July 14, 2026

What Is Identity Proofing? Definition, Process, and Assurance Levels

What Is Identity Proofing? Definition, Process, and Assurance Levels

Identity proofing is the process of verifying that a person is who they claim to be before an organization grants them a credential, an account, or access. NIST SP 800-63A defines it as three steps: resolution, validation, and verification. The strength of those steps determines the identity assurance level (IAL), from self-assertion at IAL1 to supervised, biometric-backed proofing at IAL3.

Identity Proofing vs. Authentication

The two get confused constantly, including inside security teams. Identity proofing happens once, at the front door. It establishes who you are before an account or credential exists. Authentication happens every time after. It checks that the person returning is the same one who was proofed.

A password, a passkey, or MFA authenticates. None of them proof. If the proofing was weak, every authentication that follows protects a fraudulent identity.

The Three Steps NIST Defines

Resolution. Collect enough information to distinguish one specific person from everyone else: name, date of birth, document numbers.

Validation. Confirm the evidence is genuine and accurate. Is this passport real? Does this license match the issuing authority’s records?

Verification. Confirm the person presenting the evidence is its rightful owner. This is where photos, biometrics, and live checks come in.

Fraud enters wherever one step is weak. A stolen document presented by the wrong person passes validation and fails only at verification. A synthetic identity can pass a face check and fail only at resolution. Strong proofing has no weak step.

Identity Assurance Levels: IAL1, IAL2, IAL3

IAL1 accepts self-asserted identity. No proof required.

IAL2 requires evidence: typically a document check plus a selfie match, done remotely or in person. Most commercial verification products operate here.

IAL3 is the highest level. It requires biometric collection and either in-person proofing or a supervised remote session with a trained operator on controlled hardware. Federal PIV credentialing and other high-assurance workflows require it.

The Three Ways to Proof an Identity

Unsupervised remote. The person photographs a document and takes a selfie on their own phone. It scales cheaply, and it is the method generative AI is beating. Deepfakes now account for 1 in 5 biometric fraud attempts, according to the Entrust 2026 Identity Fraud Report, drawn from more than 1 billion verification events.

In-person. A trained agent examines the person and the evidence in the same room. It resists these attacks and has for a century. It does not scale.

Supervised remote. A trained operator supervises a live session at a controlled identity station. It is the only remote method NIST allows at IAL3. This is the model NextgenID patented as supervised remote identity proofing (SRIP).

Why Proofing Standards Are Rising

U.S. identity fraud cost $27.3 billion in 2025 and reached 18 million victims, according to the Javelin 2026 Identity Fraud Study. Generative AI is the accelerant: fraudulent documents, faces, and voices are now cheap to produce and hard for algorithms to catch alone.

The response is visible across government and regulated industry: assurance requirements are moving up, not down. Agencies that accepted remote self-service proofing are mandating supervised or in-person sessions for high-risk transactions. For a deeper look at what the standard requires, read our NIST 800-63 guide to remote identity proofing.

How to Choose the Right Level

Match assurance to consequence. If a wrong identity costs a password reset, IAL1 or IAL2 is proportionate. If it costs a federal credential, access to controlled systems, or a regulated transaction, the answer is IAL3 with supervision. See how NextgenID delivers IAL3 identity proofing across walk-in, on-site, and mobile stations.

Identity Proofing: Frequently Asked Questions

What is identity proofing in simple terms?

It is how an organization confirms a person is who they claim to be before granting an account, credential, or access. It happens once, at enrollment, and everything downstream depends on it.

What is the purpose of identity proofing?

To stop fraud at the front door. If a fraudulent identity passes proofing, every login, transaction, and access decision that follows protects the wrong person.

What are the three steps of identity proofing?

NIST SP 800-63A defines three: resolution (distinguishing one specific person), validation (confirming the evidence is genuine), and verification (confirming the person presenting the evidence owns it).

What is the difference between identity proofing and authentication?

Proofing establishes who you are, once, before a credential exists. Authentication checks that the returning user is the same person, every time after. Passwords and MFA authenticate. They do not proof.

What identity proofing level do federal agencies require?

High-assurance federal workflows such as PIV credentialing require IAL3, the highest level in NIST SP 800-63. IAL3 requires biometric collection and either in-person proofing or a supervised remote session.

See IAL3 proofing end to end. Request a demo.

Latest Insights

Press coverage highlighting NextgenID's role as a leader in identity verification and fraud prevention.