Join Sheetal Elangovan and Robert MacDonald for an IBA Friday session. In this episode, they introduce the 1Kosmos 1Key.

Video Transcript
Hi everybody. Welcome. It's another Friday, thank goodness. And that means it's IBA Friday time. Guess who's back? Sheetal. How you doing?

I'm good.

We had Mike Engle fill in for you while you were gone.

Mm-hmm. In Maui.

He did an adequate job. How was vacation?

Fantastic. It was great.

Yes. Well, I'm glad you had a great vacation. For those of us that had to stay and slum away, we did talk about last week about identity verification or a couple weeks ago, and today we've got another cool topic that we want to cover. And one of the areas that organizations struggle to deliver any sort of secure, let alone passwordless experience, is with a shared workstation. And a shared workstation can come in many formats. If you're at a retail floor, they've got those systems where people log in to see if things are in stock or to try to place orders or whatever.

There's those use cases. There's healthcare, there's student labs, call centers is a big one. And we actually have a pretty big customer call center that has shared workstations where people come in and they hotel, right, Sheetal? They come in, they don't sit at the same spot every time. I'm going to ask you this and you're going to show me, I think, right? How do you deliver a passwordless experience to those types of users where they're not at the same system every day and they can't bring their phone or there's no way to deliver a multifactored approach to their login? How do we solve that here at 1Kosmos?

So I think just looking at the situation where every employee is coming in with no device and into a shop floor where they don't have a dedicated desk, we are really looking at nothing that a user has to bring in. We are looking to the 1Key that we are expecting is going to get plugged into a shared workstation, a workstation that remains stationed. And it's one key and it's going to use, if you see the little biometric sensor here, that's what's going to take care of authentication for us.

So in a scenario like this, what we're expecting to happen is that there is a single point of registration where all of these employees would come in, they would register their fingerprint first, and after that they're on their way. They're able to enter any workstation on any floor, go ahead and use their biometrics. They're just going to put their hand on this finger on any device and they will be able to authenticate and enter. So that's really the cool part about the 1Key. We like to call this the 1Key. It's just a FIDO key that is capable of reading a user's biometrics, authenticating them. So it's an enroll once, use anywhere kind of authentication method that we have here.

That's cool. So there's a couple of benefits to that. So if we think about FIDO keys in general, they're usually per user. So you buy a FIDO key and you give it to a user. So if we think about that from a help desk standpoint or a shared workstation standpoint, it means that you've got multiple users on a single system. So you're going to have to give each one of those users a key, which means a couple things. One, there's a cost associated with that obviously, that then leads you open to somebody forgetting it, losing it, having it stolen, breaking it, you name it. There's all kinds of things that go. So the management behind that can be quite cumbersome. It can be complex unnecessarily, and it could be just costly. So you're saying with this one, you leave it with the system?

Yes, you just leave it with the system. So if you're looking at a 20,000 workforce, you're looking at 20,000 keys that we actually need to purchase. But with the 1Key, what you're really looking at is how many of our shared workstations you need to have. So let's say you have about 150, 200, you're looking about the same cost for a key per workstation and multiple users just floating in and around and authenticating themselves. So it's a massive benefit in terms of cost and how well it can scale across an organization that has a floating population.

Yeah, because typically with these keys, it's one per, maybe five users per, and I think it's one fingerprint, maybe two fingerprints each at best. So what you're saying now is that anybody registered with this key can use any system that has that key?

Yep, any system that has that key. Mm-hmm.

That's pretty impressive. So we're looking at, like you said, simple registration. So you said you just scan your fingerprint and how many fingerprints can we scan?

We can actually scan all five of your fingerprints. So whichever one you-

All 10?

All 10. Now you're going to have to remember which finger you used.

Yeah, exactly. We just do them all, then you don't have to remember. Yep, fair enough.

We do whichever one is the user's preferred finger, they're going to go ahead and scan that, and we're going to remember it across many of these. Mm-hmm.

So that's cool. So then register once, use on any computer, and then you're going to deploy just one key per desktop instead of one key per person, which is also super cool. So that obviously eliminates lost, stolen keys, forgotten keys. Because geez, if you forget your key and you need your key to log in, well, you can't work that day. You have to go back home and get it or it doesn't work. So obviously we're storing biometrics. So where's the biometric stored? Obviously people get a little bit wary when somebody's capturing their biometric and that's stored somewhere. So how do we manage the biometric for that many users to be able to be used anywhere? Why don't you tell us a little bit about how that works?

