Today, we are excited to announce a new partnership between Persona and Okta to help organizations protect against phishing and other identity-based attacks via automated identity verification. Available through a direct integration into Okta's Workforce Identity Cloud, this joint solution allows companies to easily incorporate identity verification into their Okta workflows, enhancing security measures for organizations worldwide.
Here’s what that means and why it’s important to you.
Rethinking security
As the business landscape evolves, so do security needs. In the last decade, many organizations have migrated to cloud-based technologies and distributed workforces. For information security teams, these shifts have posed challenges. Today’s employees access company systems from multiple devices, across various networks, and outside the traditional office space. This dramatically expands the attack surface for criminals and leaves organizations more exposed to cyber threats, given that traditional network security models tend to rely on firewalls and perimeter-based defenses.
In response, many organizations are turning to Zero Trust security models. The core principle of Zero Trust is simple: nothing is trusted by default, and every access request is verified. In this model, identity becomes the first line of defense. When it comes to system access, teams using Zero Trust generally institute strict access controls that grant access to important systems only to verified users.
Unfortunately, cybercriminals are aware of these strategies and have developed their own responses. Social engineering, automation, and AI are all strategies cybercriminals use to exploit vulnerabilities in identity-first security models. The problem for security teams is that in these situations, bad actors trying to access key systems do have the right credentials. They’re just not the person they’re claiming to be.
The growing problem: phishing and deepfake attacks
When companies think about risk, many focus on external threats. However, it’s internal employees who tend to be companies’ largest vulnerability. According to the Verizon Business 2024 Data Breach Investigations Report (DBIR), 68% of breaches involve human error, often by way of phishing schemes or compromised log-in credentials.
As an IT or InfoSec professional, your job is, in part, to prevent these attacks. But there are multiple moments in the employee life cycle — new user onboarding or account recovery, for example — where it’s easy for criminals to take advantage of existing security systems. Users may provide the correct credentials or send authentication requests from a trusted device. But this doesn’t guarantee they are the legitimate account owner — credentials can be stolen, shared, or compromised.
How can teams gain the assurance they need in these situations?
The answer: identity verification
Identity verification (IDV) offers a powerful answer to this challenge. Verifying not just credentials, but individuals’ actual identities, is the most powerful way to ensure that users are who they claim to be.
During onboarding, for example, new employees can be asked not only to set up their credentials but also to verify their identity with a government-issued ID or a live selfie. These checks tell you that the person entering your systems is the authorized individual and not someone impersonating them. Similar verifications can be put in place during critical events like account recovery or suspicious activity alerts.
The role of identity verification in the workforce
Identity verification isn’t just important for isolated moments in the customer life cycle. It’s also important for companies working to build a Know Your Employee (KYE) practice.
For years the financial industry has been committed to Know Your Customer (KYC) protocols, which are often mandated and put in place to make sure customers don’t present too much risk to financial institutions. KYE is the equivalent for workforce teams. KYE ensures that businesses verify an employee's identity, credentials, and background before offering them access to sensitive company data or systems.
KYE involves several key steps:
- Identity verification: Before hiring, businesses confirm the identity of an applicant, often using methods like government ID verification, document verification, and/or biometric checks like selfie verification. This step ensures that the person is who they claim to be.
- Account recovery: During sensitive moments, such as recovering an account after potential suspicious activity, identity verification ensures that the person recovering the account is the legitimate owner.
- Ongoing monitoring and reverification: Regular reverification of employees — even if there is no prompting event — makes sure you catch new risks and flag suspicious activity.
Persona and Okta
For teams looking to secure access to their Okta environment without frustrating employees, the partnership between Persona and Okta delivers a full KYE suite, offered via Persona’s integration with Okta’s Workforce Identity Cloud. Benefits for teams include:
- Native Okta integration: Persona is now available via the Okta Integration Network, so teams can add Persona’s identity verification solution within the Okta platform and create rules within their existing authentication policies to incorporate identity verification steps at critical moments.
- Multiple verification methods: Persona offers various identity verification methods, including government ID checks, biometric verifications like selfies, and behavioral risk assessments to provide a comprehensive approach to identity security.
- Automated identity verification: Persona’s automated identity verification system is designed for speed and accuracy. Government-issued ID checks and selfie verifications are processed in seconds, ensuring a smooth experience without compromising security.
- Flexible use cases: The integration supports a wide range of use cases, including new employee onboarding, employee account recovery, and high-risk event verification.
- Redaction policies: We work with organizations to align data retention and redaction policies, including instantly redacting users’ personal information after verification.
- Compliance standards: Persona’s platform aligns with industry compliance standards and company-specific risk frameworks, including NIST IAL2, ensuring that organizations meet regulatory requirements while maintaining high security standards.
How Persona approaches identity verification
A one-size-fits-all approach to identity verification can create unnecessary friction for employees, allow bad actors to slip through, and deliver a poor user experience. The problem becomes magnified as generative AI gives cybercriminals new tools. Today, for example, 80 percent of companies say they lack protocols for handling deepfake attacks.
To successfully overcome these threats, organizations are better served when they take a layered approach to identity verification. Doing this allows them to use a much wider array of signals for assessing whether individuals are who they claim to be.
At Persona, we recommend two key methods:
- Collecting and verifying more active signals: Most teams verify identity through actively provided information, such as documents, personal data, selfies, and liveness checks. However, fraudsters are increasingly using generative AI to target these processes. By introducing a wider variety of active data requests, organizations can make it more difficult for cybercriminals to impersonate legitimate individuals.
- Gathering and analyzing more passive signals: Passive signals — signals you can gain about a user without the user having to actively submit information — can help identify suspicious activity and trigger additional verification when necessary. Passive signals include data such as IP addresses, device or browser fingerprints, and behavioral indicators like hesitation or unusual actions during the interaction.
By combining active and passive methods, organizations become far more able to fight and adapt to sophisticated fraud, such as advanced social engineering and deepfakes.
Even more importantly, this layered approach allows businesses to create dynamic identity verification processes to improve security while minimizing friction for legitimate users. Businesses can use the signals collected during identity verification to personalize each employee's verification experience based on risk. For example, if an employee is logging in from a new IP address, organizations can automatically trigger a reverification prompt. For all other employees, it's smooth sailing as usual.
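As an added illustration (not Persona’s or Okta’s own code), here is a hypothetical step-up policy that scores the passive signals described above and routes a sign-in to active verification when they add up, while always requiring it for onboarding and account recovery. The signal weights, thresholds, IPs, fingerprints and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Hypothetical step-up policy (constructed example; not Persona's or Okta's API).
@dataclass
class UserProfile:
    known_ips: set            # IPs seen on previously verified sessions
    known_devices: set        # device/browser fingerprints from verified sessions
    last_verified: datetime   # when the employee last completed active IDV
@dataclass
class SignInEvent:
    event_type: str           # "login", "onboarding" or "account_recovery"
    ip: str
    device_fingerprint: str
    hesitation_seconds: float # time spent before submitting credentials
    occurred_at: datetime

# Assumed weights and thresholds; a real deployment tunes these to its own risk.
STEP_UP_THRESHOLD, HESITATION_LIMIT, REVERIFY_EVERY = 3, 45.0, timedelta(days=90)
def assess(event, profile):
    """Return ("allow" | "reverify", reasons) for a single sign-in."""
    # Critical life-cycle moments always get active verification, whatever the score.
    if event.event_type in ("onboarding", "account_recovery"):
        return "reverify", [f"critical event: {event.event_type}"]
    score, reasons = 0, []
    if event.ip not in profile.known_ips:
        score += 3; reasons.append("new IP address")
    if event.device_fingerprint not in profile.known_devices:
        score += 2; reasons.append("unrecognized device fingerprint")
    if event.hesitation_seconds > HESITATION_LIMIT:
        score += 1; reasons.append("unusual hesitation on credential form")
    if event.occurred_at - profile.last_verified > REVERIFY_EVERY:
        score += 3; reasons.append("periodic reverification due")
    return ("reverify" if score >= STEP_UP_THRESHOLD else "allow"), reasons

# Constructed sample data: one employee, verified on 1 June, signing in on 15 June.
SAMPLE_PROFILE = UserProfile({"203.0.113.10"}, {"fp-laptop"}, datetime(2024, 6, 1))
def _event(**changes):
    base = dict(event_type="login", ip="203.0.113.10", device_fingerprint="fp-laptop",
                hesitation_seconds=4.0, occurred_at=datetime(2024, 6, 15, 9, 0))
    return SignInEvent(**{**base, **changes})
SAMPLE_EVENTS = {
    "usual": _event(),
    "new_ip": _event(ip="198.51.100.7"),
    "new_device_only": _event(device_fingerprint="fp-unknown"),
    "new_device_hesitant": _event(device_fingerprint="fp-unknown", hesitation_seconds=70.0),
    "recovery": _event(event_type="account_recovery"),
    "stale": _event(occurred_at=datetime(2024, 9, 15, 9, 0)),
}
def run_samples():
    return {name: assess(ev, SAMPLE_PROFILE) for name, ev in SAMPLE_EVENTS.items()}
```

Note that a single weaker signal (an unrecognized device on its own) does not reach the threshold, while the same device combined with hesitation does; the reasons list is what you would log for the security team to review.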
This combination of breadth and depth — the ability to collect a wide range of signals paired with Persona's adaptable approach to fraud — gives companies the power to stay ahead of fraud both now and into the future.
Protecting against phishing from onboarding to offboarding
The integration of Persona and Okta brings a powerful identity verification solution to the dynamic, distributed workplace. By adding real-time identity verification to your Zero Trust strategy, you can reduce the risk of phishing attacks, account takeovers, and unauthorized access — all while providing employees with seamless, secure access to the tools they need. With identity as the new perimeter, Persona and Okta ensure that only the right people access your network, no matter where they are or what device they’re using.
Ready to get started? Take a closer look at our workforce identification capabilities, or talk to a Persona expert today.