Identity fraud is no longer a back-office concern. With the EU’s AMLR (Anti-Money Laundering Regulation) entering its implementation phase and eIDAS 2.0 rolling out the European Digital Identity Wallet across Member States, the way organizations verify users has changed for good. At the same time, generative AI has lowered the cost of deepfakes and synthetic identities to near zero, putting traditional KYC controls under unprecedented strain.
In this environment, digital proof of identity is no longer optional — it is the foundation of trust for every remote interaction between a business and its customers. This guide explains what it is, how it works inside a KYC workflow, the regulations that govern it in 2026, and the best practices to deploy it without compromising user experience.
What is digital proof of identity?
Digital proof of identity is the process of confirming that a person is who they claim to be, using digital evidence verified by automated systems. It combines three layers of evidence:
- Something you have — a valid identity document (passport, national ID, driving licence), captured digitally and verified for authenticity.
- Something you are — biometric data, typically a selfie or short video that is matched against the photo on the document.
- Proof of presence — a liveness check confirming that the person in front of the camera is real, present, and not a recording, mask, or AI-generated artifact.
Unlike a scanned photocopy or a static PDF, digital proof of identity is machine-verifiable, auditable, and tamper-evident. Each step generates cryptographic and metadata signals (document MRZ, NFC chip reads, facial embeddings, device fingerprints) that together produce a high-confidence decision in seconds.
Why digital proof of identity is critical for KYC in 2026
Three forces are pushing digital identity from “nice to have” to “mandatory”:
Regulatory pressure has intensified
- eIDAS 2.0 (Regulation (EU) 2024/1183) requires every Member State to offer citizens an EU Digital Identity Wallet, recognised across the Union for both public and private services.
- The EU Anti-Money Laundering package (AMLR + AMLD6 + AMLA) standardises customer due diligence rules across the bloc and explicitly recognises remote, biometric-based onboarding as an acceptable method.
- The FATF Guidance on Digital ID sets the global baseline, while sectoral rules — EBA Guidelines on remote customer onboarding, PSD3, MiCA — extend it to banking, payments, and crypto-asset service providers.
Fraud is moving faster than legacy controls
Account-opening fraud, synthetic identity fraud, and AI-generated deepfakes are now the dominant attack vectors against remote onboarding. Static document checks and knowledge-based authentication (KBA) — once the industry standard — can be defeated by widely available tools. Modern biometric identity verification with passive liveness detection is one of the few defences proven to detect injection attacks and presentation attacks at scale.
Onboarding speed is a competitive moat
Customers expect to open a bank account, activate a SIM card, or board a flight in minutes — not days. Organisations that still require branch visits or manual document review lose conversion at every step. Digital proof of identity collapses onboarding from days to seconds, with completion rates above 90% when implemented with low-friction biometrics.
KYC, eKYC, and AML: how digital proof of identity fits
These terms are often confused. Clarifying them helps in deciding what to deploy:
| Concept | Scope | Where digital proof of identity applies |
|---|---|---|
| KYC (Know Your Customer) | Verifying a customer's identity at onboarding and on a risk-based basis thereafter | The core verification step |
| eKYC | KYC performed entirely through digital channels | The full workflow |
| AML (Anti-Money Laundering) | Broader compliance programme: KYC + transaction monitoring + reporting | The "K" in KYC, plus ongoing re-verification |
| KYB (Know Your Business) | Identity verification for legal entities and their beneficial owners | Verification of directors and ultimate beneficial owners (UBOs) |
In short: digital proof of identity is the evidence layer that powers KYC, eKYC, and the customer identification part of AML.
Methods of digital identity verification
Liveness detection
Liveness detection is what separates a real user from a photo, video replay, mask, or deepfake. Two approaches exist:
Active liveness — the user is asked to blink, smile, or move their head. Higher friction, lower completion rates, and increasingly bypassable by AI.
Passive liveness — the system analyses signals invisible to the user (texture, depth cues, screen reflections, micro-movements) without requiring any action. Lower friction, higher conversion, and harder to defeat.
For onboarding flows where every second matters, passive liveness is now the industry default.
Verifiable credentials and digital wallets
eIDAS 2.0 introduces a third path: instead of capturing documents and selfies, users present verifiable credentials from their EU Digital Identity Wallet (or equivalent national schemes). This shifts verification from “extract and check” to “verify a signed credential against a trusted issuer”. Identy’s ID Wallet and BioCode are built for this future, where reusable identity becomes the norm.
Database and watchlist screening
To complete KYC, identity data is screened against PEP (Politically Exposed Persons) lists, sanctions lists, and adverse media databases. This is a compliance check, not an identity check, but it is part of any compliant onboarding flow.
How to apply digital proof of identity in KYC: a 3-step framework
Most compliant onboarding flows follow the same three-step structure. What differs is the depth of each step.
1. Document capture and verification
The user submits images of their identity document — front, back, and where supported, an NFC chip read. The system:
- Extracts the data with OCR and parses the MRZ.
- Validates document authenticity against a template database.
- Checks expiry, issuing country, and document class against the acceptance policy.
- Where available, reads the NFC chip to obtain cryptographically signed data direct from the issuing authority.
2. Biometric capture and matching
The user records a short selfie or video. The system:
- Runs passive liveness detection to confirm a real, present person.
- Extracts a facial biometric template and matches it against the document photo using a 1:1 face comparison.
- Optionally captures a second biometric modality (fingerprint, palm) for higher-assurance use cases.
3. Risk assessment and decision
The system aggregates all signals — document score, biometric match score, liveness score, device and behavioural signals, PEP/sanctions screening — and produces a single decision:
- Approved: the customer continues.
- Rejected: the case is closed or returned for retry.
- Manual review: a compliance analyst inspects the case before deciding.
This step is where machine learning matters most. A well-tuned decision engine catches synthetic identities and injection attacks that would pass each individual check in isolation.
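The three-outcome decision described above, as an added sketch (not code from this page or from any vendor's product). The signal names, the 0..1 score scale and both thresholds are assumptions chosen for illustration; it shows how a joint rule sends a case to review even though every individual check passed.

```python
from dataclasses import dataclass

# Illustrative assumptions; real thresholds are tuned on labelled outcomes.
PER_CHECK_PASS = 0.70  # each score must clear this on its own
JOINT_PASS = 0.85      # mean of the three scores required for auto-approval

@dataclass
class Signals:
    document_score: float    # document authenticity, 0..1
    face_match_score: float  # 1:1 selfie-to-document comparison, 0..1
    liveness_score: float    # passive liveness, 0..1
    device_trusted: bool     # device and behavioural checks raised nothing
    screening_hit: bool      # PEP or sanctions list match

def decide(s):
    """Return (decision, reasons) for one onboarding attempt."""
    scores = {
        "document": s.document_score,
        "face_match": s.face_match_score,
        "liveness": s.liveness_score,
    }
    for name, value in scores.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} score out of range: {value}")
    # Hard gate: any single check below its own threshold ends the attempt.
    failed = [n for n, v in scores.items() if v < PER_CHECK_PASS]
    if failed:
        return "rejected", [f"{n} below per-check threshold" for n in failed]
    reasons = []
    if s.screening_hit:
        reasons.append("PEP/sanctions match needs analyst review")
    if not s.device_trusted:
        reasons.append("device or behavioural signal flagged")
    # Joint rule: three marginal passes are weaker evidence than they look.
    if sum(scores.values()) / len(scores) < JOINT_PASS:
        reasons.append("all checks passed alone but combined evidence is weak")
    return ("manual_review", reasons) if reasons else ("approved", [])
```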
A robust digital proof of identity stack rarely relies on a single method. The most reliable systems combine several, scaled to the risk of the use case.
Document verification
The document is the anchor of the identity claim. Modern ID verification software checks the document on multiple dimensions:
- OCR and MRZ parsing to extract and cross-validate the data fields.
- Security feature checks — holograms, microprint, UV elements, ghost photos.
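- NFC chip reading for ePassports and biometric ID cards, which provides cryptographically signed data straight from the issuing authority. This is the gold standard, as the signed data cannot be forged, provided the signature is actually verified against the issuing authority's certificate.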
- Template matching against a global library of document specimens to detect counterfeits.
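The MRZ parsing and cross-validation named in this list and in step 1 of the framework, as an added example (not code from this page or from any vendor): a check-digit validator for the two-line passport MRZ (TD3) defined in ICAO Doc 9303, run on that document's published specimen and on a constructed edited copy. Check digits are unkeyed, so they catch OCR misreads and careless edits; they do not prove authenticity.

```python
WEIGHTS = (7, 3, 1)  # ICAO 9303 repeating weights

def char_value(c):
    # Digits keep their value, A..Z map to 10..35, the filler '<' is 0.
    if "0" <= c <= "9":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"illegal MRZ character: {c!r}")

def check_digit(field):
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)

def validate_td3(line1, line2):
    """Return (fields, failed_checks) for a 2 x 44 character passport MRZ."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ must be two lines of 44 characters")
    surname, _, given = line1[5:].partition("<<")
    fields = {
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": line2[0:9].rstrip("<"),
        "birth_date": line2[13:19],   # YYMMDD
        "expiry_date": line2[21:27],  # YYMMDD
    }
    checks = {
        "document_number": (line2[0:9], line2[9]),
        "birth_date": (line2[13:19], line2[19]),
        "expiry_date": (line2[21:27], line2[27]),
        "optional_data": (line2[28:42], line2[42]),
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    failures = []
    for name, (data, digit) in checks.items():
        # An unused optional field may carry '<' in place of its check digit.
        if name == "optional_data" and digit == "<" and set(data) == {"<"}:
            continue
        if check_digit(data) != digit:
            failures.append(name)
    return fields, failures

# ICAO Doc 9303 specimen MRZ (fictional holder, specimen state code UTO).
LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed: birth year changed from 74 to 84, check digits left untouched.
EDITED = LINE2[:13] + "84" + LINE2[15:]
```

The parsed fields are what gets cross-validated against the OCR of the printed zone and, where a chip is read, against the signed chip data.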
Biometric verification
Once the document is validated, the system must confirm that the person presenting it is its rightful holder. This is done by matching the user’s biometric sample against the document photo. Identy’s multimodal approach supports facial recognition, fingerprint, and palm biometrics, giving deployments the flexibility to match the modality to the channel and risk level.
Common fraud vectors in 2026 — and how digital proof of identity counters them
| Threat | What it looks like | Primary defence |
|---|---|---|
| Deepfakes | AI-generated faces or videos used during selfie capture | Passive liveness + injection-attack detection |
| Synthetic identity fraud | Fabricated identities combining real and fake data | Document authenticity + database cross-checks |
| Presentation attacks | Printed photos, masks, screen replays | Multi-spectral liveness, depth analysis |
| Injection attacks | Bypassing the camera with a virtual feed | Device integrity checks, SDK-level protection |
| Account takeover | Reusing a real identity after credential theft | Step-up biometric re-authentication |
We explore the deepfake threat in depth in our analysis of AI as both cause and response to digital identity theft fraud.
Industry use cases
- Banking and fintech — Remote account opening, credit applications, step-up authentication for high-value transfers. See biometric solutions for banking.
- Telecom — SIM registration and number-porting fraud prevention, increasingly mandated by national regulators.
- Government — eGovernment portals, social benefits, digital driving licences, voter registration. See biometric software for governments.
- Travel and hospitality — Seamless boarding, hotel check-in, age verification.
- Healthcare — Patient identification and access to digital health records.
Best practices for implementation
- Choose passive liveness over active wherever risk allows. The conversion gain is real and measurable.
- Use multimodal biometrics for high-risk transactions. Combining face with fingerprint or palm raises assurance without proportional friction.
- Design for privacy by default. Apply data minimisation, encryption at rest and in transit, and clear retention policies aligned with GDPR.
- Treat KYC as continuous, not one-off. Re-verify on risk triggers — large transactions, device change, behavioural anomalies — using lightweight biometric step-up.
- Plan for eIDAS 2.0 wallets now. Even if your customer base does not use them yet, designing your stack to accept verifiable credentials future-proofs your onboarding.
- Monitor model performance. Biometric and document models degrade as fraud techniques evolve. Quarterly performance reviews are now standard practice.
Frequently asked questions
Is digital proof of identity legally valid?
Yes. Under eIDAS 2.0 in the EU, FATF guidance globally, and equivalent frameworks in most jurisdictions, properly implemented digital identity verification has the same legal standing as in-person verification for KYC purposes.
What is the difference between KYC and eKYC?
KYC is the regulatory obligation to know your customer. eKYC is KYC performed through digital channels — the same outcome, achieved remotely with digital proof of identity instead of paper documents and branch visits.
How does liveness detection prevent deepfakes?
Modern passive liveness detection analyses signals that AI-generated content cannot reliably reproduce: skin texture under different lighting, micro-movements, depth, screen reflections, and device-level signals. Combined with injection-attack detection, it forms the main defence against deepfake-driven fraud.
How long does digital identity verification take?
A typical end-to-end flow — document capture, biometric capture, liveness, decision — takes between 30 seconds and two minutes for the user. The automated decision itself is usually returned in under five seconds.
Is digital proof of identity GDPR-compliant?
It can be, when implemented with privacy by design: explicit consent, data minimisation, purpose limitation, secure storage, and clearly defined retention periods. Biometric data is “special category” data under GDPR and requires a valid legal basis (typically explicit consent or substantial public interest).
What is the EU Digital Identity Wallet and how does it affect KYC?
The EU Digital Identity Wallet, mandated by eIDAS 2.0, lets citizens store and present verified credentials (ID, driving licence, diplomas) from a mobile app. For KYC, it means organisations can accept signed credentials directly, often skipping document capture and biometric matching entirely for low and medium-risk use cases.
Can digital proof of identity work offline or in low-connectivity environments?
Yes. SDK-based solutions like Identy’s run the capture and quality checks on-device, sending only encrypted templates and results to the server. This makes them suitable for field agents, rural enrolment, and emerging markets where connectivity is intermittent.
The future of digital identity is reusable, biometric, and continuous
The direction of travel is clear. Identity verification is moving from a one-off, document-heavy event to a continuous, credential-based, biometric process anchored in digital wallets. Organisations that invest now in modular, standards-based stacks will absorb the eIDAS 2.0 transition without rebuilding their onboarding flows.
For CMOs and digital transformation leaders, the message is straightforward: digital proof of identity is not just a compliance line item. Done well, it lowers fraud losses, raises onboarding conversion, and builds the trust that turns prospects into long-term customers.
- FATF – Guidance on Digital ID
- European Union – eIDAS Regulation (EU 910/2014)
- European Banking Authority – Guidelines on remote customer onboarding


