5 Ways to Modernize Customer Onboarding and Defeat Account Takeover
Unlock On-Demand Webinar
Video Transcript
Michael Engle:
All right. I think we are about one minute past. Let's jump in and get gone here. So thanks everybody for joining. We're live today on Zoom and LinkedIn, I believe. I'm joined today by Will LaSala from OneSpan. Will, if you could just introduce yourself and say hi, and let everybody know what you do for a living.
Will LaSala:
Yeah, absolutely. Thank you very much, Mike, for having us. I'm Will LaSala, I'm with OneSpan. I'm the field CTO for the Americas. Been with OneSpan for about 20 years. I've been working in cybersecurity for about 25 years, so I've seen quite a few different things and worked with many different large applications as they implement digital fraud strategies and solutions.
Michael Engle:
Excellent. Yeah, 20 years with one company. Impressive. It must be a good company to work for, I'll say that.
Will LaSala:
Absolutely. They've been good to us.
Michael Engle:
Yeah. Yeah, you don't see that anymore. Right? And as I mentioned, my name is Mike Engel, co-founder and head of strategy here at 1Kosmos. Similar to Will, all my career in InfoSec, focusing on just digital identity since 2018. And looking forward to our discussion today. And we're here today to talk about... Let me just go back to the intro slide here, modernizing customer onboarding. We're going to talk about account takeover, synthetic identity, but really, just figuring out a way to prove who it is at the other end of a connection so that we can make better decisions and side product will be better user experiences.
We're going to talk a little bit about the problem statement, show you some technologies that are fresh and new and see if anybody has any questions. I've got a couple of people on standby to answer questions. Just paste them into the chat and we'll take care of them as they come up. And we'll have a little bit of Q&A here at the end as well.
So kicking it off, when you and I were growing up, Will, right? We both have the gray hair to tell old time stories, right? Walking uphill to school both ways and the snow things.
Will LaSala:
Absolutely.
Michael Engle:
But you remember when we got started, Stateful firewalls came out. I'm going way back. And we created the perimeter, we created the firewalls, and then we sprinkled some antivirus around some endpoint protection. We tried to keep people out of the core. As we all know, the cloud and SaaS applications and all that have destroyed that model. And so the hackers aren't hacking in any more like they used to back when I was a kid, the viruses and worms would come in, they'd decimate your environment and that's what we used to protect against.
But today they don't need to do that stuff anymore. You still have your instances of solar, winds and things, but there are rarity. Today, the bad guys log in. And some pretty amazing stats are out there on how bad this problem is. But from the latest Verizon, DBIR, the data breach investigations report, and there's a high number in the eighties, 81% of all breaches today are compromised because of what's called the human element. And that typically means I've given up a username or password or it's been coerced or fished or whatever. And in your capacity as the guy over there at one span, I'm sure not only are you being asked to solve this a lot, but you're seeing these problems impact your customers quite a bit, right, Will?
Will LaSala:
Yeah, absolutely. It does date back to the days when we tried to protect all of our stuff. In the financial vertical, there was this FIC guidance back in 2006 or 2004, and at that time we knew it was a problem. Everybody was getting fished. There were all of these ways to harvest those passwords, but it was really, again, the passwords were just simply that everybody's using static credentials. Today, those static credentials, instead of getting into a network or into an area, you're using those same credentials to get into applications outside your network. And that is the easiest way to get into them. So instead of a hacker trying to get through and find some type of backdoor or something, a problem in the software, just using a username and password, those are 100% the most common things you see out there.
Black market, they're still sold. Millions of these credentials are sold and bought every day. I think I read something about even in mobile hacks that you know can buy mobile username and passwords that log you into applications and those are being sold maybe a hundred dollars or username and password. So there it's big business and it's not just about hacking the app and trying to find some really technical hack to get into there. I just have to listen to what that user's typing and then hijack it and get into the application.
Michael Engle:
Yeah. And there's so many ways to do it now. That's exactly right. You could guess the username and password, right? Because people reuse the same ones. So I'm sure every one of my family members is guilty of that. They use the same password.
Will LaSala:
How many people use the word password, right?
Michael Engle:
Yeah, hopefully it's not that bad, but probably is. Or you coerce it out of the person, call them up and ask him for it. It's so common. And we're going to talk about that with a specific example here in just a minute. That just happened to my family 10 days ago, so that'll be fun. So yeah, we know that credentials are the problem. A lack of real identity is what we're here today to talk about and how we can augment and strengthen that. So just a couple of scary numbers. Every webinar has to have some scary numbers. And this is from our friends over at Oliver Wyman. They put together this research, and I was really staggered to see how much synthetic identity has overtaken account takeover. So synthetic identity, very rough definition, is the bad actors creating an account at a bank, for example, that doesn't exist or it partially exists, but they're tweaking it to get past the KYC checks.
And I think it really accelerated because of COVID. This has become one of the primary ways. And what they'll do is create an account, John Smith, maybe make an address that's very common, and the birthdate that goes with another John Smith, et cetera. They'll build up a little bit of credit. And then you can see these numbers here on the top left in this pie chart where they will build up, say $50,000 of credit over time, and then they do what's called busting out. They will rack up $90,000 worth of charges and then that account is gone. You're never going to see them again. And they're very patient in doing this. It may take them weeks, months, years sometimes to really... But they do it at scale.
Account takeover is much different. That is where like we were just talking about. And the real difference here to the end user is your typical consumer doesn't care about synthetic identity. It doesn't impact them directly, unless the synthetic identity is made in a way that affects my credit file. So if somebody creates a fake Mike Engle, that lives maybe at an address next to mine, then it doesn't impact me. It impacts the banks heavily. You see $20 billion just last year alone. And so we're going to talk about some ways to strengthen this and not just about usernames and passwords.
Will LaSala:
Yeah, I think when you look at synthetic identity, one of the things that we have to think about is all of those breaches that were really public, all the PII you got from all of these breaches, we all thought, "Oh, they're going to steal our identities. They're going to come in and do account takeovers and use those identities, use the information that they sold to take over those accounts." Reality is that they took all that PII data and started to create random users that look so realistic. They fool all of these systems that are in place. And so that synthetic identity, we saw it really in the pandemic, it made big headlines where you had people pretending to be other people so they could claim the tax credits and they could claim all of these benefits that were being given out because of COVID.
And those were just synthetic identities, people just creating identities that could capitalize on this. Account takeover fraud though, that's been around for... That is phishing. That's where we see everything. That's certainly the big boy in the room because just so many of those accounts, we've been fighting this for years now, but there's so many passwords. I don't know how many people use a password manager, but if you go in there and you're getting an alert that, hey, you've got 500 accounts and you haven't changed your password, they're all probably been phished at this point. So it's really dangerous as you go into it.
Michael Engle:
Yeah. So the dark web is what's fueling both of these buckets of attacks as well. So we'll talk more about the dark web here as we get into the fraud story that I'm going to tell. But first, we're going to ask two polling questions today. So I'm going to ask Maureen, our MC here to pop up a question for the audience. And we're going to talk a little bit today about biometrics because biometrics would is one way that you can prevent some of the attacks that we're talking about here today. Oops, next question. Yeah, that was the wrong question. Don't press that button. There we go. Do you use biometrics today in what you do either as a consumer or in your organization?
Will LaSala:
That's a great question. There all different levels of biometrics. So are they really using it, are they not? It's certainly one of those things.
Michael Engle:
Well, not just that, there's two types of biometrics that we'll talk about. There's what's on your device, what Apple and Google give you, touch ID, face ID, or Microsoft with windows hello. And that's not linking you back to a real world identity.
Will LaSala:
Exactly.
Michael Engle:
Right. So then there's real biometrics and we'll give you an example of that here in just a minute.
Will LaSala:
Yeah, I think that's the whole thing. So people think I'm using biometrics, I use touch ID, it's like okay, kind of. But you got to really dig into what that actually means and see where your identity really is.
Michael Engle:
Yeah, they're used as a strong authenticator more often than a strong identifier, and that's where we'll differentiate between those in just a minute. So thank you for that. We had about two thirds of the respondents say they are using some form of biometrics today, so that's great. Thank you for answering. And all of these results will be shared with everybody who signed up after the webinar's over. So here's my own family fraud story that happened 10 days ago and it happens to be with Zelle, which has been in the news a lot lately. So for our overseas visitors, Zelle is a peer-to-peer payment tool here in the US that allows you to send money between two banking customers at different banks. So Chase bank customer says, "I want to Zelle money over to somebody at Goldman Sachs," or whatever it would be. And the reason this is really important for them is because it bypasses the third parties like PayPal or using wires and ACH and all those legacy antiquated models.
It's very powerful. However, the bad actors has figured out how to use this to their advantage. And so, one of my family members received a request that looks like this in their Zelle app. So up popped up their banking application that said, "This person is requesting..." Well, we're not really sure what it says. It says I'm requesting $3,500, but then it says credit reversal. And I have some of this blurred out because this is actually a real victim that's also a victim in this crime. And this credit reversal is what's confusing.
So she gets this pop-up on her phone inside of her trusted banking application. 30 seconds later, she gets a call. And now you know what her bank is, I guess, I should have blurred this out too, but from Bank of America, from the real Bank of America phone number. And this person's on the phone saying, "Hello, Jane, we're calling from Bank of America fraud. Did you authorize $3,500 to leave your bank account?" And Jane says, ""Well, no, of course I didn't." All right, great. "Well, we just sent you a credit reversal, would you just press the button there and that money will be unwired?"
The reality obviously is what's happening is she's about to send the money. It hasn't been sent. That's part of the fraud. And you can see this was 10 days ago. And she was so close to pressing that send button on the left screen. She called me up and I said, drop your phone, flush it down the toilet. Do not press that button because it's really hard to get it back once you send it. And there's all kinds of lawsuits and a lot of bad PR around this stuff now. And she pressed no and declined the request. So lucky that. Very lucky because it'd be so easy to mitigate. But what goes through your mind on this, Will, as you see this one, two, three sequence of what happened?
Will LaSala:
Yeah, this is happening more and more today. I think we in the industry call this social engineering. It's basically attacking the human and then attacking our natural tendencies. So in a peer-to-peer type situation, the hacker is calling and preying on that you're going to believe what you see in front of you or what you're listening to on the phone. So they'll call you up and give you an urgent request or something that makes sense, a credit reversal. Even if you didn't make that payment, you might think, "Oh, I'm getting attacked by someone else, not the person that just called me." And the bank is trying to be helpful here. They're trying to tell me, "Oh, let's stop this before it happens." And luckily your family member here picked up the phone and called you. But most people don't have that option.
They don't have the security guy in their back pocket to call. And so they're releasing these. Yeah, okay, we've got Zelle up here, but it doesn't have to be. It can be any peer-to-peer, or it could just simply be a person calling on the phone. So think back to the static username and password. If someone calls me from my bank and says, "Hey, we've detected some fraud on your account. We want to go ahead and make certain that it's you. Could you go ahead and give me your password." Or generate that password and you read it over the phone to the person that you believe is the bank, well now that person has access to your account. They've the perpetrated an account takeover fraud just by asking you and you've given it to them. So it happens a lot and it's a very dangerous attack now that people really have to watch out for.
Michael Engle:
Yeah, this is a UX disaster. So many things could have been done by the banks here to mitigate this. So why not just at least have one more warning here that says, "Hey, you've never sent money to this person before." That's the first thing you could do. "Are you sure? This is a common fraud." You know what I mean? There's like 10 different things that could go on in the engagement with the recipient here of this message. The second is, why not have something verified that I know that this is actually this person issuing it? We're going to get into the identity side of this in just a minute. And of course, don't get me started on how easy it is to spoof a phone call. These are problems with the telcos that have been going on for, God, since phones have existed, right?
But it's still baffling that there's only three carriers in the US and her, Verizon or AT&T phone rang and this was allowed to happen. So I know it's getting better and there's spam and fraud checks. So I just thought this was pretty interesting real world story here that smacked me in the face.
So Will, let's talk about the definition of digital identity. Again, going back to our pre-gray hair days, when we thought about our identity and access management systems that we worked on 20 years ago, there's really only one option. Your identity remotely was verified by username and password. And going back just a little over 20 years ago, 2FA wasn't even really a thing. But what confusion do you see in the marketplace around the word identity? And I put some terms up here that often get associated with it.
Will LaSala:
Yeah. And that's the whole thing is that a lot of these terms are more... Well, some of these terms are really in the authentication of that identity. It might not be the identity itself. And even in these terms themselves, people are misusing a lot of these technologies. So like in 2FA, you often get just a single form of authentication. Maybe they're just using a one-time password, maybe that's generated by a mobile phone or something, but they're just using that one-time password. Well, if you're just using one that's not 2FA. And then the other things that you have in here that start to look at that authentication, people using SMS authentication and coming through non-secure channels, not being able to authenticate that identity. And so today digital identity is much more than that. It's also everything that is the context around how you perform those transactions and what you're doing in those transactions. So it becomes a much broader term. And as such, you get a lot more data points that you can use to help prove that identity and really verify the right identities being used for those transactions.
Michael Engle:
Yeah, exactly. And you said one term there that stuck with me. It's prove. How do you prove somebody's identity remotely? And it's no 100% just like there's no unhackable system, you try to do as best you can. But there are techniques now that we're going to talk about here today, and specifically the standards around identity. So now there's a bar that's been set of how you prove who somebody is remotely and how you use that proof over and over again.
And imagine if we liken this to the real world will where you get pulled over by a state trooper in your state and you roll down the window and the state trooper says, "All right, Will, what's your password?" And you say, "Password 123." And then he says, "Okay, I'm going to send you a 2FA code." And you get your phone, you read in the six digit code. And he says, "Okay, slow down. Here's your $50 ticket." It just wouldn't work. What do they do? They pull out a credential, they look at your face, they look at the face on the credential. And that's the way we've been doing it since the Safe Conduct Act of 1414 by King Henry V. Check out that research.
Will, let's reproduce what that happens in the real world, that physical world in the digital world. And the standards around that have been established since really going back to 2013 and 2017 when two really important standards evolved. The first is NIST 800-63-3. Now this is the government standard as per NIST that says how do you prove who somebody is remotely? And it involves getting a couple forms of identity verification and verifying them and then matching you to those documents. Very simple in concept. We do it all the time when we open bank accounts or go to the DMV or have other types of secure transactions. And then we have also that same standard tells you how to authenticate somebody. But then of course everybody knows about FIDO, and this is replacing passwords with cryptography, a public private key pair and a biometric.
And so when you put these together, you have a strong identity like proof that you're Will LaSala in the real world, and an authenticator to go along with it. We call this identity-based authentication. And we are one of the only companies that is certified for both of these. And the certifying bodies are Cantera for the NIST side, FIDO for the FIDO side, and iBeta for the biometrics. And there's a couple certifying bodies out there, but these are some of the more popular ones. And so I think in your business, Will, you've got some pretty strict requirements for NIST IAL2, right?
Will LaSala:
Yeah, absolutely. Depending upon the market that you're in, in the financial, especially in the healthcare sector and the government sector, your IAL levels, ratchet up quite a bit. And we didn't really talk about levels, but there are three levels for each of these missed requirements. And you might be able to satisfy maybe a level one with the way that you're looking at your authentication. But really what you're looking for is that level two in both the IAL and the AAL. And that's really the high confidence that the identity is actually the same one that's holding onto the authentication. So that's really where you want to tie those two really together and have a high confidence rate that those are together. And certainly, that's what we're looking at here and the solution. And as you get these certifications on these, that really helps us all understand where you are in that spectrum and what you're able to leverage those technologies for. So it's really important for all of these markets.
Michael Engle:
Yeah, no, thanks for that. And so let's round out the story and get into a little bit of demo here. So the way that identity and authentication had been done over since computers has really been very siloed. And you're seeing the analysts talk about the conversions of these things as being really important. So you onboard users, whether it's a new employee or a new customer or a new citizen for citizen benefits, whatever it is, and then you throw that effort away. Well, now because of modern technology and modern phones and laptops and all these things, you can link these together and create a strong framework.
And so we're going to show you how these all come together here next. But just double clicking a bit on this identity onboarding and showing a little bit of the water as we're drowning in it because we all went through this probably recently, is we still have these painful manual and fraud susceptible ways to onboard an account. Type in your info. This info is freely available in the dark web, not freely, but pretty much. And it's verified against data sources that have been compromised as well. So this is one of the reasons that synthetic identity is possible because it starts with this type of input.
Will LaSala:
And how many people are looking right now and trying to make your workflows easier? That's the name of the game that we've been hearing on the street from our customers is really that the customers want things easy, but you can't have easy if you can't verify that identity or approve that identity. So these forums with all this free information that can be gathered from anywhere to make these synthetic IDs, the forms themselves become a problem even from an ease of use standpoint.
Michael Engle:
Exactly. Yeah. If you make it easy, they'll love you and they'll use your service every day. Look at Amazon, it's like press a button, it shows up my doorstep five minutes later. We need the equivalent of that for the identity and authentication side. On the authentication side, we still deal with create a username, create a password. Oh my god, how many services are just rolling out one time codes to my e-mail or phone number? What are they trying to solve? It was like, I don't know, some really benign art website like enable your 2FA. Like, "No. Not the way you're having me do it." Because it doesn't buy you anything, if somebody has access to my e-mail. So yeah. This is frustrating.
