Is Your New Employee Really Who They Say They Are?
New hire fraud is a top concern for Chief Security Officers (CSOs) in most organizations. With the rise of remote work during the COVID-19 pandemic, these concerns have only been exacerbated. Many companies assume that checking a new employee’s driver’s license and passport ensures that they are always the person logging in and working every day. Unfortunately, this isn’t necessarily the case. The increase in remote work in the last year has made it easier than ever for fraudsters to attack your organization. Let’s look at how identity fraud happens in an organization:
When a new employee or contractor gets hired, they receive access to numerous company resources like email and Slack. To gain access to these resources, they will likely use an active directory username and password as well as 2FA like a one-time code tool.
What happens if this employee or contractor decides to outsource some or all of their work? The employee will provide a third party outsourcer with their usernames, passwords, and 2FA codes. This can be done in seconds on collaboration tools like Slack. Whether this person simply found someone cheaper to do their work, or they are getting paid by a third party to let them into the organization to steal intellectual property, this could have detrimental security consequences for your organization. For example, your company likely did a thorough background check of your current employees and contractors. However, you did not do a background check of the subcontractor. This means that this individual could have a questionable background that is not suitable to work at your company. Your company resources and knowledge are now vulnerable to the will of the subcontractor.
How Does Identity Solve This Issue?
With the rise of remote work, identity fraud has become an even more pressing issue. To mitigate fraud, companies should embrace the same “Know Your Customer” identity proofing rules that banks have been using for years.
When a bank onboards a new customer, they are legally required to identity proof them with driver’s licenses, passports, or other government issued identification documents. The bank scans these documents for authenticity and compares them to the customer’s face. Previously, banks required each customer to be in person for this process.
Traditionally, it has been difficult to complete this process remotely. The document holder is required to scan the documents before emailing or faxing them to his or her bank. This presents several challenges for both the customer and bank:
- It is difficult to get a quality photograph of the documents. (proper angle, lighting, etc.)
- Image file size can be distorted in the transmission process (emails can compress photos)
- Personal information is at risk in several places-the candidates email, servers, the HR rep’s email
- After the company receives the documents, it’s still difficult to verify the identity of the individual sending them
Strong Customer Authentication to the Rescue
Advancements in identity proofing can help companies mitigate the risks listed above. Also, the documents used in the hiring process can be used each time the individual needs access to company resources, not just during the onboarding process.
Document-based identity verification is becoming more widely used in enterprise cybersecurity. Recently, a Gartner study found that 80% of companies will be using document based verification by 2022. In the same timeframe, 60% of mid-size to global enterprises will start using passwordless authentication methods. The deployment of document based verification and passwordless authentication requires these two technologies to be integrated based on industry standards.
The NIST 800-63-3a identity proofing standard was introduced by the US federal government in 2017 and it is critical that your organizational security measures comply with it. NIST 800-63-3a gives guidance on capturing two identity verification documents, validating them, and comparing them against the real person’s face. When your organization uses this standard to onboard a new employee, you have indisputable proof that your employees are who they say they are every time they log onto a system.
This level of identity verification is possible by leveraging the smartphone of the document holder. In fact, with biometric ID proofing and digital authentication, a high level of verification is possible without investing in advanced systems. The document holder can scan his or her documents and take a live ID “selfie” and the system will take care of the rest, including ensuring that the user takes high quality photos of his or her documents. This leads to identity verification based on standards that your company can use not only for onboarding, but for verification each time your employee accesses your company systems.
This type of biometric enrollment is distinct from device-based biometrics like TouchID and FaceID because those biometrics are not attached to a real identity. To be linked to a real identity, the biometric must represent one user and instantaneously match with their government documents.
How is this enrolled identity verified each time they access a company resource? Advanced cryptography and computing hardware have made this possible. Upon enrollment of the users identification documents and “selfie” live ID, each user is given a private key. The identity information and selfie that they enrolled are securely stored. It is impossible to unlock the key without the user’s permission because the user is the only one with access to this data.
Digital Credentials & The FIDO Alliance
In addition to using an identity proofing solution, companies can issue digital credentials. These allow individuals to access internal company systems like an active directory certificate. Similar to the identity documents, this information is securely stored and the user is the only one with access to the data. Cryptographic keys are an emerging technology in the cybersecurity industry and they are governed by the FIDO Alliance, which stands for “Fast Identity Online”. The purpose of the FIDO Alliance is to eliminate the use of usernames and passwords. The FIDO Alliance determines how companies can use authentication technologies. However, if your company is only protected by FIDO, you are still not completely secure. This is because identity proofing against government documents is not an element of the FIDO standard.
The combination of the FIDO and strong identity proofing standards, like NIST 800-63-3, provides organizations with indisputable proof that their employees are who they say they are at all times. This is because each time an employee transmits his or her credentials under these standards, they are using the same digital signatures that they created upon enrollment. These cannot be stolen or replicated by anyone else.
Whether your employee works in an office or remotely, they provide their biometric live ID “selfie” and access your company’s network. Users can connect remote resources several ways including sending messages to their smartphones or scanning a QR code. Now, your company knows indisputably that your employee is who they say they are every time they authenticate.
Companies and individuals will benefit from embracing these identity standards as soon as possible. Remote work is here to stay. Invest in security systems that set your company up for success and protect your most important assets.