe Identity, Persona, Onfido) automates document-authenticity, face-match, and liveness checks and returns a result in seconds. Our flow stores actual government-ID images in our own DB and waits on a human reviewer, which is slow for the buyer, an operational cost for the team, and a concentration of data liability (raw IDs at rest). Competitors verify instantly and never hold the raw document.
Evidence
VerificationController::submit (VerificationController.php:101-218) collects legal name + ID-type + raw front/back image uploads (base64-posted to platform-admin) and a self-recorded selfie video (selfieUpload:328-389), then flags 'under review' for a human. There is no Stripe Identity / automated document+liveness check anywhere (grep for identity/kyc/liveness/automatic in the controller returns only the user-typed confirmation checkboxes at :104,:112).
Suggested fix. Offer Stripe Identity (or equivalent) as the verification path: redirect to a hosted verification session, store only the pass/fail + redacted result, and fall back to manual review only on failure. Reduces latency, reviewer cost, and raw-PII storage.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
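A sketch of the webhook side of the suggested fix, added here as an example and not taken from the project's code: it authenticates the delivery using Stripe's `Stripe-Signature` scheme, then reduces a Stripe Identity event to the minimal record worth storing, routing `requires_input` to manual review. The function names, the `user_id` metadata key, the record field names, the secret and the sample event are assumptions constructed for illustration.

```php
<?php
// Added example; function names, secret and sample event are constructed.
/** Check a Stripe-Signature header: t=<unix ts>,v1=<hex HMAC-SHA256 of "t.payload">. */
function verifyStripeSignature(string $payload, string $header, string $secret, int $now, int $tolerance = 300): bool
{
    [$t, $candidates] = [null, []];
    foreach (explode(',', $header) as $part) {
        [$k, $v] = array_pad(explode('=', trim($part), 2), 2, '');
        if ($k === 't') { $t = $v; }
        if ($k === 'v1') { $candidates[] = $v; }
    }
    if ($t === null || !preg_match('/^\d+\z/', $t) || abs($now - (int) $t) > $tolerance) {
        return false; // missing or stale timestamp: treat as a replay
    }
    $expected = hash_hmac('sha256', $t . '.' . $payload, $secret);
    foreach ($candidates as $sig) {
        if (hash_equals($expected, $sig)) { return true; } // constant-time compare
    }
    return false;
}

/** Reduce an Identity event to the only fields persisted: no images, name or ID number. */
function verificationRecord(array $event): ?array
{
    $session = $event['data']['object'] ?? [];
    $outcomes = [
        'identity.verification_session.verified'       => 'verified',
        'identity.verification_session.requires_input' => 'manual_review', // fallback path
    ];
    $type = $event['type'] ?? '';
    if (!isset($outcomes[$type]) || ($session['object'] ?? '') !== 'identity.verification_session') {
        return null; // created/processing/canceled etc. change nothing
    }
    return [
        'session_id'   => $session['id'] ?? null,
        'user_id'      => $session['metadata']['user_id'] ?? null, // assumed set at session creation
        'result'       => $outcomes[$type],
        'failure_code' => $session['last_error']['code'] ?? null,
    ];
}

// Constructed webhook delivery, signed locally so the example runs offline.
$secret  = 'whsec_constructed_example';
$payload = json_encode(['type' => 'identity.verification_session.requires_input', 'data' => ['object' => [
    'object' => 'identity.verification_session', 'id' => 'vs_constructed_1', 'status' => 'requires_input',
    'metadata' => ['user_id' => '42'], 'last_error' => ['code' => 'selfie_face_mismatch'],
]]]);
$now    = time();
$header = "t=$now,v1=" . hash_hmac('sha256', "$now.$payload", $secret);
var_dump(verifyStripeSignature($payload, $header, $secret, $now) ? verificationRecord(json_decode($payload, true)) : null);
```

The signature must be computed over the raw request body exactly as received, before any JSON decoding or re-encoding.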