Cyber threats are becoming increasingly sophisticated, and the number of bad actors involved is growing at an alarming rate. Attack techniques have evolved over the years to take advantage of modern computational hardware, which makes guessing passwords and compromising digital credentials faster and cheaper than ever. While these threats expose the inherent weaknesses of password-based authentication, a simplistic, identity-detached passwordless scheme is not the answer either.

Personnel Onboarding Risks and Requirements

Organizational risk tolerance for new hire onboarding is very low because of the Day 1 access granted to services and applications. Granting access carries risk, so companies rely on the usual means of identity proofing to establish trust: background checks on government-issued documents, work history, address history, and so on. But there are limits to the background checks a company normally performs, as they may not extend exhaustively to domestic and international subcontractors. Establishing trust through identity-linked proofing therefore becomes mandatory.

Passwordless for employees does not by itself inoculate the enterprise against credential compromise. Ensuring the employee is who they claim to be is the gap in most passwordless solutions today: passwordless removes friction from the employee's journey, but on its own it does not make that journey more secure.

What is needed is a means to mitigate identity theft and identity spoofing so that the individual is exactly who they claim to be. For the new hire onboarding journey to be secure, the employee's identity must be established irrefutably as well. Companies ask for government-issued identity documents to prove an individual is who they claim to be, but that does not prove that the individual logging in to applications at any given later time is the same person.

Authorization is a further requirement when onboarding an existing employee to new applications and services. Risk is minimized best when continuous authentication and transactional authorization are both in place: the company checks the individual's identity assurance level and authentication assurance level in real time, at the moment of each access request, before granting access to critical service and application assets.
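The real-time check described above, evaluated per transaction rather than once at login, as an added illustration that is not 1Kosmos code or any vendor's product: each resource carries a minimum identity assurance level (IAL) and authenticator assurance level (AAL) in the NIST SP 800-63-3 sense, plus a maximum age for the most recent live verification. A session whose levels are too low is denied outright; one whose levels suffice but whose proof is stale is sent for step-up re-verification. The resource names, thresholds, and the Session/ResourcePolicy types are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # levels are adequate but the proof is stale: re-verify live
    DENY = "deny"        # identity or authenticator never reached the required level


@dataclass(frozen=True)
class Session:
    subject: str
    ial: int                    # NIST SP 800-63A Identity Assurance Level (1-3)
    aal: int                    # NIST SP 800-63B Authenticator Assurance Level (1-3)
    last_verified_at: datetime  # time of the most recent live biometric verification


@dataclass(frozen=True)
class ResourcePolicy:
    name: str
    min_ial: int
    min_aal: int
    max_proof_age: timedelta    # how fresh the last verification must be for this transaction


# Constructed, hypothetical policies for three resources (not from any real deployment).
POLICIES = {
    "hr-portal": ResourcePolicy("hr-portal", min_ial=2, min_aal=2, max_proof_age=timedelta(hours=12)),
    "wire-transfer": ResourcePolicy("wire-transfer", min_ial=2, min_aal=3, max_proof_age=timedelta(minutes=5)),
    "prod-admin": ResourcePolicy("prod-admin", min_ial=3, min_aal=3, max_proof_age=timedelta(minutes=15)),
}


def authorize(session: Session, resource: str, now: Optional[datetime] = None) -> Decision:
    """Transactional authorization: check assurance levels and proof freshness at access time."""
    policy = POLICIES.get(resource)
    if policy is None:
        return Decision.DENY  # unknown resource: fail closed
    now = now or datetime.now(timezone.utc)
    if session.ial < policy.min_ial or session.aal < policy.min_aal:
        return Decision.DENY  # no amount of re-verification raises a too-low level
    if now - session.last_verified_at > policy.max_proof_age:
        return Decision.STEP_UP
    return Decision.ALLOW


def refresh_session(session: Session, verified_at: datetime) -> Session:
    """Record a successful live re-verification (the step-up) without changing IAL/AAL."""
    return Session(session.subject, session.ial, session.aal, verified_at)


# Constructed reference time so the walkthrough is deterministic.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Walk two constructed employees through several access requests; returns the decisions."""
    later = T0 + timedelta(minutes=20)
    alice = Session("alice", ial=2, aal=2, last_verified_at=T0)
    bob = Session("bob", ial=3, aal=3, last_verified_at=T0)
    results = {
        # IAL2/AAL2 proof taken 20 minutes ago is still fresh enough for a 12-hour policy.
        "hr-portal": authorize(alice, "hr-portal", now=later),
        # AAL2 never satisfies an AAL3 policy, however fresh the proof: deny outright.
        "wire-transfer": authorize(alice, "wire-transfer", now=later),
        # 20-minute-old proof against a 15-minute policy: ask for a live re-verification.
        "prod-admin-before": authorize(bob, "prod-admin", now=later),
        # After the step-up succeeds the same transaction is allowed.
        "prod-admin-after": authorize(refresh_session(bob, later), "prod-admin", now=later),
        # Resources without a policy are denied rather than silently allowed.
        "unknown": authorize(bob, "no-such-app", now=later),
    }
    return results


if __name__ == "__main__":
    for resource, decision in demo().items():
        print(f"{resource}: {decision.value}")
```

The point of the split between DENY and STEP_UP is that a stale session is a freshness problem the user can fix with another live verification, whereas an insufficient IAL or AAL is a proofing or enrollment problem that no re-login can fix, so the two should be handled differently by the application.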

Privacy, PII and the Onboarding Process

A CIO is interested in simplifying and securing the enterprise information architecture and implementing guardrails to preserve user privacy. Data privacy has recently come under critical focus in the international community, with violations costing companies billions in penalties and significant reputational damage to boot. The organization has a fiduciary responsibility to protect the Personally Identifiable Information (PII) of its employees and customers.

In essence, a few key factors drive the need for a digital transformation of the new hire onboarding process: verify the identity of the individual; secure the PII data so that it cannot be compromised; secure, or better still eliminate, login credentials (i.e., passwords); implement continuous verification of the identity; require transactional authorization before granting access; and finally, ensure the continuing privacy of the individual by imposing protections and restrictions on any release of PII to third parties.

Simplified Access

Simplified access to legacy systems using passwordless sign-on improves productivity, no doubt about that. Even better, enabling quick password resets to legacy apps after the individual has completed a strong identity-based authentication round trip using live biometrics gives faster and frictionless access to legacy applications. Another strategic benefit of deploying an identity-based passwordless solution is to reclaim existing 2FA spend by migrating legacy systems to passwordless. Why not re-use the identity held in a secure digital identity wallet to onboard new hires and existing employees to modern and legacy services alike?

Reduce Costs

A CIO's broad mandate is to reduce IT costs, including personnel onboarding administration costs, by implementing projects that automate the self-service workflows for new hire onboarding, identity proofing, and identity verification. Another key requirement is to reduce help desk costs, which can be achieved by automating password resets for legacy applications as described above. This identity-based authentication strategy also eliminates the help desk calls for those same password resets, reducing 24/7 help desk overhead and support costs along with complaints from 'stalled' or stuck employees.

Improve Security

A quick word is in order about the CISO's mandate as well. CISOs are looking to improve the overall security posture and to prevent data breaches or, in the more likely scenario, to manage the losses from them (they are inevitable!). CISOs want to restrict the amount of PII stored in a central user repository to only what is needed to do business. A good information security program also attempts to eliminate the vulnerabilities that result from weak, non-identity-based authentication techniques.

In summary, CXOs want to simplify the organization's information and information security architecture, minimize the reputational damage of an information breach, and reduce their insurance liability at the same time. Why not go with an identity-based authentication and proofing platform that makes mass credential compromise impossible?

It is clear that live-biometrics-based (that is, identity-based) authentication built on a pre-proofed identity is much stronger for use in a continuous authentication and continuous authorization paradigm than any identity-detached passwordless scheme. It is the only way to verify that the individual is who they claim to be at the time of an access request.

1Kosmos Identity-Based Authentication

All these goals can only be achieved if an organization starts with identity and not just authentication. The traditional approach to passwordless authentication focuses on MFA or passwordless login. While 1Kosmos is passwordless, we bring identity-based features to whatever authentication scheme the organization uses. This flexibility can be used to strengthen the identity verification process with strong biometrics-based identity and verification of user credentials via industry standards.

What's unique about 1Kosmos is that we start with identity, rather than authentication, as the basis for strong authentication, and this lets us solve many of the same challenges for both employees and customers. Our biometrics engine allows for continuous identity verification of the individual at login time and continuous transactional authorization at access time, while remaining aligned with the company's risk policies. It is no longer acceptable to identity-proof an employee or a customer once, for example at onboarding as a new hire, and then let them use services indefinitely.

By combining authentication with true identity (NIST SP 800-63-3 and 800-63A principles, with modified versions for corporate applications), you gain much higher assurance of who is truly at the end of a digital connection every time they authenticate.

These principles apply to customers as well, especially in the banking industry where strong KYC is needed. 1Kosmos is a member of the FIDO Alliance, DIACC, the Decentralized Identity Foundation (DIF), the Linux Foundation (for Trust over IP), W3C, and the COVID Credentials group. This ensures that you will have a partner whose product is not only open, preventing vendor lock-in, but also on top of the latest trends in identity.