A Customer First Approach to Identity Based Authentication
Unlock On-Demand Webinar
Video Transcript
John Tolbert:
Hi. Welcome to today's webinar. I am John Tolbert, lead analyst here at KuppingerCole and our topic today is a customer-first approach to identity-based authentication, and I'm joined today by Mike Engle, a chief strategy officer at 1Kosmos. Welcome, Mike.
Mike Engle:
Thanks John. It's great to be here.
John Tolbert:
Welcome everyone, thanks for joining us. So a little bit about our next upcoming event before we really dig in here. We have the Cybersecurity Leadership Summit, which will be both hybrid and online and in Berlin on November 9th through the 11th, and we've got quite the agenda already. We have over 200 speakers lined up, more than 500 delegates, 15 exhibitors, and 90 sessions planned already and there will be lots of social events and unlimited networking opportunities. So again, that's November 9th through the 11th, our Cybersecurity Leadership Summit and hope you can join us.
So some logistic information before we begin. We control the audio, everybody's muted, so there's no need to mute or unmute yourself. We will be doing a couple of polls so we'll pause for about 30 seconds so that you can answer the polls and then we'll look at the results at the end. We'll also have Q&A at the end and there's a blank in the go-to webinar control panel where you can type in questions at any time and then we will look at those and answer those at the end, and then we will be recording the webinar and both the recording and the slides should be available in a day or two.
So I'm going to start off and talk about authentication options, the different kinds of solutions, the need for higher identity assurance and identity proofing, and then I will turn it over to Mike and like I said we'll do Q&A at the end.
So let's start with a poll. Has your organization suffered an attack that was caused by breached passwords? We won't show any personal information how it pertains but just the yes/no, we'll do the percentage results at the end.
Okay. So about those password breaches, and some authentication alternatives. So no doubt you all keep up with the news and you've seen ... It seems like day after day, week after week, more and more data breaches and what, 85% of the cases it's caused by passwords that have been compromised. Man, these are happening all over the world to critical infrastructure to vendors and the software supply chain, even security tools here are occasionally being victimized by this so everything from the power grid, election infrastructure, all sorts of things, and passwords, we have been saying for many, many years, we need to get rid of them. The technology is available now and many vendors and their customers are interested and willing to make the move to stronger and yet passwordless alternatives, and I think that's a great thing.
So let's talk about the options. KBA, knowledge-based authentication is the old security questions. This is a terrible method, let's just be honest. It's not really suitable for authentication, a lot of sites have used this historically for account recovery and that's even worse. A lot of the information that are asked in these questions is available online, if it's your high school team name or some of this information is so common, it really does not have any security value at all. And year after year, you look at the various data breach reports, we see passwords like I said are responsible for 80, 85% of all the ways into a company to steal data so passwords really, really need to go away. Then we have SMS OTP, getting texted the one-time password. That's probably the most common form that we see and I think a lot of people have gotten used to that. But that has its security problems too. It's susceptible to attacks, especially things like SIM swaps, where you can redirect that OTP to another device altogether. So SMS OTP really needs to be deprecated.
That leaves us with things like PKI certificates, you could put them in browsers, you can use them with hardware tokens or smart cards, and these are still great options for workforce use cases, but we don't really see and can't really anticipate that it's going to be a longterm solution for consumer-facing businesses and use cases. So that leaves us with things like mobile apps, which do offer a higher degree of security like SMS OTP if done properly and mobile biometrics. So this could be the built-in biometrics on phones and there are a number of third party biometric vendors out there with really good products too.
So we can also do risk-based consumer authentication, and here we're really considering four major categories that need to be evaluated at transaction time. So first off you have the subject user, you might want to find out what the identity assurance level is, how well they were proofed when the account was set up. That may have information associated with an email address, maybe a physical address, other linked accounts or linked devices, and if it's like a family situation, there may be delegations about who can use what device or who has access to the account and with what level of authority. The device can be an interesting and useful factor in risk-based consumer authentication, you can look at the device type, you can look at the device fingerprint, and by this we mean the set of attributes that makes the phone unique, not a fingerprint fingerprint.
The OS patch level, what apps the user may have installed, has it been jailbroken or rooted and then often you can add behavioral biometrics, which is measuring how a user interacts with a device, like with a phone it could be gyroscope information, touchscreen pressure. With a computer it would be keystrokes and how do you use a mouse. The network component is useful as well because it's not just IP address, but maybe WiFi hotspot history, where it's been used and what mobile networks it commonly has been found on. Then lastly we have user behavioral analysis. This can include geolocation, travel and possible travel, and if it's a financial transaction, you can look at things like is this a page to whom funds have been transferred before, is it a new page, does this fit within the pattern of normal user behavior, does the amount look normal, time and date for the transaction, does this make sense in the historical context? So all these things are really good things that can help mitigate the need to have an explicit authentication event on the part of the consumer every time they want to interact with a site.
And this is largely relevant to the enterprise or workforce authentication or B2B2C use cases too. Here we have the same four categories, user device network and UBA. Maybe some of the attributes might be different like in the case of the user, you have an issued credential, that users have probably been assigned roles, they probably have group attributes that allow them access, authorize them to specific kinds of files, applications, and other resources. On the device side, if it's a controlled environment, they probably have endpoint protection clients on their machines, unified endpoint management, clients on their machines and on the network side there maybe VPN information, a different set of IPs than the normal external IPs and then for UBA things like which files or other resources, applications do they normally access? So you see there are some similarities between the categories, just some of the attributes can change but risk-based authentication at the enterprise level can follow similar tactics.
So a little bit about FIDO authentication. FIDO is a standard, it's been around for probably seven or eight years now. FIDO2 is the latest iteration of that standard and it really bridges the gap between mobile and web. Original FIDO had the mobile, UAF, and U2F with the hard token components to it. FIDO2 kind of brings those together and makes it easier to bridge like I said from the mobile device to the web. Users can register and authenticate using their mobile devices and you can turn the phone into the second factor. You can get a code, you can use an application, and then the phone can be your second factor to your laptop or other computer device.
So it's beginning to have really good uptake. I mean Microsoft supports it, Windows 10 and Hello, Google has it and Android 7+ Samsung has a FIDO biometric certification in the S10 series of phones, and now really all the major browsers there support WebAuthn in the browser and looking at the FIDO-certified site, there have been more than 800 authenticators and servers certified against U2F, UAF and the 2.0 specifications, and they have additional certifications for security using things like GlobalPlatform Secure Elements or the trusted execution environment, and they also have a biometric certification which is great in that it can help provide some objectivity in looking at the false acceptance rate, false rejection rate for biometric authenticators. So that I think is a very, very useful thing to have.
So moving on to identity proofing, what is identity proofing? I like these definitions by NIST that come out of two different documents but verifying the claimed identity of an applicant by authenticating the identity source documents and the process by which a credential service provider collects, validates and verifies information about a person. So it really is about matching the claimant to whatever documentation they have that can help prove that that's who they are.
800-63-3 calls out three different levels of identity assurance. Level one is the lowest, there's no real requirement to link the identity to any specific real life person, so any attributes you get from that should be treated that way. It's just self-asserted. No real assurance there. Level two takes it up. You need some evidence that the real world person is associated with the digital identity that's being requested, the credential, and it introduces the need for either remote or some sort of physically present identity proofing. Level three, a physical presence is required, and you have to have trained representatives by the credential service provider. I see there was a draft out there for 63-4 and it may allow some remote supervised video options. In the EU, we have EINETS, and they have remote ID proofing guidelines that were published back in March and they have three levels too and they're somewhat similar. At the low level, self-registration in a web page, no real identity verification. You can use username and password. Again, no real assurance that the information that is provided at registration time is all that accurate, then the middle layer is substantial enrollment as performed by providing some verified identity information and then authenticating with both the user name, password and an OTP sent to the applicant's mobile phone and then you can do what they call a remote automatic and I'll get into that in a moment app-based and video identification options.
On the high side of eIDAS, levels of assurance, we have in-person verification, using a smartcard or a national ID card and there are now remote options that either includes some software-based applications, maybe on a phone for example, and video sessions as well.
So how remote automatic identity of verification happens? We'll look at the happy path assuming that we're going to go through a flow and this works, so the user applies for a credential, they download a remote identity verification app. This is an application that's been built by an IAM vendor or someone who's in the space that they can also provide an SDK so that a customer can take the SDK, write their own app, and use all the backend services to do the remote identity verification. Then as part of the process, you could take a selfie. The app needs to be able to perform liveness detection to ensure that the user is not holding up a picture to a phone or something else like that. It's looking to make sure that the user is actually present, and then the app can be used to scan ID documents both using OCR, optical character recognition, looking in the text let's say on a passport and NFC to read the chip and then assuming all this goes well then the credential can be issued.
