Learn IAM
Learn IAM

Identity Proofing

Identity Proofing

Overview

Identity proofing is the process of collecting, validating, and verifying evidence to confirm that a person is who they claim to be—before granting them a digital identity or access to systems. It's the foundation of the identity lifecycle: if you can't trust that "John Smith" is actually John Smith, every subsequent access decision is built on sand.

The challenge is balancing assurance with friction. High-assurance proofing (in-person verification, notarized documents) provides strong guarantees but creates user friction and operational cost. Low-assurance proofing (self-assertion, email verification) is convenient but vulnerable to fraud. The right level depends on the risk: onboarding a contractor with access to public documentation is different from onboarding a privileged administrator with access to production systems.

NIST SP 800-63A defines Identity Assurance Levels (IAL1, IAL2, IAL3) that provide a framework for matching proofing rigor to risk. Modern identity proofing increasingly leverages technology—document verification, biometric matching, fraud signals—to achieve higher assurance with less friction.

Key Decisions

DecisionOptionsRecommendationNotes / Gotchas
What is the assurance level required?IAL1 (self-asserted), IAL2 (remote proofing), IAL3 (in-person)Risk-based: IAL1 for low-risk, IAL2 for standard workforce, IAL3 for high-privilegeOne-size-fits-all over-provisions friction or under-provisions assurance.
What evidence is acceptable?Government ID, utility bills, employer records, social verificationGovernment-issued photo ID as primary; employer records for workforceUtility bills are weak evidence; social verification is easily faked.
How is evidence validated?Manual review, automated document verification, database checksAutomated document verification + database checks (with manual review for exceptions)Manual-only doesn't scale; automated-only misses sophisticated fraud.
How is the person matched to evidence?Knowledge-based verification, biometric, in-personBiometric matching (selfie vs ID photo) for remote; in-person for IAL3KBA is weak (data breaches); biometric is stronger but has equity concerns.
Who performs identity proofing?In-house, IDV vendor, identity networkIDV vendor for scale and expertise; in-house for high-risk or sensitive populationsBuilding in-house IDV is expensive and hard to maintain.
How do you handle failures?Reject, manual escalation, retry with different evidenceManual escalation with alternative evidence pathAutomatic rejection causes friction and potential discrimination.

Architecture & Reference Patterns

Pattern 1: Remote identity proofing (IAL2)

  1. User initiates proofing (onboarding portal, mobile app).
  2. User captures government-issued ID (front and back).
  3. Document verification service validates authenticity (security features, data extraction).
  4. User captures selfie (live or video).
  5. Biometric matching compares selfie to ID photo.
  6. Background checks (address verification, fraud signals, watchlists).
  7. Result: identity confirmed or escalated to manual review.

Pattern 2: In-person proofing (IAL3)

For highest assurance:

  1. User schedules appointment (physical location or video with trained operator).
  2. User presents physical identity documents.
  3. Operator inspects documents for authenticity.
  4. Operator verifies user matches documents (in-person or live video).
  5. Operator records verification outcome and evidence.
  6. Result: identity confirmed with physical verification.

Pattern 3: Employer-verified proofing (workforce)

For employees and contractors:

  1. HR initiates hire with identity data.
  2. Background check provider verifies identity and criminal history.
  3. I-9 verification (US) confirms work authorization.
  4. IT creates identity based on HR-verified data.

This leverages the employment relationship as a proofing event.

Pattern 4: Step-up proofing for privilege escalation

User initially proofed at lower level; higher proofing required for:

  • Access to sensitive systems (production, financial, PII).
  • Elevated roles (administrator, approver).
  • High-risk transactions.

Step-up proofing adds evidence requirements at the point of privilege request.

Pattern 5: Verifiable credentials for portable proofing

Instead of re-proofing at every organization:

  1. Trusted issuer (government, employer, institution) proofs identity and issues verifiable credential.
  2. User stores credential in digital wallet.
  3. User presents credential to new relying party.
  4. Relying party verifies credential cryptographically and trusts issuer's proofing.

This reduces friction while maintaining assurance.

Implementation / Rollout

Phase 0: Discovery

Inputs: Current onboarding processes, identity fraud incidents, regulatory requirements, user population (employees, contractors, customers), risk tolerance.

