5 Recommendations to Close the Security Gaps in Single Sign-On

Video Transcript
Robert MacDonald:
Welcome. Today, our presentation is on five recommendations to close the security gaps in single sign-on, and there's a bit of a hot topic going on around that right now. Mike, we're going to jump into that in a couple minutes, but my name's Robert MacDonald. I'm the Vice President of Product Marketing here at 1Kosmos. I've been here for a little over three years now and I'm just happy to be along for the ride with Mike during this presentation. Mike, why don't you tell us a little bit about yourself and what you do here?

Mike Engle:
Yeah, happy to be here. I'm one of the co-founders, so going way back a little longer than you. But three years, congratulations. That is an eternity in the tech world, right?

Robert MacDonald:
It is.

Mike Engle:
So glad you made it with us that long. And yeah, my background is in InfoSec. I built, scaled and ran the program at Lehman Brothers for many years and then moved into the venture-backed startup world after their demise, and now I'm all identity all the time, so that's what we'll talk about here today.

Robert MacDonald:
Yeah, we're going to talk a lot about that today. All right, before we get started, I just wanted to highlight one thing. We do have a number of live sessions that we hold here at 1Kosmos. One of them is IBA Friday. We have one coming up tomorrow. It happens a little after 2:00 on LinkedIn. It's a LinkedIn live session that we do, myself and Javed, our VP of Product Management run that. Mike, I had you on two weeks ago, or maybe three weeks ago, to talk about passkeys. Tomorrow we're going to talk about verified credentials and what that looks like from a 1Kosmos perspective. But if you want to see more about what we do and how we do things around here, that's a good opportunity. They're very short sessions. They're normally no longer than 20 minutes, but it's a good opportunity to learn more about the technology and what we do here at 1Kosmos.

Normally, we'd also show what our upcoming webinars are before this. The next one that we're working on is a big one, so we don't have quite all the T's crossed and i's dotted on that yet. So keep an eye open on our website, but we've got a really, really big partner coming along for the ride with that one. We actually have two of them and it's going to be a great session, so keep an eye open on our website for that. But for now, Mike, let's jump in and talk about securing single sign-on and data breaches, right? So why don't you give us a little color based on the experience that you have and what we see going on in the market right now. This 81% number seems to be astronomical, but why don't you give us a little bit of color in terms of what you're seeing in the industry right now around data breaches and how they're happening and what's going on there.

Mike Engle:
Yeah. Going back, I'm old, so when I first started building InfoSec programs, it was all about perimeter, keeping bad guys out. That was really all you did. You had firewalls and then you had antivirus and endpoint and some stuff in between. But now, since everything is exposed and everybody can log in remotely and there's all these SaaS and cloud things, it's really all about identities. Identities have now become the new perimeter. You get somebody's identity, or what people are thinking identity is. We'll talk about that here today. You're in. You bypass firewalls, you bypass endpoint protection. So the hackers know that. And phishing, vishing and all these other things are now the way that people get in the front door. And we're going to talk about that here in a slide or two. So these stats are obvious. Hackers don't hack in anymore. They log in because we don't have identity.

Robert MacDonald:
I was waiting for you to say that you're building security with punch cards, but that's good that you didn't go that ... It's firewall.

Mike Engle:
Not quite that far.

Robert MacDonald:
So you're not that old. You're not that old.

Mike Engle:
Not quite.

Robert MacDonald:
All right. A pretty major event took place in the last week or so, Mike. There's a recent ransomware attack. It was at the MGM casino. It also happened to the Caesars group as well, but they paid the ransomware to keep the business up and running. But in terms of the reports that we're seeing, everything from hotel digital room keys to slot machines were offline and still are, I think, since the last I've read on it.

Mike Engle:
That's right.

Robert MacDonald:
An organization called Scattered Spider is believed to be the one responsible. They did it via a social engineering vishing attack. The report cited that hackers gained access through a single sign-on login. And what they did is they called the help desk to reset a credential through doing the vishing attack. So they did a little bit of social engineering, they went to somebody's LinkedIn, learned a little bit about what they do, called the help desk, and then impersonated that person to get their credential reset. So what are your thoughts on this, Mike? It's fascinating. I mean, we're still learning about it, but so far what have you gleaned out of this?

Mike Engle:
Well, it really iterates challenges that we're seeing around ... I mean this is legacy authentication that every company's using. Legacy username, password, 2FA. I deployed my first 2FA system in the late '90s. It was a SecurID server with the hard tokens. And that's really still the standard. It's username, password, and some kind of one-time code or a push message. So that's not sufficient anymore. We need identity. We'll talk about that here today, obviously. So the help desk, there's only so much they can do. People are people. They make mistakes. We need to build the systems to mitigate the exposure to those human elements. How do you do that? Well, that's what we'll talk about here in just a minute. So MGM, we're not picking on them or their SSO provider. This could happen to anybody. It could happen to 1Kosmos. Much less likely because of the tech that we'll show you here today. So yeah, I feel bad for these guys. It's a life-changing event when you go through this.