So let's deconstruct the user journey a little bit here in light of this and I'm bringing this up into two major categories, I'm going to call it financial and non-financial. So on the first instance here with non-financial, a user approaches a site with a device, they can either register by typing in the information, they can use autofill from the browser, but that's often pretty messy. If you've ever sent a package somewhere, you wind up with more addresses saved in autofill than you ever need. A lot of CIM vendors have the notion of what they call progressive profiling so you can maybe collect an email address at the beginning and then you get to know the user more through subsequent interactions on the site, and then decentralized identities. You're essentially counting on somebody else who has issued the credential and done some of the identity proofing upfront and be able to federate that in. And then the device that the user brings to the registration event can be associated with that.
So this information can be used by the CIM system of the customer, they are probably using it for marketing analytics assuming consent has been captured properly, and then ID proofing might be optional in some cases like this. Again it depends on the nature of the use case. But on the financial side, most everything you see here is the same but there's going to be a need for strong identity assurance in most cases. So the user approaches either an online banking site or uses the mobile app. They associate the device, they type in the information or get the account created. The difference here before it can be used for transaction processing or used within the CIM system is you're going to have to do ID proofing because it's required for anti-money laundering and know your customer regulations. So how does this work? Well looking again at how eIDAS discussed options for video identification, you can do a web session with a trained representative of the bank. In this example, you can do the selfie match, the OCR and NFC document verification through the remote identity verification app. These are ways that you can satisfy the legal requirements and the increased identity assurance for these kinds of use cases.
To kind of put all this together, we have been doing research on fraud reduction technologies, identity proofing and vetting, I call that as a-number-one, one of the best ways to reduce account takeover fraud and new account synthetic fraud, along with things like credential intelligence, device intelligence, that user behavioral analysis that also gets factored into risk-based authentication decisions, as well as behavioral biometrics and then bot intelligence and bot management, and there are good bots that help get business done on the web and there are bad bots that do bad things like credential stuffing attacks, so you need to be able to include that as part of an overall fraud reduction strategy, but identity proofing and vetting I think are really some of the first things that you need to think about for reducing fraud overall and of course it's very important for identity assurance levels.
So let's take our second poll here. Has anybody ever used a remote identity verification app? And you'll pop up with a yes/no blank and we'll give you a few seconds to enter information there. Really curious to see if these have become as common as I think they are starting to.
Okay, and we'll take a look at the results of both of these at the end of the webinar here. So my last point is on the consumerization of IT, what do we mean by this? Specifically the consumerization of enterprise IT, we may be employees but we're also consumers. We have multiple facets to our lives, so as a consumer, we know what we like in terms of interactions with websites and we also know what we don't like. Most of us prefer mobile-based authenticators and biometrics for the convenience of it. It's much better than remembering 100 or 150 passwords and having changed them and if it's an infrequently used account then a lot of people just use the once a year account recovery mechanism so again if we know that there are ways that ... Some consumer-facing businesses are getting it right. So we want those more user-friendly experience when they're logging into work, and on the plus side for the enterprise administrators is that these fraud reduction techniques we're talking about that get used in consumer authentication scenarios are very useful in doing risk-based authentication for enterprise workforce logins too, and that remote identity verification app that we're talking about, well it's working just fine for onboarding new employees.
I mean this has been going on a lot throughout the pandemic, I mean I know a lot of people have started new jobs, never been to the office but they used a remote identity verification app and it can be used for I9 and other kinds of work eligibility requirement verification, so in addition to being a good way to do increased identity assurance for consumer use cases, remote onboarding for employees through these remote identity proofing apps is really going to be the way forward I think. So with that, I'd like to turn it over to Mike Engle from 1Kosmos.
Mike Engle:
Okay, let's get going. I'm covering a lot of the same topics as John, just with a kind of ... Some real world applications that I'll be getting into, and I just wanted to go over a couple of things. [inaudible 00:22:35] John had some housekeeping, I do as well. First is everybody really in the world is able to go try a lot of what I'll be showing you here today. Just go to our website, you'll see a button that says Experience BlockID, and it will walk you through getting the app and performing a passwordless experience, it will take you like two minutes and you can even go a step further after that. You'll see a subsequent screen that allows you to perform some identity proofing and perform a secondary action after that, so it's a lot of fun, it's safe, nothing is stored in our website and it will allow you to play around with it and do some of the things that I'll be doing here today, so check it out. I'd love your feedback on it.
We're also giving away a $50,000.00 software package, so with that, basically a random attendee from this webinar will be selected and if they are picked and they give consent, they accept the award, et cetera, then we'll be able to work with them to get this package started very quickly. So more to follow.
Let's jump in. I don't want to spend too much time on statistics about what's been going on in the industry. There's just so many out there, but John covered some of these, right? It's all over the headlines but there's some really new useful ones that came out. You might be able to use them in your discussions with management or part of your budget and justifications for the program.
These are statistics from the latest Verizon data breach investigations report. If you haven't seen it, it's like 115 pages long. It gets into every nuance of cybersecurity and breaches, and I've picked a couple of stats that are really relevant for this call that you'll appreciate.
The first one on the left is the fact that social engineering is the way that bad guys are getting credentials from people, and it makes sense, because humans, as you can see in the top right, are the weakest link in any system. 85% of breaches involve a human element. Two-thirds of those involve credentials. Of course we're here to talk about that today, and we all know how bad ransomware has gotten, it's very public and in everybody's face today. So if your C suite is not dialed into this, they will be soon. Even the board of directors now are engaged in these discussions, and just showing how these statistics impact from a real business perspective, so check out these numbers on the left. The range of business email compromise or BEC goes up to almost a million dollars. For one business email compromise and the average being around $100,000.00 each, and ransomware goes up to $1.1 million, so those are a large sampling. Here on the right, this is from The Lockton Group, they're cyber-insurance experts. These are truly staggering numbers. $5 million, average business interruption from ransomware because of credentials. So I'm not trying to fear, uncertainty and doubt anybody here, we get enough of that, but these are real meaningful statistics to help justify our actions to deploy programs like what I'll be showing you here today.
So talking about customer engagement, John really touched on this quite a bit, and I really enjoyed his knocking off of the secrets and some of the other legacy factors, right? We're still doing this today, filling out forms, 2FA. I can't believe how many websites are just moving to email and text codes now, right? It's disturbing. For fun, I went and signed up for a United Airlines account last week and I grabbed this screen. Like John said, they are forcing me to pick five secret questions, right? What was your shoe size when you were 12, this was my favorite one, when you were young, what did you want to be when you grew up and check out some of these answers. It is truly precious, right? How many people wanted to be a clown when they grew up? I wanted to be a rocket scientist, they didn't have that on the dropdown, so I had to move on to another question.
On the workforce side, it's just as bad. Companies are still requiring longer and more complex passwords in case the hashes get stolen. This is from Microsoft's July active directory documentation right on the website, and this just causes employees to get frustrated. We added a new button here on the authentication options, and all they do is increment a number on the end of their existing password. The credential has to go, and FIDO is the path towards that that I'll be talking about.
So John spoke a lot about NIST 800-63-3, he also spoke about FIDO. I'm going to show how putting them together is the right way to deal with customers and employees. So on the identity proofing side, I'm not going to belabor this too much because John really got into how that works. IAL, that's the identity assurance level that he touched on goes from range one through range three, you need multiple documents, and you need real biometrics to do it, and real biometrics is the key here.
Now when combined with FIDO authentication, it's a match made in heaven. Now you can prove who the person is, a strong-proofed identity, and without then requiring a username and password for them to access your systems in the future. Once they have enrolled with a high assurance level, you issue them the keys to prove that they had those credentials, they performed FIDO authentication, there's no longer any passwords in the process. But you can do it from day one, and with this real biometric, you're getting something that you call identity-based authentication. It's one of the principles of zero trust. I can prove cryptographically and with biometrics who you are every time you log into a Windows workstation, into a financial services website, by combining these two standards.
Key to this is any platform you adopt needs to be certified. There's two key certifications here. The Kantara Initiative certifies your NIST process and the FIDO Alliance certifies your FIDO authentication. You need a FIDO2 certified product for example.
So unfortunately, identity-proofing and user authentication have been siloed activity and continue to be for a lot of organizations. If you do not take a holistic view of these activities, you're introducing avoidable technical debt to your operation and your IAM platform. So an entire industry has popped up that do just this thing on the left, scan a document, take a selfie. After that, they throw it away. Now it's up to the authentication system to figure out who it is, and conversely, if you're just using a passwordless tool or a 2FA tool, you're not leveraging a proofed identity, and the way we do this is with cryptographic wallets, public-private key pairs combined with biometrics.
So the combination of these standards can revolutionize both workforce and customer IAM functions. So when do you do it? You don't want to scan everybody's driver's license when they come and access your systems, right? They'll run away, your employees will revolt, you've already proofed them. You've already proofed millions of financial accounts, employer accounts, government accounts. So for this population, we put them through a binding process instead of a proofing process. In essence, you're trading in their legacy credential, their password, 2FA, whatever, for a passwordless experience. When it's time, you proof them again. Documents expire, maybe there's a super high secure transaction and you're like, "I know this person gave me a driver's license five years ago but let me do it," and you can do it inline. You can do it with a rich app experience, it doesn't have to be a burden. So with a single process, you can bind their existing account via ... By scanning the QR code or just clicking a link. They're issued a private key, enroll their biometrics and they're done.
