Introducing Continuous Identity Verification to Enable the Modern Workforce
Unlock On-Demand Webinar
Video Transcript
Mike Engle:
Thanks everybody for joining. We're here today to talk about all kinds of identity constructs mostly in the workforce. I'm sure we'll have some tangents because identity is identity, whether you're an employee, a consumer, citizen, customer, it doesn't matter. And I'm joined today by two esteemed giants in the industry. Good longtime friend, Sam Tang. You want to say hi Sam and introduce yourself?
Sam Tang:
Hello everyone. Happy holidays. Thank you, EY. Thanks 1Kosmos for hosting this session. Very excited and also very privileged to be speaking with you and Max at the same time as you guys are industry powerhouses. So thank you very much.
Mike Engle:
You're making me blush and Max.
Max Cope:
Yeah, hi. Well, look, I'd like to say thank everyone for coming to the webinar and thank you Mike and Sam for the opportunity to allow us to show what we're doing, what we're about, and what identity means for us. And I'm looking forward to the conversation. It's always great to talk with you, Sam. We've been talking for a while now, and Mike, we're new friends but I think there's a bright future.
Mike Engle:
That's right. Yeah. And I'm Mike Engel, head of strategy and co-founder over here at 1Kosmos. So just real quick on 1Kosmos, we are an identity company. We'll get into a little bit more down the road here, but we'll prove anybody's identity and make it really easy to prove that over and over again, which you do that, it solves all kinds of problems, pretty much anywhere you're engaging with digital services, even in person.
So with that, let's jump in and get the show in the road here. We're talking about three really big challenges that impact us as we either build systems or even try to use them as end users. And the first is we have hundreds of ways that we engage with different systems, whether it's your computer, your phone, a website, government systems, it doesn't matter. It's pretty painful. The goal is to streamline that and make it consistent, repeatable, secure, of course.
And everybody's talking about passwordless. Let's go beyond just trying to solve passwordless on an application by application basis. You're seeing these great popups on this website, that website on your computer, on your phone. Let's unify that. Let's figure out a common way to do that across the enterprise and along the way if you do that right, we're going to talk about cost savings, the drivers, reduction of risk. Because of all this fragmentation you're seeing the scattered spider type stuff, just decimate companies. And so we're going to get into this a bit. So I'll start by asking, Sam, what are your thoughts on expanding the concept of ID beyond your SSO system or point solution X, Y, Z?
Sam Tang:
Yeah, as the geopolitical environment that we're in, there's a lot of focus on risk, safety and privacy. If you think of those three things, you got to cover more than just applications. As an industry, I think we've all been dealing with application access and provisioning and all that for a long time now, but it's going to expand to network infrastructure, cloud, physical locations, devices, and so on and so forth. As we're expanding the coverage of IAM, we need to consider those elements as well.
Mike Engle:
Right. And Max, what's the common theme as you think about new stuff that you need to deploy and what are some of the drivers for that?
Max Cope:
Well, exactly. I mean, A, you've hit on it. We are a very distributed and disparate organization in operating out of over 178 locations globally. A common authentication experience is very hard to come by but something that's on my Christmas list. Passwordless is a buzzword we've got every regulator known to man knocking on our door. Because of the countries we operate in, we have not just one set of regulators, but lots of sets of regulators and they say passwordless, but each one means a slightly different thing. And all of the internal drivers are around simplifying and reducing cost. And what you get is sometimes you get things like, "Hey, you guys are using Azure, so use Entra and that will give you that simplicity in that single common authentication." And then unfortunately, reality bytes and we end up with, we've got mainframes, we've got SQL databases, we've got apps that don't hook up to anything but are super critical for the operation of the business.
So for our strategy, when we have a common authentication experience, we've got to take all of these things into account. And it's not easy to come up with a single common approach to passwordless. Is it a pass key? Is it a certificate? What is it? What is that common approach? And actually a common approach in one place might not even legally be allowed in other places such as China. So when you operate in all these disparate environments, a single identity strategy is not maybe possible, but a number of streamlined identity strategies that drive that simplicity, extend the common authentication and bring a decent passwordless experience within the bounds of those geo-environments is potentially possible. But I think it's always going to be hard. And unless we have a common lexicon, we say, "This is what password means to us, this is what the common authentication gateway section is", then we're always going to be on an uphill struggle.
Mike Engle:
And I think that's a great point. Let's do that. Let's deconstruct what passwordless means. So I did a couple of things. Is passwordless the objective? I say no. It's almost like a feature. It's a byproduct of doing identity right. And so second line here, identity objective, it's a rhetorical question, but how do I cover all of my applications with identity? I mean, you can't do it overnight. And as I said in the intro, it doesn't matter if you're an employee or a customer, you're still you. How do you prove that every time? We're seeing tokens and authenticator this and at the end of the day, those things can be given to somebody else, which means you don't have zero trust and we don't want to kill our IT staff with product after product after product. So I went out and did a quick GPT of this.
We're going to talk about a couple of strategies of what it takes to introduce identity across an enterprise. And when I asked GPT and Claude, the two main competitors, you see all these different things come up. The legacy one-time code generators, they're calling themselves passwordless and that's why GPT-4 says one-time codes must be passwordless as well, so technically maybe. But I think if we start with what the success criteria would be, there's really some straightforward objectives that we all aspire to. And so Sam, if you would start with these four drivers. We've been talking about these for a long time, but what are you seeing for these objectives?
Sam Tang:
Yeah, thank you, Mike. And these four things, the objectives has done very well for us in driving justification as to why people spend money on cybersecurity and IAM. But what's emerging right now are three additional things I would like the audience to consider that's being asked of us now, cost, value and trust. And I'm not talking about zero trust, I'll explain that in a minute. And in terms of value and cost, what we have found is that everybody in the audience, I've been in this space for 30 years, I'm pretty confident by listening to Max. We've all been dealing with identities, credentials, passwords, and entitlements for quite a long time now. And we're still not in a place where we're truly optimized because we're still managing a lot. And on top of that, we're finding it very hard to actually allow our sponsors and leadership and they're asking for more justification now. How do you justify the spend and the cost associated to digital identity in IAM?
These three things actually, the cost, value, and trust, equate to two measurements, quantification measurement and maturity measurement. And the quantification wise is based on these four things, how can you justify what really is the cost savings or toss justification or what's the cost of not doing something? So there's always continued efforts in how we justify what we do on a day-to-day basis. But for maturity measurement, there's four other things that I like the audience to consider. And Mike, I've been speaking to you about four Rs, readiness, resiliency, realization, and also recovery and remediation.
And realization really is how much do you trust what you know about your environment? What data do you know about your environment? How much have you classified in your CMDB or your levels of access and readiness? How ready are you in event where there's another Covid? Are you really ready for it in your environment or M&A or business transaction? Are you ready? Resilience stays, how much do you really have control over the access to your devices, environments, physical locations, and so on, so forth. And then the recovery is how much trust do you have in the environment that you can recover from the events that you didn't anticipate. So really it's all about measurements and cost, value and trust.
Mike Engle:
Yeah, no, well said. And Max, how would you prioritize these as you think about these types of applications across HSBC's environment?
Max Cope:
So I mean, Sam's hit the nail on the head around the realization piece. I think that's probably one of the most important pieces for us because although we have highly complicated and highly regulated environments, what we also have are a lot of suppliers and third parties. And the risk around those is probably equally as great as our internal staff, trying to understand how their identities work, how we create B2B bridges to enable identity transfer, to be able to be sure that we're identifying the right people, the right place at the right time to allow the right access to the right system for the right thing. And on top of all of that, make sure that that is logged, monitored, assessed is exceedingly hard because you have to vet your suppliers, you have to vet the technology that you're using, you have to be ready to receive that technology. You have to be able to operate it.
So if we take a simple thing like pass keys, becoming mainstream norm for consumer type applications, but in the enterprise, there's very few people that are actually doing anything with actually enterprise grade pass keys right now because well, FIDO2, we're not entirely there yet with the enterprise level standard. And even if we were to adopt it, how do we then push that technology out? Is it going to be through Entra, is it going to be through a gateway, is it going to be through something like 1Kosmos? What does that mean for us and how do we scale that out? So we've got multiple dimensions to the sets of products issues that Sam's talking about.
Mike Engle:
Yeah. Yeah. And you mentioned an important standard in identity. I'm a big fan of standards as we really, the goal is to get rid of the password. And you mentioned FIDO, it stands for Fast Identity Online, was founded in 2013. A whole bunch of tech companies got together, Google, Apple, Microsoft, and 1Kosmos and 200 others. But there's a couple of standards that go together to make passwordless be verified with a real identity. And I want to call out NIST 800-63-3. It is the US government standard. This latest draft was out in 2017, and it is what nearly every organization is talking about. It says, "Here's how you prove who you are remotely." That's different in passwordless. And in order to do that, you need a biometric. I have to match my face. Mike Engel matches this real citizen or constituent identity.
And so that together and then issuing a FIDO authenticator or some other type of credential and making sure you have a chain of custody of the credential throughout its life. If I can give my YubiKey to somebody else, this whole thing breaks down. And so how do you back that up? It's with a verified identity, with a biometric. So a couple of standards that people are keeping their eyes on these days and the identity components are the first step is proving who you are remotely, verifying that data. So just because I have a license that says Mike Engel, do I live at that address, can I prove that I'm actually in possession of it and then assigning the credential? And it's really a subset of identity. Sam, your thoughts on this?
