Closing the Security Loopholes in Multi-Factor Authentication
Unlock On-Demand Webinar
Video Transcript
Thanks everybody for joining. My name is Mike Engle. Today, we're going to be talking about, as you can see here, Closing the Security Loopholes in MFA or Multi-Factor Authentication. I am Chief Strategy Officer and co-founder here at 1Kosmos. I spent my career either running cybersecurity programs or building companies like this one, also a venture investor with a company called 1414 Ventures. I'm joined today by Roland Davis, the Director of Identity at Simeio Solutions. Would you like to say hello, Roland and introduce everybody?
Yeah. Hello everybody. I am Roland Davis, I've been with Simeio for the last five years and head up a practice around customer identity as well as workforce identity. So we're very excited today to able to co-present with 1Kosmos. 1Kosmos is amazing piece of technology that is becoming more and more prevalent down this path of passwordless capabilities. So we're very, very excited to be able to go close with them and provide some offerings and solutions to our customers jointly.
Awesome. Yeah. Well, thanks for being here, I appreciate it.
Thanks Mike.
Of course, I'd get in trouble with my marketing department, if I didn't give a shout out for our upcoming webinar, it's a completely different topic on the introduction of citizen identity in government and commercial services. So check this out, you can find a link to it at the top of our website, and you'll be hearing about it from our various sources.
And also we'll be talking about a couple different technologies today, and you're in invited to try out a passwordless experience by simply going to our website, clicking on a button to try the demo, grab an app out of the store and try it out. There's a whole bunch of different aspects of MFA, we'll be talking about today here. This is one of the coolest, and you can try it and no sign up needed, just give it a shot.
Yeah, I tried this the other day, Mike, and literally folks, it took me like a minute to try it out it, and it's a great little demo to get started on, on 1Kosmos. So give it a try, it's about a minute worth of your time.
Yeah. Thanks. I didn't even know you tried it, that's cool. And that experience is what like banks and some of the more forward leaning organization they're starting to do. So it's super exciting stuff. And then lastly, we are giving away what's something we call a Passwordless Identity Package today.
So it's a software package and $50,000 in value. So you can see some details here at our website of as well, we'll randomly select a lucky winner and follow up shortly after the webinar. All right. So Roland, you are not included in that list of potentials.
Oh, not eligible.
That's right. So I'm try to stack the deck.
Okay.
All right. So we're going to talk, it's a very simple agenda here today, and we're going to move kind of quickly, it's going to be a dialogue, not a bunch of slides boring you to death. And there's some new stuff in here that I think many people might be familiar with, but we're going to really expand upon, and all these acronyms we're going to cover them, and some you probably didn't hear of before, like the growing trend of trying to get rid of HBA in the enterprise and in the consumer world.
So we'll be diving into this, and we're also going to ask a couple of questions from the audience. So Maureen or Alexis, if you are ready, we're going to bring up three very simple poll questions throughout the webinar, and the first one is coming up now, and that question is, do you have MFA on all of your endpoints today?
All right. So it's a very simple, yes or no question, just click away, we'll give this about 15 seconds for people to really ponder this question, because it's so, so deep. And I could see quite a few and we're going to show the results right away. So this will be kind of fun. We can share them after the webinar as well. Okay.
Is watching the horse race at the amusement park.
It is. Yeah.
Which one's going to go in.
Super exciting, that's right. All right, Maureen, I think that's good. We got about 70% and if you press these share results, we'll see, we're about 50, 50, it's a 45, 55 split. So all of your external endpoints, I think that's probably why there's more no's than yes. There's so many external endpoints out there. So thanks for everybody for taking the time on that. Okay. And we're going to carry on here, I think the poll should disappear if it doesn't click the little X.
I guess Mike, if there's questions from the audience as well, we probably want to have those come in through the chat window as well, right?
That's right. Yeah. Feel free to just ask away as we're going. We have a couple of our technical staff on the line and they will be answering them in real-time. You can even make fun of my outfit or my hair, anything you want, it's all fair game today. So, and then we'll, if there's a couple of questions that need expanding on, because they're super deep, we will get into them.
So first, let's talk a little bit about some of the terminology. 2FA, we've known about 2FA for years, we're going to get into just a little bit of stage setting for how long 2FA's been around. I think people will be shocked to know how old this technology is, and of course, the successor of the 2FA is MFA, Multifactor, not just two. And Roland, do you remember the first type of 2FA that you used going back in your long storied career?
First kind of 2FA well, boy, it'd probably be those nasty security questions, right?
Yeah.
That probably goes back quite a few decades now right where people would be asking, "Hey, what's your mother's maiden name?" Or, "Hey, what was your favorite movie and what was your favorite vacation spot?"
That's right. Yeah. That's a caveat.
All those things. Yeah. All those knowledge-based questions and they'd work them authentication flows as well sometimes, so they wouldn't use them just for password resets and those kinds of things, but they would actually work them into a part of the authentication flow.
So after you put your username and password in, there you go put this extra thing in, code was very popular as well. So here's your pin, so enter after you put your password in, here's your pin, those have been very popular historically, right?
Right.
But there's horror stories from all those, I really don't like security questions these days. If anybody has security questions still in their environment, we certainly work with customers to try and get them to move away from those, right?
Yeah. The KBA knowledge based, writing something you know, your mother's shoe size when you were four is not only are they a pain for the user, but they're also called KBA for known by anybody, because one browse down your social or just asking some questions in a certain way or googling around, plus they've been stolen out of so many databases, they're really useless.
Mine was a secure ID Token in 1990, I don't know, five or six, I deployed an RSA SecureID Server and so we had these tokens, they were the coolest thing ever, because you had this little security thing that you could hand out to people little did we know how much of a better way.
The batteries would die later? Yeah.
Yeah. And then RSA ended up getting hacked, the secrets got stolen, there was all these things that made it bad. But yeah, we're migrating away from that and towards MFA and better types, not all MFA are created equal, we're going to talk about that quite a bit here today.
And then something we really focus on at 1Kosmos is Identity-Based Authentication. And my definition of that is how do you really prove that it's rolling at the other end of the line, not somebody who has Roland's secrets, or codes, or his phone, but it really is rolling, then we'll be talking about that here today. So we think-
HBA.
HBA is coming up, exactly. So HBA, let's expand on that term first, it's a great point. So it is on the slide. HBA, not many people know about this term, it's called Hope Based Authentication and it is what you use if you can't undeniably prove who that person is at the other on the line, you're hoping that they get into your system, that they can fetch their code, that they haven't lost their code, that they need, might have to change their password or forgot it. So that's where we're really trying to get away from. Yeah. Thanks for calling that out.
Makes sense. Yeah, no worries. I'm sure everybody on the line here probably is asking the same question, so...
Yeah, exactly. And so without identity, we have a system based on hope, really. I don't know how your experience is at the holidays, but when everybody gets new devices, they're calling uncle Mike or son Mike to try to fix their 17 Apple, and Google, and other accounts that have gotten locked out because they can out a new phone. So it's a continuous user experience problem as well as a security risk.
And the impacts of this are really staggering. So these are some relatively new stats, there's lots of people that have been thrown around stats from 2018. But these come from the 2021 Verizon Data Breach Investigations Report, it's the data breach investigations Bible, it's like 114 pages, if you haven't seen it, you can use it to make any security business justification.
But what this latest one said is that 85% of breaches focus on the human element. In other words, it's a person making a mistake, getting coerced, socially engineered or whatever it is, that's involved in a breach. And that of course, comes back to the fact that they even have a password. So I mean, how many breaches have you seen about this year, Roland? Just making a number of-
100.
... it's got to be one a week. Yeah, exactly.
Yeah. No, we definitely see our fair share breaches happening in the Marketplace, and we work with customers to minimize that credentials being the biggest attacked vector that we see in the Marketplace these days.
Right. And once they're exposed, once a credential is obtained, it's really expensive. So these stats are from the LOCKTON Group, cyber insurance broker or company. And you can see here, the average payment, 1.5 million, and the actual impact then, your business is shut down, your colonial pipeline or your mask, whatever is $5 million.
And of course, we've heard of some of these getting up and into the hundreds of millions like mask. And so 66% of every ransomware is over a million dollars too. So the problem's real, if you don't have the attention of the board or the C-suite showing some of these numbers, I think they already know how big of a problem this is though.
So like I was saying, I really wanted to talk about 2FA and where it sits on the history of authentication. So many people know that passwords have gone back to the sixties when they were invented as part of a mainframe shared resource. And then a bunch of other tactics came out in between, including encrypting them, it's called Hashing.
And then Bill Gates even said in 1984 that passwords were going away soon, and here we are, I don't even know how many years later, I can't do that kind of math. And as I mentioned, secure ID tokens, right. My first real cool 2FA deployment, 1993, and how many people are still buying some type of thing you have to put in your pocket to try to get into a system, either a number generator or something you plug into your USB device, they are stronger, but they're so cumbersome, and they're expensive, and hard to deploy. And this one here-
They're also not necessarily tied to the identity as well, Mike, like I've seen, I've heard of instances where people have set up webcams to their hardware token so they can share it amongst the team. So you get kind of scenarios even with that, like is it truly secure? And does it truly marry up the identity of the user to the owner of the hardware token? And there's a good argument to say that no, it doesn't, right?
Yeah, exactly. And that we're going to cover a lot of that, and that is the exact opposite of Identity-Based Authentication. It's some type of combination of other things that can be obtained by somebody else. So this really, I've seen so many websites just start to deploy SMS or email codes today. And it is a little bit better, but if you're really protecting something important like a bank account, the bad guys are showing how easy it is to now obtain these.
So fast forwarding now to the two thousands and we've got the FIDO Alliance, super exciting stuff. So for those that don't know what FIDO is, it stands for Fast Identity Online. It made mainstream news about three weeks ago because they've reached a certain point of attraction where websites are starting to pop up and now say, "Do you want to go passwordless?"
And I might be able to show an example of that here today, and now, so they're almost 10 years in the making and they're starting to change the way we can authenticate using our computers instead of things that we have to know and spit out and can be stolen.
And then, in between where passwordless started and where we are today, there's been a whole bunch of other tools and things that have come out, including a push to your mobile, which we have all used like authenticators pops up and says, "Is this you? Yes or no?" And that's certainly better than just using them in a password as well.
But now you can see from 2013 to 2018, FIDO's latest standard known as WebAuthn is what is starting to allow it to get adopted by the masses. And so websites like Best Buy, and TurboTax, and eBay have this as part of their journey now.
And of course, this is kind of a little bit of a slide in here at the end 2019 is when we coin the term identity based authentication. And we're starting to see this term and these concepts pop up in research, and papers, and analysts, and that is the strong joining of identity and authentication that we're going to talk in here. I'm sure this resonates with your clients as well, Roland, right?
Yeah, it does and kind of interestingly enough, like SMS being deprecated by NIST is back in 2016 and kind of to your point, there's still customers out there that are looking at using SMS or establishing SMS as their MFA strategy today, right?
That's right. And I think customers have a choice these days of being able to even get kind of do a little bit of leapfrog in the Marketplace and move towards passwordless. I know my customers have been asking for passwordless for years now, can we get there? And the market conditions are finally right for it. So very, very, very excited to be able to move forward with offerings on passwordless, that's for sure.
Yeah. And I put a call out here for Identity-Based Authentication and kind of where it sits in all of these technology, so there is a standard that says, "Here's how you prove who somebody is remotely," it's known as NIST 800-63, it's a US government standard, obviously.
And there's a version of it nearly every modern country, but it says, "Present credentials, match it to your face in a certain way that has the best chance of it being the real person." And that combined with a passwordless technology like FIDO is what lets you prove as best you can, who this person is coming in.
And we're going to expand upon this, but what's happened, because these technologies are relatively new, you're talking about really three years for some adoption happening in FIDO, and the identity proofing standard is still maturing. What we have is a landscape of companies that now just deal with compensating controls around authentication.
So the cyber security, if you walk the halls of the RSA security show, for example, you'll see hundreds of companies that try to mitigate password problems. And it could be by detecting fraud, bad signals from the guys who stolen your password, et cetera. So I'm sure you're familiar, obviously don't call any of these out rolling, but you probably integrate with a lot of these technologies in your staff.
Yeah. Historically we have. And you've had to, we've had to do that for customer requirements, to call out and see whether or not a password has been compromised or whether or not you're on a block list somewhere, et cetera. So we're just simply calling out to services to determine, is this a known threat to the environment? So yeah, we've had to integrate into a wide variety of these over time, and to your right Mike, these are mainly the create... There's a huge marketplace just for passwords and credential management.
And I think this whole landscape, these days is going to change significantly now. There's, if we can get away from things like having password managers, and browsers, and setting-up all these additional compensating type measures, just to be able to kind of get a grip on the password problem, if that all goes away and disappears, the industry's going to look a lot differently here in just a couple years, right?
Yeah, exactly. Yeah, I tried breaking down all of the types of these over time, so obviously we've started with user ID and passwords since 1960 or whatever it is. And that wasn't good enough so we made an expire, and we've proven now that is a bad technique, a longer non expiring phrase is best, but companies are still of doing this.
In fact, since the pandemic, a couple of clients that we worked with to go passwordless were moving from 12 to 16 and beyond characters in their password, complex, changing every 90 days. And then we added 2FA, and MFA, and Risk-Based Authentication, and like you mentioned before, your favorite, Knowledge-Based Authentication. And in fact, the airlines here in the US still use this as their second factor.
But then we started to see SSO, which is a step in the right direction, in my opinion, but still doesn't introduce identity. So we sit on top of these and we'll show you some of that. Password managers, passwordless is now a thing FIDO... So this is such a huge problem the industry has just kept putting bandaid upon, bandaid upon, bandaid.
And of course, biometrics is the newest and most controversial topic, that is one of the strongest ways to prove who somebody is remotely. So a lot of As and all of that. So it's time for the second poll. I know everybody's been waiting, I've gotten four chat messages, come on, Mike, can you get to the second question please? So here we go.
If Maureen, if you're ready to pop this up. This is a multiple choice, you can pick one, two, or as many as you do. And we're curious to know what type of MFA you've deployed inside out of your organization, for your customers, or your employees?
