Identity proofing, or identity verification, is the process of verifying that someone is who they say they are. It ensures that the claimed digital identity exists in the real world and that the person claiming it is an authorized representative for that identity.
Historically, identity proofing has been performed by organizations as part of onboarding, before or alongside the issuing of authentication credentials for digital systems. Often it is done through in-office visits or a series of manually performed steps.
Identity proofing is necessary to help mitigate the risk of unauthorized access, identity fraud, data breaches, and other malicious activity against your services and sensitive data. Authentication establishes that a user possesses the credentials; identity proofing establishes that the person holding those credentials is who they claim to be.
Identity risks occur throughout the customer or employee identity lifecycle. Many companies apply identity proofing at new account opening or employee hire and neglect other key moments of increased risk. Adversaries targeting credentials do not stop at impersonation or interception during onboarding.
Threat actors frequently target weak links in the authentication chain, such as account recovery and day-to-day activities. Modern identity proofing should follow the user journey and extend beyond initial onboarding to give continuous protection against identity fraud.
Potential candidates may misrepresent their qualifications and experience by using fake documents or references during the interview process to increase their chances of being hired by a company.
The growing trend of remote work, combined with AI technology, has also made it easier for imposters to create deepfake video of a candidate, AI-generated voices and résumés, and to use interview proxies to game the interview process. This is why candidate verification is becoming increasingly important for HR teams.
Before giving any new hire access to corporate systems and data, HR teams need to ensure that the person they are onboarding has a credible identity and is the legitimate owner of the identity they are claiming. They also need to verify that the new employee is, in fact, the person that was interviewed for the role.
Credential resets happen for many reasons, such as a lost mobile device or forgotten access information. Organizations typically have the employee call the company help desk, which verifies the caller through familiarity, secret questions, and loosely held identifiers such as an employee ID.
Attackers increasingly exploit these weak checks with social engineering, deepfakes, and AI-generated voice to trick IT teams into issuing new credentials. Modern identity proofing techniques address the challenges of a global workforce and equip support teams to confirm that the person seeking access is who they say they are.
Employees may need elevated privileges as they take on more responsibility. Before granting access to systems and data that were previously out of reach, organizations must verify both that the change in role is legitimate and that the person requesting it is the employee in question. This defends against unauthorized access and data breaches aimed at these career moments.
Other situations may arise where an employee's behavior seems suspicious or there are indications of elevated risk to the organization. For example, an organization may require identity proofing after an employee attempts to access the network from an unexpected location or at an unusual time, or after security tools have flagged the account.
NIST defines identity proofing primarily in Special Publication 800-63A, which describes the process of verifying an individual's identity using evidence supplied by the applicant. Historically, the methods used have included in-person verification against a government-issued document, knowledge-based answers about the applicant, or secret questions set up earlier with the company.
Depending on the user's level of access and privilege, companies may chain multiple steps to challenge the user further. This is often not user-centric and can create significant friction before verification succeeds.
NIST defines Identity Assurance Levels (IALs): IAL1 for the lowest level of assurance, and IAL2 and IAL3 for progressively stricter proofing suited to higher-risk and privileged access (IAL3 requires in-person or supervised remote proofing against physical evidence).
Modern identity proofing takes the user's privileges and access requirements into account and challenges the user only for the evidence that level of risk calls for.
Orchestrating a user journey through identity proofing should minimize context switching, require little or no software download to proceed, and cause minimal disruption to the action the user is trying to perform.
Organizations typically combine different types of identity proofing since each type offers different levels of trust and security.
Identity documents can be stolen, altered, or forged by malicious actors. To mitigate these risks, organizations employ various technologies to digitally verify the validity of a government-issued document such as a passport, driver's license, or military ID card.
Another method of identity proofing is to identify distinct physical or behavioral characteristics: physical biometrics such as fingerprints, facial features, and voice patterns, and behavioral biometrics such as keystroke dynamics and mouse movements.
Because biometrics are typically harder to fake or forge than documents, biometric verification delivers a higher level of trust, provided it includes liveness detection to resist presentation attacks and deepfakes. It is often combined with other identity verification methods such as document verification.
Video verification is executed through a live video session and involves prompts and actions aimed at verifying a user's liveness while looking for signs of spoofing or coercion. It may also include document verification to confirm that the person on the government-issued ID is the same as the one on video.
Knowledge-based verification asks the individual for personal information that, in principle, only they should know, such as where they went to high school or the name of a pet. A one-time 2FA code is not knowledge-based verification; it proves possession of a device or token, not identity. Knowledge-based answers are also weak on their own, since much of this information can be found in breached data and on social media.
Familiarity-based verification is when an administrator verifies a user through familiarity built up in prior interactions. In person, recognizing someone they have met before, or hearing a new individual describe common connections and the working environment in detail, strengthens an administrator's confidence in the person seeking verification.
In a remote environment, an existing colleague may offer similar clues. But remotely these clues are easy to fabricate, and threat actors deliberately research them to build false trust.
While identity proofing for customers and the workforce share many similarities and methods, there are a few key differences:
The risks from insufficient identity proofing are widespread and growing, and they underscore its importance at every stage of the employee lifecycle.
Recent examples include:
The MGM Attack
The 2023 MGM Resorts attack is a prime example: attackers impersonated an employee, convinced help desk personnel to reset account credentials, and eventually gained full access to IT systems, exfiltrating highly sensitive data. The attack cost the resort group over $100 million and disrupted operations for days.
Fake IT hires from North Korea
The FBI has issued multiple warnings about North Korean IT workers posing as U.S.-based contractors. Thousands have been hired by U.S. companies, with their paychecks sent to North Korea to fund its ballistic missile programs.
They faked their identities using a combination of forged documents, social media profiles, third-party facilitators, and proxy servers. Most recently, the FBI warned that such imposters are exfiltrating data and proprietary code and extorting victim companies for ransom.
Remote workers that fail identity verification
HYPR uncovered its own fake IT worker case when a contractor hired through an IT service firm failed identity verification during onboarding. First, a location check did not match the information he had provided.
Second, there were discrepancies between the passport photo and the face scan during biometric verification. Finally, the new hire refused to turn on his camera for video verification, citing technical issues. He then abruptly ceased contact and told the contracting firm he had found another position.
The last example illustrates the importance of a multi-layered approach to identity proofing during both hiring and onboarding; the same approach helps counter North Korean IT worker scams. Likewise, requiring identity verification before a help desk credential reset, rather than relying on familiarity with the caller, could have mitigated the MGM attack.
The rise of hybrid and remote work, cloud and AI technology demands that organizations turn to identity proofing to secure their data and IT infrastructure.
Other benefits of identity proofing include:
Identity proofing helps organizations meet a wide range of standards and regulations, including:
A multi-layered approach to identity proofing allows organizations to implement different user identification methods based on the use case and level of risk. Different use cases may also require adhering to different regulations or standards, depending on the industry.
Avoid an approach so strict that it rejects legitimate candidates, or employees who have legitimately gained more responsibility and access to sensitive data. At the same time, an approach that is too loose lets fraudulent users slip through and endanger your organization.
For example, a multi-layered approach lets you combine document verification with biometric verification for routine cases with as little friction as possible, while reserving stronger verification, such as a live video session, for higher-risk situations.
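The risk triggers described above (unexpected location, unusual time, security tool alerts, credential resets, privilege changes) and the layered response (biometric only, document plus biometric, or both plus live video) can be expressed as a small step-up policy. The following is an added example written for this page, not HYPR's product logic or code from the original article. The signal weights, score thresholds, event names and the assumed "usual" working-hours window are illustrative assumptions; the sample events and check results are constructed, and the last one mirrors the contractor case recounted later on this page.

```python
"""Risk-based step-up identity proofing policy (illustrative, assumed weights)."""
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum


class Assurance(IntEnum):
    """Proofing layers, ordered from least to most friction."""
    NONE = 0                      # normal authentication only
    BIOMETRIC = 1                 # face match against the reference enrolled at onboarding
    DOCUMENT_BIOMETRIC = 2        # government ID check plus face match with liveness
    DOCUMENT_BIOMETRIC_VIDEO = 3  # adds a live video session with an agent


@dataclass(frozen=True)
class AccessEvent:
    user: str
    event_type: str               # "login", "credential_reset", "privilege_change", "onboarding"
    country: str
    usual_countries: frozenset
    timestamp: datetime           # user's local time
    flagged_by_security_tools: bool = False
    requested_role: str = "standard"   # "standard" or "admin"


# Assumed weights: lifecycle moments carry a baseline, contextual anomalies add to it.
SIGNAL_WEIGHTS = {
    "onboarding": 4, "credential_reset": 2, "privilege_escalation": 2,
    "security_tool_alert": 3, "unexpected_location": 2, "unusual_time": 1,
}
WORK_HOURS = range(7, 20)  # assumed "usual" local hours, 07:00 to 19:59


def risk_signals(ev: AccessEvent) -> list[str]:
    """Name every risk signal present on the event, lifecycle signals first."""
    signals = []
    if ev.event_type == "onboarding":
        signals.append("onboarding")
    if ev.event_type == "credential_reset":
        signals.append("credential_reset")
    if ev.event_type == "privilege_change" and ev.requested_role == "admin":
        signals.append("privilege_escalation")
    if ev.flagged_by_security_tools:
        signals.append("security_tool_alert")
    if ev.country not in ev.usual_countries:
        signals.append("unexpected_location")
    if ev.timestamp.hour not in WORK_HOURS:
        signals.append("unusual_time")
    return signals


def required_assurance(ev: AccessEvent) -> Assurance:
    """Map the summed signal weight to the proofing layers to demand (assumed thresholds)."""
    score = sum(SIGNAL_WEIGHTS[s] for s in risk_signals(ev))
    if score == 0:
        return Assurance.NONE
    if score == 1:
        return Assurance.BIOMETRIC
    if score <= 3:
        return Assurance.DOCUMENT_BIOMETRIC
    return Assurance.DOCUMENT_BIOMETRIC_VIDEO


def proofing_outcome(required: Assurance, results: dict[str, str]) -> str:
    """Decide on the results of the layers that were run; fails closed.

    results maps a layer name to "pass", "fail" or "declined". Every required layer
    must be present and passing; a declined layer (a camera that "does not work")
    counts as a failure, not as a skipped step.
    """
    needed = {
        Assurance.NONE: [],
        Assurance.BIOMETRIC: ["biometric"],
        Assurance.DOCUMENT_BIOMETRIC: ["document", "biometric"],
        Assurance.DOCUMENT_BIOMETRIC_VIDEO: ["document", "biometric", "video"],
    }[required]
    for layer in needed:
        if results.get(layer) != "pass":
            return "deny_and_escalate"  # hand to a human reviewer, never auto-approve
    return "allow"


def sample_events() -> dict[str, AccessEvent]:
    """Constructed events covering the lifecycle moments discussed on the page."""
    usual = frozenset({"US"})
    return {
        "routine_login": AccessEvent("alice", "login", "US", usual, datetime(2024, 5, 6, 10, 0)),
        "late_login": AccessEvent("alice", "login", "US", usual, datetime(2024, 5, 6, 22, 30)),
        "flagged_login": AccessEvent("alice", "login", "US", usual, datetime(2024, 5, 6, 11, 0), True),
        "admin_request": AccessEvent("alice", "privilege_change", "US", usual,
                                     datetime(2024, 5, 6, 14, 0), requested_role="admin"),
        "reset_abroad_at_night": AccessEvent("alice", "credential_reset", "RO", usual,
                                             datetime(2024, 5, 6, 3, 0)),
        "onboarding": AccessEvent("bob", "onboarding", "US", usual, datetime(2024, 5, 6, 9, 0)),
    }


if __name__ == "__main__":
    for name, ev in sample_events().items():
        print(f"{name:22} {risk_signals(ev)} -> {required_assurance(ev).name}")
    # Contractor case: document and face scan disagree, video declined.
    print(proofing_outcome(Assurance.DOCUMENT_BIOMETRIC_VIDEO,
                           {"document": "pass", "biometric": "fail", "video": "declined"}))
```

The design choice worth noting is that a declined or missing layer is treated the same as a failed one and routed to a human, so a candidate who "cannot get the camera to work" is not quietly waved through with document checks alone.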
After mapping your existing systems, identify any security gaps or weaknesses. Run through different user scenarios to understand where you need identity proofing in the user journey (e.g., at login for a bank account, before continuing the interview process for an employee).
Run extensive pilot tests to evaluate the integration’s ability to deliver a seamless and frictionless experience while ensuring security. Mapping existing systems and testing integrations helps to ensure that the identity proofing implementation strategy you choose is the one that aligns with your organization’s operational needs.
Offer adequate support and training so that employees use the identity proofing process effectively and understand how it helps the organization meet legal and industry regulations.
Make sure stakeholders clearly understand the benefit that identity proofing can bring to the organization, such as a reduced risk of cybersecurity attacks and subsequent monetary fines, increased operational efficiency, and a faster, more secure employee interview or onboarding process.
As threats evolve, the identity proofing process must change to meet rising security demands. Organizations must continuously adapt to new technology, emerging threats, and updated compliance requirements, and revisit how identity proofing helps them defend against those threats and meet the latest regulations.
When considering implementing an identity proofing solution, your organization should ensure that it:
As an identity security provider to two of the largest U.S. banks, HYPR uses identity proofing to link real-world and digital identities, triggering it at critical moments of heightened risk.
HYPR’s automated identity verification solution, HYPR Affirm, delivers continuous proofing and verification for both your workforce and customers throughout the identity lifecycle.
Its features include: