Identity Verification: Methods & Tech
Identity verification combines document checks, biometrics and digital identity to confirm a person's identity.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokIdentity verification is the process of confirming that a person is who they claim to be, typically by checking an official identity document, capturing biometric data, or using a certified digital identity. In Australia, this process is governed by the Trusted Digital Identity Framework (TDIF), the AML/CTF Act 2006, and sector-specific guidance from AUSTRAC, APRA, and ASIC. Across 2,400 verification checks analysed on our platform between Q1 and Q4 2025, organisations that combined at least two verification methods reduced false acceptance rates by 74% compared to single-method approaches.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.
What is identity verification
Identity verification establishes that a real person matches the identity they present. It differs from authentication, which confirms a returning user's access, and from identification, which searches for an unknown identity in a database.
Three evidence categories underpin verification: something you have (passport, driver licence), something you are (facial biometrics, fingerprints), and something you know (PIN, security questions). The TDIF defines identity proofing levels based on how many of these evidence categories are combined and how rigorously each is checked.
The AML/CTF Act 2006 requires reporting entities to carry out customer identification procedures before providing designated services. AUSTRAC's customer identification guidance provides detailed recommendations on acceptable identity documents and verification procedures.
For organisations subject to the AML/CTF Act, identity verification is not optional. Customer identification procedures must be carried out before establishing a business relationship or carrying out designated services.
Comparison of verification methods
Each method trades off security, cost, speed, and regulatory acceptance differently. The table below compares the six primary approaches used in the Australian market.
CheckFile data from 120,000 rental applications shows that 8.3% of submitted payslips are falsified, representing an estimated annual rent default risk of EUR 2.8 million.
| Method | Security level | Cost per check | Speed | TDIF confidence |
|---|---|---|---|---|
| Document scan (OCR) | Medium | AUD 0.60 - 1.80 | < 10 s | Low to medium |
| Video interview (live operator) | Very high | AUD 4.50 - 10.50 | 5 - 10 min | Very high |
| NFC chip reading | High to very high | AUD 1.00 - 2.70 | < 30 s | High to very high |
| Facial biometrics + liveness | High | AUD 1.20 - 3.75 | < 15 s | High |
| myGovID / Digital Identity | Very high | Free (integration cost) | < 5 s | Very high |
| In-person verification | Very high | AUD 18 - 52 | 15 - 30 min | Very high |
Document scanning alone reaches only low-to-medium confidence because it does not verify the physical presence of the document holder. Most compliant onboarding journeys pair OCR with facial biometrics or NFC chip reading.
NFC reading of the chip in Australian biometric passports provides cryptographically signed data that is virtually impossible to forge. The chip contains the holder's facial image, biographical data, and a digital signature that can be validated against the issuing authority's public key infrastructure.
myGovID, the government's digital identity app, has been expanding and now covers government services access. It provides the highest confidence level at zero marginal cost per verification but requires integration with the government API.
Technology stack
OCR and document data extraction
Optical character recognition extracts text fields from identity documents: full name, date of birth, document number, expiry date, nationality. Modern engines achieve recognition rates above 99% on standard Australian documents (passports, driver licences).
OCR is always paired with Machine Readable Zone (MRZ) validation for passports. The MRZ contains check digits that detect manual tampering. Advanced systems also verify the Visual Inspection Zone (VIZ) against the MRZ to catch discrepancies.
NFC chip verification
Biometric passports (ePassports) contain an RFID/NFC chip conforming to ICAO Doc 9303. NFC reading extracts the holder's biographical data, high-resolution facial image, and, in some documents, fingerprints. Data integrity is guaranteed by a digital signature from the issuing state.
Facial biometrics and liveness detection
Facial comparison matches a live capture (video selfie) against the document photo or the photo extracted from the NFC chip. Current matching algorithms achieve false match rates below 0.1% according to NIST FRVT benchmarks.
Liveness detection distinguishes a real person from a printed photo, a screen replay, or a deepfake video. Presentation Attack Detection (PAD) conforming to ISO 30107-3 is now a baseline requirement. The OAIC's guidance on biometric data processing requires that liveness detection be proportionate to the risk and that users be clearly informed about the processing.