There's just some great results, I think you'll like them. We got two of them, neck and neck, just two clicks away from each other. So we got about 50%, actually, we're getting up to 60% participation here. Just give it another 10 seconds, press your buttons everybody.
All right. So Maureen, if you could end the poll and share the results. Here we go. So can you guys see those? You see OTP, email, SMS, still are the most popular along with app-based authenticators, so that's your Google and Microsoft one time code generator.
So it's really comes down to one time codes that are the most popular, and it's good to see app-based, push notifications coming out, and look, there's FIDO coming in as a kind of distant fourth there. So steps in the right direction for sure, and really encouraging to see none that has such a low number.
Yeah, that's good to see.
Yeah. Awesome. Thanks for putting that out, Maureen. Okay. So let's talk about IBA. What is Identity-Based Authentication? And the way 1Kosmos defines this, and NIST really, is it's a combination of proving the user's identity, not just saying, type in your name and your address, and we'll verify the data, but proving it.
And this is that NIST standard that I mentioned before, 863-3 is the standard. Everybody in the banking community who has to deal with KYC, or sometimes an HR for know your employee, KYE knows about the standard, and the subsection of it is this 8633A, and that is the identity assurance level.
So what this does, is it triangulates your government documents or other strong sources of kind of document verification about you and matches them to your real world identity, your face, and verifying the documents are authentic and things like that.
So once you do that, you can then give the user a credential. Issuing a credential without doing step one, you could be putting a credential on top of a compromised account, or giving it to the wrong person, or it could be stolen. So it's the marrying of these. And there's another standard from the W3C called decentralized identifiers that can allow that identity to be shared internally in an organization across disparate apps, or more importantly, between companies, between industries, even between countries.
Those standards a few years old is getting really popular. The tech giants are all focusing on this with dedicated practices, and it's what we have under the hood at 1Kosmos to allow the identities to be portable if an organization wants their employees or customers identities to be shared, it really puts the user in control of the identity.
And then once you have these two put together, you can issue what are called verifiable credentials to third parties as well. So the idea here is you're Roland and that can never be taken away from you, but you could have a credential, like a COVID vaccination or proof of work that you work at Simeio, and that can be revoked.
You leave Simeio, that verifiable credential is verified and you don't work there anymore. So these are some of the relatively new identity standards that are allowing identity to be user managed, allows you to do privacy by design, and allows the identities to be shared.
Yeah. What I love about this Mike is you've taken some very complex standards out there, if anybody picks up the NIST standard, they're in for a few evenings of reading, that's for sure. And then even at the end of it, trying to piece it all together too, in order to put together a solution is a very complex initiative, it takes a lot.
And what I love about this is that this is simplified now, it's so nice to be able to start with the NIST standard, grow into the issuing the credentials, and then using those credentials using verified credentials. You've made it, you've kind of added that missing link and that is the usability of those standards. How do you actually implement them, right?
Yeah.
The very first time the standards came out for, let's say, HTML, you had to piece them all together, and now they're ubiquitous, in the future, this is going to be ubiquitous as well. It's just going to be part of everyday life in terms of how we go about logging into services, right?
Right. Exactly. And so these are the standards, and there's actually a bunch of certifying bodies to make sure that the company you're working with has employed these standards properly. So I know you were going to like, "Mike, well, how do I know if I've got the right standard and it's good." So there you go, here's my segue.
There's three certifying organizations that prove your identity onboarding, your biometrics and your passwordless experience. So here on the left, you have that NIST 863-3 standard that I referenced. And there's a nonprofit called the Kantara Initiative that certifies companies to say, "Yes, they do it the way the standard was meant to be done.
So this is an important seal of approval, your good housekeeping, if you will. And then on the right, you see your authentication, how do you know you're using open standard and certified product? It's the FIDO standard. So look for the FIDO2 logo, that is the latest ref of the standard.
And if a company's using real buy biometrics, which if they're not, it's not real identity, and I think we'll get to that later. But there's the world leader in biometric certifications called iBeta, they certify the scanners that you see in the airports and make sure that you can't put a mission impossible mask on like Tom Cruise and spoof somebody's identity through presentation attacks, and they check your false acceptance rate and all that stuff.
So it's really important to have these certifications as part of the identity platform that you're using as you start to change the way you engage with employees and customers. So a lot of devil in the details, right Roland?
Yeah, absolutely. Yeah.
Yeah. And there's one really simple test that you can ask any supplier or yourself to know is my identity, my authentication identity based, and that is, can you give it to somebody else? So Roland right now, I could give you my Bank of America, username, password, and my UBI key-
Could you?
... and my pin. I could, and you could log into my account, right? Or probably my employer, I could give him my phone, username, password, or my windows password, it's attainable one way or another.
And so if the answer to this is, no, it can't be done, then you have true identity at the other line and really Zero Trust. So Zero Trust is a concept of actually, why don't you explain Zero Trust because I know Simeio is a leader in this, I think this would be great for your context on Zero Trust.
Yeah. Thanks, Mike. Yeah. So certainly, Zero Trust is making sure that you, well, it comes down to trust nobody, verify always. And in order to verify people, that really means that the identity has to be established and linked to the verification process.
So every request that comes in for access to data, to applications, it's looked at it's inspected and linked back to the identity of the individual making that request. So that's Zero Trust. And I think we have a slide coming up on that after the poll here, to talk a little bit more about Zero Trust in a bit.
Awesome. Yeah. So now it's time for our third and final polling question. This is a very simple question, Maureen, if you could pop up this and the question is, would you use MFA on your operating system, Unix, Mac, or Windows, including remote computers, if it were a single touch experience, one click, I want to know who says no, but that's, we'll get to that later.
So this is obviously a loaded question. It is possible to put a single touch MFA Identity-Based Authentication on any remote system, and we're going to talk about that here today. And so not surprisingly, there's more yeses than no's on this one so far.
I think the no people must just use Android, or mobile devices, or tablets, or something, right, yeah, maybe?
Could be, actually, yeah. There's a lot of environments that are 100% cloud and don't use Mac or Windows at all, use a Chromebook. And so, yeah, that's a good point, the world is not just enterprise software, but that's great if you could finish this one and show the results, Maureen, thank you for that.
All right. I think we're... Awesome. Okay. So let's move on. So now let's talk about what we call IAM's Missing Function. So I deployed my first identity and access management system, not me, but a team of us at Lehman Brothers in the late nineties, early two thousands, when we called it Total Access Control Identity Access Management was the program, but it didn't have any identity in it, because it was really based on just creating accounts everywhere and trying to manage passwords and password resets.
So these sections here in the middle are what's been missing from every IAM stack, cryptographic, proof of identity, and that's what FIDO and this 863-3 set up for you, as well as a biometric that answers the authoritative who.
And so if you can feed these into your existing IAM Functions and let them do what they do, and manage the operating system, do single sign on, do your governance, et cetera, your account creation, then you're really taking the question out of whether or not it is that person at the other end of the line, introducing Zero Trust. So to that end, I'll let you expand on this a bit, Roland, I really love this slide, but this is obviously Simeio Zero Trust Model.
Yeah. And thanks for that, Mike. I think that from Simeio standpoint, being able to consume these services in a nice, easy way is crucial. So Zero Trust, it kind of shifts the focus traditionally away from the identity provider, that's still required, so it's still required to provide some form of proof of identity, but that gets fed into a policy engine. And the policy engine works in conjunction with a lot of sources of information like where's the location of the user? What's the behavior of this user? Is it abnormal behavior? They log in at 2:00 AM and they typically log in between the hours of nine and five.
So it can look at those types of behaviors and make a decision whether or not to ask for more information about the user, or deny access, or approve access based on the policies and conditions that you have in place.
So from Simeio standpoint, we work with customers to improve their Zero Trust environments. A lot of customers these days have mandates to adopt Zero Trust, but really have a hard time in just kind of going, where do we start? What do we start with? And certainly one of the areas to start with when it comes to Zero Trust is to implement on the authentication side, so strengthen up the authentication services, because that's crucial, tying your authentication directly to identity and having a verified identity, that's one of the foundations of Zero Trust.
Is to link all the requests back to an individual, or a service, or a system and making sure that only those systems and individuals that should have access to services do. So we've developed, it's similar, you could pass to the next slide.
We've developed a series of assessments specifically focused on Zero Trust, so advisory services is one of the things that we do to help customers kind of paint a roadmap for how do you go from current state today to the future state of Zero Trust, but we also provide deployment service and manage services as well.
So once you decide, okay, all right, now I need to implement a particular piece of technology, let's say you wanted to implement 1Kosmos, you can turn to Simeio and say, "Simeio, this is what we'd like to do. We can work with you to put together deployment services, manage services in the advisory services across the board for that."
So kind of take you the full gamut, help you produce the business case, help you to get that justification, the internal justifications that you need in order to move forward with your projects, and then deploy those projects. So kind of a little shameless plug for Simeio there, Mike.
No, it's good.
Giving us the opportunity for that, yeah.
You guys have created and managed hundreds of millions of identities over the years. So you really, really know your stuff. And we have a very tight integration with Simeio, so you can jumpstart your journey with a strong identity, and whenever that policy engine has to ask a question, we make it really easy to reach out to the user and say, "Can you just show me who you are," and reach out to them and they'll have that cryptographic proof that you need.
So, no, it's like peanut butter and jelly. So now let's just show a quick demo of what we refer to as Identity-Based Authentication. What you're going to see here is the first time launching of an app that lets you store your identity and present it to a third party with that proof that you need, and so this is just a couple of seconds long, and I'll let this roll here.
Here we go. So you'll see upon launching of the app behind the scenes, a private keys generated, transparent to the user. We use a pin just as another factor for kind of break glass purposes, it's very rarely needed. And then we do your device biometrics, touch ID or face ID, takes about a total of you saw here about eight seconds to enroll now three factors in the phone, key, pin, and device biometrics.
Now, we're going to do real biometrics. That's me. Thank God I wasn't wearing the same shirt. So that was what we call live ID, and that is a real biometric that I can now link to any source of truth and also ask for it again to authenticate them. And you saw how quick and easy it was, you don't have to ship somebody a token or a smart card reader, we're trusting this really very complex and secure piece of hardware to hold a lot of the credentials for us today.
So let's leverage it. We've got a high res camera, far better than cameras that we've used in the airport for 10 years. So it's really putting the power in the hand of the user. Now, everything you saw there is encrypted with my private key and only releasable with my consent, and that is a huge deal in the age of privacy and breaches. If that biometric is stored anywhere, we're a third party administrator or centralized encryption can get at it, you have a big problem. You saw that with the big curfuffle with the IRS about two months ago, and their use of a private biometric and identity scanning company.
So we make it look easy and it actually is easy. And of course, this can be private labeled. We have customers that call it their own identity or put each of these components as an SDK inside of their existing app.
And now once that identity is enrolled, sorry, let me skip forward, you can leverage that for verifying identity. So that didn't prove my identity as an individual, just let me enroll identity assets, my private key, my real biometrics. Now, we are going to link that to government ID, my citizen ID. And we do this by scanning government credentials, the front, the back, decoding that PDF, four and seven barcode, and matching my face to that photo, and verifying it with the DMV, called AMVA.
I can also enroll passports in any country that uses modern passports is over 100 of them. So that experience you saw there is getting really popular, especially in the crypto world overseas, and it's used to prove my identity. So now I can leverage that strong identity to say, "This is Mike Engel coming into my platform every time."
And this is my final one, and then we're going to wrap it up here. So this is how you employ Identity-Based Authentication for any target system. This could be your remote access, Citrix, VDI, Zscaler, whatever. It could be your operating systems, it could be a banking website, doesn't matter, the experience is the same. So the most common way now is a QR code. I will scan this, I give consent to authenticate.
My biometric is asked, I asked for the authentication and I'm staring at my downstream applications. It takes about two, three seconds. Now you don't have to do that every time, you can rely on touch ID and face ID, spot-check the user once a month with live ID, make sure that they're still the person that you think they are, prevent something called contractor jacking, where you onboard somebody on day two, they give their authentication to a buddy because they're 10 bucks an hour cheaper.
Huge problem, every customer I talk to who has this problem, this is the way to mitigate it. So we're really excited about this being employed really anywhere. And that wraps up the conclusion, I mean, that wraps up the presentation. We have a couple of questions here, I think about the biometrics. Let me read this one out.
So how easy is it to get around biometrics? And this is a great question. So that certification that I mentioned called iBeta, they attempt all kinds of different ways to subvert the authentication. So they will hold up a photo, cut eye holes in it, and they're very good at making sure that that biometric is accurate, that it can't be spoofed by strangers or whatever.
And there's all kinds of testing to make sure that you don't have problems with decisioning bias in these processes as well, so that means are you incorrectly saying no or yes, and letting a bad guy in. So it's a combination of those two. And those stats are really important when you select a vendor to make sure that they encrypt the biometric properly with the user's key, and that they are certified for presentation attacks by an independent lab. So I think that'll probably about do it in terms of time today, any closing thoughts, Roland? Should we give them our fax number for purchase orders? What's the next step here?
Yeah, no, absolutely, let's do that. That kind of dates us, does basically give them the fax number [crosstalk 00:41:58]
Right back there, yeah.
Yeah. You can send the email address. No, I think Mike, you brought up a couple of nice points there at the end, just around some of the different abuses we see these days for workforce identity, because the pandemic you do have people outsourcing their jobs or contracting out the jobs, you do have people that outsource the interview process as well, and then you get different people actually showing up for work day one.
We've certainly seen a big uptake just on workforce verification, and because of the pandemic, traditionally, we've seen the verification process more along the lines of financial institutions, or government, or retail to try and avoid fraud. But these days, I think almost everybody that is enterprise 500 type customer is looking to avoid fraud even internally with their own employees.
So that's a very key takeaway, I think these days for most organizations as well. So those are my closing remarks. Thanks Mike, for inviting Simeio, we're very excited about being able to partner with 1Kosmos on things these days.
Yeah. Thanks so much for joining us Roland and all of our attendees. Appreciate your time and enjoy the rest of your day and your week. We'll see you at the next webinar.
