People often use identity proofing and verification as synonyms. We wouldn’t say they are wrong, as in fact, there’s a fine line between the terms.
Let’s find out.
Identity proofing definition
Identity proofing is the process of ensuring that the person applying for a service, attempting to cross a border, etc., is who they say they are, with the highest level of confidence. The process requires two key elements:
An actual applicant who provides their identity attributes. The attributes are certain characteristics associated with a person: full name, date of birth, address, etc. Fingerprints and face biometrics are also identity attributes.
Evidence or proof that connects these attributes to the individual. This can be an authority-issued passport, national ID card, eID, or digital signature. Depending on the context, some other evidence can be used, for example, identity information obtained from a bank.
Given the diverse conditions in which identity proofing is performed, it may come in different context-specific formats, such as:
Requiring the physical presence of an applicant. For example, that’s the case when you want to obtain a digital signature.
Attended remote format, where an applicant communicates in real-time with a registration officer. One example of it is video interviews that some banks hold before opening an account.
Unattended remote format. There’s no real-time communication, but the process may still involve manual operations on the officer’s side. That might be the case with digital KYC procedures: the customer’s personal information is processed and verified in automatic mode, but if the system detects any irregularities, it flags a human operator to intervene.
All of the above formats can involve a different number of manual operations: from a fully manual process, to a hybrid process (like when a border control officer has an ID scanner at their fingertips), to fully automated mode (same border control but going through automated gates).
What’s the difference between identity proofing and identity verification?
That’s a good question, because the two terms are often used interchangeably. Here’s how we treat them at Regula.
Identity proofing is a more official term used to describe the initial process of establishing identity. It’s typically used by authoritative organizations, such as ETSI, which we mentioned earlier, or Gartner. The latter issues annual buyer’s guides for identity proofing.
In this sense, identity verification is rather a technical process, a sum of various operations needed to validate someone’s identity (e.g., ID plus selfie), while identity proofing is rather a result of this verification.
Also, when it comes to identity verification, it often gets mixed up with “authentication” and “authorization.” You can read more about this in our previous explainer What Is Identity Verification & How Is It Done?
Identity proofing process
The identity proofing process, regardless of its type, consists of five tasks:
Identity proofing initiation
Attribute and evidence collection
Attribute and evidence verification
Binding to the applicant
Issuing the result of identity proofing
These steps don't always happen one after the other. They can well occur together, like when you collect information from an ID card and at the same time use it to check if the ID card is valid.
1. Identity proofing initiation
Simply put, this is the starting point. Identity proofing is initiated because of legal requirements aimed at public safety. So when a citizen applies for a new passport, that’s a signal for the bureaucratic machine to spring into action and ensure this passport won’t fall into the wrong hands.
At this step, the inspection party must ensure that the applicant is aware of the purpose of identity proofing and agrees with it. It is also their responsibility to provide applicants with clear guidance on the process.
2. Attribute & evidence collection
The required attributes and evidence may differ depending on whether the applicant is a natural or legal person and, naturally, the legislation of a given country.
For example, the attributes (unique identifiers) for legal persons can be their national registration number, tax number, VAT number, or LEI (Legal Entity Identifier), while for a natural person, their full name is typically required.
Evidence collection usually involves submitting physical or digital identity documents which contain an applicant’s photo. Using digital signatures as evidence imposes requirements for the use of appropriate security certificates.
Depending on the context, there might be a need to collect several pieces of evidence: primary and supplementary. Some documents can have a long lifetime (e.g., 10 years) or even have no expiration date, so the identity attributes obtained from this evidence (e.g., last name) may have changed since it was issued. This issue is solved by using supplementary evidence, such as a name change certificate.
3. Attribute & evidence validation
Once the data is collected, it needs to be verified.
At this step, it’s important to verify that the submitted evidence is of an appropriate type for the identity proofing use case, is authentic, has not been altered, and (in some cases) isn’t a copy of the original.
Also, it’s checked against its expiration date, and the personal details are verified by running all sorts of cross-checks between various elements.
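The expiry check and cross-checks described in this step, as an added example that is not Regula's code. It assumes the evidence is a passport with a TD3 machine-readable zone (ICAO Doc 9303), which the article does not name; the function names, the sample line and the 20YY reading of expiry years are assumptions of the example.

```python
from datetime import date

# ICAO Doc 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0.
VALUES = {c: i for i, c in enumerate("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ")}
VALUES["<"] = 0
# Sample TD3 line 2 for the fictional state UTO (not a real document), plus
# the same fields as read from the printed zone (dates as YYMMDD).
SAMPLE_MRZ = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
SAMPLE_VISUAL = {"document_number": "L898902C3", "birth_date": "740812",
                 "expiry_date": "120415"}

def check_digit(field):
    # Weights 7, 3, 1 repeat across the field; the check digit is the sum mod 10.
    # Raises KeyError on a character that is not legal in an MRZ.
    return sum(VALUES[c] * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def validate_evidence(mrz, visual, today):
    """Return a list of findings; an empty list means every check passed."""
    if len(mrz) != 44:
        return ["MRZ line 2 must be 44 characters"]
    fields = {  # name: (data, check character) in the TD3 line 2 layout
        "document_number": (mrz[0:9], mrz[9]),
        "birth_date": (mrz[13:19], mrz[19]),
        "expiry_date": (mrz[21:27], mrz[27]),
        "personal_number": (mrz[28:42], mrz[42]),
        "composite": (mrz[0:10] + mrz[13:20] + mrz[21:43], mrz[43]),
    }
    findings = []
    for name, (data, chk) in fields.items():
        if name == "personal_number" and chk == "<" and data == "<" * 14:
            continue  # an unused optional field may carry a filler check character
        try:
            ok = chk in "0123456789" and check_digit(data) == int(chk)
        except KeyError:
            ok = False
        if not ok:
            findings.append(f"check digit mismatch: {name}")
    # Cross-check the machine-readable data against the printed (visual) zone.
    for name in ("document_number", "birth_date", "expiry_date"):
        if fields[name][0].rstrip("<") != visual.get(name):
            findings.append(f"MRZ/visual mismatch: {name}")
    try:  # expiry check; assumes expiry years are 20YY (two-digit years are ambiguous)
        y, m, d = (int(fields["expiry_date"][0][i:i + 2]) for i in (0, 2, 4))
        if date(2000 + y, m, d) < today:
            findings.append("document expired")
    except ValueError:
        findings.append("expiry date unreadable")
    return findings
```

Check digits only catch accidental or naive edits, since anyone altering a field can recompute them; the comparison with the printed zone and the authenticity checks on the document itself carry the real weight.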
4. Binding to the applicant
While the submitted details and evidence might seem alright, we still need to ensure that the person applying is the rightful owner of that evidence and that they actually have it in their possession. This is called binding.
Binding is most often performed by means of face biometrics by comparing the physical appearance of an applicant and their photo in the documents. It can happen either manually by a human registration officer or automatically with the help of face recognition systems. The latter is considered more secure as it involves extra protection against deepfake attacks or face morphing.
An important part of the binding process during remote identity proofing is a liveness check. By this term, we mean making sure that there’s a real person in front of the camera, not a pre-recorded video.
Last but not least, a note on the equipment used. In the case of remote identity proofing, say with a user’s mobile device, it’s only used for capturing data and preliminary data quality assessment. All the verification operations must be done in a secure perimeter controlled by the inspection party.
Naturally, if identity proofing is happening with the physical presence of the applicant, the inspection party must use properly secured equipment to read the presented identity document and take a picture of their face.
5. Issuing the result of identity proofing
There are no strict requirements on the format of how the result of identity proofing should be presented. It can be a PDF document, an XML or JSON file with structured data, or an identity assertion (e.g., OIDC or SAML). It can even be “passed” or “failed” labels.
However, whatever the result is, it should be delivered securely. It can be digitally signed, encrypted, and transmitted over a secured communication channel. These measures allow all parties to ensure the result is not intercepted or manipulated and can be trusted.
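One way to make a JSON result tamper-evident, added here as an example and not taken from the article. It uses HMAC-SHA256 with a shared key as a stand-in for the digital signature mentioned above so that it runs on the Python standard library alone; the envelope layout, field names, key and five-minute freshness window are assumptions.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-not-for-production"        # constructed sample key
SAMPLE_RESULT = {"subject": "applicant-123", "outcome": "failed"}  # constructed sample

def issue_result(result, key, issued_at):
    # Serialize once and authenticate those exact bytes; the receiver verifies
    # the bytes it received, so JSON formatting differences cannot matter.
    payload = json.dumps({"result": result, "iat": issued_at},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return {"payload": base64.b64encode(payload).decode(),
            "tag": base64.b64encode(tag).decode()}

def verify_result(envelope, key, now, max_age=300):
    """Return the proofing result if the envelope is authentic and fresh, else raise."""
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
        tag = base64.b64decode(envelope["tag"], validate=True)
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("malformed envelope") from exc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise ValueError("integrity check failed")
    body = json.loads(payload)                    # parse only after verification
    if not 0 <= now - body["iat"] <= max_age:     # reject replayed or post-dated results
        raise ValueError("result is stale or from the future")
    return body["result"]
```

A shared key lets every verifier also issue results, so where the relying party is a separate organization an asymmetric signature takes the HMAC's place.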
How to implement effective identity proofing
For many years, establishing confidence in identities has relied on user-entered Personally Identifiable Information (PII), which was then checked against static sources. Unfortunately, this method can fall short in ensuring that the individual behind those real-world identity details is genuinely present in the online interaction.
To address the risks, the paradigm shifted towards a document-centric identity proofing approach. Below, we’ve prepared a few tips that you can consider when implementing your identity proofing workflow.
1. Automate where possible
In the realm of identity proofing, automation is a powerful ally. It not only expedites the verification process, but also significantly enhances accuracy. There’s a good reason why border control officers are equipped with various document readers which can instantly pinpoint even the tiniest irregularities, such as discrepancies in fonts or holograms, that may escape human observation.
Also, automated verification is a game changer in remote scenarios, such as customer onboarding in regulated industries (aviation, banking, fintech, etc.). It minimizes the time and effort required from users, increases accuracy, and drastically cuts operational costs.
2. Borrow expertise in identity documents
Being able to reliably authenticate and verify an ID document is a cornerstone of identity proofing. But there are thousands of documents in the world, each with its own unique characteristics and security features. Creating and maintaining such a database is not a small task.
Therefore, it's advisable to partner with a vendor who specializes in document forensics. Such a partner not only possesses an extensive repository of reference documents, but also has the capability to promptly update it to stay relevant in a rapidly evolving landscape.
3. Find a partner who can cover all the main touchpoints
Identity proofing is a multifaceted process that often involves several crucial touchpoints: document authentication and validation, as well as running biometrics and liveness checks. To simplify and streamline identity proofing workflows, it's better to collaborate with a single vendor offering an all-encompassing solution that covers these essential aspects.
Not only is it easier to implement and maintain a solution from a single source, but it also ensures a cohesive approach to identity verification, reducing the chances of vulnerabilities stemming from disparate systems.