NIST Compliant Identity Proofing

Robert MacDonald: So now we have to be nice because it's recording.

Javed Shah: That is not possible for you.

Robert MacDonald: It's true. That is probably true. That's very true actually. And now Sheila, this is where we try to figure out, okay, so when are we actually live?

Javed Shah: We've been live for about 10 seconds.

Robert MacDonald: Yeah.

Javed Shah: And I'm always right about that.

Robert MacDonald: Yeah. I wait for my watch. My watch will ping us saying that.

Javed Shah: Yeah, nonsense. And you're always wrong. That's how funny it is.

Robert MacDonald: It's true. It's always a couple seconds after we've actually been live. So now it does say that we've been live-streamed. But again, Javed, do you think we're ready?

Javed Shah: Yes, I think so. I think we are like 20 seconds into it now already.

Robert MacDonald: Yeah. All right.

Javed Shah: First one of the year. Let's go, Robert.

Robert MacDonald: First one of the year, yeah. All right. So hi, everybody. I think we're live. I'm Rob and you're probably wondering why do I have the awesome sweater on today. One, it's because I'm cool and I'm trying to keep up with Javed. Two, was because we didn't actually get to do one before the holidays, so I thought, well, it's better late than never. I'm all jingly today and we have a special guest.

Javed Shah: Oh my God, you have jingles.

Robert MacDonald: So happy holidays to everybody. Hope everybody had a great holiday, Christmas season and everybody had a great happy New Year. And our apologies for not getting to you and talking to you and saying all those great things before the holidays actually started. But we appreciate everybody that hung with us last year and we're looking forward to getting another year of these amazing episodes underneath our belt, right, Javed?

Javed Shah: Hello, everybody. Yeah, happy New Year. Obviously great to see everyone back.

Robert MacDonald: Yep.

Javed Shah: Hopefully you guys have had a great January.

Robert MacDonald: Yeah, January is almost over.

Javed Shah: What are you doing?

Robert MacDonald: A little late. A little late.

Javed Shah: January 26th.

Robert MacDonald: Yeah, January 26th, our first one. But I mean to be fair, we had sales kickoff last week and all kinds of great stuff here at 1Kosmos. So it's again, better late than never. And today we've got a special guest, Javed.

Javed Shah: Well, yeah, who's that? We have someone here. Hello.

Robert MacDonald: Who's that?

Sheetal: Hi everyone, this is Sheetal here. I'm a product manager at 1Kosmos.

Robert MacDonald: So Sheetal, this is a great opportunity. I know that you report into Javed, so this can be a therapy session for you if like. If you'd like to go through and talk about all of the things that you don't like about Javed, that'd be great.

Javed Shah: Okay. Time to exit here.

Robert MacDonald: But we're actually going to talk about things that are a little bit more important than that. We'll save all that stuff to the end. So today we're going to talk about NIST IAL2 proofing. So identity assurance level two proofing. Correct?

Sheetal: That's our option.

Robert MacDonald: All right, Sheetal. So before we get started, we should probably talk a little bit about what NIST is and for those of you that already know what NIST is, I don't want to talk down to you, but some of you may not quite understand what NIST is or what it does. Sheetal, do you want to tell us a little bit about that or would you like me to do that?

Sheetal: Yes, absolutely.

Robert MacDonald: Go for it.

Sheetal: So NIST is a federal agency. They primarily work towards setting guidelines for cybersecurity and digital identity. One of their particular topics is around how do you implement digital identity services. And this is specifically handled in the guideline that is referred to as the NIST 800-63-3 and of late, 800-63-4. So for anybody who is looking to see how can you make sure you are running access to the right people at the right time as a digital service, this is a guideline that should be of concern.

Robert MacDonald: That's cool. So when you look at identity proofing, so we all know how we prove identity kind of in the real world. We got a wallet. Javed, when the cops pulled you over last night for speeding, they came and tapped on your window and said, "Can you show me your wallet?" Right? I believe that's how, or your driver's license. Right?

Javed Shah: That didn't happen because I sped off.