Thank you. Sounds good.
Thanks everybody.
Yeah. Hello everybody. I am Roland Davis, I've been with Simeio for the last five years and head up a practice around customer identity as well as workforce identity. So we're very excited today to able to co-present with 1Kosmos. 1Kosmos is amazing piece of technology that is becoming more and more prevalent down this path of passwordless capabilities. So we're very, very excited to be able to go close with them and provide some offerings and solutions to our customers jointly.
Awesome. Yeah. Well, thanks for being here, I appreciate it.
Thanks Mike.
Of course, I'd get in trouble with my marketing department, if I didn't give a shout out for our upcoming webinar, it's a completely different topic on the introduction of citizen identity in government and commercial services. So check this out, you can find a link to it at the top of our website, and you'll be hearing about it from our various sources.
And also we'll be talking about a couple different technologies today, and you're in invited to try out a passwordless experience by simply going to our website, clicking on a button to try the demo, grab an app out of the store and try it out. There's a whole bunch of different aspects of MFA, we'll be talking about today here. This is one of the coolest, and you can try it and no sign up needed, just give it a shot.
Yeah, I tried this the other day, Mike, and literally folks, it took me like a minute to try it out it, and it's a great little demo to get started on, on 1Kosmos. So give it a try, it's about a minute worth of your time.
Yeah. Thanks. I didn't even know you tried it, that's cool. And that experience is what like banks and some of the more forward leaning organization they're starting to do. So it's super exciting stuff. And then lastly, we are giving away what's something we call a Passwordless Identity Package today.
So it's a software package and $50,000 in value. So you can see some details here at our website of as well, we'll randomly select a lucky winner and follow up shortly after the webinar. All right. So Roland, you are not included in that list of potentials.
Oh, not eligible.
That's right. So I'm try to stack the deck.
Okay.
All right. So we're going to talk, it's a very simple agenda here today, and we're going to move kind of quickly, it's going to be a dialogue, not a bunch of slides boring you to death. And there's some new stuff in here that I think many people might be familiar with, but we're going to really expand upon, and all these acronyms we're going to cover them, and some you probably didn't hear of before, like the growing trend of trying to get rid of HBA in the enterprise and in the consumer world.
So we'll be diving into this, and we're also going to ask a couple of questions from the audience. So Maureen or Alexis, if you are ready, we're going to bring up three very simple poll questions throughout the webinar, and the first one is coming up now, and that question is, do you have MFA on all of your endpoints today?
All right. So it's a very simple, yes or no question, just click away, we'll give this about 15 seconds for people to really ponder this question, because it's so, so deep. And I could see quite a few and we're going to show the results right away. So this will be kind of fun. We can share them after the webinar as well. Okay.
Is watching the horse race at the amusement park.
It is. Yeah.
Which one's going to go in.
Super exciting, that's right. All right, Maureen, I think that's good. We got about 70% and if you press these share results, we'll see, we're about 50, 50, it's a 45, 55 split. So all of your external endpoints, I think that's probably why there's more no's than yes. There's so many external endpoints out there. So thanks for everybody for taking the time on that. Okay. And we're going to carry on here, I think the poll should disappear if it doesn't click the little X.
I guess Mike, if there's questions from the audience as well, we probably want to have those come in through the chat window as well, right?
That's right. Yeah. Feel free to just ask away as we're going. We have a couple of our technical staff on the line and they will be answering them in real-time. You can even make fun of my outfit or my hair, anything you want, it's all fair game today. So, and then we'll, if there's a couple of questions that need expanding on, because they're super deep, we will get into them.
So first, let's talk a little bit about some of the terminology. 2FA, we've known about 2FA for years, we're going to get into just a little bit of stage setting for how long 2FA's been around. I think people will be shocked to know how old this technology is, and of course, the successor of the 2FA is MFA, Multifactor, not just two. And Roland, do you remember the first type of 2FA that you used going back in your long storied career?
First kind of 2FA well, boy, it'd probably be those nasty security questions, right?
Yeah.
That probably goes back quite a few decades now right where people would be asking, "Hey, what's your mother's maiden name?" Or, "Hey, what was your favorite movie and what was your favorite vacation spot?"
That's right. Yeah. That's a caveat.
All those things. Yeah. All those knowledge-based questions and they'd work them authentication flows as well sometimes, so they wouldn't use them just for password resets and those kinds of things, but they would actually work them into a part of the authentication flow.
So after you put your username and password in, there you go put this extra thing in, code was very popular as well. So here's your pin, so enter after you put your password in, here's your pin, those have been very popular historically, right?
Right.
But there's horror stories from all those, I really don't like security questions these days. If anybody has security questions still in their environment, we certainly work with customers to try and get them to move away from those, right?
Yeah. The KBA knowledge based, writing something you know, your mother's shoe size when you were four is not only are they a pain for the user, but they're also called KBA for known by anybody, because one browse down your social or just asking some questions in a certain way or googling around, plus they've been stolen out of so many databases, they're really useless.
Mine was a secure ID Token in 1990, I don't know, five or six, I deployed an RSA SecureID Server and so we had these tokens, they were the coolest thing ever, because you had this little security thing that you could hand out to people little did we know how much of a better way.
The batteries would die later? Yeah.
Yeah. And then RSA ended up getting hacked, the secrets got stolen, there was all these things that made it bad. But yeah, we're migrating away from that and towards MFA and better types, not all MFA are created equal, we're going to talk about that quite a bit here today.
And then something we really focus on at 1Kosmos is Identity-Based Authentication. And my definition of that is how do you really prove that it's rolling at the other end of the line, not somebody who has Roland's secrets, or codes, or his phone, but it really is rolling, then we'll be talking about that here today. So we think-
HBA.
HBA is coming up, exactly. So HBA, let's expand on that term first, it's a great point. So it is on the slide. HBA, not many people know about this term, it's called Hope Based Authentication and it is what you use if you can't undeniably prove who that person is at the other on the line, you're hoping that they get into your system, that they can fetch their code, that they haven't lost their code, that they need, might have to change their password or forgot it. So that's where we're really trying to get away from. Yeah. Thanks for calling that out.
Makes sense. Yeah, no worries. I'm sure everybody on the line here probably is asking the same question, so...
Yeah, exactly. And so without identity, we have a system based on hope, really. I don't know how your experience is at the holidays, but when everybody gets new devices, they're calling uncle Mike or son Mike to try to fix their 17 Apple, and Google, and other accounts that have gotten locked out because they can out a new phone. So it's a continuous user experience problem as well as a security risk.
And the impacts of this are really staggering. So these are some relatively new stats, there's lots of people that have been thrown around stats from 2018. But these come from the 2021 Verizon Data Breach Investigations Report, it's the data breach investigations Bible, it's like 114 pages, if you haven't seen it, you can use it to make any security business justification.
But what this latest one said is that 85% of breaches focus on the human element. In other words, it's a person making a mistake, getting coerced, socially engineered or whatever it is, that's involved in a breach. And that of course, comes back to the fact that they even have a password. So I mean, how many breaches have you seen about this year, Roland? Just making a number of-
100.
... it's got to be one a week. Yeah, exactly.
Yeah. No, we definitely see our fair share breaches happening in the Marketplace, and we work with customers to minimize that credentials being the biggest attacked vector that we see in the Marketplace these days.
Right. And once they're exposed, once a credential is obtained, it's really expensive. So these stats are from the LOCKTON Group, cyber insurance broker or company. And you can see here, the average payment, 1.5 million, and the actual impact then, your business is shut down, your colonial pipeline or your mask, whatever is $5 million.
And of course, we've heard of some of these getting up and into the hundreds of millions like mask. And so 66% of every ransomware is over a million dollars too. So the problem's real, if you don't have the attention of the board or the C-suite showing some of these numbers, I think they already know how big of a problem this is though.
So like I was saying, I really wanted to talk about 2FA and where it sits on the history of authentication. So many people know that passwords have gone back to the sixties when they were invented as part of a mainframe shared resource. And then a bunch of other tactics came out in between, including encrypting them, it's called Hashing.
And then Bill Gates even said in 1984 that passwords were going away soon, and here we are, I don't even know how many years later, I can't do that kind of math. And as I mentioned, secure ID tokens, right. My first real cool 2FA deployment, 1993, and how many people are still buying some type of thing you have to put in your pocket to try to get into a system, either a number generator or something you plug into your USB device, they are stronger, but they're so cumbersome, and they're expensive, and hard to deploy. And this one here-
They're also not necessarily tied to the identity as well, Mike, like I've seen, I've heard of instances where people have set up webcams to their hardware token so they can share it amongst the team. So you get kind of scenarios even with that, like is it truly secure? And does it truly marry up the identity of the user to the owner of the hardware token? And there's a good argument to say that no, it doesn't, right?
Yeah, exactly. And that we're going to cover a lot of that, and that is the exact opposite of Identity-Based Authentication. It's some type of combination of other things that can be obtained by somebody else. So this really, I've seen so many websites just start to deploy SMS or email codes today. And it is a little bit better, but if you're really protecting something important like a bank account, the bad guys are showing how easy it is to now obtain these.
So fast forwarding now to the two thousands and we've got the FIDO Alliance, super exciting stuff. So for those that don't know what FIDO is, it stands for Fast Identity Online. It made mainstream news about three weeks ago because they've reached a certain point of attraction where websites are starting to pop up and now say, "Do you want to go passwordless?"
And I might be able to show an example of that here today, and now, so they're almost 10 years in the making and they're starting to change the way we can authenticate using our computers instead of things that we have to know and spit out and can be stolen.
And then, in between where passwordless started and where we are today, there's been a whole bunch of other tools and things that have come out, including a push to your mobile, which we have all used like authenticators pops up and says, "Is this you? Yes or no?" And that's certainly better than just using them in a password as well.
But now you can see from 2013 to 2018, FIDO's latest standard known as WebAuthn is what is starting to allow it to get adopted by the masses. And so websites like Best Buy, and TurboTax, and eBay have this as part of their journey now.
And of course, this is kind of a little bit of a slide in here at the end 2019 is when we coin the term identity based authentication. And we're starting to see this term and these concepts pop up in research, and papers, and analysts, and that is the strong joining of identity and authentication that we're going to talk in here. I'm sure this resonates with your clients as well, Roland, right?
Yeah, it does and kind of interestingly enough, like SMS being deprecated by NIST is back in 2016 and kind of to your point, there's still customers out there that are looking at using SMS or establishing SMS as their MFA strategy today, right?
That's right. And I think customers have a choice these days of being able to even get kind of do a little bit of leapfrog in the Marketplace and move towards passwordless. I know my customers have been asking for passwordless for years now, can we get there? And the market conditions are finally right for it. So very, very, very excited to be able to move forward with offerings on passwordless, that's for sure.
Yeah. And I put a call out here for Identity-Based Authentication and kind of where it sits in all of these technology, so there is a standard that says, "Here's how you prove who somebody is remotely," it's known as NIST 800-63, it's a US government standard, obviously.
And there's a version of it nearly every modern country, but it says, "Present credentials, match it to your face in a certain way that has the best chance of it being the real person." And that combined with a passwordless technology like FIDO is what lets you prove as best you can, who this person is coming in.
And we're going to expand upon this, but what's happened, because these technologies are relatively new, you're talking about really three years for some adoption happening in FIDO, and the identity proofing standard is still maturing. What we have is a landscape of companies that now just deal with compensating controls around authentication.
So the cyber security, if you walk the halls of the RSA security show, for example, you'll see hundreds of companies that try to mitigate password problems. And it could be by detecting fraud, bad signals from the guys who stolen your password, et cetera. So I'm sure you're familiar, obviously don't call any of these out rolling, but you probably integrate with a lot of these technologies in your staff.
Yeah. Historically we have. And you've had to, we've had to do that for customer requirements, to call out and see whether or not a password has been compromised or whether or not you're on a block list somewhere, et cetera. So we're just simply calling out to services to determine, is this a known threat to the environment? So yeah, we've had to integrate into a wide variety of these over time, and to your right Mike, these are mainly the create... There's a huge marketplace just for passwords and credential management.
And I think this whole landscape, these days is going to change significantly now. There's, if we can get away from things like having password managers, and browsers, and setting-up all these additional compensating type measures, just to be able to kind of get a grip on the password problem, if that all goes away and disappears, the industry's going to look a lot differently here in just a couple years, right?
Yeah, exactly. Yeah, I tried breaking down all of the types of these over time, so obviously we've started with user ID and passwords since 1960 or whatever it is. And that wasn't good enough so we made an expire, and we've proven now that is a bad technique, a longer non expiring phrase is best, but companies are still of doing this.
In fact, since the pandemic, a couple of clients that we worked with to go passwordless were moving from 12 to 16 and beyond characters in their password, complex, changing every 90 days. And then we added 2FA, and MFA, and Risk-Based Authentication, and like you mentioned before, your favorite, Knowledge-Based Authentication. And in fact, the airlines here in the US still use this as their second factor.
But then we started to see SSO, which is a step in the right direction, in my opinion, but still doesn't introduce identity. So we sit on top of these and we'll show you some of that. Password managers, passwordless is now a thing FIDO... So this is such a huge problem the industry has just kept putting bandaid upon, bandaid upon, bandaid.
And of course, biometrics is the newest and most controversial topic, that is one of the strongest ways to prove who somebody is remotely. So a lot of As and all of that. So it's time for the second poll. I know everybody's been waiting, I've gotten four chat messages, come on, Mike, can you get to the second question please? So here we go.
If Maureen, if you're ready to pop this up. This is a multiple choice, you can pick one, two, or as many as you do. And we're curious to know what type of MFA you've deployed inside out of your organization, for your customers, or your employees?
There's just some great results, I think you'll like them. We got two of them, neck and neck, just two clicks away from each other. So we got about 50%, actually, we're getting up to 60% participation here. Just give it another 10 seconds, press your buttons everybody.
All right. So Maureen, if you could end the poll and share the results. Here we go. So can you guys see those? You see OTP, email, SMS, still are the most popular along with app-based authenticators, so that's your Google and Microsoft one time code generator.
