Portable Digital Identity Using Verifiable Credentials
Join Robert MacDonald, Javed Shah, and Sheetal Elangovan, for an IBA Friday session! In this episode, they discuss the MGM cyber attacks, Gartner’s Market Guide for Identity Verification, and portable digital identity using verifiable credentials.
Video Transcript
Robert: Hi, Javed.
Javed: Hey Robert.
Robert: How are you doing?
Javed: I'm good. How are you?
Robert: I'm doing good. Hello everybody. Welcome to our latest IBA Friday. It's been a couple of weeks since we've seen you last. In fact, it's been even longer since you've seen Javed because I believe you were feeling under the weather during the last one. So welcome back.
Javed: Thank you. I got whatever was going on a couple of weeks ago.
Robert: Yeah, there's lots going around. The kids are back in school and everybody's sick.
Javed: They're always bringing it home.
Robert: Yeah, that's the downside. So we got a couple of things to talk about today, Javed. First and foremost, we had a mention in our recent Gartner Report, Market Guide for Identity Verification. And this paper is about identity verification in terms of how it helps deliver security and compliance and trust across different use cases. Looking at it from a security and risk management standpoint, looking at the leaders that are responsible for that kind of stuff, they got to look at how to differentiate between vendors that are looking at features versus core identity verification and how they can better manage that to build approaches into how they enable this across the organization, specifically when it comes into AI enabled attack vectors and things along those lines. I know you read the report, why don't you just give us your two seconds on it in terms of what was in it? And it's cool just being mentioned in a lot of these things, right?
Javed: Oh yeah. I think it's a pretty comprehensive report actually. It's very interesting. It's almost like a vision paper, the report. It reads like a vision paper on what verification is supposed to do for you. And it is not supposed to be a point solution as it was obviously initially crafted out to be. It was always positioned as, okay, you scan your driver's license, let's say that's the document of record we pick for the discussion.
You scan it, and I know you, okay, done. It's not like that. It's the continuous verification of a person that they are indeed the same person now that they're engaging in higher value transactions, transfers, howsoever they're interacting with this larger ecosystem that we call an enterprise. So it's very interesting the report actually mentions there are inflection points in a customer's journey where you should be able, here comes the phrase, reuse a proofed person's identity. How many times have I said it on this call, you've said it on your webinars. We are the platform that you use to reuse a person's proofing event, using encrypted POV records, proof of verification records, carry them around in the wallet or export them to other wallets, so on and so forth, of course. But it's the platform that you use with. We've mentioned low code, orchestrated high assurance, medium assurance, journeys before in this call, said things are now in a paper by one of the leading analyst firms in the world. So good stuff happening. A lot of assertion and affirmation coming from the analyst on this topic, Robert.
Robert: It's cool stuff. And we've got a special guest today, which we haven't brought on yet, but she's actually going to cover some of the things you just talked about, where you can reuse that digital identity and how you build that wallet and what that looks like. We're going to take you on a bit of a journey in terms of what that looks like from a 1Kosmos perspective, which is cool. Sheetal, are you with us? We might as well bring her on now while we got her in the wings there. Everybody knows Sheetal. She's been on these things many times. Hi Sheetal, how you doing?
Sheetal: Hi Robert. Hi Javed.
Robert: Welcome back to IBA Friday.
Sheetal: Always a pleasure to be here.
Robert: Oh, by the way guys...
Javed: She didn't mean that, by the way, Robert.
Robert: I know she didn't. I know. I am enjoying an IPA today.
Javed: Oh my god.
Robert: An IPA.
It's not an IPA, it's actually an amber, but it's a local brewing company here.
Javed: I have water for you brother.
Robert: Attaboy. It's an Amber Ale. It's ABC, Ashton Brewing Company. If anybody's ever in Ottawa, it's a great brewery. Anyway, moving on. Big news this week as well before we jump into Sheetal, and you're going to show us verified credentials and all that kind of stuff. We'll tee that up in a second. But MGM had a big hack, as did the Caesars Group. Ransomware, all kinds of crazy things. Caesars paid it upfront. They were up and running pretty quickly. MGM, doesn't look like they did based on what we can tell. It was done by an organization called Scattered Spider, I believe. They did a vishing attack, of which Javed, I'm going to get you to tell me a little bit about that here in a second. But essentially what ended up happening, they were able to do some social engineering. They said, "Hey, I found Javed on LinkedIn. I can find all kinds of things about him working at MGM. I'm going to call the help desk, impersonate Javed and get my single sign-on credentials reset so I can log in as him." So you spend, you and Sheetal in particular, spend a lot of time building the 1Kosmos platform to help prevent something like that happening. Do you want to shed a little bit of light in terms of what we do? And you already touched on it, but what is it that we bring to the table that would prevent maybe something like that happening? And again, we're not ambulance chasers. What happened to MGM is terrible, but there are things available today that you can leverage to prevent things like that from happening. Do you guys want to shed, just quickly, 30 seconds, what we can do to help prevent something like that?
