Identity verification has emerged as a key component of modern enterprise security as rules tighten and cyber threats, increasingly powered by AI, grow in volume and effectiveness. Emerging technology, changing attack patterns, and new regulations are all influencing how companies validate identities.
Traditional identity proofing and verification methods — which are generally employed only at fixed checkpoints such as employee onboarding — are no longer enough. The prevalence of hybrid workforces, the advancement of fraud techniques, and the demand for seamless user experiences, are driving a shift toward continuous, contextual identity proofing. As we go into 2025, we look at key identity verification challenges and trends and their effects on workplace security.
It's increasingly common for organizations to discover (eventually) that the candidate they thought they hired for a role is not the person that joins the company. The FBI and other agencies have issued multiple alerts about fake IT workers from North Korea infiltrating U.S. companies by using fabricated or stolen identities. The most recent FBI statement warns that the stakes have grown higher, with North Korean IT workers extorting victims by holding stolen proprietary data and code hostage until the companies pay a ransom.
The focus on the threat from North Korea however, while undeniably severe, masks the growing and widespread nature of the issue. Fraudsters exploit the ubiquity of remote work to pull a bait and switch, using deepfakes or stand-ins to impersonate job candidates during interviews and verification processes. The person that shows up on day one, and granted system access, isn’t the same person who went through the initial screening. Motivations range from the somewhat innocuous, for example trying to land a job the person isn’t qualified for, to malicious attempts to gain access to corporate systems. Anyone can be a target — HYPR recently exposed its own brush with candidate fraud (which was thwarted by our Identity Assurance platform).
Credential resets remain a major vulnerability, with attackers tricking help desk agents to bypass security protocols. Most IT service desks operate with limited staff and handle a high volume of calls, many of which involve password or MFA issues. Attackers often take advantage of human nature and publicly available information to deceive service desk personnel, ultimately gaining access to legitimate credentials. Once inside, they can access sensitive systems, escalate privileges, and move laterally within an organization — often without triggering security alerts.
These attacks are particularly dangerous because they sidestep traditional security controls. Even with strong authentication policies in place, a well-executed social engineering attack can grant an adversary the same access as an authorized employee. Cybercriminals use tactics like creating a sense of urgency, posing as high-ranking executives, or leveraging insider-like information — often stolen or scraped from public sources — to make their requests seem credible. Generative AI has made these schemes even more convincing, allowing attackers to mimic speech patterns, craft realistic emails, or even generate deepfake voices in real time.
Preventing help desk social engineering with HYPR
The intensifying attacks on workforce system vulnerabilities underscore the critical need for enterprises to implement adaptive, robust identity proofing methods capable of detecting and neutralizing these sophisticated threats. Multi-factor verification (MFV) has emerged as a logical evolution of traditional multi-factor authentication (MFA). Instead of relying on authentication as the primary gatekeeper, MFV makes adaptive, risk-based identity verification an intrinsic part of daily access flows. It integrates factors like behavior, biometrics, and contextual signals to continuously validate user identity throughout the session. MFV can address weak spots in critical processes like credential recovery and device registration, which traditionally use insecure methods such as knowledge-based answers and help desk calls.
Consider a situation where a user logs in from a trusted device but behaves in an unexpected manner, for example accessing files that aren’t typical for their role or working from a different location. Based on these risk signals, MFV adjusts in real time, raising the required verification levels. By ensuring that verification aligns with the perceived threat and situational risk, MFV not only reduces the risk from compromised credentials, it provides a quicker, less intrusive process.
The draft NIST SP 800-63-4 guidelines, slated for release in 2025, introduce significant updates to strengthen identity proofing and verification standards. These include stricter provisions for remote identity proofing, incorporating advanced methods such as biometric matching and live document verification for remote onboarding. The draft standards also emphasize risk assessment, encouraging organizations to evaluate the risk level of each identity-related transaction and apply verification measures accordingly. Fraud detection is another area of focus, with requirements to detect and mitigate potential fraud during verification processes.
The guidelines highlight the shift toward continuous identity verification as a critical component of identity assurance. Enterprises looking to align with NIST 800-63-4 will need to adopt rigorous, scalable solutions to improve security while meeting compliance requirements.
Decentralized identity systems will start to gain traction in the workplace in 2025. Organizations can significantly simplify and secure processes like onboarding and credential recovery by incorporating verifiable credentials, such as Microsoft Verified ID credentials, into their identity processes. A modern decentralized identity verification workflow might include the following steps:
Example workflow to issue Microsoft Entra Verified ID credentials
This decentralized approach not only streamlines workflows but also strengthens security by reducing reliance on centralized systems.
As identity verification trends evolve, organizations must adapt to stay secure and competitive. Multi-factor verification, robust defenses against social engineering, and alignment with emerging standards like NIST 800-63-4 are critical to staying secure. Decentralized identity solutions offer promising advancements in simplifying and securing workforce processes, but only when paired with strong identity proofing practices.
HYPR’s Identity Assurance platform was built to help organizations navigate these challenges. HYPR integrates phishing-resistant passwordless authentication, adaptive risk mitigation, and automated identity verification into a streamlined and user-friendly access flow. It allows organizations to tailor identity verification processes to fit their specific environments and use cases. For instance, secure self-service options can be used in low-risk situations, while additional measures, such as live video verification, can be invoked in higher-risk scenarios or when anomalies are detected. To see how HYPR can help your organization, schedule a demo tailored to your identity security interests and needs.