However for new employees or high value customers, you guide them through a self-enrollment process. You do this day one because you have to do it anyway. For financial accounts, you have to do it for AMLKYC. For employees and contractors sometimes, you have to prove who they are so you can pay taxes. So do it right. Proof them digitally, trade in their documents for a certificate and let them be passwordless from day one. They never need to know their username and password.
So in that proofing, John has already covered this, so again, I'm not going to drill into this too much, but there are a couple things you can do. So when you leverage the modern capabilities of your smartphones and computers, this onboarding process takes minutes instead of days. Everything is captured in real-time, the attributes are extracted and stored into a digital wallet, protected with that private key that I'm going to mention probably about a dozen times. Including scanning that NFC chip to get very high quality data, so within seconds, these documents are verified, the user's identity is a matched via a live selfie, and that same live selfie, the one that often gets thrown away for proofing, now becomes a strong authenticator. So you can feed this information directly into your IAM system for either a customer or an employee account. Best of all, if you're using a mobile app and have that rich relationship with a phone, you can get their location, verify their phone number in real-time, get session attributes, et cetera, and we don't treat employees and customers in the real world any differently. This process applies to any type of end user.
Now there's two ways you can handle your users, your end users today. You can do it with an app, and you can do it without an app, and John touched on this as well. Obviously if you can drive your users to use their own app or your customer app I mean, you'll have a much richer experience, better control of the session, you can work with the camera very specifically. But not all services have their own app, right? There's literally millions of websites out there that engage with the users via browser only. So for both of these populations, with an app and without an app, you can still go passwordless thanks to the FIDO WebAuthn standard that I'll be showing you here.
So real quickly, with an app-based digital wallet, you can guide the user step by step to either enroll their identity and be passwordless from day one or do that linking that I mentioned before, with the press of a button, a single click operation. So the way this works is the user is issued a private key, this is transparent to the user, and they enroll their biometrics. The most common type of biometrics would be your touch ID, face ID and whatever they call it and all the different Android worlds. But one of the advantages of having an app is you can use the camera and the microphone to do real face and voice matching, and this can be linked back to that NIST-enrolled digital identity. The use of a live biometric has to be done properly. That must be secured properly, this is where we at 1Kosmos use a private blockchain, keep that image completely encrypted and in control of the user at all times. They will present it to you and unlock it and share it with you when it's time. It's a real game-changer, and one of the key benefits of combining the proofing and the auth together.
If the user has a smart watch too, you have a very rich experience where at the tap of a button you can authorize transactions, depending on the value. And lastly, there's no need for any organization to develop all of these features themselves. ID proofing, FIDO servers, et cetera, they've already been done by companies like 1Kosmos, with one lightweight SDK instead of APIs. All of these features can be embedded in a single experience or presented as a turnkey application, so let the developers develop their business apps and let the identity enrollment and the authentication happen with this adopted framework.
So that's the app experience, and what do you do when you can't force your users to download an app? This is where FIDO WebAuthn comes into play. So this lets you leverage your device's native biometrics, right? It doesn't matter if it's a Mac or a Windows laptop or a Chromebook or a mobile phone with Safari, Firefox or Chrome, and that will store the private key. That becomes almost like the app itself, and it also uses the same ... The device's built-in biometrics to authorize transactions. The alternative without this technology is to send them a code, right? 20-year-old technology. So we use touch ID and face ID to unlock our phones 50 times a day, we've been doing it for years. Users are now trusting it, they like it. So why not use it for a rich web experience?
So now in one platform, you have something you have, a private key stored in TPM, very safe, and something you are, your device biometrics, and the passwordless industry is at an inflection point. This is starting to get into a lot of customers' websites now, and again, just like embedding ID proofing and passwordless into your existing app, you can leverage these features very easily by adopting the right FIDO2 provider. Take all the burden off of the IT and the development teams to do this. So FIDO-certified, developer-first, make sure that you're picking the right vendor here.
So John went through that kind of water flow. I'm going to show you a little more simple version of that that really dumbs it down to its least common denominator parts, and I'll be showing you this via a video I recorded this morning. The enrollment experience is really simple, the user accesses the system just like they do today. They're going to log in, right? It's the only way they can get in today, username, password, 2FA, et cetera. The app if they have one or the native computer, Windows, whatever, will prompt the user to go passwordless. Of course they say yes, they enroll their biometrics via the built-in system, and that's it. They're now enrolled and passwordless, they have the two factors. If the user was previously proofed, if you did that prior in their journey, they've now inherited that proof status, and again, you can proof them again when the time is right, when things expire. There's a lot of reverification needed in some countries for certain financial types of accounts.
Using this experience is really straightforward. An app experience is as simple as scanning a QR code on a screen. We're seeing some forward-leaning banks do that. You're even seeing it in places like if you log into Amazon on your Roku, scan a QR code from the Amazon app. The Amazon app trusts that you are who you are, and it makes this so simple. So you'll scan the app, you'll perform biometrics, either touch ID or live ID or real biometrics, and you're in in one second. On the non-app experience, it's similar. You prompt them, the device biometrics pop up, this is native Windows Hello example here on the left, or on the right, you can see how by scanning that QR code Safari pops up and takes over from there and allows you to go forward without passwords.
So let me show you how this works. Again, I've learned when and where to do live demos, so this is not the time. But again, a lot of this can be done on our website, so we'd be happy to show you how all this works at your leisure. So I'm going to go through a binding process on both Windows Workstation and on Safari on an IOS. So we'll start here by entering a username and a password. Now you could go on and do 2FA, you have to verify them, right? If you're not doing 2FA, you're asking for trouble. Let's convert this credential into a passwordless experience, so they are asked and they say yes.
Now there's two options here. You could say, and you'll guide them depending on the platform that they're logging in from. In this example, we give both options. So let's click on register this device's biometrics. I'm on a Windows workstation. You see, this is my Windows Hello popping up, right? Almost jumping through the browser in my face and saying, "Scan your face or your finger." My face ID kicks in, I say, okay, private key is then stored in the TPM of my Windows workstation, and I have linked with my biometrics. It's done, it took two seconds.
Now the logon experience is very simple. Simply type in a user name and you can even avoid that if there's a cookie on the machine and click login. Again, the Windows biometrics pops up. Here you can see, I have four types of biometrics on my Windows machine, I've got face fingerprint, a YubiKey and a PIN. I'm going back to face, I'm staring at my financial application. It took one second, did not have a password. This is available for billions of users today, and just rounding out and showing you what the experience would be like if they're using their mobile as the WebAuthn authenticator, again, type in the username and password for one last time, authenticate them and exchange that for a WebAuthn experience.
So this time, I'm going to launch the camera on the right, not an app. Dramatic pause for effect, okay? Scan this and now you see Safari popping up at the top. You've seen how QR codes work, right? Everybody in the pandemic has scanned a QR code menu. I say okay, Safari takes over, engages with the user to store the private key, face ID with the press of a button. My two credentials are stored, my private key, my biometrics are linked back to this service. Logging in, just as easy. Username, scan the QR code, passwordless, and you're staring at the application, and you're done. So again, there's some mechanics to this, right? How you walk the users through the journey is up to you, but let the key handling, the biometrics, the linking be done by these systems that now do it very well.
Now for a rich app experience, it is a little bit different. You don't have to worry about the device biometrics popping up. As I mentioned on our website, you can actually get to this demo yourself. So a consumer experience or workforce experience are as simple as ... I'll pop up my phone here, scanning a QR code. Now this will be me doing my live ID to get into this website. I said I wouldn't do a live demo but I did it anyway, and now I'm staring at my workforce applications. The exact same process, the exact same key cryptography and biometrics, work just fine for your customer experiences as well.
All right? So that's the end of my demo. I will simply wrap up with two things. There's a couple differences when you use an app-based versus appless and I figured I'd sum them up here. When you're in-app, you can do real biometrics, you can engage directly with the camera and the microphone in a very easy way, giving you a super high level of security for when you need it. It's perfect for verifying that the contractor you hired is the contractor that's sitting in that seat on day two, there's a huge problem with contractor [inaudible 00:42:51], right? An app allows you to do that. It also allows you to do some key backup and recovery, there's a TOFU issue with some experiences, trust on first use. When you're using an app, you can avoid that as well. Appless allows for these three very important things as well.
And finally, KuppingerCole has something they call their identity fabric. It's a wonderful, full comprehensive diagram that shows all the moving parts in an IAM stack. We're going to work with KuppingerCole, they don't know it yet, to embed identity-proofing and passwordless as its own discrete engine combined into that identity fabric. All right? So let's ask a user who they are. Let's onboard them for whatever experience is needed, and let's get rid of passwords as part of that. It's a service that should flow through to every downstream application, and then let your SSO gateways, your Azure ADs, [inaudible 00:43:46] et cetera go do what they do. They do SSO, let's let your applications not worry about the authentication anymore, and come in with true-proofed IAL2 identity.
