The onboarding of new hires is one of the last processes to go digital in most enterprises. The same tired process of scanning and faxing or emailing proof of citizenship (e.g. a driver’s license or national identity documents) is still the norm.
This introduces many security concerns for both parties:
- The quality of the documents may be poor due to lighting or other factors.
- The image file size may change depending on how it is captured due to compression or low-quality black and white scanners.
- The documents are now exposed via the candidate’s email, in the HR rep’s email, or sitting on a server. This puts personal identification information at risk at every step of the journey.
- Even after documents are sent, you don’t have a good way to verify the person sending them is truly who you are interacting with.
A typical hiring process goes from talent acquisition (interviewing, background check, etc.) to an offer letter. Once a candidate accepts, it is now time to “get them in” to the system. This is day 1 of an employee’s journey - let’s discuss how this process can be digitally transformed.
New standards for document and biometric onboarding allow organizations to prove who someone is remotely by leveraging their smartphone’s camera and other security features. The NIST standard called 800-63-3A clearly outlines a path to do this via a user-directed and streamlined process.
Document-centric identity verification is a growing trend in enterprise cybersecurity. A recent study by Gartner found that by 2022, 80% of companies will be using this method of verification in their organizations, and over 60% of mid-size to global enterprises will implement passwordless authentication methods in the same timeframe. However, deploying this technology effectively requires integration of document-centric verification and passwordless authentication, and careful attention to industry standards that will provide organizations maximum protection.
In 2017, the US federal government introduced the NIST 800-63-3A identity proofing standard, and complying with it is of critical importance for organizational security. In short, NIST 800-63-3A gives guidance on how to capture two forms of identity documentation, validate them, and compare the images on the documents with the person’s face. For organizations hiring employees, this means they have verifiable proof, backed by a rigorous standard, that everyone signing onto their systems is who they say they are.
Technology has made this process possible by leveraging the smartphone or computer of the new hire. Specifically, biometric ID proofing and digital authentication make it much easier for companies to verify their employees’ identities without a significant investment in sophisticated systems. New hires simply scan the documents and take a selfie, and the system does the rest, including guiding the user through capturing quality images. The results? A standards-based identity that an organization can trust for onboarding and re-authentication.
It’s important to note that this form of biometric enrollment is not the same as TouchID, FaceID, and other device-based biometrics. Those forms of biometrics are not linked to a real identity. The biometric must be a representation of one user and instantly matched to the government documents.
As they embrace an identity proofing solution, companies can issue a digital credential, such as an Active Directory certificate, that allows employees to access internal systems. This credential is protected the same way the identity documents are. The usage of cryptographic keys is a growing trend in the industry and is backed by another standards body, the FIDO Alliance. The acronym “FIDO” stands for “Fast Identity Online”. FIDO eliminates usernames and passwords. The Alliance sets the bar on how a company can implement various authentication technologies. However, FIDO alone is not strong enough to entirely protect organizations, because it does not have proof of identity as part of the standard (i.e. verifying against government-issued documents).
When FIDO is combined with strong identity proofing, like NIST 800-63-3, the process provides indisputable proof that employees, contractors, or partners are who they say they are. Why? When they transmit their credentials, those credentials carry the same digital signatures that were enrolled with their identity, and these cannot be used or replicated by a third party.
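The sketch below is an added illustration, not code from NIST, the FIDO Alliance, or any product: it shows a key being accepted at enrollment only when it arrives with a completed proofing record, and a later login succeeding only for a fresh challenge signed by that enrolled key. It is a simplified challenge-response in Node.js rather than the full FIDO protocol, and the function names and the record fields `documentsValidated` and `faceMatched` are hypothetical.

```javascript
// Added illustration: names and record fields are hypothetical.
const crypto = require("node:crypto");

const enrolled = new Map(); // userId -> { publicKey, proofing }
const pending = new Map();  // userId -> outstanding one-time challenge

// Enrollment: accept a public key only together with a completed proofing record.
function enroll(userId, publicKey, proofing) {
  const proofed = Boolean(proofing) &&
    proofing.documentsValidated >= 2 && proofing.faceMatched === true;
  if (!proofed) return false; // a key alone proves possession, not identity
  enrolled.set(userId, { publicKey, proofing });
  return true;
}

// Server side: issue a fresh random challenge for each login attempt.
function issueChallenge(userId) {
  const challenge = crypto.randomBytes(32);
  pending.set(userId, challenge);
  return challenge;
}

// Device side: sign the challenge with the private key held on the device.
function signChallenge(privateKey, challenge) {
  return crypto.sign(null, challenge, privateKey); // Ed25519 takes no digest name
}

// Server side: verify against the enrolled key and consume the challenge.
function authenticate(userId, signature) {
  const record = enrolled.get(userId);
  const challenge = pending.get(userId);
  pending.delete(userId); // one use only, so a captured signature cannot be replayed
  if (!record || !challenge) return false;
  return crypto.verify(null, challenge, record.publicKey, signature);
}

// Constructed sample data: one proofed employee and one unrelated key pair.
function demo() {
  const alice = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519");
  const unproofed = enroll("alice", alice.publicKey, { documentsValidated: 1, faceMatched: true });
  const proofedOk = enroll("alice", alice.publicKey, { documentsValidated: 2, faceMatched: true });
  const sig = signChallenge(alice.privateKey, issueChallenge("alice"));
  const genuine = authenticate("alice", sig);
  const replayed = authenticate("alice", sig); // challenge already consumed
  const otherSig = signChallenge(other.privateKey, issueChallenge("alice"));
  const thirdParty = authenticate("alice", otherSig);
  return { unproofed, proofedOk, genuine, replayed, thirdParty };
}
```
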
This experience is truly a game-changer for organizations and remote workers. When a user needs to access a resource, they provide their biometric (selfie) and they can access the company’s network. There are several ways for a user to connect to a remote resource including the scanning of a QR code or triggering of a push message to their smartphone. Because of this, the organization now knows with a high degree of certainty that the person sitting at the keyboard is who they say they are - every time they authenticate.
The time is now for organizations to embrace these identity standards - for their sake, and for their users. As hybrid work is likely here to stay and companies assess their hiring and security practices, there has never been a better time to invest in new systems that ensure maximum protection for their most important assets.