Robert MacDonald:
It's a tough one, right? That's a tough phone call to wake up to in the morning saying, "Hey, everything we're doing right now is locked down. We've got to go to ..." I think they're doing manual processes right now.

Mike Engle:
Paper IOUs at the gambling tables.

Robert MacDonald:
Imagine. Imagine, right?

Mike Engle:
Oh man.

Robert MacDonald:
And that's tough. And again, we're still doing things to protect the antiquated way that we've been doing it for years, right? Passwords have been around for 60 plus years. And if you think about all the technology changes that we've had over the years in terms of how we try to run our infrastructure and secure our infrastructure, that's the one thing that hasn't changed, right?

Mike Engle:
That's right.

Robert MacDonald:
Legitimately, that's the one thing that hasn't changed, but a lot of the technology we're putting into place has been layered on top to try to protect that one thing and we're going to talk about that here in a second. So I think we have poll questions, Maureen. I think that's the magician in the backend here that's running everything. So our first poll question, are you worried about your SSO system being a single point of compromise? And that's a yes and no answer. I think that's relatively straightforward. Mike, what are you seeing on that? What do you think?

Mike Engle:
People definitely are because the SSO systems are making the news as well, and they're realizing that the SSO systems do SSO really well, but they aren't meant to do what we call real identity here that we'll cover. So I'm pretty sure I know what the answer will be. And yeah, you've got three quarters that are saying yes, so there you go.

Robert MacDonald:
Yeah, yeah. 75% of people say that they are worried about it. And again, single sign-on was brought on board to eliminate the number of passwords that people had to use in the run of a day, right?

Mike Engle:
That's right.

Robert MacDonald:
Make that easier for people to do in terms of logging in every day. But that one to many is a bit of a problem. So Mike, how do we solve ... We're going to dig into the recommendations, but there's two boxes here. Talk about how we can leverage or what we can do to solve the problem that we're facing with our single sign-on right now.

Mike Engle:
Yeah, there's really two techniques we're using here today. It's proving who you are remotely. Real proof, right? Not a one-time code, not something you can give to somebody else. And then being able to use that proof over and over again. And the only way to prove who you are remotely is with a biometric. Somebody might want to yell at me for using the word only, but please do. Educate me on that. So if you can give your authenticator to somebody else, it's not identity. When you walk up to the TSA agent and look them in the face or the state trooper on the highway, they look you in the face. It can't be somebody else in that seat unless you're Tom Cruise, Mission Impossible, rubber mask. But even then we have technology now to mitigate things like deep fakes and all that stuff. So we'll show you some demos of this, but it is a combination of really government credentials that prove who you are one time and then using that proof over and over again and it's that simple.

Robert MacDonald:
Yeah. I mean if we look at the way that we're doing authentication currently, it's about affirming that there's an identity present. But there's no real proof, like you said, that the user is who they claim to be, which is what the identity proofing side does. It gives you that high assurance that the person that wants to authenticate is the person trying to authenticate. And that high assurance is where a lot of organizations, specifically with this breach at MGM ran into. They had no way of assuring that the user calling in to reset their password was the actual user and that's where they ran into trouble.

We've got a quick demo, I think, Mike. We've got a video here. Hopefully this works. Do you want to walk us through this?

Mike Engle:
Yeah, I'll talk through it. Here's your traditional username and password on a Windows workstation, and this is what identity-based authentication looks like. You simply engage with the remote system. There's lots of ways to do this, but we're using a mobile phone here. And that's a real biometric proving that it's me, and that assertion is transmitted to the target system. Very simple. First of all, time to get in is super fast compared to typing a 15-character password. And then you can do some neat things with that same set of systems to make the second, third, fourth touch really easy. So you'll see here on unlocking, as long as I have the same devices with me, the watch I'm wearing, I can just ping and tap. So here's me tapping my watch to say, yep, I'm still here. I need to unlock my workstation. Amazing. We call this a high five moment in security. They're very rare, where your users walking down the hallway will give you a high five about a piece of technology that you deploy. And let's see the bad guys try to log in with that credential, right? Can't do it.

Robert MacDonald:
Yeah, and I mean the cool thing with that is that, I know it happened reasonably quick, but it asked you to do a couple of things there to make sure you were live. So there was the liveness check to make sure that the biometric wasn't just a picture or some sort of video or something along those lines. And the experience with that is something that we do all the time. I mean, how many times do we take selfies or look at our phone to log in? We do it all the time. So from an experience standpoint, you're not asking users to do anything they don't do typically anyway, which is kind of cool.

