Identity Verification
Prerequisites
Before implementing identity verification, understand:
- Fraud types especially synthetic identity
- AML/KYC basics for compliance requirements
- Risk scoring for step-up triggers
- Application fraud patterns
TL;DR
- Identity verification = Confirming customers are who they claim to be
- Methods (friction order): database checks → OTP/KBA → document + selfie
- Use risk-based step-up: low-risk = passive only, high-risk = full document verification
- Watch for: synthetic docs, deepfakes, photo replay attacks
- Vendors: Jumio, Onfido, Veriff (full-stack); LexisNexis, Experian (database)
Confirming that customers are who they claim to be.
Identity Verification Methods
Document Verification
Verifying government-issued ID documents:
| Check | Description |
|---|---|
| Authenticity | Is the document real (not forged)? |
| Validity | Is it expired? Revoked? |
| Tampering | Has it been altered? |
| Consistency | Do fields match each other? |
Document Types
| Type | Trust Level | Notes |
|---|---|---|
| Passport | 🔴 High | Standardized, hard to forge |
| Driver's license | ⚠️ Medium | Varies by jurisdiction |
| State ID | ⚠️ Medium | Similar to DL |
| Utility bill | ⚠️ Low | Address only, easy to fake |
Biometric Verification
Matching faces to documents:
| Check | Purpose |
|---|---|
| Face match | Does selfie match ID photo? |
| Liveness | Is this a real person (not photo/video)? |
| Age consistency | Does apparent age match DOB? |
Database Verification
Cross-referencing against authoritative sources:
| Source | What It Verifies |
|---|---|
| Credit bureaus | SSN, name, address history (key for synthetic identity detection) |
| DMV | Driver's license validity |
| SSA | SSN issuance, name match |
| Death records | Is person alive? |
| Sanctions lists | OFAC, PEP status (see AML Basics) |
Knowledge-Based Authentication (KBA)
Questions only the real person should know:
| Type | Example | Reliability |
|---|---|---|
| Static | "What was your first car?" | Low (data breaches) |
| Dynamic | "What was your mortgage payment in 2019?" | Medium |
| Out-of-wallet | Credit bureau-sourced questions | Medium |
KBA Limitations
Data breaches have compromised most KBA questions. Use as one factor, not sole verification.
Phone/Email Verification
| Method | What It Proves |
|---|---|
| OTP to phone | Access to phone number |
| Email click | Access to email |
| Phone ownership | Number registered to individual |
| Email age | How long email has existed |
Verification Waterfall
Order verification methods from least to most friction:
Risk-Based Verification
When to Step Up
| Signal | Recommended Action |
|---|---|
| New customer, low-risk profile | Passive only |
| New customer, medium-risk (risk score 30-60) | OTP/KBA |
| New customer, high-risk (risk score 60+) | Document verification |
| High-value transaction | Step up from baseline |
| Account change (address, phone) | Re-verify (may indicate ATO) |
| Suspicious behavior detected | Full verification |
Segment-Based Requirements
| Segment | Minimum Verification |
|---|---|
| Low-risk product, returning customer | None |
| Low-risk product, new customer | Bureau match + OTP |
| High-risk product, returning customer | OTP |
| High-risk product, new customer | Document + biometric |
Vendor Landscape
| Category | Examples |
|---|---|
| Full-stack | Jumio, Onfido, Veriff |
| Document | Authentix, IDology |
| Biometric | iProov, FaceTec |
| Database | LexisNexis, Experian |
| KBA | IDology, LexisNexis |
Fraud in ID Verification
Attack Vectors
| Attack | Description |
|---|---|
| Synthetic docs | AI-generated fake IDs |
| Photo replay | Photo of photo, not live person |
| Deepfakes | AI-generated face videos |
| Document fraud | Altered real documents |
| Credential sharing | Real person helps fraudster |
Countermeasures
| Attack | Defense |
|---|---|
| Synthetic docs | Document forensics, database cross-ref |
| Photo replay | Liveness detection (blink, turn head) |
| Deepfakes | Advanced liveness, multiple angles |
| Document fraud | Tamper detection, consistency checks |
| Credential sharing | Behavioral analysis, ongoing verification |
Next Steps
Implementing identity verification?
- Design verification waterfall - Least to most friction
- Choose verification methods - Document, biometric, database
- Integrate with risk scoring - Step-up triggers
Setting up risk-based verification?
- Define step-up triggers - When to require more
- Set segment requirements - By product and customer
- Configure risk thresholds - Score-based routing
Defending against IDV fraud?
- Understand attack vectors - Synthetic docs, deepfakes
- Implement countermeasures - Liveness, forensics
- Evaluate vendors - Jumio, Onfido, etc.
Related Topics
- Application Fraud - Origination-stage fraud
- Synthetic Identity - Fabricated identities
- Third-Party Fraud - Stolen identity usage
- Account Takeover - Hijacked accounts
- Evidence Framework - Tier 1/Tier 2 indicators
- Risk Scoring - When to step up verification
- Device Fingerprinting - Device-based identity signals
- Behavioral Analytics - Behavior-based identity signals
- AML Basics - KYC, OFAC, and PEP requirements
- Fraud Vendors - IDV vendor options
- Manual Review - When IDV triggers review