What Is Identity Proofing?
Identity proofing, authentication and management are becoming increasingly complex and essential aspects of running a successful enterprise. Organizations need to get identity right if they want to comply with regulatory requirements and combat fraud.
It’s also becoming table stakes for making your customers feel safe and recognized. Nearly 75 percent of consumers expect businesses to protect them online, and 70 percent say it’s important for businesses they frequently deal with to identify them across visits.1
Identity proofing is the process organizations use to collect, validate and verify information about someone. There are two goals — to confirm that the identity is real (i.e., it’s not a synthetic identity) and to confirm that the person presenting the identity is its true owner.
The identity proofing process also relates to and may overlap with other aspects of identity management.
Identity proofing vs identity authentication
Identity proofing generally takes place during the acquisition or origination stages of the customer lifecycle — before someone creates an account or signs up for a service. Identity authentication is the ongoing process of re-checking someone’s identity or verifying that they have the authorization to make a request, such as when they’re logging into an account or trying to make a large transaction.
How does identity proofing work?
The National Institute of Standards and Technology (NIST) Special Publication 800-63-3, Digital Identity Guidelines, has an overview of the three stages of the identity proofing process:
- Resolution: The goal of the first step is to accurately identify the single, unique individual that the identity represents. Resolution is relatively easy when detailed identity information is provided. In the real world, collecting detailed data conflicts with the need to provide a good customer experience. Resolution still has to occur, but organizations have to resolve identities with the minimum amount of information.
- Validation: The validation step involves verifying that the person’s information and documentation are legitimate, accurate and up to date. It potentially involves requesting additional evidence based on the level of assurance you need.
- Verification: The final step confirms that the claimed identity actually belongs to the person submitting the information. It may involve comparing physical documents or biometric data and liveness tests, such as a comparison of the driver’s license to a selfie that the person uploads.
The NIST guidelines are the standards that federal agencies must follow for their digital identity services, and industry often uses the same guidelines as a framework for their identity and access processes. The current NIST guidelines — Revision 3 — were updated in 2017 and have three identity assurance levels (or IALs).
- IAL 1: Doesn’t require identity proofing to create an account. For example, you may be able to sign up for an online game or newsletter without submitting any identification.
- IAL 2: Requires users to submit identifying information and evidence either in-person or remotely. For example, you may need to upload a picture of your driver’s license and a selfie to create an account or confirm a transaction. It also requires address confirmation and may include (but doesn’t require) biometric checks, such as a fingerprint or face scan.
- IAL 3: Requires in-person or supervised remote identity verification, address verification and biometric checks.
There is a proposal to update the NIST guidelines, and the NIST is requesting comments on the proposed Revision 4 through March 24, 2023. The updates aim to advance equity, give consumers additional choices, deter fraud and build on the lessons learned from previous revisions and real-world implementation. The proposed revision also has four identity assurance levels, starting with IAL0, which applies when there’s no requirement for identity proofing.
Service providers that offer identity proofing, verification and management services can get certified if they conform to the current NIST guidelines. For example, Experian’s identity proofing solutions are NIST 800-63-3 IAL2 certified by Kantara Initiative.
Building an effective identity proofing strategy
By requiring identity proofing before account opening, organizations can help detect and deter identity fraud and other crimes. And although the NIST offers guidelines, you can use different online identity verification methods to implement an effective digital identity proofing and management system. These may include:
- Document verification plus biometric data: The consumer uploads a copy of an identification document, such as a driver’s license, and takes a selfie or records a live video of their face.
- Database validations: The proofing solution verifies the shared identifying information, such as a name, date of birth, address and Social Security number against trusted databases, including credit bureau and government agency data.
- Knowledge-based authentication (KBA): The consumer answers knowledge-based questions, such as account information, to confirm their identity. It can be a helpful additional step, but it offers a low level of assurance, partially because data breaches have exposed many people’s personal information.
In part, the processes you’ll use may depend on business policies, associated risks and industry regulations, such as know your customer (KYC) and anti-money laundering (AML) requirements. But organizations also have to balance security and ease of use.
Each additional check or requirement you add to the identity proofing flow can help detect and prevent fraud, but the added friction they bring to your onboarding process can also leave customers frustrated — and even lead to customers abandoning the process altogether.
Finding the right amount of friction can require a layered, risk-based approach. And running different checks during identity proofing can help you gauge the risk involved.
For example, you can compare information about a device, such as its location and IP address, to the information on an application. Or you can send a one-time password (OTP) to a mobile device and check whether the phone number is registered to the applicant’s name.
With the proper systems in place, you can use high-risk signals to dynamically adjust the proofing flow and require additional identity documents and checks. At the same time, if you already have a high level of assurance about the person’s identity, you can allow them to quickly move through a low-friction flow.
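The following sketch shows one way such a risk-based flow could be wired together. It is an added example, not code from Experian or NIST. The signal names, step names and escalation rules are assumptions chosen for illustration, and the applicants are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Signal names, step names and escalation rules are illustrative assumptions,
# not values from NIST SP 800-63-3 or from any vendor product.
@dataclass
class Signals:
    app_name: str                    # name typed on the application
    app_state: str                   # state of the address on the application
    ip_geo_state: Optional[str]      # state resolved from the device IP; None if unresolved
    otp_passed: bool                 # applicant returned the one-time password
    phone_owner_name: Optional[str]  # name the number is registered to; None if lookup failed

def _norm(name: str) -> str:
    """Case- and whitespace-insensitive form for name comparison."""
    return " ".join(name.lower().split())

def risk_reasons(s: Signals) -> list:
    """Return the high-risk signals present. A missing signal is a reason, never a pass."""
    reasons = []
    if s.ip_geo_state is None:
        reasons.append("device_location_unknown")
    elif s.ip_geo_state.upper() != s.app_state.upper():
        reasons.append("device_location_mismatch")
    if not s.otp_passed:
        reasons.append("otp_failed")
    if s.phone_owner_name is None:
        reasons.append("phone_owner_unknown")
    elif _norm(s.phone_owner_name) != _norm(s.app_name):
        reasons.append("phone_owner_mismatch")
    return reasons

def proofing_flow(s: Signals) -> dict:
    """Choose the checks to run: low friction when signals agree, step-up otherwise."""
    reasons = risk_reasons(s)
    steps = ["database_validation"]
    strong = {"otp_failed", "phone_owner_mismatch"}
    if strong & set(reasons) or len(reasons) >= 2:
        tier = "high"
        steps += ["document_upload", "selfie_liveness"]
    elif reasons:
        tier = "medium"
        steps += ["document_upload"]
    else:
        tier = "low"
    return {"tier": tier, "steps": steps, "reasons": reasons}

# Constructed sample applicants.
CLEAN = Signals("Ana Diaz", "TX", "TX", True, "ana  DIAZ")
TRAVELING = Signals("Ana Diaz", "TX", "NY", True, "Ana Diaz")
SUSPECT = Signals("Ana Diaz", "TX", None, True, "J. Smith")
```

Recording the reasons alongside the chosen tier gives fraud analysts an audit trail for why a given applicant was stepped up.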
Experian goes beyond identity proofing
Experian builds on its decades of experience with identity management and access to multidimensional data sources to help organizations onboard, authenticate and manage customer identities.
With a single API integration, Experian CrossCore® gives you access to a suite of identity proofing and fraud detection capabilities, including identity element verifications, risk analytics, device intelligence, document validation and biometrics. CrossCore Doc Capture offers end-to-end support for document and selfie verification, and you can use step-up OTP or KBV checks when appropriate.