Will LaSala:
A great example right here, take that recent post from Twitter from Elon Musk and them charging now for SMS authentication. Everybody was up in arms. Oh my God, why are you charging for two-factor through SMS? The reason that Twitter did that was because of the losses that they were experiencing from SMM. That was what his both said is that the amount of losses that they were experiencing with two-factor SMS authentication, the amount of support time that they were going in, SMS is very easily attacked. So they were pushing people to use a stronger form of two-factor authentication. Move into something that is much stronger to use. And they did it by simply attaching a price to it. But people should be wary of that.
SMS goes through this open communication in the clear. So anyone that wants to sit there and stand up their own tower, they can read all of the SMSs that go through it. And it's clear text, so it's easy for a attacker. A little bit different than your push notifications or your in-app. And those are all strong authentication and generally using cryptographic components. And there's even stronger as we get into FIDO and what you see there.
Michael Engle:
Yeah. At a minimum, this stuff has to go here. And unfortunately, they did a terrible job with the PR on this. They should have said, "Twitter's migrating to better 2FA," right?
Michael Engle:
People thought that they were charging for 2FA full stop. No, they were charging for SMSs. You can still use Google Authenticator and all that stuff, which to your point is much more secure because it's in your control. So yeah, that was unfortunate. And this is how Jack Dorsey's account was compromised four years ago, right?
Will LaSala:
Yes, that's right.
Michael Engle:
Yeah, that should be a lesson for everybody. So we're going to migrate out of this. And the way we do this is by combining identity proofing, which we'll show you here in just a minute on the next slide, and identity verification into one cohesive experience. And when you put these together, this is how in this 800-63-3 identity assurance level is obtained. You can give the users a credential as part of that process, which means you're addressing both the identity and the authentication side at the same time. And that is what we call passwordless. Passwordless without identity is just another form of authentication. It's stronger, but it still has inherent weaknesses. So again, as an identity guy, I'm sure this resonates with you, right, Will?
Will LaSala:
Absolutely. Tying your identity to your authentication can't be more important. We're seeing that everywhere. So you can think of there are many different forms of authentication. A lot of those are commoditized, meaning that you can get them from anywhere. There are a whole bunch of different options and open standards that are out there. But really being able to bring that identity and making certain that that's the correct identity associated with that authentication really helps in everything. Think about the ease of use alone. If you know that the next time that this person comes into your application that you're absolutely certain that this ID behind it because they have their ID associated with that authenticator, that opens up a world where you can offer more services, the ease of use of that becomes much, much better. And certainly, you're able to capitalize more on that, adding more services and offering more ways to do business digitally.
Michael Engle:
Yeah, exactly. And I think it's time to show, all right, not just tell.
Will LaSala:
Yeah, let's do it.
Michael Engle:
Let me run through a two-minute demonstration of a full digital onboarding experience, NIST AIL2 two certified. So the first step in any account creation process for consumer facing applications, at least not necessarily for your workforce, but it's just collect and verify an e-mail and a phone number. There's a hundred ways to do that. We have an API call to do these things. It's very straightforward. So we don't show that here. But typically, you're sending them a link to verify their possession of an e-mail and make them verify the phone number in a similar way. Now the second part is to enable, we've talked about those different types of biometrics. So let's enable touch ID and face ID. This is a one-touch operation.
That's it. We do this billions of times a day as humans, because every smartphone supports this today. And what that does is creates a strong authenticator link to the device. Now, it's not linked to any identity yet, but it is a strong way for you to do that same thing over and over again that's very difficult for somebody else to get their hands on. So that's a factor. It's really something you have that's with you, including something you are.
Now let's verify the actual real world identity. So for most healthcare or banking, crypto, Neobank type applications, you have to verify their government information and their credit information. So we start with an SSN. This unfortunately is still needed because people have to pay taxes and it's what the government uses. So we ask for this and we'll verify this with the credit bureaus. Then we'll verify their government documents. So this example is the front and back of the driver's license.
The front and the back are done in a similar fashion using our high-res camera. And that's it. The camera does the work. The web interface will guide the user through it, handle things like reflective lighting and are you holding it too close or too far? Guide them through that. In real time, all the overt security features are verified and there's literally hundreds of checks that are done, the size and shape of the document, do the millimeters here match the other edge? Is the photo in the right place? Are the fonts right? Is there any tape on the photo? Does something look a little off, on and on? And at the same time, my photo and all the data is extracted and put into my own wallet. I haven't given it to anybody yet. It's a really important privacy design consideration. So we've got the government data and now we'll match it to a live selfie. Very straightforward process.
Again, right distance, right lighting. And now that is matched to the photo on the driver's license. It passes? You continue. The data is extracted and verified. In this example, we're checking the driver's license number with AAMVA, which is the DMV aggregator, which works with the DMVs across the United States. So driver's license is valid, not marked as lost or stolen. And lastly, we take that SSN and the data on the driver's license and check it with the credit bureaus. Does Mike Engel live at the address on that driver's license? So those checks together give you a very high level of assurance. And if you compare that experience to typing in 30 fields next, next, next. Sorry, you mis-typo'd on your address or your state. It's much better. And of course it's much more secure for the issuing bank or whatever it is.
Will LaSala:
I think the one thing that you look at here, so it took us three minutes to explain this, but most of the time when a customer's doing this, this is very quick, it's usually under a minute, and there are already real world examples of this happening out there. Oftentimes as you step through this, you're then ending up with this strong credential that is tied to your identity. And so next time you come in, you're not going to step through all of this. You're just going to authenticate. And the user's going to know because they're doing this strong authentication mechanism that the identity is coming with them and so that they're sharing their identity, whatever they do, their authentication mechanism because they step through this first in getting those.
Michael Engle:
Right. Delight your customers. That's right. So Maureen, if you could pop up that other polling question. This one's really about does your organization already do some digital onboarding for employees or customers today? Do you link your account origination with your authentication today at any time? And we're going to show you some FIDO stuff next. So it's related. So pick one.
Will LaSala:
It's always interesting. I think a lot of people are still dealing with just the onboarding mechanisms itself. Authentication really previous to digital transformation was really just about, "Okay, how do I get an authentication into the user's hands?" If I needed to do strong authentication, maybe that was a hardware device that I was shipping out. And the amount of time that it took me to get from when the user signed up to when they got the hardware device, maybe I could get it overnight to them. But now with everything moving digital, there's still hardware tokens out there, but it's really a lot more about software and how quickly you can get them onboarded. You don't want to let them do it for more than a minute. That would be uncalled-for. People would jump off the ship and move on to the next application out there because there's always the next application. So really doing it quickly, easily, and more secure. I think that's what we're looking for.
Michael Engle:
Yeah, I've changed banks because I just can't handle the 2FA process. They pop up five times in a four-minute exchange where I'm trying to set up a new wire. I'm like, "I can't take it anymore." So I'm sure I'm not the only one. Thanks for doing that, Maureen. Just quick glance at the numbers, about quarter of the respondents aren't sure, maybe our question could have been worded a little better. But we have half that said that their processes are linked to some degree, which doesn't surprise me. The topic of this webinar will attract people into identity that might be thinking about this stuff. And 5% say they're very tightly integrated. So kudos to those that have gotten to that point in the process. All right, so we've onboarded an identity. Now what do we do with it? How can we leverage that strong identity to make transactions, which is why we're online, we're trying to transact.
And so let's run through identity-based authentication and practice. This will be not only using those device biometrics that we spoke about, touch ID, face ID in a modern way, but real biometrics. So let's leverage that live ID, that live selfie that I enrolled to verify against my driver's license to prove that I'm allowed to wire a hundred thousand dollars or allowed to request Zelle money from somebody I've never done before. Wouldn't that be great? So we'll start off with a very straightforward yet modern authentication experience, which is a QR code. And because of COVID, again, almost everybody's familiar with whipping out their phone and scanning a QR code to read a menu. But what that is it's a secure way to engage with a remote service where you can set up a trusted connection between two parties. And so if your bank account, your banking log on has login with QR code, you get out your trusted authenticator and you scan it, you do your touch ID, face ID, and you're staring at the downstream application. It's that simple.
Now there's a couple other ways we could engage. So let's say now we go to move a little bit of money here, and in this example it's going to be... I think I have to press next. Yeah. We're going to ask for face ID one more time to do a transaction. So in this example, we're going to put the dollar amount to something that requires a second knock. All right, so we reach out to that strong mobile authenticator and just say yes or no. Face ID, and we've just wired money or Zelle'd it or whatever it is. Okay?
Third level, and this is getting more into zero trust. This works really well in the workforce when you need to know who somebody is before they log in as route to your infrastructure. But imagine if your bank, Will, would allow you to do this before you added a new payee. And you only had to do this thing once during this session. Instead of being asked five times like I was just complaining about. So in this example, I'm going to wire a hundred thousand dollars or add a new routing number and the bank says, I really want to know it's you on the other end of the line. Would you just look into the camera please? That's it. A thousand times better than fetching a 2FA code for so many reasons. And the transaction's been done. That's what we refer to as identity based because it's linked back to the real world identity.
Will LaSala:
Looking at how each one of these was a different level of risk you're looking at, and as our banks look at this, they looked at each one of these risk factors. And up until now it's been blanketed, right? You're like, "Okay, hit you with another SMS, hit you with another SMS. Here you go five times to do this." And honestly, you're wiring a hundred thousand dollars and SMS is okay to do that? That step up where you need to look at the person, see that face and perform that biometric, that face recognition, that's really what you should be doing if you're trying to move this much money. It really puts that level of assurance where, "Yeah, okay, that is actually the person that we believe it to be that's going to perform this transaction." And that's really where it comes down to the different levels of insurance and putting in the right level for the right risk level that you have.
Michael Engle:
Yeah. And we talk about this real biometrics, they're more popular overseas. The US, we're typically five, 10 years behind the rest of the world in adoption of technologies. For example, how long did it take us to go to chip and pin on credit cards? Europe had been doing it for 10 years and like, "What are you morons doing over there?"
Will LaSala:
And did we even go to chip and pin? I think we went to chip and password.
Michael Engle:
Went to chip. Yeah. So at least it's not the mag stripe anymore. Well, 95% of the time. So the chip is very difficult to clone. And so overseas, you're seeing the use of a real biometric use more and more, right? Go to South Korea or Singapore. And I think we're going to see this get more popular as long as it's trusted, right? There was a whole bunch of issues with one of the big federal agencies and one of the providers that had challenges here because they didn't have the right disclosure, they didn't have the right privacy model around where the faces are stored. So if you store the face in a way that's safe, GDPR-compliant, for example, if that face is encrypted with a private key that's in control of the user and then you just use digital signatures to verify, then you're heading in the right direction. So I think we're going to see this get a lot more popular where it's not just touch ID or face ID and we'll see if I might-
Will LaSala:
I agree. I think when we see that live biometric, and this is again the difference between using the onboard biometric versus using the third party biometric because the onboarded touch ID, face ID or Google Touch or Samsung Fingerprint, a lot of those are just yes or nos. You're just simply saying yes to the application, the biometric risk performed. But you're not actually doing the true biometric behind it or capturing that in any way. And when you look at some of the way that we did the live ID here, you're actually creating a unique signature from that value, from that face value. So that gives you a little bit more assurances. And certainly if you do this, just as Mike was explaining, you meet the GDPR requirements and you're compliant, it gives you that level of assurance that's really necessary to move forward and to put trust there.
Michael Engle:
That's right. And so let's wrap up with a little bit of FIDO, right? Do you have any dogs?
Will LaSala:
I don't. I have cats and I don't name them FIDO.
Michael Engle:
Okay. Yeah, I guess not. So yeah, FIDO, for those that haven't heard of it and been living under a rock, it stands for Fast Identity Online. It's a nonprofit that started in 2013 and all the tech companies that are behind it in the beginning, Google, Microsoft, Apple, Yahoo, and 1Kosmos and OneSpan are both Phyto members for quite a while. And it's a way to authenticate without passwords. It's to migrate from a password experience to a passwordless one. So I have a very straightforward demo application here. This demo application was made by the FIDO Alliance and anybody can go try it out themselves. But what you want to do is get your existing user experience to go passwordless. And you do that by logging in and then just asking the user, would you like to go passwordless?
And you say, yes. It's really not that much to it. Now what happens here, I'm going to pause, is your local platform Authenticator pops up. And what I mean by local platform authenticator is it's the touch ID, face ID in your phone or your iPhone or Android. Or if you're on a laptop or a desktop, whatever it uses, so Microsoft uses Windows Hello, Mac uses Touch ID over there. And it links that experience then to the remote account. So this account that you see right here is ready for Passwordless. And on my next screen as I just simply click the authenticate button, it does that biometric one more time, gives the sign challenge response, and I'm staring at the application again.
So it is the future of consumer authentication. There's a lot of devil in the details. We specialize in making this really easy for merchants to embed into their platform. But Will, I'm sure you're as excited about this as I am because I'd love to use this on every website.
Will LaSala:
FIDO is excellent. It is the Phishing killer. It really is designed to get rid of passwords and really to kill Phishing in general. I think being a technical guy, I'll toss out the term that this is asymmetric keys. People don't understand that. But essentially what you need to know there is that as you're performing this authentication, it's actually the client that's generating these requests. And so unlike, and other ones where both the server and the client need to generate the same information and that same information has to be exchanged between them. Think of a password, if you're passing it over, that password has to match what's in the backend. That's what they call symmetric. FIDO is a little bit different than that and is more secure. And so I know that there's a lot of RFPs out there asking for asymmetric solutions, and FIDO really deals with that. And unless you look at how to implement Passwordless strong authentication with anti phishing built in.
Michael Engle:
Yeah. And there's a new component in FIDO that's being called passkey that allows you to use... It's hard to explain, but they'll store your credentials in a way that you can leverage them over and over again as well. So there used to be a challenge where if I got a new computer or a new phone, I'd have to go set up my FIDO authenticator again. And that's been mitigated with implementations on Passkey. So we'll see it get more and more popular over time.
Will LaSala:
Yeah. FIDO has grown up quite a bit. We started with using different hardware devices, different mobile solutions. But I think today, as people implement these solutions, you're going to find that FIDO is accepted in more places. It works better than more solutions, and ultimately it really does solve this problem.
Michael Engle:
Cool. Well, we are marching along nicely here. I'm going to wrap up with a summary that goes from this slide to where we land here. So we've taken those discrete components, proof of government documents, your biometrics matching, verify everything, and then enroll your private key. That's the identity and onboarding. And tie that together with the user authentication, which makes your fraud much easier. So we want these to get much tighter, makes the fraud, the signals that go into your fraud engine much stronger. So you're not just trying to say, it's an IP address that's bad, or something with their cookie looks a little off. But hey, I know with a very high level of assurance that this is the same person that opened the account. And so we're trying to get from those siloed octagons into something that is much more tighter and cohesive. And, Will, I think you guys offer a platform that we partner up with quite nicely to solve a lot of these problems?
Will LaSala:
Yeah, absolutely. Yeah. The ones been Transaction identity solution, our transaction cloud solution really allows you to quickly and easy implement all of these. So it's a bunch of rest APIs that really tie in the authentication mechanisms and start to deal with some of these risk profiles. So as you're looking at how you're dealing with risk or what your risk is on certain types of transactions or even on different types of agreements. So a lot of what ones span looks at today is where the agreements are and what you're trying to do in those agreements. So yes, it's certainly about the login and onboarding, but ultimately you're going to create a transaction. That's what those demos were showing. And what does that transaction look like? What does that agreement look like? What's the risk that you're associated with that? And how do I properly authenticate and prove my identity in that? And that's certainly what the OneSpan Transaction Cloud does.
Michael Engle:
Awesome. I'll take two. So let's just wrap it up. We've got a couple of events coming up that both OneSpan and 1Kosmos will be at. So because we're identity all the time, we'll be at GartnerIAM coming up on March 20th. So look for us there. And we've got a couple of webinars coming up. You can see them on our website on both 1Kosmos and the OneSpan websites have some upcoming webinars as well.
All right. So with that, I think we've used up quite a bit of time here today. We'll call it a wrap. Will, are you going to be attending any of these shows coming up in the next couple of months?
Will LaSala:
Yeah, absolutely. So I'm speaking at a couple of events coming up, some events in Texas, and I'm hoping to make it at a couple of these events as well as we move through it. But my March is very busy right now. It's going to be full of stuff to do.
Michael Engle:
Exactly. But we'll be all shopping for holiday presents before we know it, so we'll just enjoy it while it's here.
Will LaSala:
Exactly.
Michael Engle:
Awesome. Will, thank you so much for joining. For everybody who attended, thank you. And this will be sent out to everybody who registered and couldn't make it because of crazy calendars. So any questions, feel free to reach out. Both Will and I are accessible via this thing called e-mail. And feel free to reach out with any questions. So Will, thank you so much for joining.
Will LaSala:
Yeah, absolutely, Mike. Thank you so much for having me. Hopefully everybody got everything they needed out of this. I think we talked a lot about ease of use and security and tying your identity in there. I hope you all really enjoyed this. Please feel free to reach out.
Michael Engle:
Thank you. Let's do it again soon.
Will LaSala:
Absolutely.
Michael Engle:
Bye-bye.
Will LaSala:
Bye.