And finally, and then back over to you John, we do have one other webinar coming up in a few weeks. It's more of a focus on passwordless experience linked back to how it's being embraced in the industry. So you'll see some more real-world examples of this and we'll be doing this with the IAT group. All right? So I thank everyone for their time. I think we're going to get into Q&A with John now. If anybody has questions, hopefully you've been putting them into the chat.
John Tolbert:
Yeah, before we get into the Q&A, why don't we take a look at our poll results. Let's see. So has your organization suffered an attack that was caused by password breaches? 24% said yes, 76% said no.
Mike Engle:
That's a lot of people that would even admit that, so that's still a scary number in my opinion.
John Tolbert:
Yeah. Okay, next. Let's see. Have you used a remote identity verification app? Yes, 72%. Wow, that's even better than I thought. No, 28%. So that's very interesting. Cool. I guess I'd like to even drill down, can't really do it now but drill down, figure out is it a workforce or consumer use case for which you've done the ...
Mike Engle:
Yeah. I mean anybody joining a company today, they would be in that bucket. But not many companies are doing it digitally yet for workforce but it's definitely ... It's required on the customer side, so you're seeing a lot of it there. Especially with crypto accounts. They're getting hit from every direction for this.
John Tolbert:
Yeah. Okay, well let's launch into the questions. So first question says, "I am experiencing MFA and passwordless authentication vendor fatigue. They all seem to offer similar things. What makes 1Kosmos stand out?"
Mike Engle:
Yeah no, that's a great question. The passwordless bandwagon is definitely full. A lot of people these days, a lot of companies. There's four things that I'll mention that makes us unique. One is we're the only company that's combined strong identity-proofing into the same platform. The only one. We're the only one that's Kantara-certified for identity-proofing. That is the international body for certification and FIDO-certified together. So as I mentioned you have these silos popping up and there's a thousand of them over here in passwordless-only, and there's dozens over here in identity-proofing only. They need to be put together. It's not just us saying that, it's the industry, it's analysts. So that's one reason.
The second is that use of live ID that you saw, that's not just passwordless tricks. That is proving the identity that I enrolled two weeks ago when I installed that app. That is a unique differentiator. You will not find others doing that. Of those thousand, there might be five that do that and then you have to ask where are they storing that live biometric? If it's in the phone only, you lose the phone, it's gone, and if it's stored in a centralized database that's not using blockchain for encryption, private blockchain, then who is protecting that? So that's the second big differentiator as well and the blockchain itself is the third, right? Provides an immutable log, an audit trail, and the fourth is just that we're incredibly developer-friendly, we're very open, right? Go to any of the competitors' websites and see if you can do a live demo. See if their API and SDK documents are online on their website. They're probably not.
John Tolbert:
Yeah. That sounds good. I think about passwordless, we do hear that a lot. In many cases, it becomes password fewer I would say. You enter it fewer times but there's still an underlying password credential that needs to be eventually gotten rid of. Next question is, "For non-app experienced users, what are some of the recovery options, what are some of the recovery options? Let's say the individual's computer is stolen and can't be recovered."
Mike Engle:
Yeah, that is a challenge with WebAuthn, and the FIDO Alliance is working towards, just like I said in my last response, introducing identity to the passwordless experience. So once you do that, there might be a mechanism where you can have key recovery as part of a WebAuthn experience. But you might have to fall back to other mechanisms in that scenario. So I don't know John if you've seen any elegant ways to handle that in a WebAuthn channel?
John Tolbert:
I guess there's no perfect solution, there's always multiple devices, multiple accounts that could be linked. There's always a potential for a weak link in that chain, but yeah. There are better approaches than others in this space. Let's see, good questions coming in. Keep them coming, feel free to type them in that go to webinar questions blank. Next one is, "Do you see 1Kosmos entering the world of self-sovereign identity with other verifiable credentials?"
Mike Engle:
Yeah, that's something I didn't touch on just for the sake of time, and that's really another big differentiator of our platform is it is built on W3C verifiable credentials and decentralized identity under the hood, and we're members of the Trust Over IP Foundation which is part of the Linux Foundation and very actively participate in all those standards. So when identity gets to that next stage of its evolution, identity becomes your own and it can go across industry, across country, right? W3C verifiable credentials are used for COVID vaccinations, education degrees, proof of employer, right? That stuff is built into the platform today, and it can be exposed when you're ready.
So let's say you're Bank One and you have a B2B relationship with Bank Two for custodial accounts or something. Don't go set up some heavy federated login. Instead, use a verifiable credential so they can prove who they are to each other. It is the future of identity according to a lot of people and we are ready for it, so again, standards, platform, et cetera come into play for that.
John Tolbert:
Okay, and what are the ways an app can be delivered to employees and customers for passwordless authentication?
Mike Engle:
Yes, well it's made so easy today by the app stores, right? So the experience you'll see on the live 1Kosmos page is just go get it from the store, one click, installed and done. User self-enrolls, it's verified behind the scenes. So that's the easiest way you can have your employees, contractors or customers do it that way. If you have an existing app already, you're doing an app update and just putting the SDK in there that now handles the public private key cryptography, the authentication, the biometrics if you need them, et cetera. So that's transparent to the user. They'll just get the features and you'll have to enable them with a press of a button. And also, any app can be delivered in an employer setting via the MDM, their mobile device management, so you can push the app down to them that way, that's very common.
John Tolbert:
Yep, and the app stores provide some security with application scanning and then in some cases I think it's a little bit more trustworthy than just downloading an app from another source. Let's see, next one. How do you handle account recovery?
Mike Engle:
Yeah, we touched on that on the WebAuthn side, right? There's not a strong solution there in the industry, right? Because that's a standards-based, so we really can't move out of the box too much on that. But in an app experience, we do have wallet recovery that involves a standard called BIP39. It's the same standard that is used to back up and recover your crypto wallets. So if you've ever done that experience, 12 word pneumonic phrase for example, that can be backed up and stored in a number of different ways. So that's the most common type. Then we also have some experience with multi-party computing to recover your private key and some ways to use your biometrics as a recovery mechanism as well. So a lot of options there. Especially when you get into more of an app experience.
John Tolbert:
Let's see, "How does this get applied to dozens of systems that employees use such as OSS and privileged account management systems?"
Mike Engle:
Yeah, that's a great question because in an enterprise, right? This isn't really a problem for a customer, a customer has one or two places they log in, so you handle them those two ways. On the enterprise, you need plugins, you need connectors and adapters. Many of them can be handled via federated authentication protocols, so SAML, OIDC for example where 1Kosmos becomes the IDP and gives a trusted proof digital identity into those systems. So that's just a configuration. It takes an hour or two, setting up secrets whatever to do that assertion. Then connectors into non-standard systems, Windows, Mac, Unix, et cetera. There's a lightweight plugin that goes in there, and that enables QR code, push messages, et cetera to work with the press of a button as well, and then there's custom adapters for lots of systems that need that. So remote access systems like Citrix and Zscaler, et cetera. It's a simple integration. We're in a lot of the marketplaces for connectors, into [inaudible 00:54:14] et cetera as well. So we've made that, we've reduced the friction to go passwordless across those dozens or hundreds of systems really to handle any situation.
John Tolbert:
And one more question here. "How many countries does the identity proofing work in and what types of documents does it support?"
Mike Engle:
Yeah, that's always a question, can you scan an Uzbekistan document, yes or no, right? But no, we have a very robust document scanning engine. We have coverage for over 150 countries and the document types vary country by country. So for example, in the Dominican Republic, we will scan ... It's called the national identity card, it's not a driver's license. The U.S., the standards are obviously driver's license which varies across 50 states and passports. So it varies country to country. The other thing is, when that process goes badly, sometimes you can't scan a document for some reason, it's an old photo or your document is mutilated. We have something called agent-assisted, so in that scenario, we can route the session to a live agent in a certified data center, and they can take over and give that kind of white glove approach to make sure that user gets onboarded properly.
John Tolbert:
Yep. That sounds great. There are many different document types and there's ICAO and non-ICAO passports. There's the eIDAS standard and like you said there's lots of different things in the U.S. and it's kind of a very fragmented thing. We see that there are in many cases country-specific identity proofing service providers and yeah, rolling those up into like a much larger CIAM service is something that can be very useful for companies that are dealing with consumers or employees from multiple countries, multiple regions around the world [inaudible 00:56:18] it's a complex thing that it would be great if it could be simplified but I don't see any easy ways for that particular piece of it for the near future.
Well with that, I'd like to thank everyone for attending and thanks for your participation on the polls and questions and thanks to Mike and 1Kosmos for helping out here. Any final comments Mike?
Mike Engle:
No. No, thanks for having me on. I enjoyed it. Our entire world is on our website. We don't hold anything back so please check us out. Thanks for your time as well John and let's do it again soon.
John Tolbert:
Great. Sounds good. Well thanks again everyone. Have a good rest of your day.
Mike Engle:
Take care.
