27 Apr 2026 in Business use cases

Workforce Identity Verification: Preventing Insider Fraud

Nikita Dunets

Vice President of Digital Identity Verification

TL;DR

Workforce identity verification closes the trust gap inside hiring, account recovery, and access management by proving the person before the company hands over devices, credentials, or privileged access. The strongest programs do not stop at document and face checks: they also tie the result to the right employee record and carry that proof into the next control point.

Companies invest a lot of money into rigorous identity checks for customers, yet when it comes to new hires, the same process tends to be much lighter, if it is executed at all. That can be costly.

Verizon’s 2025 Data Breach Investigations Report says the human element plays a key role in roughly 60% of breaches, while third-party involvement doubled to 30%. Gartner’s recent workforce research points the same way: interest in workforce identity management is rising because attackers have learned that onboarding and account recovery are softer doors into the business.

In this article, we will break down where and how exactly workforce identity verification protects against identity fraud, drawing on Regula’s experience and real-life use cases. 

Why workforce identity verification calls for attention

The recent rise of workforce IDV is mainly driven by two types of recurring incidents: 

  1. Bad actors getting hired into roles with the help of stolen or counterfeit identity data, sometimes paired with deepfakes during video interviews. 

  2. Bad actors claiming to be employees during help-desk and account recovery interactions. 

The first type can be easily illustrated by the North Korean remote worker case: on June 30, 2025, the DOJ announced coordinated action against schemes that used fake or stolen identities to place North Korean IT workers inside U.S. companies. The department said the operation included searches of 29 suspected laptop farms across 16 states, along with seized financial accounts and fraudulent websites.

The account recovery side tells a different version of the same story. In September 2023, MGM Resorts International suffered a cyber incident that had an estimated negative impact of about $100 million. While they did not publicly lay out every step of the intrusion, widely cited reporting said the attackers got in by impersonating an employee and spoofing the IT help desk after researching staff on LinkedIn. MGM ended up shutting down affected systems, and the disruption hit hotel operations in visible ways, with reports of outages affecting room keys, slot machines, ATMs, and other services.

 

There is a simple lesson in that cluster of cases. Many companies tightened customer-facing identity checks, then left their own support and workforce trust decisions in a weaker state. So, ID verification of employees is an attempt to close that gap before the next ordinary business process turns into an incident and to preserve secure workforce identity.

Three key areas where workforce identity verification protects against fraud

There are three workforce trust handoffs where companies are especially vulnerable to identity fraud: onboarding, access management, and account recovery.

The threats can be summarized as follows:

 

| | Onboarding | Access management | Account recovery |
|---|---|---|---|
| What is handed over | Device, account, employee status | Privileged or physical access | Password or MFA reset |
| Typical weakness | Unverified identity data enters HR, screening, or account-issuance flows | Missing identity re-verification for high-risk access requests or too much standing access | Weak identity checks before resets or manual matching by support staff |
| How it is exploited | Stolen identity, deepfake interview, or false record match | Urgent access request, compromised account, or borrowed identity | Help-desk impersonation and social engineering |
| What the attacker gets | An insider foothold | Broader access to systems or premises | A real employee identity |

Workforce identity verification for onboarding

Within onboarding workflows, workforce identity verification should be triggered before a company turns a candidate into a trusted internal identity. That means checking the person before verified identity data moves into screening, and again before the first device, account, badge, or other employee credential is issued.

What may go wrong

Onboarding always carries an element of risk, because a candidate moves quickly through recruiting, screening, HR record creation, device fulfillment, and account issuance, and each team sees only part of the picture.

If the identity at the front of that chain is false, the company can still end up building a perfectly normal employee record around the wrong person.

In other words, bad identity data can get accepted early, then harden into a trusted HR and access-management record. That is the pattern the North Korean cases exposed: the attackers aimed to move far enough through normal hiring and onboarding that the company itself would issue the laptop, create the account, and grant employee status.

What should be done about it

A stronger onboarding setup has to cover two trust transitions.

The first comes before screening data starts moving forward, at the applicant check stage:

  • verify the ID document, including document-authenticity checks and, where supported, NFC chip reads

  • verify the person holding it with selfie capture and liveness detection

  • check the capture path for spoofing and tampering, including screens, virtual cameras, emulators, rooted or otherwise compromised devices, injected media, and AI-generated or deepfake video

  • pass verified identity data into the screening flow instead of letting the applicant feed that process directly

The second comes when the person is about to receive the first account, the first device, or the first badge. At that stage, the company should:

  • run a second workforce identity verification step before first access is granted

  • match the verified identity back to the HR record that will receive the credentials

  • log the result so HR, IAM, and IT are all working with the same information

A note on digital IDs

In practice, the procedure should not be limited to physical documents: companies also need to verify digital IDs, such as mobile driver’s licenses (mDLs). This is especially relevant in remote or hybrid hiring, temporary access for contractors, and physical access issuance.

Solutions like Regula IDV Platform can support both traditional document verification and mDL verification, including QR/NFC engagement and Bluetooth/NFC retrieval.

Real-life workforce IDV use cases

Last year, Okta reported that the company had added mandatory identity proofing to new-hire onboarding and broader employee onboarding, first placing it during IT orientation when new employees set up FastPass.

Notably, the first version ran into practical issues such as preferred-name versus legal-name mismatches and exception handling. That’s why Okta later moved the check slightly forward, so new hires completed it when they first logged in and finalized account setup. The company says this made the new-hire process stronger without derailing IT orientation, and that the same setup now also supports self-service account recovery.

Workforce identity verification for access management

As part of broader workforce identity and access management, verification should be triggered when the company is about to grant, reissue, or escalate access that would be costly to give to the wrong person. 

Common examples include:

  • first-time assignment of a privileged role

  • PAM enrollment or a sensitive privileged-access checkout

  • privileged access to source code, finance, or other high-impact systems

  • badge issuance or reissue tied to a restricted physical area

  • temporary privileged or physical access for contractors, vendors, or part-time workers

  • access requests that arrive under unusual circumstances, such as a new device, an unexpected location, a mismatched time window, or weak surrounding context

This matters even more in temporary-access scenarios involving contractors, vendors, and part-time workers. In those cases, the company may need to verify a person before issuing a temporary badge or granting access to a site, and that check may involve not only a physical ID but also a digital credential such as a mobile driver’s license where that format is supported.

What may go wrong

Access management becomes risky at the moment a person asks for more reach than they already have. The problem is that these requests often look routine because they appear to come from a known employee, while in reality they may be coming from a compromised account, a borrowed identity, or a rushed exception process. 

Once that happens, the issue can become much larger than access to one tool: it can quickly turn into fraud, industrial espionage, customer-data exposure, or physical security risk.

What should be done about it

Despite the potential dangers, it is impractical to require full identity proofing (e.g., an ID document check plus face verification with liveness) for high-frequency requests. That is why a tiered access management system is arguably the best kind.

For example, a full workforce IDV check is required, but only for rare, high-impact changes such as a new admin role, a PAM checkout, access to finance or source-code systems, or badge issuance tied to a sensitive physical area. The request should then be checked against the right employee record, the person’s role, training status, current device or session context, and the scope of access being requested. If the request is approved, the access should be narrow and time-bound where possible, with a clear audit trail.

At the same time, lighter follow-up checks, such as face authentication or a verifiable credential on the employee’s device, can be used for lower-risk requests.

In practical terms, a solid access management setup usually does the following things:

  • uses a full workforce IDV check for rare, high-impact online and offline access changes

  • uses lighter follow-up verification after the first IDV event where the risk is lower or the request is repetitive

  • checks the request against the right employee record, role, site, training status, and current context before granting access

  • grants access as narrowly as possible, ideally for a limited window when the task is temporary

  • keeps logs and audit trails showing who asked for what, when, and under which checks
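The tiered decision described in the list above can be sketched as a small policy function. This is an added example, not code from Regula or from any product named on this page; the record fields, proof labels, resource names, and the eight-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy values for illustration; every organization sets its own.
HIGH_IMPACT = {"admin_role", "pam_checkout", "finance_system", "restricted_badge"}
LIGHT_PROOFS = {"face_auth", "verifiable_credential"}
GRANT_WINDOW = timedelta(hours=8)

@dataclass(frozen=True)
class Employee:               # hypothetical shape of the HR/IAM record
    employee_id: str
    entitlements: frozenset   # resources this person's role may request
    training_current: bool
    known_devices: frozenset
    full_idv_on_record: bool  # a first high-assurance IDV event exists

@dataclass(frozen=True)
class AccessRequest:
    employee_id: str
    resource: str
    device_id: str
    usual_location: bool
    proof: str                # "none", "face_auth", "verifiable_credential", "full_idv"

def required_tier(emp, req):
    """Full IDV for high-impact or unusual requests, lighter checks otherwise."""
    unusual = req.device_id not in emp.known_devices or not req.usual_location
    if req.resource in HIGH_IMPACT or unusual or not emp.full_idv_on_record:
        return "full_idv"
    return "light"

def decide(directory, req, now, audit_log):
    """Return (decision, detail) and append one audit entry per request."""
    emp = directory.get(req.employee_id)
    tier = None
    if emp is None:
        result = ("deny", "no matching employee record")
    elif req.resource not in emp.entitlements or not emp.training_current:
        result = ("deny", "role or training status does not cover this access")
    else:
        tier = required_tier(emp, req)
        accepted = {"full_idv"} | (LIGHT_PROOFS if tier == "light" else set())
        if req.proof in accepted:
            result = ("grant", (now + GRANT_WINDOW).isoformat())  # time-bound
        else:
            result = ("step_up", tier)  # request the stronger check, grant nothing yet
    audit_log.append({"who": req.employee_id, "what": req.resource,
                      "when": now.isoformat(), "tier": tier,
                      "proof": req.proof, "decision": result[0]})
    return result

# Constructed sample data.
DIRECTORY = {"E100": Employee("E100", frozenset({"wiki_edit", "pam_checkout"}),
                              True, frozenset({"LAPTOP-1"}), True)}
NOW = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
```

A request that arrives with a lighter proof than its tier requires gets a step-up answer rather than a grant, and every outcome, including denials, lands in the audit log.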

Real-life IDV use cases

Cellcentric’s case is a good example of privileged logical access to online resources: they have implemented a system with access packages valid for eight hours before the administrator has to request access again and present the credential again.

As for physical access, NEC is a good example of face verification moving into physical access management. In 2024, it began replacing conventional employee ID cards for about 20,000 staff at its headquarters in Japan with a digital employee ID tied to facial recognition. The system is used for building entry and exit, lockers, printing, PC login, and even workplace payments.

Workforce identity verification for account recovery

In account recovery, workforce identity verification is the control that stands between a legitimate reset and an account takeover. When someone asks to regain access to a real employee account, the company needs to verify the person inside the recovery flow itself, because a weak reset process can restore trust to the wrong person just as easily as it restores access to the right one.

What may go wrong

Companies are moving toward phishing-resistant MFA and passkeys for a good reason, but the problem is that stronger authentication makes recovery quality more important, not less. Phones are replaced, USB tokens are lost, devices are wiped, and employees still need a way back in. 

Many teams still do not have a good way to verify a caller who wants even a moderate-security authenticator reset, and the service-desk agent is often measured on speed. If identity matching is not automated, the verified identity data lands in front of that agent, who then has to search HR or access records by hand. 

In other words, weak recovery design creates privacy problems and security problems at the same time.

What should be done about it

At a minimum, workforce identity verification should be triggered inside the recovery flow itself, either in self-service or in the help-desk tool. The caller should prove document authenticity, face match, and capture integrity, and that result should be checked against the employee record before any reset goes through. 

And, again, there should be tiers to this system. After the first high-assurance IDV event, some companies may use lighter follow-up methods such as face authentication or a verifiable credential (VC) stored on the employee’s phone and presented later to a self-service recovery or PAM tool. 

VCs are particularly useful in large enterprises where employees may work from different offices, because they help verify the person while location and device signals help judge the context.
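Both the onboarding step of matching a verified identity to the HR record and the recovery step of checking the result against the employee record before a reset come down to the same automated match. The sketch below is an added example, not Regula's or any vendor's API; the field names and sample records are constructed assumptions. It routes a likely preferred-name versus legal-name mismatch to review instead of approving or guessing.

```python
import unicodedata

REQUIRED_CHECKS = ("document_authentic", "face_match", "capture_integrity")

def norm(name):
    """Casefold, strip accents, treat hyphens as spaces, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.replace("-", " ").casefold().split())

def surname(name):
    """Last name token, or an empty string for an empty name."""
    return (norm(name).split() or [""])[-1]

def match_record(verified, hr_records):
    """Return (status, employee_id or reason). Never picks between candidates."""
    same_dob = [r for r in hr_records if r["dob"] == verified["dob"]]
    exact = [r for r in same_dob if norm(r["legal_name"]) == norm(verified["name"])]
    if len(exact) == 1:
        return "match", exact[0]["employee_id"]
    if len(exact) > 1:
        return "review", "several records share this name and birth date"
    near = [r for r in same_dob if surname(r["legal_name"]) == surname(verified["name"])]
    if near and surname(verified["name"]):
        return "review", "possible preferred-name versus legal-name mismatch"
    return "no_match", "no employee record fits the verified identity"

def approve_reset(idv_result, claimed_employee_id, hr_records):
    """Gate a password or MFA reset on IDV checks plus a unique record match."""
    failed = [c for c in REQUIRED_CHECKS if not idv_result.get(c)]
    if failed:
        return False, "failed checks: " + ", ".join(failed)
    status, detail = match_record(idv_result["identity"], hr_records)
    if status != "match":
        return False, status + ": " + detail
    if detail != claimed_employee_id:
        return False, "verified person is not the owner of the claimed account"
    return True, "reset approved for " + detail

# Constructed sample data.
HR_RECORDS = [
    {"employee_id": "E100", "legal_name": "Zoë Müller-Schmidt", "dob": "1990-04-12"},
    {"employee_id": "E200", "legal_name": "Kate Nowak", "dob": "1985-11-02"},
]
```

Because the match is automated and returns only an employee ID or a reason, the service-desk agent never has to search HR records by hand or see more identity data than the decision needs.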

Real-life IDV use cases

One of the stronger cases comes from healthcare: Tampa General Hospital automated 80% of account recovery requests, cut MFA reset time from 4.5 days to 20 minutes, reduced help-desk resolution time by 99%, and cut account-related support calls by 22% after placing identity verification into workforce recovery.

Solving the workforce identity verification problem

The clearest way to think about workforce identity verification is this: it belongs at the exact points where a company is about to hand over a lot more trust than it had earlier. 

In onboarding, that trust looks like a laptop, an email account, and a place inside the org chart.

In account recovery, it looks like restored access to a real employee identity. 

In access management, it looks like the keys to systems and physical spaces that can widen the damage of any mistake.

A company that wants to cover all those areas well needs an entire stack that can verify the person, catch spoofing attempts, match the result to the right internal record, and feed that result into other systems.

Regula IDV Platform can do all of these. More specifically, the solution is able to:

  • Orchestrate multi-step verification flows across onboarding, account recovery, and access-request journeys instead of treating verification as a one-off event.

  • Verify identity documents at global scale using a document library of 16,000 templates from 254 countries and territories, with chip-based checks where applicable.

  • Confirm that the document holder is real and present through face matching, face identification, and liveness checks tested against ISO 30107-3 PAD requirements.

  • Support controlled access to workforce identity data through granular roles, permissions, and access boundaries across profiles, workflows, and devices.

  • Handle PII and biometric data in line with enterprise requirements through consent controls, configurable retention and deletion, geography-specific storage, and where needed, storage in an organization-managed environment. 

  • Integrate with existing client and third-party systems, so verification results move into the next control point without copy-paste or handoffs.

  • Support repeated workforce use cases without forcing full IDV every time by using the initial IDV event as the basis for later face authentication or verifiable credentials.

FAQ

What is workforce identity?

Workforce identity is the identity a company assigns to people who work for it or act on its behalf, including employees, contractors, vendors, and temporary staff. It is not just a name in a directory: it is the combination of records, credentials, roles, and access rights that determine who the person is inside the organization and what they are allowed to do.

Workforce identity vs customer identity: what is the difference?

Customer identity is mainly about giving an external user access to a service or account. Workforce identity is about managing trust inside the organization itself, which means it has to connect to HR records, onboarding, account recovery, privileged access, physical access, and other internal workflows. In short, customer identity opens the door to a product; workforce identity opens the door to the business.

What are the key features of workforce identity management solutions?

The strongest workforce identity management solutions combine identity verification with internal system integration and access control. In practice, that means they should support document and biometric checks, employee-record matching, integration with HR and IT systems, role- and context-based access decisions, strong recovery flows, audit trails, and lighter repeat checks after the first high-assurance verification event.
