Inserting Identity into Your SSO Implementation

In this vlog, 1Kosmos VP of Product Marketing, Robert MacDonald, is joined by the VP of Solutions, Vikram Subramanian, to discuss inserting identity into your SSO implementation.

Robert MacDonald:
Hi, everybody. Welcome to our vlog today. My name’s Robert MacDonald. I’m vice president of Product Marketing here at 1Kosmos, and I’m joined by Vikram today. Vikram, how are you doing?

Vikram Subramanian:
Hey. Great. I’m doing great, Rob. Hello, everyone. Vikram Subramanian, vice president of Solutions at 1Kosmos, and really excited to be talking to you today.

Robert MacDonald:
All right. Listen, it’s a pleasure having you. Today we’re going to talk about single sign-on implementations and inserting identity into an SSO implementation, like an Okta as an example. So Vik, let’s jump right into it. How do you view the balance between risk and convenience when it comes to single sign-on?

Vikram Subramanian:
This is a question that has been plaguing our industry for so long, right? I mean, obviously we all know, everyone’s talking about passwords are bad. And so what did we do? We just came up with another way of authenticating the user, which is put MFA in its place and you’re going to ask them to put a code in or have another device on the person or try and get something else out of them just to make sure, because the assurance that is there within the username and password is not there.

So what do we do? We also add on other risk factors. We evaluate 50 other things and 100 other things and all those signals, put them in together and then say, “Okay. With a reasonable amount of confidence, the user is who they say they are. Let them in the door.” Right? So that’s the state of SSO today, and this is where it actually brings up the conversation, really, what is the question that we are trying to answer with SSO, with authentication, with MFA? Are you really who you say you are? That is the question that needs answering. So we, I think, can help answer that question and add on to that experience with SSO.

Robert MacDonald:
Okay. Well, let’s talk a little bit more about that. So when you look at Okta or ForgeRock, Ping, whatever, how can organizations do more to protect themselves from cyber attacks? We talked about getting rid of passwords and MFA, right? Should they get rid of single sign-on platforms completely or is there something that they can do to try to augment, obviously keep the investment that they have but still become more secure as a net result? What is it that organizations could do?

Vikram Subramanian:
Absolutely. I mean, think about it. The organizations have invested so much money in really integrating applications or migrating from their legacy solutions to solutions like Okta, Microsoft, ForgeRock, Ping, I mean, all of our partners in the industry. And there are tons of applications that are out there. For us to go in and then say, “You’re going to have to migrate to another solution,” is going to be extremely irresponsible, which is where we want to enhance that experience and really give the users the ability to prove their identity as part of that authentication channel.

So when the users want to go in, we have a multitude of ways where organizations can enhance the user experience. We’ve been talking about risk. We’ve been talking about passwords. We’ve been talking about anything that just from a pure security standpoint, something that is troubling a particular CISO. But more and more users and more and more users have begun to expect the user experience out of even enterprise IAM solutions. They want the experience. They want the consumer-like experience. They want to get in, they want to do their work, they want to get out, and that’s it. Don’t bother me with all the 10 other factors that I have to list down. That is where I think we should be able to come in and really help our organizations there.

Robert MacDonald:
Okay. Well, listen, on that note, let’s be a little bit more poignant in terms of what we’re talking about here. What is it that 1Kosmos can do to help augment a platform like Okta? So you said that replacement’s not an option, and you’re right. I mean, there’s too much money already invested in all that stuff. What can we do to come in and stand alongside an Okta or another single sign-on provider and provide value? What is it that we can do?

Vikram Subramanian:
See, this is where the true meaning of identity would come into play and that’s where the 1Kosmos architecture of really saying an identity is a person comes into play for the authentication and the SSO experience or the authentication experience. So 1Kosmos, what we are able to insert into the equation of really answering the question, “Are you really who you say you are?” is biometric-based authentication and identity-based authentication.

So what is identity-based authentication? Let’s talk about that. So if I really need to go prove myself in the digital world, I am bringing out my government IDs, like my driver’s license, passport, any of those national IDs, and I’m able to execute a transaction in the physical world.

Robert MacDonald:
That’s right.

Vikram Subramanian:
Now, what if we just translated that to the digital world? That is exciting. So this is where the concept of the digital identity comes into play, and we are able to create a digital identity for a user by really taking a look at their government issued documents and then verifying them with the issuing authorities and creating a digital identity for the user.

Now, with this digital identity, now there are a lot of solutions that stop with just proofing, now this is where 1Kosmos makes it special, we are able to take this proofed identity or proofed document, create an identity for the user, and help them store that identity within the wallet. With this identity in the wallet, they’re able to execute transactions. This could be authentication transactions, this could be other transactions like approving a particular transfer or money transfer or anything like that. And really, our wallet is made to enable identity-based transactions, which include authentication.