Hi. Welcome to today's webinar. I am John Tolbert, lead analyst here at KuppingerCole and our topic today is a customer-first approach to identity-based authentication, and I'm joined today by Mike Engle, a chief strategy officer at 1Kosmos. Welcome, Mike.
Mike Engle:
Thanks John. It's great to be here.
John Tolbert:
Welcome everyone, thanks for joining us. So a little bit about our next upcoming event before we really dig in here. We have the Cybersecurity Leadership Summit, which will be both hybrid and online and in Berlin on November 9th through the 11th, and we've got quite the agenda already. We have over 200 speakers lined up, more than 500 delegates, 15 exhibitors, and 90 sessions planned already and there will be lots of social events and unlimited networking opportunities. So again, that's November 9th through the 11th, our Cybersecurity Leadership Summit and hope you can join us.
So some logistic information before we begin. We control the audio, everybody's muted, so there's no need to mute or unmute yourself. We will be doing a couple of polls so we'll pause for about 30 seconds so that you can answer the polls and then we'll look at the results at the end. We'll also have Q&A at the end and there's a blank in the go-to webinar control panel where you can type in questions at any time and then we will look at those and answer those at the end, and then we will be recording the webinar and both the recording and the slides should be available in a day or two.
So I'm going to start off and talk about authentication options, the different kinds of solutions, the need for higher identity assurance and identity proofing, and then I will turn it over to Mike and like I said we'll do Q&A at the end.
So let's start with a poll. Has your organization suffered an attack that was caused by breached passwords? We won't show any personal information how it pertains but just the yes/no, we'll do the percentage results at the end.
Okay. So about those password breaches, and some authentication alternatives. So no doubt you all keep up with the news and you've seen ... It seems like day after day, week after week, more and more data breaches and what, 85% of the cases it's caused by passwords that have been compromised. Man, these are happening all over the world to critical infrastructure to vendors and the software supply chain, even security tools here are occasionally being victimized by this so everything from the power grid, election infrastructure, all sorts of things, and passwords, we have been saying for many, many years, we need to get rid of them. The technology is available now and many vendors and their customers are interested and willing to make the move to stronger and yet passwordless alternatives, and I think that's a great thing.
So let's talk about the options. KBA, knowledge-based authentication is the old security questions. This is a terrible method, let's just be honest. It's not really suitable for authentication, a lot of sites have used this historically for account recovery and that's even worse. A lot of the information that are asked in these questions is available online, if it's your high school team name or some of this information is so common, it really does not have any security value at all. And year after year, you look at the various data breach reports, we see passwords like I said are responsible for 80, 85% of all the ways into a company to steal data so passwords really, really need to go away. Then we have SMS OTP, getting texted the one-time password. That's probably the most common form that we see and I think a lot of people have gotten used to that. But that has its security problems too. It's susceptible to attacks, especially things like SIM swaps, where you can redirect that OTP to another device altogether. So SMS OTP really needs to be deprecated.
That leaves us with things like PKI certificates, you could put them in browsers, you can use them with hardware tokens or smart cards, and these are still great options for workforce use cases, but we don't really see and can't really anticipate that it's going to be a longterm solution for consumer-facing businesses and use cases. So that leaves us with things like mobile apps, which do offer a higher degree of security like SMS OTP if done properly and mobile biometrics. So this could be the built-in biometrics on phones and there are a number of third party biometric vendors out there with really good products too.
So we can also do risk-based consumer authentication, and here we're really considering four major categories that need to be evaluated at transaction time. So first off you have the subject user, you might want to find out what the identity assurance level is, how well they were proofed when the account was set up. That may have information associated with an email address, maybe a physical address, other linked accounts or linked devices, and if it's like a family situation, there may be delegations about who can use what device or who has access to the account and with what level of authority. The device can be an interesting and useful factor in risk-based consumer authentication, you can look at the device type, you can look at the device fingerprint, and by this we mean the set of attributes that makes the phone unique, not a fingerprint fingerprint.
The OS patch level, what apps the user may have installed, has it been jailbroken or rooted and then often you can add behavioral biometrics, which is measuring how a user interacts with a device, like with a phone it could be gyroscope information, touchscreen pressure. With a computer it would be keystrokes and how do you use a mouse. The network component is useful as well because it's not just IP address, but maybe WiFi hotspot history, where it's been used and what mobile networks it commonly has been found on. Then lastly we have user behavioral analysis. This can include geolocation, travel and possible travel, and if it's a financial transaction, you can look at things like is this a page to whom funds have been transferred before, is it a new page, does this fit within the pattern of normal user behavior, does the amount look normal, time and date for the transaction, does this make sense in the historical context? So all these things are really good things that can help mitigate the need to have an explicit authentication event on the part of the consumer every time they want to interact with a site.
And this is largely relevant to the enterprise or workforce authentication or B2B2C use cases too. Here we have the same four categories, user device network and UBA. Maybe some of the attributes might be different like in the case of the user, you have an issued credential, that users have probably been assigned roles, they probably have group attributes that allow them access, authorize them to specific kinds of files, applications, and other resources. On the device side, if it's a controlled environment, they probably have endpoint protection clients on their machines, unified endpoint management, clients on their machines and on the network side there maybe VPN information, a different set of IPs than the normal external IPs and then for UBA things like which files or other resources, applications do they normally access? So you see there are some similarities between the categories, just some of the attributes can change but risk-based authentication at the enterprise level can follow similar tactics.
So a little bit about FIDO authentication. FIDO is a standard, it's been around for probably seven or eight years now. FIDO2 is the latest iteration of that standard and it really bridges the gap between mobile and web. Original FIDO had the mobile, UAF, and U2F with the hard token components to it. FIDO2 kind of brings those together and makes it easier to bridge like I said from the mobile device to the web. Users can register and authenticate using their mobile devices and you can turn the phone into the second factor. You can get a code, you can use an application, and then the phone can be your second factor to your laptop or other computer device.
So it's beginning to have really good uptake. I mean Microsoft supports it, Windows 10 and Hello, Google has it and Android 7+ Samsung has a FIDO biometric certification in the S10 series of phones, and now really all the major browsers there support WebAuthn in the browser and looking at the FIDO-certified site, there have been more than 800 authenticators and servers certified against U2F, UAF and the 2.0 specifications, and they have additional certifications for security using things like GlobalPlatform Secure Elements or the trusted execution environment, and they also have a biometric certification which is great in that it can help provide some objectivity in looking at the false acceptance rate, false rejection rate for biometric authenticators. So that I think is a very, very useful thing to have.
So moving on to identity proofing, what is identity proofing? I like these definitions by NIST that come out of two different documents but verifying the claimed identity of an applicant by authenticating the identity source documents and the process by which a credential service provider collects, validates and verifies information about a person. So it really is about matching the claimant to whatever documentation they have that can help prove that that's who they are.
800-63-3 calls out three different levels of identity assurance. Level one is the lowest, there's no real requirement to link the identity to any specific real life person, so any attributes you get from that should be treated that way. It's just self-asserted. No real assurance there. Level two takes it up. You need some evidence that the real world person is associated with the digital identity that's being requested, the credential, and it introduces the need for either remote or some sort of physically present identity proofing. Level three, a physical presence is required, and you have to have trained representatives by the credential service provider. I see there was a draft out there for 63-4 and it may allow some remote supervised video options. In the EU, we have EINETS, and they have remote ID proofing guidelines that were published back in March and they have three levels too and they're somewhat similar. At the low level, self-registration in a web page, no real identity verification. You can use username and password. Again, no real assurance that the information that is provided at registration time is all that accurate, then the middle layer is substantial enrollment as performed by providing some verified identity information and then authenticating with both the user name, password and an OTP sent to the applicant's mobile phone and then you can do what they call a remote automatic and I'll get into that in a moment app-based and video identification options.
On the high side of eIDAS, levels of assurance, we have in-person verification, using a smartcard or a national ID card and there are now remote options that either includes some software-based applications, maybe on a phone for example, and video sessions as well.
So how remote automatic identity of verification happens? We'll look at the happy path assuming that we're going to go through a flow and this works, so the user applies for a credential, they download a remote identity verification app. This is an application that's been built by an IAM vendor or someone who's in the space that they can also provide an SDK so that a customer can take the SDK, write their own app, and use all the backend services to do the remote identity verification. Then as part of the process, you could take a selfie. The app needs to be able to perform liveness detection to ensure that the user is not holding up a picture to a phone or something else like that. It's looking to make sure that the user is actually present, and then the app can be used to scan ID documents both using OCR, optical character recognition, looking in the text let's say on a passport and NFC to read the chip and then assuming all this goes well then the credential can be issued.
So let's deconstruct the user journey a little bit here in light of this and I'm bringing this up into two major categories, I'm going to call it financial and non-financial. So on the first instance here with non-financial, a user approaches a site with a device, they can either register by typing in the information, they can use autofill from the browser, but that's often pretty messy. If you've ever sent a package somewhere, you wind up with more addresses saved in autofill than you ever need. A lot of CIM vendors have the notion of what they call progressive profiling so you can maybe collect an email address at the beginning and then you get to know the user more through subsequent interactions on the site, and then decentralized identities. You're essentially counting on somebody else who has issued the credential and done some of the identity proofing upfront and be able to federate that in. And then the device that the user brings to the registration event can be associated with that.
