Understanding and verifying digital identity
Today, we use the internet in ways that were unthinkable when it was first created more than 40 years ago. With a single swipe or one-button click, we can connect with friends online, make purchases from around the world, apply for jobs, complete college classes, access banks, invest our money, shop for a house — even log into work remotely.
While this migration online has brought many benefits, it hasn’t come without challenges. Here’s a big one to think about: How can we trust that someone is who they say they are online, especially with the specter of generative AI growing more and more capable every year?
This is where the concept of digital identity comes into play.
Below, we explain what digital identities are, why they’re so important, and how they can be established. We also walk through the different ways you can establish and confirm a user’s digital identity to keep your platform safe from fraud.
What is digital identity?
A digital identity is a collection of data, activity, behavior, and other attributes that can be tied to a single individual in a way that differentiates them from everything else. While it is not the same thing as your digital footprint, the two concepts are similar.
Individuals rely on their digital identities to navigate the web in a safe and secure way, accessing accounts and services that belong to them while keeping intruders out. Meanwhile, online businesses often seek to understand their customers’ digital identities in order to identify and mitigate fraud, inappropriate data access, and other risks.
Digital identity examples and use cases
Different businesses in a variety of industries leverage digital identities to ensure that their platform or services are only being accessed by the people who should have access to them. Some common use cases include:
Employers looking to protect their digital systems to ensure that only employees are able to access sensitive corporate information — using workforce IDV, for example
Online marketplaces and other e-commerce platforms that want to limit transaction fraud in order to protect both their finances as well as other users
Healthcare providers that need to safeguard patient health information under HIPAA
Financial services providers that are required by law to establish a customer’s identity — digital or otherwise — before onboarding them
In each of these use cases, a business or organization might leverage multiple different aspects of an individual’s digital identity. An employer, for example, might require an employee to log into their account using credentials, while raising suspicions if this takes place on an unfamiliar device. A financial institution, on the other hand, might collect a customer’s government ID during initial onboarding while scanning their social media profiles for other risks.
How does digital identity work?
As noted above, a person’s digital identity is a collection of multiple data points that are tied to various accounts and help paint a picture of who that person is. These pieces of data are called digital identifiers, and include things like an individual’s:
Date of birth
Username and password
Email address
Phone number
Fingerprint and/or face data
IP address
Browser fingerprint
Device fingerprint
Physical ID numbers
Search history
Purchase history
Cookies
Some of these digital identifiers are constant, rarely (if ever) changing over the course of a person’s life. This is true of birthdays and ID numbers, for example.
But other identifiers can and do change:
The IP address associated with an individual can change depending on where they log into their account, for example, or whether they are using mobile data or WiFi.
A single individual may have multiple device fingerprints if they own (and use) multiple devices.
People can choose to create a new email address for any number of reasons.
Behavior-driven digital identifiers — like their search history, purchase history, and presence (or lack) of cookies — are constantly changing every time an individual does anything online.
What all of this means is that a person’s digital identity is dynamic. It’s constantly changing and evolving over time, which can pose a challenge for businesses that leverage the digital identities of their customers or users for security and access purposes.
How businesses can establish a person’s digital identity
If you require your users to create an account in order to use your platform or service, it's important to have a plan in place for establishing and protecting their digital identity. Some options to consider include:
Authentication
Identity authentication is the process of determining whether or not the person attempting to log into an account is actually the account’s owner. Any business that requires users to create an account on its platform must have an authentication strategy in place to facilitate a secure login.
At its simplest, authentication requires a user to provide a username and password to log into an account. Two-factor (2FA) or multi-factor authentication (MFA) up the ante by requiring a user to provide an additional piece of evidence upon using their login credentials, such as:
The answer to a security question
An authentication code
A selfie or fingerprint scan
Multi-factor authentication is especially effective at defending against account takeover (ATO) fraud carried out via password spraying, credential stuffing, AI phishing, and other attacks. But it’s important to note that even MFA may not be able to fully protect against fraudsters leveraging AI-powered social engineering tactics at scale.
Verification
Identity verification (IDV) is the process of verifying a digital identity against a real-world, physical identity. While authentication is used to determine whether or not a person should have access to an account, verification is used to determine whether or not a person actually exists and is who they say they are.
Identity verification is especially important for online businesses subject to regulations requiring any form of Know Your Customer (KYC), such as the financial industry and online marketplaces. It’s also helpful for industries where trust matters, such as online health and education platforms.
The type of identity verification you choose varies depending on the laws you’re subject to, unique customer expectations, and the level of assurance you need. IDV options include:
Government ID verification
Database verification
Selfie verification
Document verification
Reporting
Sometimes, identity verification on its own doesn’t provide enough information about an individual. In these cases, it may be possible to run a variety of reports to gather additional context about who a person is — both online and offline:
Phone & email risk reports: These reports return information like age, spam scores, and more to help you evaluate the reputation of an email address or phone number provided by an individual.
Social media risk assessment: These reports take an inventory of the individual’s social media footprint to help you decide whether you want to work with them.
Watchlist and sanctions list screening: These reports compare information provided by the individual (such as name, date of birth, and contact information) against information contained in official watchlists and sanctions lists.
Adverse media report: These reports scan media databases for negative mentions of an individual. This can include criminal convictions, involvement in lawsuits or disputes, and other negative mentions.
Reports help you paint a more robust picture of who a person is and can help you gauge the risks associated with working with them — particularly important if your business is subject to Anti-Money Laundering (AML) regulations and you’re looking to hire remote applicants.
Link analysis
Link analysis is a process of determining how a user is connected to (or linked with) other people on your platform or within your database.
Businesses use link analysis primarily to identify instances of fraud. For example, if multiple accounts all share suspicious details (like an IP address, device fingerprint, browser fingerprint, or payment details) it may suggest that a single user has created multiple accounts on your platform for some reason.
While this may be legitimate, it could also be indicative of referral fraud, promo abuse, and other nefarious actions. It may also point to a ring of fraudsters on your platform, all sharing the same details.
Likewise, link analysis can help you understand if an account belongs to a real person or if it may be a shell account. You can do this by analyzing an account’s connections to other accounts to determine whether it follows a natural, expected pattern, if it’s random, or if it’s generally suspicious. Like reporting, link analysis offers one more layer of context and detail to help tie a person’s digital identity to a real-world counterpart.
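The clustering step behind link analysis can be sketched as follows. This is an added example, not code from the original article; the account records, field names, and the policy of treating a shared IP address as weak evidence are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records; every value below is made up for illustration.
ACCOUNTS = [
    {"id": "acct-1", "ip": "198.51.100.7", "device": "dev-aaa", "card": "card-111"},
    {"id": "acct-2", "ip": "198.51.100.7", "device": "dev-aaa", "card": "card-222"},
    {"id": "acct-3", "ip": "203.0.113.9", "device": "dev-bbb", "card": "card-222"},
    {"id": "acct-4", "ip": "203.0.113.50", "device": "dev-ccc", "card": "card-333"},
    {"id": "acct-5", "ip": "203.0.113.50", "device": "dev-ddd", "card": "card-444"},
]
# Assumed policy: device and payment matches merge accounts; a shared IP alone
# (office NAT, campus WiFi, mobile carrier) is only surfaced for review.
STRONG, WEAK = ("device", "card"), ("ip",)

def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving keeps lookups short
        x = parent[x]
    return x

def analyze_links(accounts):
    """Return (clusters joined by strong identifiers, weak-only overlaps)."""
    parent = {a["id"]: a["id"] for a in accounts}
    by_value = defaultdict(list)  # (field, value) -> account ids using it
    for a in accounts:
        for field in STRONG + WEAK:
            if a.get(field):
                by_value[(field, a[field])].append(a["id"])
    for (field, _), ids in by_value.items():
        if field in STRONG:
            for other in ids[1:]:
                parent[_find(parent, other)] = _find(parent, ids[0])
    groups = defaultdict(set)
    for a in accounts:
        groups[_find(parent, a["id"])].add(a["id"])
    clusters, review = [], []
    for members in groups.values():
        if len(members) > 1:
            shared = sorted(f"{f}={v}" for (f, v), ids in by_value.items()
                            if len(ids) > 1 and set(ids) <= members)
            clusters.append({"accounts": sorted(members), "shared": shared})
    for (field, value), ids in by_value.items():
        roots = {_find(parent, i) for i in ids}
        if field in WEAK and len(roots) > 1:
            review.append((f"{field}={value}", sorted(ids)))
    return clusters, review

if __name__ == "__main__":
    print(analyze_links(ACCOUNTS))
```

On the sample data, acct-1 through acct-3 form one cluster even though acct-1 and acct-3 share nothing directly, while acct-4 and acct-5 overlap only on an IP address and are listed for review rather than merged.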
The role of digital identities in identity verification
Identity verification is all about ensuring that a person or business is who they say they are. For some companies, like financial institutions and online marketplaces, it’s a necessary part of complying with Know Your Customer (KYC), Know Your Business (KYB), and Anti-Money Laundering (AML) laws and regulations. For other businesses, it offers a path to reduce and mitigate other types of fraud risk.
Digital identities can empower you to comprehensively verify your customers’ identities. While this isn’t an exhaustive list, here are some of the ways you might leverage a digital identity as a part of your broader IDV strategy.
Social media profiles
Not every person has a social media profile, but an individual’s presence on social media (especially across multiple platforms) can go far in helping you establish whether a person is real or a case of synthetic identity fraud.
Profiles can also give you more information about an individual to inform your risk analysis. Photos on a person’s social media profile, for example, can be compared against selfies submitted by a person during onboarding in order to identify potential cases of identity theft.
Personal details on a profile, like a date of birth, can be compared against information submitted by the user and found in official databases. Social media posts in general can serve as a source for adverse media screening, amongst other uses.
Device identities
When a user signs up for an account, if you collect information about their device — such as their device fingerprint, browser fingerprint, IP address, etc. — you then have the ability to recognize that device when the individual tries to log into their account in the future. This can provide additional assurance against account takeover (ATO) fraud by allowing you to trigger reverification or heightened security measures when a user tries to log in using an unrecognized device.
Collecting a user’s device identity also gives you data to help identify fraud rings on your platform. For example, a single individual might use one phone to create multiple accounts on your platform to take advantage of freemium features or to engage in marketplace referral fraud.
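The device recognition check described in this section, as an added example that is not part of the original article. The class, method names, return labels, and the keyed-hash storage are assumptions; the logic treats an unrecognized device as a reverification trigger and an IP change on a known device as expected, since IP addresses change routinely.

```python
import hashlib
import hmac

# Hypothetical server-side key; a real deployment would load it from a secret store.
FINGERPRINT_KEY = b"constructed-demo-key"

def device_key(fingerprint: str) -> str:
    """Store a keyed hash, not the raw fingerprint collected from the client."""
    return hmac.new(FINGERPRINT_KEY, fingerprint.encode(), hashlib.sha256).hexdigest()

class DeviceRegistry:
    def __init__(self):
        self._known = {}  # account id -> {device key: last IP seen with it}

    def enroll(self, account, fingerprint, ip):
        self._known.setdefault(account, {})[device_key(fingerprint)] = ip

    def assess_login(self, account, fingerprint, ip):
        """Decide what to do after the password check has already passed."""
        devices = self._known.get(account, {})
        key = device_key(fingerprint)
        if key not in devices:
            return "reverify"            # unrecognized device: step up
        if devices[key] != ip:
            devices[key] = ip            # known device on a new network
            return "allow_log_ip_change"
        return "allow"

    def finish_reverification(self, account, fingerprint, ip, passed):
        """Enroll the new device only after the stronger check succeeds."""
        if not passed:
            return "deny"
        self.enroll(account, fingerprint, ip)
        return "allow"

def demo():
    reg = DeviceRegistry()
    reg.enroll("acct-1", "fp-laptop", "198.51.100.7")  # constructed values
    return [
        reg.assess_login("acct-1", "fp-laptop", "198.51.100.7"),
        reg.assess_login("acct-1", "fp-laptop", "203.0.113.9"),
        reg.assess_login("acct-1", "fp-phone", "203.0.113.9"),
        reg.finish_reverification("acct-1", "fp-phone", "203.0.113.9", True),
        reg.assess_login("acct-1", "fp-phone", "203.0.113.9"),
        reg.assess_login("acct-2", "fp-laptop", "198.51.100.7"),
    ]
```

The last call in `demo()` shows that recognition is per account: a device enrolled for acct-1 is still unrecognized when it appears on acct-2.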
Email addresses
When an individual signs up for an account using their email address, it’s important to ensure that they actually own that email address and that it isn’t fake. Email verification gives you that assurance and makes it possible to leverage two-factor authentication (2FA) in the future as a part of the login process or during reverification attempts.
You can also use an individual’s email address to perform an email risk report, which can help you uncover helpful information about an email address, including:
How old the email address is
Whether or not it is tied to spam activity
Whether or not it is included in any blocklists
And more
Selfies and government-issued IDs
By collecting and verifying a customer’s government-issued ID when they open an account on your platform, you are linking their account to an official form of identification, allowing you to deploy database verification and other methods — offering some of the strongest assurance that someone is who they say they are.
If you’re worried about user experience friction, you can use digital IDs like mobile driver’s licenses and e-passports to speed up your verification process.
Similarly, you can collect a user’s selfie for identity verification during the onboarding process in order to link their face to their digital identity within your system. Then, you can require the user to upload a selfie as a means of two-factor authentication when logging into their account or during reverification. For added identity assurance, consider collecting both a photo ID and selfie, and comparing the two to protect against the risk of stolen IDs.
Conclusion
Digital identity is dynamic and multi-source, so effective programs layer controls: strong verification, risk-based authentication, contextual signals, and linkage across devices, emails, and accounts. When right-sized to the use case, this mix reduces account takeover and synthetic activity while respecting privacy and user experience. The key is continuous tuning so the system stays both secure and usable at scale.