Robert MacDonald: Okay. That's why you got that cool leather jacket on today. So how do we do that kind of in the digital world? So I guess to that, Sheetal, why is identity proofing important to a business or a government or individual? Tell me a little bit about why identity proofing in a digital sense is important.

Sheetal: Okay. So I think the most important thing is online fraud, right? Robert, if you don't want me to grab your tax refund check and then go buy a Lamborghini with it, then maybe that's a really good use.

Javed Shah: His tax refund check?

Robert MacDonald: Absolutely.

Javed Shah: Okay. That's funny.

Sheetal: Yeah, so that's a great reason. You definitely want to stop online fraud, especially with any digital service. The second thing is to make sure that you're able to distribute a digital service very efficiently. Now let's say you're the government of the United States, you need to make sure that everybody gets their COVID relief fund as quickly as possible. Any kind of distribution is made easier without them really having to turn up in an office and prove their identity. It can all be done remotely. So the speed and efficiency of making sure that a digital service can be delivered quickly to a citizen, to an individual is what most importance from an identity proofing perspective.

Javed Shah: And also just making sure that it's actually the same person that the ID was issued to. You can prevent in the workforce context, you can prevent a contractor jacking for example. Right? That's one highly relevant, should we say use case. More than just expediency of service. Sorry, Robert, go ahead.

Robert MacDonald: That's right. So I guess on that point, in that direction that Javed was going with that, what kind of industries, what kind of organizations can something like an IAL2 level proofing help with?

Sheetal: Yes. So when the obvious things that the obvious industry is definitely is to start off in the federal space. Any kind of government agency where you want to avail a benefit from the government or your city based on your identity or tax refund, veteran affairs, those kind of industries are the obvious ones. The next one definitely is from a workforce perspective, like Javed was saying. If you want to make sure that your employees or contractors, more importantly, are who they say they are, you're making sure you have the not just an account information, you have the identity information every time they're accessing your system. That's another great use case industry that we've seen it being implemented in.

Our most recent industry that we've seen a lot of traction in is definitely the healthcare space. If you are a healthcare customer, you're going into a hospital, you don't need to go into a hospital to avail a healthcare services. You should be able to prescribe to any of those online. So we're seeing a lot of traction with digital identity in the healthcare space. Banking, you should. We have KYC processes today that happen completely in person. Why can't we move those online? You should be able to prove your identity just digitally and be able to open a bank account. So those are some of the major industries where we really feel that IAL to proofing can really help with.

Robert MacDonald: So what do I need or what would I use to generate an IAL level two proof? So if I'm Rob and you say, Rob, I need you to have an IAL level two proof, what do I need to provide you to make that happen?

Sheetal: Okay. So Rob, first of all, to prove who you are, we rely on multiple signals and what you would need to provide us with is an email address, a phone number, and then we would start off with any kind of government documents because those would sufficiently establish who you are. And in certain cases we would ask for a combination of government documents to make sure that who you are. And finally we also do a selfie match, which is being able to have a live biometric of you to make sure that there is a good match. Now why is this not a single document? Because we want to make sure that we have signals across different channels to make sure that Robert is who you say you are. So that kind of triangulation logic is what makes us powerful in making sure that a user is of identity level assurance too.

Robert MacDonald: And when you say government documents, I'm assuming you're talking about a driver's license, passport, national ID.

Sheetal: Yes.

Robert MacDonald: Social security number, something along those lines.

Sheetal: Yes. And then these differ country to country. So depending on the country, your set of documents to get there will be different.

Robert MacDonald: Okay.

Javed Shah: Just quickly.

Robert MacDonald: Go ahead.

Javed Shah: Just quickly. I guess the implication to the end user necessarily isn't that the end user, the person, the individual is generating anything. They just are who they are, like Robert dressed in this Christmas.

Robert MacDonald: Christmas sweater.

Javed Shah: Colors awesome. It's more the provider who comes in this case asserting that they can attest to a NIST certified identity assurance level of two for Robert, given the proofing exercise Robert's been through with the provider. I think that is the platform play here, right? Because the platform is able to assert to that level of assurance, it could also reuse that assurance for authentication or authorization as the use case maybe. Right? So I love talking about platforms as Robert already knows. We harp on that all year long.