So it's really comes down to one time codes that are the most popular, and it's good to see app-based, push notifications coming out, and look, there's FIDO coming in as a kind of distant fourth there. So steps in the right direction for sure, and really encouraging to see none that has such a low number.
Yeah, that's good to see.
Yeah. Awesome. Thanks for putting that out, Maureen. Okay. So let's talk about IBA. What is Identity-Based Authentication? And the way 1Kosmos defines this, and NIST really, is it's a combination of proving the user's identity, not just saying, type in your name and your address, and we'll verify the data, but proving it.
And this is that NIST standard that I mentioned before, 863-3 is the standard. Everybody in the banking community who has to deal with KYC, or sometimes an HR for know your employee, KYE knows about the standard, and the subsection of it is this 8633A, and that is the identity assurance level.
So what this does, is it triangulates your government documents or other strong sources of kind of document verification about you and matches them to your real world identity, your face, and verifying the documents are authentic and things like that.
So once you do that, you can then give the user a credential. Issuing a credential without doing step one, you could be putting a credential on top of a compromised account, or giving it to the wrong person, or it could be stolen. So it's the marrying of these. And there's another standard from the W3C called decentralized identifiers that can allow that identity to be shared internally in an organization across disparate apps, or more importantly, between companies, between industries, even between countries.
Those standards a few years old is getting really popular. The tech giants are all focusing on this with dedicated practices, and it's what we have under the hood at 1Kosmos to allow the identities to be portable if an organization wants their employees or customers identities to be shared, it really puts the user in control of the identity.
And then once you have these two put together, you can issue what are called verifiable credentials to third parties as well. So the idea here is you're Roland and that can never be taken away from you, but you could have a credential, like a COVID vaccination or proof of work that you work at Simeio, and that can be revoked.
You leave Simeio, that verifiable credential is verified and you don't work there anymore. So these are some of the relatively new identity standards that are allowing identity to be user managed, allows you to do privacy by design, and allows the identities to be shared.
Yeah. What I love about this Mike is you've taken some very complex standards out there, if anybody picks up the NIST standard, they're in for a few evenings of reading, that's for sure. And then even at the end of it, trying to piece it all together too, in order to put together a solution is a very complex initiative, it takes a lot.
And what I love about this is that this is simplified now, it's so nice to be able to start with the NIST standard, grow into the issuing the credentials, and then using those credentials using verified credentials. You've made it, you've kind of added that missing link and that is the usability of those standards. How do you actually implement them, right?
Yeah.
The very first time the standards came out for, let's say, HTML, you had to piece them all together, and now they're ubiquitous, in the future, this is going to be ubiquitous as well. It's just going to be part of everyday life in terms of how we go about logging into services, right?
Right. Exactly. And so these are the standards, and there's actually a bunch of certifying bodies to make sure that the company you're working with has employed these standards properly. So I know you were going to like, "Mike, well, how do I know if I've got the right standard and it's good." So there you go, here's my segue.
There's three certifying organizations that prove your identity onboarding, your biometrics and your passwordless experience. So here on the left, you have that NIST 863-3 standard that I referenced. And there's a nonprofit called the Kantara Initiative that certifies companies to say, "Yes, they do it the way the standard was meant to be done.
So this is an important seal of approval, your good housekeeping, if you will. And then on the right, you see your authentication, how do you know you're using open standard and certified product? It's the FIDO standard. So look for the FIDO2 logo, that is the latest ref of the standard.
And if a company's using real buy biometrics, which if they're not, it's not real identity, and I think we'll get to that later. But there's the world leader in biometric certifications called iBeta, they certify the scanners that you see in the airports and make sure that you can't put a mission impossible mask on like Tom Cruise and spoof somebody's identity through presentation attacks, and they check your false acceptance rate and all that stuff.
So it's really important to have these certifications as part of the identity platform that you're using as you start to change the way you engage with employees and customers. So a lot of devil in the details, right Roland?
Yeah, absolutely. Yeah.
Yeah. And there's one really simple test that you can ask any supplier or yourself to know is my identity, my authentication identity based, and that is, can you give it to somebody else? So Roland right now, I could give you my Bank of America, username, password, and my UBI key-
Could you?
... and my pin. I could, and you could log into my account, right? Or probably my employer, I could give him my phone, username, password, or my windows password, it's attainable one way or another.
And so if the answer to this is, no, it can't be done, then you have true identity at the other line and really Zero Trust. So Zero Trust is a concept of actually, why don't you explain Zero Trust because I know Simeio is a leader in this, I think this would be great for your context on Zero Trust.
Yeah. Thanks, Mike. Yeah. So certainly, Zero Trust is making sure that you, well, it comes down to trust nobody, verify always. And in order to verify people, that really means that the identity has to be established and linked to the verification process.
So every request that comes in for access to data, to applications, it's looked at it's inspected and linked back to the identity of the individual making that request. So that's Zero Trust. And I think we have a slide coming up on that after the poll here, to talk a little bit more about Zero Trust in a bit.
Awesome. Yeah. So now it's time for our third and final polling question. This is a very simple question, Maureen, if you could pop up this and the question is, would you use MFA on your operating system, Unix, Mac, or Windows, including remote computers, if it were a single touch experience, one click, I want to know who says no, but that's, we'll get to that later.
So this is obviously a loaded question. It is possible to put a single touch MFA Identity-Based Authentication on any remote system, and we're going to talk about that here today. And so not surprisingly, there's more yeses than no's on this one so far.
I think the no people must just use Android, or mobile devices, or tablets, or something, right, yeah, maybe?
Could be, actually, yeah. There's a lot of environments that are 100% cloud and don't use Mac or Windows at all, use a Chromebook. And so, yeah, that's a good point, the world is not just enterprise software, but that's great if you could finish this one and show the results, Maureen, thank you for that.
All right. I think we're... Awesome. Okay. So let's move on. So now let's talk about what we call IAM's Missing Function. So I deployed my first identity and access management system, not me, but a team of us at Lehman Brothers in the late nineties, early two thousands, when we called it Total Access Control Identity Access Management was the program, but it didn't have any identity in it, because it was really based on just creating accounts everywhere and trying to manage passwords and password resets.
So these sections here in the middle are what's been missing from every IAM stack, cryptographic, proof of identity, and that's what FIDO and this 863-3 set up for you, as well as a biometric that answers the authoritative who.
And so if you can feed these into your existing IAM Functions and let them do what they do, and manage the operating system, do single sign on, do your governance, et cetera, your account creation, then you're really taking the question out of whether or not it is that person at the other end of the line, introducing Zero Trust. So to that end, I'll let you expand on this a bit, Roland, I really love this slide, but this is obviously Simeio Zero Trust Model.
Yeah. And thanks for that, Mike. I think that from Simeio standpoint, being able to consume these services in a nice, easy way is crucial. So Zero Trust, it kind of shifts the focus traditionally away from the identity provider, that's still required, so it's still required to provide some form of proof of identity, but that gets fed into a policy engine. And the policy engine works in conjunction with a lot of sources of information like where's the location of the user? What's the behavior of this user? Is it abnormal behavior? They log in at 2:00 AM and they typically log in between the hours of nine and five.
So it can look at those types of behaviors and make a decision whether or not to ask for more information about the user, or deny access, or approve access based on the policies and conditions that you have in place.
So from Simeio standpoint, we work with customers to improve their Zero Trust environments. A lot of customers these days have mandates to adopt Zero Trust, but really have a hard time in just kind of going, where do we start? What do we start with? And certainly one of the areas to start with when it comes to Zero Trust is to implement on the authentication side, so strengthen up the authentication services, because that's crucial, tying your authentication directly to identity and having a verified identity, that's one of the foundations of Zero Trust.
Is to link all the requests back to an individual, or a service, or a system and making sure that only those systems and individuals that should have access to services do. So we've developed, it's similar, you could pass to the next slide.
We've developed a series of assessments specifically focused on Zero Trust, so advisory services is one of the things that we do to help customers kind of paint a roadmap for how do you go from current state today to the future state of Zero Trust, but we also provide deployment service and manage services as well.
So once you decide, okay, all right, now I need to implement a particular piece of technology, let's say you wanted to implement 1Kosmos, you can turn to Simeio and say, "Simeio, this is what we'd like to do. We can work with you to put together deployment services, manage services in the advisory services across the board for that."
So kind of take you the full gamut, help you produce the business case, help you to get that justification, the internal justifications that you need in order to move forward with your projects, and then deploy those projects. So kind of a little shameless plug for Simeio there, Mike.
No, it's good.
Giving us the opportunity for that, yeah.
You guys have created and managed hundreds of millions of identities over the years. So you really, really know your stuff. And we have a very tight integration with Simeio, so you can jumpstart your journey with a strong identity, and whenever that policy engine has to ask a question, we make it really easy to reach out to the user and say, "Can you just show me who you are," and reach out to them and they'll have that cryptographic proof that you need.
So, no, it's like peanut butter and jelly. So now let's just show a quick demo of what we refer to as Identity-Based Authentication. What you're going to see here is the first time launching of an app that lets you store your identity and present it to a third party with that proof that you need, and so this is just a couple of seconds long, and I'll let this roll here.
Here we go. So you'll see upon launching of the app behind the scenes, a private keys generated, transparent to the user. We use a pin just as another factor for kind of break glass purposes, it's very rarely needed. And then we do your device biometrics, touch ID or face ID, takes about a total of you saw here about eight seconds to enroll now three factors in the phone, key, pin, and device biometrics.
Now, we're going to do real biometrics. That's me. Thank God I wasn't wearing the same shirt. So that was what we call live ID, and that is a real biometric that I can now link to any source of truth and also ask for it again to authenticate them. And you saw how quick and easy it was, you don't have to ship somebody a token or a smart card reader, we're trusting this really very complex and secure piece of hardware to hold a lot of the credentials for us today.
So let's leverage it. We've got a high res camera, far better than cameras that we've used in the airport for 10 years. So it's really putting the power in the hand of the user. Now, everything you saw there is encrypted with my private key and only releasable with my consent, and that is a huge deal in the age of privacy and breaches. If that biometric is stored anywhere, we're a third party administrator or centralized encryption can get at it, you have a big problem. You saw that with the big curfuffle with the IRS about two months ago, and their use of a private biometric and identity scanning company.
So we make it look easy and it actually is easy. And of course, this can be private labeled. We have customers that call it their own identity or put each of these components as an SDK inside of their existing app.
And now once that identity is enrolled, sorry, let me skip forward, you can leverage that for verifying identity. So that didn't prove my identity as an individual, just let me enroll identity assets, my private key, my real biometrics. Now, we are going to link that to government ID, my citizen ID. And we do this by scanning government credentials, the front, the back, decoding that PDF, four and seven barcode, and matching my face to that photo, and verifying it with the DMV, called AMVA.
I can also enroll passports in any country that uses modern passports is over 100 of them. So that experience you saw there is getting really popular, especially in the crypto world overseas, and it's used to prove my identity. So now I can leverage that strong identity to say, "This is Mike Engel coming into my platform every time."
And this is my final one, and then we're going to wrap it up here. So this is how you employ Identity-Based Authentication for any target system. This could be your remote access, Citrix, VDI, Zscaler, whatever. It could be your operating systems, it could be a banking website, doesn't matter, the experience is the same. So the most common way now is a QR code. I will scan this, I give consent to authenticate.
My biometric is asked, I asked for the authentication and I'm staring at my downstream applications. It takes about two, three seconds. Now you don't have to do that every time, you can rely on touch ID and face ID, spot-check the user once a month with live ID, make sure that they're still the person that you think they are, prevent something called contractor jacking, where you onboard somebody on day two, they give their authentication to a buddy because they're 10 bucks an hour cheaper.
Huge problem, every customer I talk to who has this problem, this is the way to mitigate it. So we're really excited about this being employed really anywhere. And that wraps up the conclusion, I mean, that wraps up the presentation. We have a couple of questions here, I think about the biometrics. Let me read this one out.
So how easy is it to get around biometrics? And this is a great question. So that certification that I mentioned called iBeta, they attempt all kinds of different ways to subvert the authentication. So they will hold up a photo, cut eye holes in it, and they're very good at making sure that that biometric is accurate, that it can't be spoofed by strangers or whatever.
And there's all kinds of testing to make sure that you don't have problems with decisioning bias in these processes as well, so that means are you incorrectly saying no or yes, and letting a bad guy in. So it's a combination of those two. And those stats are really important when you select a vendor to make sure that they encrypt the biometric properly with the user's key, and that they are certified for presentation attacks by an independent lab. So I think that'll probably about do it in terms of time today, any closing thoughts, Roland? Should we give them our fax number for purchase orders? What's the next step here?
Yeah, no, absolutely, let's do that. That kind of dates us, does basically give them the fax number [crosstalk 00:41:58]
Right back there, yeah.
Yeah. You can send the email address. No, I think Mike, you brought up a couple of nice points there at the end, just around some of the different abuses we see these days for workforce identity, because the pandemic you do have people outsourcing their jobs or contracting out the jobs, you do have people that outsource the interview process as well, and then you get different people actually showing up for work day one.
We've certainly seen a big uptake just on workforce verification, and because of the pandemic, traditionally, we've seen the verification process more along the lines of financial institutions, or government, or retail to try and avoid fraud. But these days, I think almost everybody that is enterprise 500 type customer is looking to avoid fraud even internally with their own employees.
So that's a very key takeaway, I think these days for most organizations as well. So those are my closing remarks. Thanks Mike, for inviting Simeio, we're very excited about being able to partner with 1Kosmos on things these days.
Yeah. Thanks so much for joining us Roland and all of our attendees. Appreciate your time and enjoy the rest of your day and your week. We'll see you at the next webinar.
Thank you. Sounds good.
Thanks everybody.
Mike Engle
CSO
1Kosmos
Roland Davis
Director of Customer Identity
Simeio
This webinar explores a modern approach to MFA that replaces the “what you know” in the form of the one-time code with “what you are” in the form of a likeness verified to a credentialed identity. By watching you will learn:
- How to transition from authenticating users as an isolated, one-time event and move to continuous identity assurance at every point of access for zero trust
- The difference between device-level biometrics and liveness detection to prevent spoofing and decisioning bias (e.g., racial bias)
- The best way to secure biometrics and PII to comply with regulatory guidelines and ensure users have private key access to determine when and what information is shared with 3rd party applications
Multi-factor authentication (MFA) can improve password security, but as an authentication method it is full of loopholes. The one-time codes sent via email, SMS or push can be easily compromised as can the session tokens. Layered on top of usernames and passwords, traditional MFA also contributes to a clumsy login experience and still leaves you hoping that the user at the other end of the connection is who they claim to be.
