Skip to main content

What is Identity Proofing?

Verify consumer identities with confidence.

identity proof

Identity proofing is a critical component of the broader identity verification process. It involves verifying an individual’s identity is genuine and not fraudulent at the time of onboarding or during high-risk activities. 

 

What is identity proofing?

Identity proofing is the process used by organizations to verify an individual is who they claim to be before granting access to sensitive information, services or facilities. The identity proofing process is foundational to establishing enhanced trust in digital and physical transactions, better ensuring services are provided to legitimate users while also helping to detect and prevent attempts at fraud.

 

What is an example of identity proofing?

A common example occurs in the banking sector when a new customer applies for a bank account online. They’re often required to provide personal information, such as their email address, phone number, Social Security number, driver's license or mobile device details, and a biometric like fingerprint or facial recognition scan. The bank then uses various tools and technologies to verify the authenticity of these documents and the identity information provided.

 

How does identity proofing work?

The identity proofing process generally involves three key stages:

 

In more comprehensive identity proofing, these stages incorporate advanced technologies, such as artificial intelligence (AI) and machine learning (ML) for increased efficiency and accuracy.

What are the key components of digital identity proofing?

Digital identity proofing is the process of verifying the authenticity of an individual’s identity using electronic methods, particularly in the context of online interactions and transactions. Key components of more effective  digital identity proofing include:

1. Device intelligence involves verifying device risk used for a transaction through a combination of layered insights about device history and reputation and device-to-identity linkages.

2. Database checks cross-reference the individual’s information like email address and phone number with trusted databases, such as credit bureaus, government records and public databases, to help confirm identity.

3. Document verification entails scanning and validating government-issued identification documents, such as passports and driver’s licenses, and using optical character recognition (OCR), facial recognition, ML and AI to check for authenticity, tampering and consistency with official records.

4. Behavioral models monitor and analyze user behaviors, such as typing patterns and interaction habits, to help establish a behavioral profile that can be used to better verify identity.

5. Biometric verification uses unique biological characteristics, such as fingerprints, facial recognition and iris scans, to better verify identity. Biometric data is more difficult to forge and provides a higher level of security.

What are the benefits of identity proofing?

In an era where digital transactions are extremely common, identity fraud is a major concern. For businesses, especially in sectors like banking, healthcare and public services, better assurance that the person accessing a service is indeed who they claim to be is crucial for enhanced security and legal compliance. Effective identity proofing helps mitigate risks associated with data breaches and fraud which can lead to substantial financial losses and damage to reputation.

Identity proofing offers several benefits to organizations and consumers alike:

What’s the difference between identity proofing and identity authentication?

While often used interchangeably, identity proofing and identity authentication are in fact distinct processes. Identity proofing is about establishing a user's identity initially, often involving rigorous checks against official documents or databases. On the other hand, identity authentication occurs after identity has been proven and involves continually verifying the identity of a user each time they access a system — using methods like passwords, biometrics or security tokens.

 

What’s the difference between identity proofing and identity verification?

Identity proofing and identity verification are closely related but address different aspects of identity management. Identity verification is simply the act of confirming an identity matches a person by checking personal details against available data. Identity proofing, however, includes additional steps like checking the validity of identity documents and may involve more in-depth analysis and corroboration.

 

How does identity document verification work?

Identity document verification involves checking government-issued documents like passports or driver's licenses to better ensure they’re authentic and have not been altered. It’s often a critical component of identity proofing. Highly comprehensive document verification processes use advanced software solutions which examine security features like holograms, machine-readable zones and biometric data embedded in the documents.

What are levels of assurance in identity proofing?

The levels of assurance (LoA) in identity proofing is a metric that describes the degree of confidence in the verification processes used to establish a person's identity. This concept is particularly important in areas where more highly secure access to information or physical locations is critical, such as in government services, financial transactions or healthcare. The LoA helps organizations determine a more appropriate level of security and rigor of verification processes required based on the potential risks involved in a transaction.

Categories of levels of assurance:

Generally, the LoA are categorized into four tiers as follows:

The highest level of assurance includes all elements of Level 3 with additional security measures. This could involve multiple forms of identification, advanced biometrics and possibly in-person verification by trained personnel. Level 4 is reserved for the most sensitive or higher-risk transactions where the impact of fraud would be extremely high.

High assurance demands stricter verification methods, including the presentation and validation of government-issued photo IDs. Verification at this level might also involve biometrics and in-person authentication. This level is more suitable for transactions requiring a higher degree of trust and where the consequences of identity fraud can be more severe.

