Authenticate 2022 Session: How Web 3.0 Will Reshape Authentication
With the advent of Web 3.0, we are approaching the promise of a decentralized Internet and decentralized identity. This session discusses the impact of Web 3.0 on authentication, including the transition to identity-based verification that replaces proxies like usernames/passwords, one-time codes, etc.
With users in control of their identity data, how will this affect authentication frameworks used for employee and consumer identity and access management? 1Kosmos VP of Product Marketing, Robert MacDonald, provides a glimpse into what organizations can expect on the authentication front as Web 3.0 gains traction and how they can begin preparing for these changes today.
Video Transcript
Next we have "How Web 3.0 Will Reshape Authentication." We have Robert MacDonald, VP of Product Marketing from 1Kosmos.
Everybody can hear me? Yeah, there we go. Excellent. I'm proud of everybody that came in. You're here listening to a marketing guy. I figured for sure... I did a little search on everybody that was coming to the show and there's like three of us. Good for you guys. I'm not going to be too marketing today, I promise. How Web3 will shape authentication. Just a quick agenda. I'm going to define what Web3 is, talk about the promises that it's going to deliver, what authenticity means in Web3, some of the pitfalls, the transition from two to three, what that looks like, and then some of the standards that actually support that. Getting into Web3, hopefully this isn't going to insult anybody in the room here. I just want to make sure everybody's on the same level playing field in terms of what it is.
Web3 or Web 3.0, whatever you want to say, is an idea for the new iteration of what the web's going to look like. It's based on blockchain technology. It's not going to be centralized; it's going to have a decentralized backend to it and it's going to have a token-based economic structure to it. When you look at Web1, that was a static, read-only webpage. I'm old enough to remember what that is. Some of you in the room look like you might be old enough to remember what that is as well. Web2 is what we're really familiar with now. It was centralized, information-centric content and it was interactive. But each one of those icons that I have on the screen there owned your identity in some way, shape or form.
Web3 is going to be user-centric, decentralized, secure, and, a foreign word when it comes to the web as it stands today, it's going to be private. Let's talk about how that's going to work. When we look at decentralization, the state of the network itself is going to move away from a centralized server and be backed by a blockchain in some way, shape, or form. The user is going to be in control of their identity, which is a weird concept based on how we know the web to be today. And it's going to have a disruptive scale. Tokenization of assets and transactions is going to rule the day and it's going to be consumed by the masses. And venture capitalists are all over this right now because of the promise of what this brings. The rate at which this market and engine is growing is pretty substantial.
You're going to see much more of it over the next little bit. When we look at tokenization itself, it's a fundamental shift in the economic model on the web. And the network behavior's going to be incentivized by these tokens. It's going to be the currency of the web. Like I said earlier, venture capitalists are all in on Web3 and you see a little bit of it now with Bitcoin and NFTs. That's the ground level as it is right now in this Web3 space. When we look at Web3, it's going to help us prove the identity of users. Now this handsome fellow is about 10 pounds lighter because that was a pre-COVID picture. But being able to prove who I am online is much different than in real life. You guys can see me, I'm here, I'm real.
My glasses might be a little bit different. I might have slightly different clothing on, but for the most part I look like that guy on the screen. When we move to a digital environment, I'm a bunch of zeros and ones. And by the way, if anybody can read it, that's how you spell Robert MacDonald in zeros and ones; I want to make sure that I talk to everybody that was in the room here today. Being able to prove who I am online, as we know, and even yourselves online, is difficult. There's no real way of knowing who is on the other side of that digital connection. We have very little assurance and we see that every day. When we look at the tech stack itself of what Web3 is going to bring, it is that decentralized compute, storage, always-on, application execution.
Everything lives on the chain. Everything has an address. All nodes work together to compute, verify and record the state of changes. And an application called a crypto wallet is what we're all going to leverage going forward because that's going to hold everything that we use or need to verify who we are and what we can have access to or want to have access to on the web. Now for those of you that don't know, I do work at 1Kosmos. We do a lot of this stuff and building that wallet is core to some of the things that we do and we're going to talk a little bit about that here in a minute. Not from a 1Kosmos perspective, but just in general. But that crypto wallet is going to store the keys that you have. It's going to store all your accounts and addresses and tokens and all the other things that go along with it. It's also what's going to help you protect your privacy online.