All right. I think we are about one minute past. Let's jump in and get gone here. So thanks everybody for joining. We're live today on Zoom and LinkedIn, I believe. I'm joined today by Will LaSala from OneSpan. Will, if you could just introduce yourself and say hi, and let everybody know what you do for a living.
Will LaSala:
Yeah, absolutely. Thank you very much, Mike, for having us. I'm Will LaSala, I'm with OneSpan. I'm the field CTO for the Americas. Been with OneSpan for about 20 years. I've been working in cybersecurity for about 25 years, so I've seen quite a few different things and worked with many different large applications as they implement digital fraud strategies and solutions.
Michael Engle:
Excellent. Yeah, 20 years with one company. Impressive. It must be a good company to work for, I'll say that.
Will LaSala:
Absolutely. They've been good to us.
Michael Engle:
Yeah. Yeah, you don't see that anymore. Right? And as I mentioned, my name is Mike Engel, co-founder and head of strategy here at 1Kosmos. Similar to Will, all my career in InfoSec, focusing on just digital identity since 2018. And looking forward to our discussion today. And we're here today to talk about... Let me just go back to the intro slide here, modernizing customer onboarding. We're going to talk about account takeover, synthetic identity, but really, just figuring out a way to prove who it is at the other end of a connection so that we can make better decisions and side product will be better user experiences.
We're going to talk a little bit about the problem statement, show you some technologies that are fresh and new and see if anybody has any questions. I've got a couple of people on standby to answer questions. Just paste them into the chat and we'll take care of them as they come up. And we'll have a little bit of Q&A here at the end as well.
So kicking it off, when you and I were growing up, Will, right? We both have the gray hair to tell old time stories, right? Walking uphill to school both ways and the snow things.
Will LaSala:
Absolutely.
Michael Engle:
But you remember when we got started, Stateful firewalls came out. I'm going way back. And we created the perimeter, we created the firewalls, and then we sprinkled some antivirus around some endpoint protection. We tried to keep people out of the core. As we all know, the cloud and SaaS applications and all that have destroyed that model. And so the hackers aren't hacking in any more like they used to back when I was a kid, the viruses and worms would come in, they'd decimate your environment and that's what we used to protect against.
But today they don't need to do that stuff anymore. You still have your instances of solar, winds and things, but there are rarity. Today, the bad guys log in. And some pretty amazing stats are out there on how bad this problem is. But from the latest Verizon, DBIR, the data breach investigations report, and there's a high number in the eighties, 81% of all breaches today are compromised because of what's called the human element. And that typically means I've given up a username or password or it's been coerced or fished or whatever. And in your capacity as the guy over there at one span, I'm sure not only are you being asked to solve this a lot, but you're seeing these problems impact your customers quite a bit, right, Will?
Will LaSala:
Yeah, absolutely. It does date back to the days when we tried to protect all of our stuff. In the financial vertical, there was this FIC guidance back in 2006 or 2004, and at that time we knew it was a problem. Everybody was getting fished. There were all of these ways to harvest those passwords, but it was really, again, the passwords were just simply that everybody's using static credentials. Today, those static credentials, instead of getting into a network or into an area, you're using those same credentials to get into applications outside your network. And that is the easiest way to get into them. So instead of a hacker trying to get through and find some type of backdoor or something, a problem in the software, just using a username and password, those are 100% the most common things you see out there.
Black market, they're still sold. Millions of these credentials are sold and bought every day. I think I read something about even in mobile hacks that you know can buy mobile username and passwords that log you into applications and those are being sold maybe a hundred dollars or username and password. So there it's big business and it's not just about hacking the app and trying to find some really technical hack to get into there. I just have to listen to what that user's typing and then hijack it and get into the application.
Michael Engle:
Yeah. And there's so many ways to do it now. That's exactly right. You could guess the username and password, right? Because people reuse the same ones. So I'm sure every one of my family members is guilty of that. They use the same password.
Will LaSala:
How many people use the word password, right?
Michael Engle:
Yeah, hopefully it's not that bad, but probably is. Or you coerce it out of the person, call them up and ask him for it. It's so common. And we're going to talk about that with a specific example here in just a minute. That just happened to my family 10 days ago, so that'll be fun. So yeah, we know that credentials are the problem. A lack of real identity is what we're here today to talk about and how we can augment and strengthen that. So just a couple of scary numbers. Every webinar has to have some scary numbers. And this is from our friends over at Oliver Wyman. They put together this research, and I was really staggered to see how much synthetic identity has overtaken account takeover. So synthetic identity, very rough definition, is the bad actors creating an account at a bank, for example, that doesn't exist or it partially exists, but they're tweaking it to get past the KYC checks.
And I think it really accelerated because of COVID. This has become one of the primary ways. And what they'll do is create an account, John Smith, maybe make an address that's very common, and the birthdate that goes with another John Smith, et cetera. They'll build up a little bit of credit. And then you can see these numbers here on the top left in this pie chart where they will build up, say $50,000 of credit over time, and then they do what's called busting out. They will rack up $90,000 worth of charges and then that account is gone. You're never going to see them again. And they're very patient in doing this. It may take them weeks, months, years sometimes to really... But they do it at scale.
Account takeover is much different. That is where like we were just talking about. And the real difference here to the end user is your typical consumer doesn't care about synthetic identity. It doesn't impact them directly, unless the synthetic identity is made in a way that affects my credit file. So if somebody creates a fake Mike Engle, that lives maybe at an address next to mine, then it doesn't impact me. It impacts the banks heavily. You see $20 billion just last year alone. And so we're going to talk about some ways to strengthen this and not just about usernames and passwords.
Will LaSala:
Yeah, I think when you look at synthetic identity, one of the things that we have to think about is all of those breaches that were really public, all the PII you got from all of these breaches, we all thought, "Oh, they're going to steal our identities. They're going to come in and do account takeovers and use those identities, use the information that they sold to take over those accounts." Reality is that they took all that PII data and started to create random users that look so realistic. They fool all of these systems that are in place. And so that synthetic identity, we saw it really in the pandemic, it made big headlines where you had people pretending to be other people so they could claim the tax credits and they could claim all of these benefits that were being given out because of COVID.
And those were just synthetic identities, people just creating identities that could capitalize on this. Account takeover fraud though, that's been around for... That is phishing. That's where we see everything. That's certainly the big boy in the room because just so many of those accounts, we've been fighting this for years now, but there's so many passwords. I don't know how many people use a password manager, but if you go in there and you're getting an alert that, hey, you've got 500 accounts and you haven't changed your password, they're all probably been phished at this point. So it's really dangerous as you go into it.
Michael Engle:
Yeah. So the dark web is what's fueling both of these buckets of attacks as well. So we'll talk more about the dark web here as we get into the fraud story that I'm going to tell. But first, we're going to ask two polling questions today. So I'm going to ask Maureen, our MC here to pop up a question for the audience. And we're going to talk a little bit today about biometrics because biometrics would is one way that you can prevent some of the attacks that we're talking about here today. Oops, next question. Yeah, that was the wrong question. Don't press that button. There we go. Do you use biometrics today in what you do either as a consumer or in your organization?
Will LaSala:
That's a great question. There all different levels of biometrics. So are they really using it, are they not? It's certainly one of those things.
Michael Engle:
Well, not just that, there's two types of biometrics that we'll talk about. There's what's on your device, what Apple and Google give you, touch ID, face ID, or Microsoft with windows hello. And that's not linking you back to a real world identity.
Will LaSala:
Exactly.
Michael Engle:
Right. So then there's real biometrics and we'll give you an example of that here in just a minute.
Will LaSala:
Yeah, I think that's the whole thing. So people think I'm using biometrics, I use touch ID, it's like okay, kind of. But you got to really dig into what that actually means and see where your identity really is.
Michael Engle:
Yeah, they're used as a strong authenticator more often than a strong identifier, and that's where we'll differentiate between those in just a minute. So thank you for that. We had about two thirds of the respondents say they are using some form of biometrics today, so that's great. Thank you for answering. And all of these results will be shared with everybody who signed up after the webinar's over. So here's my own family fraud story that happened 10 days ago and it happens to be with Zelle, which has been in the news a lot lately. So for our overseas visitors, Zelle is a peer-to-peer payment tool here in the US that allows you to send money between two banking customers at different banks. So Chase bank customer says, "I want to Zelle money over to somebody at Goldman Sachs," or whatever it would be. And the reason this is really important for them is because it bypasses the third parties like PayPal or using wires and ACH and all those legacy antiquated models.
It's very powerful. However, the bad actors has figured out how to use this to their advantage. And so, one of my family members received a request that looks like this in their Zelle app. So up popped up their banking application that said, "This person is requesting..." Well, we're not really sure what it says. It says I'm requesting $3,500, but then it says credit reversal. And I have some of this blurred out because this is actually a real victim that's also a victim in this crime. And this credit reversal is what's confusing.
So she gets this pop-up on her phone inside of her trusted banking application. 30 seconds later, she gets a call. And now you know what her bank is, I guess, I should have blurred this out too, but from Bank of America, from the real Bank of America phone number. And this person's on the phone saying, "Hello, Jane, we're calling from Bank of America fraud. Did you authorize $3,500 to leave your bank account?" And Jane says, ""Well, no, of course I didn't." All right, great. "Well, we just sent you a credit reversal, would you just press the button there and that money will be unwired?"
The reality obviously is what's happening is she's about to send the money. It hasn't been sent. That's part of the fraud. And you can see this was 10 days ago. And she was so close to pressing that send button on the left screen. She called me up and I said, drop your phone, flush it down the toilet. Do not press that button because it's really hard to get it back once you send it. And there's all kinds of lawsuits and a lot of bad PR around this stuff now. And she pressed no and declined the request. So lucky that. Very lucky because it'd be so easy to mitigate. But what goes through your mind on this, Will, as you see this one, two, three sequence of what happened?
Will LaSala:
Yeah, this is happening more and more today. I think we in the industry call this social engineering. It's basically attacking the human and then attacking our natural tendencies. So in a peer-to-peer type situation, the hacker is calling and preying on that you're going to believe what you see in front of you or what you're listening to on the phone. So they'll call you up and give you an urgent request or something that makes sense, a credit reversal. Even if you didn't make that payment, you might think, "Oh, I'm getting attacked by someone else, not the person that just called me." And the bank is trying to be helpful here. They're trying to tell me, "Oh, let's stop this before it happens." And luckily your family member here picked up the phone and called you. But most people don't have that option.
They don't have the security guy in their back pocket to call. And so they're releasing these. Yeah, okay, we've got Zelle up here, but it doesn't have to be. It can be any peer-to-peer, or it could just simply be a person calling on the phone. So think back to the static username and password. If someone calls me from my bank and says, "Hey, we've detected some fraud on your account. We want to go ahead and make certain that it's you. Could you go ahead and give me your password." Or generate that password and you read it over the phone to the person that you believe is the bank, well now that person has access to your account. They've the perpetrated an account takeover fraud just by asking you and you've given it to them. So it happens a lot and it's a very dangerous attack now that people really have to watch out for.
Michael Engle:
Yeah, this is a UX disaster. So many things could have been done by the banks here to mitigate this. So why not just at least have one more warning here that says, "Hey, you've never sent money to this person before." That's the first thing you could do. "Are you sure? This is a common fraud." You know what I mean? There's like 10 different things that could go on in the engagement with the recipient here of this message. The second is, why not have something verified that I know that this is actually this person issuing it? We're going to get into the identity side of this in just a minute. And of course, don't get me started on how easy it is to spoof a phone call. These are problems with the telcos that have been going on for, God, since phones have existed, right?
But it's still baffling that there's only three carriers in the US and her, Verizon or AT&T phone rang and this was allowed to happen. So I know it's getting better and there's spam and fraud checks. So I just thought this was pretty interesting real world story here that smacked me in the face.
So Will, let's talk about the definition of digital identity. Again, going back to our pre-gray hair days, when we thought about our identity and access management systems that we worked on 20 years ago, there's really only one option. Your identity remotely was verified by username and password. And going back just a little over 20 years ago, 2FA wasn't even really a thing. But what confusion do you see in the marketplace around the word identity? And I put some terms up here that often get associated with it.
Will LaSala:
Yeah. And that's the whole thing is that a lot of these terms are more... Well, some of these terms are really in the authentication of that identity. It might not be the identity itself. And even in these terms themselves, people are misusing a lot of these technologies. So like in 2FA, you often get just a single form of authentication. Maybe they're just using a one-time password, maybe that's generated by a mobile phone or something, but they're just using that one-time password. Well, if you're just using one that's not 2FA. And then the other things that you have in here that start to look at that authentication, people using SMS authentication and coming through non-secure channels, not being able to authenticate that identity. And so today digital identity is much more than that. It's also everything that is the context around how you perform those transactions and what you're doing in those transactions. So it becomes a much broader term. And as such, you get a lot more data points that you can use to help prove that identity and really verify the right identities being used for those transactions.
Michael Engle:
Yeah, exactly. And you said one term there that stuck with me. It's prove. How do you prove somebody's identity remotely? And it's no 100% just like there's no unhackable system, you try to do as best you can. But there are techniques now that we're going to talk about here today, and specifically the standards around identity. So now there's a bar that's been set of how you prove who somebody is remotely and how you use that proof over and over again.
And imagine if we liken this to the real world will where you get pulled over by a state trooper in your state and you roll down the window and the state trooper says, "All right, Will, what's your password?" And you say, "Password 123." And then he says, "Okay, I'm going to send you a 2FA code." And you get your phone, you read in the six digit code. And he says, "Okay, slow down. Here's your $50 ticket." It just wouldn't work. What do they do? They pull out a credential, they look at your face, they look at the face on the credential. And that's the way we've been doing it since the Safe Conduct Act of 1414 by King Henry V. Check out that research.
Will, let's reproduce what that happens in the real world, that physical world in the digital world. And the standards around that have been established since really going back to 2013 and 2017 when two really important standards evolved. The first is NIST 800-63-3. Now this is the government standard as per NIST that says how do you prove who somebody is remotely? And it involves getting a couple forms of identity verification and verifying them and then matching you to those documents. Very simple in concept. We do it all the time when we open bank accounts or go to the DMV or have other types of secure transactions. And then we have also that same standard tells you how to authenticate somebody. But then of course everybody knows about FIDO, and this is replacing passwords with cryptography, a public private key pair and a biometric.
And so when you put these together, you have a strong identity like proof that you're Will LaSala in the real world, and an authenticator to go along with it. We call this identity-based authentication. And we are one of the only companies that is certified for both of these. And the certifying bodies are Cantera for the NIST side, FIDO for the FIDO side, and iBeta for the biometrics. And there's a couple certifying bodies out there, but these are some of the more popular ones. And so I think in your business, Will, you've got some pretty strict requirements for NIST IAL2, right?
Will LaSala:
Yeah, absolutely. Depending upon the market that you're in, in the financial, especially in the healthcare sector and the government sector, your IAL levels, ratchet up quite a bit. And we didn't really talk about levels, but there are three levels for each of these missed requirements. And you might be able to satisfy maybe a level one with the way that you're looking at your authentication. But really what you're looking for is that level two in both the IAL and the AAL. And that's really the high confidence that the identity is actually the same one that's holding onto the authentication. So that's really where you want to tie those two really together and have a high confidence rate that those are together. And certainly, that's what we're looking at here and the solution. And as you get these certifications on these, that really helps us all understand where you are in that spectrum and what you're able to leverage those technologies for. So it's really important for all of these markets.
Michael Engle:
Yeah, no, thanks for that. And so let's round out the story and get into a little bit of demo here. So the way that identity and authentication had been done over since computers has really been very siloed. And you're seeing the analysts talk about the conversions of these things as being really important. So you onboard users, whether it's a new employee or a new customer or a new citizen for citizen benefits, whatever it is, and then you throw that effort away. Well, now because of modern technology and modern phones and laptops and all these things, you can link these together and create a strong framework.
And so we're going to show you how these all come together here next. But just double clicking a bit on this identity onboarding and showing a little bit of the water as we're drowning in it because we all went through this probably recently, is we still have these painful manual and fraud susceptible ways to onboard an account. Type in your info. This info is freely available in the dark web, not freely, but pretty much. And it's verified against data sources that have been compromised as well. So this is one of the reasons that synthetic identity is possible because it starts with this type of input.
Will LaSala:
And how many people are looking right now and trying to make your workflows easier? That's the name of the game that we've been hearing on the street from our customers is really that the customers want things easy, but you can't have easy if you can't verify that identity or approve that identity. So these forums with all this free information that can be gathered from anywhere to make these synthetic IDs, the forms themselves become a problem even from an ease of use standpoint.
Michael Engle:
Exactly. Yeah. If you make it easy, they'll love you and they'll use your service every day. Look at Amazon, it's like press a button, it shows up my doorstep five minutes later. We need the equivalent of that for the identity and authentication side. On the authentication side, we still deal with create a username, create a password. Oh my god, how many services are just rolling out one time codes to my e-mail or phone number? What are they trying to solve? It was like, I don't know, some really benign art website like enable your 2FA. Like, "No. Not the way you're having me do it." Because it doesn't buy you anything, if somebody has access to my e-mail. So yeah. This is frustrating.
