Workplace identity proofing: Methods & best practices

Workplace identity proofing can help employers mitigate risks associated with employment fraud. Here are 5 best practices to guide your identity proofing.

Last updated: 12/12/2024
⚡ Key takeaways
  • Workplace identity proofing is the process of verifying that an applicant, hire, or employee is actually who they say they are.
  • Implementing identity proofing in the workplace can help you mitigate many types of employment fraud — e.g. remote worker fraud and employment identity theft — as well as account takeovers of legitimate employees. 
  • Best practices include basing your proofing processes on a thorough risk assessment of your business and leveraging multiple types of verification for comprehensive coverage. 

Many businesses consider their employees their most valuable asset. After all, without trusted and skilled employees, most businesses would find it difficult to design, produce, and deliver a product or service at scale. 

Unfortunately, employees can also sometimes be a liability — especially if they’re lying about their identity. When you hire someone without really knowing who that person is, you open your business up to a variety of risks, including everything from remote worker fraud to data breaches, embezzlement, theft, and more. 

The good news? A thorough workplace identity proofing process can help you vet any applicant — and understand the risks they might pose to your business — before you hire them. It can also help you avoid fraud attacks where bad actors impersonate your legitimate employees. 

Below, we explain what workplace identity proofing is before offering some best practices you can use to design and shape your own processes. 

What is workplace identity proofing?

To understand workplace identity proofing, it’s important to understand what identity proofing is more broadly. According to the National Institute of Standards and Technology (NIST), identity proofing consists of three main steps:

  1. During resolution, the goal is to distinguish the claimed identity from the general population to determine whether it is truly unique. 
  2. During validation, the goal is to determine whether the identity evidence is valid and genuine; i.e., that it is correct and isn’t counterfeit or stolen. Validation also involves determining whether the claimed identity exists in the real world. 
  3. During verification, the goal is to determine whether the claimed identity actually belongs to the person claiming it.  

With this in mind, workplace identity proofing refers to this process when it takes place in the context of employment. Usually, it occurs during the hiring and employee onboarding process, especially for remote workers. Some companies also leverage identity proofing when an employee attempts to log into their work accounts, access sensitive information, and/or complete otherwise risky actions. 

Workplace identity proofing is broadly related to the concepts of Know Your Employee (KYE) and employment identity verification.

Why is workplace identity proofing so important?

In virtually all jurisdictions, you’re required to verify that the people you intend to hire have the legal right to be employed in the country. To determine this, you must verify an individual’s identity within a reasonable margin of error. With this in mind, at its simplest level, workplace identity proofing helps you comply with these laws and regulations. 

The benefits extend beyond this, however, as identity proofing also helps you evaluate the different risks that a new hire might pose, which can help you avoid hiring people that might carry out various types of fraud, including:

  • Remote worker fraud
  • Employment identity theft
  • Data breaches
  • Corporate espionage
  • Embezzlement
  • and more

Additionally, periodically reverifying employees can help catch instances where a fraudster or bad actor tries to impersonate a legitimate employee to gain access to systems or accounts that they shouldn’t have access to. For example, if a remote employee tries to log into an account from a new device or location far from their known address, that might point to an account takeover due to social engineering, phishing, password spraying, or credential stuffing.

Best practices for identity proofing in the workplace

Whether you’re designing a workplace identity-proofing strategy from scratch or fine-tuning your processes, we’ve outlined some best practices below to help you in your rollout. 

1. Start with a risk assessment

As discussed above, businesses implement employee identity proofing for one main reason: to manage risk. It only makes sense, then, that the identity-proofing strategy you ultimately pursue should be based on the results of an in-depth risk assessment. 

While each business has its own nuances that should inform this risk assessment, consider asking the following questions:

  • Is your business or industry subject to any specific laws or regulations requiring employee verification? If so, what are the potential penalties for non-compliance?
  • Does your business handle any sensitive customer data, such as financial information, medical records, or personally identifiable information (PII) that would be valuable targets for fraudsters?
  • Does your business currently have or intend to have a large portion of remote workers? Will these workers need to access any sensitive information while they are remote? 
  • Do you require your employees to carry certain degrees, licenses, or certifications that could potentially be forged or otherwise spoofed?
  • What specific types of fraud is your business, product, or service vulnerable to? 

Once you’ve completed this risk assessment, incorporate any insights gleaned into your broader strategy.

2. Choose the assurance level that is right for you

In the world of identity proofing, assurance refers to the degree of certainty — or confidence — that a person is who they say they are. NIST has established three Identity Assurance Levels (IALs) that a) measure this certainty and b) establish requirements for achieving them:

  • IAL1: This is the lowest level of assurance, which typically relies on self-asserted information and does not actually involve identity proofing. There is no requirement to link the individual to a specific real-life identity. 
  • IAL2: This level offers moderate assurance in a person’s identity. It requires multiple forms of proof — such as a government ID, tax identification numbers, and/or documents — to support the real-world existence of an identity, and verifies that the correct person is associated with it.
  • IAL3: This is the highest level of assurance. It requires an authorized and trained representative to verify the individual — typically in person.

Which assurance level is right for your business will depend on the results of your risk assessment, your risk tolerance, and the industry your business operates in. That said, most businesses typically gravitate toward IAL2.

3. Leverage multiple types of verification

When you rely too heavily on any single verification method, you increase the risk that a bad actor may uncover and exploit a weakness in your processes. Leveraging multiple forms of verification empowers you to achieve a higher level of assurance and increases your chance of catching bad actors before they find a way into your systems. 

For example, a business that leverages database verification alongside government ID verification may be in a better position to catch forged or altered IDs, since database verification allows them to check the veracity of the information contained in the ID. Likewise, a business that pairs government ID verification with selfie verification may be better equipped to identify and stop deepfakes and AI-generated images. And one that leverages all three may have robust coverage against a wide range of threats. 

While the specific mix of verification methods you incorporate will depend on your needs, some options include:

4. Embrace ongoing reverification

While some businesses may only perform identity proofing during the hiring and onboarding process, reverification can help you manage employee risk throughout a worker’s tenure. 

There are many reverification strategies you might consider, including:

  • Date-based reverification that is triggered when an employee’s identity evidence (government ID, visa or immigration status, certification or license, etc.) is set to expire
  • Event-based reverification that is triggered when an employee attempts to complete a high-risk action, such as accessing sensitive information, changing a record, or downloading a database
  • Continuous reverification that takes place in an ongoing manner — for example, perpetually scanning employees against sanctions lists, watchlists, PEP databases, and for adverse media mentions 

5. Think beyond verification

While identity verification plays a crucial role in workplace identity proofing, it isn’t the only way to evaluate employee risk. In addition to whatever verification methods you choose to implement, consider also assessing a variety of risk signals — including passive signals like IP address, geolocation, device fingerprint, and browser fingerprint.

These signals can offer significant insights into the risks posed by applicants, hires, and employees. If a job applicant is using an IP address linked to a high-risk country known for fraud, for example, you might rethink hiring them or require additional information and proof of identity. Likewise, if an employee tries logging into their work account from a new device or unusual location, you might require reverification to counter account takeover attempts. 
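
The date-based and event-based reverification triggers from the previous section and the passive signals described here can feed one step-up decision. The Python sketch below is an added example, not Persona's code or API; the thresholds, field names, and action names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed policy values; tune them from your own risk assessment.
EXPIRY_WINDOW = timedelta(days=30)   # reverify this long before evidence expires
MAX_DISTANCE_KM = 500                # cut-off for "far from known address"
HIGH_RISK_ACTIONS = {"export_database", "change_payroll_record", "view_customer_pii"}

@dataclass
class Employee:
    known_devices: set
    home: tuple             # (lat, lon) of the known address
    evidence_expiry: date   # earliest expiry among ID, visa, licence

@dataclass
class Event:
    device_id: str
    location: tuple         # (lat, lon) derived from IP geolocation
    action: str
    when: date

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def reverification_reasons(emp, ev):
    """Return every trigger that fired; an empty list means no step-up is needed."""
    reasons = []
    if emp.evidence_expiry - ev.when <= EXPIRY_WINDOW:
        reasons.append("evidence_expiring")      # date-based (also fires if expired)
    if ev.action in HIGH_RISK_ACTIONS:
        reasons.append("high_risk_action")       # event-based
    if ev.device_id not in emp.known_devices:
        reasons.append("new_device")             # passive signal
    if km_between(emp.home, ev.location) > MAX_DISTANCE_KM:
        reasons.append("unusual_location")       # passive signal
    return reasons

# Constructed sample data: one routine login, one that trips every trigger.
alice = Employee({"laptop-01"}, (40.7128, -74.0060), date(2025, 6, 30))
routine = Event("laptop-01", (40.73, -73.99), "read_wiki", date(2025, 1, 15))
suspect = Event("unknown-77", (51.5074, -0.1278), "export_database", date(2025, 6, 10))

if __name__ == "__main__":
    for name, ev in (("routine", routine), ("suspect", suspect)):
        print(name, reverification_reasons(alice, ev))
```

Returning the list of reasons rather than a single yes/no lets the caller log why a reverification was requested and pick a proportionate check. IP-derived location is coarse and shifts with VPN use, so treat `unusual_location` as a prompt for reverification rather than proof of takeover.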

Passive signals can also facilitate link analysis, empowering you to understand how an applicant or employee is linked to others within your database — for example, known fraudsters. 

How Persona can help

Here at Persona, we understand that a cookie-cutter approach to identity proofing doesn’t work. From the regulations your business must comply with to the number of remote workers on staff to the types of fraud your business is subject to, your business is unique. You need an identity-proofing strategy tailored to your specific needs.

With Persona’s flexible identity platform, you can design the process that works for you. Choose which verification methods will get you to the assurance level you need. Select which passive signals you want to collect for added context. Deploy reverifications, link analysis, ancillary reports, and more to mitigate the types of risk your business specifically sees. 

Ready to learn more about how Persona can help you get workplace identity proofing right? Learn more about our integration with Okta’s Workforce Identity Cloud or request a demo today to get started.

Published on:
12/12/2024