Sam Tang:
Yeah, something I want to touch on is the importance, not just verification, but continuous verification, just because someone is trustworthy in the industry or even in what data is available to vet the person, that's just because I'm trusted today doesn't mean that I'm trusted tomorrow, even a week later. And more importantly, what the trust factor and the verification is going to enable or emerging topics that people will talk about, which is privacy, I think you touched on for cross border access and classification of data as to what people can have access to or not, and also safety. How can you apply this technology to actually address privacy and safety as well?
Mike Engle:
Yeah. Max, are you guys keeping an eye on some of the standards and the concepts of proofing, obviously the organization your side it's a loaded question.
Max Cope:
Yeah, just a touch. So I mean, obviously we are subject to multi-jurisdictional KYC and AML, which applies on the customer side for all our CM-type identities, which we've got just shy of a billion identities under management. But actually for the staff side, it's a very different equation. And the reason for that is, again, the multi-jurisdictional bits and pieces. If we're in Europe, for instance, doing this proofing would mean that that would need to stay inside a European silo. Same applies for China, same applies for Singapore, Hong Kong. So where and how we would enact this would then become more difficult because we'd have silos of proofing and we'd have to go and check multiple sources of proofing across a user journey through the system.
And there's a large element of complexity driven by local regulation that is stopping us deploying some of this stuff. But in areas where we can deploy, this is something that we are looking at with a big lens at the moment because being able to have that continuous proofing is very important. But how we deploy that will also then depend on the technology stacks. So at the moment, you've got things like Windows Hello that can help you with the biometric pieces, but then stitching that together into FIDO compliant bits and pieces to deliver what you're talking about. Again, I think that's definitely on my Christmas list.
Mike Engle:
Yeah, yeah. Well, we're building a list as you go, so hopefully you don't get a bucket of coal at the end of that list. So we'll see. So as I mentioned, focusing on identity for us is obviously we can authenticate into anything, but the verified identity is really important. And where we're seeing our phone rang off the hook is in three areas. How do you know who you're hiring, whether it's an employee or a contractor, especially in the light of Covid, you heard stories about people having four jobs at the same time or proxy interviewing, I'm going to apply and put my cousin Vinny in the seat to do the interviewing 'cause he's better and then you show up for work, nobody knows any better.
So an example would be on interview, day one on talent acquisition, prove your identity, scan the license front back, here's a credential, can you show that to the next person, please? And we make that really simple. This is his first box. And then with, again, I mentioned scattered spider, when your employee database gets dumped, how do you verify remote callers? Because 90X percent of organizations use secrets. Well, all the secrets went out the door. And I spoke to an organization yesterday that has their employees holding up their employee badge like this and looking it at their face, this is what they've resorted to.
And we said, "Hold on a minute, I'm going to give you a button where you can press, put their phone number in, they'll proof in 60 seconds, and you'll get a green check mark", a hundred times more accurate than this and handles deep fix. And of course, Max, I mean you guys have massive KYC requirements as a regulated entity as well. So just these are things that are typically forgotten by the big box platform providers. They leave that to somebody else, it leaves a big hole for us to come in and we will talk about some of the techniques to get it out there as well. So we'll just move on on this one. I like to say Sam, I know you're a big fan of some of the remote proofing technologies. Anything to wrap up on this slide?
Sam Tang:
Yeah, the only thing I'll add here is that on the enterprise you have means to really detect JML. We always talk about JML, joiner, mover, lever. With an HR platform we can, and with the talent recruiting you can, but for the B2C and B2B use cases, you really don't have that. You don't have the luxury. So the proving I'm talking about, and the verification I'm talking about is more than just about the employee, it's about the consumer, it's about the merchant, it's about the third party and add on to the complexity, there's not just the identity risk, there's the third party risk as well. So the proving I'm talking about, the verification we're talking about is not just about identities, it's about everything that we need to do to control access to things.
Mike Engle:
Right. Yeah. And actually Max, I'd love your take on conditional access because the theme for the webinar here today is Continuous Identity Verification. So imagine if you could have some type of fraud signal or any condition before you get access to CyberArk, I want you to prove who it is. How much of a game changer would that be from your security posture perspective?
Max Cope:
Well, I think this goes back to the thing I touched on earlier, which is again, something that Sam talked about, which is your third parties. It would be high on the Christmas list because as it stands at the moment, understanding its making that link between the keyboard and the things that are doing the actions and the individual that are doing those actions via the device. So you can have very high certainty to a device, but between the device and the person, there's very low certainty as to who it is and being able to up that certainty so that you know whether or not someone's trying to use lifted credentials or anything like that, or you're being subject to a social engineering attack would be super helpful for just even a small percentage of the really sensitive and high priority stuff that we do.
Mike Engle:
Yeah, excellent. Thank you for that. So again, we're talking about some strategies here and common themes, first one being don't just focus on passwordless. But the other one is really making it easy to deploy, not only for the users. And you're seeing now, for example, out in the consumer world, FIDO is getting popular. You log into Best Buy here in the US and it says, "Would you like to get rid of your password?" People are going to say yes. And people are now trusting their face ID and touch IDs more and more. So we can extend that to the enterprise. And the common approach that you can either make easy or hard is how do you enroll people into it? So we call this coexistence, and this is an idea where you put the old alongside the new. So for example, on the right is PingFed, ID, username, password, some kind of token comes after this.
And so your existing a hundred thousand users can do this while the first user figures this out, and the first user will take about the same amount of time as your next 90,000 because you get your run books down and you start to figure out how to deprecate some of these legacy systems. So this has been really a game changer for us and our customers where we could say, "Listen, you don't have to change anything. Add the button." And that goes for Windows and Mac and web systems, et cetera. And in that same theme of making it easy to get is to allow self-service onboarding.
So Max, I'm sure in the banking industry, everybody, I used to have to go into a branch to open an account, everybody had to come into the office to become a new employee, but now you're allowing it remote, mostly self-service, obviously with lots of background checks and things like that. So this is an example of, hey, it goes viral. If I'm asking you guys, Max and Sam on our weekly management call, "Hey, did you guys get rid of your passwords yet?" You're like, "What do you mean?" "Well you knucklehead, just go scan the QR code and self-enroll." So making it that easy is really critical as one of the steps. The question for Max, how much is user experience a priority for you as you roll out new systems for either employees or consumers?
Max Cope:
I would say it's absolutely critical. I don't think any kind of large scale identity program would succeed without it. And the reason for that is that we have proven time and time again that large scale migrations and forcing user populations to move to something new is expensive, error-prone, constantly changing the run book, things always crop up. It's never entirely thought through. And there are always, always gaps and problems. Whereas doing it like this, making it easier, ironing out a lot of the problems upfront and having something that allows the user to make a choice on their timeline just drives adoption. It drives that adoption because they want to do it because their mates done it and somebody else has done it. And, "Oh, look, I can get slightly better services quicker and easier if I do this and I can see other people around me doing it." And it gives them the confidence. Whereas even though there's no technical difference in doing a forced migration and just taking them through it, it's about that buy-in and that adoption. And if you have that buy-in and adoption, you end up with a more successful program.
Mike Engle:
Yeah. Sam, your thoughts?
Sam Tang:
Yeah, spot on Max. I mean, end user experience truly enables business adoption. And without business adoption, you're probably not going to get funding for your program. So it goes hand in hand with user experience. But going back to Mike, what you said about 863, if you look at that spec, there's a lot of conversation around allowing people to classify the information that they can share, self sovereignty. So without a simple end user experience, self sovereignty is probably not likely to be as small.
Mike Engle:
Yeah. Imagine if you... I'm sure at E&Y, if you go to one of your clients and say, "I just need to add four buttons to your customer signup process", it'd be like, "Okay, pack your things, you're out of here." So yeah, it's the same thing. You want people to enjoy using your systems, don't put them through hoops. I deployed my first secure ID server in the nineties, and oh my god, the friction, it was as bad as when I had to enable swipe out of the building at the turnstiles. People are bouncing off the turnstiles. So yeah, this goes way back. So no, thanks for your thoughts there. So we've covered two strategies. The third, I'm going to preface this, and I didn't talk to Max or Sam about this, but what is one of the biggest challenges when you try to get rid of passwords? I'll throw it out there, but it's the fact that you don't know your password anymore. How long is it going to take a Fortune 100 organization to get rid of passwords? What do you guys think?
Sam Tang:
Max, you want to give it a shot?
Mike Engle:
All passwords.
Max Cope:
I mean, I'm going to say not in my lifetime, hence I have pretty good evidence for that. We've got these funny things called mainframes, they really don't like working without passwords.
Mike Engle:
Yeah, yeah. No, that's exactly it. So it's actually all over Microsoft's like Windows Hello and Authenticator documentation. Be careful, if you let somebody go without passwords for 90 or 180 days, great, congratulations, high five. But on day 181, or even you make them rotate their password or they hit that legacy HR benefits system that hasn't been migrated, you just created a disaster. And so part of a successful passwordless deployment is to find better ways to support the password when you need it. And so we got a button here, it's like a smack your head against the glass button. Yeah, all right, I need it. Press the button, do your biometrics and reset it.
And so it's obvious once you hear it, but people think that, oh, if I roll out passwordless I'm good. It's not the case. And how many times have you heard this is for both of you guys, just use your phone for everything. Well, some people can't use a phone. Some people won't. It's illegal to make people use a phone in some countries or some states here in the US. So you need multiple modalities as part of the strategy. Max, I'm sure I'm preaching to the choir in this one.
Max Cope:
A hundred percent. So I mean we have exactly that issue. Well, we've got two things, right? We've got trading floors. You're not taking a phone on one of those and you're certainly not going to be scanning a QR code or using your biometrics for that. We've got areas and jurisdictions, even like for Germany for instance, on how you identify and manage user identity. It's not easy. So all of the things that you're talking about that, everything runs at a different velocity, but you need to cater for all velocities at all times. And therefore you're always going to have something that either requires a password or you need a way back or you need to do something and then you need to make sure that your help desk is spun up. You've got people who can actually understand those processes. There's still a whole load of wrap around the outside. It doesn't matter how cool the tech is if you don't have that right support wrap around the outside.