Will LaSala:
A great example right here, take that recent post from Twitter from Elon Musk and them charging now for SMS authentication. Everybody was up in arms. Oh my God, why are you charging for two-factor through SMS? The reason that Twitter did that was because of the losses that they were experiencing from SMM. That was what his both said is that the amount of losses that they were experiencing with two-factor SMS authentication, the amount of support time that they were going in, SMS is very easily attacked. So they were pushing people to use a stronger form of two-factor authentication. Move into something that is much stronger to use. And they did it by simply attaching a price to it. But people should be wary of that.
SMS goes through this open communication in the clear. So anyone that wants to sit there and stand up their own tower, they can read all of the SMSs that go through it. And it's clear text, so it's easy for a attacker. A little bit different than your push notifications or your in-app. And those are all strong authentication and generally using cryptographic components. And there's even stronger as we get into FIDO and what you see there.
Michael Engle:
Yeah. At a minimum, this stuff has to go here. And unfortunately, they did a terrible job with the PR on this. They should have said, "Twitter's migrating to better 2FA," right?
Michael Engle:
People thought that they were charging for 2FA full stop. No, they were charging for SMSs. You can still use Google Authenticator and all that stuff, which to your point is much more secure because it's in your control. So yeah, that was unfortunate. And this is how Jack Dorsey's account was compromised four years ago, right?
Will LaSala:
Yes, that's right.
Michael Engle:
Yeah, that should be a lesson for everybody. So we're going to migrate out of this. And the way we do this is by combining identity proofing, which we'll show you here in just a minute on the next slide, and identity verification into one cohesive experience. And when you put these together, this is how in this 800-63-3 identity assurance level is obtained. You can give the users a credential as part of that process, which means you're addressing both the identity and the authentication side at the same time. And that is what we call passwordless. Passwordless without identity is just another form of authentication. It's stronger, but it still has inherent weaknesses. So again, as an identity guy, I'm sure this resonates with you, right, Will?
Will LaSala:
Absolutely. Tying your identity to your authentication can't be more important. We're seeing that everywhere. So you can think of there are many different forms of authentication. A lot of those are commoditized, meaning that you can get them from anywhere. There are a whole bunch of different options and open standards that are out there. But really being able to bring that identity and making certain that that's the correct identity associated with that authentication really helps in everything. Think about the ease of use alone. If you know that the next time that this person comes into your application that you're absolutely certain that this ID behind it because they have their ID associated with that authenticator, that opens up a world where you can offer more services, the ease of use of that becomes much, much better. And certainly, you're able to capitalize more on that, adding more services and offering more ways to do business digitally.
Michael Engle:
Yeah, exactly. And I think it's time to show, all right, not just tell.
Will LaSala:
Yeah, let's do it.
Michael Engle:
Let me run through a two-minute demonstration of a full digital onboarding experience, NIST AIL2 two certified. So the first step in any account creation process for consumer facing applications, at least not necessarily for your workforce, but it's just collect and verify an e-mail and a phone number. There's a hundred ways to do that. We have an API call to do these things. It's very straightforward. So we don't show that here. But typically, you're sending them a link to verify their possession of an e-mail and make them verify the phone number in a similar way. Now the second part is to enable, we've talked about those different types of biometrics. So let's enable touch ID and face ID. This is a one-touch operation.
That's it. We do this billions of times a day as humans, because every smartphone supports this today. And what that does is creates a strong authenticator link to the device. Now, it's not linked to any identity yet, but it is a strong way for you to do that same thing over and over again that's very difficult for somebody else to get their hands on. So that's a factor. It's really something you have that's with you, including something you are.
Now let's verify the actual real world identity. So for most healthcare or banking, crypto, Neobank type applications, you have to verify their government information and their credit information. So we start with an SSN. This unfortunately is still needed because people have to pay taxes and it's what the government uses. So we ask for this and we'll verify this with the credit bureaus. Then we'll verify their government documents. So this example is the front and back of the driver's license.
The front and the back are done in a similar fashion using our high-res camera. And that's it. The camera does the work. The web interface will guide the user through it, handle things like reflective lighting and are you holding it too close or too far? Guide them through that. In real time, all the overt security features are verified and there's literally hundreds of checks that are done, the size and shape of the document, do the millimeters here match the other edge? Is the photo in the right place? Are the fonts right? Is there any tape on the photo? Does something look a little off, on and on? And at the same time, my photo and all the data is extracted and put into my own wallet. I haven't given it to anybody yet. It's a really important privacy design consideration. So we've got the government data and now we'll match it to a live selfie. Very straightforward process.
Again, right distance, right lighting. And now that is matched to the photo on the driver's license. It passes? You continue. The data is extracted and verified. In this example, we're checking the driver's license number with AAMVA, which is the DMV aggregator, which works with the DMVs across the United States. So driver's license is valid, not marked as lost or stolen. And lastly, we take that SSN and the data on the driver's license and check it with the credit bureaus. Does Mike Engel live at the address on that driver's license? So those checks together give you a very high level of assurance. And if you compare that experience to typing in 30 fields next, next, next. Sorry, you mis-typo'd on your address or your state. It's much better. And of course it's much more secure for the issuing bank or whatever it is.
Will LaSala:
I think the one thing that you look at here, so it took us three minutes to explain this, but most of the time when a customer's doing this, this is very quick, it's usually under a minute, and there are already real world examples of this happening out there. Oftentimes as you step through this, you're then ending up with this strong credential that is tied to your identity. And so next time you come in, you're not going to step through all of this. You're just going to authenticate. And the user's going to know because they're doing this strong authentication mechanism that the identity is coming with them and so that they're sharing their identity, whatever they do, their authentication mechanism because they step through this first in getting those.
Michael Engle:
Right. Delight your customers. That's right. So Maureen, if you could pop up that other polling question. This one's really about does your organization already do some digital onboarding for employees or customers today? Do you link your account origination with your authentication today at any time? And we're going to show you some FIDO stuff next. So it's related. So pick one.
Will LaSala:
It's always interesting. I think a lot of people are still dealing with just the onboarding mechanisms itself. Authentication really previous to digital transformation was really just about, "Okay, how do I get an authentication into the user's hands?" If I needed to do strong authentication, maybe that was a hardware device that I was shipping out. And the amount of time that it took me to get from when the user signed up to when they got the hardware device, maybe I could get it overnight to them. But now with everything moving digital, there's still hardware tokens out there, but it's really a lot more about software and how quickly you can get them onboarded. You don't want to let them do it for more than a minute. That would be uncalled-for. People would jump off the ship and move on to the next application out there because there's always the next application. So really doing it quickly, easily, and more secure. I think that's what we're looking for.
Michael Engle:
Yeah, I've changed banks because I just can't handle the 2FA process. They pop up five times in a four-minute exchange where I'm trying to set up a new wire. I'm like, "I can't take it anymore." So I'm sure I'm not the only one. Thanks for doing that, Maureen. Just quick glance at the numbers, about quarter of the respondents aren't sure, maybe our question could have been worded a little better. But we have half that said that their processes are linked to some degree, which doesn't surprise me. The topic of this webinar will attract people into identity that might be thinking about this stuff. And 5% say they're very tightly integrated. So kudos to those that have gotten to that point in the process. All right, so we've onboarded an identity. Now what do we do with it? How can we leverage that strong identity to make transactions, which is why we're online, we're trying to transact.
And so let's run through identity-based authentication and practice. This will be not only using those device biometrics that we spoke about, touch ID, face ID in a modern way, but real biometrics. So let's leverage that live ID, that live selfie that I enrolled to verify against my driver's license to prove that I'm allowed to wire a hundred thousand dollars or allowed to request Zelle money from somebody I've never done before. Wouldn't that be great? So we'll start off with a very straightforward yet modern authentication experience, which is a QR code. And because of COVID, again, almost everybody's familiar with whipping out their phone and scanning a QR code to read a menu. But what that is it's a secure way to engage with a remote service where you can set up a trusted connection between two parties. And so if your bank account, your banking log on has login with QR code, you get out your trusted authenticator and you scan it, you do your touch ID, face ID, and you're staring at the downstream application. It's that simple.
Now there's a couple other ways we could engage. So let's say now we go to move a little bit of money here, and in this example it's going to be... I think I have to press next. Yeah. We're going to ask for face ID one more time to do a transaction. So in this example, we're going to put the dollar amount to something that requires a second knock. All right, so we reach out to that strong mobile authenticator and just say yes or no. Face ID, and we've just wired money or Zelle'd it or whatever it is. Okay?
Third level, and this is getting more into zero trust. This works really well in the workforce when you need to know who somebody is before they log in as route to your infrastructure. But imagine if your bank, Will, would allow you to do this before you added a new payee. And you only had to do this thing once during this session. Instead of being asked five times like I was just complaining about. So in this example, I'm going to wire a hundred thousand dollars or add a new routing number and the bank says, I really want to know it's you on the other end of the line. Would you just look into the camera please? That's it. A thousand times better than fetching a 2FA code for so many reasons. And the transaction's been done. That's what we refer to as identity based because it's linked back to the real world identity.
Will LaSala:
Looking at how each one of these was a different level of risk you're looking at, and as our banks look at this, they looked at each one of these risk factors. And up until now it's been blanketed, right? You're like, "Okay, hit you with another SMS, hit you with another SMS. Here you go five times to do this." And honestly, you're wiring a hundred thousand dollars and SMS is okay to do that? That step up where you need to look at the person, see that face and perform that biometric, that face recognition, that's really what you should be doing if you're trying to move this much money. It really puts that level of assurance where, "Yeah, okay, that is actually the person that we believe it to be that's going to perform this transaction." And that's really where it comes down to the different levels of insurance and putting in the right level for the right risk level that you have.
Michael Engle:
Yeah. And we talk about this real biometrics, they're more popular overseas. The US, we're typically five, 10 years behind the rest of the world in adoption of technologies. For example, how long did it take us to go to chip and pin on credit cards? Europe had been doing it for 10 years and like, "What are you morons doing over there?"
Will LaSala:
And did we even go to chip and pin? I think we went to chip and password.
Michael Engle:
Went to chip. Yeah. So at least it's not the mag stripe anymore. Well, 95% of the time. So the chip is very difficult to clone. And so overseas, you're seeing the use of a real biometric use more and more, right? Go to South Korea or Singapore. And I think we're going to see this get more popular as long as it's trusted, right? There was a whole bunch of issues with one of the big federal agencies and one of the providers that had challenges here because they didn't have the right disclosure, they didn't have the right privacy model around where the faces are stored. So if you store the face in a way that's safe, GDPR-compliant, for example, if that face is encrypted with a private key that's in control of the user and then you just use digital signatures to verify, then you're heading in the right direction. So I think we're going to see this get a lot more popular where it's not just touch ID or face ID and we'll see if I might-
Will LaSala:
I agree. I think when we see that live biometric, and this is again the difference between using the onboard biometric versus using the third party biometric because the onboarded touch ID, face ID or Google Touch or Samsung Fingerprint, a lot of those are just yes or nos. You're just simply saying yes to the application, the biometric risk performed. But you're not actually doing the true biometric behind it or capturing that in any way. And when you look at some of the way that we did the live ID here, you're actually creating a unique signature from that value, from that face value. So that gives you a little bit more assurances. And certainly if you do this, just as Mike was explaining, you meet the GDPR requirements and you're compliant, it gives you that level of assurance that's really necessary to move forward and to put trust there.
Michael Engle:
That's right. And so let's wrap up with a little bit of FIDO, right? Do you have any dogs?
Will LaSala:
I don't. I have cats and I don't name them FIDO.
Michael Engle:
Okay. Yeah, I guess not. So yeah, FIDO, for those that haven't heard of it and been living under a rock, it stands for Fast Identity Online. It's a nonprofit that started in 2013 and all the tech companies that are behind it in the beginning, Google, Microsoft, Apple, Yahoo, and 1Kosmos and OneSpan are both Phyto members for quite a while. And it's a way to authenticate without passwords. It's to migrate from a password experience to a passwordless one. So I have a very straightforward demo application here. This demo application was made by the FIDO Alliance and anybody can go try it out themselves. But what you want to do is get your existing user experience to go passwordless. And you do that by logging in and then just asking the user, would you like to go passwordless?
And you say, yes. It's really not that much to it. Now what happens here, I'm going to pause, is your local platform Authenticator pops up. And what I mean by local platform authenticator is it's the touch ID, face ID in your phone or your iPhone or Android. Or if you're on a laptop or a desktop, whatever it uses, so Microsoft uses Windows Hello, Mac uses Touch ID over there. And it links that experience then to the remote account. So this account that you see right here is ready for Passwordless. And on my next screen as I just simply click the authenticate button, it does that biometric one more time, gives the sign challenge response, and I'm staring at the application again.
So it is the future of consumer authentication. There's a lot of devil in the details. We specialize in making this really easy for merchants to embed into their platform. But Will, I'm sure you're as excited about this as I am because I'd love to use this on every website.
Will LaSala:
FIDO is excellent. It is the Phishing killer. It really is designed to get rid of passwords and really to kill Phishing in general. I think being a technical guy, I'll toss out the term that this is asymmetric keys. People don't understand that. But essentially what you need to know there is that as you're performing this authentication, it's actually the client that's generating these requests. And so unlike, and other ones where both the server and the client need to generate the same information and that same information has to be exchanged between them. Think of a password, if you're passing it over, that password has to match what's in the backend. That's what they call symmetric. FIDO is a little bit different than that and is more secure. And so I know that there's a lot of RFPs out there asking for asymmetric solutions, and FIDO really deals with that. And unless you look at how to implement Passwordless strong authentication with anti phishing built in.
Michael Engle:
Yeah. And there's a new component in FIDO that's being called passkey that allows you to use... It's hard to explain, but they'll store your credentials in a way that you can leverage them over and over again as well. So there used to be a challenge where if I got a new computer or a new phone, I'd have to go set up my FIDO authenticator again. And that's been mitigated with implementations on Passkey. So we'll see it get more and more popular over time.
Will LaSala:
Yeah. FIDO has grown up quite a bit. We started with using different hardware devices, different mobile solutions. But I think today, as people implement these solutions, you're going to find that FIDO is accepted in more places. It works better than more solutions, and ultimately it really does solve this problem.
Michael Engle:
Cool. Well, we are marching along nicely here. I'm going to wrap up with a summary that goes from this slide to where we land here. So we've taken those discrete components, proof of government documents, your biometrics matching, verify everything, and then enroll your private key. That's the identity and onboarding. And tie that together with the user authentication, which makes your fraud much easier. So we want these to get much tighter, makes the fraud, the signals that go into your fraud engine much stronger. So you're not just trying to say, it's an IP address that's bad, or something with their cookie looks a little off. But hey, I know with a very high level of assurance that this is the same person that opened the account. And so we're trying to get from those siloed octagons into something that is much more tighter and cohesive. And, Will, I think you guys offer a platform that we partner up with quite nicely to solve a lot of these problems?
Will LaSala:
Yeah, absolutely. Yeah. The ones been Transaction identity solution, our transaction cloud solution really allows you to quickly and easy implement all of these. So it's a bunch of rest APIs that really tie in the authentication mechanisms and start to deal with some of these risk profiles. So as you're looking at how you're dealing with risk or what your risk is on certain types of transactions or even on different types of agreements. So a lot of what ones span looks at today is where the agreements are and what you're trying to do in those agreements. So yes, it's certainly about the login and onboarding, but ultimately you're going to create a transaction. That's what those demos were showing. And what does that transaction look like? What does that agreement look like? What's the risk that you're associated with that? And how do I properly authenticate and prove my identity in that? And that's certainly what the OneSpan Transaction Cloud does.
Michael Engle:
Awesome. I'll take two. So let's just wrap it up. We've got a couple of events coming up that both OneSpan and 1Kosmos will be at. So because we're identity all the time, we'll be at GartnerIAM coming up on March 20th. So look for us there. And we've got a couple of webinars coming up. You can see them on our website on both 1Kosmos and the OneSpan websites have some upcoming webinars as well.
All right. So with that, I think we've used up quite a bit of time here today. We'll call it a wrap. Will, are you going to be attending any of these shows coming up in the next couple of months?
Will LaSala:
Yeah, absolutely. So I'm speaking at a couple of events coming up, some events in Texas, and I'm hoping to make it at a couple of these events as well as we move through it. But my March is very busy right now. It's going to be full of stuff to do.
Michael Engle:
Exactly. But we'll be all shopping for holiday presents before we know it, so we'll just enjoy it while it's here.
Will LaSala:
Exactly.
Michael Engle:
Awesome. Will, thank you so much for joining. For everybody who attended, thank you. And this will be sent out to everybody who registered and couldn't make it because of crazy calendars. So any questions, feel free to reach out. Both Will and I are accessible via this thing called e-mail. And feel free to reach out with any questions. So Will, thank you so much for joining.
Will LaSala:
Yeah, absolutely, Mike. Thank you so much for having me. Hopefully everybody got everything they needed out of this. I think we talked a lot about ease of use and security and tying your identity in there. I hope you all really enjoyed this. Please feel free to reach out.
Michael Engle:
Thank you. Let's do it again soon.
Will LaSala:
Absolutely.
Michael Engle:
Bye-bye.
Will LaSala:
Bye.
