The way we work has fundamentally changed. While remote and hybrid models offer flexibility and productivity gains, they also make it harder to confidently verify who is on the other side. Traditional controls mainly prove what a user knows (e.g., a password) or what a user has (e.g., a device). In a world of credential theft, impersonation, and AI-driven deception, that isn’t always enough to establish trust.
Today, Oracle is addressing this challenge with Oracle Cloud Infrastructure Identity and Access Management (IAM) Identity Assurance—an AI-powered capability that ties digital identities to real, verified individuals and helps maintain that link over time with identity verification and facial biometric checks. Identity Assurance complements existing IAM controls (e.g., a robust set of MFA factors including push notifications, one-time passcodes, and FIDO2 authenticators) and Oracle’s broader security posture, as exemplified by our leadership’s commitment and exciting product innovations.
Here’s a breakdown of how Identity Assurance operates:
Step 1: Identity Verification. This step establishes the initial trust anchor. Users begin by scanning a government-issued ID (such as a driver’s license or passport) and taking a live selfie with their phone. This information is transmitted to an Identity Verification (IDV) vendor that validates the authenticity of the document and performs a biometric selfie match against the photo on the ID. This process confirms that the individual presenting the ID is a real person and the legitimate holder of the document. Customers will be able to use their preferred IDV vendor because IAM integrates with industry leaders such as Clear and Daon.
Step 2: Enrollment. After verifying identity, users complete a one-time enrollment in Identity Assurance. During enrollment, users look at their device’s camera and follow simple on-screen prompts, allowing the system to capture a high-quality facial scan. Oracle uses advanced AI algorithms to extract unique facial features and convert them into a mathematical representation (a “biometric embedding”) that is encrypted and stored. Raw images are never saved. To help protect against spoofing and ensure embeddings are created from real individuals—not photos or videos—the system performs both active and passive liveness detection. Users complete a guided movement (such as following a dot on the screen), while the system simultaneously analyzes subtle signals and patterns to confirm live presence.
Step 3: Continuous Verification. Users accessing resources protected by OCI IAM, such as the OCI Console or Fusion Apps, are prompted periodically (e.g., randomly every 7-14 days) to verify their identity after authentication. The system captures a live facial scan, analyzes it, and compares it to the previously enrolled biometric embedding. Results are recorded in OCI Audit, and a failure triggers an alert that can be routed to customer Security Operations and Compliance teams for investigation.
Configuring Identity Assurance is designed to be simple. Administrators create an “Identity Assurance” policy in the OCI IAM Identity Domain. This policy defines the conditions under which Identity Assurance operates: which groups of users are required to complete biometric checks, and at what frequency. This policy-driven approach provides the flexibility to tailor security posture to specific conditions, e.g., requiring more frequent Identity Assurance for employees who access production workloads. Identity Assurance can also be deployed in an environment where user identities are managed in an IdP external to OCI.
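To make the enrollment, scheduling and continuous-verification flow above concrete, here is an added illustration in Python. It is not Oracle's code and does not use any OCI API; it is a self-contained model of the decision logic a service like this has to implement: a policy scoped to a group with a random recheck interval of 7-14 days, enrollment that only accepts a capture that passed liveness, a similarity comparison of a live embedding against the enrolled one, an audit record for every event, an alert on failure for the SOC queue, and unenrollment that deletes the stored embedding (as described under Security and Privacy below). The embeddings, the cosine-similarity metric, the `MATCH_THRESHOLD` value and the class and event names are all assumptions constructed for the example; encryption at rest is out of scope of the model.

```python
import math
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative threshold (assumption). Real thresholds are calibrated by the
# biometric vendor against false-accept and false-reject rates.
MATCH_THRESHOLD = 0.90


def cosine_similarity(a: list[float], b: list[float]) -> float:
    """Similarity of two embeddings; 1.0 means the same direction."""
    if len(a) != len(b):
        raise ValueError("embedding dimensions differ")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        raise ValueError("zero-length embedding")
    return dot / (norm_a * norm_b)


@dataclass
class AssurancePolicy:
    """Which group is subject to checks and how often (inclusive day bounds)."""
    group: str
    min_days: int = 7
    max_days: int = 14


@dataclass
class Enrollment:
    user_id: str
    embedding: list[float]   # stands in for the encrypted embedding; no image is kept
    next_check_at: datetime


@dataclass
class AssuranceService:
    policy: AssurancePolicy
    rng: random.Random = field(default_factory=lambda: random.Random(2024))
    enrollments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def _schedule(self, now: datetime) -> datetime:
        # Randomised interval so a user cannot predict the next prompt.
        days = self.rng.randint(self.policy.min_days, self.policy.max_days)
        return now + timedelta(days=days)

    def _record(self, event: str, user_id: str, now: datetime, **extra) -> None:
        self.audit_log.append({"event": event, "user": user_id,
                               "time": now.isoformat(), **extra})

    def enroll(self, user_id: str, embedding: list[float],
               liveness_passed: bool, now: datetime) -> bool:
        # An embedding is only accepted from a capture that passed liveness.
        if not liveness_passed:
            self._record("ENROLL_REJECTED", user_id, now, reason="liveness_failed")
            return False
        self.enrollments[user_id] = Enrollment(user_id, list(embedding), self._schedule(now))
        self._record("ENROLLED", user_id, now)
        return True

    def check_due(self, user_id: str, now: datetime) -> bool:
        e = self.enrollments.get(user_id)
        return e is not None and now >= e.next_check_at

    def verify(self, user_id: str, live_embedding: list[float],
               liveness_passed: bool, now: datetime) -> bool:
        e = self.enrollments[user_id]
        # A replayed photo or video fails on liveness regardless of how well it matches.
        score = cosine_similarity(e.embedding, live_embedding) if liveness_passed else 0.0
        passed = liveness_passed and score >= MATCH_THRESHOLD
        self._record("VERIFY_PASS" if passed else "VERIFY_FAIL", user_id, now,
                     score=round(score, 3))
        if passed:
            e.next_check_at = self._schedule(now)
        else:
            self.alerts.append({"user": user_id, "time": now.isoformat(),
                                "score": round(score, 3),
                                "reason": "liveness_failed" if not liveness_passed
                                else "embedding_mismatch"})
        return passed

    def unenroll(self, user_id: str, now: datetime) -> bool:
        # Unenrollment permanently removes the stored embedding.
        removed = self.enrollments.pop(user_id, None) is not None
        self._record("UNENROLLED", user_id, now)
        return removed
```

The sample embeddings in the test are three-dimensional vectors constructed for the example; a real face model produces hundreds of dimensions, but the comparison, scheduling and audit logic are the same. The audit log and alert list are the hooks a SOC would forward to its SIEM.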
Security and Privacy of Biometric Data
Oracle recognizes that the processing of biometric data requires a high level of security and privacy protections. Here’s how Identity Assurance is designed to protect it:
- No Raw Image Storage: Oracle does not store the original facial images captured during enrollment. Only encrypted biometric embeddings are retained.
- Robust Encryption: Biometric embeddings are encrypted in transit (mTLS) and at rest using Oracle Database Transparent Data Encryption (TDE) with industry-standard algorithms such as AES-256.
- Data Isolation: Embeddings are stored separately from IAM data and isolated within each identity domain. This is designed to prevent correlation with sensitive identity information and to limit the blast radius. Network protections such as Zero Trust Packet Routing help guard against data exfiltration.
- Restricted Access: Access to biometric data by Oracle operators is tightly controlled under a strict zero-access policy enforced through cryptographic controls and policy safeguards.
- User Control: Customers can collect user consent during enrollment. Users can unenroll at any time, which permanently deletes their biometric data.
- No Data Sale: Oracle does not sell biometric data to third parties.
Getting Started with Identity Assurance Today
Oracle is using Identity Assurance to strengthen its own security posture, and we’re excited to announce that Identity Assurance is now Generally Available for OCI IAM customers in US regions (PHX, IAD). To learn more, read the Identity Assurance documentation, or reach out to your OCI account representative. We’re confident that Identity Assurance will be a valuable tool to help strengthen your security posture and support protection of your critical assets–your workforce.
