Identity Verification: Methods, Technologies and Best Practices
Identity verification combines document checks, biometrics and eID to confirm a person's identity. Compare methods, understand DIATF requirements and implement best practices in the UK.

Identity verification is the process of confirming that a person is who they claim to be, typically by checking an official identity document, capturing biometric data or using a certified digital identity. In the United Kingdom, this process is governed by the Digital Identity and Attributes Trust Framework (DIATF), the Money Laundering Regulations 2017 and sector-specific guidance from the FCA and JMLSG. Across 2,400 verification checks analysed on our platform between Q1 and Q4 2025, organisations that combined at least two verification methods reduced false acceptance rates by 74 % compared to single-method approaches.
What is identity verification
Identity verification establishes that a real person matches the identity they present. It differs from authentication, which confirms a returning user's access, and from identification, which searches for an unknown identity in a database.
Three evidence categories underpin verification: something you have (passport, driving licence), something you are (facial biometrics, fingerprints) and something you know (PIN, security questions). The UK DIATF defines four levels of confidence -- low, medium, high and very high -- based on how many of these evidence categories are combined and how rigorously each is checked.
The FCA's Financial Crime Guide requires regulated firms to apply a risk-based approach to customer identification. The Joint Money Laundering Steering Group (JMLSG guidance, Part I) provides detailed recommendations on acceptable identity documents and verification procedures for the financial sector.
For organisations subject to the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, identity verification is not optional. Regulation 28 requires customer due diligence measures to be applied before establishing a business relationship or carrying out an occasional transaction above GBP 15,000.
Comparison of verification methods
Each method trades off security, cost, speed and regulatory acceptance differently. The table below compares the six primary approaches used in the UK market.
| Method | Security level | Cost per check | Speed | DIATF confidence |
|---|---|---|---|---|
| Document scan (OCR) | Medium | GBP 0.40 - 1.20 | < 10 s | Low to medium |
| Video interview (live operator) | Very high | GBP 3 - 7 | 5 - 10 min | Very high |
| NFC chip reading | High to very high | GBP 0.70 - 1.80 | < 30 s | High to very high |
| Facial biometrics + liveness | High | GBP 0.80 - 2.50 | < 15 s | High |
| GOV.UK One Login / eID | Very high | Free (integration cost) | < 5 s | Very high |
| In-person verification | Very high | GBP 12 - 35 | 15 - 30 min | Very high |
Document scanning alone reaches only low-to-medium DIATF confidence because it does not verify the physical presence of the document holder. Most compliant onboarding journeys pair OCR with facial biometrics or NFC chip reading.
NFC reading of the chip in UK biometric passports and biometric residence permits provides cryptographically signed data that is virtually impossible to forge. The chip contains the holder's facial image, biographical data and a digital signature from HMSO, which can be validated against the issuing authority's public key infrastructure.
GOV.UK One Login, the government's digital identity service, has been expanding since 2023 and now covers Right to Work, Right to Rent and DBS checks. It provides the highest confidence level at zero marginal cost per verification but requires integration with the government API.
Technology stack
OCR and document data extraction
Optical character recognition extracts text fields from identity documents: full name, date of birth, document number, expiry date, nationality. Modern engines achieve recognition rates above 99 % on standard UK documents (passports, driving licences, BRP cards).
OCR is always paired with Machine Readable Zone (MRZ) validation. The MRZ contains check digits that detect manual tampering. Advanced systems also verify the Visual Inspection Zone (VIZ) against the MRZ to catch discrepancies between the human-readable text and the encoded data.
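The check-digit step described above, as an added example (not code from this page or from any vendor): it computes the ICAO Doc 9303 check digits for line 2 of a TD3 passport MRZ and reports which fields fail. The input is the ICAO specimen MRZ plus a copy with a constructed edit to the expiry date; the function and field names are illustrative.

```python
# Added example: ICAO Doc 9303 check digits for line 2 of a TD3 (passport) MRZ.
WEIGHTS = (7, 3, 1)  # repeating weights defined by Doc 9303

def char_value(ch):
    """Map an MRZ character to its value: 0-9 as is, A-Z to 10-35, '<' to 0."""
    if ch in "0123456789":
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character not allowed in an MRZ: {ch!r}")

def check_digit(field):
    """Weighted sum of the field's character values, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

# (field name, data slice, index of its check digit), 0-based, TD3 line 2
FIELDS = (
    ("document_number", slice(0, 9), 9),
    ("date_of_birth", slice(13, 19), 19),
    ("date_of_expiry", slice(21, 27), 27),
    ("personal_number", slice(28, 42), 42),
)

def failed_checks(line2):
    """Return the names of the fields whose check digit does not match."""
    if len(line2) != 44:
        raise ValueError("TD3 MRZ line 2 must be exactly 44 characters")
    failed = []
    for name, span, pos in FIELDS:
        expected = line2[pos]
        # An unused optional personal number may carry '<' instead of '0'.
        if name == "personal_number" and expected == "<":
            expected = "0"
        if str(check_digit(line2[span])) != expected:
            failed.append(name)
    # The composite digit covers the fields above together with their check digits.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if str(check_digit(composite)) != line2[43]:
        failed.append("composite")
    return failed

# ICAO Doc 9303 specimen (fictional state "UTO"), line 2 only.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed edit: first digit of the expiry date changed from 1 to 3.
TAMPERED = SPECIMEN[:21] + "3" + SPECIMEN[22:]

if __name__ == "__main__":
    print(failed_checks(SPECIMEN))   # no failures
    print(failed_checks(TAMPERED))   # expiry and composite fail
```

Check digits prove only that each field agrees with its own digit, not that the document is genuine, so the VIZ comparison and chip verification still apply.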
NFC chip verification
Biometric passports (ePassports) issued since 2006 contain an RFID/NFC chip conforming to ICAO Doc 9303. NFC reading extracts the holder's biographical data, high-resolution facial image and, in some documents, fingerprints. Data integrity is guaranteed by a digital signature from the issuing state.
The chip implements three security protocols: Basic Access Control (BAC) or Password Authenticated Connection Establishment (PACE) for access control, Passive Authentication (PA) to verify data integrity and Active Authentication (AA) or Chip Authentication (CA) to confirm the chip is genuine and not cloned.
Facial biometrics and liveness detection
Facial comparison matches a live capture (video selfie) against the document photo or the photo extracted from the NFC chip. Current matching algorithms achieve false match rates below 0.1 % according to NIST FRVT benchmarks.
Liveness detection distinguishes a real person from a printed photo, a screen replay or a deepfake video. Two approaches exist: passive detection, which analyses image textures and compression artefacts without user interaction, and active detection, which prompts the user to perform a gesture (head turn, blink, smile).
Presentation Attack Detection (PAD) conforming to ISO 30107-3 is now a baseline requirement. The ICO's guidance on biometric data processing requires that liveness detection be proportionate to the risk and that users be clearly informed about the processing.
AI and machine learning
Machine learning models operate at multiple stages: document type classification, tamper detection (photo substitution, date alteration, font inconsistencies), hologram and security feature analysis, and overall risk scoring. Convolutional neural networks (CNNs) trained on millions of document specimens detect subtle anomalies including incorrect typefaces, missing watermarks and altered microtext.
Regulatory framework in the UK
Digital Identity and Attributes Trust Framework (DIATF)
The DIATF, published by the Department for Science, Innovation and Technology, sets the rules for organisations providing digital identity services in the UK. Version beta 3, published in February 2024, defines Good Practice Guides (GPGs) for identity proofing, verification, authentication and fraud management.
Organisations certified against the DIATF can offer their services as Identity Service Providers (IDSPs). As of January 2026, over 50 organisations hold DIATF certification. Certification is managed by the Office for Digital Identities and Attributes (OfDIA).
Right to Work and Right to Rent checks
The Immigration, Asylum and Nationality Act 2006 imposes civil penalties of up to GBP 60,000 per illegal worker on employers who fail to conduct prescribed Right to Work checks. Since April 2022, employers can use DIATF-certified IDSPs to verify British and Irish citizens' identity documents digitally, as an alternative to manual document inspection.
Money Laundering Regulations
The MLR 2017 (as amended in 2022) require regulated firms to verify customer identity using reliable and independent sources. The JMLSG guidance lists acceptable documentary evidence (passport, driving licence, government-issued identity card) and electronic verification methods (credit reference agency data, database checks).
The FCA's supervisory approach emphasises outcomes: firms must demonstrate that their verification processes effectively mitigate the money laundering risks they face. The FCA fined firms a combined GBP 176 million for AML failings in 2024 alone.
ICO and biometric data
The UK GDPR, Article 9 classifies biometric data processed for identification purposes as special category data. Processing requires explicit consent or another Article 9 condition. The ICO recommends Data Protection Impact Assessments (DPIAs) for any identity verification system that processes biometric data at scale.
Best practices for implementation
1. Layer at least two evidence categories. A document scan alone is insufficient for regulated use cases. Combining OCR with facial biometrics or NFC chip reading achieves DIATF high confidence and satisfies JMLSG requirements.
2. Mandate liveness detection for all biometric captures. Without Presentation Attack Detection, a printed photograph or screen replay can bypass facial matching. Use ISO 30107-3 certified PAD for high-risk onboarding flows.
3. Use DIATF-certified providers for regulated checks. For Right to Work, Right to Rent and DBS checks, only DIATF-certified IDSPs can perform digital identity verification. Check the government register of certified providers.
4. Offer GOV.UK One Login as a verification channel. The government service provides the highest confidence level. As adoption grows, offering it as an option reduces friction and cost for users who already have a verified account.
5. Minimise data retention. Store only verification outcomes (pass/fail, confidence level, timestamp, reference ID), not raw document images or biometric templates. The ICO expects retention periods to align with the specific lawful basis and purpose of processing.
6. Provide an accessible fallback. NFC reading fails when users lack a compatible smartphone or when a chip is damaged. Always offer an alternative path (video interview, postal verification or in-person check) to comply with the Equality Act 2010 and avoid excluding users.
7. Monitor fraud patterns continuously. Track rejection rates, false positive rates and detected fraud attempts. Our platform generates real-time dashboards accessible from the security section, enabling rapid response to emerging attack vectors.
FAQ
What is the difference between identity verification and authentication?
Identity verification establishes who a person is during initial onboarding, typically using an official identity document. Authentication confirms a returning user's identity during subsequent access, usually through passwords, one-time codes or registered biometrics.
Is DIATF certification mandatory in the UK?
DIATF certification is mandatory for organisations providing digital identity verification for Right to Work, Right to Rent and DBS checks since April 2022. For other use cases, it is voluntary but provides a recognised quality benchmark. The FCA and JMLSG reference DIATF-certified providers as meeting their verification standards.
How much does automated identity verification cost?
Costs range from GBP 0.40 to GBP 7 per check depending on the method. A standard OCR + facial biometrics flow typically costs GBP 1.50 to GBP 2.50. Volume discounts apply. Visit our pricing page for estimates tailored to your use case.
Are biometric templates stored after verification?
They should not be. UK GDPR and ICO guidance require biometric data to be deleted once the verification purpose is fulfilled. Only the comparison result (match score, confidence level, pass/fail) should be retained, along with an audit trail for regulatory purposes.
How can organisations defend against deepfake attacks?
Active liveness detection is the primary defence, requiring real-time user interaction that static deepfakes cannot replicate. NFC chip reading provides the strongest protection because cryptographically signed data cannot be fabricated. Continuous monitoring of fraud patterns and regular updates to detection models are essential as generative AI capabilities evolve.
Identity verification sits at the intersection of regulatory compliance, fraud prevention and customer experience. Whether you are implementing KYC onboarding, financing and leasing workflows or building a verification programme aligned with our industry verification guide, selecting the right combination of methods and technologies determines both your conversion rate and your risk exposure. To evaluate how CheckFile.ai integrates with your verification workflow, request a demo or free pilot.