Identity Verification: Methods & Tech
Identity verification combines document checks, biometrics and digital ID to confirm a person's identity.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokIdentity verification is the process of confirming that a person is who they claim to be, typically by checking an official identity document, capturing biometric data, or using a certified digital identity. In Canada, this process is governed by FINTRAC client identification requirements, the Pan-Canadian Trust Framework (PCTF), and sector-specific guidance from OSFI and provincial regulators.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.
This article is provided for informational purposes and does not constitute legal advice. Consult a qualified legal professional for situation-specific guidance.
What Is Identity Verification
Identity verification establishes that a real person matches the identity they present. It differs from authentication, which confirms a returning user's access, and from identification, which searches for an unknown identity in a database.
Three evidence categories underpin verification: something you have (passport, driver's licence), something you are (facial biometrics, fingerprints), and something you know (PIN, security questions). The Pan-Canadian Trust Framework defines confidence levels based on how many evidence categories are combined and how rigorously each is checked.
FINTRAC's guidance on client identification provides detailed requirements on acceptable identity documents and verification procedures.
For organizations subject to the PCMLTFA, identity verification is not optional. The Act requires customer identification measures to be applied before establishing a business relationship.
Comparison of Verification Methods
| Method | Security Level | Cost per Check | Speed | Confidence Level |
|---|---|---|---|---|
| Document scan (OCR) | Medium | CAD 0.50 - 1.60 | < 10 s | Low to medium |
| Video interview (live operator) | Very high | CAD 4 - 9 | 5 - 10 min | Very high |
| NFC chip reading | High to very high | CAD 0.90 - 2.40 | < 30 s | High to very high |
| Facial biometrics + liveness | High | CAD 1 - 3.30 | < 15 s | High |
| Provincial digital ID | Very high | Integration cost | < 5 s | Very high |
| In-person verification | Very high | CAD 15 - 45 | 15 - 30 min | Very high |
CheckFile data from 120,000 rental applications shows that 8.3% of submitted payslips are falsified, representing an estimated annual rent default risk of EUR 2.8 million.
Document scanning alone reaches only low-to-medium confidence because it does not verify the physical presence of the document holder. Most compliant onboarding journeys pair OCR with facial biometrics or NFC chip reading.
NFC reading of the chip in Canadian biometric passports and permanent resident cards provides cryptographically signed data that is virtually impossible to forge.
Technology Stack
OCR and Document Data Extraction
Optical character recognition extracts text fields from identity documents: full name, date of birth, document number, expiry date, nationality. Modern engines achieve recognition rates above 99% on standard Canadian documents (passports, driver's licences, PR cards).
NFC Chip Verification
Biometric passports (ePassports) issued by IRCC contain an NFC chip conforming to ICAO Doc 9303. NFC reading extracts the holder's biographical data and high-resolution facial image. Data integrity is guaranteed by a digital signature from the issuing authority.
Facial Biometrics and Liveness Detection
Facial comparison matches a live capture against the document photo. Current matching algorithms achieve false match rates below 0.1% according to NIST FRVT benchmarks.
Liveness detection distinguishes a real person from a printed photo, screen replay, or deepfake video. Presentation Attack Detection (PAD) conforming to ISO 30107-3 is now a baseline requirement.
AI and Machine Learning
Machine learning models operate at multiple stages: document type classification, tamper detection, security feature analysis, and risk scoring.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotRegulatory Framework in Canada
Pan-Canadian Trust Framework (PCTF)
The PCTF, developed by the Digital Governance Council under the auspices of the Government of Canada, sets the rules for organizations providing digital identity services in Canada. It defines good practice guides for identity proofing, verification, authentication, and fraud management.
FINTRAC Client Identification
FINTRAC's methods of identification specify acceptable documents and procedures for verifying client identity under the PCMLTFA. Acceptable government-issued photo identification includes Canadian passport, provincial driver's licence, and permanent resident card.
Work Authorization Checks
The Immigration and Refugee Protection Act imposes obligations on employers to verify work authorization. IRCC's employer verification tools enable digital verification of work permit status.
PIPEDA and Biometric Data
PIPEDA and provincial privacy legislation govern the collection and use of biometric data. The OPC recommends Privacy Impact Assessments for any identity verification system that processes biometric data at scale. Express consent is required for biometric data collection.
Best Practices for Implementation
1. Layer at least two evidence categories. A document scan alone is insufficient for regulated use cases. Combining OCR with facial biometrics or NFC chip reading achieves high confidence and satisfies FINTRAC requirements.
2. Mandate liveness detection for all biometric captures. Without Presentation Attack Detection, a printed photograph or screen replay can bypass facial matching.
3. Offer provincial digital ID as a verification channel. As provincial digital identity programs mature, offering them as an option reduces friction and cost.
4. Minimize data retention. Store only verification outcomes (pass/fail, confidence level, timestamp, reference ID), not raw document images or biometric templates. PIPEDA requires retention to align with the specific purpose.
5. Provide an accessible fallback. Always offer an alternative path (video interview, postal verification, or in-person check) to comply with accessibility requirements.
6. Monitor fraud patterns continuously. Track rejection rates, false positive rates, and detected fraud attempts.
For a comprehensive overview, see our industry document verification guide.
FAQ
What is the difference between identity verification and authentication?
Identity verification establishes who a person is during initial onboarding. Authentication confirms a returning user's identity during subsequent access.
What does FINTRAC require for client identification?
FINTRAC requires reporting entities to verify client identity using government-issued photo identification, a credit file, or dual-process identification methods. Specific acceptable documents and procedures are detailed in FINTRAC Guidance on client identification.
How much does automated identity verification cost?
Costs range from CAD 0.50 to CAD 9 per check depending on the method. A standard OCR + facial biometrics flow typically costs CAD 2 to 3.30. Visit our pricing page for estimates.
Are biometric templates stored after verification?
They should not be. PIPEDA and OPC guidance require biometric data to be deleted once the verification purpose is fulfilled. Only the comparison result should be retained.
How can organizations defend against deepfake attacks?
Active liveness detection is the primary defence. NFC chip reading provides the strongest protection because cryptographically signed data cannot be fabricated. Organizations should also implement continuous fraud monitoring, subscribe to threat intelligence from the Canadian Anti-Fraud Centre, and regularly update their detection models to counter evolving generative AI capabilities. Multi-layered verification -- combining document analysis, biometric liveness, and database cross-referencing -- provides the most robust defence against sophisticated deepfake attacks.
What Canadian regulations govern the use of biometric data for identity verification?
The collection and use of biometric data in Canada is governed by PIPEDA at the federal level and by provincial privacy legislation in Alberta, British Columbia, and Quebec. The Office of the Privacy Commissioner of Canada considers biometric information to be sensitive personal information requiring express consent for collection. Organizations must conduct Privacy Impact Assessments for biometric verification systems, implement appropriate safeguards, and retain biometric data only for the minimum period necessary. Quebec's Law 25 imposes additional obligations for biometric databases, including mandatory disclosure to the Commission d'acces a l'information before implementation.
Identity verification sits at the intersection of regulatory compliance, fraud prevention, and customer experience. To evaluate how CheckFile.ai integrates with your verification workflow, request a demo or free pilot.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.