Announcement

Workforce security redefined: Persona and Okta partner to verify identities and protect against phishing and deepfakes

Enforce identity verification throughout the employee life cycle using Persona and Okta’s out-of-the-box integration for identity verification.

Last updated:
11/8/2024

Today, we are excited to announce a new partnership between Persona and Okta to help organizations protect against phishing and other identity-based attacks via automated identity verification. Available through a direct integration into Okta's Workforce Identity Cloud, this joint solution allows companies to easily incorporate identity verification into their Okta workflows, enhancing security measures for organizations worldwide.

Here’s what that means and why it’s important to you.

Rethinking security 

As the business landscape evolves, so do security needs. In the last decade, many organizations have migrated to cloud-based technologies and distributed workforces. For information security teams, these shifts have posed challenges. Today’s employees access company systems from multiple devices, across various networks, and outside the traditional office space. This dramatically expands the attack surface for criminals and leaves organizations more exposed to cyber threats, given that traditional network security models tend to rely on firewalls and perimeter-based defenses.

In response, many organizations are turning to Zero Trust security models. The core principle of Zero Trust is simple: trust no one by default. In this model, identity becomes the first line of defense. When it comes to system access, teams using Zero Trust generally institute strict access controls, which allow only verified users to gain access to important systems.

Unfortunately, cybercriminals are aware of these strategies and have developed their own responses. Social engineering, automation, and AI are all strategies cybercriminals use to exploit vulnerabilities in identity-first security models. The problem for security teams is that in these situations, bad actors trying to access key systems do have the right credentials. They’re just not the person they’re claiming to be. 

The growing problem: phishing and deepfake attacks

When companies think about risk, many focus on external threats. However, it’s internal employees who tend to be companies’ largest vulnerability. According to the Verizon Business 2024 Data Breach Investigations Report (DBIR), 68% of breaches involve human error, often by way of phishing schemes or compromised log-in credentials. 

As an IT or InfoSec professional, your job is, in part, to prevent these attacks. But there are multiple moments in the employee life cycle — new user onboarding or account recovery, for example — where it’s easy for criminals to take advantage of existing security systems. Users may provide the correct credentials or send authentication requests from a trusted device. But this doesn’t guarantee they are the legitimate account owner — credentials can be stolen, shared, or compromised.

How can teams gain the assurance they need in these situations?

The answer: identity verification

Identity verification (IDV) offers a powerful answer to this challenge. Verifying not just credentials, but individuals’ actual identities, is the most powerful way to ensure that users are who they claim to be. 

During onboarding, for example, new employees can be prompted to give their credentials but also asked to verify their identity with a government-issued ID or by submitting a live selfie. These checks tell you that the person entering your systems is the authorized individual and not someone impersonating them. Similar verifications can be put in place during critical events like account recovery or suspicious activity alerts.

The role of identity verification in the workforce

Identity verification isn’t just important for isolated moments in the customer life cycle. It’s also important for companies working to build a Know Your Employee (KYE) practice. 

For years the financial industry has been committed to Know Your Customer (KYC) protocols, which are often mandated and put in place to make sure customers don’t present too much risk to financial institutions. KYE is the equivalent for workforce teams. KYE ensures that businesses verify an employee's identity, credentials, and background before offering them access to sensitive company data or systems.

KYE involves several key steps:

  1. Identity verification: Before hiring, businesses confirm the identity of an applicant, often using methods like government ID verification, document verification, and/or biometric checks like selfie verification. This step ensures that the person is who they claim to be.
  2. Account recovery: During sensitive moments, such as recovering an account after potential suspicious activity, identity verification ensures that the person recovering the account is the legitimate owner.
  3. Ongoing monitoring and reverification: Regular reverification of employees — even if there is no prompting event — makes sure you catch new risks and flag suspicious activity.

Persona and Okta

For teams looking to secure access to their Okta environment without frustrating employees, the partnership between Persona and Okta delivers a full KYE suite, offered via Persona’s integration with Okta’s Workforce Identity Cloud. Benefits for teams include:

  • Easily add Persona’s identity verification solution within the Okta platform. Persona is now available via the Okta Integration Network. This lets teams create rules within their existing authentication policies to incorporate identity verification steps at critical moments.
  • Multiple verification methods: Persona offers various identity verification methods, including government ID checks, biometric verifications like selfies, and behavioral risk assessments to provide a comprehensive approach to identity security.
  • Automated identity verification: Persona’s automated identity verification system is designed for speed and accuracy. Government-issued ID checks and selfie verifications are processed in seconds, ensuring a smooth experience without compromising security.
  • Flexible use cases: The integration supports a wide range of use cases, including new employee onboarding, employee account recovery, and high-risk event verification.
  • Redaction policies: We work with organizations to align data retention and redaction policies, including instantly redacting users’ personal information after verification. 
  • Compliance standards: Persona’s platform aligns with industry compliance standards and company-specific risk frameworks, including NIST IAL2, ensuring that organizations meet regulatory requirements while maintaining high security standards.

How Persona approaches identity verification

A one-size-fits-all approach to identity verification can create unnecessary friction for employees, allow bad actors to slip through, and deliver a poor user experience. The problem becomes magnified as generative AI gives cybercriminals new tools. Today, for example, 80 percent of companies say they lack protocols for handling deepfake attacks.

To successfully overcome these threats, organizations are better served when they take a layered approach to identity verification. Doing this allows them to use a much wider array of signals for assessing whether individuals are who they claim to be.

At Persona, we recommend two key methods:

  1. Collecting and verifying more active signals
    Most teams verify identity through actively provided information, such as documents, personal data, selfies, and liveness checks. However, fraudsters are increasingly using generative AI to target these processes. By introducing a wider variety of active data requests, organizations can make it more difficult for cybercriminals to impersonate legitimate individuals.
  2. Gathering and analyzing more passive signals
    Passive signals — signals you can gain about a user without the user having to actively submit information — can help identify suspicious activity and trigger additional verification when necessary. Passive signals include data such as IP addresses, device or browser fingerprints, and behavioral indicators like hesitation or unusual actions during the interaction.

By combining active and passive methods, organizations are far better able to fight and adapt to sophisticated fraud, such as advanced social engineering and deepfakes.

Even more importantly, this layered approach allows businesses to create dynamic identity verification processes to improve security while minimizing friction for legitimate users. Businesses can use the signals collected during identity verification to personalize each employee's verification experience based on risk. For example, if an employee is logging in from a new IP address, organizations can automatically trigger a reverification prompt. For all other employees, it's smooth sailing as usual.

This combination of breadth and depth — the ability to collect a wide range of signals paired with Persona's adaptable approach to fraud — gives companies the power to stay ahead of fraud both now and into the future.

Protecting against phishing from onboarding to offboarding

The integration of Persona and Okta brings a powerful identity verification solution to the dynamic, distributed workplace. By adding real-time identity verification to your Zero Trust strategy, you can reduce the risk of phishing attacks, account takeovers, and unauthorized access — all while providing employees with seamless, secure access to the tools they need. With identity as the new perimeter, Persona and Okta ensure that only the right people access your network, no matter where they are or what device they’re using.

Ready to get started? Take a closer look at our workforce identification capabilities, or talk to a Persona expert today.

Published on:
10/16/2024
