Bringing Verified Identity and Passwordless to the Masses

Huzefa Olia

In this vlog, our COO, Huzefa Olia, is joined by Kevin Shanley, Principal at Amazon Web Services Identity to discuss bringing verified identity and passwordless to the masses.

Huzefa Olia:
Hello and welcome. Hi Kevin, how are you?

Kevin Shanley:
Hey, Huzefa. I’m doing great, thanks and yourself?

Huzefa Olia:
Wonderful. So you are new to this particular vlog our so would love for you to introduce yourself first to our audience.

Kevin Shanley:
Absolutely. My name is Kevin Shanley. I lead go to market for AWS consumer identity services. And while I’m relatively new at AWS, I’ve actually been an IM for over 25 years.

Huzefa Olia:
Thanks for the intro. Now, in your world today you see so many different types of identities that are coming in. What are the different challenges that you see with respect to authentication?

Kevin Shanley:
Well, in three words, passwords, friction, and passwordless. If we double click on passwords, they’re difficult to make both complex and to remember. And this makes them susceptible to being these weak, easy, remember simple passwords that are often reused at different sites. And then that next problem becomes friction. So as we try to add security to passwords, we add friction, you make it harder for those legitimate users to actually authenticate.

And then the solution to that is passwordless and this is where everyone wants to go, we all want to go passwordless but that really brings it own set of problems. You may not have hardware that supports passwordless. You may not be a tech savvy person and know how to use passwordless. And so while passwords may not be very secure, at least everyone knows how passwords work, it’s just a known quantity. So that question becomes how do we get to passwordless?

And so well, it can brings up a couple of other points. Huzefa, can you explain how bringing a user’s true identity into authentication enhances both the security and mitigates risks?

Huzefa Olia:
Kevin, very interesting question. When you talk about passwordless, there’s so many different ways to get to passwordless in the market today, and most of them always take into the equation what a user’s device is.

But what is important is also to know who’s the user behind the device. You need to know if the user is authorized to access that particular device and the user is in fact the one that you provisioned or you created the account for. At the end of the day, identity and access management has to work together and identity has to be brought in into any kind of an access or a sign on scenario.

Kevin Shanley:
Thanks, Huzefa, that’s great. And so I guess what specific strategies or technologies can be employed to incorporate a user’s true identity into authentication?

Huzefa Olia:
Often when we look at any kind of access, we always looking at how do I register a user’s device and then give them access?

What we advocate is when you bring on a user, right, already you, onboard a employee, contractor, customer of yours, do identity proofing or identity verification, and there are various different standards, the most prominent one being the NIST 800-63. So you have a guideline to how to proof and verify a user as well. But the result of that proofing and verification can be not just a verified user, but also using the user’s biometrics to authenticate them.

So today, when you look at any connect for passwordless access, you can essentially ask a user to prove who they are by taking their live biometrics or their live selfie to access various different systems and mainly critical systems as well where you no longer are requiring an OTP, you’re no longer requiring a user just to use a push notification but actually validate themselves by looking at the camera and us identifying if that’s the same user who registered for the service as well.

So hopefully that gave you some context, but now let me ask you this question, Kevin, right? When you see this flow of an identity based authentication, right? How do you think that would benefit? Which industries would benefit from this kind of an authentication?

Kevin Shanley:
So, well, AWS especially, it’s really anything you care about securing, any industry that cares, cares about securing your site, financial services, healthcare, commercial sites. I mean even social networking because you’re concerned about data mining.

This point, bad bot traffic is now the majority of traffic on the internet. And what are these bots doing? They’re creating fake accounts, they’re attempting to break into existing user accounts. And so I mean, why do they even create these fake accounts and how can they create them? It’s because for the most part, nothing is actually verifying that there’s a real person on the end of the line and that that’s a real user identity.

And as we kind of pivot over to identity verification, identity proofing and stronger authentication, passwordless, that’s where we start to really close the loop on that and that’s both, it’s going to mean that you’re going to have real accounts actually in your databases. You’re going to see real traffic and real metrics and not have it all abstracted with a bunch of bad bot traffic and you’re going to end up as well as saving money because you’re not going to have to pay for that bot traffic that are taking up your monthly user accounts and such.

And so I guess from your perspective Huzefa, what steps can an organization take to successfully roll out an identity based authentication for the masses?

Huzefa Olia:
Simple answer to this would be to include any kind of identity proofing and verification into your onboarding flow. And your onboarding flow can be depending on the persona of the user, if it’s an employer or contractor, when you’re creating them as a new user. If you have customers when you’re registering them, for example, for financial services, if you’re doing a KYC or if you’re in retail and if you need to know for any kind of offer sensitive transaction that needs to be done, know who the user is, do the proofing and verification that is required, which will have all the added benefits of reducing fraud like you mentioned Kevin. And then not just do this one time, but use this identity template that has been accumulated for that specific user to use that into their authentication as well.

So all of, our companies have worked together to put 1Kosmos and the AWS solutions. Where do you think this collaboration with 1Kosmos and AWS will contribute to the market?

Kevin Shanley:
Oh, great question. So well, coming from the AWS side and how I see it, AWS is the leading cloud provider and AWS identity and access management services were recently given a top customer choice award from Gartner. In fact, AWS IM handles hundreds of millions of API calls per second, which is just a crazy number. I mean hundreds of millions of API calls per second. So we go big, we do identity well, but we can’t be everywhere. We can’t do everything.

And as an agile startup, 1Kosmos has both, I think the technical depth and focus to really innovate in identity-based authentication. And together I think we bring that targeted innovation together with the stability, scale availability, and cost-efficient computing to drive identity over to all to the masses.

Huzefa Olia:
Thank you. Thank you for that, Kevin. This is very, very insightful and I’m sure our audience wants to learn a little bit more about this. So you are going to Identiverse, you will be speaking at Identiverse. Can you tell our audience where will you be?

Kevin Shanley:
Yeah, absolutely. So, at Identiverse, I’ll be speaking with Mike Engle in Las Vegas. The title of our session is Bringing Verified Identity and Password List to the Masses, and that’s going to be running at 4:30 PM on Thursday, June the 1st.

Huzefa Olia:
Awesome. Look forward to. I’ll be audience as well.

Kevin Shanley:
Great. Looking forward to seeing you there.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More
Meet the Author

Huzefa Olia

Chief Operating Officer

Huzefa Olia, Chief Operating Officer for 1Kosmos is a recognized expert in Identity & Access Management. He previously held senior management roles at global identity management services provider Simeio, cyber risk management vendor Brinqa and identity compliance management vendor Vaau (acquired by Sun).