Mike Engle:
Exactly.

Robert MacDonald:
All right, so let's move on to the next one here. So we have our five recommendations. So I'm just going to quickly go through these, Mike, and then what I'll do is we'll jump into the first one and you can do a deeper dive on it. But recommendation one we're going to cover today is how to conveniently verify identity at first in every request without antiquated SMS codes or just antiquated 2FA in general. We're going to talk about that. We're going to talk about how to modernize authentication using identity verified biometrics for improved user satisfaction, which is not something IT normally considers or even looks at, but is important. And we're going to show why. Give IT the tools to control the rollout of a passwordless MFA through a phased implementation. I think one of the reasons why we don't see as much passwordless as we should is partly because it's just trying to roll it out is difficult.

Nobody likes change and that makes it even worse. Also providing a consistent user experience for even those systems that can't go passwordless. I mean at the end of the day we know that not everything can go passwordless so what do you do in that instance? How do you make sure that you're keeping the user experience consistent so they don't get tricked into giving somebody a passcode or a password or whatever that might be. And then ultimately reduce help desk calls and eliminate multiple authenticator apps, which is really going to deliver some ROI on the investment in something like we're showing today.

So Mike, let's jump in and talk about coverage beyond single sign-on. So conveniently verifying identity at first in every request without antiquated SMS codes. So just quickly talk about that, and I know we have a couple slides and we have a quick demo that we're going to show how this works, but what are your thoughts on that? How do people do that?

Mike Engle:
Yeah. First access. What does that mean? There's one tile that you had that says security/IT really don't focus on the user experience. I think that is changing. I'm seeing more and more CIOs and CISOs that are saying, I want to reduce friction because it's an enabler for my business just like it is on the customer side. It's now happening on the employee side. So you hire somebody, they go through an I-9 E-Verify process. Why not digitize that and hand them a credential at the same time? They never need a line manager to call them up and give them a username and password that they have to change. So there's really a way to jumpstart that. And then of course you can use that same process over and over again. So it's obvious that if there's username and password and push or any 2FA, and it's not just Okta, right? It's Microsoft, it's SiteMinder, it's you name it, right? They do SSO really well, but they don't engage with the users in an incredibly compelling way. And of course they're missing half of the environment, which we'll talk about here as well.

Robert MacDonald:
Yeah. I mean they're limited in scope, right? It's only what falls underneath. What do you do with all the other stuff that doesn't fall underneath that SSO protection? Okay. We got another quick little video that we'll show, and I think this is similar to what we showed before, but this time, Mike, we're just logging into Okta. Correct?

Mike Engle:
Once you have that trusted credential, use it anywhere you need to. In front of your CyberArk or your Thycotic, whatever. So this is an example of how we can sit and introduce true identity into an Okta authentication. So you'll see here again, we have a trusted authenticator and this was made with one of our integration partners. So you're engaging with that system, setting up a secure channel, and you are proving who you are once again. And it's that simple to introduce real identity to a downstream system. That's it. Now, of course you can do Touch ID and Face ID, but they're really good, they're limited to a device, but you could give that authenticator to somebody else because those aren't based on real identity. That's why we keep showing the use of real biometrics for those hard to reach places and hard to secure applications.

Robert MacDonald:
Yeah. If you look at Touch ID or Face ID, if you think about how that gets invoked on my phone, for example, I open up an app, I enter my username and password, and then it says, "Hey, do you want to use Face ID?" I'm like, sure. So all that does is just eliminate me from needing to put the username and password in every time. It takes my Face ID, says, yeah, that's Rob, based on what I know. I copy and paste his username and password in and then it lets me in, essentially. It's a very different experience from what we're talking about here from a security standpoint. So let's dig into that a little bit deeper and talk about this concept of ID plus selfie. So how do you modernize using identity verified biometrics to improve that user satisfaction? What does that mean?

Mike Engle:
Yeah, so this is where I hinted at this a minute ago, but identity verified. One of the best ways to verify identity is through government issued credentials. I won't say all because there's some people that don't have a driver's license or passport. Typically, if you're working for an organization that worries about SSO and passwordless, they have these credentials. So let's use them as real proof of who you are and issue a credential that has a chain of custody back to that. That's a really important differentiator because you could do this matching here on the left in the first tile, but then just hand them a basic old username, password and 2FA. Defeats the purpose. It's nice to be able to do that for new hires, but then you're kind of throwing that away. A tightly coupled system lets you reuse that proof of identity over and over again. And that's what we've done with a distributed ledger that gives you chain of custody of the authentication back to that genesis moment when you proved who you are.

