---
title: Verifying new employees during onboarding
description: Use PingOne Verify to automate identity proofing for new hires.
component: pingone
page_id: pingone:identity_verification_using_pingone_verify:p1_verify_onboarding_use_case
canonical_url: https://docs.pingidentity.com/pingone/identity_verification_using_pingone_verify/p1_verify_onboarding_use_case.html
llms_txt: https://docs.pingidentity.com/pingone/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: April 7, 2026
section_ids:
  example-scenario: Example scenario
  goals: Goals
  what-youll-do: What you'll do
  before-you-begin: Before you begin
  tasks: Tasks
  config-p1verify: "Task 1: Configuring PingOne Verify"
  adding-a-new-or-editing-an-existing-pingone-verify-policy: Adding a new or editing an existing PingOne Verify policy
  steps: Steps
  result: Result:
  orchestrating-a-davinci-verify-transaction: Orchestrating a DaVinci verify transaction
  steps-2: Steps
  view-results: "Task 2: Viewing verification results or manually approving an employee"
  viewing-verification-results: Viewing verification results
  steps-3: Steps
  manually-approving-an-employee: Manually approving an employee
  steps-4: Steps
  result-2: Result:
  next-steps: Next steps
  validation: Validation
  testing-the-employee-experience: Testing the employee experience
  verifying-results: Verifying results
  troubleshooting: Troubleshooting
---

# Verifying new employees during onboarding

Use PingOne Verify to automate identity proofing for new hires. By requiring a mobile-based government ID scan and biometric liveness check, PingOne Verify replaces slow, manual document reviews with a secure, digital-first workflow.

This process prevents ghost hiring, imposters, and insider threats, reducing HR risk by creating a secure audit trail before a new employee accesses company systems, business applications, or sensitive data.

|   |                                                                                                                                                             |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | PingOne Verify isn't a Form I-9 U.S. Employment Eligibility Verification replacement. All employees must complete an I-9 as part of their contract signing. |

## Example scenario

In this scenario, a candidate has been hired and must complete identity verification to gain access to the organization's internal systems. To initiate onboarding:

1. After a contract is signed, the organization's HR system initiates an automated onboarding workflow using PingOne Verify, sending a secure, one-time verification link to the new employee on their PingID application.

2. The organization orchestrates a verify transaction using PingOne DaVinci where the new employee downloads and sets up PingID on their mobile device to begin the high-assurance identity capture.

3. The employee scans their government-issued ID and performs a biometric liveness check.

4. The organization's backend evaluates the results. Upon a successful match, the system updates the employee's status to active.

5. The employee is redirected to a success landing page with instructions on how to access company resources and applications.

## Goals

After completing this use case, you'll know how to do the following:

* Configure PingOne Verify policies to validate government-issued IDs and biometric liveness for secure employee onboarding.

* Orchestrate a DaVinci workflow to automate the identity verification journey from the HR system to the employee's mobile device.

* Manage and audit verification results to confirm successful identity matches or manually approve employees to ensure day-one productivity.

## What you'll do

To set up the example scenario in this use case, you'll:

1. Add or edit a PingOne Verify policy.

2. Orchestrate a DaVinci verify transaction.

3. View verification results or manually approve an employee.

## Before you begin

Ensure you have the following:

* A [PingOne environment](../getting_started_with_pingone/p1_getting_started_adding_environment.html) with the PingOne Verify and PingOne DaVinci services.

* A [PingOne administrator role](../directory/p1_roles.html).

* [PingOne Verify Quick Start DaVinci Flow](https://marketplace.pingone.com/item/pingone-verify-quick-start) downloaded from the Ping Identity Marketplace.

## Tasks

Setting up this onboarding workflow takes two main steps:

* First, you'll create your identity verification rules and connect them to an automated sign-up flow. Learn more in [Task 1: Configuring PingOne Verify](#config-p1verify)

* Second, you'll learn how to check a new hire's verification status and manually approve them if they get stuck. Learn more in [Task 2: Viewing verification results and manually approving an employee](#view-results)

### Task 1: Configuring PingOne Verify

Configure PingOne Verify by creating a verification policy and orchestrating the secure transaction.

#### Adding a new or editing an existing PingOne Verify policy

Define the rules of identity proofing to ensure the person accessing your network is the same individual who signed the employment contract. By pairing biometric liveness with facial comparison, you anchor the digital onboarding session to a legal identity, preventing ghost hires, deepfakes, and imposters from infiltrating your organization before day one.

### Steps

1. In the PingOne admin console, go to **Identity Verification > Verify Policies**.

2. Browse or search for the policy you want to edit, or click **+** to add a new policy.

   For example, you could have a policy specifically for new hires that allows you to track and audit the actions taken by new hires during this initiation phase.

### Result:

The **Policy Details** panel opens.