So this information can be used by the CIM system of the customer, they are probably using it for marketing analytics assuming consent has been captured properly, and then ID proofing might be optional in some cases like this. Again it depends on the nature of the use case. But on the financial side, most everything you see here is the same but there's going to be a need for strong identity assurance in most cases. So the user approaches either an online banking site or uses the mobile app. They associate the device, they type in the information or get the account created. The difference here before it can be used for transaction processing or used within the CIM system is you're going to have to do ID proofing because it's required for anti-money laundering and know your customer regulations. So how does this work? Well looking again at how eIDAS discussed options for video identification, you can do a web session with a trained representative of the bank. In this example, you can do the selfie match, the OCR and NFC document verification through the remote identity verification app. These are ways that you can satisfy the legal requirements and the increased identity assurance for these kinds of use cases.
To kind of put all this together, we have been doing research on fraud reduction technologies, identity proofing and vetting, I call that as a-number-one, one of the best ways to reduce account takeover fraud and new account synthetic fraud, along with things like credential intelligence, device intelligence, that user behavioral analysis that also gets factored into risk-based authentication decisions, as well as behavioral biometrics and then bot intelligence and bot management, and there are good bots that help get business done on the web and there are bad bots that do bad things like credential stuffing attacks, so you need to be able to include that as part of an overall fraud reduction strategy, but identity proofing and vetting I think are really some of the first things that you need to think about for reducing fraud overall and of course it's very important for identity assurance levels.
So let's take our second poll here. Has anybody ever used a remote identity verification app? And you'll pop up with a yes/no blank and we'll give you a few seconds to enter information there. Really curious to see if these have become as common as I think they are starting to.
Okay, and we'll take a look at the results of both of these at the end of the webinar here. So my last point is on the consumerization of IT, what do we mean by this? Specifically the consumerization of enterprise IT, we may be employees but we're also consumers. We have multiple facets to our lives, so as a consumer, we know what we like in terms of interactions with websites and we also know what we don't like. Most of us prefer mobile-based authenticators and biometrics for the convenience of it. It's much better than remembering 100 or 150 passwords and having changed them and if it's an infrequently used account then a lot of people just use the once a year account recovery mechanism so again if we know that there are ways that ... Some consumer-facing businesses are getting it right. So we want those more user-friendly experience when they're logging into work, and on the plus side for the enterprise administrators is that these fraud reduction techniques we're talking about that get used in consumer authentication scenarios are very useful in doing risk-based authentication for enterprise workforce logins too, and that remote identity verification app that we're talking about, well it's working just fine for onboarding new employees.
I mean this has been going on a lot throughout the pandemic, I mean I know a lot of people have started new jobs, never been to the office but they used a remote identity verification app and it can be used for I9 and other kinds of work eligibility requirement verification, so in addition to being a good way to do increased identity assurance for consumer use cases, remote onboarding for employees through these remote identity proofing apps is really going to be the way forward I think. So with that, I'd like to turn it over to Mike Engle from 1Kosmos.
Mike Engle:
Okay, let's get going. I'm covering a lot of the same topics as John, just with a kind of ... Some real world applications that I'll be getting into, and I just wanted to go over a couple of things. [inaudible 00:22:35] John had some housekeeping, I do as well. First is everybody really in the world is able to go try a lot of what I'll be showing you here today. Just go to our website, you'll see a button that says Experience BlockID, and it will walk you through getting the app and performing a passwordless experience, it will take you like two minutes and you can even go a step further after that. You'll see a subsequent screen that allows you to perform some identity proofing and perform a secondary action after that, so it's a lot of fun, it's safe, nothing is stored in our website and it will allow you to play around with it and do some of the things that I'll be doing here today, so check it out. I'd love your feedback on it.
We're also giving away a $50,000.00 software package, so with that, basically a random attendee from this webinar will be selected and if they are picked and they give consent, they accept the award, et cetera, then we'll be able to work with them to get this package started very quickly. So more to follow.
Let's jump in. I don't want to spend too much time on statistics about what's been going on in the industry. There's just so many out there, but John covered some of these, right? It's all over the headlines but there's some really new useful ones that came out. You might be able to use them in your discussions with management or part of your budget and justifications for the program.
These are statistics from the latest Verizon data breach investigations report. If you haven't seen it, it's like 115 pages long. It gets into every nuance of cybersecurity and breaches, and I've picked a couple of stats that are really relevant for this call that you'll appreciate.
The first one on the left is the fact that social engineering is the way that bad guys are getting credentials from people, and it makes sense, because humans, as you can see in the top right, are the weakest link in any system. 85% of breaches involve a human element. Two-thirds of those involve credentials. Of course we're here to talk about that today, and we all know how bad ransomware has gotten, it's very public and in everybody's face today. So if your C suite is not dialed into this, they will be soon. Even the board of directors now are engaged in these discussions, and just showing how these statistics impact from a real business perspective, so check out these numbers on the left. The range of business email compromise or BEC goes up to almost a million dollars. For one business email compromise and the average being around $100,000.00 each, and ransomware goes up to $1.1 million, so those are a large sampling. Here on the right, this is from The Lockton Group, they're cyber-insurance experts. These are truly staggering numbers. $5 million, average business interruption from ransomware because of credentials. So I'm not trying to fear, uncertainty and doubt anybody here, we get enough of that, but these are real meaningful statistics to help justify our actions to deploy programs like what I'll be showing you here today.
So talking about customer engagement, John really touched on this quite a bit, and I really enjoyed his knocking off of the secrets and some of the other legacy factors, right? We're still doing this today, filling out forms, 2FA. I can't believe how many websites are just moving to email and text codes now, right? It's disturbing. For fun, I went and signed up for a United Airlines account last week and I grabbed this screen. Like John said, they are forcing me to pick five secret questions, right? What was your shoe size when you were 12, this was my favorite one, when you were young, what did you want to be when you grew up and check out some of these answers. It is truly precious, right? How many people wanted to be a clown when they grew up? I wanted to be a rocket scientist, they didn't have that on the dropdown, so I had to move on to another question.
On the workforce side, it's just as bad. Companies are still requiring longer and more complex passwords in case the hashes get stolen. This is from Microsoft's July active directory documentation right on the website, and this just causes employees to get frustrated. We added a new button here on the authentication options, and all they do is increment a number on the end of their existing password. The credential has to go, and FIDO is the path towards that that I'll be talking about.
So John spoke a lot about NIST 800-63-3, he also spoke about FIDO. I'm going to show how putting them together is the right way to deal with customers and employees. So on the identity proofing side, I'm not going to belabor this too much because John really got into how that works. IAL, that's the identity assurance level that he touched on goes from range one through range three, you need multiple documents, and you need real biometrics to do it, and real biometrics is the key here.
Now when combined with FIDO authentication, it's a match made in heaven. Now you can prove who the person is, a strong-proofed identity, and without then requiring a username and password for them to access your systems in the future. Once they have enrolled with a high assurance level, you issue them the keys to prove that they had those credentials, they performed FIDO authentication, there's no longer any passwords in the process. But you can do it from day one, and with this real biometric, you're getting something that you call identity-based authentication. It's one of the principles of zero trust. I can prove cryptographically and with biometrics who you are every time you log into a Windows workstation, into a financial services website, by combining these two standards.
Key to this is any platform you adopt needs to be certified. There's two key certifications here. The Kantara Initiative certifies your NIST process and the FIDO Alliance certifies your FIDO authentication. You need a FIDO2 certified product for example.
So unfortunately, identity-proofing and user authentication have been siloed activity and continue to be for a lot of organizations. If you do not take a holistic view of these activities, you're introducing avoidable technical debt to your operation and your IAM platform. So an entire industry has popped up that do just this thing on the left, scan a document, take a selfie. After that, they throw it away. Now it's up to the authentication system to figure out who it is, and conversely, if you're just using a passwordless tool or a 2FA tool, you're not leveraging a proofed identity, and the way we do this is with cryptographic wallets, public-private key pairs combined with biometrics.
So the combination of these standards can revolutionize both workforce and customer IAM functions. So when do you do it? You don't want to scan everybody's driver's license when they come and access your systems, right? They'll run away, your employees will revolt, you've already proofed them. You've already proofed millions of financial accounts, employer accounts, government accounts. So for this population, we put them through a binding process instead of a proofing process. In essence, you're trading in their legacy credential, their password, 2FA, whatever, for a passwordless experience. When it's time, you proof them again. Documents expire, maybe there's a super high secure transaction and you're like, "I know this person gave me a driver's license five years ago but let me do it," and you can do it inline. You can do it with a rich app experience, it doesn't have to be a burden. So with a single process, you can bind their existing account via ... By scanning the QR code or just clicking a link. They're issued a private key, enroll their biometrics and they're done.