Robert MacDonald:
Absolutely. And then again, like you said, leveraging that biometric going forward. So talk to us a little bit about the different standards that are involved in this and what that means specifically.

Mike Engle:
Sure. Yeah. There's really three standards going on here. NIST 800-63-3. It's been around since 2017. It's the government standard that establishes how you prove who you are remotely. It's not required for commercial systems yet today. I think there's more and more people looking to adopt it because it is the standard, but you do need it to access certain federal services. If you're doing things with the treasury department or healthcare, et cetera, it actually is mandatory. And even if you're just a bank, these principles here are what you do for KYC as part of the know your customer part. So it's clearly laid out. If your vendor has this certification, you know they went through a lot of diligence and they do things right. And then on the right you have FIDO, and also there's authentication built into the NIST standard. So this says, here's how you authenticate without a password. Again, leveraging that originally enrolled credential. Now FIDO doesn't handle yet today, they're working on it, verified identity. So if you put the two together, it's like peanut butter and jelly or identity-based authentication that I have here at the bottom. And there's certifying bodies that you can just check. If you're Kantara certified for NIST, iBeta for your biometrics and FIDO for your passwordless, you've got a great match and there's very few vendors that have all these certifications.

Robert MacDonald:
Yeah, no, it's certainly a cool way of doing things. So if we look at the components involved to make all that work, Mike, why don't you just walk us through how this all comes together? What are the components here?

Mike Engle:
So there really is a lot of confusion in this upper box. When you scan a driver's license, that's called document verification or ID proofing. And this is an industry that's been around for some time but really hasn't gotten adoption yet, but it's getting popular. So there's thousands of organizations now looking to do this. But if you just scan the front and the back and try to figure out if this is a valid credential, you're missing a key part. Because what we can do and what you should do and other providers can do it, is not only prove if this is a good document but match the face, but then extract what's on here and verify it with the sources of truth. That is the second box, identity verification. Now, verification used to be its own thing without the document. If you opened a bank account 10 years ago, they did verification by looking up your social security number or your tax ID, whatever. And separately, they're weak, both of them. When you put them together is where you get triangulation and you can really get a much stronger sense of who the person really is. And then as I mentioned before, do that and then give the credential out at that time and it becomes a holistic solution that you can use across any of your applications.

Robert MacDonald:
Okay. So what you're saying is that typically organizations would do the verification and then that is kind of a throwaway component, but instead use what you've done there and then take that and build the credential out of it so now every time the user goes to authenticate, you're looking back at that step you did at the very beginning to make sure Mike is still the Mike that I hired on day one.

Mike Engle:
Exactly, exactly. Okay.

Robert MacDonald:
I'm assuming that would come in handy when we get into things like third party contractors when maybe you're doing that completely remote and you're not quite sure it's still the same person that you originally hired. I'm assuming it would work very well there.

Mike Engle:
Of course. Yeah, identity is identity.

Robert MacDonald:
Yeah. Very good. All right, so we're going to do a quick example of what scan looks like.

Mike Engle:
Before we press play, let me tee this up because this process here, we showed some heavier touchpoints, very secure with an app, QR code, face, live ID, but there's thousands of use cases where you just need to touch and verify somebody at a point in time. So imagine I am pretending to be an employee of a large casino and I call the help desk and I just have to convince them and they press a button. Well, what if you ask that remote user to do something that proves the identity? And so that's this process here. Imagine this is a help desk screen on the left. There's lots of implementations here. This is like a self-registration. But let's verify that I am who I am remotely. So help desk simply types in my phone number, go ahead and roll the tape, and bad actors on the right or good actor and I'm going to remotely prove my identity here. And again, this is done without an app. It's just any standard phone with a camera using Safari, Chrome and the camera.

Very straightforward set of instructions. Here's the instructions, hold your phone up, it'll automatically take a picture, an amazing user experience. Do the front, do the back. Now there's all kinds of security, integrity, validity checks going on here in real time. And then we're matching the user's face to the document. This is the final step. It takes about two seconds and boom. And now here's an example of about 10 integrity checks that we're displaying here that say this is a valid user. It's not a replay. It's not a copy of a document. The document hasn't been manipulated. So there's all these different checks that we're doing. And again, this is a subset. There's literally dozens and sometimes hundreds depending on the document. Now, help desk just got a green check mark. Whatever the interface is, of course you could tweak that. You have a much higher sense of who this person is remotely and you can carry on with whatever other validation you need before you go reset that password or let them in the front door.

Robert MacDonald:
And like you said, if we look back at the example that we brought up at the very beginning, that would've ended that conversation about resetting that person's password into the single sign-on environment, right?

Mike Engle:
That's right.