Outputs: Identity assurance requirements by population and access level, evidence requirements, vendor assessment, success metrics (fraud rate, completion rate, time to proof).

Phase 1: Design

Outputs:

  • Identity proofing workflow per assurance level.
  • Evidence requirements and acceptance criteria.
  • Vendor integration architecture (IDV service, background check).
  • Exception handling and manual review process.
  • Data retention and privacy considerations.

Phase 2: Build & Integrate

Outputs:

  • IDV vendor integration (API, SDK, white-label).
  • Onboarding portal or mobile app with proofing flow.
  • Integration with IGA/HR for identity creation.
  • Manual review queue and workflow.
  • Fraud detection and alerting.
  • Audit logging.

Phase 3: Rollout

Recommended sequence: Pilot with new hire population; validate completion rates and false positive/negative rates; expand to contractors; consider step-up for privileged access.

Guardrails: Alternative proofing paths for failures; bias testing; user feedback collection; fraud monitoring.

Phase 4: Operate

  • Monitor completion rates, failure rates, and fraud detection.
  • Review manual escalations for patterns and improvement opportunities.
  • Track false positive and false negative rates.
  • Periodic vendor review and market assessment.
  • Stay current on regulatory changes and best practices.

Risks & Failure Modes

RiskLikelihoodImpactEarly SignalsMitigation
Fraudulent proofing (fake documents, impersonation)MHFraud detected post-proofing, account takeoverDocument verification, biometric matching, fraud signals
High abandonment (friction causes users to give up)HMLow completion rates, user complaintsStreamlined UX, multiple evidence paths, clear instructions
Bias in biometric matchingMHDisproportionate failure rates by demographicVendor bias testing, alternative paths, human review
Privacy concerns (sensitive data collection)MMRegulatory scrutiny, user complaintsMinimize data retention, privacy disclosures, compliance review
Vendor failure (IDV service down)LHProofing blocked, new hires can't startRedundant vendors, manual fallback, SLA monitoring

Workshop Questions

Security / IAM

  • What identity assurance levels are required for different user populations and access levels?
  • What evidence types are acceptable, and what verification is required?
  • How should proofing failures and exceptions be handled?

HR / People Operations

  • What is the current onboarding process, and how does identity proofing fit?
  • What identity verification is already performed (background checks, I-9)?
  • What is the acceptable time and friction for identity proofing?

Legal / Compliance

  • What regulatory requirements apply (KYC, AML, privacy regulations)?
  • What data can be collected and retained during proofing?
  • What bias testing and fairness requirements exist?

User Experience

  • What channels are available for proofing (web, mobile, in-person)?
  • What accessibility requirements must be met?
  • How will users be supported when proofing fails?

Requirements Gathering Checklist

  • [Security / IAM] What identity assurance level is required per population and access type?
  • [Security / IAM] What evidence is required (government ID, biometric, employer records)?
  • [Security / IAM] How is evidence validated (document verification, database checks)?
  • [Security / IAM] What is the exception handling process for proofing failures?
  • [HR] What is the current onboarding process and timeline?
  • [HR] What identity verification is already performed?
  • [Legal] What regulatory requirements apply (KYC, AML, privacy)?
  • [Legal] What data retention policies apply to proofing evidence?
  • [UX] What channels are available (web, mobile, in-person)?
  • [UX] What accessibility and alternative path requirements exist?
  • [Vendor] What IDV vendors are being evaluated, and what are the integration requirements?

References

  • NIST SP 800-63A (Digital Identity Guidelines—Enrollment and Identity Proofing)
  • NIST SP 800-63-4 (Draft revision with updated guidance)
  • ISO/IEC 27001:2022 Annex A.5.16 (Identity management)
  • BSI TR-03147 (German Federal BSI—Assurance Level Assessment)
  • FATF Guidance on Digital Identity (KYC/AML)
  • W3C Verifiable Credentials Data Model (for portable proofing)
  • AAMVA DLDV (Driver's License Data Verification)
  • NIST IR 8259 (Foundational Cybersecurity Activities for IoT Device Manufacturers—device identity proofing)