Javed: Define what vishing is, right? So I'm learning all these new terms.
Robert: All the ishings. There's lots of them. Phishing, vishing. Unique.
Javed: Apparently this is about leaving a voicemail, requesting your information from an otherwise well-known service that you as an end user do business with. And I think simply an out of band, one-time passcode, just the laziest option out of this can still solve for this problem. And of course, we have support for not only these one-time passcodes sent through various channels to the end user via either an SMS to your phone or a message to your email. But also, we have support for a voice delivered one time passcode. So anyways, the point is you really want to make sure that this voicemail, that it is received where someone's asking for private information, asking you to go visit a link. I literally just showed you my phone before the call started about a USPS phishing attempt, right? Someone mimicking to be the USPS, US Post Office, and saying, "Sorry, I couldn't deliver your mail. Just click the following link, by the way." And the DNS happens to be USPS dot something. How the hacker does figure out to mimic that domain is beyond me. But I could very well have clicked on that, but I didn't because obviously I'm a security professional. But would be nice obviously for the messaging for these reach outs from services and companies and businesses, to any of those, to include some out of band information. By the way, we do want to get in touch with you and we've sent you a proprietary security token. Let's say a one-time passcode. Let's just say to your email, go validate yourself. That should bring up, let's hope, an advanced biometric prompt, potentially, eventually. If not just a one-time passcode where you reuse what you've proofed with 1Kosmos before. Much could be said, but very interesting. Vishing is a new one. Vishing with a V.
Robert: And the big thing now is that now that it's been done successfully, there's going to be others trying to replicate that, which is pretty crazy.
Sheetal, anything you want to add to that or do you want to just jump in and we can show different ways? Maybe you can use Build A Wallet as an example.
Sheetal: Of course. I think we should jump right in.
Robert: So let's tee this up for a second. Was it this week? It was last week. Last week. Last week you were at Finnovate, fall, and we had an opportunity to be up on stage and show some of the cool technology that we have here at 1Kosmos. Why don't you tell us a little bit about what you showed and then show us what you showed.
Sheetal: Of course. I'm going to start off by actually-
Javed: Did we win something?
Sheetal: Best ID management solution?
Robert: Yeah, we did. We won best ID management. That's another thing I forgot. That's a good thing to bring up Javed. You're right. We did win an award for Best ID management solution.
Javed: I thought you would bring it up but.
Robert: Completely forgot. All right Sheetal.
Javed: It's that local beer with...
Robert: It is the beer.
Javed: ... times the amount of alcohol.
Robert: And I'm not even halfway through it yet. All right, Sheetal, what do you got? Show us.
Sheetal: So Javed and Robert, of course, they're very capable of making absolutely false claims about themselves. So how can we really prevent this? That's what we're going to talk about. So the primary premise or what we showcased at Finnovate was how can you help a user build a digital wallet that truly helps you show your affiliations, who you work with, which company you bank with, do you have a verified ID? How do you show this as proof to someone, hold it digitally and make it really easy for a verifier to access all of that information. For you as a customer, you want to be able to hold proof that I am a graduate from Stanford University or I'm an employee of 1Kosmos. I bank with this particular bank.
Holding all of these proofs can be made really easy for a customer and for a verifier to also access, and 1Kosmos is here to sort of enable this entire ecosystem. So what we did showcase at Finnovate this time was how can you hold digital proof in your wallet? How can you make your driver's license scan something that's reusable, can be presented to any other entity? So what we showcased there was a fictitious entity called Fin Pass who helps an end customer go through an identity verification process. So once they finish ID verification, they've really verified themselves. Now why can't I just hold this as proof where I can present this multiple times? Why do I have to go through ID verification again and again? So we showcase how an end customer can hold their proof as a reusable credential and how they can truly present it to anyone who needs to see it. Once you have that digital credential that says that, hey, I am a person who has a verified driver's license or a verified university certificate or a verified employee, you can present it in a workflow setting, you can present it to avail a discount or when you're trying to open a new bank account. So that's what we showcased at Finnovate this time. Anything that both of you wanted to add before I get right into the demo what we showcased?
Javed: Just that what you were showing on that slide, you were summarizing, but that's a journey, and it's an orchestratable journey. God help me. And we have a control plane where you are able to make subtle changes, add nuances to this journey. We're obviously always building something out as you can expect.
But again, referring back to the Gartner paper that Robert alluded to earlier, the stress and the focus for truly bringing out the value of identity verification for a business is in clearly the continuity that it offers, because at different inflection points, you should be able to reproof a person without physically reproofing them because you have a set of verified claims for them, but then also perhaps built on controls, like MFA controls or geo specificity or whatever other controls you'd like to add to really bring that journey forward and offer different journeys for different users. And I think that's what this picture shows you because it resembles that journey, which is what I think the industry wants to move to.