So I think a lot of the concern, the questions that we get, customers are iffy about storing biometrics. So how we really manage that is that they're all centralized in a particular location, it's per customer. But the beauty of it is the levels and the layers of encryption that we add to it. So everything that is on the device itself is encrypted. Everything that is in transit, which means where we're storing the fingerprint whenever it is in transit, is also encrypted, followed by the actual storage on our servers where we're storing all the data is also encrypted. So typically you really have to crack through many of these layers for us to be able to get to being able to access any of this data. So that makes us feel good about the strategy that we have in here.

The other part is the authorization on these keys. These keys can be authorized only to work with certain servers. So these are all scenarios that we've thought about. What happens if there's a compromise? What happens if somebody decides to steal the key and walk away with it? So we have appropriate authorizations in place that can help us manage and make sure that when there is an event of compromise that we can manage the permissions on a particular key and make sure it cannot be used to access anything within that particular customer.

Oh, that's kind of cool. Okay. So you can't just take it out and plug it into some other laptop and make it work. Okay, awesome. So do you know what one of my favorite movies is? Mission Impossible.

I should have known.

Here's where we're going to go with the next question. We're using fingerprints, we're using biometrics. So I'm following you into work, not in a weird way, but I'm following you into work and I get your fingerprint, I put it on a piece of tape, and then I'm going to try to go log in as you, I'm going to present your fingerprint as my own. Is there anything on that key that can help us ensure that that doesn't happen?

I'm sure. I think the first thing we need to protect against is you, Robert.

Yeah, I think so. Right, guys?

So that's definitely one of the top things that we've thought about here: How can somebody else attempt to access it in that format? So the key itself, we've invested a lot in the hardware of it. It has a 360 degree scanner, which means that we are reading the entire part of the finger, we're checking for liveness, we're checking for many things about the form factor of the finger itself. So really adding it to a tape is definitely not going to work. It is going to have to be a much more sophisticated attack to really get through this. So this having a 360 degree scanner into the device itself is what makes it truly unique in terms of protecting against this kind of compromise.

Okay. It's unique already; that just makes it even more unique. And the cool thing with that is that it actually keeps in line with the promise that we have here at 1Kosmos in that we're always doing with our biometrics, like our live ID, we're doing a liveness check to make sure that there's actually a user present, it's not some sort of presentation attack. So that's kind of cool. I think I've got a quick little video here. Do you want to just see it in action?


Let me see if I have... I just have to find which screen I have it on. Oh, here it is. Yep. So let me share my screen. Now, of course, like any authentication demo, it's pretty bland, but that's okay because you'll get a quick look as to what this does. So we've got a laptop set up here, you can see the 1Key in the system. We'll click play on this and I'll turn off the volume. Ooh, sorry. There we go. So we enter in the username, you can see the little blue light blink. There we go. Present your fingerprint, logs the user in. Now of course, we've got to wait for Windows to start up, not to take anything away from Windows, but that takes a couple seconds.

So let's jump to our next user. There we go. So they'll do the same thing: enter in same system, new username, you'll see the lights blink again. There we go. Different finger, logs the user in. Cool. All right. At the end of the day, we're not going to watch everybody do it because it works the same, but I think the important point there is that same laptop, one key, multiple users logging in. And like we said earlier, it can be as many users as an organization has, at the end of the day. What have we forgot to talk about, Sheetal? What have I forgot to ask you? Is there anything else that we would like to talk about? Did we cover it all?

No. We did cover it all about 1Key.

Awesome. So for everybody watching, this is new. It's a new capability that we've brought to our platform. It's available today. If you'd like to talk to us more about it, please reach out to Sheetal and I. We'd love to tell you more about it. Of course, there's information on our website as well. If you'd like to go read about it, you can do that as well. But for now, I wish everybody a happy Friday. Sheetal, happy Friday.

You too. Happy Friday.

It's almost wine time, Sheetal?

Yes, it is.

Excellent. Yeah, I know. Me too. All right everybody, that's it for today's IBA Friday. We appreciate you coming along for the ride. We'll see you again in two weeks where we're going to talk about VPN access, I think passwordless VPN access, right?

Yeah, passwords.

Based on a couple of breaches that have happened over the last couple of weeks. So that'll be a good session too. So make sure you watch for that IBA Friday pop up on your LinkedIn. We'll talk to you again soon. Thanks everybody.