Join Robert MacDonald and Javed Shah for an IBA Friday session! They will be discussing Netflix’s password sharing crackdown and Twitter ending free 2FA.

Video Transcript
Rob: Hi, everybody.

Javed: Hello.

Rob: The usual rambling before we get things rolling here.

Javed: It's the weather. It's weather talk.

Rob: And we're talking about weather, so what else is there to talk about? Oh, I don't even have my 1Kosmos thing on here. Javed, you didn't even tell me.

Javed: I wasn't sure what you were going for.

Rob: Yeah, I know. See what happens when I'm not paying attention?

Javed: But you have your space. Come on.

Rob: We have to put some branding on here. I'm part of marketing. There we go. There we go. See? Branded.

Javed: I was trying to carry for you, so...

Rob: Thanks buddy. So today, there's some stuff happening in the news. Oh, before we get started, welcome everybody. Welcome to IBA Friday. Rob, Javed.

Javed: Hello.

Rob: It's good to see you again. It's just the two of us today, we don't have any special guests, so we're just going to talk more, not about weather, but about the news, because there's some things happening in the news. And Javed, I hate to tell you, but you using my Netflix password and me carrying you, that cost is going to have to go away, according to what's going on in the news, looks like Netflix is going to start cracking down.

Javed: I don't like the [inaudible 00:01:09] Netflix expert. Yeah, sure. Definitely.

Rob: What's that?

Javed: I don't like the recommendations that I get. But you know what?

Rob: Listen.

Javed: That's a good topic to discuss, I think.

Rob: I know that you like watching Bridgerton and all the other romantic shows that are on that channel, or on that streaming service, so don't lie. But yeah, so there's a couple of things. So Netflix has been in the news. Twitter has a long going history in the news since Elon took them over, but a bunch of it ties back to username and passwords, and some form of authentication. So what I wanted to just talk about today, and put what we've been talking about since we've started IBA Friday into a little bit more context, in terms of how we could help these organizations solve some of the problems that they're facing with right now.

Javed: It's in our very name, IBA. Take it away.

Rob: It's true. So let's talk about Netflix first. So Netflix is threatening to crack down on people sharing passwords. In fact, they have done it in a couple of countries already. I think Canada is next on the list, if we're not already. I heard it on the radio this morning. People were freaking out, they were calling in saying they're going to drop Netflix if they're going to crack down on password sharing, which to me is crazy that people would be upset about that.

Javed: You would think that, hey, it's a good thing that an organization that size wants to actually protect your account because, while you know you shared it with someone you know, [inaudible 00:02:50].

Rob: Exactly, you don't know if they shared it with anybody.

Javed: Exactly.

Rob: On top of that. And to that, there's an intellectual property that they're trying to maintain. And yes, they're in business to make money and all that kind of stuff, and that impacts revenue, so that all makes sense. So the things that they're looking at trying to implement to make this work, I don't want to say sound clunky, but again, we're working to try to solve for a problem that has existed since the early fifties, forties? When did the password come around? At least 60 years ago. We're still trying to mask that problem with other technologies. And again, with 1Kosmos, we could just completely get rid of that altogether. So if you look at the way... How do you authenticate with Netflix? I know that I type in my username and password and I'll get a code.

Javed: I don't even know what my Netflix password is, but it's something that's obviously pre-filled on the browser, for the most part, or on the mobile. If you have the app, I think it probably remembers you for longer, but with this disruption they're introducing to shared accounts, I think they'll tighten the controls on how long you have the session, regardless of the channel you're consuming the service on.

Rob: And then this also applies to other streaming services too where, if I, in Canada, I'm signed up for the TSN, The Sports Network, and I'm in the United States and I want to follow what's going on with my favorite hockey team, the Ottawa Senators, it says that the content is blocked because I'm not in the right country. It's like, but I'm from that country, I just want to check in on the news and now you're telling me that I can't because I'm in the wrong country. There are ways around trying to deliver that content where I could just verify that that is Rob, and therefore I can stream the content to him regardless of where he is, or-

Javed: Exactly.

Rob: That is Rob, that's his Netflix account, and here are all the people that can authenticate underneath that account and I can authenticate their IDs to make sure that it's Lauren, my daughter, or Shane, my other daughter, or Paula, my wife, and not Javed this time, because Javed's not part of my family account. Sorry buddy, I got to kick you.

Javed: Press the exit button, wherever it is.

Rob: No more freeloading. No more freeloading.

Javed: Exactly. It's funny you say that, because it's not unusual for hiding to be one of the security principles that people follow. Let's just hide the data, let's block it, let's introduce a blackout, let's disrupt sharing. Does that increase your overall security? Highly doubtful. Technically, if you really are a roaming traveler, well of course you are, you're a business person. Well, what's wrong with, unless there is a true blackout at the business level, that they absolutely do not want the transmission of that particular content to cross the borders, for whatever good or bad reason that might be the case. As long as they know who this person is, technically it should not be an issue with you accessing content, even though you are traveling at the moment. Or you are in the plane, who cares? You haven't even landed yet. In the plane over wifi, how does that work? So good point, security by hiding is probably not the way to go.

