Identity proofing is the process of verifying that a person is who they claim to be before issuing them a credential. It's the critical first step that establishes the foundation of trust in any digital identity system, confirming that the individual requesting a credential matches the identity they're claiming.
Why does identity proofing matter?
A credential is only as trustworthy as the process used to issue it. If someone can obtain a digital driver's license using fraudulent documents or by impersonating another person, every subsequent use of that credential perpetuates the fraud. Banks relying on it for account opening would unknowingly accept a fraudulent identity. Employers verifying it for hiring would be misled. The entire chain of trust collapses.
Identity proofing answers the fundamental question that issuers must resolve: Is this person really who they claim to be? The rigor of this process determines the assurance level of the resulting credential.
What is in-person vs. remote identity proofing?
Identity proofing can occur in person or remotely, each with its own set of tradeoffs.
In-person proofing mirrors traditional DMV workflows. Individuals bring physical documents and undergo face-to-face identity checks with a trained examiner. The examiner inspects documents for authenticity, compares the applicant's face to the photos on file, and verifies the information against existing records. Once verified, the credential is provisioned directly to the person's device. This approach retains human oversight and works well for populations who can easily visit an office.
Remote proofing supports individuals who cannot easily reach physical locations. Credentials can be provisioned outside DMV facilities using secure digital processes and layered checks. Remote workflows rely on document verification, facial matching, and liveness detection to achieve comparable assurance without requiring a physical visit.
What are the components of remote identity proofing?
Remote identity proofing typically combines several verification methods:
Document verification confirms that identity documents are genuine. The system examines security features, checks for signs of tampering, and verifies that the document conforms to the expected formats for the issuing jurisdiction.
Facial matching confirms a one-to-one match between a selfie captured during the proofing session and the photo on file with the issuing authority, typically from DMV records. This biometric check verifies that the person requesting the credential is the same person whose identity documents are being presented.
Liveness detection ensures the applicant is physically present and not using a photo, mask, or video replay to fool the system. These checks may track head movements, analyze how skin reacts to light changes, or prompt users to follow on-screen instructions that confirm depth and geometry. Liveness detection helps mitigate presentation attacks, such as the use of photos, masks, or replays, and is most effective when layered with other verification controls.
Together, these tools enable identity verification without requiring an office visit, while maintaining trust in credential authenticity.
Assurance levels and standards
Not all identity verification methods provide the same level of assurance. NIST SP 800-63A defines identity assurance levels (IALs) that specify the strength of identity proofing required for different use cases:
IAL1 requires no identity proofing, the credential makes no claim about the real-world identity of the holder.
IAL2 requires evidence that the claimed identity exists and verification that the applicant is the person associated with that identity. This level supports most everyday transactions and can be achieved through multiple pathways, including document verification with or without biometric matching, depending on the workflow.
IAL3 requires in-person proofing with trained personnel and physical examination of identity documents. This highest level supports use cases demanding the strongest assurance, such as access to sensitive facilities or high-value financial transactions.
The credential itself can reflect the assurance level under which it was issued, allowing verifiers to determine suitability for a given use case. A credential issued at IAL3 might be required for secure building access, while an IAL2 credential could suffice for benefits eligibility checks.
How do you balance security and accessibility?
Identity proofing must strike a balance between security requirements and accessibility. Remote proofing expands access for residents in rural or underserved areas, enables faster provisioning without repeat office visits, and reduces administrative costs. However, it must achieve these benefits without compromising the rigor necessary to prevent fraud.
Best practices are emerging to address privacy concerns within these workflows. For example, new data streams captured during facial matching, such as selfie images, can be automatically discarded after verification, leaving only the original image from the issuer's database. This approach minimizes data retention while maintaining the integrity of verification.
As digital identity programs mature, agencies continue to refine proofing workflows to serve more residents securely. The goal is to make identity proofing both rigorous enough to prevent fraud and accessible enough to serve everyone who needs credentials.
Want to keep learning?
Subscribe to our blog.