Mike Engle
CSO
1Kosmos
Will LaSala
Field Chief Technology Officer
OneSpan
This webinar focused on how to deliver the privacy, security and convenience people have come to expect online. We covered:
- How to accelerate customer onboarding and new account origination
- A modern reference architecture for agile identity and access management
- The role of a digital wallet in modernizing the user experience
- Ways to deliver concierge digital services while shutting down fraud
- Why ignoring privacy and compliance can destine you to failure before you start
Customer satisfaction with your digital business likely defines the most efficient path to growth. It’s why financial institutions, government agencies, healthcare payers, providers, retailers … just about any organization that delivers a product or service online cares about their digital brand experience.
Mike Engle
CSO
1Kosmos
Will LaSala
Field Chief Technology Officer
OneSpan
Video Transcript
Michael Engle:
All right. I think we are about one minute past. Let's jump in and get gone here. So thanks everybody for joining. We're live today on Zoom and LinkedIn, I believe. I'm joined today by Will LaSala from OneSpan. Will, if you could just introduce yourself and say hi, and let everybody know what you do for a living.
Will LaSala:
Yeah, absolutely. Thank you very much, Mike, for having us. I'm Will LaSala, I'm with OneSpan. I'm the field CTO for the Americas. Been with OneSpan for about 20 years. I've been working in cybersecurity for about 25 years, so I've seen quite a few different things and worked with many different large applications as they implement digital fraud strategies and solutions.
Michael Engle:
Excellent. Yeah, 20 years with one company. Impressive. It must be a good company to work for, I'll say that.
Will LaSala:
Absolutely. They've been good to us.
Michael Engle:
Yeah. Yeah, you don't see that anymore. Right? And as I mentioned, my name is Mike Engel, co-founder and head of strategy here at 1Kosmos. Similar to Will, all my career in InfoSec, focusing on just digital identity since 2018. And looking forward to our discussion today. And we're here today to talk about... Let me just go back to the intro slide here, modernizing customer onboarding. We're going to talk about account takeover, synthetic identity, but really, just figuring out a way to prove who it is at the other end of a connection so that we can make better decisions and side product will be better user experiences.
We're going to talk a little bit about the problem statement, show you some technologies that are fresh and new and see if anybody has any questions. I've got a couple of people on standby to answer questions. Just paste them into the chat and we'll take care of them as they come up. And we'll have a little bit of Q&A here at the end as well.
So kicking it off, when you and I were growing up, Will, right? We both have the gray hair to tell old time stories, right? Walking uphill to school both ways and the snow things.
Will LaSala:
Absolutely.
Michael Engle:
But you remember when we got started, Stateful firewalls came out. I'm going way back. And we created the perimeter, we created the firewalls, and then we sprinkled some antivirus around some endpoint protection. We tried to keep people out of the core. As we all know, the cloud and SaaS applications and all that have destroyed that model. And so the hackers aren't hacking in any more like they used to back when I was a kid, the viruses and worms would come in, they'd decimate your environment and that's what we used to protect against.
But today they don't need to do that stuff anymore. You still have your instances of solar, winds and things, but there are rarity. Today, the bad guys log in. And some pretty amazing stats are out there on how bad this problem is. But from the latest Verizon, DBIR, the data breach investigations report, and there's a high number in the eighties, 81% of all breaches today are compromised because of what's called the human element. And that typically means I've given up a username or password or it's been coerced or fished or whatever. And in your capacity as the guy over there at one span, I'm sure not only are you being asked to solve this a lot, but you're seeing these problems impact your customers quite a bit, right, Will?
Will LaSala:
Yeah, absolutely. It does date back to the days when we tried to protect all of our stuff. In the financial vertical, there was this FIC guidance back in 2006 or 2004, and at that time we knew it was a problem. Everybody was getting fished. There were all of these ways to harvest those passwords, but it was really, again, the passwords were just simply that everybody's using static credentials. Today, those static credentials, instead of getting into a network or into an area, you're using those same credentials to get into applications outside your network. And that is the easiest way to get into them. So instead of a hacker trying to get through and find some type of backdoor or something, a problem in the software, just using a username and password, those are 100% the most common things you see out there.
Black market, they're still sold. Millions of these credentials are sold and bought every day. I think I read something about even in mobile hacks that you know can buy mobile username and passwords that log you into applications and those are being sold maybe a hundred dollars or username and password. So there it's big business and it's not just about hacking the app and trying to find some really technical hack to get into there. I just have to listen to what that user's typing and then hijack it and get into the application.
Michael Engle:
Yeah. And there's so many ways to do it now. That's exactly right. You could guess the username and password, right? Because people reuse the same ones. So I'm sure every one of my family members is guilty of that. They use the same password.
Will LaSala:
How many people use the word password, right?
Michael Engle:
Yeah, hopefully it's not that bad, but probably is. Or you coerce it out of the person, call them up and ask him for it. It's so common. And we're going to talk about that with a specific example here in just a minute. That just happened to my family 10 days ago, so that'll be fun. So yeah, we know that credentials are the problem. A lack of real identity is what we're here today to talk about and how we can augment and strengthen that. So just a couple of scary numbers. Every webinar has to have some scary numbers. And this is from our friends over at Oliver Wyman. They put together this research, and I was really staggered to see how much synthetic identity has overtaken account takeover. So synthetic identity, very rough definition, is the bad actors creating an account at a bank, for example, that doesn't exist or it partially exists, but they're tweaking it to get past the KYC checks.
And I think it really accelerated because of COVID. This has become one of the primary ways. And what they'll do is create an account, John Smith, maybe make an address that's very common, and the birthdate that goes with another John Smith, et cetera. They'll build up a little bit of credit. And then you can see these numbers here on the top left in this pie chart where they will build up, say $50,000 of credit over time, and then they do what's called busting out. They will rack up $90,000 worth of charges and then that account is gone. You're never going to see them again. And they're very patient in doing this. It may take them weeks, months, years sometimes to really... But they do it at scale.
Account takeover is much different. That is where like we were just talking about. And the real difference here to the end user is your typical consumer doesn't care about synthetic identity. It doesn't impact them directly, unless the synthetic identity is made in a way that affects my credit file. So if somebody creates a fake Mike Engle, that lives maybe at an address next to mine, then it doesn't impact me. It impacts the banks heavily. You see $20 billion just last year alone. And so we're going to talk about some ways to strengthen this and not just about usernames and passwords.
Will LaSala:
Yeah, I think when you look at synthetic identity, one of the things that we have to think about is all of those breaches that were really public, all the PII you got from all of these breaches, we all thought, "Oh, they're going to steal our identities. They're going to come in and do account takeovers and use those identities, use the information that they sold to take over those accounts." Reality is that they took all that PII data and started to create random users that look so realistic. They fool all of these systems that are in place. And so that synthetic identity, we saw it really in the pandemic, it made big headlines where you had people pretending to be other people so they could claim the tax credits and they could claim all of these benefits that were being given out because of COVID.
And those were just synthetic identities, people just creating identities that could capitalize on this. Account takeover fraud though, that's been around for... That is phishing. That's where we see everything. That's certainly the big boy in the room because just so many of those accounts, we've been fighting this for years now, but there's so many passwords. I don't know how many people use a password manager, but if you go in there and you're getting an alert that, hey, you've got 500 accounts and you haven't changed your password, they're all probably been phished at this point. So it's really dangerous as you go into it.
Michael Engle:
Yeah. So the dark web is what's fueling both of these buckets of attacks as well. So we'll talk more about the dark web here as we get into the fraud story that I'm going to tell. But first, we're going to ask two polling questions today. So I'm going to ask Maureen, our MC here to pop up a question for the audience. And we're going to talk a little bit today about biometrics because biometrics would is one way that you can prevent some of the attacks that we're talking about here today. Oops, next question. Yeah, that was the wrong question. Don't press that button. There we go. Do you use biometrics today in what you do either as a consumer or in your organization?
Will LaSala:
That's a great question. There all different levels of biometrics. So are they really using it, are they not? It's certainly one of those things.
Michael Engle:
Well, not just that, there's two types of biometrics that we'll talk about. There's what's on your device, what Apple and Google give you, touch ID, face ID, or Microsoft with windows hello. And that's not linking you back to a real world identity.
Will LaSala:
Exactly.
Michael Engle:
Right. So then there's real biometrics and we'll give you an example of that here in just a minute.
Will LaSala:
Yeah, I think that's the whole thing. So people think I'm using biometrics, I use touch ID, it's like okay, kind of. But you got to really dig into what that actually means and see where your identity really is.
Michael Engle:
Yeah, they're used as a strong authenticator more often than a strong identifier, and that's where we'll differentiate between those in just a minute. So thank you for that. We had about two thirds of the respondents say they are using some form of biometrics today, so that's great. Thank you for answering. And all of these results will be shared with everybody who signed up after the webinar's over. So here's my own family fraud story that happened 10 days ago and it happens to be with Zelle, which has been in the news a lot lately. So for our overseas visitors, Zelle is a peer-to-peer payment tool here in the US that allows you to send money between two banking customers at different banks. So Chase bank customer says, "I want to Zelle money over to somebody at Goldman Sachs," or whatever it would be. And the reason this is really important for them is because it bypasses the third parties like PayPal or using wires and ACH and all those legacy antiquated models.
It's very powerful. However, the bad actors has figured out how to use this to their advantage. And so, one of my family members received a request that looks like this in their Zelle app. So up popped up their banking application that said, "This person is requesting..." Well, we're not really sure what it says. It says I'm requesting $3,500, but then it says credit reversal. And I have some of this blurred out because this is actually a real victim that's also a victim in this crime. And this credit reversal is what's confusing.
So she gets this pop-up on her phone inside of her trusted banking application. 30 seconds later, she gets a call. And now you know what her bank is, I guess, I should have blurred this out too, but from Bank of America, from the real Bank of America phone number. And this person's on the phone saying, "Hello, Jane, we're calling from Bank of America fraud. Did you authorize $3,500 to leave your bank account?" And Jane says, ""Well, no, of course I didn't." All right, great. "Well, we just sent you a credit reversal, would you just press the button there and that money will be unwired?"
The reality obviously is what's happening is she's about to send the money. It hasn't been sent. That's part of the fraud. And you can see this was 10 days ago. And she was so close to pressing that send button on the left screen. She called me up and I said, drop your phone, flush it down the toilet. Do not press that button because it's really hard to get it back once you send it. And there's all kinds of lawsuits and a lot of bad PR around this stuff now. And she pressed no and declined the request. So lucky that. Very lucky because it'd be so easy to mitigate. But what goes through your mind on this, Will, as you see this one, two, three sequence of what happened?
Will LaSala:
Yeah, this is happening more and more today. I think we in the industry call this social engineering. It's basically attacking the human and then attacking our natural tendencies. So in a peer-to-peer type situation, the hacker is calling and preying on that you're going to believe what you see in front of you or what you're listening to on the phone. So they'll call you up and give you an urgent request or something that makes sense, a credit reversal. Even if you didn't make that payment, you might think, "Oh, I'm getting attacked by someone else, not the person that just called me." And the bank is trying to be helpful here. They're trying to tell me, "Oh, let's stop this before it happens." And luckily your family member here picked up the phone and called you. But most people don't have that option.
They don't have the security guy in their back pocket to call. And so they're releasing these. Yeah, okay, we've got Zelle up here, but it doesn't have to be. It can be any peer-to-peer, or it could just simply be a person calling on the phone. So think back to the static username and password. If someone calls me from my bank and says, "Hey, we've detected some fraud on your account. We want to go ahead and make certain that it's you. Could you go ahead and give me your password." Or generate that password and you read it over the phone to the person that you believe is the bank, well now that person has access to your account. They've the perpetrated an account takeover fraud just by asking you and you've given it to them. So it happens a lot and it's a very dangerous attack now that people really have to watch out for.
Michael Engle:
Yeah, this is a UX disaster. So many things could have been done by the banks here to mitigate this. So why not just at least have one more warning here that says, "Hey, you've never sent money to this person before." That's the first thing you could do. "Are you sure? This is a common fraud." You know what I mean? There's like 10 different things that could go on in the engagement with the recipient here of this message. The second is, why not have something verified that I know that this is actually this person issuing it? We're going to get into the identity side of this in just a minute. And of course, don't get me started on how easy it is to spoof a phone call. These are problems with the telcos that have been going on for, God, since phones have existed, right?
But it's still baffling that there's only three carriers in the US and her, Verizon or AT&T phone rang and this was allowed to happen. So I know it's getting better and there's spam and fraud checks. So I just thought this was pretty interesting real world story here that smacked me in the face.
So Will, let's talk about the definition of digital identity. Again, going back to our pre-gray hair days, when we thought about our identity and access management systems that we worked on 20 years ago, there's really only one option. Your identity remotely was verified by username and password. And going back just a little over 20 years ago, 2FA wasn't even really a thing. But what confusion do you see in the marketplace around the word identity? And I put some terms up here that often get associated with it.
Will LaSala:
Yeah. And that's the whole thing is that a lot of these terms are more... Well, some of these terms are really in the authentication of that identity. It might not be the identity itself. And even in these terms themselves, people are misusing a lot of these technologies. So like in 2FA, you often get just a single form of authentication. Maybe they're just using a one-time password, maybe that's generated by a mobile phone or something, but they're just using that one-time password. Well, if you're just using one that's not 2FA. And then the other things that you have in here that start to look at that authentication, people using SMS authentication and coming through non-secure channels, not being able to authenticate that identity. And so today digital identity is much more than that. It's also everything that is the context around how you perform those transactions and what you're doing in those transactions. So it becomes a much broader term. And as such, you get a lot more data points that you can use to help prove that identity and really verify the right identities being used for those transactions.
Michael Engle:
Yeah, exactly. And you said one term there that stuck with me. It's prove. How do you prove somebody's identity remotely? And it's no 100% just like there's no unhackable system, you try to do as best you can. But there are techniques now that we're going to talk about here today, and specifically the standards around identity. So now there's a bar that's been set of how you prove who somebody is remotely and how you use that proof over and over again.
And imagine if we liken this to the real world will where you get pulled over by a state trooper in your state and you roll down the window and the state trooper says, "All right, Will, what's your password?" And you say, "Password 123." And then he says, "Okay, I'm going to send you a 2FA code." And you get your phone, you read in the six digit code. And he says, "Okay, slow down. Here's your $50 ticket." It just wouldn't work. What do they do? They pull out a credential, they look at your face, they look at the face on the credential. And that's the way we've been doing it since the Safe Conduct Act of 1414 by King Henry V. Check out that research.
Will, let's reproduce what that happens in the real world, that physical world in the digital world. And the standards around that have been established since really going back to 2013 and 2017 when two really important standards evolved. The first is NIST 800-63-3. Now this is the government standard as per NIST that says how do you prove who somebody is remotely? And it involves getting a couple forms of identity verification and verifying them and then matching you to those documents. Very simple in concept. We do it all the time when we open bank accounts or go to the DMV or have other types of secure transactions. And then we have also that same standard tells you how to authenticate somebody. But then of course everybody knows about FIDO, and this is replacing passwords with cryptography, a public private key pair and a biometric.
And so when you put these together, you have a strong identity like proof that you're Will LaSala in the real world, and an authenticator to go along with it. We call this identity-based authentication. And we are one of the only companies that is certified for both of these. And the certifying bodies are Cantera for the NIST side, FIDO for the FIDO side, and iBeta for the biometrics. And there's a couple certifying bodies out there, but these are some of the more popular ones. And so I think in your business, Will, you've got some pretty strict requirements for NIST IAL2, right?
Will LaSala:
Yeah, absolutely. Depending upon the market that you're in, in the financial, especially in the healthcare sector and the government sector, your IAL levels, ratchet up quite a bit. And we didn't really talk about levels, but there are three levels for each of these missed requirements. And you might be able to satisfy maybe a level one with the way that you're looking at your authentication. But really what you're looking for is that level two in both the IAL and the AAL. And that's really the high confidence that the identity is actually the same one that's holding onto the authentication. So that's really where you want to tie those two really together and have a high confidence rate that those are together. And certainly, that's what we're looking at here and the solution. And as you get these certifications on these, that really helps us all understand where you are in that spectrum and what you're able to leverage those technologies for. So it's really important for all of these markets.
Michael Engle:
Yeah, no, thanks for that. And so let's round out the story and get into a little bit of demo here. So the way that identity and authentication had been done over since computers has really been very siloed. And you're seeing the analysts talk about the conversions of these things as being really important. So you onboard users, whether it's a new employee or a new customer or a new citizen for citizen benefits, whatever it is, and then you throw that effort away. Well, now because of modern technology and modern phones and laptops and all these things, you can link these together and create a strong framework.
And so we're going to show you how these all come together here next. But just double clicking a bit on this identity onboarding and showing a little bit of the water as we're drowning in it because we all went through this probably recently, is we still have these painful manual and fraud susceptible ways to onboard an account. Type in your info. This info is freely available in the dark web, not freely, but pretty much. And it's verified against data sources that have been compromised as well. So this is one of the reasons that synthetic identity is possible because it starts with this type of input.
Will LaSala:
And how many people are looking right now and trying to make your workflows easier? That's the name of the game that we've been hearing on the street from our customers is really that the customers want things easy, but you can't have easy if you can't verify that identity or approve that identity. So these forums with all this free information that can be gathered from anywhere to make these synthetic IDs, the forms themselves become a problem even from an ease of use standpoint.
