How to Verify Someone’s Identity
Every practical way to confirm who someone is, why most now fail against GenAI deepfakes, SIM swaps and social engineering, and a step-by-step framework for proving the real person on the other end of a call.
Attackers broke the old playbook
For most of the internet’s history, verifying someone’s identity meant asking a question only they could answer: a password, a PIN, a mother’s maiden name, the last four digits of a Social Security number.
That model no longer works. Generative AI can clone a voice from a few seconds of audio, render convincing video of a face in real time, and produce a flawless image of a “scanned” ID on demand. Attackers no longer have to steal an identity and hope it still works. They can build a believable one on the spot. And the secrets we once relied on have leaked in breach after breach.
Nowhere is this more dangerous than the help desk. Someone calls IT and says, “I’m locked out, my laptop and security key were stolen.” The agent on the line is now the last line of defense. They have to verify a human they cannot see, under time pressure, using information that has leaked. Get it wrong, and the “employee” they just helped walks straight in and plants ransomware.
This guide covers every common way to verify someone’s identity, shows where each one breaks, and lays out how to confirm the real person behind the call.
In the deepfake era, the question that counts is whether an independent source confirms the person’s claim. Strong verification checks that claim against authoritative systems of record in real time, and watches the channel for signs of fraud.
Three questions, one True Persona
Before you pick a method, get precise about the goal. Verifying identity comes down to three questions, and most methods answer one while assuming the other two:
1. Is this a real, valid identity?
Does the credential or document exist, and is it genuine rather than forged or synthetic?
2. Does it belong to the person presenting it?
Is the credential bound to the human on the other end, or just held, photographed, or recited by someone else?
3. Is the person here right now, acting for themselves?
Are they live and present, or a recording, a relayed session, or a deepfake an attacker controls?
A document scan answers the first question and says nothing about the third. A one-time passcode gestures at the second and ignores the first. Trusona calls the answer to all three the True Persona, the real person behind a valid identity. A serious verification process reaches the True Persona instead of clearing a single checkbox.
Five ways to verify, ranked
Almost every identity check falls into one of five categories. This is what each one proves, and what defeats it.
| Method | What it checks | Strength today | What defeats it |
|---|---|---|---|
| Knowledge-based | Something they know: security questions, PINs, personal facts | Low | Data breaches, social media, basic social engineering |
| OTP & MFA | Something they have: an SMS code or authenticator | Medium | SIM-swap scams, real-time phishing or man-in-the-middle, push fatigue |
| Document scan | A government ID image, on its own | Medium | High-quality fakes, GenAI-altered images, replayed scans |
| Biometrics | Something they are: selfie match and liveness | Falling | GenAI face swaps, deepfake video, camera-injection attacks |
| Authoritative sources | Corroboration from systems of record (DMV, mobile carrier, identity bureaus), plus channel-fraud signals | High | Very little. An attacker would have to defeat several independent sources at once |
The first four methods ask the caller to supply proof, and a caller can fake or intercept most of what they supply. The fifth checks the claim against sources the caller does not control, which is why it holds up.
How attackers beat each one
Each traditional method made sense in its time. This is how modern attackers walk through them, often combining several in one call.
GenAI deepfakes
A cloned voice, a synthetic face, an AI-generated ID image: generative tools produce all of them convincingly and cheaply. Selfie-match and liveness checks assume the face in front of the camera is a live human. Injection attacks and deepfake video break that assumption.
Trusona does not rely on selfie or liveness checks. Against modern GenAI they amount to security theater: they look rigorous, give everyone false confidence, and let synthetic faces through.
SIM swap & OTP interception
Texting a one-time code to the phone on file trusts that the SIM still belongs to your user. In a port-out scam, an attacker moves the victim’s number to their own device and receives the code. The user never sees it, and the help desk never learns the number changed hands hours ago.
Man-in-the-middle relay
A patient attacker skips faking the document. They make a real victim do the work: they relay your verification link to the genuine employee, capture the response, and pass it back in real time. Every signal looks legitimate. The person completing it is not the person on your call.
Social engineering the human
Every breached password, org chart, and LinkedIn profile gives an attacker material. They rehearse, stay calm, and create urgency: “I have a board meeting in five minutes and I’m locked out.” An agent armed only with knowledge questions has to win an argument against a professional, and usually loses.
Six checks that hold up
A confident attacker can talk past knowledge questions, and breached secrets prove nothing. A resilient process leans on evidence the caller can’t fake. Use this checklist:
- Don’t verify with breachable secrets
  Treat name, date of birth, employee ID, address, and the last four digits as public. On their own they confirm nothing.
- Anchor to a government ID, then keep going
  A scan proves a document exists. On its own it can be forged, AI-altered, or replayed from an earlier session.
- Corroborate against authoritative sources
  Match the ID and phone number to independent systems of record: the issuing DMV, the mobile carrier, and identity bureaus such as LexisNexis. Forging one source is hard. Forging all of them at once is impractical.
- Read the channel as well as the claim
  Watch for the tells that the person isn’t who or where they say: a relayed man-in-the-middle session, a recent SIM swap, or a replayed scan.
- Let the customer verify you, too
  Impersonation runs both ways. Give people a way to confirm your agent is genuine before they hand over anything sensitive.
- Make the decision fast and consistent
  A clear red, yellow, or green outcome keeps a tired agent from rationalizing a bad call, and keeps average handle time low.
Strong verification skips the secret the caller has to know. It checks their claim against sources they don’t control, and watches the channel for signs of fraud.
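The checklist above can be written down as a fixed decision policy, so the outcome does not depend on how persuasive the caller is. The sketch below is an added example, not Trusona's code or scoring logic: the field names, the source labels, the 72-hour SIM-swap window, and the red/yellow/green rules are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SOURCES = ("dmv", "carrier", "bureau")  # systems of record; labels are hypothetical

@dataclass
class Session:
    scan_id: str                        # unique ID for this document scan
    source_match: dict                  # per source: True, False, or None (no answer)
    sim_swap_hours: Optional[float]     # hours since last SIM swap/port-out, if any
    relay_suspected: bool               # man-in-the-middle relay signal from the channel
    knowledge_answers_ok: bool = False  # recorded, but never used in the decision

class Verifier:
    def __init__(self, sim_swap_window_hours=72.0):  # window is an assumed policy value
        self.seen_scans = set()
        self.window = sim_swap_window_hours

    def decide(self, s: Session):
        reasons = []
        if s.scan_id in self.seen_scans:              # scans are single-use
            reasons.append("replayed scan")
        self.seen_scans.add(s.scan_id)
        if s.relay_suspected:
            reasons.append("relayed session")
        if s.sim_swap_hours is not None and s.sim_swap_hours < self.window:
            reasons.append("recent SIM swap")
        bad = [n for n in SOURCES if s.source_match.get(n) is False]
        if bad:
            reasons.append("source mismatch: " + ", ".join(bad))
        if reasons:
            return "red", reasons
        missing = [n for n in SOURCES if s.source_match.get(n) is None]
        if missing:                                   # unconfirmed is not confirmed
            return "yellow", ["no answer from: " + ", ".join(missing)]
        return "green", ["all sources corroborate"]

def demo():
    """Run four constructed sessions through one Verifier; return their colors."""
    ok = {"dmv": True, "carrier": True, "bureau": True}
    v = Verifier()
    sessions = [
        Session("scan-A", ok, None, False),
        Session("scan-A", ok, None, False),           # same scan presented again
        Session("scan-B", {**ok, "carrier": False}, 3.0, False, knowledge_answers_ok=True),
        Session("scan-C", {**ok, "bureau": None}, None, False),
    ]
    return [v.decide(s)[0] for s in sessions]

if __name__ == "__main__":
    print(demo())
```

The third constructed session passes its knowledge questions and still comes out red, because the policy never reads that field.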
Where attackers strike first
The same playbook shows up wherever someone you can’t see can trigger a high-value action. The most-targeted moments:
Resets & recovery
Password and MFA resets, account recovery, and the classic “my laptop and security key were stolen.”
Onboarding & payroll
Remote new-hire verification, including fraudulent “IT worker” applicants, and direct-deposit changes.
Money movement
Wire approvals, vendor and AP bank-detail changes, and CEO or CFO impersonation (BEC fraud).
Account takeover
High-value account recovery, loyalty and rewards redemption, and large or unusual orders.
Patient access
Patient-portal access and password resets that expose sensitive medical records.
Applications & benefits
Online applications, financial-aid requests, and benefits eligibility.
How ATO Protect verifies the True Persona
Trusona ATO Protect was built for this moment. It confirms the True Persona behind a call in real time, checks against sources an attacker can’t control, and flags the channel tricks older methods miss. The differences that matter:
Verify total strangers
Verify anyone on their first contact, in any channel. Nothing to enroll in advance.
Proof you can’t fake
Matches the ID and phone against independent systems of record (DMV, carrier, LexisNexis), well beyond a photo of a document.
Nothing to breach
Trusona deletes the personal data from each session and keeps only a non-sensitive result. Runs on SOC 2 infrastructure.
Catch the man-in-the-middle
Spots when an attacker relays your link to the real employee and feeds the answer back in real time.
Let them verify you
Agent Verify lets your employees and customers confirm the agent calling them is genuine, with a one-time code.
Every scan is single-use
Scan Anti-Replay means you can’t scan the same way twice, so an attacker can’t reuse a captured “good” scan.
Catch a hijacked number
Surfaces a recent SIM swap or port-out, the tell-tale of a number that changed hands.
Red / Yellow / Green
One glance gives even a brand-new agent a confident decision, and shortens average handle time.
No integration required
Start in a secure web portal today; add the optional API into ServiceNow, Okta, Entra ID, and more later.
2,500+ ID types
Passports and driver licenses worldwide, with optional AI-tampering detection on the document itself.
Deepfakes can’t pass
No selfie match, liveness test, or typing test, because GenAI already beats them. Real corroboration instead.
Three steps to a verified caller
You don’t replace your systems. You add a verification step at the moment of risk, so your process changes while your stack stays the same.
Send a Trusonafy Link
From the web portal, or through the API, the agent sends a secure link by SMS, email, or chat to the number on file. No app to download.
The person scans their ID
In their mobile browser, they scan a government ID. Behind the scenes, Trusona captures device, location, man-in-the-middle, and anti-replay signals.
Verify the True Persona
Trusona matches the ID and phone against authoritative sources, and the agent sees a red, yellow, or green result in seconds. No personal data is stored.
Frequently asked questions
What is the most reliable way to verify someone’s identity online?
Corroborate the person’s claimed identity against independent, authoritative systems of record (the issuing DMV, their mobile carrier, and identity bureaus like LexisNexis) in real time, while checking for SIM swaps, man-in-the-middle relays, and replayed scans. This holds up far better than knowledge questions, one-time passcodes, or a selfie, which a determined attacker can breach, intercept, or fake with generative AI.
Why aren’t security questions or one-time passcodes enough?
Personal facts such as name, date of birth, employee ID, address, and Social Security number have leaked in countless breaches, so they confirm almost nothing. One-time passcodes sent by SMS can be intercepted through SIM-swap (port-out) scams or relayed in real time during a phishing or man-in-the-middle attack, so holding the code no longer proves holding the account.
Can deepfakes beat selfie matching and liveness checks?
Yes, more and more. Generative AI produces convincing face swaps and video, and injection attacks can feed synthetic footage straight into a verification flow, defeating selfie-match and liveness tests. Because these methods keep losing ground to GenAI, Trusona treats them as security theater and does not rely on them.
Does Trusona ATO Protect store personal data (PII)?
No. Trusona deletes the personal information captured during a verification session, and the service runs on SOC 2 infrastructure. It keeps only non-sensitive outcomes for reporting: a timestamp, the agent’s user ID, the ID type, the last four digits, the source results, and the overall risk summary.
Which IDs are supported, and does it require integration?
It supports more than 2,500 ID types worldwide, including all passports and driver licenses from regions such as the US, Canada, UK, and India. It works from a secure web portal with no integration required, and offers an optional REST API that connects to systems like ServiceNow, Okta, and Microsoft Entra ID.
How fast can an agent verify someone, and does it work with first-time callers?
Verification takes seconds and works with first-time callers because there is no pre-registration. The agent sends a secure link, the caller scans a government ID in their mobile browser, Trusona checks the identity against authoritative sources, and the agent sees a red, yellow, or green result.