Demystifying Cybersecurity: Digital ID Verification


Security challenge

Zero Trust (ZT) is predicated on users having the proper access and completing multifactor authentication. But how do you know that someone is the person they say they are? With the exponential growth of home-based work, boosted even further by the pandemic, more and more employees are now hired remotely, with all interviews and hiring processes conducted online using video conferencing and email. So far so good, but doesn't this represent a potential risk of hiring a person who is not who they claim to be?

 

Cybersecurity experts have been warning the public about the very real risk of hiring fraudulent remote workers who can gain legitimate access to your organization as an employee, and from there be able to execute whatever attack they choose. 

 

Do you have any remote employees you have never actually met in person? You may have had a dozen video conference calls with them, but this still does not prove their identity: the person in charge of their registration who “checked” their credentials might not have met them either, and the IDs provided might be genuine but not related to the actual employee in question.

 

To protect your organization from this risk, you need to build an identity verification mechanism into your employee onboarding workflow.

 

What is ID verification?

ID verification is an authentication process that compares the identity a person claims to possess with documentation that proves it, to ensure that person is who they claim to be. Depending on the nature of the transaction performed, many documents can be used to prove someone’s identity, from a driver’s license or passport to a birth certificate or social security card. Usually, to be considered a valid ID, the credentials must be signed and contain a picture of the person they are associated with.

 

What is Digital ID verification?

Digital ID verification is similar, but in the digital world. It uses computer technology and verification methods such as biometric verification, face recognition, and digital ID document verification to verify the identity of a person online. This would typically be used when identity verification is mandatory and a person and their ID documents are not physically present, for example, when opening an online bank account or during a remote onboarding process, to ensure the person that is being hired is legitimate and matches the documents they submitted. 

 

Once the official ID has been validated, that person will be issued an identity or user certificate that will later be used to identify them and access resources securely, not just within your organization, but also when working with your partners and customers if need be.

 

How does it work?

Using a proper onboarding mobile app provided by the organization, the new employee scans a government-issued ID and then takes a live photo of themselves. That picture is checked against the one on the government-issued ID to confirm that both match.


If it checks out, the user is then issued an identity, using the principles of digital certificates and Public Key Infrastructure (PKI), in the form of a digital user certificate that is stored safely on their mobile device.


The next time the user needs to authenticate to access corporate applications or resources, they can use the certificate, instead of the usual user/password combination, to identify themselves securely and transparently.

 

How does it help?

Faster employee onboarding

Digital ID verification helps automate the digital employee onboarding process, so new remote or home-based employees can be ready to start working from day one, from anywhere. Their passport, ID card, driver's license or other supported credentials can be validated, and an identity issued, as early as the pre-hire process.

 

Increased security

Nowadays everybody has dozens if not hundreds of online accounts or identities, one for each online service they access, from email providers to commercial websites. This can be cumbersome (remembering all those usernames and passwords), insecure (the same password ends up being reused on many online services), and a major privacy concern (personal data available to and handled by so many third-party entities). Some providers like Microsoft, Google, and Apple are trying to ease that by letting one online identity access other online services transparently and safely, acting as a unique Identity Provider (IdP). However, if you think about it, none of these identities are verified. Were you asked to provide an ID at any point in the process? Who can guarantee that the person behind john.doe@gmail.com is legally called John Doe, and is the employee you hired?

 

As official government-issued IDs are provided by the new employee, cross-checked against biometrics (e.g., face recognition), and verified by trusted partners, the risk of impersonation or fraud is greatly reduced. A government-issued form of identification can uniquely identify an individual and cannot be shared or forged. Plus, once verified, people (employees, temporary workers, or partners) identify themselves with certificates rather than passwords, rendering typical phishing attacks nearly impossible.

 

Collaboration without collaboration

Verified IDs improve business-to-business (B2B) collaboration: an organization can easily grant employees of other organizations access to internal collaboration tools, files, and more by defining least-privilege access and inviting those organizations to access said resources, without having to set up a complex, challenging collaboration between each of them. Employees of the partner organization identify themselves with their Digital ID, the same way they do to access internal resources in their own organization.

 

Suspend or invalidate credentials

As easily and quickly as an identity can be issued by an organization, it can also be suspended or revoked, for example when an employee is on a long absence or leaves the company. These status changes are also visible to all partners and verifiers.
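The issue, authenticate, and revoke steps described under "How does it work?" and "Suspend or invalidate credentials" can be sketched with Ruby's standard `openssl` library. This is an added example, not code from the original article or from any ISEC7 product. The `OnboardingCA` class, the `id_verified` flag (standing in for the outcome of the ID document and live photo match), and the certificate names are assumptions.

```ruby
require "openssl"
# Constructed in-memory CA standing in for the organization's PKI (assumption).
class OnboardingCA
  def initialize
    @key, @revoked = OpenSSL::PKey::RSA.new(2048), []
    @cert = build("Example Onboarding CA", @key.public_key, nil,
                  "basicConstraints" => "CA:TRUE", "keyUsage" => "keyCertSign,cRLSign")
  end

  # Issue a client certificate only if the ID document and live photo matched
  # (id_verified is a hypothetical flag carrying that result).
  def issue(name, public_key, id_verified:)
    raise ArgumentError, "identity not verified, no certificate issued" unless id_verified
    build(name, public_key, @cert, "keyUsage" => "digitalSignature", "extendedKeyUsage" => "clientAuth")
  end

  # Suspend or revoke: the serial is listed in every CRL signed from now on.
  def revoke(cert)
    @revoked << cert.serial
  end

  # Accept only certificates that chain to this CA, allow client auth and are not on the CRL.
  def authenticate(cert)
    store = OpenSSL::X509::Store.new
    store.add_cert(@cert).add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
    store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
    store.verify(cert)
  end

  # Signed revocation list that partners and verifiers would fetch.
  def crl
    list = OpenSSL::X509::CRL.new
    list.version, list.issuer = 1, @cert.subject
    list.last_update, list.next_update = Time.now - 60, Time.now + 3600
    @revoked.each { |s| list.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial, r.time = s, Time.now }) }
    list.sign(@key, OpenSSL::Digest.new("SHA256"))
  end

  private def build(common_name, public_key, issuer, extensions)
    cert = OpenSSL::X509::Certificate.new
    cert.version, cert.serial = 2, OpenSSL::BN.rand(64)
    cert.subject = OpenSSL::X509::Name.new([["CN", common_name]])
    cert.issuer, cert.public_key = (issuer || cert).subject, public_key
    cert.not_before, cert.not_after = Time.now - 60, Time.now + 86_400
    factory = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
    extensions.each { |oid, value| cert.add_extension(factory.create_extension(oid, value, true)) }
    cert.sign(@key, OpenSSL::Digest.new("SHA256"))
  end
end
```

Because the check enforces `V_FLAG_CRL_CHECK`, a verifier with no current CRL rejects every certificate, so revocation status fails closed rather than open.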


With remote work growing more prevalent, the need to verify employees’ identities is greater than ever, for the safety of your infrastructure, sensitive corporate data, and personal information. Implementing thorough ID verification methods, such as digital ID verification, can help prevent cyber-attacks and deter malicious actors. ISEC7 is at the forefront of cybersecurity and has long worked with organizations to ensure their ecosystems are protected and their security posture is as strong as possible. If you have any questions about how to improve your organization’s security posture, the team at ISEC7 can complete a security assessment and help you navigate the options available to you, as well as help you leverage your existing solutions to their fullest capability.



(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group