Michael Engle:
Exactly. Yeah. If you make it easy, they'll love you and they'll use your service every day. Look at Amazon, it's like press a button, it shows up my doorstep five minutes later. We need the equivalent of that for the identity and authentication side. On the authentication side, we still deal with create a username, create a password. Oh my god, how many services are just rolling out one time codes to my e-mail or phone number? What are they trying to solve? It was like, I don't know, some really benign art website like enable your 2FA. Like, "No. Not the way you're having me do it." Because it doesn't buy you anything, if somebody has access to my e-mail. So yeah. This is frustrating.
Will LaSala:
A great example right here, take that recent post from Twitter from Elon Musk and them charging now for SMS authentication. Everybody was up in arms. Oh my God, why are you charging for two-factor through SMS? The reason that Twitter did that was because of the losses that they were experiencing from SMM. That was what his both said is that the amount of losses that they were experiencing with two-factor SMS authentication, the amount of support time that they were going in, SMS is very easily attacked. So they were pushing people to use a stronger form of two-factor authentication. Move into something that is much stronger to use. And they did it by simply attaching a price to it. But people should be wary of that.
SMS goes through this open communication in the clear. So anyone that wants to sit there and stand up their own tower, they can read all of the SMSs that go through it. And it's clear text, so it's easy for a attacker. A little bit different than your push notifications or your in-app. And those are all strong authentication and generally using cryptographic components. And there's even stronger as we get into FIDO and what you see there.
Michael Engle:
Yeah. At a minimum, this stuff has to go here. And unfortunately, they did a terrible job with the PR on this. They should have said, "Twitter's migrating to better 2FA," right?
Michael Engle:
People thought that they were charging for 2FA full stop. No, they were charging for SMSs. You can still use Google Authenticator and all that stuff, which to your point is much more secure because it's in your control. So yeah, that was unfortunate. And this is how Jack Dorsey's account was compromised four years ago, right?
Will LaSala:
Yes, that's right.
Michael Engle:
Yeah, that should be a lesson for everybody. So we're going to migrate out of this. And the way we do this is by combining identity proofing, which we'll show you here in just a minute on the next slide, and identity verification into one cohesive experience. And when you put these together, this is how in this 800-63-3 identity assurance level is obtained. You can give the users a credential as part of that process, which means you're addressing both the identity and the authentication side at the same time. And that is what we call passwordless. Passwordless without identity is just another form of authentication. It's stronger, but it still has inherent weaknesses. So again, as an identity guy, I'm sure this resonates with you, right, Will?
Will LaSala:
Absolutely. Tying your identity to your authentication can't be more important. We're seeing that everywhere. So you can think of there are many different forms of authentication. A lot of those are commoditized, meaning that you can get them from anywhere. There are a whole bunch of different options and open standards that are out there. But really being able to bring that identity and making certain that that's the correct identity associated with that authentication really helps in everything. Think about the ease of use alone. If you know that the next time that this person comes into your application that you're absolutely certain that this ID behind it because they have their ID associated with that authenticator, that opens up a world where you can offer more services, the ease of use of that becomes much, much better. And certainly, you're able to capitalize more on that, adding more services and offering more ways to do business digitally.
Michael Engle:
Yeah, exactly. And I think it's time to show, all right, not just tell.
Will LaSala:
Yeah, let's do it.
Michael Engle:
Let me run through a two-minute demonstration of a full digital onboarding experience, NIST AIL2 two certified. So the first step in any account creation process for consumer facing applications, at least not necessarily for your workforce, but it's just collect and verify an e-mail and a phone number. There's a hundred ways to do that. We have an API call to do these things. It's very straightforward. So we don't show that here. But typically, you're sending them a link to verify their possession of an e-mail and make them verify the phone number in a similar way. Now the second part is to enable, we've talked about those different types of biometrics. So let's enable touch ID and face ID. This is a one-touch operation.
That's it. We do this billions of times a day as humans, because every smartphone supports this today. And what that does is creates a strong authenticator link to the device. Now, it's not linked to any identity yet, but it is a strong way for you to do that same thing over and over again that's very difficult for somebody else to get their hands on. So that's a factor. It's really something you have that's with you, including something you are.
Now let's verify the actual real world identity. So for most healthcare or banking, crypto, Neobank type applications, you have to verify their government information and their credit information. So we start with an SSN. This unfortunately is still needed because people have to pay taxes and it's what the government uses. So we ask for this and we'll verify this with the credit bureaus. Then we'll verify their government documents. So this example is the front and back of the driver's license.
The front and the back are done in a similar fashion using our high-res camera. And that's it. The camera does the work. The web interface will guide the user through it, handle things like reflective lighting and are you holding it too close or too far? Guide them through that. In real time, all the overt security features are verified and there's literally hundreds of checks that are done, the size and shape of the document, do the millimeters here match the other edge? Is the photo in the right place? Are the fonts right? Is there any tape on the photo? Does something look a little off, on and on? And at the same time, my photo and all the data is extracted and put into my own wallet. I haven't given it to anybody yet. It's a really important privacy design consideration. So we've got the government data and now we'll match it to a live selfie. Very straightforward process.
Again, right distance, right lighting. And now that is matched to the photo on the driver's license. It passes? You continue. The data is extracted and verified. In this example, we're checking the driver's license number with AAMVA, which is the DMV aggregator, which works with the DMVs across the United States. So driver's license is valid, not marked as lost or stolen. And lastly, we take that SSN and the data on the driver's license and check it with the credit bureaus. Does Mike Engel live at the address on that driver's license? So those checks together give you a very high level of assurance. And if you compare that experience to typing in 30 fields next, next, next. Sorry, you mis-typo'd on your address or your state. It's much better. And of course it's much more secure for the issuing bank or whatever it is.
Will LaSala:
I think the one thing that you look at here, so it took us three minutes to explain this, but most of the time when a customer's doing this, this is very quick, it's usually under a minute, and there are already real world examples of this happening out there. Oftentimes as you step through this, you're then ending up with this strong credential that is tied to your identity. And so next time you come in, you're not going to step through all of this. You're just going to authenticate. And the user's going to know because they're doing this strong authentication mechanism that the identity is coming with them and so that they're sharing their identity, whatever they do, their authentication mechanism because they step through this first in getting those.
Michael Engle:
Right. Delight your customers. That's right. So Maureen, if you could pop up that other polling question. This one's really about does your organization already do some digital onboarding for employees or customers today? Do you link your account origination with your authentication today at any time? And we're going to show you some FIDO stuff next. So it's related. So pick one.
Will LaSala:
It's always interesting. I think a lot of people are still dealing with just the onboarding mechanisms itself. Authentication really previous to digital transformation was really just about, "Okay, how do I get an authentication into the user's hands?" If I needed to do strong authentication, maybe that was a hardware device that I was shipping out. And the amount of time that it took me to get from when the user signed up to when they got the hardware device, maybe I could get it overnight to them. But now with everything moving digital, there's still hardware tokens out there, but it's really a lot more about software and how quickly you can get them onboarded. You don't want to let them do it for more than a minute. That would be uncalled-for. People would jump off the ship and move on to the next application out there because there's always the next application. So really doing it quickly, easily, and more secure. I think that's what we're looking for.
Michael Engle:
Yeah, I've changed banks because I just can't handle the 2FA process. They pop up five times in a four-minute exchange where I'm trying to set up a new wire. I'm like, "I can't take it anymore." So I'm sure I'm not the only one. Thanks for doing that, Maureen. Just quick glance at the numbers, about quarter of the respondents aren't sure, maybe our question could have been worded a little better. But we have half that said that their processes are linked to some degree, which doesn't surprise me. The topic of this webinar will attract people into identity that might be thinking about this stuff. And 5% say they're very tightly integrated. So kudos to those that have gotten to that point in the process. All right, so we've onboarded an identity. Now what do we do with it? How can we leverage that strong identity to make transactions, which is why we're online, we're trying to transact.
And so let's run through identity-based authentication and practice. This will be not only using those device biometrics that we spoke about, touch ID, face ID in a modern way, but real biometrics. So let's leverage that live ID, that live selfie that I enrolled to verify against my driver's license to prove that I'm allowed to wire a hundred thousand dollars or allowed to request Zelle money from somebody I've never done before. Wouldn't that be great? So we'll start off with a very straightforward yet modern authentication experience, which is a QR code. And because of COVID, again, almost everybody's familiar with whipping out their phone and scanning a QR code to read a menu. But what that is it's a secure way to engage with a remote service where you can set up a trusted connection between two parties. And so if your bank account, your banking log on has login with QR code, you get out your trusted authenticator and you scan it, you do your touch ID, face ID, and you're staring at the downstream application. It's that simple.
Now there's a couple other ways we could engage. So let's say now we go to move a little bit of money here, and in this example it's going to be... I think I have to press next. Yeah. We're going to ask for face ID one more time to do a transaction. So in this example, we're going to put the dollar amount to something that requires a second knock. All right, so we reach out to that strong mobile authenticator and just say yes or no. Face ID, and we've just wired money or Zelle'd it or whatever it is. Okay?
Third level, and this is getting more into zero trust. This works really well in the workforce when you need to know who somebody is before they log in as route to your infrastructure. But imagine if your bank, Will, would allow you to do this before you added a new payee. And you only had to do this thing once during this session. Instead of being asked five times like I was just complaining about. So in this example, I'm going to wire a hundred thousand dollars or add a new routing number and the bank says, I really want to know it's you on the other end of the line. Would you just look into the camera please? That's it. A thousand times better than fetching a 2FA code for so many reasons. And the transaction's been done. That's what we refer to as identity based because it's linked back to the real world identity.
Will LaSala:
Looking at how each one of these was a different level of risk you're looking at, and as our banks look at this, they looked at each one of these risk factors. And up until now it's been blanketed, right? You're like, "Okay, hit you with another SMS, hit you with another SMS. Here you go five times to do this." And honestly, you're wiring a hundred thousand dollars and SMS is okay to do that? That step up where you need to look at the person, see that face and perform that biometric, that face recognition, that's really what you should be doing if you're trying to move this much money. It really puts that level of assurance where, "Yeah, okay, that is actually the person that we believe it to be that's going to perform this transaction." And that's really where it comes down to the different levels of insurance and putting in the right level for the right risk level that you have.
Michael Engle:
Yeah. And we talk about this real biometrics, they're more popular overseas. The US, we're typically five, 10 years behind the rest of the world in adoption of technologies. For example, how long did it take us to go to chip and pin on credit cards? Europe had been doing it for 10 years and like, "What are you morons doing over there?"
Will LaSala:
And did we even go to chip and pin? I think we went to chip and password.
Michael Engle:
Went to chip. Yeah. So at least it's not the mag stripe anymore. Well, 95% of the time. So the chip is very difficult to clone. And so overseas, you're seeing the use of a real biometric use more and more, right? Go to South Korea or Singapore. And I think we're going to see this get more popular as long as it's trusted, right? There was a whole bunch of issues with one of the big federal agencies and one of the providers that had challenges here because they didn't have the right disclosure, they didn't have the right privacy model around where the faces are stored. So if you store the face in a way that's safe, GDPR-compliant, for example, if that face is encrypted with a private key that's in control of the user and then you just use digital signatures to verify, then you're heading in the right direction. So I think we're going to see this get a lot more popular where it's not just touch ID or face ID and we'll see if I might-
Will LaSala:
I agree. I think when we see that live biometric, and this is again the difference between using the onboard biometric versus using the third party biometric because the onboarded touch ID, face ID or Google Touch or Samsung Fingerprint, a lot of those are just yes or nos. You're just simply saying yes to the application, the biometric risk performed. But you're not actually doing the true biometric behind it or capturing that in any way. And when you look at some of the way that we did the live ID here, you're actually creating a unique signature from that value, from that face value. So that gives you a little bit more assurances. And certainly if you do this, just as Mike was explaining, you meet the GDPR requirements and you're compliant, it gives you that level of assurance that's really necessary to move forward and to put trust there.
Michael Engle:
That's right. And so let's wrap up with a little bit of FIDO, right? Do you have any dogs?
Will LaSala:
I don't. I have cats and I don't name them FIDO.
Michael Engle:
Okay. Yeah, I guess not. So yeah, FIDO, for those that haven't heard of it and been living under a rock, it stands for Fast Identity Online. It's a nonprofit that started in 2013 and all the tech companies that are behind it in the beginning, Google, Microsoft, Apple, Yahoo, and 1Kosmos and OneSpan are both Phyto members for quite a while. And it's a way to authenticate without passwords. It's to migrate from a password experience to a passwordless one. So I have a very straightforward demo application here. This demo application was made by the FIDO Alliance and anybody can go try it out themselves. But what you want to do is get your existing user experience to go passwordless. And you do that by logging in and then just asking the user, would you like to go passwordless?
And you say, yes. It's really not that much to it. Now what happens here, I'm going to pause, is your local platform Authenticator pops up. And what I mean by local platform authenticator is it's the touch ID, face ID in your phone or your iPhone or Android. Or if you're on a laptop or a desktop, whatever it uses, so Microsoft uses Windows Hello, Mac uses Touch ID over there. And it links that experience then to the remote account. So this account that you see right here is ready for Passwordless. And on my next screen as I just simply click the authenticate button, it does that biometric one more time, gives the sign challenge response, and I'm staring at the application again.
So it is the future of consumer authentication. There's a lot of devil in the details. We specialize in making this really easy for merchants to embed into their platform. But Will, I'm sure you're as excited about this as I am because I'd love to use this on every website.
Will LaSala:
FIDO is excellent. It is the Phishing killer. It really is designed to get rid of passwords and really to kill Phishing in general. I think being a technical guy, I'll toss out the term that this is asymmetric keys. People don't understand that. But essentially what you need to know there is that as you're performing this authentication, it's actually the client that's generating these requests. And so unlike, and other ones where both the server and the client need to generate the same information and that same information has to be exchanged between them. Think of a password, if you're passing it over, that password has to match what's in the backend. That's what they call symmetric. FIDO is a little bit different than that and is more secure. And so I know that there's a lot of RFPs out there asking for asymmetric solutions, and FIDO really deals with that. And unless you look at how to implement Passwordless strong authentication with anti phishing built in.
Michael Engle:
Yeah. And there's a new component in FIDO that's being called passkey that allows you to use... It's hard to explain, but they'll store your credentials in a way that you can leverage them over and over again as well. So there used to be a challenge where if I got a new computer or a new phone, I'd have to go set up my FIDO authenticator again. And that's been mitigated with implementations on Passkey. So we'll see it get more and more popular over time.
Will LaSala:
Yeah. FIDO has grown up quite a bit. We started with using different hardware devices, different mobile solutions. But I think today, as people implement these solutions, you're going to find that FIDO is accepted in more places. It works better than more solutions, and ultimately it really does solve this problem.
Michael Engle:
Cool. Well, we are marching along nicely here. I'm going to wrap up with a summary that goes from this slide to where we land here. So we've taken those discrete components, proof of government documents, your biometrics matching, verify everything, and then enroll your private key. That's the identity and onboarding. And tie that together with the user authentication, which makes your fraud much easier. So we want these to get much tighter, makes the fraud, the signals that go into your fraud engine much stronger. So you're not just trying to say, it's an IP address that's bad, or something with their cookie looks a little off. But hey, I know with a very high level of assurance that this is the same person that opened the account. And so we're trying to get from those siloed octagons into something that is much more tighter and cohesive. And, Will, I think you guys offer a platform that we partner up with quite nicely to solve a lot of these problems?
Will LaSala:
Yeah, absolutely. Yeah. The ones been Transaction identity solution, our transaction cloud solution really allows you to quickly and easy implement all of these. So it's a bunch of rest APIs that really tie in the authentication mechanisms and start to deal with some of these risk profiles. So as you're looking at how you're dealing with risk or what your risk is on certain types of transactions or even on different types of agreements. So a lot of what ones span looks at today is where the agreements are and what you're trying to do in those agreements. So yes, it's certainly about the login and onboarding, but ultimately you're going to create a transaction. That's what those demos were showing. And what does that transaction look like? What does that agreement look like? What's the risk that you're associated with that? And how do I properly authenticate and prove my identity in that? And that's certainly what the OneSpan Transaction Cloud does.
Michael Engle:
Awesome. I'll take two. So let's just wrap it up. We've got a couple of events coming up that both OneSpan and 1Kosmos will be at. So because we're identity all the time, we'll be at GartnerIAM coming up on March 20th. So look for us there. And we've got a couple of webinars coming up. You can see them on our website on both 1Kosmos and the OneSpan websites have some upcoming webinars as well.
All right. So with that, I think we've used up quite a bit of time here today. We'll call it a wrap. Will, are you going to be attending any of these shows coming up in the next couple of months?
Will LaSala:
Yeah, absolutely. So I'm speaking at a couple of events coming up, some events in Texas, and I'm hoping to make it at a couple of these events as well as we move through it. But my March is very busy right now. It's going to be full of stuff to do.
Michael Engle:
Exactly. But we'll be all shopping for holiday presents before we know it, so we'll just enjoy it while it's here.
Will LaSala:
Exactly.
Michael Engle:
Awesome. Will, thank you so much for joining. For everybody who attended, thank you. And this will be sent out to everybody who registered and couldn't make it because of crazy calendars. So any questions, feel free to reach out. Both Will and I are accessible via this thing called e-mail. And feel free to reach out with any questions. So Will, thank you so much for joining.
Will LaSala:
Yeah, absolutely, Mike. Thank you so much for having me. Hopefully everybody got everything they needed out of this. I think we talked a lot about ease of use and security and tying your identity in there. I hope you all really enjoyed this. Please feel free to reach out.
