Note: This section has been adapted from NIST Special Publication 800-63-3 and combined with additional research. IAL2 is the level of NIST certification that is generally appropriate for unemployment insurance agencies.
“Identity proofing” is the official term for what is colloquially referred to as identity verification; identity verification is technically just a step within a larger identity proofing process. Both are umbrella terms that encompass a range of techniques to collect and resolve data to a particular person, validate that the provided data is legitimate and accurate for that person, and/or verify that the data is truly the user. At all stages, identity proofing checks the consistency of the data as it relates to a unique person, with varying levels of certainty.
Identity proofing in its most technical sense is defined by NIST, which additionally provides an Identity Assurance Level framework and certification. The IAL requirements indicate a particular level of certainty about an identity’s validity; the techniques typically associated with each stage of identity proofing are:
Identity resolution: comparing personally identifiable information (PII) provided by the user to public databases.
Identity validation: confirming that the claimant is the same person as the owner of the user account.
Identity verification: establishing a physical connection between the applicant and the PII or evidence provided.
Identity validation is the first stage in NIST’s process of confirming that the claimant is the same person as the owner of the user account by evaluating “identity evidence.” With enough pieces of evidence, you can say with some certainty that a person is who they say they are. To achieve IAL2 designation, a system needs to collect one to three documents and validate them with the issuing source.
Document verification is a system where a user uploads a photograph of an official document (e.g., a driver’s license), and the validity of the document is verified through another system. If the document is verified only through a system created by the vendor (e.g., one that checks for accurate layout and font use, reasonable issuance dates, etc.), NIST considers it “weak” evidence, and it therefore does not contribute toward identity validation in the literal sense. That said, it can still be a useful feature for your system to have.
Only by checking with the department of motor vehicles that issued the driver’s license can the document reach an evidence strength high enough for use in identity validation at IAL2 standards.
Note: While a tax form could be used in document verification, using that same form to determine program eligibility is not a part of identity proofing.
Identity verification represents the highest degree of certainty that the user is who they say they are by establishing a physical connection between the applicant and the PII or evidence provided.
Common digital methods of true identity verification are:
Biometric verification, e.g., where a person takes a selfie that is compared to their photo on an official document.
Enrollment codes or two-factor auth (2FA) are a way to verify that provided contact information is accurate: a code is sent to a postal address, email address, and/or phone number (voice or SMS), and the enrollment code must be provided to complete registration or to log in in the future.
Knowledge-based verification can be a component of identity verification by referring to data only available in authoritative and private sources.
To start with, identity proofing requires confirming that the “self-asserted” personally identifiable information (PII) provided by the user belongs to a single, real person. It resolves this data by comparing it to public databases (e.g., checking the address provided by the user against a voter registration file).
A step up in certainty would be to use knowledge-based verification (aka “KBV” or “knowledge-based authentication”) to confirm the resolved identity by asking a question based on information others are unlikely to have (e.g., the system asks the user to provide the amount of their last utility bill). Depending on the specific KBV used, this technique can be a good opportunity to identify those using stolen identities.
Beyond that, more in-depth resolution techniques do not contribute toward an IAL2 designation, but they can be an important part of a solution for detecting fraud via the use of stolen or manufactured identities.
The more sophisticated forms of identity resolution are referred to as synthetic identity detection. With synthetic identity detection, machine learning (aka “artificial intelligence”) is used to combine the self-asserted data with other information you may have about a user (e.g., IP address, phone’s IMEI) and compare it with additional databases (e.g., telco records, credit header files, utility bills). It is through synthetic identity detection that criminals using stolen identities are typically found.
Some synthetic identity detection systems go even further and perform “network level” detection, e.g.:
How old is the domain name of the email address provided?
How many applications have there been from this IP address?
Have accounts on other sites been created with this combination of name + phone?
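As an added example (not from NIST or the original text), the following Python routine runs the three network-level questions above over constructed sample applications. The thresholds, the domain-registration table and the cross-site name + phone feed are all assumptions standing in for the external data sources a real system would query.

```python
from collections import Counter
from datetime import date

# Constructed sample applications (not real data): one record per claim
# submitted to a hypothetical unemployment insurance portal.
APPLICATIONS = [
    {"id": 1, "name": "Ana Ruiz", "phone": "555-0101", "email": "ana@example.com", "ip": "198.51.100.7"},
    {"id": 2, "name": "Bo Chen", "phone": "555-0102", "email": "bo@fresh-mail.test", "ip": "198.51.100.7"},
    {"id": 3, "name": "Cy Park", "phone": "555-0103", "email": "cy@fresh-mail.test", "ip": "198.51.100.7"},
    {"id": 4, "name": "Ana Ruiz", "phone": "555-0101", "email": "a.ruiz@example.com", "ip": "203.0.113.9"},
]

# Constructed stand-in for a domain registration (WHOIS-style) lookup.
DOMAIN_REGISTERED = {"example.com": date(1995, 8, 14), "fresh-mail.test": date(2024, 5, 30)}

# Constructed stand-in for a cross-site feed: how many accounts elsewhere
# already use this name + phone combination (normalized name, raw phone).
SEEN_ELSEWHERE = {("ana ruiz", "555-0101"): 4}

# Thresholds are assumptions for illustration; tune them to your own volumes.
MAX_APPS_PER_IP = 2
MIN_DOMAIN_AGE_DAYS = 90
MIN_CROSS_SITE_ACCOUNTS = 3


def network_signals(apps, today=date(2024, 6, 15)):
    """Return {application id: [signal names]} for the three network-level checks."""
    per_ip = Counter(a["ip"] for a in apps)
    flags = {}
    for a in apps:
        hits = []
        # Signal 1: email domain is unknown or registered very recently.
        domain = a["email"].rsplit("@", 1)[-1].lower()
        registered = DOMAIN_REGISTERED.get(domain)
        if registered is None or (today - registered).days < MIN_DOMAIN_AGE_DAYS:
            hits.append("young_email_domain")
        # Signal 2: too many applications arriving from the same source IP.
        if per_ip[a["ip"]] > MAX_APPS_PER_IP:
            hits.append("ip_volume")
        # Signal 3: this name + phone pair is already tied to accounts on other sites.
        key = (a["name"].strip().lower(), a["phone"])
        if SEEN_ELSEWHERE.get(key, 0) >= MIN_CROSS_SITE_ACCOUNTS:
            hits.append("name_phone_reuse")
        if hits:
            flags[a["id"]] = hits
    return flags


if __name__ == "__main__":
    for app_id, hits in network_signals(APPLICATIONS).items():
        print(app_id, hits)
```

A flagged application is a candidate for review or a step-up check, not a fraud determination on its own.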
Note: a Social Security Number can be “resolved” to a person through synthetic identity detection, but it is not considered “validated” with any certainty until the Social Security Administration weighs in.