Mike Engle:
Oh, great. Yeah. Sam, I know you have a lot to say on this one 'cause you've told me.
Sam Tang:
Yeah. This close to my heart, this has been a pet peeve of mine as to why we've been managing physical access and access separately. And those two environments typically don't even talk to each other. So having a phone is not the answer for everything because there's always going to be restricted areas where a phone is not allowed. Manufacturing sites and highly sensitive areas like energy locations and so on and so forth. And there's techniques to use password certification to actually address it.
And by the way, I'm going to throw this out there. Having a physical wearable device like the UV key is not going to answer all your questions as well. So if there's always going to be shared workstation that you have to address and using technologies like this and combine it with physical access, I think it's going to give you the power that you need in order for you to manage physical access to things like turnstiles, to forklifts, even for financial institutions or ATM machines and so on and so forth. So again, without this strategy, it's going to cause a lot of friction when people want to modernize.
Mike Engle:
And physical access is one of the classic examples that's been used in biometrics for 20, 30 years. You get proofed by your physical security, you got a picture, goes into a database, sometimes people look at it and you're seeing more and more biometric readers get put at turnstiles and data centers and locked cabinets and all those things. Windows Hello, right, making its push out. Apple's touch ID, face ID, et cetera.
Mike Engle:
Should we put a new fax machine on your Christmas list as well?
Max Cope:
Yes, absolutely. Why not make it color this time? It'll be fun.
Mike Engle:
Okay, we can do that. All right, cool. No, thanks for that. So we're on strategy four, the last one, and we'll slide into the end of the presentation here with ROI, user experience. We talked a lot about the UX, but measuring the success of any program I think is top of mind. You can't just say we're kicking it off and then not check in on it later. So there's a couple of metrics that we focus on on day one, and this is examples of you have password resets, there's the legacy applications which costs 1, 3, 5, $10 per user per month. There's hardware tokens, and then there's the IT staff to manage all that, those seven separate identity platforms. So Max, I think I'll start with you on this one, how do you balance what the business thinks, wants, and then how do you measure the success of it as they take it on?
Max Cope:
So that is a key thing. The cost of any change that we make will be intensely measured by our finance colleagues, but it will also be intensely measured by the users themselves who will have absolutely no qualms in telling you how they feel about it. So what you end up with is you end up with two really good metrics. You have a metric of cost, where for the money that we save, have we achieved the ROI and how does that ROI get measured against? It's measured partly through the help desk and whether or not we're getting those resets, but then it's also in costs of other things. The opportunity cost of putting in what we've put in has taken out a cost somewhere else. And now we've realized that cost because we absolutely don't need that other thing that we had.
So there's two finance metrics there and then obviously there's the user feedback forums, which are generally a, "Hey, this thing's amazing, we love it", or "Oh my God, just take this out of my life, just please, I don't like it. It's new." There is a very negative ROI on negative feedback and there's a positive ROI on positive feedback. So we work on those three metrics. We have user feedback, we have help desk reduction cost feedback, and then we have opportunity cost through finance and that's how we pick those things. And like Sam said, that gives us that justification for the next project.
Mike Engle:
Yeah, and Sam, I threw this up here a second ago, but could you touch on the justifications that you'll cover when you're working with clients on this stuff?
Sam Tang:
Yeah, and Max, spot on again, and I'm going to couple what I asked earlier about quantification of cost and it's associated to what the value it's gained and the way that people would need to think about this. It's not just about the technology, it's about I'm from EY, so if I don't say people, process and technology at least once in my presentation, that means I have failed, but I'm going to add on data as well. So every step of the way, so this is not a one-time thing, this has got to be a recurring thing. And what I've been telling my clients, you've got to do this twice a year. How much money are you spending on the management of your identities? How much money are you spending on your credentials across people, process, technology, and also entitlements?
We've all been dealing with passwords for the past 30 years, and I'm hoping before I retire I can see in three to five year time, here's my goal for a lot of my clients. What if you are able to get to reduce 90% of dependencies on passwords. What would you think that the ROI is? If you go across what it takes to manage people, process, technology and data across just those two things alone, the number is extremely high.
Mike Engle:
Yeah, no, I'll throw out a real world use case, and this is a public testimonial from the CSO for Vodafone. We happen, right time, right place, they asked if we could help them go passwordless for remote access to deprecate a one-time code generating product, to mention who. And we had... No, I mean, there's a couple of them out there. It was a three-week go live from the time we started really talking to them and we did it. And if you go to 1Kosmos Insights testimonials, you'll see that out there. But here's the cool part. So we did that.
Now, the cost of deprecating that old product and the 11 seconds average control, delete whatever login time, go fetch the code, saved over those users over the course of a year, you put the whole thing together and they're saving millions of dollars. So yeah, it's out there to be had and if you measure it, you can manage it properly and take credit for it as you're doing it along the way. So I'm sure there's just some levers that you'll pull on with your clients as well, Sam. So an example of this, just ask your customers how much they like logging in today.
Dear remote access or Windows user, how much do you like logging in today? And then ask them three months after the deployment and you get a one to 10, you get a one, you'll get an eight, you'll get a nine. And this is an example of just a very simple question that we will make sure our customers get asked. They ask their end users as part of the deployment, "Did you have any issues registering for passwordless?" And so another one is, "Did it make it easier, yes or no?" So we'll get high eighties into low nineties. Some people are sticklers for passwords, but they'll come around pretty quickly.
So just a couple questions here. I think we've about done it, if you have any closing thoughts, but I got a couple questions here that have come in. Sam, I'll field this one to you first. When you think about identity, and I'm paraphrasing here a bit on the question, but passwordless is obviously one component. Where do you see, you mentioned verifiable credentials and other identity constructs like that having an important role for organizations?
Sam Tang:
So I personally feel using a password to log into anything, it's only because people have not really addressed the real problem. I think Max, you touched on this earlier, conditional access. So access to things. What if you flipped it on its head? What if you gave everybody access? It really depends on what you're authorized to, even if you log in, if you're not authorized to anything, what is the real harm of giving people access to a device? So my last statement here, my closing thought, is really focus on understanding what your environment is, where you're spending money on, start patronizing as to what the usage patterns are to the services that people are accessing, and stop worrying about how people gain access to things. If you have passwordless, you shouldn't have to worry about passwords and allow that technology to just allow you to think about how to really control what people have access to based on the 863 spec for assurance lines. So that's my last statement there.
Mike Engle:
Yeah, I'll expand on that just real quickly. What we're seeing, because we have a verifiable credential engine of the hood and you see Microsoft with renaming their entire product to Entra and having verifiable credentials at the heart. So it is an up and coming, it's going to take years to get out there, just like chip and pin on credit cards took us 10 years here in the US but it's coming. And so when you need your employee identity or your customer identity or your bank identity to be used out in the industry, verifiable credentials is the way. So again, it's not just about getting rid of the password. If you have a verifiable credential, there is no password, but it's just part of the mix. And the last question here, biometrics are all the rage, either pro or con. There's deep fakes, there's Tom Cruise videos circulating the internet.
How do you think about biometrics and do them right? And this is really a question for all three of us. I think it's TBD. Well, the first step is never store a face in a database that even your admins can get to. That's just like you need this privacy by design approach. Max, over to you. You mentioned a little bit about the legality. I'm sure the way you would do identity in Singapore is much different than Germany or Italy where you can't even have a camera on a cashier, because their face could be in view.
Max Cope:
Yep. You are not wrong. We have, I think you could call it multiple strategies for this. And there's also obviously multiple biometrics. It depends on how far down the line of biometrics you want to go. But you've got full body biometrics, you've got gait biometrics, you've got facial biometrics, you've got fingerprints and hand prints. You've got all sorts of mad things that form a biometric, from your voice and your eyes and your face to pretty much everything that makes up you to other things that are the way that you do something, all of which have a different cadence of some form of regulation against them. And when you work in a highly regulated environment, we could probably enforce something in certain areas, but it would never be consistent. And actually to have a good solid identity program, it's got to be consistent, reliable, and repeatable.
If it isn't any of those things, then you've got a great silo of something, but you can't then use that as the benchmark or the guarantee for the next thing that you want to do. So for me, verified credentials, banked by some form of government organization would be super useful in terms of onboarding, but maybe not very useful in terms of day-to-day access and control. And like Sam's talking about, we are in a world where we're doing a bit of shift left from authentication, which is now super easy and very commoditized to authorization, which is now coming of age a little bit. And we're talking now not just about, "Hey, my authorization hangs on, I'm a member of a group on NAD." And then that group's been tied to a set of permissions in an application, but rather a real time check of should Sam be having access to this thing at this time from this device in this location?
And the answer is no, he's on holiday and he really shouldn't be checking his email. So it's moving towards that policy-based access control driven by a set of different things that are also potentially, include biometrics, is absolutely key. And how you then keep those things, how you make that authorization real time is now very dependent because then you have to keep a load of stuff. So what you end up doing is profiling your users, which in most parts of Europe you're not allowed to do. So as much as it would be a great nirvana to have from a security point of view for us to keep our customers and our systems safe, there's actually very hard limits on what we can and can't do to move towards that.