Robert MacDonald:
That's cool stuff. Okay. Second poll question, Mike. Let's see if Maureen can put that up for us. There we go. Do you have a plan to go 100% passwordless across your enterprise, covering the gaps in single sign-on today such as desktops and legacy applications? We're going to actually touch on that here on the next slide a little bit deeper, but going beyond, if you look at single sign-on and everything else, do you have a plan to go passwordless? What are you seeing with that, Mike? I know that we've had some conversations, but you're certainly into them more than I am. What are you hearing from our customers?

Mike Engle:
I'm hearing that plan to go, yes. They know it's a huge deal. Gartner's been talking about it for five years, but 100%, they don't know how to do it. For good reason. You have an app that was made 20 years ago. It's a fat client. Some windows GUI or an impossible to change mainframe. So I would say that this should almost be 100% no. You could have a plan, but implementation of it. However, we can get to 95 and then you put the right controls around that final 5%. We'll see how this goes. There you go. 100%, no. Because it's not attainable. So it's almost a trick question, but something to think about because we can get in the high 90s.

Robert MacDonald:
Yeah. For sure, for sure. All right, let's go on to our next slide here. So we just quickly touched on deployment. It is a big part of going passwordless, especially depending upon the size of the organization. I don't think anybody wants to have everybody do it one way on Friday and then when they come in Monday morning, you've got 20,000 employees all of a sudden doing it a different way. That's going to cause problems. So having a phased deployment is certainly the right approach. So giving IT the tools to control a roll out of a passwordless MFA through a phased implementation. What are you seeing? What are your recommendations around that, Mike?

Mike Engle:
Yeah. You have to make it easy for not only the users but the IT staff. So a properly designed passwordless plan involves knowing what you have to change, why and how hard it's going to be. And so we make it really easy to drop the stuff in with minimal help desk impact and minimal impact to the IT staff. In fact, once this is done, IT staff should be able to reclaim a lot of cycles because they have fewer systems to manage and you have one authoritative source for identity within the organization. Today there's 10 minimum. So it simplifies the infrastructure. And this example here where you simply just come, scan a QR code and learn how to self onboard is a very powerful tool, allows it to go viral across the organization without IT having to do anything.

Robert MacDonald:
Right. And then if we look at other ways in which we can do this, there's a coexistence strategy that we can also support. So why don't you talk a little bit about what coexistence is and why that's important?

Mike Engle:
Yeah, again, because this takes a long time to deploy, you have to do it phased, but you also have to let users opt into it or use it programmatically over time. Ideally, we get rid of the stuff on the right. It's going to take years. Some systems faster than others. You may have to have a fallback mechanism in case people lose phones and maybe username and password is one of your fallbacks and you put all kinds of risk compensating controls around how you use it in the future. So this is how we deploy every remote access and operating system and our logins into SSL so that when you roll it out to one user, the other 20,000 users do option on the right, user one does it on the left and then you can ease into it over time. So it's pretty straightforward, but a lot of passwordless providers require you to eat the whole elephant in one sitting. That is a recipe for disaster.

Robert MacDonald:
Yeah, absolutely. I mean, if there's one thing that maybe people hate more than passwords, it's change. I know that whenever I ask my spouse to do something, she doesn't like it when I tell her to do things, but if I give her the option, then it certainly is a much easier journey and I think IT faces something fairly similar with that. Nobody really likes to be told what to do, but allowing them to ease into it is certainly a good approach. All right, so we talked just briefly and we kind of touched on it a couple of times, Mike, about experience. So how does somebody provide a consistent user experience, even for systems that can't go passwordless? Why don't you talk a little bit about how we handle that here and what organizations need to look for in general as they move forward in their passwordless journey?

Mike Engle:
If you think about the just let it happen as it happens approach that organizations are kind of stumbling into now, you have your desktop provider giving you some passwordless, your SSO provider giving you something else and some other authenticator, and then your VPN still uses tokens or YubiKeys. You have this hodgepodge of things all with their own set of management. So give your users one way to do everything from a ... This is really a user experience play as much as a security play. Because when you reduce the friction, people stop creating back doors. You hear about people putting a camera on their SecurID token so they can pop into their Arlo camera when they're home and just be like, oh, there's my six digit code. Because nobody carries things anymore. So making it consistent and one place to engage with the user has huge benefits.

Robert MacDonald:
Let's dig into that just a little bit deeper. When we consider our platform, we do offer a platform of authentication. So yes, we do the live biometric bound to your approved and verified identity, but we also have the other stuff to help organizations like you said, kind of ease into this. So just talk quickly a little bit about the approach and how organizations can consider which factor to deploy based on whatever they're authenticating into.