When we look at identity and what Web2 is today, we have lots of them. I was saying earlier to somebody that I get emails almost every day for my wife resetting her identity, her username and password, for whatever application, website, whatever she's trying to log into. We don't own any of our identity data online. We're allowed to use a lot of the identities that organizations have on us, but we don't actually own them. They own them and they try to monetize them in a lot of cases. Facebook is a prime example of that. Google, Apple, all those guys are looking for ways to leverage your identity to sell to people like me, marketing people, so I can send you emails about buying my technology. When we look at the way we log in today, everybody's familiar with this: we use usernames and passwords, or we can leverage our Facebook identity or our Google identity or our Apple identity to log into something. That's the web version of saying, "Yeah, that's Rob."
But at the end of the day, we don't really know if that's Rob. And then there's the link there that my wife likes to use all the time, which is "I forgot my password." We have to get rid of those passwords. When we look at the way in which Web3 is coming to be, there are patterns in Web2 that are surfacing. It's because people are looking for shortcuts to accelerate how they're getting to Web3. Things like passwords and 2FAs are still the basic way of access. And what that does is it opens up phishing attacks for the private keys. There are all kinds of things that we know happen when we leverage usernames and passwords. Blockchain addresses are pseudonyms; you don't really know who you're dealing with, which again is what Web3 is trying to get away from. We're trying to drive authenticity in the web, and right now, leveraging the way in which we're doing Web2 in a Web3 interface, that's going to be a problem.
Every blockchain has its own verification and parsing rules. The issue with that is that you're going to need different chains every time you want to access something that's based on a different blockchain, and that's going to be a problem. That's almost the way it works now on the web. Smart contracts are just addresses on the chain that are invoked with parameters. The app or wallet can't tell whether you're buying a token or giving them all away. What ends up happening there is that it opens up spoofing.
The concentration of assets is still happening, similar to what I showed earlier in terms of who owns your identity. If you look at something like Coinbase or OpenSea, Coinbase has 53% of all cryptocurrency transactions. OpenSea has 90% of all the NFT activity. The issue with that is that when you have that concentration, it doesn't open up the environment and it becomes a very target-rich environment. It's that honeypot of data. And tokens that represent assets that exist off chain are just pointers. The issue with that then becomes that fraud, forgery, and theft are possible: you're selling things that don't actually exist, things along those lines. We see that happening every day as it is.
When we look at identity in Web3, it's about user-controlled access to their own personal information via a wallet. I own my data and then I choose, based on my wallet, to share it with you. The concept is identical to your own wallet that you have in real life. It has your driver's license in it, it's got your credit card in it. It's got a whole bunch of identity verification capabilities in it. And if the cop pulls you over, they'll be like, "Show me your driver's license." You pull it out, show the driver's license. That's how you prove identity.
It's the same concept online, only you're doing it with a digital wallet. All of your identity will then be stored in it. Today, Facebook owns your identity data and that identity can't really move fluidly across the web, whereas with a digital wallet it will be able to do that, and that wallet will be enhanced with verified data from the real world. Doing identity verification and driving verified credentials that will be stored in that wallet will be critical as we move forward in a Web3-type format. You will leverage your driver's license and your passport or your social insurance number or those things to verify your identity, to build your wallet, which will then help you move online.
When you look at a Web3 login, it'll be slightly different than what it is today. There will be, hopefully, no usernames and passwords, for example; you'll use your wallet, whichever wallet you've built, to log in or verify who you are online. When I look at what we deliver from a 1Kosmos perspective, we verify identities remotely. We will look at your driver's license, passport, social insurance number, what have you, to verify who you are. We can check that against AAMVA, or whatever, to make sure that that identity is who you claim it to be.
We will then take a picture of your face, and then every time you go to log in, we will double-check that picture that we took at login, which we compared against the pictures that we took off your identity, to make sure that you're the person standing in front of the camera. You become the authenticator, which is where we're going in this model: you will become the authenticator. You'll use a FIDO biometric of some sort, whether it be a fingerprint, whether it be your face, to authenticate going in. And then on top of that, because you have these wallets, you'll be able to choose who you want to share your data with and when you want to share it. And if you ever want to revoke that, you will have access to do that, or capabilities to do that, as well.