Mike Engle
CSO
1Kosmos
Roland Davis
Director of Customer Identity
Simeio
Video Transcript
Thanks everybody for joining. My name is Mike Engle. Today, we're going to be talking about, as you can see here, Closing the Security Loopholes in MFA or Multi-Factor Authentication. I am Chief Strategy Officer and co-founder here at 1Kosmos. I spent my career either running cybersecurity programs or building companies like this one, also a venture investor with a company called 1414 Ventures. I'm joined today by Roland Davis, the Director of Identity at Simeio Solutions. Would you like to say hello, Roland and introduce everybody?
Yeah. Hello everybody. I am Roland Davis, I've been with Simeio for the last five years and head up a practice around customer identity as well as workforce identity. So we're very excited today to able to co-present with 1Kosmos. 1Kosmos is amazing piece of technology that is becoming more and more prevalent down this path of passwordless capabilities. So we're very, very excited to be able to go close with them and provide some offerings and solutions to our customers jointly.
Awesome. Yeah. Well, thanks for being here, I appreciate it.
Thanks Mike.
Of course, I'd get in trouble with my marketing department, if I didn't give a shout out for our upcoming webinar, it's a completely different topic on the introduction of citizen identity in government and commercial services. So check this out, you can find a link to it at the top of our website, and you'll be hearing about it from our various sources.
And also we'll be talking about a couple different technologies today, and you're in invited to try out a passwordless experience by simply going to our website, clicking on a button to try the demo, grab an app out of the store and try it out. There's a whole bunch of different aspects of MFA, we'll be talking about today here. This is one of the coolest, and you can try it and no sign up needed, just give it a shot.
Yeah, I tried this the other day, Mike, and literally folks, it took me like a minute to try it out it, and it's a great little demo to get started on, on 1Kosmos. So give it a try, it's about a minute worth of your time.
Yeah. Thanks. I didn't even know you tried it, that's cool. And that experience is what like banks and some of the more forward leaning organization they're starting to do. So it's super exciting stuff. And then lastly, we are giving away what's something we call a Passwordless Identity Package today.
So it's a software package and $50,000 in value. So you can see some details here at our website of as well, we'll randomly select a lucky winner and follow up shortly after the webinar. All right. So Roland, you are not included in that list of potentials.
Oh, not eligible.
That's right. So I'm try to stack the deck.
Okay.
All right. So we're going to talk, it's a very simple agenda here today, and we're going to move kind of quickly, it's going to be a dialogue, not a bunch of slides boring you to death. And there's some new stuff in here that I think many people might be familiar with, but we're going to really expand upon, and all these acronyms we're going to cover them, and some you probably didn't hear of before, like the growing trend of trying to get rid of HBA in the enterprise and in the consumer world.
So we'll be diving into this, and we're also going to ask a couple of questions from the audience. So Maureen or Alexis, if you are ready, we're going to bring up three very simple poll questions throughout the webinar, and the first one is coming up now, and that question is, do you have MFA on all of your endpoints today?
All right. So it's a very simple, yes or no question, just click away, we'll give this about 15 seconds for people to really ponder this question, because it's so, so deep. And I could see quite a few and we're going to show the results right away. So this will be kind of fun. We can share them after the webinar as well. Okay.
Is watching the horse race at the amusement park.
It is. Yeah.
Which one's going to go in.
Super exciting, that's right. All right, Maureen, I think that's good. We got about 70% and if you press these share results, we'll see, we're about 50, 50, it's a 45, 55 split. So all of your external endpoints, I think that's probably why there's more no's than yes. There's so many external endpoints out there. So thanks for everybody for taking the time on that. Okay. And we're going to carry on here, I think the poll should disappear if it doesn't click the little X.
I guess Mike, if there's questions from the audience as well, we probably want to have those come in through the chat window as well, right?
That's right. Yeah. Feel free to just ask away as we're going. We have a couple of our technical staff on the line and they will be answering them in real-time. You can even make fun of my outfit or my hair, anything you want, it's all fair game today. So, and then we'll, if there's a couple of questions that need expanding on, because they're super deep, we will get into them.
So first, let's talk a little bit about some of the terminology. 2FA, we've known about 2FA for years, we're going to get into just a little bit of stage setting for how long 2FA's been around. I think people will be shocked to know how old this technology is, and of course, the successor of the 2FA is MFA, Multifactor, not just two. And Roland, do you remember the first type of 2FA that you used going back in your long storied career?
First kind of 2FA well, boy, it'd probably be those nasty security questions, right?
Yeah.
That probably goes back quite a few decades now right where people would be asking, "Hey, what's your mother's maiden name?" Or, "Hey, what was your favorite movie and what was your favorite vacation spot?"
That's right. Yeah. That's a caveat.
All those things. Yeah. All those knowledge-based questions and they'd work them authentication flows as well sometimes, so they wouldn't use them just for password resets and those kinds of things, but they would actually work them into a part of the authentication flow.
So after you put your username and password in, there you go put this extra thing in, code was very popular as well. So here's your pin, so enter after you put your password in, here's your pin, those have been very popular historically, right?
Right.
But there's horror stories from all those, I really don't like security questions these days. If anybody has security questions still in their environment, we certainly work with customers to try and get them to move away from those, right?
Yeah. The KBA knowledge based, writing something you know, your mother's shoe size when you were four is not only are they a pain for the user, but they're also called KBA for known by anybody, because one browse down your social or just asking some questions in a certain way or googling around, plus they've been stolen out of so many databases, they're really useless.
Mine was a secure ID Token in 1990, I don't know, five or six, I deployed an RSA SecureID Server and so we had these tokens, they were the coolest thing ever, because you had this little security thing that you could hand out to people little did we know how much of a better way.
The batteries would die later? Yeah.
Yeah. And then RSA ended up getting hacked, the secrets got stolen, there was all these things that made it bad. But yeah, we're migrating away from that and towards MFA and better types, not all MFA are created equal, we're going to talk about that quite a bit here today.
And then something we really focus on at 1Kosmos is Identity-Based Authentication. And my definition of that is how do you really prove that it's rolling at the other end of the line, not somebody who has Roland's secrets, or codes, or his phone, but it really is rolling, then we'll be talking about that here today. So we think-
HBA.
HBA is coming up, exactly. So HBA, let's expand on that term first, it's a great point. So it is on the slide. HBA, not many people know about this term, it's called Hope Based Authentication and it is what you use if you can't undeniably prove who that person is at the other on the line, you're hoping that they get into your system, that they can fetch their code, that they haven't lost their code, that they need, might have to change their password or forgot it. So that's where we're really trying to get away from. Yeah. Thanks for calling that out.
Makes sense. Yeah, no worries. I'm sure everybody on the line here probably is asking the same question, so...
Yeah, exactly. And so without identity, we have a system based on hope, really. I don't know how your experience is at the holidays, but when everybody gets new devices, they're calling uncle Mike or son Mike to try to fix their 17 Apple, and Google, and other accounts that have gotten locked out because they can out a new phone. So it's a continuous user experience problem as well as a security risk.
And the impacts of this are really staggering. So these are some relatively new stats, there's lots of people that have been thrown around stats from 2018. But these come from the 2021 Verizon Data Breach Investigations Report, it's the data breach investigations Bible, it's like 114 pages, if you haven't seen it, you can use it to make any security business justification.
But what this latest one said is that 85% of breaches focus on the human element. In other words, it's a person making a mistake, getting coerced, socially engineered or whatever it is, that's involved in a breach. And that of course, comes back to the fact that they even have a password. So I mean, how many breaches have you seen about this year, Roland? Just making a number of-
100.
... it's got to be one a week. Yeah, exactly.
Yeah. No, we definitely see our fair share breaches happening in the Marketplace, and we work with customers to minimize that credentials being the biggest attacked vector that we see in the Marketplace these days.
Right. And once they're exposed, once a credential is obtained, it's really expensive. So these stats are from the LOCKTON Group, cyber insurance broker or company. And you can see here, the average payment, 1.5 million, and the actual impact then, your business is shut down, your colonial pipeline or your mask, whatever is $5 million.
And of course, we've heard of some of these getting up and into the hundreds of millions like mask. And so 66% of every ransomware is over a million dollars too. So the problem's real, if you don't have the attention of the board or the C-suite showing some of these numbers, I think they already know how big of a problem this is though.
So like I was saying, I really wanted to talk about 2FA and where it sits on the history of authentication. So many people know that passwords have gone back to the sixties when they were invented as part of a mainframe shared resource. And then a bunch of other tactics came out in between, including encrypting them, it's called Hashing.
And then Bill Gates even said in 1984 that passwords were going away soon, and here we are, I don't even know how many years later, I can't do that kind of math. And as I mentioned, secure ID tokens, right. My first real cool 2FA deployment, 1993, and how many people are still buying some type of thing you have to put in your pocket to try to get into a system, either a number generator or something you plug into your USB device, they are stronger, but they're so cumbersome, and they're expensive, and hard to deploy. And this one here-
They're also not necessarily tied to the identity as well, Mike, like I've seen, I've heard of instances where people have set up webcams to their hardware token so they can share it amongst the team. So you get kind of scenarios even with that, like is it truly secure? And does it truly marry up the identity of the user to the owner of the hardware token? And there's a good argument to say that no, it doesn't, right?
Yeah, exactly. And that we're going to cover a lot of that, and that is the exact opposite of Identity-Based Authentication. It's some type of combination of other things that can be obtained by somebody else. So this really, I've seen so many websites just start to deploy SMS or email codes today. And it is a little bit better, but if you're really protecting something important like a bank account, the bad guys are showing how easy it is to now obtain these.
So fast forwarding now to the two thousands and we've got the FIDO Alliance, super exciting stuff. So for those that don't know what FIDO is, it stands for Fast Identity Online. It made mainstream news about three weeks ago because they've reached a certain point of attraction where websites are starting to pop up and now say, "Do you want to go passwordless?"
And I might be able to show an example of that here today, and now, so they're almost 10 years in the making and they're starting to change the way we can authenticate using our computers instead of things that we have to know and spit out and can be stolen.
And then, in between where passwordless started and where we are today, there's been a whole bunch of other tools and things that have come out, including a push to your mobile, which we have all used like authenticators pops up and says, "Is this you? Yes or no?" And that's certainly better than just using them in a password as well.
But now you can see from 2013 to 2018, FIDO's latest standard known as WebAuthn is what is starting to allow it to get adopted by the masses. And so websites like Best Buy, and TurboTax, and eBay have this as part of their journey now.
And of course, this is kind of a little bit of a slide in here at the end 2019 is when we coin the term identity based authentication. And we're starting to see this term and these concepts pop up in research, and papers, and analysts, and that is the strong joining of identity and authentication that we're going to talk in here. I'm sure this resonates with your clients as well, Roland, right?
Yeah, it does and kind of interestingly enough, like SMS being deprecated by NIST is back in 2016 and kind of to your point, there's still customers out there that are looking at using SMS or establishing SMS as their MFA strategy today, right?
That's right. And I think customers have a choice these days of being able to even get kind of do a little bit of leapfrog in the Marketplace and move towards passwordless. I know my customers have been asking for passwordless for years now, can we get there? And the market conditions are finally right for it. So very, very, very excited to be able to move forward with offerings on passwordless, that's for sure.
Yeah. And I put a call out here for Identity-Based Authentication and kind of where it sits in all of these technology, so there is a standard that says, "Here's how you prove who somebody is remotely," it's known as NIST 800-63, it's a US government standard, obviously.
And there's a version of it nearly every modern country, but it says, "Present credentials, match it to your face in a certain way that has the best chance of it being the real person." And that combined with a passwordless technology like FIDO is what lets you prove as best you can, who this person is coming in.
And we're going to expand upon this, but what's happened, because these technologies are relatively new, you're talking about really three years for some adoption happening in FIDO, and the identity proofing standard is still maturing. What we have is a landscape of companies that now just deal with compensating controls around authentication.
So the cyber security, if you walk the halls of the RSA security show, for example, you'll see hundreds of companies that try to mitigate password problems. And it could be by detecting fraud, bad signals from the guys who stolen your password, et cetera. So I'm sure you're familiar, obviously don't call any of these out rolling, but you probably integrate with a lot of these technologies in your staff.
Yeah. Historically we have. And you've had to, we've had to do that for customer requirements, to call out and see whether or not a password has been compromised or whether or not you're on a block list somewhere, et cetera. So we're just simply calling out to services to determine, is this a known threat to the environment? So yeah, we've had to integrate into a wide variety of these over time, and to your right Mike, these are mainly the create... There's a huge marketplace just for passwords and credential management.
And I think this whole landscape, these days is going to change significantly now. There's, if we can get away from things like having password managers, and browsers, and setting-up all these additional compensating type measures, just to be able to kind of get a grip on the password problem, if that all goes away and disappears, the industry's going to look a lot differently here in just a couple years, right?
Yeah, exactly. Yeah, I tried breaking down all of the types of these over time, so obviously we've started with user ID and passwords since 1960 or whatever it is. And that wasn't good enough so we made an expire, and we've proven now that is a bad technique, a longer non expiring phrase is best, but companies are still of doing this.
In fact, since the pandemic, a couple of clients that we worked with to go passwordless were moving from 12 to 16 and beyond characters in their password, complex, changing every 90 days. And then we added 2FA, and MFA, and Risk-Based Authentication, and like you mentioned before, your favorite, Knowledge-Based Authentication. And in fact, the airlines here in the US still use this as their second factor.
But then we started to see SSO, which is a step in the right direction, in my opinion, but still doesn't introduce identity. So we sit on top of these and we'll show you some of that. Password managers, passwordless is now a thing FIDO... So this is such a huge problem the industry has just kept putting bandaid upon, bandaid upon, bandaid.
