Vlog: 1Kosmos Achieves Perfect Score in Level 2 PAD Certification
Join 1Kosmos CSO Mike Engle and CMO Michael Cichon as they break down what it means to earn a perfect score in the iBeta Presentation Attack Detection (PAD) Level 2 certification, the gold standard for detecting advanced identity-based attacks.
They’ll explore the key differences between PAD Level 1 and Level 2, why liveness detection is critical to stopping fraud, and how the 1Kosmos platform, also certified to NIST 800-63-3 and FIDO2 standards, delivers comprehensive protection against today’s most sophisticated threats.
Michael Cichon:
Hello everybody, this is Michael Cichon, I’m the Chief Marketing Officer here at 1Kosmos. I’m joined today by Mike Engle, our Chief Strategy Officer. 1Kosmos recently announced presentation attack detection level two. What does this mean?
Mike Engle:
Yeah, no, great to be here, Michael. Good to see you again. PAD, as you mentioned, presentation attack detection is just like it sounds. When you are using online services and verifying your identity, you’re typically presenting yourself by scanning a face, or a document, a driver’s license to a requesting service, right, signing up for a new bank account. So I’m presenting it. A presentation attack is when I’m presenting something that’s false, or faked, fabricated, deep faked, et cetera. So the term, presentation attack detection, is the art of stopping that type of attack. So PAD is really a simple term for trying to stop bad guys that are faking images or videos, et cetera.
Michael Cichon:
Okay. So as companies are moving to biometrics for authentication, no big surprise, the cybersecurity attackers, the threat actors, whether they’re following this trend or whether they’re ahead of this trend is, I guess, depends on your point of view. The key is that attempts are being made to hack the biometrics, so. What, I mean, let alone PAD 2, what is PAD 1? There’s apparently different levels to this.
Mike Engle:
There is, yeah. So there’s a simpler version of presentation attack detection, PAD 1, we’ve had that for a few years. PAD level 2 is a whole nother level of testing, and it’s a much more sophisticated set of attacks that are done on the testing algorithms, for example. So to give you actually a couple of concrete examples, the lab we use is called iBeta. They’ve been around for like 25 years, they’re recognized by NIST, the government agency, for standards, and they’re also recognized by FIDO. So they’re very well accredited. And we’ve been tested by them for both levels, PAD 1 and PAD 2.
For PAD 1, iBeta will spend about $30 per attack. So how much time, effort, money do you spend creating a fake thing? $30. For PAD level 2, it’s up to $300 per attack. So big difference, you’re talking 10 times the spend. And you also need much more sophisticated equipment, you spend a lot more time on it as well. So instead of spending eight hours on a particular type of attack, they could spend up to four days, so much more stringent.
Michael Cichon:
I see. So a PAD 1 would be something like a paper mask or something like that, and a PAD 2 would be more advanced, potentially even using AI?
Mike Engle:
Yeah, using AI. I mean, typically it’s presenting something in the physical world. AI is certainly something we spend a lot of time focusing on, but, you know Tom Cruise, right? Of course you do, Mission Impossible, they put the rubber masks over their head and you cannot tell the difference. That’s the type of testing that iBeta would do. Latex masks, they do deep fakes and synthetic, the other types of materials as well.
Michael Cichon:
Okay. All right. So along with the announcement, we announced that the 1Kosmos platform achieved a perfect score. This was a 0% imposter attack presentation attempt rate, or accept rate. Any details, context around what that means?
Mike Engle:
Well, yeah, so 0%, I mean, that’s the gold standard. If you have 1% and you have millions of customers coming in, that ends up being quite a number. So 0% is, you can’t get much better than that.
Michael Cichon:
Okay. Now, we’ve had for a while, liveness detection. How does 1Kosmos’ liveness detection then stand out from other solutions in the market?
Mike Engle:
Some companies just don’t use it. If you see on LinkedIn, there’s all kinds of posts where people have gotten past identity verification company tech. If they do some basic liveness, they will typically stop basic attacks. And so, you can tell who’s certified and who’s not, it’s actually very easy to do. And so, many times when you check those companies that have been bypassed and you go to iBeta, they’re not on there. When you go to NIST, 800-63-3 certifying company, like Kantara, they’re not on there either, and they’re not on the NIST FRVT or FRVE, which is the independent testing that NIST does as well. So it’s easy to tell who’s certified and who’s not. I haven’t seen a post that’s gotten 500 comments on LinkedIn from an iBeta PAD 2 certified company, so it really is the gold standard.