Sheetal: Absolutely. So jumping right to the demo here. So what we did showcase is this entity called Fin Pass, which is where an end customer would land to grab their credential. So think of them as a trusted entity like a bank, someone who knows and who's capable of issuing a verified credential. So what the end customer really does here is they start by opening an account, they provide some basic information about them, and once they finish getting set up with their account, what they're really doing here is they're trying to get a verified ID. And the way to get a verified ID is to present any kind of government document that says that you are who you say you are. And 1Kosmos here, we were awarded the best ID management solution, so we're not really going to go through the scanning process here. But what I'm doing here behind the scenes is scanning the QR code, going through an ID verification process where I'm scanning the front of my ID, the back of my ID, providing biometrics. We're doing a lot of triangulation here. But just really skipping ahead.
What I do here is I'm done with my ID verification process, and the 1Kosmos platform provides some amazing information about your ID verification that it was a valid document, your likeness, it was not from a scanned document, there was a good match between the face that was presented as well as the document. So this is all great proof here along with all the claims about myself. So right below you'll see my driver's license, my images, all of the information extracted. Now if I want to make this a completely reusable proof, how can we do that is what we're going to talk about next. So end user can go ahead and scan this QR code that is available here using the Block ID mobile app. So I have a QR code here which says that this is proof that Sheetal has completed ID verification and this is the information that we gathered from her ID. So what I'm doing here is I'm scanning the QR code that I see here through the Block ID mobile app, at which point I am getting a beautiful credential here that says some amazing information about me. It says, hey, this is my driver's license ID, this is the date of expiry, my first name, last name, along with an identifier that says that, hey, this is immutable proof that lives on the blockchain, that a verifier can query and understand that this is indeed true evidence that's being presented. And I'm going to go ahead and hold this card inside my wallet as a verifiable credential, along with all this beautiful information. Now I have all of this information. How can I use this? How can I use this as reusable proof? There are different partners that we can work with. You can use this as an ID when you're opening a bank account or trying to rent a car, or even when you're trying to get your tax return where they're going to ask you to prove your identity. Or when you're at a Walgreens and you need to get your prescription, they want you to show your ID. So you can use it in any of these places where it is accepted. 
Because all of these verifiers are able to query the blockchain, make sure that this information that's being presented is accurate, and it's all digital, behind the scenes happening here. The second part of the demo was really showcasing how can somebody leverage this? How can a verifier use this? So in the next part of the demo, what I'm doing is I'm heading over to a car rental website where I am picking a car that I love and I'm signing up to drive that car out. And what the website is telling me as I'm booking this is, if I provide a verified ID, then they're going to offer me a no contact checkout. And of course, I'm going to do this all digitally where it says that, hey, show us your Fin Pass verified ID, and you can get a no contact checkout. So that's a great offer there. You're saving time for your customers, making sure there are no queues lined up at a point of sale. And then it's as simple as this. So the user has to go ahead and scan the QR code. And what happens behind the scenes is the information is traveling from my wallet to this particular site here, with my consent. Behind the scenes, the verifier goes ahead, where the blockchain, verifies that this information is indeed accurate and they're able to say, "Okay, this is indeed the ID and this has been verified, and I can go ahead and offer this discount or service to this particular person." So I go ahead, continue to checkout, and it's done. I can just walk out with my car when I land at the car rental website. So this is really what we showcased at Finnovate, how banks or FinTech companies can help their customers gain identity that is usable, as well as use it with an entire partner network so that they may avail a discount or create an ecosystem where fraud is a lot harder to accomplish. So hopefully that was a fun one. And Javed, Robert, anything that you guys wanted to add?
Robert: No, listen, we've been talking about bits and pieces of this for the last, I don't know, two years, Javed. How long have we been doing IBA Friday? And I think this is the first time where we've shown it all put together. And it's pretty cool stuff in my opinion.
Javed: And I feel like you build the platform that is able to extract verifiable claims first, you do that in a secure and privacy focused manner. Once you've done that, you enable multiple channels for users to be able to obviously present their documents of record and get themselves approved, verified, then you offer a control plane for administrators to change that journey as they see fit. And then you also offer the full lifecycle for the user to manage the wallet that stores those proofs of record, to recover, restore, and transfer those to other devices, so to speak. So I think it's the entirety, the full trifecta of those elements is what I think we personally are on a journey to complete. It's not done. We're not done. But what you saw here is one end-to-end journey coming to life.
Robert: No, listen, it's really cool and it's a great demo, Sheetal. Appreciate you coming on today to show us how this all works, how it's all coming together. I'm sure we're going to have you on again soon so you can show us more. But no, that was excellent. Listen guys, I know that we went a little bit longer than we normally do. Appreciate everybody hanging in and just checking out what we got going on today. There's lots going on here at 1Kosmos, and we appreciate you swinging by and sitting in through another IBA Friday. Sheetal, as always, great job. Love having you on. Javed, have a good weekend.
Javed: You too, buddy.
Robert: Sheetal, you have a good weekend too. And we'll see everybody again soon. Thanks.
Javed: Thanks. Bye.