Read “The Global State of Fraud and Returns” report
A bad account can look harmless when it’s created. A trusted account can look normal right up until it isn’t. That’s what makes identity proofing vs. identity verification so important in ecommerce: One helps you decide whether to trust a new identity in the first place, while the other helps you spot when an established account is no longer behaving like the customer behind it.
If you treat them like the same thing, you can miss fraud at sign-up, overlook account takeovers (ATOs) later and spend time fixing issues that started much earlier. To close those gaps, you need to understand how proofing and verification work, what it can cost when they fail and where identity gaps tend to surface across the customer journey.
TL;DR
|
Identity proofing vs. identity verification at a glance
Identity proofing and identity verification address different parts of the same trust problem.
| Identity proofing | Identity verification | |
| Core question | Is this customer’s identity real? | Is it the real customer accessing the account or attempting the transaction? |
| Most relevant fraud risk | Malicious account creation | Existing-account misuse and ATO |
| Goal | Stop fake or risky identities from entering the ecosystem | Stop unauthorized use of an existing account |
What is identity proofing in ecommerce?
Identity proofing is how merchants determine whether the identity behind a new account is real. It asks two questions at once: Is this claimed identity credible? Do the signals around this session back that up?
How identity proofing works
In ecommerce, identity proofing usually does not rely on formal document checks the way a bank or government service might. Instead, merchants tend to evaluate a mix of identity, device and behavioral signals to decide whether a new account appears to belong to a legitimate shopper or to a fraudster using fake, stolen or manipulated information.
Those signals can include details like:
- New email addresses with no sign of normal use
- Phone numbers that appear inactive or fake, like +1-555-555-5555
- Inconsistent name, address and email
- IP or location data that conflicts with the rest of the submitted identity (i.e. the shopper says their address is in New York but their IP address geolocation is Spain)
- Devices or browsers linked to repeated sign-up attempts
While that front-door decision matters, a believable identity at sign-up doesn’t guarantee that the right person will be using the account later.
What is identity verification in ecommerce?
Identity verification is the process of confirming that the one interacting with an account or transaction is the legitimate customer or, in cases involving agentic commerce, an authorized agent acting on the customer’s behalf. In ecommerce, identity verification is ongoing and comes into play at login, during checkout and whenever a shopper tries to take a higher-risk account action, like changing a password, updating a shipping address or adding a new payment method.
How identity verification works
Identity verification works by evaluating the signals tied to a login or account action against what is already known about the shopper.
Relevant signals can include:
- A device or browser the account has used before
- A login location that fits the account’s normal geography
- Behavioral signals during a session, i.e. how fast the user types or how quickly they move around the website or app
- Failed login attempts
- Unusual account activity, like an attempt to change a shipping address or a dormant account becoming active and placing a high-value order
- Loyalty points or store credit being redeemed on an account that has never used either
Context matters here. A new device or a faster-than-normal session is not automatically suspicious on its own. People replace phones. And they’re also handing off more shopping tasks to AI agents, which move through sessions much faster and leave behind fewer traditional behavioral signals than humans. The key question is whether the activity still fits the account’s normal pattern. When it doesn’t, especially during higher-risk actions like changing payment details or redeeming stored value, that can signal the actor behind the session isn’t the rightful account holder.
Key differences between identity proofing vs. identity verification
Identity proofing lives primarily at account creation, when the relationship begins and when you have the most leverage over whether or not a bad actor gets a foothold in your system.
Identity verification takes place at every login, checkout and account change. The risk context of those moments determines how much friction is appropriate. A returning customer on a trusted device should sail through. The same account acting out of pattern should get a second look.
The two also address different fraud risks:
- Identity proofing helps stop fraud that starts before a customer relationship really exists, like fake accounts opened with stolen personally identifiable information (PII), synthetic identities built from real and fabricated data or bot-driven sign-ups designed to abuse promotions.
- Identity verification protects against fraud that targets existing customer trust, like ATOs, credential stuffing and unauthorized access to stored payment methods or loyalty balances.
The cost of getting identity wrong
When merchants have a gap in proofing, verification or both, the cost can add up quickly. In fact, a study by Docusign and Entrust found that businesses around the world lose an average of around $7 million each to identity fraud every year when direct costs (i.e. chargebacks and refunds) are combined with indirect costs (i.e. reputational damage and employee resources).
