Remote identity verification is growing in difficulty, but also in importance. Deepfakes are on the rise. They’re increasingly hard to distinguish from reality, and increasingly harmful to security as a result. So how do you verify an employee is who they say they are when you can’t physically verify them?
As a large enterprise with operations and offices around the globe, Okta has many remote workers connecting to its systems (using hardened devices) from home offices and other locations. Two of the more common remote-working questions I get asked are:
- How do we verify the identity of a person we’re trying to hire when so much of the hiring and onboarding processes are completed remotely?
- How do we verify the identity of a remote team member at some later point (for example, when someone purporting to be them calls our IT help desk)?
Let’s explore some best practices that organizations can use in these scenarios, based on what we’ve put in place at Okta, and what I’ve seen work in the industry as a whole.
Before we dive in, I want to stress that none of what I’m saying here is a substitute for a strong insider threat program, combining physical security, personnel awareness, and information-centric principles. Rather, these should all be regarded as complementary approaches to building and maintaining a strong security posture, existing under a broader security culture.