Identity Verification: What It Is and When to Use It

Verification of identity has long relied on government-issued photo IDs, like a driver’s license or passport, that could be examined by an agent and compared to the person standing in front of them. But as we continue to evolve into a more digital society, our methods of identity verification have to keep up.

Here’s everything you need to know about identity verification: what it is, how to use it, pitfalls to avoid, and how it applies to e-signatures and digital signatures.

Identity (ID) Verification, defined 

Identity Verification is the method by which people prove they are who they say they are. It is a foundational element of security for all kinds of organizations, employers, customers, and individuals. ID Verification plays a major role in preventing fraud and identity theft and ensuring that contracts and agreements are legally binding.

Differentiating ID Verification, Authentication, and Authorization

People are often unclear on the differences between identity verification, authentication, and authorization. The confusion is understandable—these are all complementary elements of establishing trust in remote or digital interactions. In this section, we’ll lay out the differences and when each is used.

Verification

Companies most often use identity verification as a first step in creating a new relationship. For example, identity verification is used for setting up a financial services account, a sales contract, or an employment agreement. In each of those instances, a company needs to verify the identity of the person entering the relationship by three criteria: the identity is genuine (not invented); it belongs to the person they’re interacting with (not stolen); and the person is present at the time of capture (not falsely represented).

The verification process checks the legitimacy of the identifiers provided on an application, such as name, mailing address, phone number, and email address. Beyond traditional physical forms of identification, digital methods can include a fingerprint, facial scan, copy of a driver’s license, “liveness” checks and other means.

Verification isn’t required for every agreement, but it’s essential for many high-value, highly sensitive, or highly regulated transactions.

Authentication

Once an individual’s identity has been verified and the relevant agreement or contract has been finalized, the focus shifts to authentication for ongoing interaction. The National Institute of Standards and Technology (NIST) defines digital authentication as establishing “that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.”

Identity authentication is the process of proving that a person is the same person who has been previously verified and associated with an account.

Authentication can be as simple as requiring the individual to enter a password. More recently, authentication often includes additional checks such as multi-factor authentication (MFA).

Authorization

Following user authentication comes authorization. Identity authorization involves checking that the person has permission to do the things they’re trying to do. This typically encompasses the data they can access and the specific actions they’re allowed to perform, such as create, read, update and delete (CRUD) operations.

Looking at the lifecycle as a whole, we can see how each step builds on the preceding ones:

  • Verification – This account is being created by a real person who is who they say they are.
  • Authentication – The real person accessing this account or service is the person who created it.
  • Authorization – The real person accessing the account or service is the person who created it, and they’re allowed to do these things with it.
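The three stages can be seen as three separate gates in code. The sketch below is an added example, not taken from the original page; the function names, the in-memory account store and the sample users are hypothetical, and the `idCheckPassed` flag stands in for the outcome of an ID check performed elsewhere.

```javascript
// Added illustration of the three gates; all names and data are hypothetical.
const nodeCrypto = require('node:crypto');

const accounts = new Map(); // in-memory store, constructed for this example

function hashPassword(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Verification: happens once, at onboarding. The boolean stands in for the
// result of an ID check (photo ID, liveness, etc.) performed elsewhere.
function onboard(email, password, idCheckPassed, permissions) {
  if (!idCheckPassed) return false; // unverified identity: no account created
  const salt = nodeCrypto.randomBytes(16);
  accounts.set(email, {
    salt,
    hash: hashPassword(password, salt),
    permissions: new Set(permissions),
  });
  return true;
}

// Authentication: on every login, prove control of the account's authenticator.
function authenticate(email, password) {
  const acct = accounts.get(email);
  if (!acct) return null;
  const candidate = hashPassword(password, acct.salt);
  return nodeCrypto.timingSafeEqual(candidate, acct.hash) ? { email } : null;
}

// Authorization: per action, check what the authenticated subject may do.
function authorize(session, action) {
  if (!session) return false;
  const acct = accounts.get(session.email);
  return Boolean(acct) && acct.permissions.has(action);
}

// Constructed sample flow.
onboard('alice@example.com', 'correct horse battery', true, ['read', 'update']);
const rejected = onboard('mallory@example.com', 'pw', false, ['read']);
const session = authenticate('alice@example.com', 'correct horse battery');
const badLogin = authenticate('alice@example.com', 'wrong password');
console.log({ rejected, loggedIn: session !== null, badLogin,
  canRead: authorize(session, 'read'), canDelete: authorize(session, 'delete') });
```

A successful login does not imply permission: the sample user authenticates but is still denied `delete`.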

When to use ID Verification

The level of identity verification required for an agreement or transaction depends on factors such as industry preference, regulatory requirements, financial value, legal considerations, and company risk tolerance. A higher level of identity verification is typically required in situations including:

  • Account opening and onboarding
  • Lending, leasing and financing
  • Insurance applications
  • Auto test-drive and sales agreements
  • Patient onboarding and consent forms
  • Employee onboarding
  • Cross-border transactions
  • Claims management
  • Dispute notices
  • Wire transfers
  • Equipment financing

While the need for identity verification depends more on use case than industry, identity verification is an especially important capability for companies in sectors such as:

  • Financial services
  • Insurance
  • Legal services
  • Government
  • Healthcare
  • Life sciences
  • Automotive
  • Business services

What level of ID Verification is required?

The level of identity verification required should be informed by the situation and desired level of security measures. For many routine interactions, basic measures of verification are enough—a PIN punched into a point-of-sale terminal, a password entered into an e-commerce site, a signer’s email address during an electronic signature process. Some other situations call for a higher level of identity verification, such as:

  • A communication service provider (CSP) signing a new customer to an ongoing agreement
  • A customer opening a new bank account or processing a mortgage application
  • A real estate agent finalizing a rental agreement
  • An insurer issuing a new insurance policy
  • A human resources (HR) staff member onboarding a new employee

Challenges of ID Verification

ID verification is meant to establish trust between parties. As the world has moved online, the same level of personal trust and verification is required in digital interactions, and proper online identity verification has been a key priority for businesses. A few significant challenges must be addressed for identity verification in the digital age:

  • Integrating identity verification into all-digital processes with a high level of trust and fraud prevention
  • Providing the smooth and painless identity verification experience that users demand, in a setting where it’s all too easy for customers to get impatient or annoyed, at which point they may abandon a transaction or agreement
  • Adherence to industry or regional regulations

These challenges have driven ongoing innovation in both technology and policy to create identity verification systems designed for modern digital life.

How ID Verification Works

Identity verification can take many forms, from basic measures sufficient for low-risk transactions to more advanced methods that provide a higher level of trust for more sensitive, valuable, or highly regulated interactions. Identity Verification works by collecting information and comparing what’s collected to what’s on file, to check for a match that validates an identity to varying degrees. The more match points collected, the higher the degree of confidence in the identity verification. Information typically collected during the process of identity verification may include: 

  • Email address – Signers enter their own email address, which is compared to the email address on file.
  • Access code – Signers provide a code received by either a phone call or an SMS text message.
  • Knowledge-based questions – Signers are asked personal questions such as past addresses or vehicles owned based on information gathered from commercially available databases.
  • Photo ID upload – Signers are verified using their government-issued photo IDs such as passport, driver license or residence permit.
  • Electronic or bank-based IDs – Signers submit their login credentials for existing bank or government accounts to prove their identity.
  • ID verification – Signers provide a government-issued photo ID or European eID credential and complete additional remote identity verification checks.

Using E-Signatures and Digital Signatures for ID Verification

Identity verification is often used in the context of an electronic signature or digital signature. While often confused or used interchangeably with each other, these are two distinct forms of signing.

An electronic signature or e-signature is any signature image, symbol, fingerprint, click, verbal sound or process that verifies a document and creates a legally binding record in place of a traditional “wet,” or handwritten, signature. An e-signature may be as simple as clicking a box or typing your name or initials into a fillable form while agreeing or accepting that you’ve signed the document.

A digital signature is a specific type of e-signature that complies with strict legal regulations, provides the highest level of assurance of a signer’s identity and enhances the security of a transaction. Relying on a technology called Public Key Infrastructure (PKI), a digital signature uses algorithms and encryption to both sign and verify the authenticity of a document. A digital certificate generated during the signing process authenticates the signer’s identity and provides evidence of tamper-proofing.

Highly secure, more easily traceable than a basic e-signature and considered the legal equivalent of a handwritten signature across all 27 European Union member states, certain levels of digital signature are a good tool for sensitive data such as financial records, personally identifiable information (PII), data regulated under the Health Insurance Portability and Accountability Act (HIPAA), and other confidential paperwork or contracts.

Both e-signatures and digital signatures offer numerous advantages over a wet signature. For example:

  • Wet signatures can easily be forged and tampered with, while e-signatures and digital signatures have many built-in layers of security and authentication.
  • E-signatures and digital signatures offer an electronic record that serves as an audit trail and proof of the transaction.
  • Certificates of Completion (CoC) accompanying a digital signature can include specific details about each signer on the document, such as the consumer disclosure indicating that the signer agreed to use e-signature, the signature image, key event timestamps, and the signer’s IP address and other identifying information.
  • A seal generated using PKI indicates that a digital signature is valid and that the document hasn’t been tampered with or altered since the date of signing.
  • By enabling fully digital documentation and signature processes, e-signatures and digital signatures reduce paper usage, helping companies both reduce costs and meet sustainability goals. 
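The tamper-evidence property described above can be demonstrated with a public-key signature over a document hash. This is an added example, not code from the original page or from any signing product; the function names and sample data are hypothetical, and a bare Ed25519 key pair stands in for the certificate-bound key that a PKI-based service would use.

```javascript
// Added illustration: tamper evidence from a public-key signature.
// A bare Ed25519 key pair stands in for the signer's certificate-bound key;
// a real PKI check would also validate the certificate chain and revocation.
const nodeCrypto = require('node:crypto');

const sha256Hex = (bytes) =>
  nodeCrypto.createHash('sha256').update(bytes).digest('hex');

// Seal: bind the document hash to signer metadata, then sign the bundle.
function sealDocument(documentBytes, signer, signedAt, privateKey) {
  const record = { signer, signedAt, sha256: sha256Hex(documentBytes) };
  const payload = Buffer.from(JSON.stringify(record));
  const signature = nodeCrypto.sign(null, payload, privateKey).toString('base64');
  return { record, signature };
}

// Verify: the signature must cover the record as presented, and the record's
// hash must match the document as presented.
function verifySeal(documentBytes, seal, publicKey) {
  const payload = Buffer.from(JSON.stringify(seal.record));
  const signatureValid = nodeCrypto.verify(
    null, payload, publicKey, Buffer.from(seal.signature, 'base64'));
  const documentUnchanged = sha256Hex(documentBytes) === seal.record.sha256;
  return { signatureValid, documentUnchanged,
           ok: signatureValid && documentUnchanged };
}

// Constructed sample data (not from the page).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const contract = Buffer.from('Lease: rent is 1,200 per month.');
const seal = sealDocument(contract, 'signer@example.com',
                          '2024-01-15T10:00:00Z', privateKey);

function demo() {
  const alteredDoc = Buffer.from('Lease: rent is 1,000 per month.');
  const alteredSeal = { ...seal,
    record: { ...seal.record, signer: 'other@example.com' } };
  return {
    original: verifySeal(contract, seal, publicKey),
    alteredDocument: verifySeal(alteredDoc, seal, publicKey),
    alteredRecord: verifySeal(contract, alteredSeal, publicKey),
  };
}
console.log(demo());
```

Changing the document breaks the hash match, and changing the signer metadata breaks the signature, so either alteration is detected.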

What do SES, AES, QES and eIDAS 2.0 mean for ID Verification?

E-signatures and digital signatures are often described using the terms SES, AES or QES to indicate ascending levels of verification and trust.

Simple electronic signature (SES)

The term SES refers to the most basic form of e-signature. Appropriate for everyday use cases such as a sales and procurement agreement, SES relies on the simplest verification measures; it’s usually enough to know the signer’s email address or enter a unique access code.

Advanced electronic signature (AES)

A true digital signature, AES provides additional authentication steps to verify signer identities for higher-value transactions or agreements. The signer typically uses a valid identity document to confirm that they are who they say they are, and may be required to provide a unique access code after the signing process as well. AES also includes a certificate-based digital ID issued by a trusted service provider (TSP) and attached to the envelope as part of the transaction. The resulting digital signature is legally binding.

Qualified electronic signature (QES)

QES, also a true, legally binding digital signature, offers the highest level of trust through a face-to-face, or equivalent, identity verification process by a qualified trust service provider (QTSP)—a higher level of TSP—and the creation of a digital certificate with an electronic signature device. Across all 27 EU member states, it is considered the legal equivalent to a handwritten signature and, when contested in court, shifts the burden of proof to the challenging party.

eIDAS 2.0

As digital signatures become more common around the world, the EU has taken the lead in policies governing their use. In 2014, the EU established the Electronic Identification, Authentication and Trust Services (eIDAS) regulation to ensure secure and reliable electronic identification and trust services across its member states. Under eIDAS, TSPs and QTSPs must meet the highest standards of security and reliability set by the EU, adhere to more stringent requirements and undergo regular audits to ensure ongoing compliance.

When adopted, version 2.0 of eIDAS is expected to expand the regulation to include additional types of electronic trust services as well as the concept of an EU Identity Wallet, a digital platform that allows individuals and businesses to store and manage their electronic identification and trust services, including digital signatures and certificates, securely and conveniently.

Why ID Verification user experience matters

While identity verification can be a critical part of a customer interaction, it can’t be allowed to come at the expense of the interaction itself. The perception of excessive or obtrusive checks for signers can increase drop-off rates and create a negative impression of the company requiring them. For this reason, customer experience is a key area of identity verification innovation. Leading solution providers are working to make the identity verification process as seamless and painless as possible, focusing on these attributes:

  • Fast: Ensuring that the process can be completed in minutes, not days
  • User-friendly: With intuitive steps and step-by-step guidance, in a mobile-friendly experience
  • Self-serve: Avoiding the need to set up live appointments with human agents
  • Accessible: As a cloud-based process that eliminates the need to download and install a separate app