This level requires some evidence to support the claimed identity and often involves checks against publicly available data or knowledge-based verification (answers to personal questions, for instance). It also offers a moderate degree of confidence but might still be vulnerable to fraud.

This level typically involves less confidence in the asserted identity's validity. Verification methods might include self-asserted information without any further validation. This level may be suitable for services where there are lower risks associated with an incorrect identity assertion.

 

 

Implementing levels of assurance:

Organizations must carefully assess their specific needs and potential risks to help determine the appropriate LoA for their identity proofing processes. Regulatory requirements often dictate the minimum LoA needed for certain types of transactions, especially in sectors like finance, healthcare and government services. For example, in the context of digital identity services, governments and international bodies, such as the International Organization for Standardization (ISO), European Union Agency for Cybersecurity (ENISA), and United States National Institute of Standards and Technology (NIST), there are set standards to better ensure organizations apply a more appropriate level of scrutiny based on the sensitivity of information or services accessed.

Examples of standards set by governments and international bodies include:

NIST Special Publication 800-63-3 provides guidelines on digital identity proofing and authentication, outlining different levels of assurance (ranging from low to high) based on the required security and risk management needs.

 

This European regulation sets standards for electronic identification and trust services for electronic transactions within the European Single Market. It defines assurance levels as low, substantial and high to ensure secure electronic interactions between businesses, citizens and public authorities.

This international standard from the International Organization for Standardization provides a framework for identity proofing and authentication, specifying four levels of assurance from very low to very high. It offers guidelines for organizations worldwide to determine the appropriate level of identity verification needed.

Published by Canada’s Treasury Board Secretariat, this framework categorizes assurance levels from IAL1 (low) to IAL3 (high), detailing requirements for identity proofing processes in federal services.

These standards help in preventing identity theft and ensuring digital transactions are more secure and trustworthy.

By adopting a structured approach to determining the LoA needed for various interactions, organizations can better protect themselves and their customers from the consequences of identity fraud while better balancing user convenience and system security.

What’s the role of multi-factor authentication (MFA) in identity proofing?

Multi-factor authentication is a component of the broader identity and access management process that often follows once identity proofing has been completed.

1. Understanding MFA and its role: Multi-factor authentication involves verifying a user's identity by requiring two or more different forms of authentication before access is granted. These factors typically fall into three categories:

  • Something you know: a password or PIN 
  • Something you have: a security token, smartphone app or smart card
  • Something you are: biometric identifiers like fingerprints, facial recognition, or iris scans

MFA is a critical security measure used to enhance the assurance the person requesting access to a digital account or physical location is indeed the legitimate user or owner of that account. It’s especially important in better protecting sensitive data and systems from unauthorized access which might occur if a single factor like a password is compromised.

 

2. How MFA differs from identity proofing: Identity proofing, as previously discussed, is the initial process of verifying an individual’s identity to establish an identity account or credential. This might involve verifying personal information against trusted sources, validating government-issued IDs or even in-person verification.

MFA, on the other hand, is used each time access is attempted; it helps verify the user attempting access is the same user who originally completed the identity proofing process. It's a form of authentication, not an initial proofing of identity.

While MFA is a critical security mechanism, it doesn't independently establish or prove an individual's identity from scratch but rather helps ensure the ongoing access to a system is more secure and controlled. Identity proofing occurs prior to MFA in the user identity establishment process, laying the groundwork for more secure and effective authentication measures like MFA to be most effective.

How do you choose the right identity verification provider for your business?

Selecting the right identity verification provider involves several considerations:

  • Broad solutions: Look for providers offering a range of services from authoritative data sources (like credit, email, IP and phone number databases) to device proofing to document verification to biometric analysis.
  • Technology: Choose a provider using advanced technologies like AI and machine learning for more accurate and efficient verification.
  • Compliance: Ensure the provider meets all relevant compliance standards for your industry.
  • Reputation and reliability: Consider the provider’s market reputation and the reliability of their solutions.
  • Customer support: Good customer support is crucial for addressing  issues more quickly and effectively.

As businesses continue to digitize and the frequency of cyber threats increases, robust identity proofing becomes indispensable. By implementing rigorous identity proofing processes and choosing the right providers, businesses can better protect themselves and their customers from escalating risks of identity fraud and establish a stronger foundation of trust that’s crucial for long-term success.

Get identity verification that’s right for you