Identity proofing: how to verify identity

March 15, 2022

Identity verification (or identity proofing) can happen in a number of ways, but some approaches will be stronger than others to help you meet business priorities. It could be enabling growth via a superior user experience, reducing fraud, satisfying compliance, or removing complexity and manual processes – or a combination of them all. In this article we'll guide you through some of the different approaches and examine their strengths and weaknesses.

 

What is identity verification?

Identity verification is a process that businesses use to prove that their users or customers are who they claim to be. Identity fraud is on the rise, up 44% from 2019. This can be linked to the increase in people using digital services, the growth of crypto and fraudsters becoming more sophisticated. But it doesn’t mean your business has to suffer the financial and reputational damage that can come from fraud. 

The best way to bolster your security against identity fraud is with robust identity verification: that is, making sure you know that a person claiming an identity is a real person, and really is who they say they are. 

How do you verify someone’s identity?

Most types of identity verification rely on one, or a combination of, the following: 

  • What people have (like their ID, database or credit records, phone numbers, social profiles, and email addresses)

  • What people know (such as knowledge-based information like your mother’s maiden name)

  • What people are (like their facial biometrics, fingerprints, or voice)

These different approaches offer varying levels of assurance in a person’s identity. Particularly if you’re only using one method in isolation.

How to check identity online?

Identity verification is a legal KYC requirement for regulated industries. The requirements for online identity verification vary for industry and region, but they broadly follow these steps. 

  • First you ask the user who they are. This is their “claimed identity” or user-inputted information. This basic information can be captured with sign-up forms. But you still need to corroborate the identity of that person. 

  • Check that they have something to prove their identity. This can be a document, or a question that only they would know. 

  • Check that they are a real person and that what they submitted truly belongs to them. This can be done with biometric verification, using their fingerprint, face scan, hand scan, iris or voice.  

How can I assess what kind of identity verification is right for my business?

You can measure the effectiveness of an identity verification method by assessing it against four criteria.

The four criteria of identity verification:

1- Reliability: Can you rely on the integrity of the data, or has it been threatened by previous attacks?

2- Inclusivity: Does the approach you’re using work for as many people as possible? Does it work for people in different locations, of different ages and backgrounds.

3- Affordability: How expensive is the approach you’re using? Once you've factored in the cost of protecting the data and credentials, will you see a return on investment?

4- User experience: Is it easy for your customers? Do they feel that your approach is secure, intuitive and fast?

Watch our expert video explaining what the identity landscape looks like to learn more. 

Online identity verification methods

Let’s dive into the different approaches to identity verification, and see how they stack up against the criteria.

Document verification

Identity documents include passports, driver’s licenses and National Identity cards.

  • Reliability

On the whole, they’re hard to forge, or tamper with - unless you’re an experienced fraudster. So once verified the data and information contained in these documents is pretty reliable.

  • Inclusivity

Most people also have some form of ID. They’re very universal. So this form of verification can be considered mostly inclusive, if people have an ID. 

  • Affordability

Traditionally identity documents were designed for people to review in a face-to-face, 3D environment, like border security at an airport.

So verifying IDs in a digital setting requires adjustments, including scanning and photographing a document to generate a 2D image, and assessment and analytics to determine that the document is genuine. 

Most businesses aren’t going to have this technology in house and will bring on an external vendor with the expertise and technology in place - so using them does have an associated cost. 

  • Experience

Finally, your customers need to submit their ID in some capacity. Whether that’s in person, sending in a scanned copy, or taking a photo as part of a wider verification process. This is an extra, but often necessary, step for them to take. It’s about making that step as seamless as possible.

Biometric verification

Biometrics are unique traits of individuals which you can use as personal identifiers. The most commonly used biometric verification types include fingerprints, facial traits and voice patterns. 

  • Reliability

A biometric by itself isn’t enough for identity verification. But when tied to another identity verifier, such as a photo ID, they provide high levels of assurance. They are very difficult to forge, steal, hack or lose, so provide high levels of data reliability.

  • Inclusivity

 Biometric verification is also very inclusive. Everyone has unique traits in their physiology that can be used as identification.

  • Affordability

When it comes to cost, biometric technology is more expensive than other methods, simply because it’s more complex. However, with biometrics growing in popularity, it’s becoming more affordable as a means of identity verification.

  • Experience

Biometrics also offer a good user experience, especially once users are familiar with the process. Most people are familiar with using facial recognition or fingerprint technology on their phones - which can give them secure access in seconds.

Database checks

Databases are systems that house information. They can be private databases run by for-profit companies, or public databases run by governments. 

Examples of private databases include credit bureaus and telephone directories. Examples of public databases include government identifiers, like Social Security Numbers. 

  • Reliability

When using databases for identity verification, you should consider that data breaches have compromised data trustworthiness. Large amounts of personal data that have been breached are available to buy sometimes for very cheap. Atlas VPN found bundles of data including social security numbers, full names, driver’s license numbers, passport number, and email address available for as little as $4.  

This heavily impacts a databases’ reliability, making it virtually impossible to have assurance in a user’s true identity via a database check alone.

  • Inclusivity

Databases also aren’t very inclusive. Younger people or new immigrants are less likely to have built up a credit record that allows a database to identify them.

  • Affordability

Databases are a relatively inexpensive form of identity verification. 

  • Experience

Database checks do offer a simple user experience. A user generally won’t have to do much on their side, other than supply the information needed to be checked on the database, such as name, date of birth and address history. However, they may take longer than other forms of verification. 

Knowledge-based information

Knowledge-based questions and answers (also referred to as KBAs) work on the assumption that only the person being asked knows the secret answer to the identifying question.

  • Reliability

As they’re frequently derived from financial information, the data reliability for KBA is problematic for the same reasons as databases. A huge amount of this data has been compromised, and could be available to fraudsters.

  • Inclusivity

Likewise, not everyone has built up good financial records to base these KBA questions and answers on, which affects how inclusive the method is.

  • Affordability

Like databases, KBA is a relatively cheap approach.

  • Experience 

The trade off of KBA being cheap is that it’s a poor experience for users. Questions have to be very specific to be effective. Users will struggle to remember answers to questions like ‘what was the interest rate on your mortgage in June 2005?’

When you compare these five different approaches of identity verification to each other, it’s clear that some are more effective than others.

However, no method alone is ever going to offer 100% assurance in all of your customer’s identities, or be 100% efficient in catching fraud. 

Identity management is complex. And every business, use case and scenario is different.

That’s why a holistic approach to identity is so important. As a business implementing identity verification, you should consider the overall customer journey. 

Onfido’s solution is trusted globally and can drive real business value. Forrester’s Total Economic Impact™ report of Onfido quantifies three measurable benefits Onfido delivers that generate a 261% ROI:

  • 26% increase in customer acquisition

  • 27% increase in fraud detection

  • 30% decrease in time spent onboarding 

Read Forrester’s Total Economic Impact™ study to learn more about how Onfido can benefit your business.

Previous Article
What is regtech?
What is regtech?

Find out more about what regtech is, its history and the benefits it can offer your business.

Next Article
Understanding fraudster psychology: three fraudsters you want to avoid
Understanding fraudster psychology: three fraudsters you want to avoid

Find out what some of the common motivations are behind fraudulent attacks and what behavior to look out for.