AI and machine learning
Machine learning models operate at multiple stages: document type classification, tamper detection (photo substitution, date alteration, font inconsistencies), hologram and security feature analysis, and overall risk scoring.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotRegulatory framework in Australia
Trusted Digital Identity Framework (TDIF)
The TDIF, published by the Digital Transformation Agency, sets the rules for organisations providing digital identity services in Australia. The Identity Verification Services Act 2023 provides the legislative backing. Accredited identity service providers must meet TDIF requirements for identity proofing, verification, authentication, and fraud management.
Document Verification Service (DVS)
The DVS enables real-time verification of Australian identity documents against the records of the issuing agency. It covers passports, driver licences, Medicare cards, birth certificates, citizenship certificates, and visa documents. The DVS is available to both government and accredited private sector organisations.
AML/CTF Act 2006
The AML/CTF Act requires reporting entities to verify customer identity using reliable and independent documentation or electronic verification. AUSTRAC's guidance lists acceptable documentary evidence (passport, driver licence, government-issued identity document) and electronic verification methods.
AUSTRAC's supervisory approach emphasises outcomes: firms must demonstrate that their verification processes effectively mitigate the money laundering risks they face. AUSTRAC civil penalties for AML/CTF failures can reach AUD 22.2 million per contravention.
OAIC and biometric data
The Privacy Act 1988 classifies biometric information used for the purpose of automated biometric verification or identification as sensitive information under section 6. Collection requires consent or another lawful basis. The OAIC recommends Privacy Impact Assessments for any identity verification system that processes biometric data at scale.
Best practices for implementation
1. Layer at least two evidence categories. A document scan alone is insufficient for regulated use cases. Combining OCR with facial biometrics or NFC chip reading achieves high TDIF confidence and satisfies AUSTRAC requirements.
2. Mandate liveness detection for all biometric captures. Without Presentation Attack Detection, a printed photograph or screen replay can bypass facial matching. Use ISO 30107-3 certified PAD for high-risk onboarding flows.
3. Use the DVS for document verification. The Document Verification Service provides real-time verification of Australian identity documents against issuing agency records -- the most authoritative source of truth.
4. Offer myGovID as a verification channel. The government digital identity service provides the highest confidence level. As adoption grows, offering it as an option reduces friction and cost.
5. Minimise data retention. Store only verification outcomes (pass/fail, confidence level, timestamp, reference ID), not raw document images or biometric templates. The OAIC expects retention periods to align with the specific lawful basis and purpose of processing.
6. Provide an accessible fallback. NFC reading fails when users lack a compatible smartphone or when a chip is damaged. Always offer an alternative path (video interview, postal verification, or in-person check) to comply with the Disability Discrimination Act 1992 and avoid excluding users.
7. Monitor fraud patterns continuously. Track rejection rates, false positive rates, and detected fraud attempts. Our platform generates real-time dashboards accessible from the security section.
For a comprehensive overview, see our industry document verification guide.
FAQ
What is the difference between identity verification and authentication
Identity verification establishes who a person is during initial onboarding, typically using an official identity document. Authentication confirms a returning user's identity during subsequent access, usually through passwords, one-time codes, or registered biometrics.
Is TDIF accreditation mandatory in Australia
TDIF accreditation is required for organisations providing digital identity services that integrate with the Australian Government's digital identity system. For other use cases, it is voluntary but provides a recognised quality benchmark. AUSTRAC references TDIF standards as meeting their verification expectations.
How much does automated identity verification cost
Costs range from AUD 0.60 to AUD 10.50 per check depending on the method. A standard OCR + facial biometrics flow typically costs AUD 2.25 to AUD 3.75. Volume discounts apply. Visit our pricing page for estimates tailored to your use case.
Are biometric templates stored after verification
They should not be. Privacy Act requirements and OAIC guidance require biometric data to be deleted once the verification purpose is fulfilled. Only the comparison result (match score, confidence level, pass/fail) should be retained, along with an audit trail for regulatory purposes.
How can organisations defend against deepfake attacks
Active liveness detection is the primary defence. NFC chip reading provides the strongest protection because cryptographically signed data cannot be fabricated. Continuous monitoring of fraud patterns and regular updates to detection models are essential as generative AI capabilities evolve.
Identity verification sits at the intersection of regulatory compliance, fraud prevention, and customer experience. Whether you are implementing KYC onboarding, financing and leasing workflows, or building a verification programme aligned with our industry verification guide, selecting the right combination of methods determines both your conversion rate and your risk exposure. To evaluate how CheckFile.ai integrates with your verification workflow, request a demo or free pilot.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.