Managing Continuous Workforce Verification (Beta)

• Currently Available Oracle Beta Programs
• Continuous Workforce Verification Beta Program Sign Up

Identity Verification (IDV) is a process that validates a person's real-world identity by comparing their physical facial attributes to government-issued identification documents, such as passports and driver's licenses. This provides a high level of assurance that the user is who they claim to be.

Continuous Workforce Verification (CWV) builds on IDV by periodically re-validating a user's identity using facial biometrics after initial enrollment. This ensures that the person accessing applications or resources is the individual who is supposed to access the application or resource (and not someone who happened to gain possession of the credentials), strengthening your organization's security posture against imposters and unauthorized access.

This service integrates with third-party identity verification (or identity proofing) providers to perform the initial document and identity check. Once a user's identity is verified, their facial biometric data is enrolled with Oracle's native service for ongoing verification checks. Currently, Oracle supports Daon.

Identity Verification (IDV): The one-time process of proving a user's identity by matching a live selfie against a government-issued ID document. This is performed via a third-party provider.

Facial Biometrics: The process of capturing a user's unique facial characteristics to create a secure biometric template. This template is used for initial enrollment and subsequent verification checks. Facial biometrics in IAM is an OCI-native capability.

Continuous Workforce Verification (CWV): An ongoing security posture where a user's identity is periodically checked using facial biometrics to ensure the authorized user is still the one operating the account.

Identity Verification Provider: A third-party service (for example, Daon) that is integrated into OCI IAM to handle the initial identity proofing by verifying government-issued documents.

Liveliness Detection: Technology used during facial biometric scans to ensure the user is physically present and not using a photo, video, or mask to spoof the system. This involves prompts like tilting the head or blinking.

Inline Enrollment: An enrollment process that is mandated by an administrator and occurs directly within the sign-in flow. Users are typically required to complete it before they can access applications.

Continuous Workforce Verification Process

The process involves two key personas:

• Administrators: Configure Identity Verification providers and set up Continuous Workforce Verification policies that define when and how often users must verify their identity.
• Users: Enroll in the service by verifying their identity with a government-issued ID and their face. Subsequently, they complete periodic facial biometric checks as defined by the administrator.

1. An administrator at Example Inc. first establishes a commercial relationship with a supported identity verification provider, such as Daon.
2. In the OCI Console, the administrator navigates to the Identity Domain, configures Daon as an identity verification provider using credentials such as client ID and secret, and activates it.
3. The administrator then creates a Continuous Workforce Verification policy and adds a rule that specifies which user groups are affected.
4. Within the rule, the administrator enables facial biometrics and sets the frequency for periodic checks (for example, every 7 to 14 days) and re-enrollment (for example, every 6 to 12 months).

Oracle recommends combining Identity Verification and Biometrics for enhanced identity assurance. However, each capability is optional and can be used separately. Administrators have the flexibility to configure Continuous Workforce Verification with Identity Verification and Facial Biometrics, or with Facial Biometrics alone according to their organization’s specific needs. When both identity verification and facial biometrics are enabled for inline enrollment, the IDV process will be prompted first, followed by Biometric verification.

Administrators also have the option to specify enrollment as a mandatory inline option or a feature that users can skip and define settings such as verification frequency.

1. Initial Enrollment: An employee, John, is prompted to enroll inline after authentication (if Continuous Workforce Verification policy is configured for inline enrollment), or from My Profile. This is a one-time process.
   1. Identity Verification: A QR code appears on John's computer screen. He scans it with his smartphone to initiate the identity verification process with Daon. He takes a live selfie and then scans his government-issued ID. Daon validates the document's authenticity and confirms that the selfie matches the photo in the document.
   2. Biometric Enrollment: John is redirected back to his computer's web browser. He is prompted to position his face in a frame and complete randomized liveness prompts, such as tilting his head. The system captures his facial data, creates a biometric template, and stores it securely to complete his enrollment.
2. Ongoing Verification: Two weeks later, when John accesses an application, he signs in with his standard credentials. Immediately afterward, CWV initiates a facial biometric challenge. He positions his face, completes a liveness prompt, and the system validates his identity against the stored template, granting him access.

This use case highlights how Example Inc leverages the identity verification vendor Daon for continuous workforce verification (CWV). An administrator configures IAM to integrate with the identity verification provider and creates continuous workforce verification policies for periodic verification of users. Employee of Example Inc. verifies identity with a government-issued ID, enrolls in facial biometrics, and is re-verified through periodic identity checks.