And of course, biometrics is the newest and most controversial topic, that is one of the strongest ways to prove who somebody is remotely. So a lot of As and all of that. So it's time for the second poll. I know everybody's been waiting, I've gotten four chat messages, come on, Mike, can you get to the second question please? So here we go.
If Maureen, if you're ready to pop this up. This is a multiple choice, you can pick one, two, or as many as you do. And we're curious to know what type of MFA you've deployed inside out of your organization, for your customers, or your employees?
There's just some great results, I think you'll like them. We got two of them, neck and neck, just two clicks away from each other. So we got about 50%, actually, we're getting up to 60% participation here. Just give it another 10 seconds, press your buttons everybody.
All right. So Maureen, if you could end the poll and share the results. Here we go. So can you guys see those? You see OTP, email, SMS, still are the most popular along with app-based authenticators, so that's your Google and Microsoft one time code generator.
So it's really comes down to one time codes that are the most popular, and it's good to see app-based, push notifications coming out, and look, there's FIDO coming in as a kind of distant fourth there. So steps in the right direction for sure, and really encouraging to see none that has such a low number.
Yeah, that's good to see.
Yeah. Awesome. Thanks for putting that out, Maureen. Okay. So let's talk about IBA. What is Identity-Based Authentication? And the way 1Kosmos defines this, and NIST really, is it's a combination of proving the user's identity, not just saying, type in your name and your address, and we'll verify the data, but proving it.
And this is that NIST standard that I mentioned before, 863-3 is the standard. Everybody in the banking community who has to deal with KYC, or sometimes an HR for know your employee, KYE knows about the standard, and the subsection of it is this 8633A, and that is the identity assurance level.
So what this does, is it triangulates your government documents or other strong sources of kind of document verification about you and matches them to your real world identity, your face, and verifying the documents are authentic and things like that.
So once you do that, you can then give the user a credential. Issuing a credential without doing step one, you could be putting a credential on top of a compromised account, or giving it to the wrong person, or it could be stolen. So it's the marrying of these. And there's another standard from the W3C called decentralized identifiers that can allow that identity to be shared internally in an organization across disparate apps, or more importantly, between companies, between industries, even between countries.
Those standards a few years old is getting really popular. The tech giants are all focusing on this with dedicated practices, and it's what we have under the hood at 1Kosmos to allow the identities to be portable if an organization wants their employees or customers identities to be shared, it really puts the user in control of the identity.
And then once you have these two put together, you can issue what are called verifiable credentials to third parties as well. So the idea here is you're Roland and that can never be taken away from you, but you could have a credential, like a COVID vaccination or proof of work that you work at Simeio, and that can be revoked.
You leave Simeio, that verifiable credential is verified and you don't work there anymore. So these are some of the relatively new identity standards that are allowing identity to be user managed, allows you to do privacy by design, and allows the identities to be shared.
Yeah. What I love about this Mike is you've taken some very complex standards out there, if anybody picks up the NIST standard, they're in for a few evenings of reading, that's for sure. And then even at the end of it, trying to piece it all together too, in order to put together a solution is a very complex initiative, it takes a lot.
And what I love about this is that this is simplified now, it's so nice to be able to start with the NIST standard, grow into the issuing the credentials, and then using those credentials using verified credentials. You've made it, you've kind of added that missing link and that is the usability of those standards. How do you actually implement them, right?
Yeah.
The very first time the standards came out for, let's say, HTML, you had to piece them all together, and now they're ubiquitous, in the future, this is going to be ubiquitous as well. It's just going to be part of everyday life in terms of how we go about logging into services, right?
Right. Exactly. And so these are the standards, and there's actually a bunch of certifying bodies to make sure that the company you're working with has employed these standards properly. So I know you were going to like, "Mike, well, how do I know if I've got the right standard and it's good." So there you go, here's my segue.
There's three certifying organizations that prove your identity onboarding, your biometrics and your passwordless experience. So here on the left, you have that NIST 863-3 standard that I referenced. And there's a nonprofit called the Kantara Initiative that certifies companies to say, "Yes, they do it the way the standard was meant to be done.
So this is an important seal of approval, your good housekeeping, if you will. And then on the right, you see your authentication, how do you know you're using open standard and certified product? It's the FIDO standard. So look for the FIDO2 logo, that is the latest ref of the standard.
And if a company's using real buy biometrics, which if they're not, it's not real identity, and I think we'll get to that later. But there's the world leader in biometric certifications called iBeta, they certify the scanners that you see in the airports and make sure that you can't put a mission impossible mask on like Tom Cruise and spoof somebody's identity through presentation attacks, and they check your false acceptance rate and all that stuff.
So it's really important to have these certifications as part of the identity platform that you're using as you start to change the way you engage with employees and customers. So a lot of devil in the details, right Roland?
Yeah, absolutely. Yeah.
Yeah. And there's one really simple test that you can ask any supplier or yourself to know is my identity, my authentication identity based, and that is, can you give it to somebody else? So Roland right now, I could give you my Bank of America, username, password, and my UBI key-
Could you?
... and my pin. I could, and you could log into my account, right? Or probably my employer, I could give him my phone, username, password, or my windows password, it's attainable one way or another.
And so if the answer to this is, no, it can't be done, then you have true identity at the other line and really Zero Trust. So Zero Trust is a concept of actually, why don't you explain Zero Trust because I know Simeio is a leader in this, I think this would be great for your context on Zero Trust.
Yeah. Thanks, Mike. Yeah. So certainly, Zero Trust is making sure that you, well, it comes down to trust nobody, verify always. And in order to verify people, that really means that the identity has to be established and linked to the verification process.
So every request that comes in for access to data, to applications, it's looked at it's inspected and linked back to the identity of the individual making that request. So that's Zero Trust. And I think we have a slide coming up on that after the poll here, to talk a little bit more about Zero Trust in a bit.
Awesome. Yeah. So now it's time for our third and final polling question. This is a very simple question, Maureen, if you could pop up this and the question is, would you use MFA on your operating system, Unix, Mac, or Windows, including remote computers, if it were a single touch experience, one click, I want to know who says no, but that's, we'll get to that later.
So this is obviously a loaded question. It is possible to put a single touch MFA Identity-Based Authentication on any remote system, and we're going to talk about that here today. And so not surprisingly, there's more yeses than no's on this one so far.
I think the no people must just use Android, or mobile devices, or tablets, or something, right, yeah, maybe?
Could be, actually, yeah. There's a lot of environments that are 100% cloud and don't use Mac or Windows at all, use a Chromebook. And so, yeah, that's a good point, the world is not just enterprise software, but that's great if you could finish this one and show the results, Maureen, thank you for that.
All right. I think we're... Awesome. Okay. So let's move on. So now let's talk about what we call IAM's Missing Function. So I deployed my first identity and access management system, not me, but a team of us at Lehman Brothers in the late nineties, early two thousands, when we called it Total Access Control Identity Access Management was the program, but it didn't have any identity in it, because it was really based on just creating accounts everywhere and trying to manage passwords and password resets.
So these sections here in the middle are what's been missing from every IAM stack, cryptographic, proof of identity, and that's what FIDO and this 863-3 set up for you, as well as a biometric that answers the authoritative who.
And so if you can feed these into your existing IAM Functions and let them do what they do, and manage the operating system, do single sign on, do your governance, et cetera, your account creation, then you're really taking the question out of whether or not it is that person at the other end of the line, introducing Zero Trust. So to that end, I'll let you expand on this a bit, Roland, I really love this slide, but this is obviously Simeio Zero Trust Model.
Yeah. And thanks for that, Mike. I think that from Simeio standpoint, being able to consume these services in a nice, easy way is crucial. So Zero Trust, it kind of shifts the focus traditionally away from the identity provider, that's still required, so it's still required to provide some form of proof of identity, but that gets fed into a policy engine. And the policy engine works in conjunction with a lot of sources of information like where's the location of the user? What's the behavior of this user? Is it abnormal behavior? They log in at 2:00 AM and they typically log in between the hours of nine and five.
So it can look at those types of behaviors and make a decision whether or not to ask for more information about the user, or deny access, or approve access based on the policies and conditions that you have in place.
So from Simeio standpoint, we work with customers to improve their Zero Trust environments. A lot of customers these days have mandates to adopt Zero Trust, but really have a hard time in just kind of going, where do we start? What do we start with? And certainly one of the areas to start with when it comes to Zero Trust is to implement on the authentication side, so strengthen up the authentication services, because that's crucial, tying your authentication directly to identity and having a verified identity, that's one of the foundations of Zero Trust.
Is to link all the requests back to an individual, or a service, or a system and making sure that only those systems and individuals that should have access to services do. So we've developed, it's similar, you could pass to the next slide.
We've developed a series of assessments specifically focused on Zero Trust, so advisory services is one of the things that we do to help customers kind of paint a roadmap for how do you go from current state today to the future state of Zero Trust, but we also provide deployment service and manage services as well.
So once you decide, okay, all right, now I need to implement a particular piece of technology, let's say you wanted to implement 1Kosmos, you can turn to Simeio and say, "Simeio, this is what we'd like to do. We can work with you to put together deployment services, manage services in the advisory services across the board for that."
So kind of take you the full gamut, help you produce the business case, help you to get that justification, the internal justifications that you need in order to move forward with your projects, and then deploy those projects. So kind of a little shameless plug for Simeio there, Mike.
No, it's good.
Giving us the opportunity for that, yeah.
You guys have created and managed hundreds of millions of identities over the years. So you really, really know your stuff. And we have a very tight integration with Simeio, so you can jumpstart your journey with a strong identity, and whenever that policy engine has to ask a question, we make it really easy to reach out to the user and say, "Can you just show me who you are," and reach out to them and they'll have that cryptographic proof that you need.
So, no, it's like peanut butter and jelly. So now let's just show a quick demo of what we refer to as Identity-Based Authentication. What you're going to see here is the first time launching of an app that lets you store your identity and present it to a third party with that proof that you need, and so this is just a couple of seconds long, and I'll let this roll here.
Here we go. So you'll see upon launching of the app behind the scenes, a private keys generated, transparent to the user. We use a pin just as another factor for kind of break glass purposes, it's very rarely needed. And then we do your device biometrics, touch ID or face ID, takes about a total of you saw here about eight seconds to enroll now three factors in the phone, key, pin, and device biometrics.
Now, we're going to do real biometrics. That's me. Thank God I wasn't wearing the same shirt. So that was what we call live ID, and that is a real biometric that I can now link to any source of truth and also ask for it again to authenticate them. And you saw how quick and easy it was, you don't have to ship somebody a token or a smart card reader, we're trusting this really very complex and secure piece of hardware to hold a lot of the credentials for us today.
So let's leverage it. We've got a high res camera, far better than cameras that we've used in the airport for 10 years. So it's really putting the power in the hand of the user. Now, everything you saw there is encrypted with my private key and only releasable with my consent, and that is a huge deal in the age of privacy and breaches. If that biometric is stored anywhere, we're a third party administrator or centralized encryption can get at it, you have a big problem. You saw that with the big curfuffle with the IRS about two months ago, and their use of a private biometric and identity scanning company.
So we make it look easy and it actually is easy. And of course, this can be private labeled. We have customers that call it their own identity or put each of these components as an SDK inside of their existing app.
And now once that identity is enrolled, sorry, let me skip forward, you can leverage that for verifying identity. So that didn't prove my identity as an individual, just let me enroll identity assets, my private key, my real biometrics. Now, we are going to link that to government ID, my citizen ID. And we do this by scanning government credentials, the front, the back, decoding that PDF, four and seven barcode, and matching my face to that photo, and verifying it with the DMV, called AMVA.
I can also enroll passports in any country that uses modern passports is over 100 of them. So that experience you saw there is getting really popular, especially in the crypto world overseas, and it's used to prove my identity. So now I can leverage that strong identity to say, "This is Mike Engel coming into my platform every time."
And this is my final one, and then we're going to wrap it up here. So this is how you employ Identity-Based Authentication for any target system. This could be your remote access, Citrix, VDI, Zscaler, whatever. It could be your operating systems, it could be a banking website, doesn't matter, the experience is the same. So the most common way now is a QR code. I will scan this, I give consent to authenticate.
My biometric is asked, I asked for the authentication and I'm staring at my downstream applications. It takes about two, three seconds. Now you don't have to do that every time, you can rely on touch ID and face ID, spot-check the user once a month with live ID, make sure that they're still the person that you think they are, prevent something called contractor jacking, where you onboard somebody on day two, they give their authentication to a buddy because they're 10 bucks an hour cheaper.
Huge problem, every customer I talk to who has this problem, this is the way to mitigate it. So we're really excited about this being employed really anywhere. And that wraps up the conclusion, I mean, that wraps up the presentation. We have a couple of questions here, I think about the biometrics. Let me read this one out.
So how easy is it to get around biometrics? And this is a great question. So that certification that I mentioned called iBeta, they attempt all kinds of different ways to subvert the authentication. So they will hold up a photo, cut eye holes in it, and they're very good at making sure that that biometric is accurate, that it can't be spoofed by strangers or whatever.
And there's all kinds of testing to make sure that you don't have problems with decisioning bias in these processes as well, so that means are you incorrectly saying no or yes, and letting a bad guy in. So it's a combination of those two. And those stats are really important when you select a vendor to make sure that they encrypt the biometric properly with the user's key, and that they are certified for presentation attacks by an independent lab. So I think that'll probably about do it in terms of time today, any closing thoughts, Roland? Should we give them our fax number for purchase orders? What's the next step here?
Yeah, no, absolutely, let's do that. That kind of dates us, does basically give them the fax number [crosstalk 00:41:58]
Right back there, yeah.
Yeah. You can send the email address. No, I think Mike, you brought up a couple of nice points there at the end, just around some of the different abuses we see these days for workforce identity, because the pandemic you do have people outsourcing their jobs or contracting out the jobs, you do have people that outsource the interview process as well, and then you get different people actually showing up for work day one.
We've certainly seen a big uptake just on workforce verification, and because of the pandemic, traditionally, we've seen the verification process more along the lines of financial institutions, or government, or retail to try and avoid fraud. But these days, I think almost everybody that is enterprise 500 type customer is looking to avoid fraud even internally with their own employees.