Mike Engle:
Yeah, yeah. Proceed carefully for sure. You get yourself in legal trouble pretty quickly. In the US we have the State of Illinois put out laws called BIPA and they're suing everybody who's captured a face and hasn't used it even just a little bit right. So yeah, tread carefully there, run it by legal and all those great things. So I think we've about done it. I really appreciate you guys coming on here. We'll give people a few minutes to get a break between their back-to-back meetings these days. Max, really good luck with your Christmas list. I'd managed to capture a couple of the elements here for you, right? So single log on experience, conditional access, and a new fax machine in color. And Sam, I think yours is just no volcano eruptions, right?
Sam Tang:
Thank you.
Mike Engle:
I think then we will have done it. But any closing remarks? Just wish everybody a happy holiday.
Sam Tang:
Yeah, happy holidays everyone.
Max Cope:
Yeah, absolutely. Have a fantastic time in whatever it is you're doing.
Mike Engle:
Yeah, thank you so much for joining. Thanks everybody for attending the webinar and a recording of this will be sent out to everybody who registered and it'll be posted on our website in the coming days. So if you're seeing this after, then thanks for joining a second time. All right.
Sam Tang:
Thank you everyone. Thank you Mike.
Thanks everybody for joining. We're here today to talk about all kinds of identity constructs mostly in the workforce. I'm sure we'll have some tangents because identity is identity, whether you're an employee, a consumer, citizen, customer, it doesn't matter. And I'm joined today by two esteemed giants in the industry. Good longtime friend, Sam Tang. You want to say hi Sam and introduce yourself?
Sam Tang:
Hello everyone. Happy holidays. Thank you, EY. Thanks 1Kosmos for hosting this session. Very excited and also very privileged to be speaking with you and Max at the same time as you guys are industry powerhouses. So thank you very much.
Mike Engle:
You're making me blush and Max.
Max Cope:
Yeah, hi. Well, look, I'd like to say thank everyone for coming to the webinar and thank you Mike and Sam for the opportunity to allow us to show what we're doing, what we're about, and what identity means for us. And I'm looking forward to the conversation. It's always great to talk with you, Sam. We've been talking for a while now, and Mike, we're new friends but I think there's a bright future.
Mike Engle:
That's right. Yeah. And I'm Mike Engel, head of strategy and co-founder over here at 1Kosmos. So just real quick on 1Kosmos, we are an identity company. We'll get into a little bit more down the road here, but we'll prove anybody's identity and make it really easy to prove that over and over again, which you do that, it solves all kinds of problems, pretty much anywhere you're engaging with digital services, even in person.
So with that, let's jump in and get the show in the road here. We're talking about three really big challenges that impact us as we either build systems or even try to use them as end users. And the first is we have hundreds of ways that we engage with different systems, whether it's your computer, your phone, a website, government systems, it doesn't matter. It's pretty painful. The goal is to streamline that and make it consistent, repeatable, secure, of course.
And everybody's talking about passwordless. Let's go beyond just trying to solve passwordless on an application by application basis. You're seeing these great popups on this website, that website on your computer, on your phone. Let's unify that. Let's figure out a common way to do that across the enterprise and along the way if you do that right, we're going to talk about cost savings, the drivers, reduction of risk. Because of all this fragmentation you're seeing the scattered spider type stuff, just decimate companies. And so we're going to get into this a bit. So I'll start by asking, Sam, what are your thoughts on expanding the concept of ID beyond your SSO system or point solution X, Y, Z?
Sam Tang:
Yeah, as the geopolitical environment that we're in, there's a lot of focus on risk, safety and privacy. If you think of those three things, you got to cover more than just applications. As an industry, I think we've all been dealing with application access and provisioning and all that for a long time now, but it's going to expand to network infrastructure, cloud, physical locations, devices, and so on and so forth. As we're expanding the coverage of IAM, we need to consider those elements as well.
Mike Engle:
Right. And Max, what's the common theme as you think about new stuff that you need to deploy and what are some of the drivers for that?
Max Cope:
Well, exactly. I mean, A, you've hit on it. We are a very distributed and disparate organization in operating out of over 178 locations globally. A common authentication experience is very hard to come by but something that's on my Christmas list. Passwordless is a buzzword we've got every regulator known to man knocking on our door. Because of the countries we operate in, we have not just one set of regulators, but lots of sets of regulators and they say passwordless, but each one means a slightly different thing. And all of the internal drivers are around simplifying and reducing cost. And what you get is sometimes you get things like, "Hey, you guys are using Azure, so use Entra and that will give you that simplicity in that single common authentication." And then unfortunately, reality bytes and we end up with, we've got mainframes, we've got SQL databases, we've got apps that don't hook up to anything but are super critical for the operation of the business.
So for our strategy, when we have a common authentication experience, we've got to take all of these things into account. And it's not easy to come up with a single common approach to passwordless. Is it a pass key? Is it a certificate? What is it? What is that common approach? And actually a common approach in one place might not even legally be allowed in other places such as China. So when you operate in all these disparate environments, a single identity strategy is not maybe possible, but a number of streamlined identity strategies that drive that simplicity, extend the common authentication and bring a decent passwordless experience within the bounds of those geo-environments is potentially possible. But I think it's always going to be hard. And unless we have a common lexicon, we say, "This is what password means to us, this is what the common authentication gateway section is", then we're always going to be on an uphill struggle.
Mike Engle:
And I think that's a great point. Let's do that. Let's deconstruct what passwordless means. So I did a couple of things. Is passwordless the objective? I say no. It's almost like a feature. It's a byproduct of doing identity right. And so second line here, identity objective, it's a rhetorical question, but how do I cover all of my applications with identity? I mean, you can't do it overnight. And as I said in the intro, it doesn't matter if you're an employee or a customer, you're still you. How do you prove that every time? We're seeing tokens and authenticator this and at the end of the day, those things can be given to somebody else, which means you don't have zero trust and we don't want to kill our IT staff with product after product after product. So I went out and did a quick GPT of this.
We're going to talk about a couple of strategies of what it takes to introduce identity across an enterprise. And when I asked GPT and Claude, the two main competitors, you see all these different things come up. The legacy one-time code generators, they're calling themselves passwordless and that's why GPT-4 says one-time codes must be passwordless as well, so technically maybe. But I think if we start with what the success criteria would be, there's really some straightforward objectives that we all aspire to. And so Sam, if you would start with these four drivers. We've been talking about these for a long time, but what are you seeing for these objectives?
Sam Tang:
Yeah, thank you, Mike. And these four things, the objectives has done very well for us in driving justification as to why people spend money on cybersecurity and IAM. But what's emerging right now are three additional things I would like the audience to consider that's being asked of us now, cost, value and trust. And I'm not talking about zero trust, I'll explain that in a minute. And in terms of value and cost, what we have found is that everybody in the audience, I've been in this space for 30 years, I'm pretty confident by listening to Max. We've all been dealing with identities, credentials, passwords, and entitlements for quite a long time now. And we're still not in a place where we're truly optimized because we're still managing a lot. And on top of that, we're finding it very hard to actually allow our sponsors and leadership and they're asking for more justification now. How do you justify the spend and the cost associated to digital identity in IAM?
These three things actually, the cost, value, and trust, equate to two measurements, quantification measurement and maturity measurement. And the quantification wise is based on these four things, how can you justify what really is the cost savings or toss justification or what's the cost of not doing something? So there's always continued efforts in how we justify what we do on a day-to-day basis. But for maturity measurement, there's four other things that I like the audience to consider. And Mike, I've been speaking to you about four Rs, readiness, resiliency, realization, and also recovery and remediation.
And realization really is how much do you trust what you know about your environment? What data do you know about your environment? How much have you classified in your CMDB or your levels of access and readiness? How ready are you in event where there's another Covid? Are you really ready for it in your environment or M&A or business transaction? Are you ready? Resilience stays, how much do you really have control over the access to your devices, environments, physical locations, and so on, so forth. And then the recovery is how much trust do you have in the environment that you can recover from the events that you didn't anticipate. So really it's all about measurements and cost, value and trust.
Mike Engle:
Yeah, no, well said. And Max, how would you prioritize these as you think about these types of applications across HSBC's environment?
Max Cope:
So I mean, Sam's hit the nail on the head around the realization piece. I think that's probably one of the most important pieces for us because although we have highly complicated and highly regulated environments, what we also have are a lot of suppliers and third parties. And the risk around those is probably equally as great as our internal staff, trying to understand how their identities work, how we create B2B bridges to enable identity transfer, to be able to be sure that we're identifying the right people, the right place at the right time to allow the right access to the right system for the right thing. And on top of all of that, make sure that that is logged, monitored, assessed is exceedingly hard because you have to vet your suppliers, you have to vet the technology that you're using, you have to be ready to receive that technology. You have to be able to operate it.
So if we take a simple thing like pass keys, becoming mainstream norm for consumer type applications, but in the enterprise, there's very few people that are actually doing anything with actually enterprise grade pass keys right now because well, FIDO2, we're not entirely there yet with the enterprise level standard. And even if we were to adopt it, how do we then push that technology out? Is it going to be through Entra, is it going to be through a gateway, is it going to be through something like 1Kosmos? What does that mean for us and how do we scale that out? So we've got multiple dimensions to the sets of products issues that Sam's talking about.
Mike Engle:
Yeah. Yeah. And you mentioned an important standard in identity. I'm a big fan of standards as we really, the goal is to get rid of the password. And you mentioned FIDO, it stands for Fast Identity Online, was founded in 2013. A whole bunch of tech companies got together, Google, Apple, Microsoft, and 1Kosmos and 200 others. But there's a couple of standards that go together to make passwordless be verified with a real identity. And I want to call out NIST 800-63-3. It is the US government standard. This latest draft was out in 2017, and it is what nearly every organization is talking about. It says, "Here's how you prove who you are remotely." That's different in passwordless. And in order to do that, you need a biometric. I have to match my face. Mike Engel matches this real citizen or constituent identity.