However for new employees or high value customers, you guide them through a self-enrollment process. You do this day one because you have to do it anyway. For financial accounts, you have to do it for AMLKYC. For employees and contractors sometimes, you have to prove who they are so you can pay taxes. So do it right. Proof them digitally, trade in their documents for a certificate and let them be passwordless from day one. They never need to know their username and password.
So in that proofing, John has already covered this, so again, I'm not going to drill into this too much, but there are a couple things you can do. So when you leverage the modern capabilities of your smartphones and computers, this onboarding process takes minutes instead of days. Everything is captured in real-time, the attributes are extracted and stored into a digital wallet, protected with that private key that I'm going to mention probably about a dozen times. Including scanning that NFC chip to get very high quality data, so within seconds, these documents are verified, the user's identity is a matched via a live selfie, and that same live selfie, the one that often gets thrown away for proofing, now becomes a strong authenticator. So you can feed this information directly into your IAM system for either a customer or an employee account. Best of all, if you're using a mobile app and have that rich relationship with a phone, you can get their location, verify their phone number in real-time, get session attributes, et cetera, and we don't treat employees and customers in the real world any differently. This process applies to any type of end user.
Now there's two ways you can handle your users, your end users today. You can do it with an app, and you can do it without an app, and John touched on this as well. Obviously if you can drive your users to use their own app or your customer app I mean, you'll have a much richer experience, better control of the session, you can work with the camera very specifically. But not all services have their own app, right? There's literally millions of websites out there that engage with the users via browser only. So for both of these populations, with an app and without an app, you can still go passwordless thanks to the FIDO WebAuthn standard that I'll be showing you here.
So real quickly, with an app-based digital wallet, you can guide the user step by step to either enroll their identity and be passwordless from day one or do that linking that I mentioned before, with the press of a button, a single click operation. So the way this works is the user is issued a private key, this is transparent to the user, and they enroll their biometrics. The most common type of biometrics would be your touch ID, face ID and whatever they call it and all the different Android worlds. But one of the advantages of having an app is you can use the camera and the microphone to do real face and voice matching, and this can be linked back to that NIST-enrolled digital identity. The use of a live biometric has to be done properly. That must be secured properly, this is where we at 1Kosmos use a private blockchain, keep that image completely encrypted and in control of the user at all times. They will present it to you and unlock it and share it with you when it's time. It's a real game-changer, and one of the key benefits of combining the proofing and the auth together.
If the user has a smart watch too, you have a very rich experience where at the tap of a button you can authorize transactions, depending on the value. And lastly, there's no need for any organization to develop all of these features themselves. ID proofing, FIDO servers, et cetera, they've already been done by companies like 1Kosmos, with one lightweight SDK instead of APIs. All of these features can be embedded in a single experience or presented as a turnkey application, so let the developers develop their business apps and let the identity enrollment and the authentication happen with this adopted framework.
So that's the app experience, and what do you do when you can't force your users to download an app? This is where FIDO WebAuthn comes into play. So this lets you leverage your device's native biometrics, right? It doesn't matter if it's a Mac or a Windows laptop or a Chromebook or a mobile phone with Safari, Firefox or Chrome, and that will store the private key. That becomes almost like the app itself, and it also uses the same ... The device's built-in biometrics to authorize transactions. The alternative without this technology is to send them a code, right? 20-year-old technology. So we use touch ID and face ID to unlock our phones 50 times a day, we've been doing it for years. Users are now trusting it, they like it. So why not use it for a rich web experience?
So now in one platform, you have something you have, a private key stored in TPM, very safe, and something you are, your device biometrics, and the passwordless industry is at an inflection point. This is starting to get into a lot of customers' websites now, and again, just like embedding ID proofing and passwordless into your existing app, you can leverage these features very easily by adopting the right FIDO2 provider. Take all the burden off of the IT and the development teams to do this. So FIDO-certified, developer-first, make sure that you're picking the right vendor here.
So John went through that kind of water flow. I'm going to show you a little more simple version of that that really dumbs it down to its least common denominator parts, and I'll be showing you this via a video I recorded this morning. The enrollment experience is really simple, the user accesses the system just like they do today. They're going to log in, right? It's the only way they can get in today, username, password, 2FA, et cetera. The app if they have one or the native computer, Windows, whatever, will prompt the user to go passwordless. Of course they say yes, they enroll their biometrics via the built-in system, and that's it. They're now enrolled and passwordless, they have the two factors. If the user was previously proofed, if you did that prior in their journey, they've now inherited that proof status, and again, you can proof them again when the time is right, when things expire. There's a lot of reverification needed in some countries for certain financial types of accounts.
Using this experience is really straightforward. An app experience is as simple as scanning a QR code on a screen. We're seeing some forward-leaning banks do that. You're even seeing it in places like if you log into Amazon on your Roku, scan a QR code from the Amazon app. The Amazon app trusts that you are who you are, and it makes this so simple. So you'll scan the app, you'll perform biometrics, either touch ID or live ID or real biometrics, and you're in in one second. On the non-app experience, it's similar. You prompt them, the device biometrics pop up, this is native Windows Hello example here on the left, or on the right, you can see how by scanning that QR code Safari pops up and takes over from there and allows you to go forward without passwords.
So let me show you how this works. Again, I've learned when and where to do live demos, so this is not the time. But again, a lot of this can be done on our website, so we'd be happy to show you how all this works at your leisure. So I'm going to go through a binding process on both Windows Workstation and on Safari on an IOS. So we'll start here by entering a username and a password. Now you could go on and do 2FA, you have to verify them, right? If you're not doing 2FA, you're asking for trouble. Let's convert this credential into a passwordless experience, so they are asked and they say yes.
Now there's two options here. You could say, and you'll guide them depending on the platform that they're logging in from. In this example, we give both options. So let's click on register this device's biometrics. I'm on a Windows workstation. You see, this is my Windows Hello popping up, right? Almost jumping through the browser in my face and saying, "Scan your face or your finger." My face ID kicks in, I say, okay, private key is then stored in the TPM of my Windows workstation, and I have linked with my biometrics. It's done, it took two seconds.
Now the logon experience is very simple. Simply type in a user name and you can even avoid that if there's a cookie on the machine and click login. Again, the Windows biometrics pops up. Here you can see, I have four types of biometrics on my Windows machine, I've got face fingerprint, a YubiKey and a PIN. I'm going back to face, I'm staring at my financial application. It took one second, did not have a password. This is available for billions of users today, and just rounding out and showing you what the experience would be like if they're using their mobile as the WebAuthn authenticator, again, type in the username and password for one last time, authenticate them and exchange that for a WebAuthn experience.
So this time, I'm going to launch the camera on the right, not an app. Dramatic pause for effect, okay? Scan this and now you see Safari popping up at the top. You've seen how QR codes work, right? Everybody in the pandemic has scanned a QR code menu. I say okay, Safari takes over, engages with the user to store the private key, face ID with the press of a button. My two credentials are stored, my private key, my biometrics are linked back to this service. Logging in, just as easy. Username, scan the QR code, passwordless, and you're staring at the application, and you're done. So again, there's some mechanics to this, right? How you walk the users through the journey is up to you, but let the key handling, the biometrics, the linking be done by these systems that now do it very well.
Now for a rich app experience, it is a little bit different. You don't have to worry about the device biometrics popping up. As I mentioned on our website, you can actually get to this demo yourself. So a consumer experience or workforce experience are as simple as ... I'll pop up my phone here, scanning a QR code. Now this will be me doing my live ID to get into this website. I said I wouldn't do a live demo but I did it anyway, and now I'm staring at my workforce applications. The exact same process, the exact same key cryptography and biometrics, work just fine for your customer experiences as well.
All right? So that's the end of my demo. I will simply wrap up with two things. There's a couple differences when you use an app-based versus appless and I figured I'd sum them up here. When you're in-app, you can do real biometrics, you can engage directly with the camera and the microphone in a very easy way, giving you a super high level of security for when you need it. It's perfect for verifying that the contractor you hired is the contractor that's sitting in that seat on day two, there's a huge problem with contractor [inaudible 00:42:51], right? An app allows you to do that. It also allows you to do some key backup and recovery, there's a TOFU issue with some experiences, trust on first use. When you're using an app, you can avoid that as well. Appless allows for these three very important things as well.
And finally, KuppingerCole has something they call their identity fabric. It's a wonderful, full comprehensive diagram that shows all the moving parts in an IAM stack. We're going to work with KuppingerCole, they don't know it yet, to embed identity-proofing and passwordless as its own discrete engine combined into that identity fabric. All right? So let's ask a user who they are. Let's onboard them for whatever experience is needed, and let's get rid of passwords as part of that. It's a service that should flow through to every downstream application, and then let your SSO gateways, your Azure ADs, [inaudible 00:43:46] et cetera go do what they do. They do SSO, let's let your applications not worry about the authentication anymore, and come in with true-proofed IAL2 identity.