Michael Engle:
Thank you. Let's do it again soon.
Will LaSala:
Absolutely.
Michael Engle:
Bye-bye.
Will LaSala:
Bye.
All right. I think we are about one minute past. Let's jump in and get gone here. So thanks everybody for joining. We're live today on Zoom and LinkedIn, I believe. I'm joined today by Will LaSala from OneSpan. Will, if you could just introduce yourself and say hi, and let everybody know what you do for a living.
Will LaSala:
Yeah, absolutely. Thank you very much, Mike, for having us. I'm Will LaSala, I'm with OneSpan. I'm the field CTO for the Americas. Been with OneSpan for about 20 years. I've been working in cybersecurity for about 25 years, so I've seen quite a few different things and worked with many different large applications as they implement digital fraud strategies and solutions.
Michael Engle:
Excellent. Yeah, 20 years with one company. Impressive. It must be a good company to work for, I'll say that.
Will LaSala:
Absolutely. They've been good to us.
Michael Engle:
Yeah. Yeah, you don't see that anymore. Right? And as I mentioned, my name is Mike Engel, co-founder and head of strategy here at 1Kosmos. Similar to Will, all my career in InfoSec, focusing on just digital identity since 2018. And looking forward to our discussion today. And we're here today to talk about... Let me just go back to the intro slide here, modernizing customer onboarding. We're going to talk about account takeover, synthetic identity, but really, just figuring out a way to prove who it is at the other end of a connection so that we can make better decisions and side product will be better user experiences.
We're going to talk a little bit about the problem statement, show you some technologies that are fresh and new and see if anybody has any questions. I've got a couple of people on standby to answer questions. Just paste them into the chat and we'll take care of them as they come up. And we'll have a little bit of Q&A here at the end as well.
So kicking it off, when you and I were growing up, Will, right? We both have the gray hair to tell old time stories, right? Walking uphill to school both ways and the snow things.
Will LaSala:
Absolutely.
Michael Engle:
But you remember when we got started, Stateful firewalls came out. I'm going way back. And we created the perimeter, we created the firewalls, and then we sprinkled some antivirus around some endpoint protection. We tried to keep people out of the core. As we all know, the cloud and SaaS applications and all that have destroyed that model. And so the hackers aren't hacking in any more like they used to back when I was a kid, the viruses and worms would come in, they'd decimate your environment and that's what we used to protect against.
But today they don't need to do that stuff anymore. You still have your instances of solar, winds and things, but there are rarity. Today, the bad guys log in. And some pretty amazing stats are out there on how bad this problem is. But from the latest Verizon, DBIR, the data breach investigations report, and there's a high number in the eighties, 81% of all breaches today are compromised because of what's called the human element. And that typically means I've given up a username or password or it's been coerced or fished or whatever. And in your capacity as the guy over there at one span, I'm sure not only are you being asked to solve this a lot, but you're seeing these problems impact your customers quite a bit, right, Will?
Will LaSala:
Yeah, absolutely. It does date back to the days when we tried to protect all of our stuff. In the financial vertical, there was this FIC guidance back in 2006 or 2004, and at that time we knew it was a problem. Everybody was getting fished. There were all of these ways to harvest those passwords, but it was really, again, the passwords were just simply that everybody's using static credentials. Today, those static credentials, instead of getting into a network or into an area, you're using those same credentials to get into applications outside your network. And that is the easiest way to get into them. So instead of a hacker trying to get through and find some type of backdoor or something, a problem in the software, just using a username and password, those are 100% the most common things you see out there.
Black market, they're still sold. Millions of these credentials are sold and bought every day. I think I read something about even in mobile hacks that you know can buy mobile username and passwords that log you into applications and those are being sold maybe a hundred dollars or username and password. So there it's big business and it's not just about hacking the app and trying to find some really technical hack to get into there. I just have to listen to what that user's typing and then hijack it and get into the application.
Michael Engle:
Yeah. And there's so many ways to do it now. That's exactly right. You could guess the username and password, right? Because people reuse the same ones. So I'm sure every one of my family members is guilty of that. They use the same password.
Will LaSala:
How many people use the word password, right?
Michael Engle:
Yeah, hopefully it's not that bad, but probably is. Or you coerce it out of the person, call them up and ask him for it. It's so common. And we're going to talk about that with a specific example here in just a minute. That just happened to my family 10 days ago, so that'll be fun. So yeah, we know that credentials are the problem. A lack of real identity is what we're here today to talk about and how we can augment and strengthen that. So just a couple of scary numbers. Every webinar has to have some scary numbers. And this is from our friends over at Oliver Wyman. They put together this research, and I was really staggered to see how much synthetic identity has overtaken account takeover. So synthetic identity, very rough definition, is the bad actors creating an account at a bank, for example, that doesn't exist or it partially exists, but they're tweaking it to get past the KYC checks.
And I think it really accelerated because of COVID. This has become one of the primary ways. And what they'll do is create an account, John Smith, maybe make an address that's very common, and the birthdate that goes with another John Smith, et cetera. They'll build up a little bit of credit. And then you can see these numbers here on the top left in this pie chart where they will build up, say $50,000 of credit over time, and then they do what's called busting out. They will rack up $90,000 worth of charges and then that account is gone. You're never going to see them again. And they're very patient in doing this. It may take them weeks, months, years sometimes to really... But they do it at scale.
Account takeover is much different. That is where like we were just talking about. And the real difference here to the end user is your typical consumer doesn't care about synthetic identity. It doesn't impact them directly, unless the synthetic identity is made in a way that affects my credit file. So if somebody creates a fake Mike Engle, that lives maybe at an address next to mine, then it doesn't impact me. It impacts the banks heavily. You see $20 billion just last year alone. And so we're going to talk about some ways to strengthen this and not just about usernames and passwords.
Will LaSala:
Yeah, I think when you look at synthetic identity, one of the things that we have to think about is all of those breaches that were really public, all the PII you got from all of these breaches, we all thought, "Oh, they're going to steal our identities. They're going to come in and do account takeovers and use those identities, use the information that they sold to take over those accounts." Reality is that they took all that PII data and started to create random users that look so realistic. They fool all of these systems that are in place. And so that synthetic identity, we saw it really in the pandemic, it made big headlines where you had people pretending to be other people so they could claim the tax credits and they could claim all of these benefits that were being given out because of COVID.
And those were just synthetic identities, people just creating identities that could capitalize on this. Account takeover fraud though, that's been around for... That is phishing. That's where we see everything. That's certainly the big boy in the room because just so many of those accounts, we've been fighting this for years now, but there's so many passwords. I don't know how many people use a password manager, but if you go in there and you're getting an alert that, hey, you've got 500 accounts and you haven't changed your password, they're all probably been phished at this point. So it's really dangerous as you go into it.
Michael Engle:
Yeah. So the dark web is what's fueling both of these buckets of attacks as well. So we'll talk more about the dark web here as we get into the fraud story that I'm going to tell. But first, we're going to ask two polling questions today. So I'm going to ask Maureen, our MC here to pop up a question for the audience. And we're going to talk a little bit today about biometrics because biometrics would is one way that you can prevent some of the attacks that we're talking about here today. Oops, next question. Yeah, that was the wrong question. Don't press that button. There we go. Do you use biometrics today in what you do either as a consumer or in your organization?
Will LaSala:
That's a great question. There all different levels of biometrics. So are they really using it, are they not? It's certainly one of those things.
Michael Engle:
Well, not just that, there's two types of biometrics that we'll talk about. There's what's on your device, what Apple and Google give you, touch ID, face ID, or Microsoft with windows hello. And that's not linking you back to a real world identity.
Will LaSala:
Exactly.
Michael Engle:
Right. So then there's real biometrics and we'll give you an example of that here in just a minute.
Will LaSala:
Yeah, I think that's the whole thing. So people think I'm using biometrics, I use touch ID, it's like okay, kind of. But you got to really dig into what that actually means and see where your identity really is.
Michael Engle:
Yeah, they're used as a strong authenticator more often than a strong identifier, and that's where we'll differentiate between those in just a minute. So thank you for that. We had about two thirds of the respondents say they are using some form of biometrics today, so that's great. Thank you for answering. And all of these results will be shared with everybody who signed up after the webinar's over. So here's my own family fraud story that happened 10 days ago and it happens to be with Zelle, which has been in the news a lot lately. So for our overseas visitors, Zelle is a peer-to-peer payment tool here in the US that allows you to send money between two banking customers at different banks. So Chase bank customer says, "I want to Zelle money over to somebody at Goldman Sachs," or whatever it would be. And the reason this is really important for them is because it bypasses the third parties like PayPal or using wires and ACH and all those legacy antiquated models.
It's very powerful. However, the bad actors has figured out how to use this to their advantage. And so, one of my family members received a request that looks like this in their Zelle app. So up popped up their banking application that said, "This person is requesting..." Well, we're not really sure what it says. It says I'm requesting $3,500, but then it says credit reversal. And I have some of this blurred out because this is actually a real victim that's also a victim in this crime. And this credit reversal is what's confusing.
So she gets this pop-up on her phone inside of her trusted banking application. 30 seconds later, she gets a call. And now you know what her bank is, I guess, I should have blurred this out too, but from Bank of America, from the real Bank of America phone number. And this person's on the phone saying, "Hello, Jane, we're calling from Bank of America fraud. Did you authorize $3,500 to leave your bank account?" And Jane says, ""Well, no, of course I didn't." All right, great. "Well, we just sent you a credit reversal, would you just press the button there and that money will be unwired?"
The reality obviously is what's happening is she's about to send the money. It hasn't been sent. That's part of the fraud. And you can see this was 10 days ago. And she was so close to pressing that send button on the left screen. She called me up and I said, drop your phone, flush it down the toilet. Do not press that button because it's really hard to get it back once you send it. And there's all kinds of lawsuits and a lot of bad PR around this stuff now. And she pressed no and declined the request. So lucky that. Very lucky because it'd be so easy to mitigate. But what goes through your mind on this, Will, as you see this one, two, three sequence of what happened?
Will LaSala:
Yeah, this is happening more and more today. I think we in the industry call this social engineering. It's basically attacking the human and then attacking our natural tendencies. So in a peer-to-peer type situation, the hacker is calling and preying on that you're going to believe what you see in front of you or what you're listening to on the phone. So they'll call you up and give you an urgent request or something that makes sense, a credit reversal. Even if you didn't make that payment, you might think, "Oh, I'm getting attacked by someone else, not the person that just called me." And the bank is trying to be helpful here. They're trying to tell me, "Oh, let's stop this before it happens." And luckily your family member here picked up the phone and called you. But most people don't have that option.
They don't have the security guy in their back pocket to call. And so they're releasing these. Yeah, okay, we've got Zelle up here, but it doesn't have to be. It can be any peer-to-peer, or it could just simply be a person calling on the phone. So think back to the static username and password. If someone calls me from my bank and says, "Hey, we've detected some fraud on your account. We want to go ahead and make certain that it's you. Could you go ahead and give me your password." Or generate that password and you read it over the phone to the person that you believe is the bank, well now that person has access to your account. They've the perpetrated an account takeover fraud just by asking you and you've given it to them. So it happens a lot and it's a very dangerous attack now that people really have to watch out for.
Michael Engle:
Yeah, this is a UX disaster. So many things could have been done by the banks here to mitigate this. So why not just at least have one more warning here that says, "Hey, you've never sent money to this person before." That's the first thing you could do. "Are you sure? This is a common fraud." You know what I mean? There's like 10 different things that could go on in the engagement with the recipient here of this message. The second is, why not have something verified that I know that this is actually this person issuing it? We're going to get into the identity side of this in just a minute. And of course, don't get me started on how easy it is to spoof a phone call. These are problems with the telcos that have been going on for, God, since phones have existed, right?
But it's still baffling that there's only three carriers in the US and her, Verizon or AT&T phone rang and this was allowed to happen. So I know it's getting better and there's spam and fraud checks. So I just thought this was pretty interesting real world story here that smacked me in the face.
So Will, let's talk about the definition of digital identity. Again, going back to our pre-gray hair days, when we thought about our identity and access management systems that we worked on 20 years ago, there's really only one option. Your identity remotely was verified by username and password. And going back just a little over 20 years ago, 2FA wasn't even really a thing. But what confusion do you see in the marketplace around the word identity? And I put some terms up here that often get associated with it.
Will LaSala:
Yeah. And that's the whole thing is that a lot of these terms are more... Well, some of these terms are really in the authentication of that identity. It might not be the identity itself. And even in these terms themselves, people are misusing a lot of these technologies. So like in 2FA, you often get just a single form of authentication. Maybe they're just using a one-time password, maybe that's generated by a mobile phone or something, but they're just using that one-time password. Well, if you're just using one that's not 2FA. And then the other things that you have in here that start to look at that authentication, people using SMS authentication and coming through non-secure channels, not being able to authenticate that identity. And so today digital identity is much more than that. It's also everything that is the context around how you perform those transactions and what you're doing in those transactions. So it becomes a much broader term. And as such, you get a lot more data points that you can use to help prove that identity and really verify the right identities being used for those transactions.
Michael Engle:
Yeah, exactly. And you said one term there that stuck with me. It's prove. How do you prove somebody's identity remotely? And it's no 100% just like there's no unhackable system, you try to do as best you can. But there are techniques now that we're going to talk about here today, and specifically the standards around identity. So now there's a bar that's been set of how you prove who somebody is remotely and how you use that proof over and over again.
And imagine if we liken this to the real world will where you get pulled over by a state trooper in your state and you roll down the window and the state trooper says, "All right, Will, what's your password?" And you say, "Password 123." And then he says, "Okay, I'm going to send you a 2FA code." And you get your phone, you read in the six digit code. And he says, "Okay, slow down. Here's your $50 ticket." It just wouldn't work. What do they do? They pull out a credential, they look at your face, they look at the face on the credential. And that's the way we've been doing it since the Safe Conduct Act of 1414 by King Henry V. Check out that research.
Will, let's reproduce what that happens in the real world, that physical world in the digital world. And the standards around that have been established since really going back to 2013 and 2017 when two really important standards evolved. The first is NIST 800-63-3. Now this is the government standard as per NIST that says how do you prove who somebody is remotely? And it involves getting a couple forms of identity verification and verifying them and then matching you to those documents. Very simple in concept. We do it all the time when we open bank accounts or go to the DMV or have other types of secure transactions. And then we have also that same standard tells you how to authenticate somebody. But then of course everybody knows about FIDO, and this is replacing passwords with cryptography, a public private key pair and a biometric.
And so when you put these together, you have a strong identity like proof that you're Will LaSala in the real world, and an authenticator to go along with it. We call this identity-based authentication. And we are one of the only companies that is certified for both of these. And the certifying bodies are Cantera for the NIST side, FIDO for the FIDO side, and iBeta for the biometrics. And there's a couple certifying bodies out there, but these are some of the more popular ones. And so I think in your business, Will, you've got some pretty strict requirements for NIST IAL2, right?
Will LaSala:
Yeah, absolutely. Depending upon the market that you're in, in the financial, especially in the healthcare sector and the government sector, your IAL levels, ratchet up quite a bit. And we didn't really talk about levels, but there are three levels for each of these missed requirements. And you might be able to satisfy maybe a level one with the way that you're looking at your authentication. But really what you're looking for is that level two in both the IAL and the AAL. And that's really the high confidence that the identity is actually the same one that's holding onto the authentication. So that's really where you want to tie those two really together and have a high confidence rate that those are together. And certainly, that's what we're looking at here and the solution. And as you get these certifications on these, that really helps us all understand where you are in that spectrum and what you're able to leverage those technologies for. So it's really important for all of these markets.
Michael Engle:
Yeah, no, thanks for that. And so let's round out the story and get into a little bit of demo here. So the way that identity and authentication had been done over since computers has really been very siloed. And you're seeing the analysts talk about the conversions of these things as being really important. So you onboard users, whether it's a new employee or a new customer or a new citizen for citizen benefits, whatever it is, and then you throw that effort away. Well, now because of modern technology and modern phones and laptops and all these things, you can link these together and create a strong framework.
And so we're going to show you how these all come together here next. But just double clicking a bit on this identity onboarding and showing a little bit of the water as we're drowning in it because we all went through this probably recently, is we still have these painful manual and fraud susceptible ways to onboard an account. Type in your info. This info is freely available in the dark web, not freely, but pretty much. And it's verified against data sources that have been compromised as well. So this is one of the reasons that synthetic identity is possible because it starts with this type of input.
Will LaSala:
And how many people are looking right now and trying to make your workflows easier? That's the name of the game that we've been hearing on the street from our customers is really that the customers want things easy, but you can't have easy if you can't verify that identity or approve that identity. So these forums with all this free information that can be gathered from anywhere to make these synthetic IDs, the forms themselves become a problem even from an ease of use standpoint.
Michael Engle:
Exactly. Yeah. If you make it easy, they'll love you and they'll use your service every day. Look at Amazon, it's like press a button, it shows up my doorstep five minutes later. We need the equivalent of that for the identity and authentication side. On the authentication side, we still deal with create a username, create a password. Oh my god, how many services are just rolling out one time codes to my e-mail or phone number? What are they trying to solve? It was like, I don't know, some really benign art website like enable your 2FA. Like, "No. Not the way you're having me do it." Because it doesn't buy you anything, if somebody has access to my e-mail. So yeah. This is frustrating.