I think it's more than just a point proof me a play. It's proof me and reuse that. Don't have me re-scan my DL just because I want a fifth line with AT&T and then I have to go apply for my naturalization app or something else. But they have me scan the DL again. I think that re-usability is what's missing in the industry and it's a really sore point because common folks like us, we have to go through this over and over and, well, we could probably help solve some of this.

Robert MacDonald: That's frustrating because we know that there's an answer to that problem. So on that note, Sheetal, listen, Javed and I talked at length what the benefits, what our platform brings to the table. And we don't normally pump our own tires on IBA Friday, but I think in this case I brought-

Javed Shah: Exactly what we do.

Robert MacDonald: Yeah, yeah. It's exactly what we do. But in this case there are some things that we do that are special. If I'm going to give you all of my PII data, I'm going to give you my driver's license and passport and all that kind of stuff for you to prove who I am. Well, you better be managing that properly, right? So tell me a little bit about some of the benefits that we bring to the table around that privacy management and all the other great stuff that we bring.

Sheetal: So this takes us back to our philosophy. As a company, we are defined by the fact that we are a privacy by design company. We believe in making sure that the identity of the user is always user controlled, user managed. What do we mean by that? To a layman, it means that you have a digital identity wallet. That identity wallet can only be opened by you. It can only be shared when you choose to share it. And all of that information is always under your control. How do we do that?

Javed Shah: And revoked. And revoked.

Sheetal: And revoked.

Javed Shah: As you please.

Sheetal: And revoke it as you please. So we have cryptography wallets that sit behind the scenes. The private key that controls that particular wallet is always under your control, without getting into too much detail. What does that mean to the end user? The end user is always in control of their identity. They don't have to worry about their PII being in different databases or in their dark web somewhere. To large organizations what this enables them to do is that it helps them protect against any kind of breach, right? Because you're not keeping this PII anywhere on a centralized database. So that is what makes us unique in across this market space.

Robert MacDonald: Cool. So you talked a bit about document verification and you talked a little bit about the identity assurance level. Is there a difference between the two?

Sheetal: Definitely there's a difference. So Robert, when there are many scenarios where somebody comes in and just hands your DL and there's so much fraud that happens just from presenting a single document. IAL2 or ID level assurance two is a journey when I'm interacting with the same person at multiple points of time to get different signals. Okay. So I'm trying to map behind the scenes. Does Robert's address really map to things on his driver's license? Does his SSN information really add up? So it's a journey and at the end of that journey we are able to compute a score as well as an identity assurance level. So we can assert with certainty that you are who you say you are. Not with just one document, but with multiple signals. So that's really helping prevent fraud.

Javed Shah: Right.

Robert MacDonald: Go ahead.

Javed Shah: The extensibility there is that it's not just a point in time exercise and we know how crazy Robert can get sometimes. Maybe his driver's license expired and he still wants access to the same service. Our platform is able to track the validity of the document along with the proof of verification that we embed in our platform. We know. Well, it's not the same that it was before. So your identity assurance level cannot be asserted at the same level as we did before. That is also a key capability.

Robert MacDonald: Because the document expired.

Javed Shah: It is expired literally.

Robert MacDonald: Got it. Got it. Okay. So Sheetal, can you show us maybe what that journey or what that trigger for an IAL level two could potentially look like? Do you have maybe a demo or a picture that you can walk us through?

Sheetal: Yes.

Robert MacDonald: Walk us through what it looks like?

Sheetal: Sure. I'm going to share my screen really quick.

Javed Shah: Robert, we should plug in our change logs. It's a good time to plug them.

Robert MacDonald: Yep. For those of you that want to see changes that we've made to the platform, which is quite frequent, you can go to 1Kosmos.com and look for change logs and all of the updates to the platform that we have are listed there. And for that matter, you can go look at our Devex platform too if you want to go see how some of the stuff works from a developer standpoint. You can look at that as well. It's all there. Go ahead Sheetal. Sorry. We're just filling in.

