Overview
Identity Proofing verifies that a person is who they claim to be before establishing a digital identity. This process binds a real-world identity to a digital credential with appropriate assurance. Identity proofing is critical during account registration, high-risk transactions, and recovery flows: anywhere you need confidence that the person on the other end is legitimate, not a fraudster using stolen or synthetic identity information. NIST 800-63A defines three Identity Assurance Levels (IAL1-3) based on proofing rigor. Modern proofing combines document verification (scanning government IDs), biometric verification (selfie matching), and authoritative database checks. A good outcome is high-assurance identity proofing that onboards legitimate users in under 5 minutes while blocking synthetic and stolen identity fraud.
Architecture & Reference Patterns
Pattern 1: Remote Digital Identity Proofing (IAL2)
Enable fully remote onboarding meeting NIST IAL2 requirements:
User Submits ID → Document Capture → Document Authentication →
Data Extraction → Biometric Capture → Liveness Check →
Face Match to ID Photo → Database Verification → Identity Established
Key components:
- Document authentication (hologram detection, security feature validation)
- OCR and data extraction
- Selfie capture with liveness detection (prevents photo/video attacks)
- 1:1 face match between selfie and ID photo
- Optional database verification (address, phone, credit header)
Pattern 2: Hybrid Proofing with In-Person Fallback
Offer remote proofing as primary path with in-person fallback for:
- Users who fail remote proofing
- High-assurance requirements (IAL3)
- Accessibility needs
- Regulatory requirements
In-person proofing can be performed at branch locations, kiosks, or through trusted referees.
Pattern 3: Stepped Proofing Journey
Start with lightweight proofing for account creation (IAL1 - self-asserted), then escalate to higher assurance (IAL2) when needed for sensitive operations. This balances friction with risk—low-risk users experience minimal friction, while high-risk transactions trigger enhanced verification.
Account Creation: IAL1 (email verification)
↓
First Transaction: Step-up to IAL2 (document + biometric)
↓
High-Value Transaction: Re-verification or step-up to IAL3
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Identity Assurance Level target | IAL1, IAL2, IAL3 | IAL2 for most business cases | IAL3 requires in-person or supervised remote; expensive |
| Proofing platform | Build in-house, IDV vendor, Hybrid | IDV vendor | Document/biometric verification is specialized; avoid building |
| Document types accepted | Passport only, Government ID, Passport + ID + secondary | Passport + Driver License + State ID | Broader acceptance improves completion rates |
| Liveness detection approach | Passive, Active (blink/turn), Challenge-response | Active or challenge-response | Passive easier to spoof with deepfakes |
| Database verification sources | Credit bureaus, Government databases, Phone carriers | Multiple sources | Single source has coverage gaps; combine for confidence |
| Failure handling | Block, Manual review, Alternative proofing path | Manual review + alternative path | Don't dead-end legitimate users who fail automated proofing |
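The Pattern 1 check sequence combined with the table's failure-handling and multi-source recommendations, written out as a decision function. This is an added example, not code from the original page or from any IDV vendor; the signal names, thresholds, retry limit, and the choice to require two database sources are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Outcome(Enum):
    ESTABLISHED = "identity_established"
    RETRY_CAPTURE = "retry_capture"
    MANUAL_REVIEW = "manual_review"
    ALTERNATIVE_PATH = "alternative_path"  # e.g. in-person fallback (Pattern 2)

# Constructed values for illustration; real thresholds come from pilot tuning.
DOC_AUTH_MIN = 0.90
FACE_MATCH_MIN = 0.85
REVIEW_BAND = 0.15        # scores this far below a threshold go to a human
MIN_DB_SOURCES = 2        # assumption: "multiple sources" means at least two
MAX_CAPTURE_ATTEMPTS = 3

@dataclass
class ProofingSignals:
    image_quality_ok: bool
    doc_auth_score: float    # document authentication confidence, 0..1
    liveness_passed: bool    # active or challenge-response result
    face_match_score: float  # 1:1 selfie vs. ID photo, 0..1
    db_sources_matched: set = field(default_factory=set)
    attempts: int = 1

def decide(s: ProofingSignals) -> tuple:
    """Walk the Pattern 1 sequence; every failure routes somewhere, none dead-ends."""
    if not s.image_quality_ok:
        if s.attempts < MAX_CAPTURE_ATTEMPTS:
            return Outcome.RETRY_CAPTURE, "poor image quality"
        return Outcome.MANUAL_REVIEW, "capture retries exhausted"
    if not s.liveness_passed:
        # Treated as a presentation-attack signal: no automated retry loop.
        return Outcome.ALTERNATIVE_PATH, "liveness failed"
    for name, score, minimum in (
        ("document authentication", s.doc_auth_score, DOC_AUTH_MIN),
        ("face match", s.face_match_score, FACE_MATCH_MIN),
    ):
        if score < minimum - REVIEW_BAND:
            return Outcome.ALTERNATIVE_PATH, f"{name} well below threshold"
        if score < minimum:
            return Outcome.MANUAL_REVIEW, f"{name} borderline"
    if len(s.db_sources_matched) < MIN_DB_SOURCES:
        return Outcome.MANUAL_REVIEW, "insufficient database corroboration"
    return Outcome.ESTABLISHED, "all checks passed"
```

Logging the returned reason string alongside the outcome gives the per-step abandonment and false-rejection data that threshold tuning depends on.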
Implementation Approach
Phase 0: Discovery
- Inputs: Regulatory requirements, fraud risk assessment, user population demographics, current onboarding process, completion rate data
- Outputs: Identity assurance requirements by use case, proofing gap analysis, vendor evaluation criteria, baseline metrics (completion rate, fraud rate, abandonment)
Phase 1: Design
- Inputs: Requirements, vendor evaluation, UX research, fraud analysis
- Outputs: Proofing flow design per IAL, document acceptance policy, failure handling workflows, manual review procedures, integration architecture
Phase 2: Build & Integrate
- Inputs: Architecture design, selected vendor, integration specifications
- Outputs: IDV platform integrated, proofing flows implemented, manual review queue configured, fraud rules tuned, user communications created
Phase 3: Rollout
- Inputs: Built proofing system, test results, rollout plan
- Outputs: Pilot with user segments, threshold tuning based on results, fraud analyst training, full deployment, feedback collection mechanisms
Phase 4: Operate
- Inputs: Production proofing system, operational procedures
- Outputs: Continuous fraud monitoring, vendor performance tracking, document acceptance updates, quarterly conversion optimization, annual IAL compliance review
Deliverables
- Identity assurance level requirements by use case
- Identity proofing architecture and vendor integration design
- Document acceptance policy (supported documents, countries)
- Proofing flow wireframes and UX specifications
- Manual review procedures and escalation criteria
- Fraud prevention rules and thresholds
- Failure recovery workflows
- Compliance mapping (NIST 800-63A, KYC/AML as applicable)
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| High abandonment due to proofing friction | H | H | Drop-off analytics show proofing step abandonment | UX optimization, clear instructions, mobile-first design |
| Presentation attacks bypass liveness detection | M | H | Synthetic identity fraud succeeds despite controls | Advanced liveness (challenge-response), vendor updates |
| Document fraud (forged/altered documents) | M | H | Fraudulent accounts created with fake IDs | Multi-layer document authentication, database verification |
| Legitimate users fail due to poor image quality | H | M | High failure rates, support ticket volume | Better capture guidance, retry logic, manual review fallback |
| Regulatory non-compliance (KYC/AML) | M | H | Audit findings, regulatory action | Compliance mapping, regular audits, documented procedures |
KPIs / Outcomes
- Proofing completion rate (target: greater than 85% for legitimate users)
- Abandonment rate at each proofing step (identify friction points)
- Fraud detection rate (synthetic/stolen identities blocked)
- False rejection rate (legitimate users incorrectly failed)
- Time to complete proofing (target: less than 5 minutes for IAL2)
- Manual review volume and resolution time
- Compliance audit pass rate