Rob: Yeah, exactly. And then the other thing is that I've got Netflix on my computer, I've got it on my phone, I've got it on my Apple TV. I need to enter the username and password in for all of those. So imagine, so I think everybody's seen this before, but I'm just going to go to the Experience BlockID site here. Everybody can go do this on their own. You download the app, you enter in some information about yourself into the app, and then you can scan a QR code. So imagine, you go to log into Netflix, Disney, Amazon, whatever the streaming service is, wherever you are in the world, you could open up the app. Let me go get my app here while we're talking. And I could scan the QR code with the app here, so I'm just going to scan that QR code. It's going to say, "Please approve the login." I'm going to say, "For sure," it's going to give me a little Face ID. Now we can get super crazy with that. We can do live ID where we can verify the user's identity based on government issued documents, depending upon how secure you want it to be, you can get to that level. But at the end of the day, it knows where I am, what my last login was, all that stuff. And we can provide more information, you can go look in our developer sandbox to go see what it provides. But that's a really easy way to authenticate and to add a lighter assurance level, assure that that user is who they claim to be by using the Face ID on their device, the native biometric on the device. So instead of trying to mask it with all kinds of other stuff, just why not just get people to scan it with QR code? Does that not just seem easy to you? It seems like a no-brainer.

Javed: Yeah, I think it's a two-step. The way to think about this is obviously not just to have a QR code scanned necessarily, that's obviously the easiest way in. But the point is that if you're managing as a provider of a service, you're not just the provider of the service, you're also managing the accounts of the subscribers that are paying you money and you obviously want to have those folks add to the service, maybe purchase other tiers of service, or introduce your service to their family members and friends. It does not stop at that one person but what that means is, by definition, you want to allow usage, increase the adoption, the word of mouth, the publicity that you get with it. "Did you watch that? There's a really nice little..." That kind of conversation is what you want, if you're Netflix, for your subscribers to be engaged in, not the ones that you and I started the show with, "Hey, do you know that they cut the passwords, I can't share my account." That's not you want to be in the news for.

So I think with the BlockID approach, one of the immediate benefits is, wait a second, if you are a subscriber, if you are a customer, you get this capability of having your end users unlock the wallet before they may even scan the QR code. So that unlocking mechanism, you can calibrate. You want to go deep, advanced liveness, more than just the onboard biometrics such as Face ID? Go for it. Face ID checks liveness and ensures that you are who you are, of course the person behind the device, because we are not in the business of just authenticating the device. Yeah, that's old school. That's legacy stuff. Okay? Let's be clear. But that's fine. If you don't want to go up to that level, you allow the user to just do a pin, get the pin, set it, unlock it, go in, scan that QR code. So the point is to facilitate the experience, not to hinder it and be the subject of conversations where they're not talking about that show that you introduced last week, but about the account sharing you stopped, that kind of thing.

Rob: Sure. Yeah, absolutely. Yeah, that's exactly right. And depending upon, like you said, you can allow users, through our platform at least, to choose how they want to authenticate. Maybe they want to use a pin, or maybe they want to use Face ID, or maybe they want to use something else. You can go down that road, but it's all stored within the wallet that we build, either through the web browser or through the device, depending upon how they consume the content. And we're not authenticating that you have something, we're actually authenticating the user to get them access to whatever you have so then you have a pretty good level of assurance that it's Rob, and not whoever Rob shared the username and password with, which is really what we're trying to get away from. And again, everything points back to that username and password isn't fit for where we're going either on the internet or anywhere at work. It's not something to build any sort of service on because you cannot control how people either use, make, share, anything along those lines with that basic authentication method.

Javed: Yeah, exactly. The kind of example that we already have from the industry with limiting account sharing is, well, what's the option then? I still want to watch something, even though you won't allow me on your account now, well I have to go create a new account. That is, while it's probably a new subscriber from the provider's perspective, but it's a disruption to me. It would've been nice to have been more accommodating and have probably a persona, account persona type of a model that we actually support, where you may carry the account on your shoulders, but I could be one of the personas that-

Rob: Absolutely.

Javed: That is part of your profile, which is obviously 101 for us. But just some thoughts to think about, hey, don't just hide it, don't just limit it, perhaps there are cleaner ways of thinking about this problem.

Rob: So let's shift gears and let's talk a little bit about Twitter. And listen, everybody's used, everybody knows Twitter.

Javed: Just Twitter.

Rob: There are all-

Javed: [inaudible 00:13:04].

Rob: Right there. There's all kinds of things going on with Twitter right now and some of it makes sense. So if you really look at what Elon was saying last week around charging people for one time passwords via text, it's like that's expensive, because every time they have to send you that text, there's a cost associated with that.