1. Click the **Pencil** icon ([icon: pencil, set=fa]).

2. Enter or edit the following configurations:

   | Setting               | Recommended threshold | Reasoning                                                                                                                                                                                                                                                                                                                                                                                                               |
   | --------------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Government ID**     | Required              | Prevents ghost hiring by anchoring the biometric to a legal identity.Click the toggle in **Fail Expired IDs** to fail verification for expired IDs. This meets standard compliance for HR and legal right to work checks.                                                                                                                                                                                               |
   | **Facial Comparison** | Medium or High        | Ensures the live person is the same person on the ID.&#xA;&#xA;Choose a high threshold if your policy requires a near-perfect match. Choose a medium threshold if you want to prioritize a smooth onboarding experience. A medium threshold setting is more forgiving of environmental factors, such as dim lighting or lower-quality mobile device cameras, that might otherwise cause a legitimate ID to be rejected. |
   | **Liveness**          | High                  | Requires the employee to provide a selfie for verification.Select **2** or **3** **Selfie Retry Attempts** to account for poor lighting or bad angles without failing the whole onboarding process immediately.                                                                                                                                                                                                         |

3. Click **Save**.

4. (Optional) Configure one or more languages and modify the PingOne Verify text fields that are presented to the employee in notifications and agreements. Learn more in [Configuring language localization](p1_verify_configuration_setup.html).

#### Orchestrating a DaVinci verify transaction

You must bridge the gap between your policy and the employee's mobile device. Orchestration is the engine that sends the verification request and handles the response.

|   |                                                                                                                                                                                                      |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | This orchestration uses PingID for document capture. The employee can find downloading instructions in the [PingID downloads](https://www.pingidentity.com/en/resources/downloads/pingid.html) page. |

Learn more about [orchestration methods](p1_verify_configuration_setup.html#p1-verify-orchestration).

### Steps

1. In DaVinci, on the **Flows** tab, click **+ Add Flow** and select **Import Flow**.

2. Upload the PingOne Verify Quick Start DaVinci Flow and click **Import**.

3. Update the PingOne Verify Quick Start flow with your PingOne Verify policy.

4. Click the PingOne Verify **Create Verify transaction** node in the flow.

5. In the **Verify Policy** list, select the policy you configured.

   ![Screen capture of the PingOne Verify flow configuration in DaVinci.](_images/p1-verify-davinci-orhcestration.png)

   |   |                                                                                                                                                                                                                                                                                                                                                                              |
   | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Locate the **Determine Device Type** node.- If the employee is using a desktop, **Determine Device Type** node triggers the **Display QR code** node. The employee scans this with their phone to open the PingID app.

   - If the employee is using their mobile device, the node provides a direct link to the Apple App Store or Google Play to ensure PingID is installed. |

6. Add a custom message in the **Read Metadata** node at the end of the flow to point to your corporate welcome portal.

7. Click **Apply**.

   ![Screen capture of the read metadata node in a DaVinci flow.](_images/p1-verify-davinci-flow-read-metadata.png)

### Task 2: Viewing verification results or manually approving an employee

Monitoring verification transactions allows HR and Security teams to ensure that only identity-proven individuals move from new hire to active status. In this onboarding use case, reviewing these results is your final security gate to confirm that the person who signed the contract is the same person accessing your corporate network.

This is necessary to:

* Create a permanent record of identity proofing for legal and HR audits.

* Identify a fail status early and investigate potential ghost hires or deepfake attempts before system access is granted.

* Identify partial or fail statuses caused by poor image quality and reach out to the employee to ensure they're ready for their first day.

#### Viewing verification results

Accessing verification results allows you to evaluate real-time status updates, review transaction IDs, and ensure compliance before granting network access.

### Steps

1. In the PingOne admin console, go to **Directory > Users** and browse or search for the employee you want to view.

2. Click the employee entry to open the employee details panel.

3. In the employee details panel, go to **Services** > **ID Verification** to view the verification status and results for the employee.

   For each **Transaction ID**, the status of the employee ID verifications, including a timestamp and the result, is displayed.

4. Click **View** to view the metadata result for a specific transaction ID.

   The following table shows verification statuses and the recommended action to take.

   | Status                  | Definition                                                                           | Action required                                                                                                                                                                                               |
   | ----------------------- | ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Requested**           | The system has generated a verification request for the new employee.                | Monitor for status change to **Initiated**.                                                                                                                                                                   |
   | **Initiated**           | The new employee opened the link or scanned the QR code to begin the session.        | None. The new employee is currently active in the session.                                                                                                                                                    |
   | **In progress**         | The new employee has submitted their ID, and the service is validating the document. | None. Awaiting service provider (SP) results.                                                                                                                                                                 |
   | **Partial**             | One step is complete, but another is pending.                                        | Send a reminder or re-trigger the link for the employee to finish the missing step, such as providing a selfie.                                                                                               |
   | **Success**             | Identity is validated. The transaction met all policy thresholds.                    | Proceed with provisioning or verify the **Active** status in the directory.                                                                                                                                   |
   | **Approved manually**   | An administrator bypassed the automated results to verify the new employee.          | Review audit logs to ensure manual verification was documented.                                                                                                                                               |
   | **Approved no request** | The transaction was approved by an admin before the employee started the process.    | None.                                                                                                                                                                                                         |
   | **Fail**                | Validation failed due to fraud, unsupported documents, or poor image quality.        | If the failure is due to image quality, ask the new employee to retry.If the metadata suggests document tampering or a live person mismatch, don't proceed. Escalate to your Security team for investigation. |

   |   |                                                                                                                                                                                                                                                  |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | Verified personally identifiable information (PII) is stored temporarily for 30 minutes in the verification service before being deleted. Only the final verification status and configured verified claims are retained in the identity record. |