Mike Engle:
Right. Even though I poo-pooed on some of those other authentication mechanisms a minute ago, having a platform like ours front all of those techniques, again, gives you one place to write rules and to give you your exception processes, the proper conditional access control. So what do you have here on the left? A combination of modern today authentication techniques, public/private key pair passwordless, log in with a QR code, real live biometrics with some legacy. Because sometimes you just want to have a hardware token or you have to or the person can't use a phone. So we have really 12 different ways to engage with users to give you maximum flexibility with or without an app because in some states and countries you can't force employees to use an app. So we got you covered for that as well. And let all these systems on the right do what they do very well and introduce this user experience layer on the left.

Robert MacDonald:
Absolutely. I mean, like you said, if you can figure out who's using which lower form of authentication security protocol, it enables security teams to focus on the areas where you know there's a lower level of security based on either the technology or whatever you have standing in front of it because you haven't had the opportunity to move everything passwordless yet. It allows security teams to focus on the areas where they know there's potential gaps in the security chain because of the technology that's standing in front of it and not necessarily worry about as much the other technologies that are using the high-end live ID biometric. It can only be one person. It enables them to focus their watch on the systems that may really require it based on what's going on. So it's a very valid point.

Let's keep going here, Mike. Our last poll question, poll question number three. Maureen, if you can put that up for us, that'd be great. So do you have a plan for passwordless access? Do you have a plan for passwordless access on your domain controllers? Well, that's an interesting one because we all know that those things, you don't want anybody breaking into those. Mike, what are you seeing? How are people approaching passwordless on domain controllers or are they?

Mike Engle:
Yeah, it's a really hard-to-reach place without the right platform. First of all, they're remote, and so it's hard to put a private key on them. So one of the principles around passwordless is that the private key typically stays ... Say Windows Hello: the key goes right there on that machine and never leaves. And so how do you put a private key on a remote domain controller or a virtual desktop? So that's why we leverage other trusted sources for a private key to be able to reach a hard-to-reach place like this. So I'd be surprised if anybody has a yes here, but it'd be interesting to see if they do. Look at that.

Robert MacDonald:
50-50.

Mike Engle:
Maybe it's one of our employees.

Robert MacDonald:
Maybe.

Mike Engle:
Or all of our employees. So yeah, it's a really important consideration as you come up with a strategy.

Robert MacDonald:
Yeah, fair enough. Okay, so let's move on to our last recommendation here: reducing the reliance on the help desk. So as we know, things go wrong, you've got to reset a password, it doesn't work. Actually, my spouse started this morning calling the help desk to reset her password because there was an update sent to her Windows machine, and every time that happens, for whatever reason, she can't log in and she has to call the help desk to get her password reset. I'm not quite sure why. Anyway, so she started with that this morning, and she has multiple authenticator apps. So how do we reduce the reliance on all of this stuff, and how do we really start to generate some ROI out of a deployment like this, Mike?

Mike Engle:
Well, it's very similar to driving a Tesla, Robert.

Robert MacDonald:
Oh. Well, do tell. I haven't driven ... Actually that's not true. I don't own one. I have driven one. Go ahead.

Mike Engle:
All right. All right. I'll take you for a ride some time. But I had this revelation as I was running this morning. It was more like a fast walk. But when you drive an electric car, are you saving the planet? Not really. At least here in the US, we still use fossil fuels to charge the car in my garage. It's natural gas, it's coal. We don't have much nuclear here. There's not much solar. Now, driving an electric car is good, right? Besides the awesome response and all that, it's kind of the right thing to do. If we could electrify and have a good source of energy, fossil fuels are reduced or whatever. So we still have the legacy fueling going on for my Tesla, but I am creating the habits for electrification, and maybe I have solar on my roof eventually, but 90% no.

And it's similar in passwordless. You need to start now. Imagine if we just said that in 2027 everybody just goes electric. Well, no. In 2027 everybody goes passwordless. Well, there are a lot of lessons to learn, a lot of systems to change. So when I drive my Tesla, I may not have charged it enough. If I have to drive 20 hours, I have to go find fuel. Electric. And so I go to a supercharger. That is very similar to this right here. Every once in a while you get a hard-to-reach system that needs the password, and you need an easy way to let users use it. Maybe it's that benefits system at the end of the year. So get your users in the habit of being passwordless. The beauty of that is they won't even think about their passwords anymore, and the two times a year they need one to get into the benefits system or some legacy mainframe app, they press this button, they do their Face ID or Touch ID, and they're off to the races. They don't even have to think about it the day after that. This is a very powerful tool, and sometimes people will buy a product just for this feature. So there's your relation of Tesla to passwordless.

Robert MacDonald:
That's good. I wasn't sure how you're going to bring that back, but it was good.

Mike Engle:
All right. Really important feature though.

