How Identity Verification Can Make Remote Work More Secure
Safer account logins, onboarding, and data access await companies that implement advanced identity proofing and verification strategies today.
by Bob Long, President, Americas
December 12, 2023
Despite the headlines around companies like Goldman Sachs and Tesla requiring employees to return to work (RTW) in the office five days per week, 77% of the Fortune 100 and many other companies operate on a hybrid work schedule. Another 16% operate in a fully remote model.
Whether employees are fully remote or work away from the office two or three days per week, new office requirements create unique challenges for managing the remote workforce and protecting company data and systems. Integrating remote digital identity verification into RTW planning and processes can help companies solve these challenges.
One of the benefits of flexible working is that businesses can take advantage of a much wider geographic pool of candidates to find the right hires for open roles. In its article, “What Will the Workplace Look Like in 2025,” the Society for Human Resource Management (SHRM) reports that 36% of companies say they’re willing to hire workers who are 100 percent remote and live anywhere in the U.S. or internationally.
Even companies that are hiring locally increasingly conduct interviews through video. The Economic Times reports that 90% of organizations now conduct virtual interviews in the early stages of the hiring process. iMocha, an AI-powered Skills Intelligence Cloud, states that the reasons why recruiters use virtual interviews include convenience, increased efficiency, and decreased bias.
Digital identity verification can help HR establish and ensure the identity of the person they are speaking with. The candidate can be asked to provide their government-issued photo ID as well as a selfie (facial biometric) that can be analyzed with AI to be sure it matches the photo in the ID and checked against watchlists to keep potential fraudsters with fake or synthetic identities out of the company’s Customer Identity and Access Management (CIAM). Digital identity verification solutions can capture and compare the smallest details and stop people who look similar, but may have different backgrounds and work experiences, from presenting themselves as each other.
ID verification for remote workers can also help companies increase security. This has been one of the largest concerns with remote working since many businesses had to adopt it on the fly in the spring of 2020. Meeting platform ZipDo reported that 62% of companies have seen an increase in work-related cyberattacks since the start of the pandemic.
Statista found that, “In 2023, 72 percent of global respondents indicated being very concerned or somewhat concerned about the online security risks of people working remotely, down from nearly 80 percent in 2022.”
How employees onboard and authenticate themselves to unlock their company-issued devices and access the systems and data they require to do their work is fundamental to security in remote and hybrid working environments.
The risks of password reliance
For businesses that have not modernized their CIAM, onboarding and account access processes still require employees to use passwords, leaving them and company data vulnerable to fraud attacks. When it comes to keeping bad guys out of the system, password complexity matters; the more characters and types of characters a password contains, the harder it is to crack. In its 2023 report on how long it takes to crack a password, Hive Systems reports that passwords using only numbers can be cracked instantly for up to 11 characters. In contrast, a 10-character password that uses a combination of upper- and lower-case letters, numbers, and special characters takes two weeks to crack.
The complexity of passwords goes up if employers mandate strict guidelines or issue passwords that conform to best practices while enforcing the need to regularly change passwords. But, the 2022 Password Hygiene & Habits report from PCMatic found that 75.9% of employers allow employees to choose their own password and nearly 21% don’t require employees to regularly change passwords.
Employee-chosen passwords can have many of the security problems of personal passwords.
First, there will be some people who re-use a password they use somewhere else because it’s convenient; this leaves not only the employee but the business vulnerable if the password is compromised in another location. According to Comparitech, LastPass has found that employees reuse a password an average of 13 times. Employee-developed passwords can also contain family or pet names, special dates, addresses, and other character strings that make them both easy to remember and easy to hack.
The challenge with enforcing complex passwords and having them changed regularly is that they are hard to remember. Keeper Security has found that 57% of employees store their passwords on sticky notes, another 49% keep them in unprotected plain-text files, and 62% have shared them using text or email. Each of these activities reduces password security and exposes its inherent lack of security as a knowledge-based authentication (KBA) method.