And finally, and then back over to you John, we do have one other webinar coming up in a few weeks. It's more of a focus on passwordless experience linked back to how it's being embraced in the industry. So you'll see some more real-world examples of this and we'll be doing this with the IAT group. All right? So I thank everyone for their time. I think we're going to get into Q&A with John now. If anybody has questions, hopefully you've been putting them into the chat.
John Tolbert:
Yeah, before we get into the Q&A, why don't we take a look at our poll results. Let's see. So has your organization suffered an attack that was caused by password breaches? 24% said yes, 76% said no.
Mike Engle:
That's a lot of people that would even admit that, so that's still a scary number in my opinion.
John Tolbert:
Yeah. Okay, next. Let's see. Have you used a remote identity verification app? Yes, 72%. Wow, that's even better than I thought. No, 28%. So that's very interesting. Cool. I guess I'd like to even drill down, can't really do it now but drill down, figure out is it a workforce or consumer use case for which you've done the ...
Mike Engle:
Yeah. I mean anybody joining a company today, they would be in that bucket. But not many companies are doing it digitally yet for workforce but it's definitely ... It's required on the customer side, so you're seeing a lot of it there. Especially with crypto accounts. They're getting hit from every direction for this.
John Tolbert:
Yeah. Okay, well let's launch into the questions. So first question says, "I am experiencing MFA and passwordless authentication vendor fatigue. They all seem to offer similar things. What makes 1Kosmos stand out?"
Mike Engle:
Yeah no, that's a great question. The passwordless bandwagon is definitely full. A lot of people these days, a lot of companies. There's four things that I'll mention that makes us unique. One is we're the only company that's combined strong identity-proofing into the same platform. The only one. We're the only one that's Kantara-certified for identity-proofing. That is the international body for certification and FIDO-certified together. So as I mentioned you have these silos popping up and there's a thousand of them over here in passwordless-only, and there's dozens over here in identity-proofing only. They need to be put together. It's not just us saying that, it's the industry, it's analysts. So that's one reason.
The second is that use of live ID that you saw, that's not just passwordless tricks. That is proving the identity that I enrolled two weeks ago when I installed that app. That is a unique differentiator. You will not find others doing that. Of those thousand, there might be five that do that and then you have to ask where are they storing that live biometric? If it's in the phone only, you lose the phone, it's gone, and if it's stored in a centralized database that's not using blockchain for encryption, private blockchain, then who is protecting that? So that's the second big differentiator as well and the blockchain itself is the third, right? Provides an immutable log, an audit trail, and the fourth is just that we're incredibly developer-friendly, we're very open, right? Go to any of the competitors' websites and see if you can do a live demo. See if their API and SDK documents are online on their website. They're probably not.
John Tolbert:
Yeah. That sounds good. I think about passwordless, we do hear that a lot. In many cases, it becomes password fewer I would say. You enter it fewer times but there's still an underlying password credential that needs to be eventually gotten rid of. Next question is, "For non-app experienced users, what are some of the recovery options, what are some of the recovery options? Let's say the individual's computer is stolen and can't be recovered."
Mike Engle:
Yeah, that is a challenge with WebAuthn, and the FIDO Alliance is working towards, just like I said in my last response, introducing identity to the passwordless experience. So once you do that, there might be a mechanism where you can have key recovery as part of a WebAuthn experience. But you might have to fall back to other mechanisms in that scenario. So I don't know John if you've seen any elegant ways to handle that in a WebAuthn channel?
John Tolbert:
I guess there's no perfect solution, there's always multiple devices, multiple accounts that could be linked. There's always a potential for a weak link in that chain, but yeah. There are better approaches than others in this space. Let's see, good questions coming in. Keep them coming, feel free to type them in that go to webinar questions blank. Next one is, "Do you see 1Kosmos entering the world of self-sovereign identity with other verifiable credentials?"
Mike Engle:
Yeah, that's something I didn't touch on just for the sake of time, and that's really another big differentiator of our platform is it is built on W3C verifiable credentials and decentralized identity under the hood, and we're members of the Trust Over IP Foundation which is part of the Linux Foundation and very actively participate in all those standards. So when identity gets to that next stage of its evolution, identity becomes your own and it can go across industry, across country, right? W3C verifiable credentials are used for COVID vaccinations, education degrees, proof of employer, right? That stuff is built into the platform today, and it can be exposed when you're ready.
So let's say you're Bank One and you have a B2B relationship with Bank Two for custodial accounts or something. Don't go set up some heavy federated login. Instead, use a verifiable credential so they can prove who they are to each other. It is the future of identity according to a lot of people and we are ready for it, so again, standards, platform, et cetera come into play for that.
John Tolbert:
Okay, and what are the ways an app can be delivered to employees and customers for passwordless authentication?
Mike Engle:
Yes, well it's made so easy today by the app stores, right? So the experience you'll see on the live 1Kosmos page is just go get it from the store, one click, installed and done. User self-enrolls, it's verified behind the scenes. So that's the easiest way you can have your employees, contractors or customers do it that way. If you have an existing app already, you're doing an app update and just putting the SDK in there that now handles the public private key cryptography, the authentication, the biometrics if you need them, et cetera. So that's transparent to the user. They'll just get the features and you'll have to enable them with a press of a button. And also, any app can be delivered in an employer setting via the MDM, their mobile device management, so you can push the app down to them that way, that's very common.
John Tolbert:
Yep, and the app stores provide some security with application scanning and then in some cases I think it's a little bit more trustworthy than just downloading an app from another source. Let's see, next one. How do you handle account recovery?
Mike Engle:
Yeah, we touched on that on the WebAuthn side, right? There's not a strong solution there in the industry, right? Because that's a standards-based, so we really can't move out of the box too much on that. But in an app experience, we do have wallet recovery that involves a standard called BIP39. It's the same standard that is used to back up and recover your crypto wallets. So if you've ever done that experience, 12 word pneumonic phrase for example, that can be backed up and stored in a number of different ways. So that's the most common type. Then we also have some experience with multi-party computing to recover your private key and some ways to use your biometrics as a recovery mechanism as well. So a lot of options there. Especially when you get into more of an app experience.
John Tolbert:
Let's see, "How does this get applied to dozens of systems that employees use such as OSS and privileged account management systems?"
Mike Engle:
Yeah, that's a great question because in an enterprise, right? This isn't really a problem for a customer, a customer has one or two places they log in, so you handle them those two ways. On the enterprise, you need plugins, you need connectors and adapters. Many of them can be handled via federated authentication protocols, so SAML, OIDC for example where 1Kosmos becomes the IDP and gives a trusted proof digital identity into those systems. So that's just a configuration. It takes an hour or two, setting up secrets whatever to do that assertion. Then connectors into non-standard systems, Windows, Mac, Unix, et cetera. There's a lightweight plugin that goes in there, and that enables QR code, push messages, et cetera to work with the press of a button as well, and then there's custom adapters for lots of systems that need that. So remote access systems like Citrix and Zscaler, et cetera. It's a simple integration. We're in a lot of the marketplaces for connectors, into [inaudible 00:54:14] et cetera as well. So we've made that, we've reduced the friction to go passwordless across those dozens or hundreds of systems really to handle any situation.
John Tolbert:
And one more question here. "How many countries does the identity proofing work in and what types of documents does it support?"
Mike Engle:
Yeah, that's always a question, can you scan an Uzbekistan document, yes or no, right? But no, we have a very robust document scanning engine. We have coverage for over 150 countries and the document types vary country by country. So for example, in the Dominican Republic, we will scan ... It's called the national identity card, it's not a driver's license. The U.S., the standards are obviously driver's license which varies across 50 states and passports. So it varies country to country. The other thing is, when that process goes badly, sometimes you can't scan a document for some reason, it's an old photo or your document is mutilated. We have something called agent-assisted, so in that scenario, we can route the session to a live agent in a certified data center, and they can take over and give that kind of white glove approach to make sure that user gets onboarded properly.
John Tolbert:
Yep. That sounds great. There are many different document types and there's ICAO and non-ICAO passports. There's the eIDAS standard and like you said there's lots of different things in the U.S. and it's kind of a very fragmented thing. We see that there are in many cases country-specific identity proofing service providers and yeah, rolling those up into like a much larger CIAM service is something that can be very useful for companies that are dealing with consumers or employees from multiple countries, multiple regions around the world [inaudible 00:56:18] it's a complex thing that it would be great if it could be simplified but I don't see any easy ways for that particular piece of it for the near future.
Well with that, I'd like to thank everyone for attending and thanks for your participation on the polls and questions and thanks to Mike and 1Kosmos for helping out here. Any final comments Mike?
Mike Engle:
No. No, thanks for having me on. I enjoyed it. Our entire world is on our website. We don't hold anything back so please check us out. Thanks for your time as well John and let's do it again soon.
John Tolbert:
Great. Sounds good. Well thanks again everyone. Have a good rest of your day.
Mike Engle:
Take care.
Check out this webinar with our CSO, Mike Engle, and lead KuppingerCole analyst, John Tolbert. Learn about authentication options and solutions, the need for higher identity assurance and identity proofing and much more.
Watch now!