Robert MacDonald:
And typically when you have to reset passwords, at least I know in the past when I had to do it, I had to be connected inside the firewall, so I had to VPN in, so there were a whole bunch of steps to get there. So let's say I was on vacation and it expired while I was away. Well, there's now my help desk call. So the experience behind resetting that password is certainly easier doing it through the app, and then from a security standpoint, we can ensure that it's Mike Engle or Robert MacDonald requesting it with the biometrics that we add in. So you kind of have a double win there for-

Mike Engle:
Yeah. And don't forget about TOFU.

Robert MacDonald:
Yeah, that's right. Yeah, trust on first use. Not tofu like the food, TOFU as in trust on first use, right?

Mike Engle:
Yeah. So when you go to a new Windows workstation, in order to enable Windows Hello, you need the username and password. So yeah, there are a whole bunch of advantages to being able to press that magic button.

Robert MacDonald:
So there's a bit of a build here, Mike. I'll get to what simplifying the experience looks like from our perspective. So do you want to walk us through the first couple of blocks here?

Mike Engle:
Yeah. Historically, you're letting all of these systems have their own mechanisms, which creates fragmentation, IT overhead, et cetera. And what we're saying is let a trusted identity and user experience system hand off the proper access to these, and then let them do what they do very well on the right. Really straightforward concept. But if you leave it to the legacy providers, you're going to have a hodgepodge of user experience challenges and frustration. So it's a really straightforward story, and there are a lot of savings, and now, fortunately, it's not just a miracle anymore. It is very quantifiable and within reach and quick to deploy. We've had a 40,000-person organization. There's a public testimonial on our website from a telco that did this in three weeks and got rid of hardware tokens, and now they're expanding it across the whole organization. So it's neat stuff.

Robert MacDonald:
Yeah, absolutely. Okay, so those are our recommendations. Let's quickly ... Because I'm sure people are like, "Okay, that's great, guys. It sounds amazing, but it's going to be miserable to deploy, or to integrate it with my single sign-on or whatever else I'm using." I just want to point you to talk a little bit about that, and I've got two use case examples. The first one's going to be around Microsoft. So why don't you talk a little bit about integrating this into a Microsoft single sign-on, Active Directory, Azure, Entra ID, whatever that might be, type of environment.

Mike Engle:
Sure. Yeah. I mean, Microsoft is one of the forward-looking identity SSO providers out there. They're really embracing things like decentralized identity and verifiable credentials, for those identity geeks. I mean, they even go so far as to rebrand their entire Azure AD as Entra ID. Your Entra into an organization. I'm not sure of the exact genesis of that word. So they have a holistic strategy, and they're working with providers like 1Kosmos to bring the zero trust component, which is real biometrics, proof of government credential. That's what we bring to the table. And when you put the two together, Microsoft plus 1Kosmos, we can reach all those hard-to-reach areas. Is Microsoft ever going to allow passwordless into Linux? Maybe, but maybe not. And it's really important to get that stuff. So use it where you can with your E5 license or whatever it is. We'll bootstrap that for you. We'll help with those hard-to-reach places and that TOFU problem that exists in that world, and then we'll help cover the other areas where you can't, with a user experience layer that also increases security.

Robert MacDonald:
Yeah, that's cool. All right, so let's talk about the rest of the single sign-on providers. So in this example, I've got Okta, but that can be swapped out for Ping or ForgeRock or SiteMinder or whoever. Step us through what that looks like.

Mike Engle:
Yeah. The key here is that you have the 1Kosmos platform that acts as your identity provider, the IdP. People have been mistakenly calling their SSO providers IdPs, but for all the reasons we said in the beginning, it's not really identity, it's multiple factors. So let's throw those multiple factors away and let the identity expert do the identity part and hand off the assertion. This is a really straightforward integration. It takes minutes for somebody who knows how to configure two systems together. If you know what SAML and OIDC, OAuth, those types of systems are, you can plumb these things together really fast. So again, yeah, regardless of what your SSO of choice is here, we can snap it in there quite quickly.

Robert MacDonald:
Cool. All right, Mike, I think that is all we've got for today in terms of slides, so that's probably good for everybody else that's on the call. If you were to give the Mike Engle "here's my vision of what you should do and what the future looks like around this," what would you say to somebody?

Mike Engle:
Well, I think passwordless is here. It's making its way out there. It's just like the electrification of vehicles. You're seeing 2% of the cars on the road are now passwordless, electric, mixing those two together. So you have to start the journey now. You can't start thinking about this later, and sadly I'm seeing organizations just start to roll out MFA now without thinking about a passwordless strategy. Let's go roll out a one-time code to the email, and we're like, no, wait. Let's come up with just a two-year plan to do it right and then allow you these options A, B, and C. So the tidal wave is coming, and with the rate of change today, look at what AI has become in six months. It is crazy.