When we look at the model itself, there are all kinds of standards that are already built that make this work. There are ID issuers, there are ID holders, and there's a relying party that are all associated with the authentication of the user. You've got KYC proofing that the ID issuer will do, which will then build a signed credential, and then that signed credential will be matched against what the relying party has to verify that user. There'll be two kinds of verification that will take place every time a user goes to authenticate into something, so that wallet, which holds the private key, will be what is enabled to verify those users via some sort of distributed identifier.
When we look at Web3 and identity, and I use identity and access at the same time, when I say identity, I also mean authentication here. The identity of users, and this is already taking place: there are states within the US right now that have digital driver's licenses. They're stored in your Apple wallet, but that digital identity, which will be either a driver's license or could even be your passport, will be owned by the citizen and it will be trusted by employers, government, and merchants because they'll all be verified. And then instead of creating accounts with your bank or whatever that might be, they're going to add the credential to your wallet. It'd be like putting your debit card in your wallet versus username, password and all the other things that have to go along with it to verify who you are.
When you go to log in, you'll have the credential built into the wallet. When you come into the good or service, whatever that might be, you'll already be verified. When you want to open up a new account, you want to get a new credit card, you want to apply for a new mortgage, whatever that might be, you've already been verified. We don't have to go through that again; those credentials are all stored in your wallet. It's tied to some sort of biometric to prove who you are when you go to authenticate, and then all that should work seamlessly.
And on top of that, you're in complete control of it because, again, it's your wallet, similar to what it is that you have in your pocket or purse. When you look at identity wallets and the sources of truth that will be enablers: mobile driver's licenses, e-passports, Apple and Google announced that they're working within the FIDO Alliance to try to store keys in the cloud and be able to authenticate users from wherever they are on any device, federal credentials, banks. All of those authoritative sources will be part of the ecosystem to ensure that that user is who they claim to be.
And it's tricky doing it online because you never see the person. You don't know who you're dealing with. Synthetic IDs, synthetic fraud are all problems right now because we don't have a good way of trying to figure out who that user is on the other side of that digital connection. But this is what Web3 is trying to overcome and trying to solve for.
When you look at the identity constructs of what Web3 is bringing to bear, there are two sides of this from an identity and authentication standpoint. There is establishing identity, which is a NIST 800-63-3 IAL certification, and you can get different levels of certification. The highest you can really get in a digital remote format is IAL level two. But what that will do is it'll prove who your employees or customers are, and you're able to do that from a remote-first engagement, which is something that we're not really used to doing right now, but it's coming and it's coming quickly. What that will mean is that you'll have two forms of identity documentation that are matched to real biometrics, and then that will get you to IAL level two, which you need to have, which will give you a high level of assurance for that identity.
Now you know who the identity is. Now you need to authenticate them, and you need to authenticate them, depending upon what your business model is or what your risk profile is, to AAL level two. Now what that does, that's NIST 800-63-3B. That's AAL and that's FIDO2 passwordless authentication. What that brings is a remote authentication that, much like the identity assurance you had, gives you the same thing from an access assurance standpoint, so that user is who they claim to be. One of the things that we do at 1Kosmos is we tie the two of those together. When you establish the identity, we bind that to the user. Every time they authenticate, we compare it to what you did during the establishment of identity to ensure that the user is who they claim to be, to meet that AAL level two, that certified biometric.
What happens when we then build that authentication is that a private key is given to the user, and again, it is also matched to the real biometric that you took at the establishment of identity. And then that's Kantara. The establishment of identity is Kantara certified and the authentication is FIDO certified. And then the identity-based authentication, which is one of the capabilities that we bring, we actually have iBeta certified as well. But there are a lot of different certifications, a lot of different governing bodies around these three types of capabilities that you can leverage to ensure that those users that are looking to gain access to goods and services, whatever they may be, are who they claim to be. When we look at it from a platform and standards standpoint, there are four steps in this process. First, enrolling the identity in the metaverse.