And so that together and then issuing a FIDO authenticator or some other type of credential and making sure you have a chain of custody of the credential throughout its life. If I can give my YubiKey to somebody else, this whole thing breaks down. And so how do you back that up? It's with a verified identity, with a biometric. So a couple of standards that people are keeping their eyes on these days and the identity components are the first step is proving who you are remotely, verifying that data. So just because I have a license that says Mike Engel, do I live at that address, can I prove that I'm actually in possession of it and then assigning the credential? And it's really a subset of identity. Sam, your thoughts on this?
Sam Tang:
Yeah, something I want to touch on is the importance, not just verification, but continuous verification, just because someone is trustworthy in the industry or even in what data is available to vet the person, that's just because I'm trusted today doesn't mean that I'm trusted tomorrow, even a week later. And more importantly, what the trust factor and the verification is going to enable or emerging topics that people will talk about, which is privacy, I think you touched on for cross border access and classification of data as to what people can have access to or not, and also safety. How can you apply this technology to actually address privacy and safety as well?
Mike Engle:
Yeah. Max, are you guys keeping an eye on some of the standards and the concepts of proofing, obviously the organization your side it's a loaded question.
Max Cope:
Yeah, just a touch. So I mean, obviously we are subject to multi-jurisdictional KYC and AML, which applies on the customer side for all our CM-type identities, which we've got just shy of a billion identities under management. But actually for the staff side, it's a very different equation. And the reason for that is, again, the multi-jurisdictional bits and pieces. If we're in Europe, for instance, doing this proofing would mean that that would need to stay inside a European silo. Same applies for China, same applies for Singapore, Hong Kong. So where and how we would enact this would then become more difficult because we'd have silos of proofing and we'd have to go and check multiple sources of proofing across a user journey through the system.
And there's a large element of complexity driven by local regulation that is stopping us deploying some of this stuff. But in areas where we can deploy, this is something that we are looking at with a big lens at the moment because being able to have that continuous proofing is very important. But how we deploy that will also then depend on the technology stacks. So at the moment, you've got things like Windows Hello that can help you with the biometric pieces, but then stitching that together into FIDO compliant bits and pieces to deliver what you're talking about. Again, I think that's definitely on my Christmas list.
Mike Engle:
Yeah, yeah. Well, we're building a list as you go, so hopefully you don't get a bucket of coal at the end of that list. So we'll see. So as I mentioned, focusing on identity for us is obviously we can authenticate into anything, but the verified identity is really important. And where we're seeing our phone rang off the hook is in three areas. How do you know who you're hiring, whether it's an employee or a contractor, especially in the light of Covid, you heard stories about people having four jobs at the same time or proxy interviewing, I'm going to apply and put my cousin Vinny in the seat to do the interviewing 'cause he's better and then you show up for work, nobody knows any better.
So an example would be on interview, day one on talent acquisition, prove your identity, scan the license front back, here's a credential, can you show that to the next person, please? And we make that really simple. This is his first box. And then with, again, I mentioned scattered spider, when your employee database gets dumped, how do you verify remote callers? Because 90X percent of organizations use secrets. Well, all the secrets went out the door. And I spoke to an organization yesterday that has their employees holding up their employee badge like this and looking it at their face, this is what they've resorted to.
And we said, "Hold on a minute, I'm going to give you a button where you can press, put their phone number in, they'll proof in 60 seconds, and you'll get a green check mark", a hundred times more accurate than this and handles deep fix. And of course, Max, I mean you guys have massive KYC requirements as a regulated entity as well. So just these are things that are typically forgotten by the big box platform providers. They leave that to somebody else, it leaves a big hole for us to come in and we will talk about some of the techniques to get it out there as well. So we'll just move on on this one. I like to say Sam, I know you're a big fan of some of the remote proofing technologies. Anything to wrap up on this slide?
Sam Tang:
Yeah, the only thing I'll add here is that on the enterprise you have means to really detect JML. We always talk about JML, joiner, mover, lever. With an HR platform we can, and with the talent recruiting you can, but for the B2C and B2B use cases, you really don't have that. You don't have the luxury. So the proving I'm talking about, and the verification I'm talking about is more than just about the employee, it's about the consumer, it's about the merchant, it's about the third party and add on to the complexity, there's not just the identity risk, there's the third party risk as well. So the proving I'm talking about, the verification we're talking about is not just about identities, it's about everything that we need to do to control access to things.
Mike Engle:
Right. Yeah. And actually Max, I'd love your take on conditional access because the theme for the webinar here today is Continuous Identity Verification. So imagine if you could have some type of fraud signal or any condition before you get access to CyberArk, I want you to prove who it is. How much of a game changer would that be from your security posture perspective?
Max Cope:
Well, I think this goes back to the thing I touched on earlier, which is again, something that Sam talked about, which is your third parties. It would be high on the Christmas list because as it stands at the moment, understanding its making that link between the keyboard and the things that are doing the actions and the individual that are doing those actions via the device. So you can have very high certainty to a device, but between the device and the person, there's very low certainty as to who it is and being able to up that certainty so that you know whether or not someone's trying to use lifted credentials or anything like that, or you're being subject to a social engineering attack would be super helpful for just even a small percentage of the really sensitive and high priority stuff that we do.
Mike Engle:
Yeah, excellent. Thank you for that. So again, we're talking about some strategies here and common themes, first one being don't just focus on passwordless. But the other one is really making it easy to deploy, not only for the users. And you're seeing now, for example, out in the consumer world, FIDO is getting popular. You log into Best Buy here in the US and it says, "Would you like to get rid of your password?" People are going to say yes. And people are now trusting their face ID and touch IDs more and more. So we can extend that to the enterprise. And the common approach that you can either make easy or hard is how do you enroll people into it? So we call this coexistence, and this is an idea where you put the old alongside the new. So for example, on the right is PingFed, ID, username, password, some kind of token comes after this.
And so your existing a hundred thousand users can do this while the first user figures this out, and the first user will take about the same amount of time as your next 90,000 because you get your run books down and you start to figure out how to deprecate some of these legacy systems. So this has been really a game changer for us and our customers where we could say, "Listen, you don't have to change anything. Add the button." And that goes for Windows and Mac and web systems, et cetera. And in that same theme of making it easy to get is to allow self-service onboarding.
So Max, I'm sure in the banking industry, everybody, I used to have to go into a branch to open an account, everybody had to come into the office to become a new employee, but now you're allowing it remote, mostly self-service, obviously with lots of background checks and things like that. So this is an example of, hey, it goes viral. If I'm asking you guys, Max and Sam on our weekly management call, "Hey, did you guys get rid of your passwords yet?" You're like, "What do you mean?" "Well you knucklehead, just go scan the QR code and self-enroll." So making it that easy is really critical as one of the steps. The question for Max, how much is user experience a priority for you as you roll out new systems for either employees or consumers?
Max Cope:
I would say it's absolutely critical. I don't think any kind of large scale identity program would succeed without it. And the reason for that is that we have proven time and time again that large scale migrations and forcing user populations to move to something new is expensive, error-prone, constantly changing the run book, things always crop up. It's never entirely thought through. And there are always, always gaps and problems. Whereas doing it like this, making it easier, ironing out a lot of the problems upfront and having something that allows the user to make a choice on their timeline just drives adoption. It drives that adoption because they want to do it because their mates done it and somebody else has done it. And, "Oh, look, I can get slightly better services quicker and easier if I do this and I can see other people around me doing it." And it gives them the confidence. Whereas even though there's no technical difference in doing a forced migration and just taking them through it, it's about that buy-in and that adoption. And if you have that buy-in and adoption, you end up with a more successful program.
Mike Engle:
Yeah. Sam, your thoughts?
Sam Tang:
Yeah, spot on Max. I mean, end user experience truly enables business adoption. And without business adoption, you're probably not going to get funding for your program. So it goes hand in hand with user experience. But going back to Mike, what you said about 863, if you look at that spec, there's a lot of conversation around allowing people to classify the information that they can share, self sovereignty. So without a simple end user experience, self sovereignty is probably not likely to be as small.
Mike Engle:
Yeah. Imagine if you... I'm sure at E&Y, if you go to one of your clients and say, "I just need to add four buttons to your customer signup process", it'd be like, "Okay, pack your things, you're out of here." So yeah, it's the same thing. You want people to enjoy using your systems, don't put them through hoops. I deployed my first secure ID server in the nineties, and oh my god, the friction, it was as bad as when I had to enable swipe out of the building at the turnstiles. People are bouncing off the turnstiles. So yeah, this goes way back. So no, thanks for your thoughts there. So we've covered two strategies. The third, I'm going to preface this, and I didn't talk to Max or Sam about this, but what is one of the biggest challenges when you try to get rid of passwords? I'll throw it out there, but it's the fact that you don't know your password anymore. How long is it going to take a Fortune 100 organization to get rid of passwords? What do you guys think?
Sam Tang:
Max, you want to give it a shot?
Mike Engle:
All passwords.
Max Cope:
I mean, I'm going to say not in my lifetime, hence I have pretty good evidence for that. We've got these funny things called mainframes, they really don't like working without passwords.
Mike Engle:
Yeah, yeah. No, that's exactly it. So it's actually all over Microsoft's like Windows Hello and Authenticator documentation. Be careful, if you let somebody go without passwords for 90 or 180 days, great, congratulations, high five. But on day 181, or even you make them rotate their password or they hit that legacy HR benefits system that hasn't been migrated, you just created a disaster. And so part of a successful passwordless deployment is to find better ways to support the password when you need it. And so we got a button here, it's like a smack your head against the glass button. Yeah, all right, I need it. Press the button, do your biometrics and reset it.
