Overview
Identity proofing is the process of collecting, validating, and verifying evidence to confirm that a person is who they claim to be—before granting them a digital identity or access to systems. It's the foundation of the identity lifecycle: if you can't trust that "John Smith" is actually John Smith, every subsequent access decision is built on sand.
The challenge is balancing assurance with friction. High-assurance proofing (in-person verification, notarized documents) provides strong guarantees but creates user friction and operational cost. Low-assurance proofing (self-assertion, email verification) is convenient but vulnerable to fraud. The right level depends on the risk: onboarding a contractor with access to public documentation is different from onboarding a privileged administrator with access to production systems.
NIST SP 800-63A defines Identity Assurance Levels (IAL1, IAL2, IAL3) that provide a framework for matching proofing rigor to risk. Modern identity proofing increasingly leverages technology—document verification, biometric matching, fraud signals—to achieve higher assurance with less friction.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| What is the assurance level required? | IAL1 (self-asserted), IAL2 (remote proofing), IAL3 (in-person) | Risk-based: IAL1 for low-risk, IAL2 for standard workforce, IAL3 for high-privilege | One-size-fits-all over-provisions friction or under-provisions assurance. |
| What evidence is acceptable? | Government ID, utility bills, employer records, social verification | Government-issued photo ID as primary; employer records for workforce | Utility bills are weak evidence; social verification is easily faked. |
| How is evidence validated? | Manual review, automated document verification, database checks | Automated document verification + database checks (with manual review for exceptions) | Manual-only doesn't scale; automated-only misses sophisticated fraud. |
| How is the person matched to evidence? | Knowledge-based verification, biometric, in-person | Biometric matching (selfie vs ID photo) for remote; in-person for IAL3 | KBA is weak because the answers it relies on have been exposed in data breaches; biometric matching is stronger but has equity concerns. |
| Who performs identity proofing? | In-house, IDV (identity verification) vendor, identity network | IDV vendor for scale and expertise; in-house for high-risk or sensitive populations | Building in-house IDV is expensive and hard to maintain. |
| How do you handle failures? | Reject, manual escalation, retry with different evidence | Manual escalation with alternative evidence path | Automatic rejection causes friction and potential discrimination. |
Architecture & Reference Patterns
Pattern 1: Remote identity proofing (IAL2)
- User initiates proofing (onboarding portal, mobile app).
- User captures government-issued ID (front and back).
- Document verification service validates authenticity (security features, data extraction).
- User captures selfie (live or video).
- Biometric matching compares selfie to ID photo.
- Background checks (address verification, fraud signals, watchlists).
- Result: identity confirmed or escalated to manual review.
Pattern 2: In-person proofing (IAL3)
For the highest assurance:
- User schedules appointment (physical location or video with trained operator).
- User presents physical identity documents.
- Operator inspects documents for authenticity.
- Operator verifies user matches documents (in-person or live video).
- Operator records verification outcome and evidence.
- Result: identity confirmed with physical verification.
Pattern 3: Employer-verified proofing (workforce)
For employees and contractors:
- HR initiates hire with identity data.
- Background check provider verifies identity and criminal history.
- I-9 verification (US) confirms work authorization.
- IT creates identity based on HR-verified data.
This leverages the employment relationship as a proofing event.
Pattern 4: Step-up proofing for privilege escalation
The user is initially proofed at a lower level; higher proofing is required for:
- Access to sensitive systems (production, financial, PII).
- Elevated roles (administrator, approver).
- High-risk transactions.
Step-up proofing adds evidence requirements at the point of privilege request.
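The following is an added example, not code from the original page or from any IDV vendor: a small decision service that ties the Key Decisions table to Pattern 1 (the remote IAL2 pipeline) and Pattern 4 (step-up at the point of privilege request). The access-tier names, the score thresholds, the shape of the vendor result object and the subject identifier are assumptions made for illustration. Automation here only confirms or escalates; rejection is left to a human reviewer with an alternative evidence path, which is the recommendation the table gives.

```javascript
// Added example (not the page's or any vendor's code). Tier names, thresholds
// and the evidence object shape are assumptions for illustration.

// Required Identity Assurance Level per access tier (risk-based).
const REQUIRED_IAL = {
  public_documentation: 1, // low risk: self-asserted identity is enough
  standard_workforce: 2,   // remote proofing with ID document + biometric
  production_admin: 3,     // in-person (or supervised video) proofing
};

// Acceptance thresholds for the automated remote pipeline (assumed values;
// a real deployment tunes them against measured false accept/reject rates).
const THRESHOLDS = { documentAuthenticity: 0.9, biometricMatch: 0.85 };

// Evaluate one Pattern 1 run. `evidence` is a constructed summary of what the
// document-verification, biometric and fraud-signal services returned.
// Automation never rejects: every soft failure becomes a manual escalation.
function evaluateRemoteProofing(evidence) {
  const reasons = [];

  if (!evidence.documentExtracted) {
    reasons.push('document_unreadable');
  } else if (evidence.documentAuthenticity < THRESHOLDS.documentAuthenticity) {
    reasons.push('document_authenticity_low');
  }

  if (evidence.biometricMatch === null) {
    // Selfie step not completed (accessibility, device limits): route to the
    // alternative evidence path instead of failing the user outright.
    reasons.push('biometric_unavailable');
  } else if (evidence.biometricMatch < THRESHOLDS.biometricMatch) {
    reasons.push('biometric_match_low');
  }

  for (const signal of evidence.fraudSignals) reasons.push(`fraud_signal:${signal}`);
  if (evidence.watchlistHit) reasons.push('watchlist_hit');

  if (reasons.length === 0) {
    return { outcome: 'confirmed', ial: 2, reasons };
  }
  // Until a reviewer confirms, only the self-asserted level (IAL1) stands.
  return { outcome: 'manual_review', ial: 1, reasons };
}

// Pattern 4: decide whether a privilege request needs step-up proofing.
// `identity.ial` is the level the user has already achieved.
function requiredStepUp(identity, accessTier) {
  const required = REQUIRED_IAL[accessTier];
  if (required === undefined) throw new Error(`unknown access tier: ${accessTier}`);
  if (identity.ial >= required) return null; // already sufficient
  return {
    from: identity.ial,
    to: required,
    // IAL3 needs physical presence; IAL2 can be satisfied remotely.
    method: required === 3 ? 'in_person' : 'remote_document_plus_biometric',
  };
}

// Minimal audit record of a decision (Phase 2 asks for audit logging). Only
// outcomes and reason codes are kept, not raw evidence, to limit retention.
function auditRecord(subjectId, decision, at) {
  return { subjectId, outcome: decision.outcome, ial: decision.ial, reasons: decision.reasons, at };
}

// Constructed inputs: one clean run and one with a weak face match plus a fraud signal.
const CLEAN_RUN = { documentExtracted: true, documentAuthenticity: 0.97, biometricMatch: 0.93, fraudSignals: [], watchlistHit: false };
const WEAK_MATCH_RUN = { documentExtracted: true, documentAuthenticity: 0.97, biometricMatch: 0.6, fraudSignals: ['ip_reputation'], watchlistHit: false };

console.log(auditRecord('subject-0001', evaluateRemoteProofing(CLEAN_RUN), '2024-01-01T00:00:00Z'));
console.log(auditRecord('subject-0002', evaluateRemoteProofing(WEAK_MATCH_RUN), '2024-01-01T00:00:00Z'));
console.log(requiredStepUp({ ial: 2 }, 'production_admin'));
```

The two functions are deliberately separate: `evaluateRemoteProofing` runs once at onboarding, while `requiredStepUp` runs on every privilege request, so a user confirmed at IAL2 for standard workforce access is sent for in-person proofing only when they ask for the production administrator tier.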
Pattern 5: Verifiable credentials for portable proofing
Instead of re-proofing at every organization:
- Trusted issuer (government, employer, institution) proofs identity and issues verifiable credential.
- User stores credential in digital wallet.
- User presents credential to new relying party.
- Relying party verifies credential cryptographically and trusts issuer's proofing.
This reduces friction while maintaining assurance.
Implementation / Rollout
Phase 0: Discovery
Inputs: Current onboarding processes, identity fraud incidents, regulatory requirements, user population (employees, contractors, customers), risk tolerance.
Outputs: Identity assurance requirements by population and access level, evidence requirements, vendor assessment, success metrics (fraud rate, completion rate, time to proof).
Phase 1: Design
Outputs:
- Identity proofing workflow per assurance level.
- Evidence requirements and acceptance criteria.
- Vendor integration architecture (IDV service, background check).
- Exception handling and manual review process.
- Data retention and privacy considerations.
Phase 2: Build & Integrate
Outputs:
- IDV vendor integration (API, SDK, white-label).
- Onboarding portal or mobile app with proofing flow.
- Integration with IGA/HR for identity creation.
- Manual review queue and workflow.
- Fraud detection and alerting.
- Audit logging.
Phase 3: Rollout
Recommended sequence: Pilot with new hire population; validate completion rates and false positive/negative rates; expand to contractors; consider step-up for privileged access.
Guardrails: Alternative proofing paths for failures; bias testing; user feedback collection; fraud monitoring.
Phase 4: Operate
- Monitor completion rates, failure rates, and fraud detection.
- Review manual escalations for patterns and improvement opportunities.
- Track false positive and false negative rates.
- Periodic vendor review and market assessment.
- Stay current on regulatory changes and best practices.
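An added example, not from the original page, of the Phase 4 monitoring that turns proofing outcomes into the completion, escalation and disparity signals named above and in the Risks table ("disproportionate failure rates by demographic"). The cohort labels, the outcome records and the disparity threshold are constructed for illustration; a real deployment would read the records from the audit log and set the threshold with its legal and fairness reviewers.

```javascript
// Added example (not the page's code). Cohorts, records and the threshold
// are constructed for illustration.

const OUTCOMES = new Set(['confirmed', 'manual_review', 'abandoned']);

// Helper to build constructed outcome records: `n` records for one cohort.
function records(cohort, outcome, n) {
  return Array.from({ length: n }, () => ({ cohort, outcome }));
}

// Constructed sample: cohort_b is escalated to manual review far more often
// than cohort_a, which is the early signal the Risks table describes.
const SAMPLE_OUTCOMES = [
  ...records('cohort_a', 'confirmed', 8),
  ...records('cohort_a', 'manual_review', 1),
  ...records('cohort_a', 'abandoned', 1),
  ...records('cohort_b', 'confirmed', 5),
  ...records('cohort_b', 'manual_review', 4),
  ...records('cohort_b', 'abandoned', 1),
];

// Per-cohort counts and rates. "Completed" means the user finished the flow
// (confirmed or escalated); abandonment is the friction signal, escalation
// rate the automated-failure signal.
function proofingMetrics(outcomes) {
  const byCohort = {};
  for (const { cohort, outcome } of outcomes) {
    if (!OUTCOMES.has(outcome)) throw new Error(`unknown outcome: ${outcome}`);
    const c = byCohort[cohort] || (byCohort[cohort] = { total: 0, confirmed: 0, manual_review: 0, abandoned: 0 });
    c.total += 1;
    c[outcome] += 1;
  }
  for (const c of Object.values(byCohort)) {
    const completed = c.total - c.abandoned;
    c.completionRate = c.total ? completed / c.total : 0;
    c.escalationRate = completed ? c.manual_review / completed : 0;
  }
  return byCohort;
}

// Flag cohorts whose escalation rate exceeds the best cohort's by more than
// `maxRatio` (assumed threshold). A flag is a prompt for vendor bias testing
// and human review, not a fairness verdict by itself.
function disparityAlerts(metrics, maxRatio = 1.5) {
  const rates = Object.entries(metrics).map(([cohort, m]) => [cohort, m.escalationRate]);
  const best = Math.min(...rates.map(([, r]) => r));
  const alerts = [];
  for (const [cohort, rate] of rates) {
    // If the best cohort has no escalations at all, any escalation is disparity.
    const ratio = best > 0 ? rate / best : (rate > 0 ? Infinity : 1);
    if (ratio > maxRatio) alerts.push({ cohort, escalationRate: rate, ratio });
  }
  return alerts;
}

const metrics = proofingMetrics(SAMPLE_OUTCOMES);
console.log(metrics);
console.log(disparityAlerts(metrics));
```

Run it per vendor and per proofing channel as well as per cohort: a disparity that appears only on one channel (mobile selfie capture, say) points at a capture problem rather than at the matching model, and the fix is different.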
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| Fraudulent proofing (fake documents, impersonation) | M | H | Fraud detected post-proofing, account takeover | Document verification, biometric matching, fraud signals |
| High abandonment (friction causes users to give up) | H | M | Low completion rates, user complaints | Streamlined UX, multiple evidence paths, clear instructions |
| Bias in biometric matching | M | H | Disproportionate failure rates by demographic | Vendor bias testing, alternative paths, human review |
| Privacy concerns (sensitive data collection) | M | M | Regulatory scrutiny, user complaints | Minimize data retention, privacy disclosures, compliance review |
| Vendor failure (IDV service down) | L | H | Proofing blocked, new hires can't start | Redundant vendors, manual fallback, SLA monitoring |
Workshop Questions
Security / IAM
- What identity assurance levels are required for different user populations and access levels?
- What evidence types are acceptable, and what verification is required?
- How should proofing failures and exceptions be handled?
HR / People Operations
- What is the current onboarding process, and how does identity proofing fit?
- What identity verification is already performed (background checks, I-9)?
- What is the acceptable time and friction for identity proofing?
Legal / Compliance
- What regulatory requirements apply (KYC, AML, privacy regulations)?
- What data can be collected and retained during proofing?
- What bias testing and fairness requirements exist?
User Experience
- What channels are available for proofing (web, mobile, in-person)?
- What accessibility requirements must be met?
- How will users be supported when proofing fails?
Requirements Gathering Checklist
- [Security / IAM] What identity assurance level is required per population and access type?
- [Security / IAM] What evidence is required (government ID, biometric, employer records)?
- [Security / IAM] How is evidence validated (document verification, database checks)?
- [Security / IAM] What is the exception handling process for proofing failures?
- [HR] What is the current onboarding process and timeline?
- [HR] What identity verification is already performed?
- [Legal] What regulatory requirements apply (KYC, AML, privacy)?
- [Legal] What data retention policies apply to proofing evidence?
- [UX] What channels are available (web, mobile, in-person)?
- [UX] What accessibility and alternative path requirements exist?
- [Vendor] What IDV vendors are being evaluated, and what are the integration requirements?
References
- NIST SP 800-63A (Digital Identity Guidelines—Enrollment and Identity Proofing)
- NIST SP 800-63-4 (Draft revision with updated guidance)
- ISO/IEC 27001:2022 Annex A.5.16 (Identity management)
- BSI TR-03147 (German Federal BSI—Assurance Level Assessment)
- FATF Guidance on Digital Identity (KYC/AML)
- W3C Verifiable Credentials Data Model (for portable proofing)
- AAMVA DLDV (Driver's License Data Verification)
- NIST IR 8259 (Foundational Cybersecurity Activities for IoT Device Manufacturers—device identity proofing)
