Identity Verification
Before implementing identity verification, understand:
- Fraud types, especially synthetic identity
- AML/KYC basics for compliance requirements
- Risk scoring for step-up triggers
- Account fraud patterns
- Passive verification ($0.02-0.50/check): Database checks, phone/carrier signals, email risk, synthetic fraud scoring. No customer friction.
- Documentary verification ($0.80-5.00/check): Government ID scan + selfie + liveness detection. High friction, high assurance.
- Use a risk-based waterfall: passive first, step up to documentary only when needed.
- Top vendors: Socure, SentiLink (passive/synthetic); Veriff, Persona, Jumio (documentary); Plaid (bank+ID combined); iProov (deepfake/liveness specialist).
- US lenders faced $3.3B in synthetic identity exposure (TransUnion, 2024). Ask vendors about injection attack detection, not just presentation attacks.
- Need the bigger picture? See KYC & KYB for Fraud Prevention for when to verify, ROI math, and building a proportional program.
Confirming that customers are who they claim to be.
What Identity Verification Is Up Against
Before choosing a verification method, you need to understand what's actually hitting your onboarding flow. Identity fraud falls into two categories: data-layer attacks (beating passive checks) and document-layer attacks (beating documentary verification). Most fraud programs need defenses against both.
Data-Layer Attacks (Target Passive Verification)
These attacks exploit the data sources that passive verification relies on. The fraudster never uploads a document - they pass (or try to pass) using stolen or fabricated data alone.
| Attack | How It Works | Scale |
|---|---|---|
| Synthetic identity | Combine a real SSN (often a child's, elderly person's, or immigrant's) with a fabricated name, DOB, and address. Build credit history over months. The identity looks real in databases because parts of it are. | $3.3B in lender exposure in the US (TransUnion, 2024). Fastest-growing fraud type. |
| Stolen identity (third-party fraud) | Use a real person's complete identity - name, SSN, DOB, address - obtained from data breaches, phishing, or dark web purchases. Passes database checks because all the data is real. | Billions of records available from breaches. Most common identity fraud type by volume. |
| Burner contact info | Create accounts with prepaid phones, VoIP numbers, and disposable email addresses. These pass basic "does this phone/email exist?" checks but fail carrier tenure and domain age checks. | Trivial to execute. Prepaid SIMs cost $1-5. |
| Data breach exploitation | Use leaked PII to answer KBA questions, verify SSN matches, and pass identity quizzes. Most KBA questions have been compromised by breaches. | Virtually every US adult has had PII exposed in at least one breach. |
What catches these: Synthetic fraud scoring (Socure, SentiLink), carrier tenure checks (Prove), email age/domain analysis, device fingerprinting, bank account verification (Plaid). No single signal catches all of them - you need layered passive checks.
Document-Layer Attacks (Target Documentary Verification)
These attacks target the ID scan + selfie + liveness flow. They've evolved rapidly since 2023 as AI tools have become accessible and cheap.
| Attack | How It Works | Difficulty to Detect |
|---|---|---|
| Forged documents | Alter a real ID template - swap the photo, change the name or DOB. Physical forgeries are declining; digital forgeries (edited images submitted to verification APIs) are growing. | Medium. Template matching and tamper detection catch most. |
| Synthetic documents | Generate a complete fake ID from scratch using AI. Modern tools produce IDs that pass basic template checks. | Medium-High. Requires document forensics and database cross-referencing. |
| Presentation attacks | Hold a photo, video, or mask in front of the camera during the selfie step. The simplest biometric attack. | Low. Basic liveness detection (blink, turn head) catches most. |
| Deepfakes | Use AI to generate a realistic face video in real-time during the selfie step. Lip-syncs, blinks, and moves naturally. | High. Requires advanced liveness detection. Deepfake tools are free or under $10/month. |
| Injection attacks | Bypass the camera entirely. Feed a synthetic video stream directly into the verification API or intercept the camera feed at the OS/driver level. The verification system never sees a real camera - it sees a manufactured video feed. | Very High. Now more common than presentation attacks (iProov). Bypasses all basic liveness checks. Only vendors with device integrity and camera source validation catch these. |
| Credential sharing | A real person willingly passes verification on behalf of a fraudster. The document is real, the face is real, the liveness is real - the intent is fraudulent. | Very High. Technically undetectable at verification time. Requires behavioral analysis and ongoing monitoring. |
The key stat: Roughly 1 in 20 IDV attempts in financial services is fraudulent (Veriff, 2025). Injection attacks are up 40% year-over-year (Entrust, 2026). Deepfake selfies specifically are up 58% YoY.
Why This Matters for Choosing Your Approach
The split between data-layer and document-layer attacks is why you need both passive and documentary verification - but not on every customer:
- Passive catches synthetic identities, stolen data, burner phones, and breach-sourced fraud. It handles 70-90% of bad actors with zero customer friction.
- Documentary catches forged documents, deepfakes, and injection attacks. It's the step-up when passive flags something or the risk level demands higher assurance.
- Neither catches credential sharing (real person helping a fraudster). That requires behavioral analytics and ongoing monitoring.
This is the foundation for the verification waterfall approach: start passive, step up to documentary only when needed.
Passive vs. Documentary: The Core Split
Every identity verification method falls into one of two categories. Understanding this split is the single most important thing for choosing the right approach.
| | Passive Verification | Documentary Verification |
|---|---|---|
| What happens | You send customer data (name, SSN, phone, email) to an API. Get back a risk score. | Customer uploads a government ID and takes a selfie. System checks document + face match + liveness. |
| Customer friction | None - customer doesn't know it's happening | High - up to 60 seconds, significant abandonment |
| Cost per check | $0.02-0.50 | $0.80-5.00 |
| What it catches | Synthetic identities, stolen data, burner phones, disposable emails | Forged documents, deepfakes, impersonation |
| What it misses | Sophisticated synthetic identities with real documents | Nothing, if done well (but friction kills conversion) |
| Best for | Every new account as a baseline | High-risk accounts, regulatory requirements, step-up from failed passive |
The right answer for most merchants: Passive on everyone. Documentary only when passive flags something or your risk model demands it.
Passive Verification Methods
Database Verification
Cross-referencing customer data against authoritative sources. Understanding what's behind the curtain helps you evaluate vendors - some check two or three sources, others check dozens.
| Source | What It Verifies | Why It Matters |
|---|---|---|
| Credit bureaus | SSN, name, address history, credit file age | Core identity anchoring. Key for synthetic identity detection - synthetic IDs have thin or recently manufactured credit files. |
| Alternative credit headers | Utility, rent, telecom, insurance records from 180+ regional sources | Catches people the credit bureaus miss - thin-file consumers, recent immigrants, young adults. Fills gaps that synthetics exploit. |
| Government agencies | SSA (SSN issuance), IRS (TIN matching), DMV, professional licenses, court records | Highest-authority verification. SSA confirms the SSN was actually issued, not just present in a credit file. |
| Deceased databases | Death Master File (DMF), probate records, obituaries, cemetery records | Synthetic fraudsters frequently build identities around deceased persons' SSNs. Deceased checks catch this. |
| Sanctions/watchlists | OFAC, PEP, adverse media | AML compliance requirement (see AML Basics). Not fraud prevention per se, but often bundled with KYC. |
| Educational records | Enrollment at accredited institutions | Useful for age verification and thin-file identity validation (young consumers often have education records before credit records). |
Phone and Carrier Verification
| Signal | What It Tells You | Fraud Indicator |
|---|---|---|
| Phone type | Postpaid, prepaid, VoIP | Prepaid/VoIP = higher risk. Prepaid SIMs cost $1-5 and require no identity. |
| Network tenure | How long on carrier | Under 90 days = higher risk. Legitimate users average 3+ years on the same carrier. |
| Port history | How often ported, days since last port | Frequent porting or recent port = possible SIM swap. |
| SIM swap detection | Has the SIM been swapped in a configurable window (e.g., last 48 hours)? | Critical for protecting OTP-based verification. If the SIM was swapped, the fraudster - not the real customer - receives the code. |
| Name match | Does carrier name match provided name? | Mismatch = flag for investigation. |
| Line status | Active, suspended, disconnected | Inactive = high risk. Suspended lines may indicate unpaid accounts or fraud holds. |
| Area code vs. address | Does phone area code match stated location? | Mismatch isn't always fraud (people move), but adds to risk scoring. |
SIM swap attacks intercept SMS-based OTP codes by convincing a carrier to transfer a victim's phone number to a new SIM. This breaks any verification flow that relies on "does this person control this phone number?" Real-time SIM swap detection - checking whether the SIM was recently changed - is a critical passive signal, especially if you send OTPs as part of your step-up verification flow.
Email Risk Scoring
| Signal | Low Risk | High Risk |
|---|---|---|
| Email age | Years old | Created in last 30 days |
| Domain | Major provider (Gmail, Outlook) | Disposable domain (tempmail, guerrilla) |
| Social presence | Linked to social accounts | No social footprint |
| Breach history | Not in breach databases | In multiple breaches (stolen address) |
| Deliverability | Active mailbox, receives mail | Undeliverable or inactive |
| Pattern | firstname.lastname format | Random/gibberish string (xj3kd9@...) |
| Private relay | Not a relay domain | Apple Private Relay, Hide My Email (not fraud per se, but limits correlation) |
Identity Correlation
This is the concept most merchants miss about passive KYC. Vendors don't just check "does this phone number exist?" They check "does this phone number belong to this person?"
Correlation scoring measures the strength of the relationship between an identity element (email, phone, address) and the person's name. The result is a confidence level:
| Confidence | What It Means |
|---|---|
| Very high (0.95+) | Full name match confirmed by multiple sources |
| High (0.85-0.94) | Partial name match (nicknames, fuzzy matches) confirmed |
| Medium (0.75-0.84) | Last name match confirmed |
| Low (0.65-0.74) | Partial match only, weak correlation |
| Unknown (0.20-0.64) | Can't determine relationship |
| Disconnected (below 0.20) | No correlation found - identity elements don't belong together |
Why this matters: A stolen identity might have a valid SSN, a valid phone number, and a valid email - but the SSN belongs to one person, the phone to another, and the email to a third. Correlation scoring catches this. Individual element checks would all pass; correlation scoring reveals the mismatch.
Three key correlations to look for in any passive KYC vendor:
- Name-to-phone - Is this phone registered to this person?
- Name-to-email - Is this email associated with this person?
- Name-to-address - Does this person live (or have lived) at this address?
Synthetic Fraud Scoring
Probabilistic models that answer: is this a real person, or a fabricated identity?
These models combine multiple signals - credit header data, phone tenure, email age, address history, SSN issuance patterns, inquiry velocity - into a single synthetic fraud score. A real person has a consistent data trail across all these sources. A synthetic identity has gaps and inconsistencies.
Key signals these models analyze:
| Signal Category | What It Looks For |
|---|---|
| SSN analysis | Was the SSN issued to a person of this age? Is it randomized (post-2011)? Does the issue state match the applicant's history? |
| Credit file velocity | How many unique names, phones, or addresses are tied to this SSN? Multiple different names on one SSN = synthetic. |
| Inquiry patterns | How many credit applications has this SSN been used for recently? What's the average time between inquiries? Rapid-fire applications = fraud. |
| Name gibberish detection | Does the name contain nonsensical patterns? Auto-generated names have detectable statistical signatures. |
| Deceased SSN usage | Is the SSN associated with a deceased person? Fraudsters often build synthetics on deceased individuals' SSNs. |
Key vendors: Socure (multi-signal), SentiLink (specialist).
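The credit file velocity, inquiry pattern and deceased-SSN signals from the table above, computed over application records. This is an added example, not vendor code; the record layout, the `ssn_token` field, the sample data and both thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample records. ssn_token stands for a tokenised SSN (assumption):
# the raw SSN never needs to reach this code. Phone numbers are fictional.
APPLICATIONS = [
    {"ssn_token": "tok-A", "name": "Maria Lopez",   "phone": "+12025550101", "ts": "2024-01-05T10:00:00"},
    {"ssn_token": "tok-A", "name": "maria  lopez",  "phone": "+12025550101", "ts": "2024-02-04T10:00:00"},
    {"ssn_token": "tok-B", "name": "Jon Avery",     "phone": "+12025550102", "ts": "2024-03-01T09:00:00"},
    {"ssn_token": "tok-B", "name": "Kyle Brandt",   "phone": "+12025550103", "ts": "2024-03-01T09:40:00"},
    {"ssn_token": "tok-B", "name": "Xq Zrrtk",      "phone": "+12025550104", "ts": "2024-03-01T11:00:00"},
    {"ssn_token": "tok-C", "name": "Harold Finch",  "phone": "+12025550105", "ts": "2024-03-02T15:00:00"},
]
DECEASED_TOKENS = frozenset({"tok-C"})  # constructed stand-in for a deceased-database hit


def normalise_name(name):
    """Case-fold and collapse whitespace so formatting noise is not counted as a new name."""
    return " ".join(name.casefold().split())


def velocity_features(applications, deceased_tokens=frozenset()):
    """Group applications by SSN token and derive the per-SSN signals."""
    by_ssn = defaultdict(list)
    for app in applications:
        by_ssn[app["ssn_token"]].append(app)

    features = {}
    for token, rows in by_ssn.items():
        times = sorted(datetime.fromisoformat(r["ts"]) for r in rows)
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        features[token] = {
            "unique_names": len({normalise_name(r["name"]) for r in rows}),
            "unique_phones": len({r["phone"] for r in rows}),
            "inquiries": len(rows),
            # Average hours between consecutive inquiries; None with a single inquiry.
            "avg_gap_hours": mean(gaps) if gaps else None,
            "deceased": token in deceased_tokens,
        }
    return features


def synthetic_flags(f, max_names=1, min_gap_hours=24.0):
    """Turn features into flags. Both thresholds are illustrative assumptions."""
    flags = []
    if f["unique_names"] > max_names:
        flags.append("multiple_names_on_ssn")
    if f["avg_gap_hours"] is not None and f["avg_gap_hours"] < min_gap_hours:
        flags.append("rapid_fire_inquiries")
    if f["deceased"]:
        flags.append("deceased_ssn")
    return flags


if __name__ == "__main__":
    for token, f in velocity_features(APPLICATIONS, DECEASED_TOKENS).items():
        print(token, f, synthetic_flags(f))
```

In production these flags would feed a score alongside the other signals rather than decide on their own; a married-name change, for example, legitimately puts two names on one SSN.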
Knowledge-Based Authentication (KBA)
Questions only the real person should know:
| Type | Example | Reliability |
|---|---|---|
| Static | "What was your first car?" | Low (data breaches) |
| Dynamic | "What was your mortgage payment in 2019?" | Medium |
| Out-of-wallet | Credit bureau-sourced questions | Medium |
Data breaches have compromised most KBA questions. Use as one supplementary signal, never as primary verification. KBA alone should not pass anyone through your verification flow.
Documentary Verification Methods
Document Verification
Verifying government-issued ID documents:
| Check | Description |
|---|---|
| Authenticity | Is the document real (not forged)? |
| Validity | Is it expired? Revoked? |
| Tampering | Has it been altered? |
| Consistency | Do fields match each other? |
| Data extraction | OCR pulls name, DOB, address, ID number |
Document Types
| Type | Trust Level | Notes |
|---|---|---|
| Passport | High | Standardized, hard to forge, MRZ machine-readable |
| Driver's license | Medium | Varies by jurisdiction, some easy to fake |
| National ID | Medium | Common outside US, varies widely |
| Utility bill | Low | Address proof only, easy to fabricate |
Biometric Verification
Matching faces to documents:
| Check | Purpose |
|---|---|
| Face match | Does selfie match ID photo? |
| Liveness | Is this a real person (not photo/video/deepfake)? Look for NIST PAD Level 2 certification (the industry standard for presentation attack detection). |
| Age consistency | Does apparent age match DOB? |
| Injection detection | Is the video feed coming from a real camera or being fed in digitally? This is separate from liveness - a deepfake can pass liveness but fail injection detection. |
Verification Waterfall
Order verification methods from least to most friction:
Verification doesn't just reject fraudsters - it also rejects real customers. Thin-file populations (young adults, recent immigrants, people without credit history) often fail passive KYC checks because they don't have enough data in the databases these checks rely on. If your verification flow rejects 5% of real applicants and those applicants are worth $125 each, that's a measurable revenue loss. Build escalation paths (documentary step-up instead of outright decline) so legitimate thin-file customers have a way through.
Risk-Based Verification
When to Step Up
| Signal | Recommended Action |
|---|---|
| New customer, low-risk profile | Passive only |
| New customer, medium-risk (risk score 30-60) | OTP + enhanced passive (carrier check) |
| New customer, high-risk (risk score 60+) | Documentary verification |
| High-value transaction | Step up from baseline |
| Account change (address, phone) | Re-verify (may indicate ATO) |
| Suspicious behavior detected | Full documentary verification |
Segment-Based Requirements
| Segment | Minimum Verification |
|---|---|
| Low-risk product, returning customer | None |
| Low-risk product, new customer | Passive (bureau match + email/phone scoring) |
| High-risk product, returning customer | OTP |
| High-risk product, new customer | Documentary (ID + selfie + liveness) |
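The step-up and segment tables above, combined with the correlation bands from Identity Correlation and the SIM swap signal, as one decision function. This is an added example, not from any vendor; the 0-100 risk scale, the field names, and the choice to escalate to documentary on a disconnected element or a recent SIM swap are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Step(IntEnum):
    """Verification steps, ordered from least to most friction."""
    NONE = 0
    PASSIVE = 1
    OTP_ENHANCED_PASSIVE = 2   # OTP + carrier check
    DOCUMENTARY = 3            # ID + selfie + liveness


# Lower bounds of the correlation confidence bands; anything below 0.20 is disconnected.
CORRELATION_BANDS = [(0.95, "very_high"), (0.85, "high"), (0.75, "medium"),
                     (0.65, "low"), (0.20, "unknown")]

# Segment-Based Requirements: (high_risk_product, returning_customer) -> minimum step
SEGMENT_MINIMUM = {
    (False, True): Step.NONE,
    (False, False): Step.PASSIVE,
    (True, True): Step.OTP_ENHANCED_PASSIVE,
    (True, False): Step.DOCUMENTARY,
}


@dataclass
class Applicant:
    risk_score: int                  # assumed 0-100 scale from your risk model
    correlations: dict[str, float]   # name_to_phone, name_to_email, name_to_address
    sim_swapped_recently: bool       # SIM changed inside your configured window
    high_risk_product: bool = False
    returning_customer: bool = False


def correlation_band(score: float) -> str:
    for floor, label in CORRELATION_BANDS:
        if score >= floor:
            return label
    return "disconnected"


def required_step(a: Applicant) -> tuple[Step, list[str]]:
    """Return the least-friction step that satisfies every rule, with the reasons."""
    step = SEGMENT_MINIMUM[(a.high_risk_product, a.returning_customer)]
    reasons = [f"segment minimum: {step.name}"]

    def raise_to(target: Step, why: str) -> None:
        nonlocal step
        if target > step:           # the waterfall only ever steps up
            step = target
            reasons.append(why)

    # When to Step Up: thresholds for new customers; a score of 60 is treated as high.
    if not a.returning_customer:
        if a.risk_score >= 60:
            raise_to(Step.DOCUMENTARY, "risk score 60+")
        elif a.risk_score >= 30:
            raise_to(Step.OTP_ENHANCED_PASSIVE, "risk score 30-60")

    # Elements that each pass on their own but do not belong to this name.
    for pair, score in a.correlations.items():
        if correlation_band(score) == "disconnected":
            raise_to(Step.DOCUMENTARY, f"{pair} disconnected ({score:.2f})")

    # An OTP sent after a SIM swap reaches whoever holds the new SIM.
    if step == Step.OTP_ENHANCED_PASSIVE and a.sim_swapped_recently:
        raise_to(Step.DOCUMENTARY, "recent SIM swap, OTP not trustworthy")

    return step, reasons


if __name__ == "__main__":
    # Constructed sample: every element is valid, but the phone belongs to someone else.
    mashup = Applicant(20, {"name_to_phone": 0.10, "name_to_email": 0.91,
                            "name_to_address": 0.96}, sim_swapped_recently=False)
    print(required_step(mashup))
```

Every rule escalates to a higher step and none declines outright, so a thin-file applicant with unknown correlations still has a path through the flow.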
Vendor Comparison
Passive Verification Vendors
| Vendor | Specialty | Est. Cost/Check | Coverage | Best For |
|---|---|---|---|---|
| Socure | Multi-signal identity + synthetic fraud scoring | $0.10-0.50+ | US-centric | Strongest synthetic ID detection. Used by 4 of top 5 US banks. |
| SentiLink | Synthetic identity scoring only | $0.02-0.15 | US only | Specialist. Does one thing extremely well. Often layered with other vendors. |
| Prove | Phone-centric identity (carrier data, SIM tenure) | $0.05-0.25 | Global | Zero-friction verification. Customer enters phone number, done. |
| Ekata (Mastercard) | Lightweight API - phone, email, address, IP | $0.05-0.30 | Global | Quick integration, good for adding identity signals without a heavy lift. |
| Trulioo | Global identity verification (KYC + KYB + AML) | $0.50-2.00+ | Global (195+ countries) | Strong international coverage. Good for cross-border merchants. |
| LexisNexis | Full identity data network (Emailage, ThreatMetrix, ID Analytics) | $3.00-8.00+ | Global | Enterprise. Largest data network, but enterprise pricing to match. |
Documentary Verification Vendors
| Vendor | Est. Cost/Check | Self-Serve? | Best For | Notable |
|---|---|---|---|---|
| Stripe Identity | $1.50/verification (first 50 free) | Yes | Stripe merchants, easiest on-ramp | Built into Stripe dashboard. No new vendor. ID + selfie + liveness. |
| Veriff | $0.80-1.89 | Yes | SMBs, transparent pricing | Published pricing. Video-based verification option. 230+ countries. |
| Sumsub | $1.35+ | Yes | All-in-one KYC/KYB/AML | 2025 Gartner Leader. 220+ countries. No-code verification links available. |
| Persona | $1.50+ (Essential) | Yes | Developers, custom workflows | 2025 Gartner Leader. Strong orchestration. Also does KYB. |
| Jumio | $1-5+ | No | Global document coverage | 5,000+ document types. 200+ countries. Enterprise-focused. |
| Onfido (Entrust) | $0.50-4+ | No | Fintech, workflow builder | Acquired by Entrust in April 2024. Strong AI document analysis. |
| Incode | $1-4+ | No | Latin America, speed | 2025 Gartner Leader. 1.5-second average verification. |
| Mitek | $1-4+ | No | Enterprise, strong growth | Datos Insights leader (Jan 2026). MiPass 4D biometric. |
| Au10tix | $1-3+ | No | Speed, consortium detection | 4-8 second automated verification. Detects coordinated attacks across 60+ companies. |
| iDenfy | $0.50-1.35 | Yes | Mid-market, competitive pricing | 3,000+ doc types. Includes KYB and AML screening. |
Biometric / Liveness Specialists
| Vendor | Est. Cost/Check | What It Does | Notable |
|---|---|---|---|
| iProov | $0.50-2+ | Liveness detection + deepfake prevention only (no document verification) | Best-in-class injection attack detection. Used by governments and banks. |
| FaceTec | SDK licensing | 3D liveness + face matching | On-device processing option for privacy-sensitive use cases. |
Combined / Hybrid Approaches
| Vendor | Type | Est. Cost/Check | Coverage | Best For |
|---|---|---|---|---|
| Socure | Passive + Documentary | $0.10-0.50+ (passive), more for doc | US-centric | Teams wanting one vendor for both passive and documentary |
| Plaid | Passive + Bank verification | $1-5+ (full flow) | US/Canada | Bank+ID combined. Strongest signal when you already need bank connectivity. See detailed analysis. |
| Persona | Documentary + KYB + Orchestration | $1.50+ | Global | Developers who want to build multi-step verification flows |
| Alloy | Orchestration layer | $1-5+ | US-focused | Combines multiple vendor signals into unified decisioning. Fintech-focused. |
Plaid: Bank + Identity Combined
Plaid's identity verification works differently from pure IDV vendors. When a customer links their bank account, you get ownership verification, account history, and identity data from the bank's records.
Why it's powerful: Bank data is hard to fake. You can create a synthetic identity with a fabricated SSN and a burner phone, but you can't easily create a fake bank account with years of transaction history.
Why it costs more: ~$500/month platform baseline + per-check fees ($1-5+ for full Identity + Auth). Plus the customer goes through a bank-linking flow. Best when you already need bank connectivity (ACH payments, balance checks) and want to layer identity on top.
Cost Comparison
| Tier | What You Get | Cost Per Check | Monthly at 1,000 checks |
|---|---|---|---|
| Passive only | Database match, phone/email scoring, synthetic fraud score | $0.02-0.50 | $20-500 |
| Documentary only | ID scan + selfie + liveness | $0.80-5.00 | $800-5,000 |
| Full KYC bundle | Passive + documentary step-up + ongoing monitoring | $1.50-8.00 | $1,500-8,000 |
| Bank + ID (Plaid) | Bank account verification + identity signals | $1.00-5.00 + platform fee | $1,500-5,500 |
When to Buy What
| Your Situation | Recommendation | Budget |
|---|---|---|
| Under $1M, standard e-commerce | Don't buy dedicated IDV. Processor tools + 3DS are enough. | $0 |
| Under $1M, on Stripe, need doc verification | Stripe Identity. First 50 free, pay-per-use. Already integrated. | $0-100/month |
| $1M-$5M, seeing synthetic fraud | Add passive KYC. Start with Prove or Ekata for lightweight checks. | $100-500/month |
| $1M-$5M, high first-order fraud | Passive + documentary step-up. Stripe Identity (if on Stripe), Veriff, or Sumsub for self-serve. | $300-2,000/month |
| $5M-$20M, multiple fraud types | Full waterfall. Socure or SentiLink for passive + Veriff/Persona/Jumio for documentary. | $1,000-5,000/month |
| $20M+, enterprise | Multi-vendor stack. LexisNexis or Socure passive + Jumio/Onfido/Mitek documentary + iProov liveness. | $5,000-20,000+/month |
| Fintech, lending, crypto | Full KYC (regulatory requirement). Socure + Persona/Sumsub/Jumio. Consider Plaid if bank-connected. | $2,000-15,000+/month |
| Marketplace (seller KYB) | KYB platform. See KYC & KYB for vendor comparison. | $500-5,000/month |
Defending Against IDV Fraud
For the full threat landscape, see What Identity Verification Is Up Against at the top of this page. This section covers countermeasures and vendor evaluation.
Countermeasures by Attack Type
| Attack | Defense | Key Vendors |
|---|---|---|
| Synthetic identities | Synthetic fraud scoring, credit bureau cross-ref | Socure, SentiLink |
| Stolen identities | Multi-signal verification (phone tenure + email age + device + address), bank account verification | Prove, Plaid |
| Forged/synthetic documents | Document forensics, template matching, NFC chip reading | Jumio, Onfido/Entrust |
| Presentation attacks | Liveness detection (blink, turn head, random prompts) | Most documentary vendors include basic liveness |
| Deepfakes | Advanced liveness, multi-angle capture, texture analysis | iProov, Jumio |
| Injection attacks | Device integrity checks, camera source validation, SDK-level protection | iProov, Jumio, Incode |
| Credential sharing | Behavioral analytics, ongoing monitoring, velocity checks | BioCatch, Sardine |
What to Ask Your Documentary Verification Vendor
The most important questions, in order of priority:
- Do you detect injection attacks, or only presentation attacks? Injection attacks now outnumber presentation attacks. If your vendor only catches someone holding up a photo, they're missing the bigger threat.
- What's your deepfake detection rate on injected video? Get a number. "We detect deepfakes" is not an answer.
- How often do you update your detection models? AI-generated attacks improve weekly. Monthly or quarterly model updates are not fast enough.
- Can you detect if the camera feed is being intercepted or replaced? This is the injection attack question phrased differently. Vendors with native SDKs have an advantage over pure API-based verification here.
- What's your false rejection rate? Leading vendors target under 2%. Above 5% means you're rejecting real customers at a rate that costs you money. Ask specifically about thin-file populations (young adults, immigrants) - some vendors have higher false rejection rates for these groups.
- Are you NIST PAD Level 2 certified for liveness detection? NIST's Presentation Attack Detection standard is the industry benchmark. Level 2 means the vendor has been independently tested against spoofing attacks. Not all vendors have this certification.
- Do you support NFC chip reading? Modern passports and some national IDs have NFC chips with cryptographically signed data. Reading the chip is the strongest document authentication available.
Next Steps
Implementing identity verification?
- Understand passive vs. documentary - Start with the right approach
- Design your waterfall - Least to most friction
- Compare vendors - Match to your volume and risk
- Read the KYC/KYB guide - ROI math and program design
Choosing a vendor?
- Check the cost comparison - Budget by tier
- Match to your situation - Recommendations by volume
- Evaluate deepfake defense - Questions to ask
Defending against IDV fraud?
- Understand the threat landscape - Data-layer and document-layer attacks
- Implement countermeasures - Match defenses to attack types
- Ask the right vendor questions - Injection detection, deepfake rates, NFC
Related Topics
- Data Enrichment - IP, email, phone signals (enrichment, not verification)
- KYC & KYB for Fraud Prevention - When to verify, building a proportional program
- Account Fraud - Fake signups and onboarding-stage fraud
- Synthetic Identity - Fabricated identities
- Third-Party Fraud - Stolen identity usage
- Account Takeover - Hijacked accounts
- Evidence Framework - Tier 1/Tier 2 indicators
- Risk Scoring - When to step up verification
- Device Fingerprinting - Device-based identity signals
- Behavioral Analytics - Behavior-based identity signals
- AML Basics - KYC, OFAC, and PEP requirements
- Fraud Vendors - IDV vendor options
- Manual Review - When IDV triggers review