Javed: Very expensive. Trust me.

Rob: It's crazy expensive.

Javed: It's crazy expensive.

Rob: We have customers that work within the workforce that provide that service to their employees and they pay $400,000 a year to send those texts.

Javed: You went there. Yes, exactly. [inaudible 00:13:43].

Rob: It's bonkers. I'm not going to say which provider it is, but it's a big one. So there is a cost associated with that. So if you look at what Twitter's trying to do, there's a couple of things. One, you can spend, how much is it? You can spend $8 or $5 for the blue check mark?

Javed: Eight, whatever.

Rob: But anybody can buy it, anybody can buy that, so you're still not proving that that user is real. And then there's the authentication that goes along with it. And we all know the celebrities that were hacked and something was typed on their Twitter account, that wasn't them. Who knows? They might have got into something and didn't realize they taped a video, but it doesn't matter.

At the end of the day, if you look at the basic premise in terms of what we are trying to deliver to the market from 1Kosmos is like, listen, if you really want to know who a user is online, then you need to verify the identity first. So with our technology, you're able to do that. We're going to take a live selfie, we're going to compare that selfie to the government issued documents that we ask you to scan into the document. If those images match and the data on those documents match AAMVA or [inaudible 00:15:00] or whatever, then that identity is proven at a very high assurance level, at IL level two. So then if you take that and apply that to the authentication, so when the user goes to authenticate, you're going to scan their face again, compare it to the selfie that they took at login, which means now that every time they authenticate, we're going to point back to the verification step that you did so it's not a one and done scenario. So now you have blue check marks, that means something.

Javed: That means something. Exactly. The proof of verification is obviously added to the wallet. There's a technical cryptographic proof for you are having done something, and we remember it, we track the validity and the expiry of the document that obviously allows us to attest the NIST certified identity assurance level too for you, for example. So if the document expires, your assurance level, as asserted by the provider, drops as well. So when people think about that blue check mark, it's not just you buy something and you hang on the wall and that's your blue check mark.

Rob: Exactly.

Javed: You have to put some more effort behind making sure that thing is valid tomorrow, day after, in six months.

Rob: Exactly.

Javed: Those kinds of things. And that's, I think, what people probably want to think about behind a verification check mark, this should be more.

Rob: Well, 100%. At this point, that blue check mark doesn't really mean anything, and there are ways, there are technologies that can do it. Say that again.

Javed: It means somebody paid somebody for it, for the blue check mark.

Rob: Exactly. That's exactly right. So if you're able to provide a service where you know that user is who they claim to be, and when they authenticate it can only be that user because we're verifying a facial biometric. Now, this stuff is awesome, sounds awesome, but it's relatively new. The fact that we have this platform, we're the only ones that can deliver this service, this capability, in one platform, is new. Phones being able to scan at a high-res and take pictures at a high-res and having portable identity wallets and verifiable verified credentials, that stuff's relatively new, so it's not like everybody's behind.

Javed: It's very new. And look, we don't claim to have solved all the problems because, trust me, there are problems in all of these corner cases that exist and there are... But I think more important than delivering a product is also about the thought process and the vision that startups should have. Startups in this space that, we are one of them, is what are we trying to solve for? I think today's discussion is very apt actually. We are looking to solve for problems like, hey, somebody limited account sharing because passwords were shared. Okay. Do you know who was sharing the passwords? Can you really identify?

Another example you brought up was that checkbox, to being a verified [inaudible 00:18:05]. So just thinking about these problems, we are already transcending domains, we are already jumping over use cases, because there is applicability, far and wide applicability. So I think the point is, it's not just the product we can deliver today or the problems we are dealing with collectively in this industry, it's also about who's thinking about these use cases and what are they doing about it? They might not have finished doing what they've started to do, but are they doing something about it that can be of use today? And I think that that's where I would say our claim is that, yes, they are.

Rob: Absolutely. I agree. That was it. That's all I want to talk about. You got anything else?

Javed: What a heavy hitting IBA, I thought it was going to be a little ramble between friends.

Rob: Nah, what are you watching on Netflix these days? Anything good?

Javed: Oh, goodness. Don't ask. This is a way... I can't. I don't.

Rob: You don't have time. You're too busy developing, building a product.

Javed: I don't watch Netflix as much as I want to and even if I watch something, it is such a one-off that I can't even remember what I watched the next day. It's tough.

Rob: Fair enough. I don't disagree with any of those things you just said. That's good.

Javed: I'm not going to ask you what you were watching.

Rob: No. You don't want to know. No, absolutely not. Bridgerton might have been one of them, I'm just saying. Anyway, Javed, have a good weekend everybody. Thank you for coming by again today. We appreciate you swinging by, listening to our ramblings. We will see you again in a couple of weeks. Thanks everybody.

Javed: Thanks Robert. Bye.