Security Implications of Digital vs Physical Onboarding
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Rohan Pinto of 1Kosmos warns that while the time for digital onboarding is now, the processes for deploying are in dire need of an overhaul.
In the post-COVID business world, digital onboarding has become commonplace, especially as digital transformation has accelerated the move to online services and remote hiring. It is not unusual, for example, for a company to hire an individual whom it may not meet in person for months, if ever. Nor is this restricted to employees and customers: it is also part of the Identity Governance and Administration (IGA) workflow for partners, contractors, and freelancers. Unfortunately, many companies still rely on seriously outdated technologies that cannot provide a smooth, efficient, and secure process.
Security, of course, is paramount in digital onboarding, and inadequate onboarding processes are one of the main sources of weakness. More than a third of respondents to one survey on the subject identified screening new employees as the primary step in securing their remote workforce. Establishing with certainty, at the time of onboarding, that potential hires, contractors, and others really are who they say they are strengthens company security for the duration of the relationship.
Making digital onboarding efficient is equally essential. Security practices should not make it harder for employees to reach the applications, data, and other digital services they need to do their work, and providing secure, easy access begins at onboarding. In industries such as banking, where 43 percent of customers bank with a mobile app, removing friction from the onboarding process can create a competitive advantage. Biometric identity proofing also significantly reduces the data errors associated with manual identity verification.
Digital Onboarding: Updating Past the Security Implications
Current Processes: Weak and Vulnerable
The biggest problem with most current digital onboarding practices is that they lack identity verification and are often unable to bind a verified identity to the user account that gets created. Here is the typical process. After a company receives a signed offer, HR creates the necessary records manually. Often, newly hired employees transmit proof-of-identity documents (driver’s license, etc.) via email, which is a significant privacy risk in itself. Worse, there is no guarantee that the documents really belong to the sender and not to an impostor.
The second step in most large companies is a phone call from the hiring manager that conveys a username and password. The vast majority of companies also provide an MFA factor that resides on the user’s phone; sometimes it is a physical token. This is another point where things can go wrong. What if, on day one, the MFA device goes to a fraudster? How can a company know that the new employee receiving it is who they say they are? Beyond this risk, phones and tokens in the possession of genuine employees can be lost or stolen and thus fall into the hands of bad actors.
Even when the intended employee receives the MFA device and no theft is involved, MFA is not infallible. The risks are significant enough to have triggered an FBI warning that MFA is vulnerable both to social engineering and to technology that can intercept one-time passcodes, for example a phishing proxy that relays the code the user types to the real site in real time.
New Approaches to Digital Onboarding
Given these weaknesses, it’s time for organizations to consider new approaches to digital onboarding that reduce the risk of fraud as much as possible, while eliminating manual steps to increase efficiency and reduce costs.
Ultimately, there’s no safe way to digitally onboard a new employee, contractor or consumer without verifying their digital identity the way you would in the physical world. The following guidelines can lead to a process that achieves this goal in a way that’s both secure and efficient.
- Move to self-enrollment. Eliminating the back-and-forth between your organization and a new employee via self-enrollment not only simplifies the onboarding process; it is also consistent with the remote identity proofing process described in NIST SP 800-63A, and it makes onboarding more secure and more private. For example, new employees can submit photographs of their identity documents (a driver’s license, say) to an app on their own phone. This eliminates the emailing of PII, which is always risky. Furthermore, phone-based technology can check the validity of the documents (and the integrity of the device itself) with no need for human involvement.
- Verify identity with biometrics. A valid government document does not guarantee that it belongs to the individual submitting it. To address this risk, a phone-based face biometric with liveness detection, which asks the user to smile, blink or turn their head so that a printed photo or replayed video is rejected, can be compared with the photo on the ID in real time. This step approximates what happens in an in-person identity check, where a clerk compares the document photo with the person standing in front of them.
- Use public key cryptography. Standards such as Fast Identity Online (FIDO) register a public-private key pair per user and service and let users unlock the private key with a fingerprint, face or voice instead of a password. This flexibility lets organizations match authentication methods to access risk levels. With FIDO, the private key never leaves the user’s device and the server stores only the public key, so there is no shared secret to intercept in transit or to steal from a breached server; each login signs a fresh server-issued challenge bound to the site’s origin, which is what makes it resistant to the phishing and passcode-interception attacks described above.
- Verify access requests with biometrics. To verify that the individual requesting access is the genuine employee, use the same live-selfie process that verified the government documents during onboarding: the worker smiles, blinks or performs some other prompted movement, and the result is matched against the identity established at enrollment.
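The following is an added example, not code from 1Kosmos, the FIDO Alliance or this article, that models the "public key cryptography" guideline above: a FIDO2/WebAuthn-style authentication ceremony in which the authenticator keeps the private key, the relying party stores only public keys, and every login signs a fresh challenge bound to the site origin. The origin `https://hr.example.com`, the user name and the lookalike domain are assumptions for illustration; attestation, signature counters, user-presence flags and CBOR encoding from the real protocol are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is what the browser or app assembles for the authenticator to sign.
// The origin is filled in by the client, never typed by the user.
type clientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the user's phone or security key.
type Authenticator struct {
	priv *ecdsa.PrivateKey // created here, never exported
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material shared with the server, at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assert signs SHA-256(clientData) for a login to the given origin. A lookalike
// site only ever obtains a signature over its own origin, which the real
// server will refuse.
func (a *Authenticator) Assert(challenge []byte, origin string) (cd, sig []byte, err error) {
	cd, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig, err
}

// RelyingParty is the server: public keys per user plus outstanding challenges.
type RelyingParty struct {
	origin  string
	creds   map[string]*ecdsa.PublicKey
	pending map[string]bool // hex(challenge) -> issued and not yet consumed
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, creds: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Register stores the public key; a breach of this table yields nothing reusable.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.creds[user] = pub }

// Challenge issues 32 random bytes that may be signed exactly once.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify accepts an assertion only if the challenge is fresh, the origin is ours
// and the signature checks against the registered public key.
func (rp *RelyingParty) Verify(user string, cd, sig []byte) error {
	pub, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user or credential")
	}
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if parsed.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	key := hex.EncodeToString(parsed.Challenge)
	if !rp.pending[key] {
		return errors.New("challenge unknown or already used (replay)")
	}
	if parsed.Origin != rp.origin {
		return errors.New("origin mismatch (phished assertion)")
	}
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	delete(rp.pending, key) // single use
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("https://hr.example.com") // assumed origin
	rp.Register("new-hire-42", auth.PublicKey())   // assumed user
	ch, _ := rp.Challenge()
	cd, sig, _ := auth.Assert(ch, "https://hr.example.com")
	fmt.Println("genuine login:", rp.Verify("new-hire-42", cd, sig))
	fmt.Println("replayed assertion:", rp.Verify("new-hire-42", cd, sig))
	ch2, _ := rp.Challenge()
	cd2, sig2, _ := auth.Assert(ch2, "https://hr-example.com.evil") // lookalike site
	fmt.Println("phished assertion:", rp.Verify("new-hire-42", cd2, sig2))
}
```

The two failure paths are the point: a captured assertion cannot be replayed because the challenge is consumed, and an assertion coaxed out of the user by a lookalike site carries the wrong origin, so the intercepted-passcode attacks in the FBI warning have nothing to work with.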
Final Thoughts
Digital onboarding that meets, or even exceeds, the identity verification used in the physical world is possible thanks to new technologies, standards and test programs such as FIDO, NIST SP 800-63, and iBeta PAD Level 2 presentation-attack-detection testing. Its benefits extend beyond the initial onboarding workflow: identity-verified authentication improves security for day-to-day access requests and eliminates passwords altogether.