Remember when a username and password were your ticket to almost anything? Identity security has evolved considerably —and continues to do so, in response to the ongoing evolution of identity-related threats.
From multi-factor authentication (MFA) to risk-based and passwordless authentication, new methods and tools to secure identities are constantly emerging as identity security experts work to outpace the growth in threats. ID verification represents a major step in this evolution.
ID verification is one of the most important developments in the evolution of identity security. It represents a major step in what can be done to curb credentials abuse that enables unauthorized access to an organization’s systems, applications, and data.
ID verification goes beyond examining and evaluating user credentials. Instead, the process confirms whether the identity itself is authentic; it’s focused on confirming whether the actual user or device requesting access is genuine, and not just someone or something in possession of those credentials.
And while it’s always been theoretically possible to verify identity manually—by having someone appear in person, for example—doing so is not always practical, especially in the era of remote work. That’s where secure enrollment via ID verification becomes essential.
ID verification is critical at key points in the identity security lifecycle, particularly in high-risk situations like when a new user is being onboarded or when they need to have their credentials reset or recovered. It’s particularly useful in situations when it’s impractical to verify a user’s identity, like when an employee, their manager, and the IT help desk are working in separate locations.
Secure enrollment is also essential to confirming that an organization is really working with the person they expect. If an organization hires, onboards, and gives access to John, then that user had better really be John: the IBM Security Cost of a Data Breach Report 2023 found that “attacks initiated by malicious insiders were the costliest, at an average of USD 4.9 million,” and that breaches that initiated by an insider took 308 days to detect. The Verizon 2024 Data Breach Investigations Report found that internal actors were responsible for 35% of data breaches, “a significant increase from last year’s 20% number.”
Verifying an employee’s identity right from the start is crucial for long-term security. A recent FBI/IC3 Public Service Announcement highlighted the threat of North Korea leveraging U.S.-based individuals to gain fraudulent employment and access to U.S. company networks. The FBI’s top tip is implementing identity verification during hiring to prevent candidate fraud, underscoring the importance of robust ID verification processes.
And even if state-sponsored espionage sounds too dramatic, there’s still the lower-stakes (but still creepy) fake candidate trend when person X interviews for an opening only for person Y to show up.
Without ID verification, it’s entirely possible for an imposter to be granted credentials or to recover someone else’s credentials by pretending to be that person. ID verification provides a way to intervene at high-risk points when the identity of the user, the process for authenticating that user, or the entitlements that user should have are unclear. In 2022, threat actors gained access to a non-governmental organization’s cloud and email accounts in part by using this process.
The ID verification process clarifies each, asking the user not only to prove who they are based on the credentials they carry, but also to verify they really are the person who is entitled to have those credentials.
Here’s how it works at the key points we mentioned:
- Credentials enrollment: ID verification secures enrollment by requiring proof of identity, such as biometrics or a government-issued ID, for birthright credentials to be issued to new users. Today’s online platforms make this not only secure, but also convenient and practical. Instead of having to present themselves in person with proof of identity in hand, users can do it digitally using ID verification. That helps remote workers and their organizations work securely and effectively.
- Credentials recovery: Once someone has basic credentials such as username and password, it’s not unusual for a bad actor to try to take over those credentials by contacting the help desk and claiming to have forgotten them. The ALPHV ransomware attacks on Las Vegas resorts reportedly began using that technique—and reportedly cost $100 million in damages. Requiring proof of identity is essential to stopping the attempt—and now it can be done in a way that’s seamless for a legitimate user. That’s why RSA will add credentials recovery to our ID verification workflow later this year.
At RSA, we’re working with ID Dataweb, a leader in ID verification, to enable both secure enrollment and secure credentials recovery processes for RSA customers. Our partnership embeds these processes in RSA My Page, our single sign-on (SSO) capability.
ID Dataweb technology is seamlessly integrated into RSA My Page, which allows users to quickly and securely verify their identity digitally—instead of having to locate and appear at the nearest office. Credentials recovery is equally effortless.
“RSA remains a leader in security with its state-of-the-art Unified Identity Platform,” said Matt Cochran, VP, Product and Operations, ID Dataweb. “By integrating ID Dataweb’s unrivaled identity verification capabilities, RSA now has a simple, one-click, no code deployment for advanced identity proofing workflows. Integrating our best-in-class solution means RSA users can be onboarded and productive seamlessly and securely.”
For both enrollment and credentials, ID verification is a simple process of initial authentication followed by ID Dataweb’s verification workflow. That workflow is enabled by RSA’s OpenID Connect (OIDC) connector for user verification.
It’s all part of the RSA Unified Identity Platform that combines authentication, access, governance, and lifecycle to help organizations prevent risks, detect threats, and evolve beyond IAM.
Download our solution brief to learn more about ID verification with RSA.