Will LaSala:
A great example right here, take that recent post from Twitter from Elon Musk and them charging now for SMS authentication. Everybody was up in arms. Oh my God, why are you charging for two-factor through SMS? The reason that Twitter did that was because of the losses that they were experiencing from SMM. That was what his both said is that the amount of losses that they were experiencing with two-factor SMS authentication, the amount of support time that they were going in, SMS is very easily attacked. So they were pushing people to use a stronger form of two-factor authentication. Move into something that is much stronger to use. And they did it by simply attaching a price to it. But people should be wary of that.
SMS goes through this open communication in the clear. So anyone that wants to sit there and stand up their own tower, they can read all of the SMSs that go through it. And it's clear text, so it's easy for a attacker. A little bit different than your push notifications or your in-app. And those are all strong authentication and generally using cryptographic components. And there's even stronger as we get into FIDO and what you see there.
Michael Engle:
Yeah. At a minimum, this stuff has to go here. And unfortunately, they did a terrible job with the PR on this. They should have said, "Twitter's migrating to better 2FA," right?
Michael Engle:
People thought that they were charging for 2FA full stop. No, they were charging for SMSs. You can still use Google Authenticator and all that stuff, which to your point is much more secure because it's in your control. So yeah, that was unfortunate. And this is how Jack Dorsey's account was compromised four years ago, right?
Will LaSala:
Yes, that's right.
Michael Engle:
Yeah, that should be a lesson for everybody. So we're going to migrate out of this. And the way we do this is by combining identity proofing, which we'll show you here in just a minute on the next slide, and identity verification into one cohesive experience. And when you put these together, this is how in this 800-63-3 identity assurance level is obtained. You can give the users a credential as part of that process, which means you're addressing both the identity and the authentication side at the same time. And that is what we call passwordless. Passwordless without identity is just another form of authentication. It's stronger, but it still has inherent weaknesses. So again, as an identity guy, I'm sure this resonates with you, right, Will?
Will LaSala:
Absolutely. Tying your identity to your authentication can't be more important. We're seeing that everywhere. So you can think of there are many different forms of authentication. A lot of those are commoditized, meaning that you can get them from anywhere. There are a whole bunch of different options and open standards that are out there. But really being able to bring that identity and making certain that that's the correct identity associated with that authentication really helps in everything. Think about the ease of use alone. If you know that the next time that this person comes into your application that you're absolutely certain that this ID behind it because they have their ID associated with that authenticator, that opens up a world where you can offer more services, the ease of use of that becomes much, much better. And certainly, you're able to capitalize more on that, adding more services and offering more ways to do business digitally.
Michael Engle:
Yeah, exactly. And I think it's time to show, all right, not just tell.
Will LaSala:
Yeah, let's do it.
Michael Engle:
Let me run through a two-minute demonstration of a full digital onboarding experience, NIST AIL2 two certified. So the first step in any account creation process for consumer facing applications, at least not necessarily for your workforce, but it's just collect and verify an e-mail and a phone number. There's a hundred ways to do that. We have an API call to do these things. It's very straightforward. So we don't show that here. But typically, you're sending them a link to verify their possession of an e-mail and make them verify the phone number in a similar way. Now the second part is to enable, we've talked about those different types of biometrics. So let's enable touch ID and face ID. This is a one-touch operation.
That's it. We do this billions of times a day as humans, because every smartphone supports this today. And what that does is creates a strong authenticator link to the device. Now, it's not linked to any identity yet, but it is a strong way for you to do that same thing over and over again that's very difficult for somebody else to get their hands on. So that's a factor. It's really something you have that's with you, including something you are.
Now let's verify the actual real world identity. So for most healthcare or banking, crypto, Neobank type applications, you have to verify their government information and their credit information. So we start with an SSN. This unfortunately is still needed because people have to pay taxes and it's what the government uses. So we ask for this and we'll verify this with the credit bureaus. Then we'll verify their government documents. So this example is the front and back of the driver's license.
The front and the back are done in a similar fashion using our high-res camera. And that's it. The camera does the work. The web interface will guide the user through it, handle things like reflective lighting and are you holding it too close or too far? Guide them through that. In real time, all the overt security features are verified and there's literally hundreds of checks that are done, the size and shape of the document, do the millimeters here match the other edge? Is the photo in the right place? Are the fonts right? Is there any tape on the photo? Does something look a little off, on and on? And at the same time, my photo and all the data is extracted and put into my own wallet. I haven't given it to anybody yet. It's a really important privacy design consideration. So we've got the government data and now we'll match it to a live selfie. Very straightforward process.
Again, right distance, right lighting. And now that is matched to the photo on the driver's license. It passes? You continue. The data is extracted and verified. In this example, we're checking the driver's license number with AAMVA, which is the DMV aggregator, which works with the DMVs across the United States. So driver's license is valid, not marked as lost or stolen. And lastly, we take that SSN and the data on the driver's license and check it with the credit bureaus. Does Mike Engel live at the address on that driver's license? So those checks together give you a very high level of assurance. And if you compare that experience to typing in 30 fields next, next, next. Sorry, you mis-typo'd on your address or your state. It's much better. And of course it's much more secure for the issuing bank or whatever it is.
Will LaSala:
I think the one thing that you look at here, so it took us three minutes to explain this, but most of the time when a customer's doing this, this is very quick, it's usually under a minute, and there are already real world examples of this happening out there. Oftentimes as you step through this, you're then ending up with this strong credential that is tied to your identity. And so next time you come in, you're not going to step through all of this. You're just going to authenticate. And the user's going to know because they're doing this strong authentication mechanism that the identity is coming with them and so that they're sharing their identity, whatever they do, their authentication mechanism because they step through this first in getting those.
Michael Engle:
Right. Delight your customers. That's right. So Maureen, if you could pop up that other polling question. This one's really about does your organization already do some digital onboarding for employees or customers today? Do you link your account origination with your authentication today at any time? And we're going to show you some FIDO stuff next. So it's related. So pick one.
Will LaSala:
It's always interesting. I think a lot of people are still dealing with just the onboarding mechanisms itself. Authentication really previous to digital transformation was really just about, "Okay, how do I get an authentication into the user's hands?" If I needed to do strong authentication, maybe that was a hardware device that I was shipping out. And the amount of time that it took me to get from when the user signed up to when they got the hardware device, maybe I could get it overnight to them. But now with everything moving digital, there's still hardware tokens out there, but it's really a lot more about software and how quickly you can get them onboarded. You don't want to let them do it for more than a minute. That would be uncalled-for. People would jump off the ship and move on to the next application out there because there's always the next application. So really doing it quickly, easily, and more secure. I think that's what we're looking for.
Michael Engle:
Yeah, I've changed banks because I just can't handle the 2FA process. They pop up five times in a four-minute exchange where I'm trying to set up a new wire. I'm like, "I can't take it anymore." So I'm sure I'm not the only one. Thanks for doing that, Maureen. Just quick glance at the numbers, about quarter of the respondents aren't sure, maybe our question could have been worded a little better. But we have half that said that their processes are linked to some degree, which doesn't surprise me. The topic of this webinar will attract people into identity that might be thinking about this stuff. And 5% say they're very tightly integrated. So kudos to those that have gotten to that point in the process. All right, so we've onboarded an identity. Now what do we do with it? How can we leverage that strong identity to make transactions, which is why we're online, we're trying to transact.
And so let's run through identity-based authentication and practice. This will be not only using those device biometrics that we spoke about, touch ID, face ID in a modern way, but real biometrics. So let's leverage that live ID, that live selfie that I enrolled to verify against my driver's license to prove that I'm allowed to wire a hundred thousand dollars or allowed to request Zelle money from somebody I've never done before. Wouldn't that be great? So we'll start off with a very straightforward yet modern authentication experience, which is a QR code. And because of COVID, again, almost everybody's familiar with whipping out their phone and scanning a QR code to read a menu. But what that is it's a secure way to engage with a remote service where you can set up a trusted connection between two parties. And so if your bank account, your banking log on has login with QR code, you get out your trusted authenticator and you scan it, you do your touch ID, face ID, and you're staring at the downstream application. It's that simple.
Now there's a couple other ways we could engage. So let's say now we go to move a little bit of money here, and in this example it's going to be... I think I have to press next. Yeah. We're going to ask for face ID one more time to do a transaction. So in this example, we're going to put the dollar amount to something that requires a second knock. All right, so we reach out to that strong mobile authenticator and just say yes or no. Face ID, and we've just wired money or Zelle'd it or whatever it is. Okay?
Third level, and this is getting more into zero trust. This works really well in the workforce when you need to know who somebody is before they log in as route to your infrastructure. But imagine if your bank, Will, would allow you to do this before you added a new payee. And you only had to do this thing once during this session. Instead of being asked five times like I was just complaining about. So in this example, I'm going to wire a hundred thousand dollars or add a new routing number and the bank says, I really want to know it's you on the other end of the line. Would you just look into the camera please? That's it. A thousand times better than fetching a 2FA code for so many reasons. And the transaction's been done. That's what we refer to as identity based because it's linked back to the real world identity.
Will LaSala:
Looking at how each one of these was a different level of risk you're looking at, and as our banks look at this, they looked at each one of these risk factors. And up until now it's been blanketed, right? You're like, "Okay, hit you with another SMS, hit you with another SMS. Here you go five times to do this." And honestly, you're wiring a hundred thousand dollars and SMS is okay to do that? That step up where you need to look at the person, see that face and perform that biometric, that face recognition, that's really what you should be doing if you're trying to move this much money. It really puts that level of assurance where, "Yeah, okay, that is actually the person that we believe it to be that's going to perform this transaction." And that's really where it comes down to the different levels of insurance and putting in the right level for the right risk level that you have.
Michael Engle:
Yeah. And we talk about this real biometrics, they're more popular overseas. The US, we're typically five, 10 years behind the rest of the world in adoption of technologies. For example, how long did it take us to go to chip and pin on credit cards? Europe had been doing it for 10 years and like, "What are you morons doing over there?"
Will LaSala:
And did we even go to chip and pin? I think we went to chip and password.
Michael Engle:
Went to chip. Yeah. So at least it's not the mag stripe anymore. Well, 95% of the time. So the chip is very difficult to clone. And so overseas, you're seeing the use of a real biometric use more and more, right? Go to South Korea or Singapore. And I think we're going to see this get more popular as long as it's trusted, right? There was a whole bunch of issues with one of the big federal agencies and one of the providers that had challenges here because they didn't have the right disclosure, they didn't have the right privacy model around where the faces are stored. So if you store the face in a way that's safe, GDPR-compliant, for example, if that face is encrypted with a private key that's in control of the user and then you just use digital signatures to verify, then you're heading in the right direction. So I think we're going to see this get a lot more popular where it's not just touch ID or face ID and we'll see if I might-
Will LaSala:
I agree. I think when we see that live biometric, and this is again the difference between using the onboard biometric versus using the third party biometric because the onboarded touch ID, face ID or Google Touch or Samsung Fingerprint, a lot of those are just yes or nos. You're just simply saying yes to the application, the biometric risk performed. But you're not actually doing the true biometric behind it or capturing that in any way. And when you look at some of the way that we did the live ID here, you're actually creating a unique signature from that value, from that face value. So that gives you a little bit more assurances. And certainly if you do this, just as Mike was explaining, you meet the GDPR requirements and you're compliant, it gives you that level of assurance that's really necessary to move forward and to put trust there.
Michael Engle:
That's right. And so let's wrap up with a little bit of FIDO, right? Do you have any dogs?
Will LaSala:
I don't. I have cats and I don't name them FIDO.
Michael Engle:
Okay. Yeah, I guess not. So yeah, FIDO, for those that haven't heard of it and been living under a rock, it stands for Fast Identity Online. It's a nonprofit that started in 2013 and all the tech companies that are behind it in the beginning, Google, Microsoft, Apple, Yahoo, and 1Kosmos and OneSpan are both Phyto members for quite a while. And it's a way to authenticate without passwords. It's to migrate from a password experience to a passwordless one. So I have a very straightforward demo application here. This demo application was made by the FIDO Alliance and anybody can go try it out themselves. But what you want to do is get your existing user experience to go passwordless. And you do that by logging in and then just asking the user, would you like to go passwordless?
And you say, yes. It's really not that much to it. Now what happens here, I'm going to pause, is your local platform Authenticator pops up. And what I mean by local platform authenticator is it's the touch ID, face ID in your phone or your iPhone or Android. Or if you're on a laptop or a desktop, whatever it uses, so Microsoft uses Windows Hello, Mac uses Touch ID over there. And it links that experience then to the remote account. So this account that you see right here is ready for Passwordless. And on my next screen as I just simply click the authenticate button, it does that biometric one more time, gives the sign challenge response, and I'm staring at the application again.
So it is the future of consumer authentication. There's a lot of devil in the details. We specialize in making this really easy for merchants to embed into their platform. But Will, I'm sure you're as excited about this as I am because I'd love to use this on every website.
Will LaSala:
FIDO is excellent. It is the Phishing killer. It really is designed to get rid of passwords and really to kill Phishing in general. I think being a technical guy, I'll toss out the term that this is asymmetric keys. People don't understand that. But essentially what you need to know there is that as you're performing this authentication, it's actually the client that's generating these requests. And so unlike, and other ones where both the server and the client need to generate the same information and that same information has to be exchanged between them. Think of a password, if you're passing it over, that password has to match what's in the backend. That's what they call symmetric. FIDO is a little bit different than that and is more secure. And so I know that there's a lot of RFPs out there asking for asymmetric solutions, and FIDO really deals with that. And unless you look at how to implement Passwordless strong authentication with anti phishing built in.
Michael Engle:
Yeah. And there's a new component in FIDO that's being called passkey that allows you to use... It's hard to explain, but they'll store your credentials in a way that you can leverage them over and over again as well. So there used to be a challenge where if I got a new computer or a new phone, I'd have to go set up my FIDO authenticator again. And that's been mitigated with implementations on Passkey. So we'll see it get more and more popular over time.
Will LaSala:
Yeah. FIDO has grown up quite a bit. We started with using different hardware devices, different mobile solutions. But I think today, as people implement these solutions, you're going to find that FIDO is accepted in more places. It works better than more solutions, and ultimately it really does solve this problem.
Michael Engle:
Cool. Well, we are marching along nicely here. I'm going to wrap up with a summary that goes from this slide to where we land here. So we've taken those discrete components, proof of government documents, your biometrics matching, verify everything, and then enroll your private key. That's the identity and onboarding. And tie that together with the user authentication, which makes your fraud much easier. So we want these to get much tighter, makes the fraud, the signals that go into your fraud engine much stronger. So you're not just trying to say, it's an IP address that's bad, or something with their cookie looks a little off. But hey, I know with a very high level of assurance that this is the same person that opened the account. And so we're trying to get from those siloed octagons into something that is much more tighter and cohesive. And, Will, I think you guys offer a platform that we partner up with quite nicely to solve a lot of these problems?
Will LaSala:
Yeah, absolutely. Yeah. The ones been Transaction identity solution, our transaction cloud solution really allows you to quickly and easy implement all of these. So it's a bunch of rest APIs that really tie in the authentication mechanisms and start to deal with some of these risk profiles. So as you're looking at how you're dealing with risk or what your risk is on certain types of transactions or even on different types of agreements. So a lot of what ones span looks at today is where the agreements are and what you're trying to do in those agreements. So yes, it's certainly about the login and onboarding, but ultimately you're going to create a transaction. That's what those demos were showing. And what does that transaction look like? What does that agreement look like? What's the risk that you're associated with that? And how do I properly authenticate and prove my identity in that? And that's certainly what the OneSpan Transaction Cloud does.
Michael Engle:
Awesome. I'll take two. So let's just wrap it up. We've got a couple of events coming up that both OneSpan and 1Kosmos will be at. So because we're identity all the time, we'll be at GartnerIAM coming up on March 20th. So look for us there. And we've got a couple of webinars coming up. You can see them on our website on both 1Kosmos and the OneSpan websites have some upcoming webinars as well.
All right. So with that, I think we've used up quite a bit of time here today. We'll call it a wrap. Will, are you going to be attending any of these shows coming up in the next couple of months?
Will LaSala:
Yeah, absolutely. So I'm speaking at a couple of events coming up, some events in Texas, and I'm hoping to make it at a couple of these events as well as we move through it. But my March is very busy right now. It's going to be full of stuff to do.
Michael Engle:
Exactly. But we'll be all shopping for holiday presents before we know it, so we'll just enjoy it while it's here.
Will LaSala:
Exactly.
Michael Engle:
Awesome. Will, thank you so much for joining. For everybody who attended, thank you. And this will be sent out to everybody who registered and couldn't make it because of crazy calendars. So any questions, feel free to reach out. Both Will and I are accessible via this thing called e-mail. And feel free to reach out with any questions. So Will, thank you so much for joining.
Will LaSala:
Yeah, absolutely, Mike. Thank you so much for having me. Hopefully everybody got everything they needed out of this. I think we talked a lot about ease of use and security and tying your identity in there. I hope you all really enjoyed this. Please feel free to reach out.
Michael Engle:
Thank you. Let's do it again soon.
Will LaSala:
Absolutely.
Michael Engle:
Bye-bye.
Will LaSala:
Bye.