Published February 18, 2025
Last updated March 13, 2025

Workforce identity verification use cases: How to leverage IDV throughout the employee life cycle

Identity verification paired with identity and access management (IAM) platforms in the workplace can enhance workforce security and prevent security threats. Here are 4 use cases to consider.
Justin Lo
Key takeaways
  • The past decade has seen a dramatic upswing in cases of workforce-related fraud.

  • This rise has largely been driven by increased adoption of remote hiring and remote work policies, combined with fraudsters’ adoption of GenAI tools to power their attacks.

  • Deploying electronic identity verification (eIDV) at various points in the employee life cycle — for example, during onboarding, device enrollment, account recovery, and at other high-risk moments — can help limit this fraud without overwhelming security and IT teams.

If it seems like the number of cybersecurity and fraud attacks targeting businesses every year is growing, we’ve got some bad news: it is. And it isn’t just growing in frequency; it’s also costing companies more than ever before. 

Case in point: A recent survey conducted by PwC found that 27% of global companies have experienced a data breach in the last three years that cost between $1 million and $20 million. North American companies fared even worse, with a whopping one in three having experienced such an attack. 

But there’s some good news, too. By deploying workforce identity verification at key junctures throughout the employee life cycle such as onboarding or account recovery, businesses can significantly limit the volume of threats tied to their employees.

Below, we take a closer look at some of the factors that have led to the increase in workforce-related cybersecurity and fraud incidents. We also review some current solutions that have become less effective at combating these threats over time. Then, we define what workforce identity verification is and explain when it might be helpful to deploy. 

In recent years, various factors have combined to create an ideal environment for workforce-related fraud. One instrumental factor is that today’s businesses rely on a much more distributed workforce than they did even just five years ago; another is that fraudsters have powerful new tools in their arsenal with which to carry out fraud. 

Factor #1: A more distributed workforce

A decade ago, it was expected that the vast majority of a company’s employees would work on site in a physical office. When workers logged into their accounts, they did so in person on devices and network infrastructure owned by the company. This made it easier for the business to monitor for both cybersecurity policy compliance as well as identity threats. 

But over the past ten years, workforces became increasingly distributed — thanks, in part, to widespread adoption of cloud-based technologies that meant workers no longer needed to be on site to access a company’s systems. 

Allowing remote work makes it possible for businesses to attract and retain employees from a wider pool of talent. It can also lead to significant savings by reducing or even eliminating the need for office space. But by its very nature, it requires businesses to give up some of the security and control offered by a centralized workforce. 

That’s because remote workers often access company systems on multiple devices (like personal smartphones) and across various networks (from home routers to mobile hotspots to coffee shop WiFi). This dramatically expands the attack surface area, offering fraudsters and bad actors multiple avenues to try and skirt your business’s defenses. It’s much harder to defend multiple fronts than it is to defend a single front. 

Additionally, it’s much harder for an information security team to enforce cybersecurity policies — especially around things like password hygiene and credential sharing — when personal devices and networks are added to the mix. For many businesses, that means an increased threat of account takeover (ATO) attacks.

Factor #2: Fraudsters have more tools at their disposal

Just as the way we work has changed in recent years, so too has the way that fraudsters carry out their attacks. That’s because today’s fraudsters have access to powerful new tools that simply didn’t exist in the past — namely in the form of generative AI (GenAI).

Thanks to GenAI, it’s much easier for fraudsters to generate a variety of different assets for use in their attacks. With large language models (LLMs), for example, fraudsters can quickly draft emails, phone scripts, website copy, social media posts, and other text they need to engage in social engineering and phishing attempts. Likewise, they can use video and image generators to create realistic selfies, documents, and deepfakes to steal someone’s identity or evade identity verification.

In the past, creating these assets would take time, skill, and a certain degree of technical know-how. Today, they can be created in seconds by almost anyone, empowering fraudsters to carry out larger and more complex attacks faster than ever before. 

Why aren’t current solutions enough to stop these threats?

Years ago, many businesses embraced two-factor and multi-factor authentication (MFA) as a way of safeguarding against employees’ credentials becoming compromised. While this is better than simply relying on passwords to secure employee accounts, it has its limitations. 

Sending a one-time passcode to a verified device upon login only tells you that the person trying to log in has access to a trusted device. But it doesn’t protect against lost or stolen devices falling into the hands of a bad actor. It also doesn’t fully protect against SIM swapping and other methods of cloning a trusted device. 

Likewise, many businesses have invested heavily in employee training designed to reduce incidents of fraud — for example, instructing workers not to open emails from unknown senders or click on suspicious links. But this training can only go so far. People will always make mistakes, and fraudsters will always exploit these mistakes if and when they do occur. 

By requiring an employee to prove who they are when they attempt to log in to their company accounts or devices — for example, by submitting a selfie or uploading a photo of their ID — identity verification offers additional assurance that current solutions like MFA and employee training simply can’t. That’s why businesses looking to stay ahead of the fraud curve should consider deploying an IAM platform that incorporates identity verification as a part of its toolkit, like Okta does with Persona.

What is workforce IDV?