So that's a very key takeaway, I think these days for most organizations as well. So those are my closing remarks. Thanks Mike, for inviting Simeio, we're very excited about being able to partner with 1Kosmos on things these days.
Yeah. Thanks so much for joining us Roland and all of our attendees. Appreciate your time and enjoy the rest of your day and your week. We'll see you at the next webinar.
Thank you. Sounds good.
Thanks everybody.
Yeah. Hello everybody. I am Roland Davis, I've been with Simeio for the last five years and head up a practice around customer identity as well as workforce identity. So we're very excited today to able to co-present with 1Kosmos. 1Kosmos is amazing piece of technology that is becoming more and more prevalent down this path of passwordless capabilities. So we're very, very excited to be able to go close with them and provide some offerings and solutions to our customers jointly.
Awesome. Yeah. Well, thanks for being here, I appreciate it.
Thanks Mike.
Of course, I'd get in trouble with my marketing department, if I didn't give a shout out for our upcoming webinar, it's a completely different topic on the introduction of citizen identity in government and commercial services. So check this out, you can find a link to it at the top of our website, and you'll be hearing about it from our various sources.
And also we'll be talking about a couple different technologies today, and you're in invited to try out a passwordless experience by simply going to our website, clicking on a button to try the demo, grab an app out of the store and try it out. There's a whole bunch of different aspects of MFA, we'll be talking about today here. This is one of the coolest, and you can try it and no sign up needed, just give it a shot.
Yeah, I tried this the other day, Mike, and literally folks, it took me like a minute to try it out it, and it's a great little demo to get started on, on 1Kosmos. So give it a try, it's about a minute worth of your time.
Yeah. Thanks. I didn't even know you tried it, that's cool. And that experience is what like banks and some of the more forward leaning organization they're starting to do. So it's super exciting stuff. And then lastly, we are giving away what's something we call a Passwordless Identity Package today.
So it's a software package and $50,000 in value. So you can see some details here at our website of as well, we'll randomly select a lucky winner and follow up shortly after the webinar. All right. So Roland, you are not included in that list of potentials.
Oh, not eligible.
That's right. So I'm try to stack the deck.
Okay.
All right. So we're going to talk, it's a very simple agenda here today, and we're going to move kind of quickly, it's going to be a dialogue, not a bunch of slides boring you to death. And there's some new stuff in here that I think many people might be familiar with, but we're going to really expand upon, and all these acronyms we're going to cover them, and some you probably didn't hear of before, like the growing trend of trying to get rid of HBA in the enterprise and in the consumer world.
So we'll be diving into this, and we're also going to ask a couple of questions from the audience. So Maureen or Alexis, if you are ready, we're going to bring up three very simple poll questions throughout the webinar, and the first one is coming up now, and that question is, do you have MFA on all of your endpoints today?
All right. So it's a very simple, yes or no question, just click away, we'll give this about 15 seconds for people to really ponder this question, because it's so, so deep. And I could see quite a few and we're going to show the results right away. So this will be kind of fun. We can share them after the webinar as well. Okay.
Is watching the horse race at the amusement park.
It is. Yeah.
Which one's going to go in.
Super exciting, that's right. All right, Maureen, I think that's good. We got about 70% and if you press these share results, we'll see, we're about 50, 50, it's a 45, 55 split. So all of your external endpoints, I think that's probably why there's more no's than yes. There's so many external endpoints out there. So thanks for everybody for taking the time on that. Okay. And we're going to carry on here, I think the poll should disappear if it doesn't click the little X.
I guess Mike, if there's questions from the audience as well, we probably want to have those come in through the chat window as well, right?
That's right. Yeah. Feel free to just ask away as we're going. We have a couple of our technical staff on the line and they will be answering them in real-time. You can even make fun of my outfit or my hair, anything you want, it's all fair game today. So, and then we'll, if there's a couple of questions that need expanding on, because they're super deep, we will get into them.
So first, let's talk a little bit about some of the terminology. 2FA, we've known about 2FA for years, we're going to get into just a little bit of stage setting for how long 2FA's been around. I think people will be shocked to know how old this technology is, and of course, the successor of the 2FA is MFA, Multifactor, not just two. And Roland, do you remember the first type of 2FA that you used going back in your long storied career?
First kind of 2FA well, boy, it'd probably be those nasty security questions, right?
Yeah.
That probably goes back quite a few decades now right where people would be asking, "Hey, what's your mother's maiden name?" Or, "Hey, what was your favorite movie and what was your favorite vacation spot?"
That's right. Yeah. That's a caveat.
All those things. Yeah. All those knowledge-based questions and they'd work them authentication flows as well sometimes, so they wouldn't use them just for password resets and those kinds of things, but they would actually work them into a part of the authentication flow.
So after you put your username and password in, there you go put this extra thing in, code was very popular as well. So here's your pin, so enter after you put your password in, here's your pin, those have been very popular historically, right?
Right.
But there's horror stories from all those, I really don't like security questions these days. If anybody has security questions still in their environment, we certainly work with customers to try and get them to move away from those, right?
Yeah. The KBA knowledge based, writing something you know, your mother's shoe size when you were four is not only are they a pain for the user, but they're also called KBA for known by anybody, because one browse down your social or just asking some questions in a certain way or googling around, plus they've been stolen out of so many databases, they're really useless.
Mine was a secure ID Token in 1990, I don't know, five or six, I deployed an RSA SecureID Server and so we had these tokens, they were the coolest thing ever, because you had this little security thing that you could hand out to people little did we know how much of a better way.
The batteries would die later? Yeah.
Yeah. And then RSA ended up getting hacked, the secrets got stolen, there was all these things that made it bad. But yeah, we're migrating away from that and towards MFA and better types, not all MFA are created equal, we're going to talk about that quite a bit here today.
And then something we really focus on at 1Kosmos is Identity-Based Authentication. And my definition of that is how do you really prove that it's rolling at the other end of the line, not somebody who has Roland's secrets, or codes, or his phone, but it really is rolling, then we'll be talking about that here today. So we think-
HBA.
HBA is coming up, exactly. So HBA, let's expand on that term first, it's a great point. So it is on the slide. HBA, not many people know about this term, it's called Hope Based Authentication and it is what you use if you can't undeniably prove who that person is at the other on the line, you're hoping that they get into your system, that they can fetch their code, that they haven't lost their code, that they need, might have to change their password or forgot it. So that's where we're really trying to get away from. Yeah. Thanks for calling that out.
Makes sense. Yeah, no worries. I'm sure everybody on the line here probably is asking the same question, so...
Yeah, exactly. And so without identity, we have a system based on hope, really. I don't know how your experience is at the holidays, but when everybody gets new devices, they're calling uncle Mike or son Mike to try to fix their 17 Apple, and Google, and other accounts that have gotten locked out because they can out a new phone. So it's a continuous user experience problem as well as a security risk.
And the impacts of this are really staggering. So these are some relatively new stats, there's lots of people that have been thrown around stats from 2018. But these come from the 2021 Verizon Data Breach Investigations Report, it's the data breach investigations Bible, it's like 114 pages, if you haven't seen it, you can use it to make any security business justification.
But what this latest one said is that 85% of breaches focus on the human element. In other words, it's a person making a mistake, getting coerced, socially engineered or whatever it is, that's involved in a breach. And that of course, comes back to the fact that they even have a password. So I mean, how many breaches have you seen about this year, Roland? Just making a number of-
100.
... it's got to be one a week. Yeah, exactly.
Yeah. No, we definitely see our fair share breaches happening in the Marketplace, and we work with customers to minimize that credentials being the biggest attacked vector that we see in the Marketplace these days.
Right. And once they're exposed, once a credential is obtained, it's really expensive. So these stats are from the LOCKTON Group, cyber insurance broker or company. And you can see here, the average payment, 1.5 million, and the actual impact then, your business is shut down, your colonial pipeline or your mask, whatever is $5 million.
And of course, we've heard of some of these getting up and into the hundreds of millions like mask. And so 66% of every ransomware is over a million dollars too. So the problem's real, if you don't have the attention of the board or the C-suite showing some of these numbers, I think they already know how big of a problem this is though.
So like I was saying, I really wanted to talk about 2FA and where it sits on the history of authentication. So many people know that passwords have gone back to the sixties when they were invented as part of a mainframe shared resource. And then a bunch of other tactics came out in between, including encrypting them, it's called Hashing.
And then Bill Gates even said in 1984 that passwords were going away soon, and here we are, I don't even know how many years later, I can't do that kind of math. And as I mentioned, secure ID tokens, right. My first real cool 2FA deployment, 1993, and how many people are still buying some type of thing you have to put in your pocket to try to get into a system, either a number generator or something you plug into your USB device, they are stronger, but they're so cumbersome, and they're expensive, and hard to deploy. And this one here-
They're also not necessarily tied to the identity as well, Mike, like I've seen, I've heard of instances where people have set up webcams to their hardware token so they can share it amongst the team. So you get kind of scenarios even with that, like is it truly secure? And does it truly marry up the identity of the user to the owner of the hardware token? And there's a good argument to say that no, it doesn't, right?
Yeah, exactly. And that we're going to cover a lot of that, and that is the exact opposite of Identity-Based Authentication. It's some type of combination of other things that can be obtained by somebody else. So this really, I've seen so many websites just start to deploy SMS or email codes today. And it is a little bit better, but if you're really protecting something important like a bank account, the bad guys are showing how easy it is to now obtain these.
So fast forwarding now to the two thousands and we've got the FIDO Alliance, super exciting stuff. So for those that don't know what FIDO is, it stands for Fast Identity Online. It made mainstream news about three weeks ago because they've reached a certain point of attraction where websites are starting to pop up and now say, "Do you want to go passwordless?"
And I might be able to show an example of that here today, and now, so they're almost 10 years in the making and they're starting to change the way we can authenticate using our computers instead of things that we have to know and spit out and can be stolen.
And then, in between where passwordless started and where we are today, there's been a whole bunch of other tools and things that have come out, including a push to your mobile, which we have all used like authenticators pops up and says, "Is this you? Yes or no?" And that's certainly better than just using them in a password as well.
But now you can see from 2013 to 2018, FIDO's latest standard known as WebAuthn is what is starting to allow it to get adopted by the masses. And so websites like Best Buy, and TurboTax, and eBay have this as part of their journey now.
And of course, this is kind of a little bit of a slide in here at the end 2019 is when we coin the term identity based authentication. And we're starting to see this term and these concepts pop up in research, and papers, and analysts, and that is the strong joining of identity and authentication that we're going to talk in here. I'm sure this resonates with your clients as well, Roland, right?
Yeah, it does and kind of interestingly enough, like SMS being deprecated by NIST is back in 2016 and kind of to your point, there's still customers out there that are looking at using SMS or establishing SMS as their MFA strategy today, right?
That's right. And I think customers have a choice these days of being able to even get kind of do a little bit of leapfrog in the Marketplace and move towards passwordless. I know my customers have been asking for passwordless for years now, can we get there? And the market conditions are finally right for it. So very, very, very excited to be able to move forward with offerings on passwordless, that's for sure.
Yeah. And I put a call out here for Identity-Based Authentication and kind of where it sits in all of these technology, so there is a standard that says, "Here's how you prove who somebody is remotely," it's known as NIST 800-63, it's a US government standard, obviously.
And there's a version of it nearly every modern country, but it says, "Present credentials, match it to your face in a certain way that has the best chance of it being the real person." And that combined with a passwordless technology like FIDO is what lets you prove as best you can, who this person is coming in.
And we're going to expand upon this, but what's happened, because these technologies are relatively new, you're talking about really three years for some adoption happening in FIDO, and the identity proofing standard is still maturing. What we have is a landscape of companies that now just deal with compensating controls around authentication.
So the cyber security, if you walk the halls of the RSA security show, for example, you'll see hundreds of companies that try to mitigate password problems. And it could be by detecting fraud, bad signals from the guys who stolen your password, et cetera. So I'm sure you're familiar, obviously don't call any of these out rolling, but you probably integrate with a lot of these technologies in your staff.
Yeah. Historically we have. And you've had to, we've had to do that for customer requirements, to call out and see whether or not a password has been compromised or whether or not you're on a block list somewhere, et cetera. So we're just simply calling out to services to determine, is this a known threat to the environment? So yeah, we've had to integrate into a wide variety of these over time, and to your right Mike, these are mainly the create... There's a huge marketplace just for passwords and credential management.
And I think this whole landscape, these days is going to change significantly now. There's, if we can get away from things like having password managers, and browsers, and setting-up all these additional compensating type measures, just to be able to kind of get a grip on the password problem, if that all goes away and disappears, the industry's going to look a lot differently here in just a couple years, right?
Yeah, exactly. Yeah, I tried breaking down all of the types of these over time, so obviously we've started with user ID and passwords since 1960 or whatever it is. And that wasn't good enough so we made an expire, and we've proven now that is a bad technique, a longer non expiring phrase is best, but companies are still of doing this.
In fact, since the pandemic, a couple of clients that we worked with to go passwordless were moving from 12 to 16 and beyond characters in their password, complex, changing every 90 days. And then we added 2FA, and MFA, and Risk-Based Authentication, and like you mentioned before, your favorite, Knowledge-Based Authentication. And in fact, the airlines here in the US still use this as their second factor.
But then we started to see SSO, which is a step in the right direction, in my opinion, but still doesn't introduce identity. So we sit on top of these and we'll show you some of that. Password managers, passwordless is now a thing FIDO... So this is such a huge problem the industry has just kept putting bandaid upon, bandaid upon, bandaid.
And of course, biometrics is the newest and most controversial topic, that is one of the strongest ways to prove who somebody is remotely. So a lot of As and all of that. So it's time for the second poll. I know everybody's been waiting, I've gotten four chat messages, come on, Mike, can you get to the second question please? So here we go.
If Maureen, if you're ready to pop this up. This is a multiple choice, you can pick one, two, or as many as you do. And we're curious to know what type of MFA you've deployed inside out of your organization, for your customers, or your employees?
