Verifying the Identity of your remote workforce

Remote Identity verification is growing in difficulty, but also in importance. Deepfakes are on the rise. They’re increasingly hard to distinguish from reality, and increasingly harmful to security as a result. So how do you verify an employee is who they say they are when you can’t physically verify them?

As a large enterprise with operations and offices around the globe, Okta has many remote workers connecting to its systems (using hardened devices) from home offices and other locations. Two of the more common remote-working questions I get asked are:

• How do we verify the identity of a person we’re trying to hire when so much of the hiring and onboarding processes are completed remotely?
• How do we verify the identity of a remote team member at some later point (for example, when someone purporting to be them calls our IT help desk?)

Let’s explore some best practices that organizations can use in these scenarios, based on what we’ve put in place at Okta, and what I’ve seen work in the industry as a whole.

Before we dive in, I want to stress that none of what I’m saying here is a substitute for a strong insider threat program, combining physical security, personnel awareness, and information-centric principles. Rather, these should all be regarded as complementary approaches to building and maintaining a strong security posture, existing under a broader security culture.

Identity fraud during the hiring process

While the risks associated with exclusively remote recruiting and hiring are not new, they came to the fore in July 2024 when Stu Sjouwerman, CEO and founder of security firm KnowBe4, posted a blog titled How a North Korean Fake IT Worker Tried to Infiltrate Us.

Sjouwerman’s post details how KnowBe4 unwittingly hired a North Korean hacker — who used "a valid but stolen U.S.-based identity" — into a software engineer role. Almost immediately upon booting up their newly provided corporate laptop, the hacker began to load malware. Fortunately, KnowBe4’s security controls detected the abuse, and the incident was contained before the hacker caused damage.

KnowBe4’s experience isn’t an isolated event. In fact, three U.S. government agencies issued a joint advisory in 2022 warning that North Korean IT workers were attempting to use Identity fraud to secure employment and gain access to sensitive information. The FBI published additional guidance in 2023, and the UK’s Office of Financial Sanctions Implementation issued a similar warning with even more detail. 

The risk posed by North Korean hackers is serious and should not be underestimated, but Identity fraud extends beyond individuals acting on behalf of regimes. Sometimes, applicants use proxies to apply for a job — the person who shows up to work is not the same person the company interviewed. 

Whatever the case, Identity fraud puts the company at risk. 

Guarding against Identity fraud

Unfortunately, there’s no simple fix for combating Identity fraud. If there were, organizations wouldn’t be facing this challenge.

In practice, strengthening your security defenses takes a multi-layered approach involving a combination of people, processes, and technology. In addition to the suggestions that follow, I recommend reading the government advisories linked in the previous section.

Start with your people: 

• Foster a culture of security in which everyone in the company is aware of the general threats.
• Ensure those involved in hiring receive specialized training to watch out for signs of Identity fraud, including:
  • Inconsistencies in the spelling of names across different documents and online profiles
  • An interviewee's reluctance to appear on camera
  • Different addresses for the location of work and shipment of hardware
  • Candidate hesitation when answering simple questions about background and qualifications
  • Look out for social media profiles that don’t match the candidate’s résumé, multiple profiles for the same identity with different pictures, or online profiles lacking a picture.

Build the processes to strengthen your security posture: 

• Conduct robust background checks, including biometric verification.
• During remote interviews, require that candidates turn on their camera.
• When checking references, directly source the contact information of the references rather than using the information provided by the candidate; try to verify the references (e.g., through known connections in a professional network).
• Require new employees to provide at least two documents for identity verification, such as a government-issued ID and/or notarized proof of identity.
• Request voided checks or certified documentation from new employees’ financial institutions showing their account information; verify that check and routing numbers match an actual bank and not a money service business.
• Implement an onboarding process that’s phishing-resistant end to end. (See my previous blog, The weakest link: Securing your extended workforce, for more information.)
• Consider requiring at least some of your interviewing or onboarding be held in person.

Adopt the technology to support your people and processes: 

• Consider using a third-party ID-proofing service, which can verify the identities of potential employees by cross-checking multiple methods of identification
• As part of secure onboarding, ship an offline security key (e.g., a YubiKey) and the laptop separately; ensure the destination addresses are the same and match the new hire’s work location, and don’t allow shipping to a P.O. Box.
• Ensure phishing-resistant authentication is used to verify identity prior to giving new hires access to business tools

Verifying the identities of remote workers

Now to address the second question: How do we verify the identity of a remote team member at some later point?

For context, some threat actors take advantage of vulnerable account recovery flows to access protected IT environments, often by phoning an organization’s help desk and pretending to be a legitimate member of the workforce.

Usually, such threat actors exploit account recovery flows that rely on single authentication factors:

• Today’s threat actors can apply open-source intelligence tactics to discover the personal details that often serve as knowledge-based authentication factors.
• Attackers can also acquire personally identifiable information from people search services, data brokers, and leaks posted to the dark web.
• Even ‘liveness’ checks that rely on audio or video are vulnerable due to advancing deepfake capabilities.

To combat these threats, we’ve leveraged our own tools and our workforce-wide implementation of YubiKeys to implement caller identity verification that’s phishing-resistant, auditable, and user-friendly for help desk agents and legitimate callers.

Organizations that haven’t implemented offline security keys can still introduce safeguards to help verify caller identity. For example, Okta Workflows makes it possible to largely automate a caller Identity verification process using Okta-enrolled authentication factors, including:

• An Okta Verify push challenge is sent to the purported caller’s registered mobile device.
• A one-time passcode (OTP) code from Okta Verify, Google Authenticator, or a similar trusted channel is sent to the purported caller’s registered mobile number.
• A secret keyword emailed to the purported caller’s primary or secondary addresses.

The upshot: Your training, tech, and processes must evolve 

It’s important to regularly revisit your training and procedures for verifying the identities of your remote workers, especially in the context of the most current tactics, techniques, and procedures employed by threat actors. Adversaries are highly motivated to find workarounds to your defenses, and a safeguard that was highly effective yesterday might not be as reliable tomorrow.

While technology can play a role, especially for phishing-resistant authentication, people and processes are also essential. Maximizing our protection against Identity fraud requires all three elements working in concert.

Finally, none of the above eliminates the need for an insider threat program, which complements the practices outlined above by helping to discover threats that made their way through your hiring filters (and by detecting the unfortunate scenario of a good employee gone bad).

If you want to learn more about securing your whole workforce, including contractors, vendors, and other third parties, read my article The weakest link: Securing your extended workforce.