October 28, 2025

How Cloudflare and Nametag Are Closing the Identity Assurance Gap in Zero Trust Workforce Onboarding

by
Nametag Team
North Korea Blog Post Header
press@nametag.co

Get in touch with our PR team.

Download media kit

Logos and graphics to help you cover Nametag.

Nametag console showing a successful verification result

Workforce Identity Verification

Prevent breaches and reduce IT support costs with ready-to-use solutions built on Deepfake Defense™ identity verification and turnkey IAM integrations.

Five stars in a line
Learn how

Today we’re introducing a new partnership and integration with Cloudflare Access, the leading Zero Trust Network Access (ZTNA) solution and part of Cloudflare’s Security Access Service Edge (SASE) Cloudflare One. Our joint solution combats advanced hiring fraud threats, including North Korean IT worker laptop farms, by verifying the person setting up a new device before they gain access to anything. Read on to learn more, then check out our integration page and use our dev docs to get started.

“Cloudflare is excited to partner with Nametag to further our commitment to delivering the best Zero Trust Network Access (ZTNA) solutions. Enhancing Cloudflare One with Nametag to verify new hires during onboarding ensures that only legitimate users can access internal resources, eliminates deepfake threats, and protects against sophisticated impersonation schemes.” – Kenny Johnson, Principal Product Manager at Cloudflare 

The Insider Threat You Can’t See Coming

Securely onboarding remote employees is one of the most difficult challenges for IT departments. You get a ticket from HR which includes the new hire’s start date, name, and mailing address. You re-image a laptop you have on hand, or arrange a new device to be shipped directly to the employee from the distributor. Then what happens?

Someone receives the package, sets up the laptop, and connects it to your networks––but you don’t really know who, exactly, is doing these things. 

All you really know is that whoever is connecting the laptop to your networks and installing apps has valid credentials, and maybe that the device posture checks out.

DPRK IT Workers: A Case Study in Insecure Device Provisioning

IT departments at multinational enterprises typically take one of two approaches to getting new employees set up with company laptops:

  1. Send pre-configured devices from a headquarters or regional hub.
  2. Have new devices shipped to a new hire directly from a distributor. 

In either model, however, IT has little visibility into who actually receives it.

The reality is that device provisioning is a major blindspot in enterprise security, and North Korean IT worker schemes have weaponized it.

In July, an American woman was sentenced to over 8 years in prison for operating a “laptop farm” on behalf of North Korea, helping bad actors by receiving, configuring, and operating more than 90 devices from her home. 

This case was not isolated; over the past 6 months, Cloudflare’s REACT incident response team assisted with investigations leading to thousands of illegitimate remote workers being identified.

This highlights a fundamental gap in enterprise onboarding: verifying that the person setting up a company-issued laptop is who they claim to be.

IT inherits the risk, but has no control over the hiring processes involved.

Fake IT Workers: A Story of Impersonation and Inherited Risk →

Close the Final ZTNA Gap with Cloudflare and Nametag

Nametag and Cloudflare have partnered to solve this problem at its source. With our new integration and joint solution, we’re enabling IT teams to place a workforce-grade identity verification “gate” at device provisioning. 

When a new hire first authenticates to internal systems or begins credential enrollment, Cloudflare Access invokes Nametag’s Deepfake Defense™ engine to verify that the user is both a real person and the right person. The employee’s verified identity is compared against their corresponding directory accounts, establishing a durable trust anchor for future access.

For legitimate users, the process is easy. In under 30 seconds, they simply scan their government-issued photo ID and take a selfie. Our Deepfake Defense engine combines advanced cryptography, biometrics, spatial liveness and other features to verify that the person behind the device is both a real human and the right human. Our suite of privacy controls ensures that their information is both respected and protected.

If a verification is rejected, the user stays isolated. Bad actors, whether impersonating a fraudulent worker or an accomplice operating a laptop farm, are blocked before they can do any damage. Even if a fraudster obtains valid directory credentials, they can’t use them to access any apps. IT and security teams are alerted immediately, along with the information you need to make an informed decision on how to proceed with that user.

“The cost of hiring a North Korean IT worker or other imposter goes from your entire network and hundreds of hours of ransomware remediation, to a $1500 laptop and a few hours of IT time.” - Aaron Painter, CEO at Nametag

How to Set up Zero Trust Onboarding with Cloudflare + Nametag

Every organization handles new employee onboarding slightly differently, so we’ve architected this solution to be both highly flexible and as turnkey as possible. Whether your IT department ships pre-imaged devices or factory-new hardware, or follows another workflow entirely, our Coudflare integration supports you. 

Here are two suggested implementation paths based on example customer scenarios:

Example Implementation Path 1: Directory login [pre-imaged devices]

  1. IT creates a shell account for a new employee in your IAM provider.
  2. IT configures and ships a laptop to the new employee, and shares their directory username and password (how doesn't matter, see below).
  3. In order to access protected applications, the employee has to go through Cloudflare One, which uses Nametag as the authentication factor.

In this scenario, two things can happen:

  1. The employee successfully verifies their identity, and their verified identity is successfully matched to their shell account. The employee can proceed to enroll in MFA and then access the apps they need to do their job.
  2. The employee’s identity verification is rejected. They can appeal, but your IT and security teams are notified. The employee has a device and directory credentials, but they can’t do anything with them: apps are gated by MFA, and to enroll in MFA they must access another app (i.e. your identity provider) which is protected by Nametag through Cloudflare.

Example Implementation 2: Standard OS onboarding [factory-new devices]

  1. IT creates a shell account for a new employee in your IAM provider.
  2. IT ships the employee a new device directly from the distributor.
  3. The new employee goes through the standard MacOS or Windows device setup process, including setting a username and password for the device.
  4. In order to access applications, the new employee has to go through Cloudflare One, which uses Nametag as the authentication factor.

In this scenario, two things can happen:

  1. The employee successfully verifies their identity, and their verified identity is successfully matched to their shell account. The employee can proceed to claim their IAM directory credentials (via Nametag), enroll in MFA, and then access the apps they need.
  2. The employee’s identity verification is rejected. They can appeal, but your IT and security teams are notified. The employee has a device but can’t access your networks and apps, and can’t claim their IAM credentials.
Learn more about Zero Trust Device Provisioning

End-to-End Secure Onboarding: The Trust Anchor of Zero Trust

After secure device provisioning, the next step in onboarding is credential issuance. Nametag has a solution for this, too: after setting up their new device, new employees can be directed to a self-service portal where they re-verify their identity before setting passwords and enrolling MFA with your identity providers. Our patented reverification technology means that they simply take a new selfie, reducing friction while maintaining workforce-grade assurance.

This end-to-end solution makes onboarding both safer and faster, eliminating the need for manual video calls or in-person device pickups while preventing sophisticated impersonation attacks.

Learn more about end-to-end secure onboarding with Nametag →

Get Started with Nametag + Cloudflare

Deepfake-enabled impersonation attacks are no longer limited to phishing or deepfake voice scams; they now affect your hiring and onboarding processes. By securing the first moment of device access, Cloudflare and Nametag are helping enterprises stay ahead of a new class of identity-based threat.

Our integration with Cloudflare is available today. Learn more on our integration page and then use our dev docs to get started with Zero Trust Onboarding.

Secure your helpdesk against social engineering and impersonators.
Learn more about Nametag
Right Arrow Blue
We use cookies to provide, improve, and promote our services. By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. Visit our Privacy Policy to learn more.
Decline
Accept All Cookies