And so it's obvious once you hear it, but people think that, oh, if I roll out passwordless I'm good. It's not the case. And how many times have you heard this is for both of you guys, just use your phone for everything. Well, some people can't use a phone. Some people won't. It's illegal to make people use a phone in some countries or some states here in the US. So you need multiple modalities as part of the strategy. Max, I'm sure I'm preaching to the choir in this one.
Max Cope:
A hundred percent. So I mean we have exactly that issue. Well, we've got two things, right? We've got trading floors. You're not taking a phone on one of those and you're certainly not going to be scanning a QR code or using your biometrics for that. We've got areas and jurisdictions, even like for Germany for instance, on how you identify and manage user identity. It's not easy. So all of the things that you're talking about that, everything runs at a different velocity, but you need to cater for all velocities at all times. And therefore you're always going to have something that either requires a password or you need a way back or you need to do something and then you need to make sure that your help desk is spun up. You've got people who can actually understand those processes. There's still a whole load of wrap around the outside. It doesn't matter how cool the tech is if you don't have that right support wrap around the outside.
Mike Engle:
Oh, great. Yeah. Sam, I know you have a lot to say on this one 'cause you've told me.
Sam Tang:
Yeah. This close to my heart, this has been a pet peeve of mine as to why we've been managing physical access and access separately. And those two environments typically don't even talk to each other. So having a phone is not the answer for everything because there's always going to be restricted areas where a phone is not allowed. Manufacturing sites and highly sensitive areas like energy locations and so on and so forth. And there's techniques to use password certification to actually address it.
And by the way, I'm going to throw this out there. Having a physical wearable device like the UV key is not going to answer all your questions as well. So if there's always going to be shared workstation that you have to address and using technologies like this and combine it with physical access, I think it's going to give you the power that you need in order for you to manage physical access to things like turnstiles, to forklifts, even for financial institutions or ATM machines and so on and so forth. So again, without this strategy, it's going to cause a lot of friction when people want to modernize.
Mike Engle:
And physical access is one of the classic examples that's been used in biometrics for 20, 30 years. You get proofed by your physical security, you got a picture, goes into a database, sometimes people look at it and you're seeing more and more biometric readers get put at turnstiles and data centers and locked cabinets and all those things. Windows Hello, right, making its push out. Apple's touch ID, face ID, et cetera.
Mike Engle:
Should we put a new fax machine on your Christmas list as well?
Max Cope:
Yes, absolutely. Why not make it color this time? It'll be fun.
Mike Engle:
Okay, we can do that. All right, cool. No, thanks for that. So we're on strategy four, the last one, and we'll slide into the end of the presentation here with ROI, user experience. We talked a lot about the UX, but measuring the success of any program I think is top of mind. You can't just say we're kicking it off and then not check in on it later. So there's a couple of metrics that we focus on on day one, and this is examples of you have password resets, there's the legacy applications which costs 1, 3, 5, $10 per user per month. There's hardware tokens, and then there's the IT staff to manage all that, those seven separate identity platforms. So Max, I think I'll start with you on this one, how do you balance what the business thinks, wants, and then how do you measure the success of it as they take it on?
Max Cope:
So that is a key thing. The cost of any change that we make will be intensely measured by our finance colleagues, but it will also be intensely measured by the users themselves who will have absolutely no qualms in telling you how they feel about it. So what you end up with is you end up with two really good metrics. You have a metric of cost, where for the money that we save, have we achieved the ROI and how does that ROI get measured against? It's measured partly through the help desk and whether or not we're getting those resets, but then it's also in costs of other things. The opportunity cost of putting in what we've put in has taken out a cost somewhere else. And now we've realized that cost because we absolutely don't need that other thing that we had.
So there's two finance metrics there and then obviously there's the user feedback forums, which are generally a, "Hey, this thing's amazing, we love it", or "Oh my God, just take this out of my life, just please, I don't like it. It's new." There is a very negative ROI on negative feedback and there's a positive ROI on positive feedback. So we work on those three metrics. We have user feedback, we have help desk reduction cost feedback, and then we have opportunity cost through finance and that's how we pick those things. And like Sam said, that gives us that justification for the next project.
Mike Engle:
Yeah, and Sam, I threw this up here a second ago, but could you touch on the justifications that you'll cover when you're working with clients on this stuff?
Sam Tang:
Yeah, and Max, spot on again, and I'm going to couple what I asked earlier about quantification of cost and it's associated to what the value it's gained and the way that people would need to think about this. It's not just about the technology, it's about I'm from EY, so if I don't say people, process and technology at least once in my presentation, that means I have failed, but I'm going to add on data as well. So every step of the way, so this is not a one-time thing, this has got to be a recurring thing. And what I've been telling my clients, you've got to do this twice a year. How much money are you spending on the management of your identities? How much money are you spending on your credentials across people, process, technology, and also entitlements?
We've all been dealing with passwords for the past 30 years, and I'm hoping before I retire I can see in three to five year time, here's my goal for a lot of my clients. What if you are able to get to reduce 90% of dependencies on passwords. What would you think that the ROI is? If you go across what it takes to manage people, process, technology and data across just those two things alone, the number is extremely high.
Mike Engle:
Yeah, no, I'll throw out a real world use case, and this is a public testimonial from the CSO for Vodafone. We happen, right time, right place, they asked if we could help them go passwordless for remote access to deprecate a one-time code generating product, to mention who. And we had... No, I mean, there's a couple of them out there. It was a three-week go live from the time we started really talking to them and we did it. And if you go to 1Kosmos Insights testimonials, you'll see that out there. But here's the cool part. So we did that.
Now, the cost of deprecating that old product and the 11 seconds average control, delete whatever login time, go fetch the code, saved over those users over the course of a year, you put the whole thing together and they're saving millions of dollars. So yeah, it's out there to be had and if you measure it, you can manage it properly and take credit for it as you're doing it along the way. So I'm sure there's just some levers that you'll pull on with your clients as well, Sam. So an example of this, just ask your customers how much they like logging in today.
Dear remote access or Windows user, how much do you like logging in today? And then ask them three months after the deployment and you get a one to 10, you get a one, you'll get an eight, you'll get a nine. And this is an example of just a very simple question that we will make sure our customers get asked. They ask their end users as part of the deployment, "Did you have any issues registering for passwordless?" And so another one is, "Did it make it easier, yes or no?" So we'll get high eighties into low nineties. Some people are sticklers for passwords, but they'll come around pretty quickly.
So just a couple questions here. I think we've about done it, if you have any closing thoughts, but I got a couple questions here that have come in. Sam, I'll field this one to you first. When you think about identity, and I'm paraphrasing here a bit on the question, but passwordless is obviously one component. Where do you see, you mentioned verifiable credentials and other identity constructs like that having an important role for organizations?
Sam Tang:
So I personally feel using a password to log into anything, it's only because people have not really addressed the real problem. I think Max, you touched on this earlier, conditional access. So access to things. What if you flipped it on its head? What if you gave everybody access? It really depends on what you're authorized to, even if you log in, if you're not authorized to anything, what is the real harm of giving people access to a device? So my last statement here, my closing thought, is really focus on understanding what your environment is, where you're spending money on, start patronizing as to what the usage patterns are to the services that people are accessing, and stop worrying about how people gain access to things. If you have passwordless, you shouldn't have to worry about passwords and allow that technology to just allow you to think about how to really control what people have access to based on the 863 spec for assurance lines. So that's my last statement there.
Mike Engle:
Yeah, I'll expand on that just real quickly. What we're seeing, because we have a verifiable credential engine of the hood and you see Microsoft with renaming their entire product to Entra and having verifiable credentials at the heart. So it is an up and coming, it's going to take years to get out there, just like chip and pin on credit cards took us 10 years here in the US but it's coming. And so when you need your employee identity or your customer identity or your bank identity to be used out in the industry, verifiable credentials is the way. So again, it's not just about getting rid of the password. If you have a verifiable credential, there is no password, but it's just part of the mix. And the last question here, biometrics are all the rage, either pro or con. There's deep fakes, there's Tom Cruise videos circulating the internet.
How do you think about biometrics and do them right? And this is really a question for all three of us. I think it's TBD. Well, the first step is never store a face in a database that even your admins can get to. That's just like you need this privacy by design approach. Max, over to you. You mentioned a little bit about the legality. I'm sure the way you would do identity in Singapore is much different than Germany or Italy where you can't even have a camera on a cashier, because their face could be in view.
Max Cope:
Yep. You are not wrong. We have, I think you could call it multiple strategies for this. And there's also obviously multiple biometrics. It depends on how far down the line of biometrics you want to go. But you've got full body biometrics, you've got gait biometrics, you've got facial biometrics, you've got fingerprints and hand prints. You've got all sorts of mad things that form a biometric, from your voice and your eyes and your face to pretty much everything that makes up you to other things that are the way that you do something, all of which have a different cadence of some form of regulation against them. And when you work in a highly regulated environment, we could probably enforce something in certain areas, but it would never be consistent. And actually to have a good solid identity program, it's got to be consistent, reliable, and repeatable.
If it isn't any of those things, then you've got a great silo of something, but you can't then use that as the benchmark or the guarantee for the next thing that you want to do. So for me, verified credentials, banked by some form of government organization would be super useful in terms of onboarding, but maybe not very useful in terms of day-to-day access and control. And like Sam's talking about, we are in a world where we're doing a bit of shift left from authentication, which is now super easy and very commoditized to authorization, which is now coming of age a little bit. And we're talking now not just about, "Hey, my authorization hangs on, I'm a member of a group on NAD." And then that group's been tied to a set of permissions in an application, but rather a real time check of should Sam be having access to this thing at this time from this device in this location?