Workforce IDV refers to the process of ensuring every member of your workforce — including your employees (remote and online), contractors, and freelancers — is who they say they are. It’s also called Know Your Employee (KYE).

When deployed as a part of the hiring and onboarding process, workforce IDV reduces the risk of inadvertently hiring a bad actor, especially for a remote role. When leveraged elsewhere in the employee life cycle, it helps you maintain organizational security by controlling access to accounts and sensitive data more securely than relying solely on multi-factor authentication.

It’s usually achieved by some combination of government ID verification, document verification, database verification, and selfie verification, depending on how it’s being deployed. 

4 use cases for IDV in the employee life cycle

As noted above, workforce IDV can be deployed in multiple ways throughout the employee life cycle, including:

IDV for employee onboarding

How sure are you that the person you’re hiring for a role is who they say they are? Unless you’re performing identity verification during hiring and onboarding, you can’t be completely sure. You may be asking yourself: Why would a person pretend to be someone they aren’t while applying for a job? Unfortunately, there are many potential reasons, including to:

  • Fake or forge credentials (like licenses and certifications) needed for the role

  • Avoid paying payroll and Social Security taxes

  • Gain access to trade secrets or valuable, sensitive information

  • Skirt international sanctions that prevent their hiring (as was recently seen when a US cybersecurity firm hired a North Korean threat actor)

Robust workforce IDV during hiring can help you reduce these risks — especially in remote hiring scenarios where you may never meet the applicant face to face. 

IDV for device enrollment

Any time an employee attempts to log into a work account (like email) from an unrecognized device, there’s a certain level of risk that the login attempt was actually completed by a bad actor trying to engage in an account takeover. That’s why most businesses trigger multi-factor authentication when an unrecognized device is detected during login. But, as noted above, MFA isn’t a silver bullet to protect against account takeovers, especially in cases where a trusted device has been compromised in some way. One way to reduce this risk is to require employees to reverify themselves when they’re enrolling new devices.

For example, you can require employees attempting to log into a work account on an unrecognized device to capture a selfie. This image would then be compared against an image on file — such as the portrait of a government ID or a previously-captured selfie. This way, even if a bad actor has compromised a trusted device, they will be denied access upon failing reverification. 

IDV for account recovery

Even your best employees may occasionally forget their passwords and end up accidentally locked out of accounts they legitimately should have access to. This doesn’t just result in downtime for the employee that’s locked out of their account; it also means other resources — like your IT department or helpdesk — need to be pulled in to resolve the ticket. 

But it doesn’t have to be this way. By deploying automatic reverification during account recovery, you empower the affected employee to regain access to their account without tying up your helpdesk. The same is true for other incidents where IT might otherwise need to get involved — for example, when an employee needs to reset their password or MFA settings. 

IDV during high-risk actions

Employees often need to perform actions that carry a high degree of risk for the business — for example, initiating a large transaction, accessing sensitive information, or downloading data. Requiring an employee to reverify themselves at these high-risk moments can help protect against inappropriate access or account takeover. 

Ideally, you’ll tailor the amount of friction an employee encounters in these moments to the degree of risk associated with each action. Employees seeking to engage in lower-risk actions will encounter less friction, while employees seeking to engage in higher-risk actions will encounter more friction. 

Getting workforce IDV right with Persona + Okta

At Persona, we understand that a one-size-fits-all approach to identity verification doesn’t work. We also understand that thinking about assurance requires planning for both the person being verified (your employees) and the team doing the verifying (your IT and security teams). 

When the IDV experience introduces too much friction, not only does it lead to decreased employee productivity, as they are blocked from accessing crucial business systems, but it also leads to a higher burden of support tickets and internal requests for IT and security teams to address. Moreover, it makes employees more likely to find ways to try and bypass security measures — according to one recent survey, 65% of employees indicate that they’ve bypassed cybersecurity policies for convenience. The strategy that’s right for you will be the one that’s tailored to the realities of your business, your industry, and what your workforce looks like. 

That’s why we’ve integrated with Okta: to make it easier than ever for businesses to incorporate identity verification into their IAM strategy. By leveraging this integration, you gain access to:

  • An automated IDV solution that increases security without increasing the workload on your IT or security teams

  • A range of verification methods — including government ID verification, selfie verification, and database verification — so you can tailor your strategy to your specific risk tolerance and needs 

  • A wide breadth of fraud signals, including active signals as well as passive signals like IP addresses, device or browser fingerprints, and behavioral indicators like hesitation, to better fight and adapt to sophisticated fraud

  • Global coverage in over 200 countries and territories in 20 languages so you can verify identities around the world and build a truly global workforce without compromising on security

  • Granular access controls and role-based permissions so you can fine-tune who should have access to which systems and accounts

Ready to learn more about how Persona can help you get workplace identity proofing right? Learn more about our integration with Okta’s Workforce Identity Cloud, how Okta leverages Persona for Workforce IDV, or request a demo today to get started.

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Justin Lo
Justin leads the product marketing team at Persona. In his spare time, he enjoys trying out new restaurants and jamming with Personified, Persona's in-house band.