How to Onboard a Third-Party with Identity-Based Authentication

Javed Shah

In this vlog, 1Kosmos CMO, Michael Cichon, and 1Kosmos VP of Product Management, Javed Shah, discuss why it’s important to onboard a third-party with identity-based authentication.

Michael:
Good morning, Javed Shah, vice president of product management. Welcome to the 1Kosmos vlog. How are you this morning?

Javed:
Morning, Michael. I’m doing great. Thank you for having me.

Michael:
Well, great. I wanted to chat with you today about new hire onboarding and contractor onboarding. Can you talk a little bit about the challenges in new hire onboarding that we’re seeing?

Javed:
Sure, absolutely. Yeah. It’s a big problem, onboarding new hires, especially third-party contractors. We all know that COVID accelerated digital transformation of the enrollment process, but it is still commonplace to see new hires, especially contractors, be onboarded remotely where companies are collecting government documentation over email, transmitting PII and putting all of that important information, especially PII, at risk of exposure. So it’s still… It continues to be a cumbersome process. It is hard to deal with the sensitivities of the data involved. And at the end of the day, you still haven’t proved the true identity of the user come access enforcement time. So the 1Kosmos solution is designed specifically to solve this problem.

Michael:
Okay, great. So identity proofing, 1Kosmos knows a little bit about that. What’s the role of 1Kosmos identity proofing in new hire and contractor onboarding?

Javed:
Sure. 1Kosmos specializes in identity proofing and verification. It’s something we call BlockID Verify. That gives us strong solutions for both the workforce and customer side of the house. At the end of the day, we are proving the user’s identity and then letting them use that identity over and over, without usernames and without passwords, into any applications they desire to access. Our Verify offering is underpinned by our very own proofing technology, where our approach is to bind the device to a verified and validated identity of the user.

Javed:
So with our experience, new hires, especially third-party contractors, enroll their own identity. For example, a contractor would sign up after downloading the app, set up the PIN and in the process also create a private key in the trusted platform module of the phone. Then we collect baseline biometrics, such as Touch ID and Face ID, and also an advanced liveness biometric from the user, something we call Live ID. So this information is then encrypted with the private key, unique to the user, unique to the device, and is stored in the digital wallet on the phone as well as in a private blockchain. So I’ll stop there. I’ll let you have a crack at that.

Michael:
So Live ID, this is anti-spoofing. I can’t spoof it with a photograph or a video. Is that the point?

Javed:
Absolutely. Absolutely. There are several components, actually, to the technology. One is simply just taking the image of the user live. The user is in front of the phone, let’s grab that picture. Let’s match that to the images that are presented in the evidence, which is the government documentation. So that’s matched, and then of course there is the liveness detection, for which we apply all kinds of proprietary stuff. Depth detection, so on and so forth, to make sure that you can’t just put a mask on, with a picture of you from two years ago, and have that pass for a match against your government evidence. So that’s really key for us.

Michael:
Okay. So what if I don’t have a driver’s license? What if I don’t have a government ID?

Javed:
Well, in which case, what happens is, like I said, Gov ID specifically refers to proofing the identity of the user against documents or evidence that was issued by a trusted party, which is the government, but it doesn’t have to stop at Gov ID. 1Kosmos also extends the proofing capability to any other form of ID, a non-physical identity, for example. It could be your account in a bank, which we term Bank ID, or it could be your corporate account in a workforce use case, which becomes your Corp ID, or a Telco ID simply because you were vetted by a carrier and they went through that process, for example, with you, onboarding you as a user, as a customer. We are able to leverage by derivation anyone else’s proofed version of your identity and add that to our wallet. And that becomes part of your non-physical, but proofed, credential that we store in our wallet. Again, the same process applies.

Michael:
I see. So is this what is meant by flexible levels of identity assurance?

Javed:
It is, in some sense, yeah, absolutely. With our technology, with our concept of using digital identity wallets, you’re able to bring on physical as well as non-physical forms of identity. But then you’re also able to assign assurance levels. This defines identity assurance as simply the number of factors available which evidence you to be the person you claim to be, as validated by a trusted authority, like a government, for example.

Javed:
An example would be a driver’s license, a passport, a Telco ID or Corp ID, and your higher levels just start to go up. If you lose one of those, the 1Kosmos technology dynamically detects that you have, or you’ve lost possession of, one of your assurance levels and we automatically adjust downward, just making sure that the identity-based authentication remains true to the fact, the current fact, and is very continuous in that nature. So yeah, long answer to your question, but definitely derivative of all of the different forms of proofing.

Michael:
Fair enough. But let me just challenge one thing and ask you one deeper question here. There’s a lot of passwordless solutions out there and they’re using biometrics. Why is identity necessary? Thumbprint? It’s my thumbprint, right? Why is that not good enough?

Javed:
A biometric is not good enough, Michael, because a biometric does not have liveness associated with it. This is something that Live ID brings to the table. We want to make sure that the user presenting the biometric is indeed live and associated with a proofed and validated version of their identity, as matched in the digital wallet, where we store both the Live ID as well as the Gov ID, for example. It is the match of the two in real time which establishes that the biometric is associated with a real person and the same person, both real and the same as the proofed credential.

Michael:
Okay. All right. Fair enough. Fair enough. That’s very cool. So, all right. So once you have this established, how does this solve the day two access problem or challenge?

Javed:
Absolutely. Yes. Day one and day two. Day one is enrollment, day two is access enforcement. It is not possible to enforce access of a person simply because they enrolled if you are missing the identity. Think of it this way: contractor jacking. Being able to replace the individual who you signed up to do an important piece of work with any other person. It is not something that anyone would stand for. Today, that problem does exist. How do you solve that problem? Very simply, just make sure that the person logging onto your systems on day two and beyond is indeed the same person you onboarded on day one. How do you do that? So for day two access, what companies are concerned about, the third-party access, is simply, who’s the trusted authenticator and is it a real person? And is it the same person, the real and same person that I onboarded on day one?

Javed:
That’s the number one concern. So the 1Kosmos digital wallet is the representation of that proofed user identity and is available for continuous identity-based verification whenever required. All of that access on day two and beyond is now gated using a simple low, medium, high risk journey, using which administrators may fine-tune the journey that the contractor potentially should go through and step up that experience as necessary. So you can’t do that if you don’t have a proofed and validated version of identity to compare the user against. And also you need flexible levels of identity assurance, which are dynamically evaluated at run time.

Michael:
Well, Javed, thank you very much for your time today. I appreciate it. Have a good rest of your day.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.