There's just some great results, I think you'll like them. We got two of them, neck and neck, just two clicks away from each other. So we got about 50%, actually, we're getting up to 60% participation here. Just give it another 10 seconds, press your buttons everybody.
All right. So Maureen, if you could end the poll and share the results. Here we go. So can you guys see those? You see OTP, email, SMS, still are the most popular along with app-based authenticators, so that's your Google and Microsoft one time code generator.
So it's really comes down to one time codes that are the most popular, and it's good to see app-based, push notifications coming out, and look, there's FIDO coming in as a kind of distant fourth there. So steps in the right direction for sure, and really encouraging to see none that has such a low number.
Yeah, that's good to see.
Yeah. Awesome. Thanks for putting that out, Maureen. Okay. So let's talk about IBA. What is Identity-Based Authentication? And the way 1Kosmos defines this, and NIST really, is it's a combination of proving the user's identity, not just saying, type in your name and your address, and we'll verify the data, but proving it.
And this is that NIST standard that I mentioned before, 863-3 is the standard. Everybody in the banking community who has to deal with KYC, or sometimes an HR for know your employee, KYE knows about the standard, and the subsection of it is this 8633A, and that is the identity assurance level.
So what this does, is it triangulates your government documents or other strong sources of kind of document verification about you and matches them to your real world identity, your face, and verifying the documents are authentic and things like that.
So once you do that, you can then give the user a credential. Issuing a credential without doing step one, you could be putting a credential on top of a compromised account, or giving it to the wrong person, or it could be stolen. So it's the marrying of these. And there's another standard from the W3C called decentralized identifiers that can allow that identity to be shared internally in an organization across disparate apps, or more importantly, between companies, between industries, even between countries.
Those standards a few years old is getting really popular. The tech giants are all focusing on this with dedicated practices, and it's what we have under the hood at 1Kosmos to allow the identities to be portable if an organization wants their employees or customers identities to be shared, it really puts the user in control of the identity.
And then once you have these two put together, you can issue what are called verifiable credentials to third parties as well. So the idea here is you're Roland and that can never be taken away from you, but you could have a credential, like a COVID vaccination or proof of work that you work at Simeio, and that can be revoked.
You leave Simeio, that verifiable credential is verified and you don't work there anymore. So these are some of the relatively new identity standards that are allowing identity to be user managed, allows you to do privacy by design, and allows the identities to be shared.
Yeah. What I love about this Mike is you've taken some very complex standards out there, if anybody picks up the NIST standard, they're in for a few evenings of reading, that's for sure. And then even at the end of it, trying to piece it all together too, in order to put together a solution is a very complex initiative, it takes a lot.
And what I love about this is that this is simplified now, it's so nice to be able to start with the NIST standard, grow into the issuing the credentials, and then using those credentials using verified credentials. You've made it, you've kind of added that missing link and that is the usability of those standards. How do you actually implement them, right?
Yeah.
The very first time the standards came out for, let's say, HTML, you had to piece them all together, and now they're ubiquitous, in the future, this is going to be ubiquitous as well. It's just going to be part of everyday life in terms of how we go about logging into services, right?
Right. Exactly. And so these are the standards, and there's actually a bunch of certifying bodies to make sure that the company you're working with has employed these standards properly. So I know you were going to like, "Mike, well, how do I know if I've got the right standard and it's good." So there you go, here's my segue.
There's three certifying organizations that prove your identity onboarding, your biometrics and your passwordless experience. So here on the left, you have that NIST 863-3 standard that I referenced. And there's a nonprofit called the Kantara Initiative that certifies companies to say, "Yes, they do it the way the standard was meant to be done.
So this is an important seal of approval, your good housekeeping, if you will. And then on the right, you see your authentication, how do you know you're using open standard and certified product? It's the FIDO standard. So look for the FIDO2 logo, that is the latest ref of the standard.
And if a company's using real buy biometrics, which if they're not, it's not real identity, and I think we'll get to that later. But there's the world leader in biometric certifications called iBeta, they certify the scanners that you see in the airports and make sure that you can't put a mission impossible mask on like Tom Cruise and spoof somebody's identity through presentation attacks, and they check your false acceptance rate and all that stuff.
So it's really important to have these certifications as part of the identity platform that you're using as you start to change the way you engage with employees and customers. So a lot of devil in the details, right Roland?
Yeah, absolutely. Yeah.
Yeah. And there's one really simple test that you can ask any supplier or yourself to know is my identity, my authentication identity based, and that is, can you give it to somebody else? So Roland right now, I could give you my Bank of America, username, password, and my UBI key-
Could you?
... and my pin. I could, and you could log into my account, right? Or probably my employer, I could give him my phone, username, password, or my windows password, it's attainable one way or another.
And so if the answer to this is, no, it can't be done, then you have true identity at the other line and really Zero Trust. So Zero Trust is a concept of actually, why don't you explain Zero Trust because I know Simeio is a leader in this, I think this would be great for your context on Zero Trust.
Yeah. Thanks, Mike. Yeah. So certainly, Zero Trust is making sure that you, well, it comes down to trust nobody, verify always. And in order to verify people, that really means that the identity has to be established and linked to the verification process.
So every request that comes in for access to data, to applications, it's looked at it's inspected and linked back to the identity of the individual making that request. So that's Zero Trust. And I think we have a slide coming up on that after the poll here, to talk a little bit more about Zero Trust in a bit.
Awesome. Yeah. So now it's time for our third and final polling question. This is a very simple question, Maureen, if you could pop up this and the question is, would you use MFA on your operating system, Unix, Mac, or Windows, including remote computers, if it were a single touch experience, one click, I want to know who says no, but that's, we'll get to that later.
So this is obviously a loaded question. It is possible to put a single touch MFA Identity-Based Authentication on any remote system, and we're going to talk about that here today. And so not surprisingly, there's more yeses than no's on this one so far.
I think the no people must just use Android, or mobile devices, or tablets, or something, right, yeah, maybe?
Could be, actually, yeah. There's a lot of environments that are 100% cloud and don't use Mac or Windows at all, use a Chromebook. And so, yeah, that's a good point, the world is not just enterprise software, but that's great if you could finish this one and show the results, Maureen, thank you for that.
All right. I think we're... Awesome. Okay. So let's move on. So now let's talk about what we call IAM's Missing Function. So I deployed my first identity and access management system, not me, but a team of us at Lehman Brothers in the late nineties, early two thousands, when we called it Total Access Control Identity Access Management was the program, but it didn't have any identity in it, because it was really based on just creating accounts everywhere and trying to manage passwords and password resets.
So these sections here in the middle are what's been missing from every IAM stack, cryptographic, proof of identity, and that's what FIDO and this 863-3 set up for you, as well as a biometric that answers the authoritative who.
And so if you can feed these into your existing IAM Functions and let them do what they do, and manage the operating system, do single sign on, do your governance, et cetera, your account creation, then you're really taking the question out of whether or not it is that person at the other end of the line, introducing Zero Trust. So to that end, I'll let you expand on this a bit, Roland, I really love this slide, but this is obviously Simeio Zero Trust Model.
Yeah. And thanks for that, Mike. I think that from Simeio standpoint, being able to consume these services in a nice, easy way is crucial. So Zero Trust, it kind of shifts the focus traditionally away from the identity provider, that's still required, so it's still required to provide some form of proof of identity, but that gets fed into a policy engine. And the policy engine works in conjunction with a lot of sources of information like where's the location of the user? What's the behavior of this user? Is it abnormal behavior? They log in at 2:00 AM and they typically log in between the hours of nine and five.
So it can look at those types of behaviors and make a decision whether or not to ask for more information about the user, or deny access, or approve access based on the policies and conditions that you have in place.
So from Simeio standpoint, we work with customers to improve their Zero Trust environments. A lot of customers these days have mandates to adopt Zero Trust, but really have a hard time in just kind of going, where do we start? What do we start with? And certainly one of the areas to start with when it comes to Zero Trust is to implement on the authentication side, so strengthen up the authentication services, because that's crucial, tying your authentication directly to identity and having a verified identity, that's one of the foundations of Zero Trust.
Is to link all the requests back to an individual, or a service, or a system and making sure that only those systems and individuals that should have access to services do. So we've developed, it's similar, you could pass to the next slide.
We've developed a series of assessments specifically focused on Zero Trust, so advisory services is one of the things that we do to help customers kind of paint a roadmap for how do you go from current state today to the future state of Zero Trust, but we also provide deployment service and manage services as well.
So once you decide, okay, all right, now I need to implement a particular piece of technology, let's say you wanted to implement 1Kosmos, you can turn to Simeio and say, "Simeio, this is what we'd like to do. We can work with you to put together deployment services, manage services in the advisory services across the board for that."
So kind of take you the full gamut, help you produce the business case, help you to get that justification, the internal justifications that you need in order to move forward with your projects, and then deploy those projects. So kind of a little shameless plug for Simeio there, Mike.
No, it's good.
Giving us the opportunity for that, yeah.
You guys have created and managed hundreds of millions of identities over the years. So you really, really know your stuff. And we have a very tight integration with Simeio, so you can jumpstart your journey with a strong identity, and whenever that policy engine has to ask a question, we make it really easy to reach out to the user and say, "Can you just show me who you are," and reach out to them and they'll have that cryptographic proof that you need.
So, no, it's like peanut butter and jelly. So now let's just show a quick demo of what we refer to as Identity-Based Authentication. What you're going to see here is the first time launching of an app that lets you store your identity and present it to a third party with that proof that you need, and so this is just a couple of seconds long, and I'll let this roll here.
Here we go. So you'll see upon launching of the app behind the scenes, a private keys generated, transparent to the user. We use a pin just as another factor for kind of break glass purposes, it's very rarely needed. And then we do your device biometrics, touch ID or face ID, takes about a total of you saw here about eight seconds to enroll now three factors in the phone, key, pin, and device biometrics.
Now, we're going to do real biometrics. That's me. Thank God I wasn't wearing the same shirt. So that was what we call live ID, and that is a real biometric that I can now link to any source of truth and also ask for it again to authenticate them. And you saw how quick and easy it was, you don't have to ship somebody a token or a smart card reader, we're trusting this really very complex and secure piece of hardware to hold a lot of the credentials for us today.
So let's leverage it. We've got a high res camera, far better than cameras that we've used in the airport for 10 years. So it's really putting the power in the hand of the user. Now, everything you saw there is encrypted with my private key and only releasable with my consent, and that is a huge deal in the age of privacy and breaches. If that biometric is stored anywhere, we're a third party administrator or centralized encryption can get at it, you have a big problem. You saw that with the big curfuffle with the IRS about two months ago, and their use of a private biometric and identity scanning company.
So we make it look easy and it actually is easy. And of course, this can be private labeled. We have customers that call it their own identity or put each of these components as an SDK inside of their existing app.
And now once that identity is enrolled, sorry, let me skip forward, you can leverage that for verifying identity. So that didn't prove my identity as an individual, just let me enroll identity assets, my private key, my real biometrics. Now, we are going to link that to government ID, my citizen ID. And we do this by scanning government credentials, the front, the back, decoding that PDF, four and seven barcode, and matching my face to that photo, and verifying it with the DMV, called AMVA.
I can also enroll passports in any country that uses modern passports is over 100 of them. So that experience you saw there is getting really popular, especially in the crypto world overseas, and it's used to prove my identity. So now I can leverage that strong identity to say, "This is Mike Engel coming into my platform every time."
And this is my final one, and then we're going to wrap it up here. So this is how you employ Identity-Based Authentication for any target system. This could be your remote access, Citrix, VDI, Zscaler, whatever. It could be your operating systems, it could be a banking website, doesn't matter, the experience is the same. So the most common way now is a QR code. I will scan this, I give consent to authenticate.
My biometric is asked, I asked for the authentication and I'm staring at my downstream applications. It takes about two, three seconds. Now you don't have to do that every time, you can rely on touch ID and face ID, spot-check the user once a month with live ID, make sure that they're still the person that you think they are, prevent something called contractor jacking, where you onboard somebody on day two, they give their authentication to a buddy because they're 10 bucks an hour cheaper.
Huge problem, every customer I talk to who has this problem, this is the way to mitigate it. So we're really excited about this being employed really anywhere. And that wraps up the conclusion, I mean, that wraps up the presentation. We have a couple of questions here, I think about the biometrics. Let me read this one out.
So how easy is it to get around biometrics? And this is a great question. So that certification that I mentioned called iBeta, they attempt all kinds of different ways to subvert the authentication. So they will hold up a photo, cut eye holes in it, and they're very good at making sure that that biometric is accurate, that it can't be spoofed by strangers or whatever.
And there's all kinds of testing to make sure that you don't have problems with decisioning bias in these processes as well, so that means are you incorrectly saying no or yes, and letting a bad guy in. So it's a combination of those two. And those stats are really important when you select a vendor to make sure that they encrypt the biometric properly with the user's key, and that they are certified for presentation attacks by an independent lab. So I think that'll probably about do it in terms of time today, any closing thoughts, Roland? Should we give them our fax number for purchase orders? What's the next step here?
Yeah, no, absolutely, let's do that. That kind of dates us, does basically give them the fax number [crosstalk 00:41:58]
Right back there, yeah.
Yeah. You can send the email address. No, I think Mike, you brought up a couple of nice points there at the end, just around some of the different abuses we see these days for workforce identity, because the pandemic you do have people outsourcing their jobs or contracting out the jobs, you do have people that outsource the interview process as well, and then you get different people actually showing up for work day one.
We've certainly seen a big uptake just on workforce verification, and because of the pandemic, traditionally, we've seen the verification process more along the lines of financial institutions, or government, or retail to try and avoid fraud. But these days, I think almost everybody that is enterprise 500 type customer is looking to avoid fraud even internally with their own employees.
So that's a very key takeaway, I think these days for most organizations as well. So those are my closing remarks. Thanks Mike, for inviting Simeio, we're very excited about being able to partner with 1Kosmos on things these days.
Yeah. Thanks so much for joining us Roland and all of our attendees. Appreciate your time and enjoy the rest of your day and your week. We'll see you at the next webinar.
Thank you. Sounds good.
Thanks everybody.