Passwords also come with the cost of resetting them, whether the password has been forgotten or employees need help making their regular update. Forrester Research found that each password reset costs $70, while analysts at Gartner estimate that 40% of all help desk calls are related to passwords and resets.
Passwords leave businesses vulnerable to phishing attacks, in which employees receive plausible-seeming emails, SMS, and voice messages that look or sound like they were sent by someone within the organization asking. These phishing tactics often involve asking the employee to reveal their credentials for a legitimate reason. Many organizations try to train their employees to avoid falling prey to phishers, but the Zscaler 2023 Phishing Report found that there was a 42.7% increase in attacks over the past year. The report identifies the rise of phishing kits sourced from black markets and chatbot AI tools as elements that make it easier to develop more targeted fraud campaigns.
Businesses often attempt to overcome the security challenges associated with passwords by implementing multi-factor authentication (MFA), which implements at least two factors (sometimes a password plus another factor) for login security. Most often, this second factor is a four-, six-, or eight-digit code that must be entered into an authenticator or the employee’s application itself. Though two or more factors are safer than just a password, MFA that uses these types of codes can still be hacked into, especially if the codes are sent to the employee via text (known as SMS OTP, or one-time password) or email.
Even companies in the security business can fall victim to problems with passwords. The Hacker News reported that Norton LifeLock Password Manager was breached in a brute-force attack that used stolen credentials, noting that, “No matter the strength of a company’s security, a password stolen from another less-protected organization is difficult to prevent from reuse.”
The advantages of digital identity verification for the hybrid workforce
Digital identity verification incorporates the use of biometric factors, such as fingerprints and facial scans, to verify and authenticate an employee’s identity. Because these physical factors are unchangeable, morphological, and integral to the employee, they are intrinsically more secure than passwords – they can’t be shared, guessed, lost, forgotten, or hacked. And since they can’t be shared, biometric factors also can’t be phished.
Biometrics-based remote digital identity verification is convenient for employees to use and saves an organization’s IT team time, money, and headaches: biometric factors are impossible to forget or lose, and never need to be changed or reset.
Biometrics solutions can also incorporate the unique patterns in how an employee performs tasks, such as how they type, move a mouse, or swipe between applications. Known as behavioral biometrics, these factors can help to ensure an employee’s identity throughout a session where they may be dealing with particularly sensitive information.
Example of a digital identity verification use case
In a typical login process without digital identity verification, an employee uses a password to unlock their computer and phone. Then, when they want to use a phone app, they have to authenticate themselves, which often involves entering their password and then entering a randomly generated code into an authenticator on their phone.
When they want to use desktop apps, they again have to enter their password and an authenticator code. When they go to use web apps, they have to enter their password and an authenticator code one more time.
In contrast, with digital identity proofing and authentication, the employee registers once (proofing/verification), and then gains access to the applications they need by taking a selfie with their registered phone (authentication and future authentications). It’s faster, simpler, and more secure than traditional login processes relying on passwords.
Still, biometrics can also be used to improve the security of password-based multi-factor authentication scenarios for businesses that are wedded to their existing password infrastructure. The authenticator application on the employee’s phone can be set up to use a fingerprint instead of a code. While codes can be hacked or stolen, a fingerprint can only be used by the employee who owns it.
Finding the right solution for your business
Remote digital identity verification is critical to modern business. Organizations across industries are under increased attack from phishers, hackers, and other criminals – especially with the advent of enhanced, generative AI technology being available to a wider audience and being used for deepfakes and other types of spoof attacks. Passwords alone, and when used in typical MFA processes, simply aren’t up to the demands of a hybrid workforce that needs to securely access company applications, systems, and data from many different locations.
Switching to digital identity verification overcomes the security challenges of passwords and reduces the burden on employees and IT by replacing passwords with biometric factors that can’t be lost, hacked, forgotten, or stolen. For companies who wish to continue using passwords, adding biometrics to an MFA process can also increase security and ease of authentication.
See how Daon’s biometrics-based digital identity verification solutions can help you more easily and securely onboard and authenticate your remote workforce.