With social engineering attacks on the rise, and with the need for tighter security protocols and business processes around password and account support, especially now that a large share of the workforce is hybrid or remote, many organizations are finding it challenging to validate a person's identity.
At Instrumental Identity we have worked with many different organizations, particularly in higher education, where we have been able to mitigate some of those risks and challenges.
Identity proofing is an important aspect of making sure the person you are providing support to is who they claim to be. While there are third-party tools and companies that provide this service, the costs can sometimes pose even more challenges. Through our experience working in higher education, one of the sectors most frequently targeted by cyber attacks, we have been able to provide more rigorous methods of ID proofing.
For years, most organizations were able to get away with knowledge-based ID verification, in which support staff relied on factors like date of birth, last name, address, and phone number. All of these are now much more easily found on the internet, and those days are behind us. Some of what we recommend and provide as part of our products and services, in particular with SailPoint IdentityIQ, is the ability to use multi-factor authentication apps such as DUO and Okta, send one-time passwords to a verified email address or phone, view photo IDs from a third-party badging system without needing to store them, and, when needed, ask dynamic knowledge-based questions whose answers are likely known only to the identity you are validating. These could be questions like the last name of a professor for a course you are enrolled in, the middle name of your primary beneficiary, the date you were hired, an application you recently logged into, or location-based information obtained from your IdP/MFA vendor.
Using our SailPoint UI plugin, we are able to add this functionality to SailPoint IdentityIQ and allow your support staff to confidently identify and support users. Actions such as resetting a password or updating MFA settings for a user can be blocked until the user has gone through the appropriate ID proofing steps, and all actions are audited. To take things a step further, we have also introduced workflows and buttons in our UI plugin to flag an identity for suspicious activity or red flags during an ID proofing session. The identity can then go through a more rigorous process with your security team or supervisors, and no action can be taken on that user until they are properly verified.
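To make the gating rule concrete, here is an added example (not Instrumental Identity's plugin or SailPoint code) that models it: a support action on an identity is allowed only when a proofing session has passed at least one strong method, a flagged identity blocks every action until security review, and every attempt and decision is written to an audit trail. The method names, action names and session fields are assumptions for illustration.

```python
# Added example (not Instrumental Identity's plugin or SailPoint code): a model
# of the ID proofing gate described above. Names and fields are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Method(Enum):
    MFA_PUSH = "mfa_push"        # Okta/DUO push approved on the user's device
    OTP = "otp"                  # one-time code sent to a verified email/phone
    PHOTO_ID = "photo_id"        # photo ID viewed from the badging system
    DYNAMIC_KBA = "dynamic_kba"  # answers only the real identity should know
    STATIC_KBA = "static_kba"    # DOB, address, last name: easily found online


# Static knowledge-based answers no longer count as proof on their own.
STRONG_METHODS = {Method.MFA_PUSH, Method.OTP, Method.PHOTO_ID, Method.DYNAMIC_KBA}
# Sensitive support actions that stay blocked until proofing succeeds.
GATED_ACTIONS = {"reset_password", "update_mfa"}


@dataclass
class ProofingSession:
    identity: str              # identity being verified (the caller)
    agent: str                 # support representative running the session
    passed: set = field(default_factory=set)
    flagged: bool = False      # red flag raised by the agent; cleared only by security review
    audit: list = field(default_factory=list)

    def record(self, method: Method, success: bool) -> None:
        """Log every verification attempt, pass or fail."""
        if success:
            self.passed.add(method)
        self.audit.append(f"{self.agent} proofed {self.identity} via {method.value}: "
                          f"{'pass' if success else 'fail'}")

    def flag(self, reason: str) -> None:
        """Mark the identity as suspicious; all further actions are refused."""
        self.flagged = True
        self.audit.append(f"{self.agent} flagged {self.identity}: {reason}")

    def authorize(self, action: str) -> tuple[bool, str]:
        """Decide whether the agent may perform `action`; every decision is audited."""
        if self.flagged:
            verdict = (False, "identity flagged; awaiting security review")
        elif action in GATED_ACTIONS and not (self.passed & STRONG_METHODS):
            verdict = (False, "no strong proofing method passed")
        else:
            verdict = (True, "allowed")
        self.audit.append(f"{self.agent} {action} on {self.identity}: {verdict[1]}")
        return verdict
```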
Below is an example of some of the features we have enabled for our customers.
What the end user will see on their mobile device running Okta or DUO is a push notification. Each push is audited and logged in Okta or DUO as well as in SailPoint.
Note: while these methods don't leverage verified push, for obvious reasons, you should ensure your support staff are educating end users about fraudulent push notifications and, when possible, configure your MFA application for verified push or risk-based security. Additionally, it doesn't hurt to remind them about not sharing passwords and passcodes.
The end user's response will be visible in the SailPoint user interface through our plugin, and once a user has passed the verification protocols, other features can be enabled so the support representative can continue assisting the caller.