CIAM.wiki

Identity proofing and verification

Authentication proves someone holds an account. Identity proofing proves, before the account exists, that the person behind it is real and who they say they are. For consumer businesses that is the difference between onboarding a customer and onboarding fraud.

What it covers

Proofing combines several checks, used together based on risk:

  • Document verification: scanning and validating a government ID.
  • Biometric and liveness: matching a selfie to the document and confirming a live person, not a photo or a deepfake.
  • Database and watchlist checks: confirming the identity against authoritative sources and screening for sanctions or PEP status (KYC and AML).

How many of these you apply, and how much friction you add, should scale with the risk of the action.

Where it fits CIAM

Proofing happens at registration and feeds the identity that CIAM then manages. A proofed account can carry a higher assurance level (the NIST 800-63 identity assurance levels are the common reference), which can unlock higher-value actions later without re-proofing. The cleaner the handoff from the proofing step into the CIAM profile, the less friction you carry forward.

Most CIAM platforms do light verification (email, SMS) and integrate a specialist for document and biometric proofing.
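
One way the handoff from proofing into the CIAM profile can look, as an added example that is not from this page or from any vendor: the proofing result is written into the profile as an assurance level, and later actions reuse it until it is too old. The check names, the level mapping, the action names and the result shape are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy (not NIST requirement text): checks that must pass per level.
LEVEL_REQUIREMENTS = {1: {"email"}, 2: {"document", "biometric", "liveness"}}
# Assumed per-action policy: (minimum level, maximum age of the proofing event).
ACTION_POLICY = {"view_orders": (1, None), "payout_change": (2, timedelta(days=365))}

@dataclass
class Profile:
    user_id: str
    assurance_level: int = 0
    proofed_at: Optional[datetime] = None
    evidence: set = field(default_factory=set)

def apply_proofing_result(profile, result):
    """Carry a proofing result into the CIAM profile."""
    passed = {name for name, ok in result["checks"].items() if ok}
    # A flagged presentation or injection attack voids the biometric evidence.
    if result.get("attack_detected"):
        passed -= {"biometric", "liveness"}
    level = max((l for l, need in LEVEL_REQUIREMENTS.items() if need <= passed), default=0)
    # A later, weaker result never downgrades; an equal one refreshes the timestamp.
    if level and level >= profile.assurance_level:
        profile.assurance_level = level
        profile.proofed_at = result["completed_at"]
        profile.evidence = passed
    return profile

def decide(profile, action, now):
    """Return 'allow', 're_proof' or 'deny' (unknown actions fail closed)."""
    policy = ACTION_POLICY.get(action)
    if policy is None:
        return "deny"
    required, max_age = policy
    if profile.assurance_level < required:
        return "re_proof"
    if max_age is not None and now - profile.proofed_at > max_age:
        return "re_proof"
    return "allow"

# Constructed sample result, in a hypothetical vendor-neutral shape.
SAMPLE_RESULT = {
    "checks": {"email": True, "document": True, "biometric": True, "liveness": True},
    "attack_detected": False,
    "completed_at": datetime(2024, 1, 10, tzinfo=timezone.utc),
}
```

A result with the attack flag set still records the email check, so the account is created at the lower level and the high-value action asks for proofing again instead of silently inheriting trust.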

The AI-fraud wrinkle

Deepfakes and injection attacks now target the biometric step directly. Vendors are responding with presentation- and injection-attack detection, and how well a product resists these attacks is now a core evaluation question rather than a footnote. The same AI that helps verify is being used to defeat verification.

What to ask a CIAM vendor

  • Does proofing cover document, biometric, and liveness, with database and watchlist checks where needed?
  • How is the verification result carried into the CIAM identity and its assurance level?
  • What defends the biometric step against deepfakes and injection attacks?
  • What is the global document and language coverage for the markets we serve?
  • Can the proofed identity be reused for later high-value actions without re-proofing?

The buyer takeaway: proofing is a risk and conversion decision as much as a security one, and the strongest setups tune friction to risk rather than verifying everyone the same way. Binding that proofed real-world identity to the ongoing digital account is the heart of identity convergence. Where regulated, confirm KYC and AML obligations in compliance, then run the vendor matcher.