Gartner’s Right: Why Workforce Identity Verification Can’t Wait

Michael Cichon

Gartner VP Analyst Akif Khan has good reason to believe workforce use cases for identity verification (IDV) will gain serious traction in 2025. Having received just five calls about the topic in the first five of his six years on Gartner’s IAM team, he reports there’s been a major spike in such queries in recent months. In a January LinkedIn post, Khan reveals the biggest drivers of client interest in workforce IDV are account recovery flows and employee onboarding.

It’s easy to see why. Thanks to high-profile data breaches at MGM and Caesars, IT service desks have become prime targets for fraudsters impersonating employees seeking assistance with a password reset and account recovery. In these “vishing” scams, information gleaned from employee social media profiles can help hackers fool overworked IT service desk personnel into granting them unfettered access to corporate systems.

Meanwhile, more than 100 US companies in aerospace, defense, retail, and technology have fallen prey to North Korean nation-state attackers leveraging falsified identity information and deepfake technology to gain employment in remote IT positions from which they can exfiltrate data and conduct espionage. Even though technology to prevent such incursions is readily available, the frequency and severity of successful attacks keep growing.

Workforce Wake-up Call: The IDV Imperative

Whether it’s the service desk or employee onboarding, the cost of doing nothing about workforce IDV can be catastrophic. Once fraudsters have infiltrated corporate systems, they are free to escalate their access privileges, steal valuable data and source code, deploy crippling ransomware, and more.

Ransomware exposure costs US businesses an estimated $124 billion annually, and 35% of victim organizations never retain their data. And that’s just the start of the pain. A year after the February 2024 ransomware attack on UnitedHealth, the $22 million ransom was nothing compared to the $3.09 billion in total financial losses stemming from the incident.

Meanwhile, the average cost of a data breach topped $4.88 million in 2024—$9.48 million for US-based organizations. But according to PwC, 27% of companies worldwide, and 34% of companies in North America, have suffered a data breach that cost them between $1 million and $20 million in the past three years. As much as 44% of organizations hit by an identity-related breach estimated the associated costs exceed those of a typical data breach.

In the case of North Korea’s operatives, fraudulent employees who passed background checks, reference verifications, and rounds of Zoom interviews performed job tasks while installing remote monitoring and management (RMM) tools to establish a persistent presence within compromised networks. Others worked to exfiltrate data stored in OneDrive, SharePoint, and other cloud-based systems.

With help desk attacks, the ever-growing attack surface of outsourced IT support and call center operations crewed by less experienced, often short-term employees makes these organizations especially vulnerable to vishing. Emerging AI voice-enabled attack modalities only make matters worse.

Hope Is Not a Strategy: Balancing Security, Cost, and UX

Put it all together, and it’s no wonder Khan is fielding more questions about workforce IDV. And in his post, he asks the exact right questions: “Will organizations see the value in using IDV for these workforces use cases? Do they see the cost and challenges to the UX as proportionate to the risks being mitigated? And do they feel confident that IDV can mitigate those risks?”

As I mentioned, technologies to effectively address these use cases are widely available today. Organizations sourcing solutions are likely to find that these same technologies answer Khan’s other questions in the affirmative.

The problem today is that HR departments and IT service desk operations with remote workers tend to use antiquated identity verification processes that rely on manual review of government-issued credentials shared in the clear via email and SMS messaging. High-quality fake credentials and deepfake technologies easily defeat these measures. Traditional forms of multifactor authentication (MFA) aren’t much help. Fraudsters increasingly demonstrate the ability to compromise SMS-based codes and push notifications through social engineering, SIM swapping, and other techniques.

Many forms of biometric authentication aren’t foolproof either. Anyone with administrative access can register things like user biometrics to any device they access—or set up an alternative identity provider to bypass authentication measures altogether. These technologies aren’t always easy to integrate with existing workflows or infrastructure either—let alone meet a growing array of privacy mandates.

Modernizing Workforce Verification and Authentication

With traditional forms of MFA growing unreliable, modern forms of identity verification and authentication are setting new standards for security, convenience, and efficiency. Solutions certified to FIDO2, iBeta biometrics, UK DIATF, and NIST 800-63-3 standards, for instance, bind machine-verified identity to government-issued credentials (driver’s license, state ID, passport, etc.) and enable non-phishable multifactor authentication when verified users log in to digital services.

1Kosmos is a case in point. Our workforce verification solution provides an order of magnitude improvement in credential issuing during user onboarding and account recovery—replacing weak, knowledge-based and two-factor forms of authentication with a simple self-service workflow that accommodates government-issued credentials in 140 countries with 99% accuracy. Executed from any device, anywhere, anytime, 1Kosmos detects stolen and synthetic identities while establishing high-assurance trust for legitimate workers.

Meanwhile, our workforce authentication solution eliminates the vulnerabilities of traditional passwords via passwordless, identity-backed biometrics. Built on a decentralized identity framework, it ensures secure, frictionless authentication of employees, contractors, and supply chain partners and, importantly, puts users in control of their own personally identifiable information. We also provide support for password reset and legacy 2FA/MFA to accommodate disparate IT environments built over decades.

Our solutions are built on the only platform certified to NIST 800-63-3, UK DIATF, FIDO2, and iBeta ISO/IEC 30107- standards with an SDK and standard APIs to avoid security exploits and prevent vendor lock-in. With collaborations like our partnership with Concentrix, we help organizations enable workforce verification and authentication that transforms security, reduces costs, and enhances the user experience.

Khan-versation Starter: Looking Forward to What’s Next

In his LinkedIn post, Gartner’s Khan writes, “I’m super interested to see whether this takes hold in 2025,” adding, “I look forward to engaging with clients and vendors this year to see how this shapes up.” We couldn’t agree more—and we look forward to doing just that.

To learn how 1Kosmos can help protect your organization against worker fraud and service desk attacks with the only NIST, DIATF, FIDO2, and iBeta certified workforce verification and authentication solutions on the market, click here.

Meet the Author

Michael Cichon

CMO of 1Kosmos

Michael is a Silicon Valley veteran with over two decades of experience marketing B2B SaaS solutions for startups and publicly traded companies. Prior to joining 1Kosmos, Michael held VP of Digital and Content Marketing roles at both Agari and ThreatMetrix.