And the answer is no, he's on holiday and he really shouldn't be checking his email. So it's moving towards that policy-based access control driven by a set of different things that are also potentially, include biometrics, is absolutely key. And how you then keep those things, how you make that authorization real time is now very dependent because then you have to keep a load of stuff. So what you end up doing is profiling your users, which in most parts of Europe you're not allowed to do. So as much as it would be a great nirvana to have from a security point of view for us to keep our customers and our systems safe, there's actually very hard limits on what we can and can't do to move towards that.
Mike Engle:
Yeah, yeah. Proceed carefully for sure. You get yourself in legal trouble pretty quickly. In the US we have the State of Illinois put out laws called BIPA and they're suing everybody who's captured a face and hasn't used it even just a little bit right. So yeah, tread carefully there, run it by legal and all those great things. So I think we've about done it. I really appreciate you guys coming on here. We'll give people a few minutes to get a break between their back-to-back meetings these days. Max, really good luck with your Christmas list. I'd managed to capture a couple of the elements here for you, right? So single log on experience, conditional access, and a new fax machine in color. And Sam, I think yours is just no volcano eruptions, right?
Sam Tang:
Thank you.
Mike Engle:
I think then we will have done it. But any closing remarks? Just wish everybody a happy holiday.
Sam Tang:
Yeah, happy holidays everyone.
Max Cope:
Yeah, absolutely. Have a fantastic time in whatever it is you're doing.
Mike Engle:
Yeah, thank you so much for joining. Thanks everybody for attending the webinar and a recording of this will be sent out to everybody who registered and it'll be posted on our website in the coming days. So if you're seeing this after, then thanks for joining a second time. All right.
Sam Tang:
Thank you everyone. Thank you Mike.
Mike Engle
CSO
1Kosmos
Sam Tang
Partner/Principal
Ernst & Young
Max Cope
Principal Architect
HSBC
Unlock to learn:
- How to drive OpEx savings in IT with examples from actual deployments
- Why prioritizing high-assurance ID proofing is critical to reduce operational risk
- How to use passwordless biometrics for users who can’t use mobile devices
- Ways to enable cross-boundary authentication (M&A, divestitures, affiliates)
- Why Zero Trust depends on verified biometrics
Despite efforts to secure logins and prevent fraud, organizations are still struggling to adopt the latest in identity verification and authentication. It’s clear band-aid approaches are not solving the problem.
Complexity is at the root of it – security and privacy challenges top among them and usually emanating from proprietary technologies planted deep in platforms such as Microsoft AD (ADFS) and Entra ID (Azure AD).
During this session, Mike Engle, Sam Tang and Max Cope took a critical look at the underlying technology that got us here. They discussed a game-changing approach to modernization that quickly augments core IT to mitigate risk, reduce technical debt, and enhance access controls.
Mike Engle
CSO
1Kosmos
Sam Tang
Partner/Principal
Ernst & Young
Max Cope
Principal Architect
HSBC
Video Transcript
Mike Engle:
Thanks everybody for joining. We're here today to talk about all kinds of identity constructs mostly in the workforce. I'm sure we'll have some tangents because identity is identity, whether you're an employee, a consumer, citizen, customer, it doesn't matter. And I'm joined today by two esteemed giants in the industry. Good longtime friend, Sam Tang. You want to say hi Sam and introduce yourself?
Sam Tang:
Hello everyone. Happy holidays. Thank you, EY. Thanks 1Kosmos for hosting this session. Very excited and also very privileged to be speaking with you and Max at the same time as you guys are industry powerhouses. So thank you very much.
Mike Engle:
You're making me blush and Max.
Max Cope:
Yeah, hi. Well, look, I'd like to say thank everyone for coming to the webinar and thank you Mike and Sam for the opportunity to allow us to show what we're doing, what we're about, and what identity means for us. And I'm looking forward to the conversation. It's always great to talk with you, Sam. We've been talking for a while now, and Mike, we're new friends but I think there's a bright future.
Mike Engle:
That's right. Yeah. And I'm Mike Engel, head of strategy and co-founder over here at 1Kosmos. So just real quick on 1Kosmos, we are an identity company. We'll get into a little bit more down the road here, but we'll prove anybody's identity and make it really easy to prove that over and over again, which you do that, it solves all kinds of problems, pretty much anywhere you're engaging with digital services, even in person.
So with that, let's jump in and get the show in the road here. We're talking about three really big challenges that impact us as we either build systems or even try to use them as end users. And the first is we have hundreds of ways that we engage with different systems, whether it's your computer, your phone, a website, government systems, it doesn't matter. It's pretty painful. The goal is to streamline that and make it consistent, repeatable, secure, of course.
And everybody's talking about passwordless. Let's go beyond just trying to solve passwordless on an application by application basis. You're seeing these great popups on this website, that website on your computer, on your phone. Let's unify that. Let's figure out a common way to do that across the enterprise and along the way if you do that right, we're going to talk about cost savings, the drivers, reduction of risk. Because of all this fragmentation you're seeing the scattered spider type stuff, just decimate companies. And so we're going to get into this a bit. So I'll start by asking, Sam, what are your thoughts on expanding the concept of ID beyond your SSO system or point solution X, Y, Z?
Sam Tang:
Yeah, as the geopolitical environment that we're in, there's a lot of focus on risk, safety and privacy. If you think of those three things, you got to cover more than just applications. As an industry, I think we've all been dealing with application access and provisioning and all that for a long time now, but it's going to expand to network infrastructure, cloud, physical locations, devices, and so on and so forth. As we're expanding the coverage of IAM, we need to consider those elements as well.
Mike Engle:
Right. And Max, what's the common theme as you think about new stuff that you need to deploy and what are some of the drivers for that?
Max Cope:
Well, exactly. I mean, A, you've hit on it. We are a very distributed and disparate organization in operating out of over 178 locations globally. A common authentication experience is very hard to come by but something that's on my Christmas list. Passwordless is a buzzword we've got every regulator known to man knocking on our door. Because of the countries we operate in, we have not just one set of regulators, but lots of sets of regulators and they say passwordless, but each one means a slightly different thing. And all of the internal drivers are around simplifying and reducing cost. And what you get is sometimes you get things like, "Hey, you guys are using Azure, so use Entra and that will give you that simplicity in that single common authentication." And then unfortunately, reality bytes and we end up with, we've got mainframes, we've got SQL databases, we've got apps that don't hook up to anything but are super critical for the operation of the business.
So for our strategy, when we have a common authentication experience, we've got to take all of these things into account. And it's not easy to come up with a single common approach to passwordless. Is it a pass key? Is it a certificate? What is it? What is that common approach? And actually a common approach in one place might not even legally be allowed in other places such as China. So when you operate in all these disparate environments, a single identity strategy is not maybe possible, but a number of streamlined identity strategies that drive that simplicity, extend the common authentication and bring a decent passwordless experience within the bounds of those geo-environments is potentially possible. But I think it's always going to be hard. And unless we have a common lexicon, we say, "This is what password means to us, this is what the common authentication gateway section is", then we're always going to be on an uphill struggle.
Mike Engle:
And I think that's a great point. Let's do that. Let's deconstruct what passwordless means. So I did a couple of things. Is passwordless the objective? I say no. It's almost like a feature. It's a byproduct of doing identity right. And so second line here, identity objective, it's a rhetorical question, but how do I cover all of my applications with identity? I mean, you can't do it overnight. And as I said in the intro, it doesn't matter if you're an employee or a customer, you're still you. How do you prove that every time? We're seeing tokens and authenticator this and at the end of the day, those things can be given to somebody else, which means you don't have zero trust and we don't want to kill our IT staff with product after product after product. So I went out and did a quick GPT of this.
We're going to talk about a couple of strategies of what it takes to introduce identity across an enterprise. And when I asked GPT and Claude, the two main competitors, you see all these different things come up. The legacy one-time code generators, they're calling themselves passwordless and that's why GPT-4 says one-time codes must be passwordless as well, so technically maybe. But I think if we start with what the success criteria would be, there's really some straightforward objectives that we all aspire to. And so Sam, if you would start with these four drivers. We've been talking about these for a long time, but what are you seeing for these objectives?
Sam Tang:
Yeah, thank you, Mike. And these four things, the objectives has done very well for us in driving justification as to why people spend money on cybersecurity and IAM. But what's emerging right now are three additional things I would like the audience to consider that's being asked of us now, cost, value and trust. And I'm not talking about zero trust, I'll explain that in a minute. And in terms of value and cost, what we have found is that everybody in the audience, I've been in this space for 30 years, I'm pretty confident by listening to Max. We've all been dealing with identities, credentials, passwords, and entitlements for quite a long time now. And we're still not in a place where we're truly optimized because we're still managing a lot. And on top of that, we're finding it very hard to actually allow our sponsors and leadership and they're asking for more justification now. How do you justify the spend and the cost associated to digital identity in IAM?
These three things actually, the cost, value, and trust, equate to two measurements, quantification measurement and maturity measurement. And the quantification wise is based on these four things, how can you justify what really is the cost savings or toss justification or what's the cost of not doing something? So there's always continued efforts in how we justify what we do on a day-to-day basis. But for maturity measurement, there's four other things that I like the audience to consider. And Mike, I've been speaking to you about four Rs, readiness, resiliency, realization, and also recovery and remediation.
And realization really is how much do you trust what you know about your environment? What data do you know about your environment? How much have you classified in your CMDB or your levels of access and readiness? How ready are you in event where there's another Covid? Are you really ready for it in your environment or M&A or business transaction? Are you ready? Resilience stays, how much do you really have control over the access to your devices, environments, physical locations, and so on, so forth. And then the recovery is how much trust do you have in the environment that you can recover from the events that you didn't anticipate. So really it's all about measurements and cost, value and trust.
