Zero Trust's Missing Piece: Identity Verification
Traditional zero trust architecture verifies devices and credentials, but stops short of verifying that the person behind those credentials is who they claim to be. This gap has become a critical vulnerability as sophisticated threat actors—often linked to nation-states—exploit the hiring-to-onboarding window to infiltrate companies using stolen or fabricated identities and deepfake technology.
The Threat: Organized Remote IT Worker Fraud
According to Cloudflare's 2026 Threat Report, "remote IT worker" fraud is rapidly accelerating. These aren't lone attackers—they're organized operations running laptop farms: warehouses of devices remotely accessed by workers using fake identities to steal intellectual property and funnel revenue. Bad actors now use generative AI to pass interviews and deepfake tools to create flawless forged government IDs, rendering traditional background checks ineffective.
The Solution: Nametag Integration
Cloudflare has integrated Nametag, a workforce identity verification platform, directly into Cloudflare Access via OpenID Connect (OIDC). The integration works as an external IdP or as a chained evaluation factor alongside existing identity providers like Okta or Microsoft Entra ID.
How It Works
The verification flow is straightforward:
- New users attempting to access onboarding portals trigger a Nametag verification challenge
- Users submit their work email, snap a selfie, and scan their government-issued photo ID from their phone
- Nametag's Deepfake Defense engine—powered by cryptography, biometrics, and AI—confirms the user is a real person and the right person
- Upon successful verification, Nametag returns an ID token to complete the OIDC flow
- Cloudflare Access grants or denies access based on the verified identity and existing policies
The entire process takes under 30 seconds, and no biometric data is stored after verification.
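The chained evaluation described above, as an added example that is not Cloudflare's or Nametag's code: the claim checks a relying party applies to the two ID tokens once their signatures have been verified, plus a check that both tokens name the same work email. The issuer URLs, client ID, reliance on the standard `email` claim, and all function names are assumptions made for illustration.

```python
import time

# Constructed placeholder values; not real Cloudflare, Okta or Nametag endpoints.
PRIMARY_ISSUER = "https://primary-idp.example"
VERIFY_ISSUER = "https://verification-idp.example"
CLIENT_ID = "access-app-placeholder"


def check_id_token_claims(claims, issuer, client_id, nonce, now=None, skew=60):
    """Return the failures for one ID token whose signature has already
    been verified against the issuer's published keys (assumed here)."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != issuer:
        failures.append("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        failures.append("aud does not include this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + skew < now:
        failures.append("token expired or exp missing")
    if not nonce or claims.get("nonce") != nonce:
        failures.append("nonce mismatch (possible replay)")
    return failures


def chained_decision(primary, verification, primary_nonce, verify_nonce, now=None):
    """Allow only if both tokens pass and both name the same work email."""
    failures = [f"primary: {f}" for f in check_id_token_claims(
        primary, PRIMARY_ISSUER, CLIENT_ID, primary_nonce, now)]
    failures += [f"verification: {f}" for f in check_id_token_claims(
        verification, VERIFY_ISSUER, CLIENT_ID, verify_nonce, now)]
    p_email = str(primary.get("email", "")).strip().lower()
    v_email = str(verification.get("email", "")).strip().lower()
    if not p_email or p_email != v_email:
        failures.append("email differs between primary and verification tokens")
    return (not failures), failures


# Constructed sample claims, evaluated against a fixed clock of NOW.
NOW = 1_000
SAMPLE_PRIMARY = {"iss": PRIMARY_ISSUER, "aud": CLIENT_ID, "exp": 1_300,
                  "nonce": "n-1", "email": "New.Hire@corp.example"}
SAMPLE_VERIFY = {"iss": VERIFY_ISSUER, "aud": [CLIENT_ID], "exp": 1_300,
                 "nonce": "n-2", "email": "new.hire@corp.example"}
```

The email comparison is what ties the verified person to the account being onboarded: a valid verification token issued for a different address does not satisfy the chain.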
Broader Security Posture
This partnership complements Cloudflare's existing insider threat protections, including API-driven Data Loss Prevention (DLP), Remote Browser Isolation (RBI), and shadow IT detection. Combined, these tools create a layered defense that addresses both external attacks and insider threats before malicious actors gain access to sensitive resources.