Identity proofing is a security measure taken to validate a user’s identity by verifying that their claimed identity is their actual identity. This is accomplished by conducting an initial verification of an actual identity and then using this to authenticate a user’s claimed identity during future transactions.
- Claimed identity: data that is provided by a user but is unvalidated and unverified (i.e., who the user says they are)
- Actual identity: data that has been validated and verified, proving the authenticity of a user’s identity (i.e., validated to confirm that the user is who they say they are)
The identity-proofing process is commonly conducted at the time a relationship is established. For instance, it is performed when a new employee starts a job or when a customer opens a bank account.
Why identity proofing is important
Without question, identity proofing is important to safeguard personal and sensitive information. Following are details often cited regarding the importance of identity proofing.
One of the most common use cases for identity proofing is compliance with anti-money laundering (AML) laws and regulations, which are used to prevent money obtained from illegal practices from entering the financial system. A key part of this is the requirement for financial institutions to “know your customer” (KYC). Identity proofing is utilized to support compliance with AML and KYC.
Additional use cases for identity proofing include:
- E-commerce website registrations
- Fraud detection
- General protection from security threats
- Increased customer trust
- Online transactions
- Remote account access services
- Software-as-a-service (SaaS) accounts
Implementing effective identity proofing
The first step in identity proofing is to determine what level is required. A simple framework is included in guidelines set forth by the National Institute of Standards and Technology (NIST) that provides direction for federal agencies.
NIST identifies three levels of identity assurance. The appropriate identity-proofing systems can be selected and implemented based on the required level.
- NIST identity assurance level one
Identity proofing is not required. For instance, it is not necessary when signing up for a loyalty account or a newsletter.
- NIST identity assurance level two
Limited identity proofing is required; for instance, the user must provide identifying information in person or remotely, along with evidence of address validity (e.g., uploading a photo of a driver’s license). While not a requirement, level two identity assurance may include biometric checks (e.g., fingerprint or retinal scan).
- NIST identity assurance level three
In-person or supervised remote identity verification, address verification, and biometric checks are required for the highest level of identity proofing.
When considering what identity-proofing systems and processes to use, it is important that they be user-friendly and integrated seamlessly into the organization’s operational structure. Organizations can use any number of identity-proofing methods, such as those outlined below.
Methods of identity proofing
Based on the identity assurance level required, there are a number of identity-proofing methods that may be employed. These range from self-reported information to verification with physical items.
Biometric verification
Options for biometric verification include:
- Facial recognition
- Iris recognition
- Voice imprints
Knowledge-based and identity document verification
This involves unique identifying information that the user knows, or a legal document, such as:
- Driver’s license or state identification card
- Social Security Number (or the last four digits of the number)
- Maternal grandfather’s name
- Make and model of their first car
- Name of the elementary school they attended
Out-of-band verification (also known as out-of-band authentication)
Out-of-band proofing is a type of identity proofing that requires more than one form of verification. Two-factor authentication and multi-factor authentication are types of out-of-band identity proofing.
How identity proofing works
The National Institute of Standards and Technology (NIST) Special Publication 800-63, Digital Identity Guidelines, provides comprehensive guidelines for how identity proofing should be conducted to validate that a user is who they say they are. It includes three core steps.
- Identity resolution
Uniquely distinguishing a person’s identity in the context of the population or system.
- Identity validation
Gathering proof of identity from the person (e.g., username, password, answers to security questions) and confirming that it is accurate, authentic, and valid.
- Identity verification
Confirming that the individual is, in fact, who they claim to be.
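The three NIST steps above, resolution, validation and verification, as a small illustrative pipeline that grades the outcome against the assurance levels described earlier. This is an added example, not code from NIST SP 800-63 or from any identity-proofing product; the evidence fields, the population records, the ISO-8601 date strings (which compare correctly as text) and the rule that a supervised session with a live biometric reaches level three are simplifying assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Evidence:
    kind: str               # e.g. "drivers_license" or "passport"
    expires: str            # ISO-8601 date; strings in this form sort chronologically
    issuer_confirmed: bool  # document checked against the issuing source
    photo_matches: bool     # photo on the document compared with the applicant

@dataclass
class Applicant:
    full_name: str
    birth_date: str                # ISO-8601 date
    evidence: list = field(default_factory=list)
    supervised: bool = False       # in-person or supervised remote session
    live_biometric: bool = False   # live biometric captured and compared

def resolve(applicant, population):
    """Identity resolution: name and date of birth may match at most one
    existing record; two or more matches mean the identity is ambiguous."""
    hits = [p for p in population
            if p["name"] == applicant.full_name and p["dob"] == applicant.birth_date]
    return len(hits) <= 1

def validate(evidence, today):
    """Identity validation: the evidence is genuine (issuer confirmed) and current."""
    return evidence.issuer_confirmed and evidence.expires > today

def verify(applicant, valid_evidence):
    """Identity verification: validated evidence is bound to the person present."""
    return applicant.live_biometric or any(e.photo_matches for e in valid_evidence)

def achieved_ial(applicant, population, today):
    """Return (level, reason); level follows NIST IAL1..IAL3, where IAL1 means
    nothing beyond self-asserted data was established (assumed simplification)."""
    if not resolve(applicant, population):
        return 1, "resolution failed: identity is ambiguous in the population"
    valid = [e for e in applicant.evidence if validate(e, today)]
    if not valid:
        return 1, "validation failed: no genuine, unexpired evidence"
    if not verify(applicant, valid):
        return 1, "verification failed: evidence not bound to the applicant"
    if applicant.supervised and applicant.live_biometric:
        return 3, "supervised session, validated evidence and live biometric"
    return 2, "validated evidence bound to the applicant, remotely or in person"
```

Each failing step drops the applicant back to level one rather than aborting, so the reason string shows a reviewer which step the evidence did not clear.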
The British government has a slightly different version of this process that includes:
- Obtaining evidence of identity from official documentation that is internationally recognized and has security features that are considered immutable.
- Confirming that the documentation is legitimate and genuine.
- Verifying that the identity has existed over time with account statements or other records.
- Identity fraud review: assessing the risk of the identity being fraudulent by comparing it with a government-run or other trusted fraud database.
- Verifying that the identity belongs to the person claiming it using various methods, such as biometrics, knowledge-based verification, and out-of-band verification.
Identity proofing vs authentication
Identity proofing and authentication both involve validating the user. The key difference between identity proofing and authentication is when this process takes place.
- Identity proofing takes place at the point of origination, when a relationship is established with a user (e.g., know your customer checks).
- Authentication takes place when a returning user requests access and uses baseline information that has been gathered and verified during identity proofing.
Consequences of poor identity proofing
As with any security failure, there are many negative consequences associated with poor identity proofing, including:
- Account takeover
- Anti-money laundering (AML) non-compliance fines
- Damaged reputation
- Identity spoofing
- Identity theft
- Loss of customer trust
- Money laundering
- Transaction fraud
Identity proofing for compliance and overall security
For financial institutions, identity proofing is a vital part of anti-money laundering compliance, as it is necessary for meeting requirements to know your customer (KYC). Identity proofing has also become integral to organizations’ overall security posture and fraud prevention programs because it enhances security and reduces fraud, limiting access to systems and applications to users who can be proven to be valid.
Use cases for identity proofing abound. In addition to finance, identity proofing is used in healthcare (e.g., telemedicine), operations (e.g., new hire onboarding and user assignments), and cloud services (e.g., account access controls).