Michael Cichon:
Okay. So this certification that we’ve announced, it proves our ability to stop even some of the most sophisticated identity-based attacks. In reality, day-to-day reality, what kind of threats are organizations facing today and how does this help them mitigate those threats?
Mike Engle:
Yeah, there’s a couple. So if you’re doing document verification, you scan the front and back of a driver’s license, check all the security features, there’s an attack on that. Is this a live document? So document liveness is a whole thing that’s different from my face. There’s document liveness and there’s face liveness, we test both of them. So imagine if you’re scanning the front and back of a license and you don’t bother checking to see if that’s a live driver’s license. That’s really important and could be skipped by a vendor, or your provider. Or if you’re doing that, but you’re not doing the live face part. Where live face gets really important, is when you’re injecting into a live video feed. So you’re scanning my face, this could be a deep fake injection right now that we’re doing and there’s ways to detect. There’s the positioning of the eyes and the way the artifacts render around my head, et cetera, et cetera. So those are the two types of liveness that we keep an eye on and they’re both very important.
Michael Cichon:
Okay. All right. So the iBeta PAD 2 certification, it’s the latest in a long list of certifications for the 1Kosmos platform. You mentioned, I think, the NIST 800-63-3, of course, we’re also certified to FIDO2. How do all these work together to ensure a high level of security?
Mike Engle:
No, that’s really important. So iBeta PAD 2, amazing. We got it, it takes a lot of elbow grease to get that done. But the bad guys are not going to stop, we’ll probably need PAD 3 someday, it doesn’t exist yet. So there’s an arms race between bad actors and the good guys, like 1Kosmos. One of the compensating controls is, do I have proof that I proved my identity as an individual, right? So imagine if you could ask me for proof of my plastic driver’s license or my passport every time I go and log in. That’s game changing. You don’t even need to check the video feed when that happens. So if you knew right now that I had my driver’s license and it was legit, do you care about the video feed anymore? Not really, right? Well-
Michael Cichon:
Right.
Mike Engle:
You do, because yeah, you’re a professional. But so what I’m saying is it’s really a digital signature that can be combined with whatever it is you’re trying to accomplish. Digital signatures are backed by cryptography, not how I look on the screen. So what we do with the whole NIST 800-63-3 thing and a digital wallet, is give the user a certificate that can be trusted in perpetuity. So now you don’t have to rely quite as much on all the liveness and deep fake stuff. So those two go hand in hand. And again, the companies that just scan an image or a face, do they deal with wallets and certificates? Probably not, we do, and that’s a real game changer, I think, for addressing this in the future.
Michael Cichon:
Okay, cool. So we have the digital wallet, which is certified to the rigorous NIST standards and the FIDO2 standards. We’ve got the presentation attack level 2 defense. What do you say to businesses that are still hesitant to adopt biometric authentication?
Mike Engle:
Well, don’t be scared, it’s okay. Just like any technology, you need to get your feet wet with it, A/B test it on a population of users and stay on top of the current attacks. So there’s all these things and acronyms and false acceptance rates and false rejection rates. There’s testing to give some level of assurance that the tech itself and the user experience will stand up to a business’s risk and the requirements for how much pain or ease of use you want to give your customers. So it’s a balancing act, but it’s here to stay. When you go to the airport now, you are using your biometrics all the time, right.
Michael Cichon:
Right.
Mike Engle:
And we create a very delightful experience online, which is what customers want. So it’s coming whether companies want to embrace it or not. I think companies that don’t embrace it, are going to be bypassed by the ones that do.
Michael Cichon:
Right. Well, yes, if it’s good enough for the TSA, it should be good enough for regular business, if you’ve got the right technologies and the certifications behind them. So Mike, appreciate your time this morning. It’s a very exciting development, one that hardens the 1Kosmos solution against some of the most advanced presentation attacks. So, very happy with this development and very much appreciate your time today.
Mike Engle:
Great to be here. I’ll see you soon.