So when a user comes in to a website and they want to prove who they say they are, they’re able to take their wallet and inject their identity into that authentication scenario and truly prove who they say they are by use of, number one, the government issued documents, and number two, by using biometrics. It’s not mandatory to use government issued documents, but biometrics makes it very easy for the user to go ahead and prove who they say they are. All of us are used to doing face ID with the iPhones today. Everyone wants to just look at something and, “Hey, you know who I am. I mean, you just see me. Then authenticate me.” So that’s what we are inserting into the equation. This is how we can complement the experience that organizations have with Okta and other SSO solutions today.

Right. Now, Rob, you may want to ask, “Okay, what else can we do, right? There’s got to be more, Hey, does the user have to go through identity proofing every time?” Well, not really. They don’t have to go through identity proofing every time, which is why we have the concept of the wallet. And what also that we have is the ability to issue verifiable credentials. This is something that a bunch of companies are already investing in and we are already compliant with the W3C standards to issue verifiable credentials, to create a presentation, and also to go ahead and use that in a particular transaction. So now we’ll talk about verifiable credentials as a part of the roadmap for something that companies can consider, but very simplistically in today’s world, like I mentioned, we can insert identity into an authentication and we can do this at every layer that the user is interacting with a particular organization.

So let’s start, anything that is logical, which is their laptop. So if they want to go in and really log into that Windows system on the operating system, they’re able to do that. It doesn’t matter which version of Windows they’re on, we’re able to support a bunch of versions, which is true for many organizations that not all of them are upgraded and not all laptops are made the same, which is where we are able to digitize that authentication, include biometrics, and the users don’t need to remember their username and password. Then we are able to translate that onto the web and interact with the systems like Okta and ForgeRock and go ahead and insert identity into the equation. You can go ahead and take these signals that we can send or even take a look at what is the identity assurance level of the user then make a decision, do you really want to let them into your applications or not?

Robert MacDonald:
Okay, that’s fair. So listen, that was a great explanation in terms of what users or what organizations can do to try… Or what we provide organizations to augment or improve the security of their single sign-on. Give me an example of what the experience looks like. So you did a very good job at explaining in terms of what happens, but talk about, well, how does it work, right? So you talked about logging into Windows. I’m assuming you can do it with Mac too. Obviously, there’s the single sign-on providers. And then I’m assuming, Vik, we work outside of just the single sign-on stuff. There are other areas that we can cover too. Just quickly talk about what that experience looks like from an authentication standpoint for the user when they come in the morning. What does that look like?

Vikram Subramanian:
Oh, wow. Yes. We were talking about the user experience. Yes. So let’s remove ourselves from technology and really look at the experience. From an experience standpoint, what we bring to the table is something that all of us are used to when we go to restaurants today, which is to scan a QR code. So, user comes in and they’re opening up their laptops. They can be presented with a QR code, scan the QR code, authenticate using biometrics, show their face or… you know what? … with our LiveID. We’re the only solution in the market that brings a smile to people’s faces, right? The only security solution that does that, right? So smile, get in, get to work, right?

And that same experience is carried over onto the web. They can go scan a QR code and they are logged in. Or… you know what? … depending on the system they’re logged into, many other solutions can calculate the risk. Are you coming in from the same device? All of those things can come into play. And they’re not forced to log in when they log into web applications, right? So that is the experience that we can give to the user. The other thing that we can also do is we can also interface with the webcam, and all that you need to do is take a look and then you’re logged in. So those are all things that we bring to the table and for situations where your mobile phone is not allowed, you don’t have a webcam. What do you do? This is where our support for passkeys comes into play, right? People can utilize their passkeys, their synced passkeys, and go ahead and authenticate across the entire stack and move forward.

Robert MacDonald:
So we do more than just the biometric, I guess. Well, I guess we do more than just a facial biometric is what you’re saying there. So we have other ways that users can authenticate, whether that be via an app, appless, FIDO, passkeys, all of those things are all built into the app is what you’re saying, and users can authenticate in any of those ways? Yes?

Vikram Subramanian:
Yes, absolutely. Right. Like I mentioned already, you go to a restaurant, you scan a QR code, you get the menu. You go to your enterprise, you scan a QR code, you get a menu of options that you can choose from. Absolutely.

Robert MacDonald:
Very good. All right, Vik, thanks very much for coming in today and telling us a little bit about how organizations can inject identity into securing their single sign-on implementation. I look forward to talking to you again soon. And everybody that’s watching, please make sure to take a look at our data sheet. We’ve got a Single Sign-On Better Together With 1Kosmos data sheet that’s available on our website that you can get a little bit more information in terms of what we’re talking about today. Thanks again, Vik.

Vikram Subramanian:
Thanks, Rob. Great being here.

Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.