content: add tiered verification, liveness checks, and onboarding/offboarding

Adds workforce security content from Andrew Chang-Gu (CISSP) presentation:
- 3-level identity verification framework (pseudonymous → verified → privileged)
- Anti-deepfake liveness techniques for video interviews
- Hardened onboarding sequence (identity → environment → scoped access)
- Instant offboarding procedure (IdP → sessions → secrets → hardware → audit)

Author: artemisclaw82

docs/pages/dprk-it-workers/mitigating-dprk-it-workers.mdx

@@ -12,6 +12,8 @@ contributors:
   users: [blackbigswan]
 - role: reviewed
   users: [yaniv, dickson]
+- role: contributed
+  users: [andrew-chang-gu]
 ---
 import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
 
@@ -60,6 +62,62 @@ limit the effects of a DPRK IT Worker infiltration and what you should do after
 6. Regardless of our tips of not focusing on "Asian man in his 20-30s" that particular appearance is still the most
     common (If not cloaked under the generative AI). Similarly, Korean-English accents.
 
+### Tiered Identity Verification
+
+Verification depth should scale with the sensitivity of the role being filled.
+
+**Level 1 — Pseudonymous Contributor** *(OSS contributors, community moderators, bounty hunters)*
+- On-chain wallet history demonstrating consistent, legitimate activity over time
+- Persistent pseudonymous identity with verifiable history (GitHub commits, forum participation)
+- Liveness check (see below)
+- **Scoped access only** — never admin rights, treasury access, or production systems
+
+**Level 2 — Verified Worker** *(Engineers, operations staff, administrative roles)*
+- Government-issued photo ID verification
+- Background check through a reputable provider, with verified jurisdiction
+- Reference checks with direct contact verification (don't rely on references you can't independently validate)
+- Video interview with active liveness verification (see below)
+
+**Level 3 — Privileged Operator** *(Treasury signers, cloud root access, security leadership)*
+- **In-person verification mandatory** — final-round interviews conducted on-site or at a trusted venue
+- Hardware wallet issuance and setup conducted in-person or via verified secure delivery
+- Dual-authorization requirements for all privileged actions
+- Periodic re-verification, especially after extended remote-only periods
+
+### Defeating Deepfakes: Liveness Verification
+
+Video interviews are now a primary vector for DPRK operative infiltration. Pre-recorded deepfake video can fool a casual interviewer, particularly when audio "technical difficulties" are used as cover. Standard video calls are not sufficient for identity verification at Levels 2 and 3.
+
+Incorporate unpredictable, interactive requests into video calls:
+
+- Ask the candidate to turn their head sideways and hold the position
+- Have them read a randomly generated phrase displayed on screen for the first time during the call
+- Request a hand movement across the face mid-stream
+- Ask them to screen-share and perform a live technical task requiring real-time interaction with their environment
+
+The goal is to introduce enough unpredictable real-time interaction that a pre-rendered deepfake cannot keep up.
+
+> ⚠️ Any candidate who persistently, escalatingly avoids in-person interaction — even for high-value roles — warrants a security review. This is a documented indicator of DPRK IT worker activity.
+
+### Hardened Onboarding
+
+The sequence in which access is provisioned matters:
+
+1. **Identity first.** Provision the IdP account with phishing-resistant MFA before any other access.
+2. **Environment setup.** Issue the managed device, provision VDI access, or configure enterprise browser policies before any production system access.
+3. **Scoped access.** Apply least-privilege from day one. Don't grant broad "we'll scope it later" permissions.
+4. **Secrets hygiene briefing.** Ensure the new team member understands secrets management practices.
+
+### Instant Offboarding
+
+1. **Disable the IdP account first** — this cascades across all connected SSO applications immediately.
+2. **Kill active sessions** — force session revocation in all applications.
+3. **Rotate all shared secrets** — any API keys, shared passwords, or access tokens the departing person had access to.
+4. **Recover hardware** — retrieve issued devices and remotely wipe.
+5. **Audit access** — review the access log for the 30-day period prior to offboarding for anomalous activity.
+
+> ⚠️ The period between a decision to terminate and actual offboarding is the highest-risk window for insider data exfiltration. For sensitive roles, access revocation should happen simultaneously with or before any notification.
+
 ## Hardening your organization
 
 1. Define and implement tight access control rules for all of your employees, especially remote ones. Avoid giving