Many businesses consider their employees their most valuable asset. After all, without trusted and skilled employees, most businesses would find it difficult to design, produce, and deliver a product or service at scale.
Unfortunately, employees can also sometimes be a liability — especially if they’re lying about their identity. When you hire someone without really knowing who that person is, you open your business up to a variety of risks, including everything from remote worker fraud to data breaches, embezzlement, theft, and more.
The good news? A thorough workplace identity proofing process can help you vet any applicant — and understand the risks they might pose to your business — before you hire them. It can also help you avoid fraud attacks where bad actors impersonate your legitimate employees.
Below, we explain what workplace identity proofing is before offering some best practices you can use to design and shape your own processes.
What is workplace identity proofing?
To understand workplace identity proofing, it’s important to understand what identity proofing is more broadly. According to the National Institute of Standards and Technology (NIST), identity proofing consists of three main steps:
- During resolution, the goal is to distinguish the claimed identity from the general population to determine whether it is truly unique.
- During validation, the goal is to determine whether the identity evidence is valid and genuine; i.e., that it is correct and isn’t counterfeit or stolen. Validation also involves determining whether the claimed identity exists in the real world.
- During verification, the goal is to determine whether the claimed identity actually belongs to the person claiming it.
With this in mind, workplace identity proofing refers to this process when it takes place in the context of employment. Usually, it occurs during the hiring and employee onboarding process, especially for remote workers. Some companies also leverage identity proofing when an employee attempts to log into their work accounts, access sensitive information, and/or complete otherwise risky actions.
Workplace identity proofing is broadly related to the concepts of Know Your Employee (KYE) and employment identity verification.
Why is workplace identity proofing so important?
In virtually all jurisdictions, you’re required to verify that the people you intend to hire have the legal right to be employed in the country. To determine this, you must verify an individual’s identity within a reasonable margin of error. With this in mind, at its simplest level, workplace identity proofing helps you comply with these laws and regulations.
The benefits extend beyond this, however, as identity proofing also helps you evaluate the different risks that a new hire might pose, which can help you avoid hiring people that might carry out various types of fraud, including:
- Remote worker fraud
- Employment identity theft
- Data breaches
- Corporate espionage
- Embezzlement
- and more
Additionally, periodically reverifying employees can help catch instances where a fraudster or bad actor tries to impersonate a legitimate employee to gain access to systems or accounts that they shouldn’t have access to. For example, if a remote employee tries to log into an account from a new device or location far from their known address, that might point to an account takeover due to social engineering, phishing, password spraying, or credential stuffing.
Best practices for identity proofing in the workplace
Whether you’re designing a workplace identity-proofing strategy from scratch or fine-tuning your processes, we’ve outlined some best practices below to help you in your rollout.
1. Start with a risk assessment
As discussed above, businesses implement employee identity proofing for one main reason: to manage risk. It only makes sense, then, that the identity-proofing strategy you ultimately pursue should be based on the results of an in-depth risk assessment.
While each business has its own nuances that should inform this risk assessment, consider asking the following questions:
- Is your business or industry subject to any specific laws or regulations requiring employee verification? If so, what are the potential penalties for non-compliance?
- Does your business handle any sensitive customer data, such as financial information, medical records, or personally identifiable information (PII) that would be valuable targets for fraudsters?
- Does your business currently have or intend to have a large portion of remote workers? Will these workers need to access any sensitive information while they are remote?
- Do you require your employees to carry certain degrees, licenses, or certifications that could potentially be forged or otherwise spoofed?
- What specific types of fraud is your business, product, or service vulnerable to?
Once you’ve completed this risk assessment, incorporate any insights gleaned into your broader strategy.
2. Choose the assurance level that is right for you
In the world of identity proofing, assurance refers to the degree of certainty — or confidence — that a person is who they say they are. NIST has established three Identity Assurance Levels (IALs) that a) measure this certainty and b) establish requirements for achieving them:
- IAL1: This is the lowest level of assurance, which typically relies on self-asserted information and does not actually involve identity proofing. There is no requirement to link the individual to a specific real-life identity.
- IAL2: This level offers moderate assurance in a person’s identity. It requires multiple forms of proof — such as a government ID, tax identification numbers, and/or documents — to support the real-world existence of an identity, and verifies that the correct person is associated with it.
- IAL3: This is the highest level of assurance. It requires an authorized and trained representative to verify the individual — typically in person.
Which assurance level is right for your business will depend on the results of your risk assessment, your risk tolerance, and the industry your business operates in. That said, most businesses typically gravitate toward IAL2.
3. Leverage multiple types of verification
When you rely too heavily on any single verification method, you increase the risk that a bad actor may uncover and exploit a weakness in your processes. Leveraging multiple forms of verification empowers you to achieve a higher level of assurance and increases your chance of catching bad actors before they find a way into your systems.
For example, a business that leverages database verification alongside government ID verification may be in a better position to catch forged or altered IDs, since database verification allows them to check the veracity of the information contained in the ID. Likewise, a business that pairs government ID verification with selfie verification may be better equipped to identify and stop deepfakes and AI-generated images. And one that leverages all three may have robust coverage against a wide range of threats.
While the specific mix of verification methods you incorporate will depend on your needs, some options include:
- Government ID verification: Collecting and verifying one or multiple government IDs, such as a driver’s license, passport, passport card, or digital ID
- Database verification: Cross-checking the information provided by an applicant, hire, or employee against the information contained in an issuing or authoritative database
- Document verification: Collecting and verifying documents, such as mail (for address verification) or licenses and certificates (for credential verification)
- Selfie verification: Collecting a selfie and comparing it against the ID portrait to identify potentially fake, forged, or altered documents
- Additional reports: Screening applicants or hires against sanctions lists, watchlists, politically exposed persons (PEP) lists, and adverse media databases to get a better sense of the risks they pose
4. Embrace ongoing reverification
While some businesses may only perform identity proofing during the hiring and onboarding process, reverification can help you manage employee risk throughout a worker’s tenure.
There are many reverification strategies you might consider, including:
- Date-based reverification that is triggered when an employee’s identity evidence (government ID, visa or immigration status, certification or license, etc.) is set to expire
- Event-based reverification that is triggered when an employee attempts to complete a high-risk action, such as accessing sensitive information, changing a record, or downloading a database
- Continuous reverification that takes place in an ongoing manner — for example, perpetually scanning employees against sanctions lists, watchlists, PEP databases, and for adverse media mentions
5. Think beyond verification
While identity verification plays a crucial role in workplace identity proofing, it isn’t the only way to evaluate employee risk. In addition to whatever verification methods you choose to implement, consider also assessing a variety of risk signals — including passive signals like IP address, geolocation, device fingerprint, and browser fingerprint.
These signals can offer significant insights into the risks posed by applicants, hires, and employees. If a job applicant is using an IP address linked to a high-risk country known for fraud, for example, you might rethink hiring them or require additional information and proof of identity. Likewise, if an employee tries logging into their work account from a new device or unusual location, you might require reverification to counter account takeover attempts.
Passive signals can also facilitate link analysis, empowering you to understand how an applicant or employee is linked to others within your database — for example, known fraudsters.
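The reverification triggers from step 4 (date-based and event-based) and the passive signals from step 5 (new device, unusual location) are easiest to reason about as one decision function that runs on every access event. The following is an added example written for this article; it is not Persona's code or API. The employee record, device fingerprints, coordinates and dates are constructed sample data, and the policy values (a 30-day expiry warning window, a 500 km "unusual distance" threshold, the set of high-risk actions) are assumptions a real deployment would take from its own risk assessment.

```python
"""Step-up reverification decision engine (added example, not Persona's code).

Combines the triggers described above:
  - date-based:   identity evidence (ID, visa, license) expired or about to expire
  - event-based:  the employee is attempting a high-risk action
  - passive:      login from an unknown device fingerprint or an unusual location
All employee data, fingerprints and coordinates below are constructed samples.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values; a real deployment derives these from its risk assessment.
HIGH_RISK_ACTIONS = {"access_sensitive_data", "change_payroll_record", "export_database"}
EXPIRY_WARNING_DAYS = 30      # reverify when evidence expires within 30 days
UNUSUAL_DISTANCE_KM = 500     # more than 500 km from the verified location is unusual


@dataclass
class Employee:
    employee_id: str
    known_devices: set[str]                # fingerprints seen at onboarding / last reverification
    known_location: tuple[float, float]    # (lat, lon) of the verified address or home office
    evidence_expiry: dict[str, date]       # e.g. {"passport": ..., "work_visa": ...}


@dataclass
class AccessEvent:
    employee_id: str
    device_fingerprint: str
    location: tuple[float, float]
    action: str
    when: date


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def reverification_triggers(emp: Employee, ev: AccessEvent) -> list[str]:
    """Return every reason (possibly none) this event should require the employee
    to re-prove their identity before the action proceeds."""
    reasons: list[str] = []
    # Date-based: evidence already expired or expiring inside the warning window.
    for kind, expiry in emp.evidence_expiry.items():
        if expiry <= ev.when + timedelta(days=EXPIRY_WARNING_DAYS):
            reasons.append(f"date:{kind}_expires_{expiry.isoformat()}")
    # Event-based: the requested action is itself high-risk.
    if ev.action in HIGH_RISK_ACTIONS:
        reasons.append(f"event:{ev.action}")
    # Passive signal: device fingerprint never seen for this employee.
    if ev.device_fingerprint not in emp.known_devices:
        reasons.append("signal:new_device")
    # Passive signal: far from the employee's verified location.
    dist = haversine_km(emp.known_location, ev.location)
    if dist > UNUSUAL_DISTANCE_KM:
        reasons.append(f"signal:unusual_location_{int(dist)}km")
    return reasons


def decide(emp: Employee, ev: AccessEvent) -> tuple[str, list[str]]:
    """Map triggers to an outcome: 'allow', 'step_up' (reverify, then proceed) or 'block'."""
    reasons = reverification_triggers(emp, ev)
    if not reasons:
        return "allow", reasons
    new_device = "signal:new_device" in reasons
    far_away = any(r.startswith("signal:unusual_location") for r in reasons)
    # New device + unusual location + high-risk action matches the account-takeover
    # pattern described above rather than a travelling employee: hold it for review.
    if new_device and far_away and ev.action in HIGH_RISK_ACTIONS:
        return "block", reasons
    return "step_up", reasons


# Constructed sample employee: verified address in San Francisco, visa expiring mid-2025.
SAMPLE_EMPLOYEE = Employee(
    employee_id="emp-0001",
    known_devices={"fp-abc123"},
    known_location=(37.7749, -122.4194),
    evidence_expiry={"passport": date(2031, 1, 1), "work_visa": date(2025, 6, 15)},
)


def demo() -> dict[str, tuple[str, list[str]]]:
    """Run the engine over four constructed events and return each outcome."""
    nearby = (37.8044, -122.2712)            # Oakland, ~13 km from the verified address
    far = (51.5074, -0.1278)                 # London, ~8,600 km away
    events = {
        "routine_login": AccessEvent("emp-0001", "fp-abc123", nearby, "read_calendar", date(2025, 1, 10)),
        "visa_expiring": AccessEvent("emp-0001", "fp-abc123", nearby, "read_calendar", date(2025, 6, 1)),
        "sensitive_access_known_device": AccessEvent("emp-0001", "fp-abc123", nearby, "access_sensitive_data", date(2025, 1, 10)),
        "takeover_pattern": AccessEvent("emp-0001", "fp-9f9f9f", far, "export_database", date(2025, 1, 10)),
    }
    return {name: decide(SAMPLE_EMPLOYEE, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (outcome, reasons) in demo().items():
        print(f"{name:32s} -> {outcome:8s} {reasons}")
```

The engine returns the reasons alongside the outcome so that the step-up prompt (or the analyst reviewing a block) can see which trigger fired; a "step_up" on a visa expiry should lead to a document re-collection flow, whereas a "step_up" on a new device should lead to a selfie or ID re-verification, and the two should not be conflated in audit logs.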
How Persona can help
Here at Persona, we understand that a cookie-cutter approach to identity proofing doesn’t work. From the regulations your business must comply with to the number of remote workers on staff to the types of fraud your business is subject to, your business is unique. You need an identity-proofing strategy tailored to your specific needs.
With Persona’s flexible identity platform, you can design the process that works for you. Choose which verification methods will get you to the assurance level you need. Select which passive signals you want to collect for added context. Deploy reverifications, link analysis, ancillary reports, and more to mitigate the types of risk your business specifically sees.
Ready to learn more about how Persona can help you get workplace identity proofing right? Learn more about our integration with Okta’s Workforce Identity Cloud or request a demo today to get started.