#### Manually approving an employee

Automated checks could fail due to damaged ID cards, lens glare, or minor data mismatches. Manual approval allows HR administrators to intervene, bypassing policy requirements to activate the employee's directory status and resume the DaVinci onboarding orchestration. This prevents first-day lockouts while maintaining a secure, documented audit trail of the override.

### Steps

1. In the PingOne admin console, go to **Directory > Users** and browse or search for the employee you want to edit.

2. Click the employee entry to open the employee details panel.

3. In the employee details panel, click the **Services tab** > **ID Verification** to view the verification details for the employee.

4. Click **View**, then **Manually Approve**.

### Result:

* The employee's directory status changes from inactive to active.

* The DaVinci flow receives the approval signal and redirects the employee's phone or browser to the success landing page, where they receive their corporate sign-on instructions.

* The transaction is marked as `APPROVED_MANUALLY`. This ensures that if a security audit occurs later, the organization can see exactly which administrator authorized the access and why.

  |   |                                                                                                                                                                                          |
  | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | Because manual approval bypasses biometric security, always document the reason for the override in the employee's HR record or the PingOne user notes to maintain a secure audit trail. |

### Next steps

To monitor identity verification transaction activity for your organization filtered by your choice of date and PingOne Verify policy, learn more in [using the Identity Verification Dashboard](p1_verify_monitoring.html#using-the-identity-verification-dashboard).

## Validation

After you've configured your policy and orchestrated the flow in DaVinci, you're ready to verify the identity proofing part of your onboarding process.

### Testing the employee experience

Perform this test to simulate the journey of a new hire and ensure the PingID integration is functioning as expected:

1. In DaVinci, click **Try Flow** to run the flow and trigger a PingOne Verify transaction.

2. Follow the prompts within PingID to scan a government-issued ID and perform the biometric liveness check.

3. Verify the browser or application redirects you to the success landing page for your corporate portal.

### Verifying results

Reviewing transaction data ensures your policy thresholds, such as liveness and facial matching, are effectively blocking unauthorized access without hindering legitimate hires. This validation confirms that no ghost hires or imposters have bypassed your perimeter, providing a verified link between a digital record and a real-world person.

To confirm PingOne Verify correctly updated the employee's permissions and directory status:

1. In the PingOne admin console, go to **Directory > Users** and select the employee.

2. Verify the transaction shows a status of **Success** on **Services tab** > **ID Verification**.

3. Click **View** on the latest **Transaction ID** and review the metadata.

   * Confirm the **Liveness** and **Facial Comparison** scores meet your high or medium thresholds.

   * Verify the **Government ID** was correctly validated and the transaction shows **Success**.

     ![Screen capture of verify transaction id metadata.](_images/p1-verify-metadata-transaction.png)

4. If a transaction shows a **Fail** status, review the metadata to determine your next steps:

   * For image quality issues, ask the new employee to retry the scan in better lighting or at a different angle.

   * For security alerts, if the metadata suggests document tampering or a biometric mismatch, stop the onboarding process immediately and escalate the case to your Security team.

   * For damaged documents, if the automated check fails but you have verified the identity through other means, use the **Manually Approve** option to move the employee to **Active** status.

5. Confirm the employee's status has been updated to **Active**. This verifies your DaVinci orchestration successfully updated the directory after the verification match.

## Troubleshooting

Delays in identity verification directly impact an employee's first-day productivity and their first impression of the organization. If the process stalls, the employee remains inactive in the directory and is blocked from essential tools.

Use the following table to resolve common issues and ensure a smooth onboarding experience.

| Issue                       | Potential cause                                                                                                                                                                                                   |
| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| QR code doesn't open PingID | The employee is using their phone's camera app to scan the QR code, which opens Web Verify in a browser. They need to open the PingID app specifically to scan the code.                                          |
| QR code isn't displayed     | Return to the **Create Verify Transaction** node in DaVinci and ensure you selected your specific policy from the list.                                                                                           |
| Policy not applied          | Return to the **Create Verify Transaction** node in DaVinci and ensure you selected your specific policy from the list.                                                                                           |
| Partial status              | The employee likely completed the government ID scan but closed the PingID app before finishing the biometric liveness check. Send a reminder or re trigger the link for the employee to finish the missing step. |