The same is true at the merchant level. For example, if 25 compromised or fraudulent accounts each place a $120 order, that’s $3,000 in direct exposure right away. If just 10 of those accounts also redeem $30 in loyalty value, the total rises to $3,300. And the true cost is usually higher. If those 25 orders turn into chargebacks and your payment provider charges a $15 dispute fee, that adds another $375, bringing the total to $3,675 before you factor in shipping losses, employee investigation time or any processing fees you may not recover on refunded orders.
How to tell if your fraud strategy has an identity gap
Identity gaps are easy to miss because they often surface as something else first. Weak proofing may show up as fake accounts, promo abuse or chargebacks. Poor verification may show up as ATOs, loyalty fraud or misuse of stored payment methods.
The questions below are meant to help you spot where trust may be breaking down across the customer journey.
At account creation:
- Can you tell if the email address used when the account was opened is established and legitimate or if it was recently created?
- If the same device creates five accounts in a week across different email addresses, would that pattern surface in your stack?
- During a promotion, can you distinguish between a true first-time customer and someone creating a new account to reuse a first-order offer?
At login and sensitive account events:
- If a dormant account suddenly became active, redeemed stored value and updated its shipping address in the same session, would that sequence stand out anywhere in your current setup?
- Do password resets get any added risk evaluation, or are they treated the same as routine self-service activity?
- When a customer adds a new payment method to an existing account, do you evaluate that event on its own, or only if an order comes later?
- Can you tell when a session no longer fits the account’s normal pattern, even if the login itself succeeds on the first try?
Across the journey:
- How much visibility do you have into accounts that never place an order but stay active in your system?
- Can you connect a chargeback or return dispute back to signals that were present when that account was created?
- If an order is approved at checkout, do you also know whether the account behind it was brand new, lightly trusted or missing important context?
- When you review fraud losses, can you tell how many originated from suspicious account creation or suspicious account activity before the transaction itself?
How to start closing the identity gap
If you’ve found that you do have an identity gap, you don’t need to overhaul everything at once. In most cases, closing it starts with better visibility at sign-up, more context around higher-risk account actions and a smarter way to connect those signals across the journey.
Prioritize account creation if you haven’t yet
If you’re investing heavily in transaction-level fraud controls and applying no evaluation to new accounts, that’s the highest-priority gap. Passive signals, like device fingerprint, email quality or behavioral patterns, gathered during account creation can be highly predictive of downstream fraud without adding friction for real customers.
Build risk tiers into your verification logic
Not every login warrants an MFA challenge. And not every order from an established account needs the same scrutiny as a first-time guest checkout. Use risk-adaptive verification to apply more friction at genuinely high-risk moments. That matters for revenue as much as risk. If every unfamiliar device, password reset or account update triggers the same heavy-handed response, you increase the chances of slowing down or blocking legitimate customers. Better verification logic helps you challenge suspicious activity without creating unnecessary friction that hurts customer experience.
Think in sequences, not snapshots
A single anomalous signal is usually ambiguous. A login from a new IP is explainable. That same login, followed by an address update and a high-value transaction attempt using a stored card, is worth questioning. Consider adopting a Commerce Protection Platform like Signifyd’s, which can connect identity, device and behavior signals so risky patterns are evaluated in context rather than in isolation.
Protect the entire journey, not just the transaction
When identity controls break down, the impact doesn’t always show up right away. By the time you start connecting the dots, the issue is often more expensive and harder to trace back to where it started.
To stay ahead of that, you need a way to evaluate trust across the full account journey, from account creation through login, checkout and higher-risk account changes. And that’s where Signifyd can help. Our Commerce Protection Platform helps you connect signals from site visits, account creation and later account activity, so you can spot suspicious patterns earlier and make stronger trust decisions across the customer journey.
Photo by Getty Images
FAQs
Does ecommerce need both identity proofing and identity verification?
Yes. Identity proofing helps stop fake or risky accounts at sign-up. Identity verification helps protect legitimate accounts from takeover or misuse later. Merchants need both to reduce account-related fraud.
How do identity proofing vs. identity verification vs. authentication vs. KYC relate?
They’re related but distinct. Identity proofing evaluates whether a claimed identity is real, primarily at account creation. Identity verification confirms the right person (or authorized AI agent) is present at a specific moment or action. Authentication is the technical mechanism used to confirm identity at an access point — a password, biometric scan or one-time code. KYC (Know Your Customer) is a formal regulatory framework that mandates identity checks before onboarding clients.
