CIAM (Customer Identity & Access Management) is where IAM meets real product constraints: conversion rates, support costs, fraud, privacy regulation, and at-scale reliability.
This page is vendor-agnostic by design: the concepts apply whether you use a homegrown stack or a CIAM platform.
What identity proofing is (and isn’t)
Identity proofing is how you increase assurance beyond “someone controls an email address.” It is not a single step; it’s a trust level you can raise or lower.
Approaches
- Document + selfie verification
- Bank account / payment method verification
- Address verification
- Phone verification (weak on its own; better as one signal among several)
Model: assurance tiers
- Tier 0: unverified
- Tier 1: email/phone verified
- Tier 2: strong device + passkey
- Tier 3: KYC / documentary proofing
Checklist
- Store the verification result and evidence references (not raw images if you don’t need them)
- Separate “verified identity” from “authorized actions”
- Re-check on risky events (new device, geo anomalies)
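
The tier model and checklist above, as an added example (not code from any CIAM product): proofing state is stored as a record holding an evidence reference, authorization is a separate policy table, and an unresolved risky event lowers the usable tier until a re-check succeeds. The action names, the Tier 1 risk cap and the decision strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Tier(IntEnum):
    UNVERIFIED = 0        # Tier 0
    CONTACT_VERIFIED = 1  # Tier 1: email/phone verified
    DEVICE_PASSKEY = 2    # Tier 2: strong device + passkey
    KYC = 3               # Tier 3: KYC / documentary proofing

# Assumed policy table: action names and thresholds are illustrative.
# Kept apart from the proofing record so "verified" never implies "authorized".
REQUIRED_TIER = {
    "view_profile": Tier.UNVERIFIED,
    "change_email": Tier.CONTACT_VERIFIED,
    "add_payout_account": Tier.DEVICE_PASSKEY,
    "withdraw_funds": Tier.KYC,
}
RISK_EVENTS = {"new_device", "geo_anomaly"}
RISK_CAP = Tier.CONTACT_VERIFIED  # assumption: unresolved risk caps trust at Tier 1

@dataclass(frozen=True)
class ProofingRecord:
    tier: Tier
    method: str        # e.g. "document_selfie"
    evidence_ref: str  # opaque pointer to the verifier's record, not the raw image

@dataclass
class Session:
    record: ProofingRecord
    risk_events: set = field(default_factory=set)
    rechecked: bool = False  # set True after a successful re-check

def effective_tier(s: Session) -> Tier:
    """Tier usable right now; lowered while a risky event is unresolved."""
    if s.risk_events & RISK_EVENTS and not s.rechecked:
        return min(s.record.tier, RISK_CAP)
    return s.record.tier

def authorize(s: Session, action: str) -> str:
    """Return 'allow', 'recheck', 'step_up' or 'deny' for one action."""
    required = REQUIRED_TIER.get(action)
    if required is None:
        return "deny"       # unknown actions fail closed
    if effective_tier(s) >= required:
        return "allow"
    if s.record.tier >= required:
        return "recheck"    # proofed high enough, but risk lowered the session
    return "step_up"        # needs more proofing to reach the required tier
```

"recheck" and "step_up" are kept distinct so the product can prompt for a quick re-authentication in the first case and a full proofing flow in the second.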