Looking at credentials where the private key stays with the user, the standards body is NIST; the assurance level can go as high as three if you do it in person, but two if you're doing it all online. And the idea behind that is that you want to be able to detect fraudulent enrollments and duplicate enrollments, and re-establish credential binding. That's why you want to enroll the identity. Once you do that, you start to build that wallet, and then you can use that identity to authenticate. Users will authenticate with some form of advanced biometric, something like a liveness test for example, instead of a username and password. The enrollment of the identity bound with the authentication means that you no longer need a credential. You're using the biometric. Yes?
Five minutes. Okay. I thought you had your hand up and I'm almost done. That's good, thanks.
From there you're going to verify those credentials. Users can share verifiable credentials with third parties with consent. You can choose how much or how little you want to share with those third parties. And that credential model is tamper-evident credentials: you can track start to finish that that transaction actually happened, who initiated it and who ended it. And then of course, how are you going to deliver all this? That's what the blockchain does. It keeps the identity attributes and biometrics protected based on the user's key, and it's written in an immutable ledger. It identifies any subject, whether it be a person, an organization, a thing, whatever it might be, an NFT, could be anything. And it ensures that it's under the control of the user. And then again, in terms of standards names, that's a DID, and for the verified credentials it's a verified credential data model.
And then when you get into the authenticate step, that's when we get into FIDO WebAuthn, SAML, OAuth, OIDC to get that authentication level. This is coming quickly, and this is a little plug for what we're doing here this week. FIDO has two working groups that align completely to what I was just talking about. If you look at their Identity Verification and Binding Working Group, that establishes possession and identity verification, and the Biometrics Working Group develops and maintains a framework for the certification of biometric subsystems that can then be turned into integrated FIDO authenticators.
They keep all of their notes, all of their findings, all of their discussions online. If you want to read about what's coming, what's been approved, what's coming down the road, that's a good spot to look. It's also a pretty good thing if you want to sign up to be a FIDO member; you can become part of that as well. But this stuff is coming. It's coming quickly. And there are governing bodies that are aligning it to where it needs to go. And it's going to fundamentally change the way in which we do anything online, which is exciting because I'm tired of not knowing who's on the other side of that digital connection. Hopefully it'll get rid of trolls and all the other things that we see online, but we'll see.
Thank you Robert.
It's very inspiring. We are talking a lot about the Web3 identity for... It feels like it's adapted a lot for the consumer side. I was wondering how this Web3 identity can impact the enterprise side, because in the enterprise, usually companies or organizations want to handle or control their identity.
They do. If you have a new employee or you have third-party contractors of some sort coming into the organization now, you will have a verified identity as to who that user is, and you can leverage that within the organization to make sure that user authenticates without a username or password right from the get-go. And it also eliminates a lot of the privacy controls that are associated with a lot of those identities that you have to manage. It hands that over now to the user, because the user controls it, and it takes that off the plate of the organization, both from a consumer and an employee standpoint. There are benefits to both sides of that, whether it be employee or customer. You're welcome.
Thank you for the talk, Alexei from ID.me. Do you mind going back to the slide that had the four steps and the four protocols?
Slides. This one?
I think the next one.
This one? Yeah, sorry. Perfect. There we go.
Yes. Can you talk a little bit about how you see the difference between step two and step four? One could say AAL two, which is gaining you access to the wallet, could be very similar to gaining access to the identity store on the blockchain. What is the fundamental difference that you see between the roles that number two and number four play? Basically, if you have four, why do you need two? If you have two, why do you need four?
Fair enough. Two is going to bind it back to the enrolled identity. That proves the user. The fourth one is going to show the actual... What's the word I'm looking for? It's going to show the immutable ledger in terms of the authentications that take place. It stores the data as well. Don't confuse the authentication part with the blockchain part because the blockchain's going to store a lot of that data too.
If you look at the existing Web2, where everything's stored in a centralized server, if I break in, I have access to all of it, whereas with a blockchain you're going to have shards of data throughout, and the key is the one that's going to bring that all together to be able to prove who that user is, when they're authenticating, when they're sharing their data, whatever that is. The blockchain is just the way in which the data is stored, whereas the authentication layer is how the user is going to authenticate. Now, the blockchain part will also deliver that immutable ledger, so we can prove that a user made a transaction and it was the user that claimed to be the user at that point in time. Does that make sense? Does that answer your question? Sort of? We can talk. We'll talk.
All right. Well thank you again, Robert. We appreciate your time and your presentation. Thanks very much.
Great. Thanks everybody.