Robert MacDonald:
It is crazy.

Mike Engle:
It's going to happen that quickly. iOS 17, for example, was released not that long ago. They're baking a lot of passwordless support into these platforms. So let's embrace it and use it where it makes sense.

Robert MacDonald:
Yeah. I mean, it's amazing when you read a lot of the articles on any of the cybersecurity incidents that are going on, everybody says you have to deploy MFA. It's like, well, I think we're probably moving beyond MFA at this point. At the end of the day, it's masking the password problem in a lot of cases. So this passwordless move is certainly where we need to go. And like you said, Gartner's been talking about it forever. I think poor Ant Allan over at Gartner has been talking about getting rid of passwords now for probably 10 years, and we're just really getting serious about it now.

Mike Engle:
Exactly.

Robert MacDonald:
Just a couple of questions here, Mike. There's one around the authenticators that come with the SSO platforms. Can they not do ... I'm paraphrasing, but can they not do passwordless? Why would I not just use what's coming with ... I don't want to use the product that they're throwing-

Mike Engle:
Sure. Yeah.

Robert MacDonald:
Throw anybody under the bus, but why would I not just use the authenticator that comes with?

Mike Engle:
Yeah, a couple of reasons. One is they typically do not leverage the identity constructs that we mentioned before: verified identity on enrollment or verified identity on authentication. So if you're using magic SSO authenticator XYZ, if I can coerce you to press that green button, the push message or whatever it is, which is what they're doing with push attacks, I've bypassed it. So there's a security reason. And the second is coverage. They're covering only their stuff. They're not covering the operating systems, they're not covering the hard-to-reach systems connected by RADIUS and Kerberos and those types of environments, typically. So there are a lot of good reasons for that.

Robert MacDonald:
I know that we wanted to give everybody back 10 minutes' worth of time here. We've got time for one more question. So this question's about the identity store. So if we're the IdP, does that mean that the identities are only stored in 1Kosmos, or are they going to be in other places as well?

Mike Engle:
Yeah, so again, it comes down to the term identity. We let the user own their identity, which is their proof of who they are. We don't own-

Robert MacDonald:
The documents?

Mike Engle:
The cryptographic proof of possession of those documents.

Robert MacDonald:
Okay.

Mike Engle:
And then we strategically link them to the accounts in the SSO system. So your Azure AD account, your on-prem ADFS account, whatever it is, is still the authoritative token that gets you into the applications. We'll introduce the verified identity, and they work seamlessly together. The beauty is we don't have to replicate any of that SSO account into ours. We can loosely couple them or tightly couple them, giving you really the best flexibility you can have to serve both those populations.

Robert MacDonald:
Awesome. Mike, I appreciate you taking the time to go through the presentation today with me, and I thank everybody else that came along for the ride today as well. For those of you that are listening in, this will be available on our website in the next couple of hours. So if you want to send it to some of your friends, you're more than welcome. And don't forget that we do a webinar almost every month and that we also have our IBA Fridays that you can come watch and listen to as well. So we appreciate you coming in today, and we look forward to talking to you again soon. Thanks, Mike.

Mike Engle:
It was great chatting. Have a great day.

Robert MacDonald:
You too.
Speakers:
Mike Engle, CSO, 1Kosmos
Robert MacDonald, VP of Product Marketing, 1Kosmos

During this webinar, Mike Engle, CSO of 1Kosmos, and Robert MacDonald, VP of Product Marketing at 1Kosmos, explored this new approach and provided five recommendations for security teams to eliminate the security loopholes in traditional SSO systems:

  1. Conveniently verify identity at first and every access without antiquated SMS codes
  2. Modernize authentication using identity-verified biometrics for improved user satisfaction
  3. Give IT the tools to control the rollout of passwordless MFA through phased implementation 
  4. Provide a consistent user experience even for systems that can’t go passwordless
  5. Reduce help desk calls and eliminate multiple authenticator apps

Single sign-on (SSO) platforms like Okta simplify access to thousands of applications. Still, heavy reliance on vulnerable SMS codes, and rampant employee and contractor identity fraud during hiring and onboarding, have many organizations looking to close the identity gap.

Verifying user identity without adding friction to the user experience is a significant challenge. Issuing weak password-based credentials after that verification defeats the purpose, because those credentials are not tied to the verified identity, and layering more authenticators on top only multiplies the apps users have to juggle. It's time to simplify and modernize user authentication.

Identity-based biometrics stop the guessing. Binding them to strong authentication credentials delivers both convenience and security. This approach also simplifies the decades-old IAM tech stack while improving privacy and compliance management.