Sheetal: Any time there is an end user involved, the most important thing for us as a company to remember is to make this entire process of identity verification extremely frictionless. It needs to be something easy, something that's quick for the user to go through to get to that IAL2 level. So that really is at the heart of our implementation. So let's say Acme Health wants to make sure that Robert is who he says he is before he gets access to a doctor for an appointment. How would this process work?

So the job board would come to our CSP site. He would start by creating an account and for creating an account, we are going to make sure he has a email that is verified as well as a phone number that is verified. So that's really the first step, just basic account set up and making sure that we have some minimal signals from there to make sure that that is Robert.

The next step is to set up an identity wallet for Robert, right? Why do we set up an identity wallet? We want to make sure that all of his PII information is tucked away within that identity wallet that's been created for Robert, the private key of which he is always in possession with. Once that identity wallet is created, the third step is to begin with a government document. And that can be anything depending on the country that you're coming from. It can be a driver's license, a passport.

We do this quick scan of the front, the back, as well as do a selfie, taking a quick picture of the person to make sure that there is a match between the face on the ID as well as the biometric that we saw. The key thing is also to optionally include some sort of signal from third party sources, like third party databases to make sure that this ID sort of matches up.

And finally, in certain scenarios we do prompt for a social security number if we're not able to sufficiently prove that, hey, the signals that we've received about this user add up. Once they've done all of that, we do some triangulation at the backend to make sure that, hey, you know what, based on all this information that you've provided to us, you are at IAL level two depending on the standards that have been defined by NIST. And finally the last step is for Robert to go back to Acme Health and say, "Hey, you know what? Here is some verified information that I consent to share with you." For example, Robert could be asked to share his address. Now Acme Health knows that this address is not something that Robert is asserting. It is actually address information that has been verified and coming in from a government document. So that's a real benefit here. The experience is designed to be friction free, making sure that the user is able to go through this quickly and return back to Acme Health so the user is back on their merry way and doing whatever and get access to whichever digital service they need.

Robert MacDonald: That's pretty cool. Sheetal, thank you for walking through that with us. That was great. You're definitely an upgrade over Javed. Maybe we'll have to look at swapping you out. But all kidding aside, Javed, do you have anything else for Sheetal before we wrap things up today?

Javed Shah: No, this was great. She's the best person to present this because she invent it.

Robert MacDonald: That's right. That's true. Actually, we probably didn't even mention that. Sheetal is a genius.

Javed Shah: I did. Hello? I did.

Robert MacDonald: Yeah. Yeah, that's true. But yeah, Sheetal was the PM responsible for getting this all put together, delivering a CSPA credential service provider from 1Kosmos is-

Javed Shah: And she's also the one to bug for use cases that apply to the CSP, the one to reach out to. Please do actually.

Robert MacDonald: Yeah. Absolutely. Anyway, on that note, thanks everybody for coming by today. We appreciate it and we'll see you again in a couple of weeks.

Javed Shah: With routine time zone. Thank you very much everybody.

Robert MacDonald: Yeah, I won't have my bells on. I'll have something else on.

Sheetal: Something new, right?

Robert MacDonald: Yeah, something new. Something new.

Sheetal: Valentine's Day is right around the corner.

Robert MacDonald: Ooh, that's a good point.

Javed Shah: Oh, goodness. No.

Robert MacDonald: I have to think about that one. It's a good point.

Javed Shah: I'll [inaudible 00:20:31].

Robert MacDonald: That's a public service announcements for all the boys that are watching the show as well. Valentine's Day is coming. Yeah.

Javed Shah: You should end it here while it is still open.

Robert MacDonald: Fair enough.

Javed Shah: See you guys. Thank you so much.

Robert MacDonald: All right everybody. Thanks a lot.

Sheetal: Bye-Bye.

Javed Shah: It's good, I think.

Robert MacDonald: I think we're good.

Javed Shah: Good one. Yeah, I think so.

Robert MacDonald: Yeah, it was good. Maureen.