Identity proofing vs identity verification: what’s the difference?
TL;DR
- Identity proofing is the full process of establishing that a claimed identity is real and belongs to a present person.
- Identity verification is one step inside proofing, confirming presented credentials match a trusted source.
- NIST SP 800-63-4, finalised July 2025, defines proofing across three identity assurance levels.
- Authentication is a third, separate step that confirms a returning user, not the original identity.
- The terms are not interchangeable, and regulated onboarding usually requires all three.
Teams use “identity proofing” and “identity verification” as if they mean the same thing, and the slip causes real gaps in onboarding design. They are related but not equal. Identity proofing is the whole process of establishing that someone is who they claim to be. Identity verification is one specific step within it. Getting the distinction right matters because regulators, standards bodies, and auditors treat them as separate requirements with separate evidence. This guide defines each term, sets them side by side in a comparison table, shows where authentication fits, and helps you decide which your business needs.
Defining identity proofing
Identity proofing is the end-to-end process of collecting and validating evidence to establish that a claimed identity is real and belongs to the person presenting it. It is the umbrella term for everything involved in proving an identity at onboarding, from gathering documents to confirming a live person is behind them.
The authoritative reference is the US National Institute of Standards and Technology. Under NIST SP 800-63-4, finalised in July 2025, the sole objective of identity proofing is to ensure an applicant is who they claim to be to a stated level of certitude, performed at one of three identity assurance levels (NIST SP 800-63A).
Under SP 800-63A-4, the proofing process runs in three steps: resolution (establishing a unique identity from collected evidence), validation (confirming that evidence is authentic and accurate), and verification (confirming the applicant is the rightful owner of that evidence). Verification is the third step – it cannot happen without the first two.
The identity proofing process covers the full chain of resolving an identity, validating the evidence, and confirming the applicant is the rightful owner of it. Verification is one link in that chain, which is why proofing is the broader of the two terms in any complete guide to identity verification.
Defining identity verification
Identity verification is the narrower step of confirming that the credentials a person presents match a trusted, authoritative source. Where proofing asks “have we established this identity to the required level of assurance?”, verification asks the more specific question “does this document and this face match the records we trust?”
In practice, verification is the moment a passport is authenticated, a live selfie is matched to the document photo, and the identity is cross-checked against a database. Those checks produce a clear pass or fail. Proofing wraps around them, adding the resolution and evidence-evaluation steps that decide whether the verified credential is enough for the assurance level the business or regulator requires. So verification is essential to proofing, but it is not the whole of it.
Identity proofing vs identity verification: side-by-side comparison
The fastest way to separate the two terms is to compare them across the dimensions that matter for onboarding and compliance. The table below sets identity proofing against identity verification on definition, scope, process, regulatory reference, ownership, and output.
| Dimension | Identity proofing | Identity verification |
| Definition | The full process of establishing a claimed identity is real and belongs to the person | The step of confirming presented credentials match a trusted source |
| Scope | Broad, covers resolution, evidence validation, and ownership confirmation | Narrow, confirms a specific credential or biometric matches |
| Process steps | Collect evidence, validate it, confirm the applicant owns it, assign an assurance level | Authenticate the document, match the biometric, cross-check the database |
| Regulatory reference | NIST SP 800-63-4 identity assurance levels | AML customer due diligence under FATF Recommendation 10 |
| Who performs it | A credential service provider or regulated business at onboarding | The verification system or service, often via an API |
| Output | An identity established to a stated assurance level | A pass, fail, or refer decision on a credential |
The table makes the relationship clear. Verification is a component, proofing is the system that component sits inside. A business can run verification without a full proofing framework, but it cannot run rigorous proofing without verification.
Where authentication fits in
Authentication is a third distinct step, and confusing it with the first two is the most common mistake of all. The cleanest way to hold the three apart is as a sequence. Proofing establishes the identity once. Verification confirms the credentials within that proofing. Authentication then confirms, on every future visit, that the returning user is the same person who was proofed.
A password, a one-time code, or a fingerprint unlock is authentication. None of those steps re-establish the original identity. They only confirm continued access to an account that was already proofed and verified. This is why a strong authentication setup cannot rescue weak proofing. If a synthetic identity is proofed incorrectly at the start, every authentication afterward simply confirms the same fraudulent account. The full breakdown lives in the difference between identity verification vs authentication.
Which does your business need?
Most regulated businesses need all three, but the emphasis shifts with sector and risk level. The question is rarely “proofing or verification” but “how much assurance does this relationship require, and which steps deliver it.”
A high-risk relationship such as opening a bank account or a crypto wallet needs full identity proofing at a high assurance level, which means robust verification plus the evidence-evaluation steps around it. A lower-risk interaction such as a returning user accessing a low-value feature may need only authentication, because the proofing was completed at onboarding. The practical rule is to match the assurance level to the risk and the regulation. Under AML rules, proofing and verification are mandatory at onboarding, and the AML identity verification obligations define how rigorous that proofing has to be. Remote identity proofing, sometimes called digital identity proofing, has to deliver the same assurance as in-person checks, which is where liveness and document forensics become non-negotiable.
NIST SP 800-63-4 defines three identity assurance levels – IAL1, IAL2, and IAL3 – with IAL2 and above requiring remote or in-person proofing with validated evidence and biometric confirmation.
How Shufti supports identity proofing and verification
If you are building an onboarding flow that has to satisfy an assurance-level requirement, the gap most teams hit is treating verification as if it were the whole proofing job. A pass on a document check does not prove the applicant owns that identity to the level a regulator expects. Shufti covers the chain end to end, with document forensics, biometric matching, liveness detection, and database cross-checks running through one integration, so the verification steps sit inside a proofing process that produces an auditable record. Document intelligence trained on 10,000+ document types across 240+ countries and territories means the same flow holds its assurance level in markets where retrofitted systems fall short.
See how Shufti runs identity proofing and verification end to end on real onboarding data — book a demo.
Frequently Asked Questions
What is the difference between identity proofing and identity verification?
Identity proofing is the full process of establishing that a claimed identity is real and belongs to the person presenting it. Identity verification is one step within proofing, confirming that presented credentials match a trusted source. Proofing is the broad framework, and verification is a specific component inside it.
Is identity proofing the same as KYC?
No, but they overlap. Identity proofing is the process of establishing an identity to a stated assurance level, drawn from NIST guidance. KYC is the wider regulatory programme that includes proofing and verification at onboarding plus ongoing risk assessment, AML screening, and monitoring throughout the customer relationship.
What is remote identity proofing?
Remote identity proofing establishes a person's identity without physical presence, using document capture, biometric matching, and liveness detection over a device camera. To be compliant, it has to deliver the same level of assurance as an in-person check, which is why liveness detection and document forensics are central to a remote proofing flow.
Why does the distinction between proofing and verification matter?
The distinction matters because regulators and standards bodies treat them as separate requirements. Designing an onboarding flow around verification alone can leave an assurance gap, since proofing adds the evidence-evaluation and ownership-confirmation steps that prove the verified credential actually belongs to the applicant.