Mike Engle:
Yeah, no, well said. And Max, how would you prioritize these as you think about these types of applications across HSBC's environment?
Max Cope:
So I mean, Sam's hit the nail on the head around the realization piece. I think that's probably one of the most important pieces for us because although we have highly complicated and highly regulated environments, what we also have are a lot of suppliers and third parties. And the risk around those is probably equally as great as our internal staff, trying to understand how their identities work, how we create B2B bridges to enable identity transfer, to be able to be sure that we're identifying the right people, the right place at the right time to allow the right access to the right system for the right thing. And on top of all of that, make sure that that is logged, monitored, assessed is exceedingly hard because you have to vet your suppliers, you have to vet the technology that you're using, you have to be ready to receive that technology. You have to be able to operate it.
So if we take a simple thing like pass keys, becoming mainstream norm for consumer type applications, but in the enterprise, there's very few people that are actually doing anything with actually enterprise grade pass keys right now because well, FIDO2, we're not entirely there yet with the enterprise level standard. And even if we were to adopt it, how do we then push that technology out? Is it going to be through Entra, is it going to be through a gateway, is it going to be through something like 1Kosmos? What does that mean for us and how do we scale that out? So we've got multiple dimensions to the sets of products issues that Sam's talking about.
Mike Engle:
Yeah. Yeah. And you mentioned an important standard in identity. I'm a big fan of standards as we really, the goal is to get rid of the password. And you mentioned FIDO, it stands for Fast Identity Online, was founded in 2013. A whole bunch of tech companies got together, Google, Apple, Microsoft, and 1Kosmos and 200 others. But there's a couple of standards that go together to make passwordless be verified with a real identity. And I want to call out NIST 800-63-3. It is the US government standard. This latest draft was out in 2017, and it is what nearly every organization is talking about. It says, "Here's how you prove who you are remotely." That's different in passwordless. And in order to do that, you need a biometric. I have to match my face. Mike Engel matches this real citizen or constituent identity.
And so that together and then issuing a FIDO authenticator or some other type of credential and making sure you have a chain of custody of the credential throughout its life. If I can give my YubiKey to somebody else, this whole thing breaks down. And so how do you back that up? It's with a verified identity, with a biometric. So a couple of standards that people are keeping their eyes on these days and the identity components are the first step is proving who you are remotely, verifying that data. So just because I have a license that says Mike Engel, do I live at that address, can I prove that I'm actually in possession of it and then assigning the credential? And it's really a subset of identity. Sam, your thoughts on this?
Sam Tang:
Yeah, something I want to touch on is the importance, not just verification, but continuous verification, just because someone is trustworthy in the industry or even in what data is available to vet the person, that's just because I'm trusted today doesn't mean that I'm trusted tomorrow, even a week later. And more importantly, what the trust factor and the verification is going to enable or emerging topics that people will talk about, which is privacy, I think you touched on for cross border access and classification of data as to what people can have access to or not, and also safety. How can you apply this technology to actually address privacy and safety as well?
Mike Engle:
Yeah. Max, are you guys keeping an eye on some of the standards and the concepts of proofing, obviously the organization your side it's a loaded question.
Max Cope:
Yeah, just a touch. So I mean, obviously we are subject to multi-jurisdictional KYC and AML, which applies on the customer side for all our CM-type identities, which we've got just shy of a billion identities under management. But actually for the staff side, it's a very different equation. And the reason for that is, again, the multi-jurisdictional bits and pieces. If we're in Europe, for instance, doing this proofing would mean that that would need to stay inside a European silo. Same applies for China, same applies for Singapore, Hong Kong. So where and how we would enact this would then become more difficult because we'd have silos of proofing and we'd have to go and check multiple sources of proofing across a user journey through the system.
And there's a large element of complexity driven by local regulation that is stopping us deploying some of this stuff. But in areas where we can deploy, this is something that we are looking at with a big lens at the moment because being able to have that continuous proofing is very important. But how we deploy that will also then depend on the technology stacks. So at the moment, you've got things like Windows Hello that can help you with the biometric pieces, but then stitching that together into FIDO compliant bits and pieces to deliver what you're talking about. Again, I think that's definitely on my Christmas list.
Mike Engle:
Yeah, yeah. Well, we're building a list as you go, so hopefully you don't get a bucket of coal at the end of that list. So we'll see. So as I mentioned, focusing on identity for us is obviously we can authenticate into anything, but the verified identity is really important. And where we're seeing our phone rang off the hook is in three areas. How do you know who you're hiring, whether it's an employee or a contractor, especially in the light of Covid, you heard stories about people having four jobs at the same time or proxy interviewing, I'm going to apply and put my cousin Vinny in the seat to do the interviewing 'cause he's better and then you show up for work, nobody knows any better.
So an example would be on interview, day one on talent acquisition, prove your identity, scan the license front back, here's a credential, can you show that to the next person, please? And we make that really simple. This is his first box. And then with, again, I mentioned scattered spider, when your employee database gets dumped, how do you verify remote callers? Because 90X percent of organizations use secrets. Well, all the secrets went out the door. And I spoke to an organization yesterday that has their employees holding up their employee badge like this and looking it at their face, this is what they've resorted to.
And we said, "Hold on a minute, I'm going to give you a button where you can press, put their phone number in, they'll proof in 60 seconds, and you'll get a green check mark", a hundred times more accurate than this and handles deep fix. And of course, Max, I mean you guys have massive KYC requirements as a regulated entity as well. So just these are things that are typically forgotten by the big box platform providers. They leave that to somebody else, it leaves a big hole for us to come in and we will talk about some of the techniques to get it out there as well. So we'll just move on on this one. I like to say Sam, I know you're a big fan of some of the remote proofing technologies. Anything to wrap up on this slide?
Sam Tang:
Yeah, the only thing I'll add here is that on the enterprise you have means to really detect JML. We always talk about JML, joiner, mover, lever. With an HR platform we can, and with the talent recruiting you can, but for the B2C and B2B use cases, you really don't have that. You don't have the luxury. So the proving I'm talking about, and the verification I'm talking about is more than just about the employee, it's about the consumer, it's about the merchant, it's about the third party and add on to the complexity, there's not just the identity risk, there's the third party risk as well. So the proving I'm talking about, the verification we're talking about is not just about identities, it's about everything that we need to do to control access to things.
Mike Engle:
Right. Yeah. And actually Max, I'd love your take on conditional access because the theme for the webinar here today is Continuous Identity Verification. So imagine if you could have some type of fraud signal or any condition before you get access to CyberArk, I want you to prove who it is. How much of a game changer would that be from your security posture perspective?
Max Cope:
Well, I think this goes back to the thing I touched on earlier, which is again, something that Sam talked about, which is your third parties. It would be high on the Christmas list because as it stands at the moment, understanding its making that link between the keyboard and the things that are doing the actions and the individual that are doing those actions via the device. So you can have very high certainty to a device, but between the device and the person, there's very low certainty as to who it is and being able to up that certainty so that you know whether or not someone's trying to use lifted credentials or anything like that, or you're being subject to a social engineering attack would be super helpful for just even a small percentage of the really sensitive and high priority stuff that we do.
Mike Engle:
Yeah, excellent. Thank you for that. So again, we're talking about some strategies here and common themes, first one being don't just focus on passwordless. But the other one is really making it easy to deploy, not only for the users. And you're seeing now, for example, out in the consumer world, FIDO is getting popular. You log into Best Buy here in the US and it says, "Would you like to get rid of your password?" People are going to say yes. And people are now trusting their face ID and touch IDs more and more. So we can extend that to the enterprise. And the common approach that you can either make easy or hard is how do you enroll people into it? So we call this coexistence, and this is an idea where you put the old alongside the new. So for example, on the right is PingFed, ID, username, password, some kind of token comes after this.
And so your existing a hundred thousand users can do this while the first user figures this out, and the first user will take about the same amount of time as your next 90,000 because you get your run books down and you start to figure out how to deprecate some of these legacy systems. So this has been really a game changer for us and our customers where we could say, "Listen, you don't have to change anything. Add the button." And that goes for Windows and Mac and web systems, et cetera. And in that same theme of making it easy to get is to allow self-service onboarding.
So Max, I'm sure in the banking industry, everybody, I used to have to go into a branch to open an account, everybody had to come into the office to become a new employee, but now you're allowing it remote, mostly self-service, obviously with lots of background checks and things like that. So this is an example of, hey, it goes viral. If I'm asking you guys, Max and Sam on our weekly management call, "Hey, did you guys get rid of your passwords yet?" You're like, "What do you mean?" "Well you knucklehead, just go scan the QR code and self-enroll." So making it that easy is really critical as one of the steps. The question for Max, how much is user experience a priority for you as you roll out new systems for either employees or consumers?
Max Cope:
I would say it's absolutely critical. I don't think any kind of large scale identity program would succeed without it. And the reason for that is that we have proven time and time again that large scale migrations and forcing user populations to move to something new is expensive, error-prone, constantly changing the run book, things always crop up. It's never entirely thought through. And there are always, always gaps and problems. Whereas doing it like this, making it easier, ironing out a lot of the problems upfront and having something that allows the user to make a choice on their timeline just drives adoption. It drives that adoption because they want to do it because their mates done it and somebody else has done it. And, "Oh, look, I can get slightly better services quicker and easier if I do this and I can see other people around me doing it." And it gives them the confidence. Whereas even though there's no technical difference in doing a forced migration and just taking them through it, it's about that buy-in and that adoption. And if you have that buy-in and adoption, you end up with a more successful program.
Mike Engle:
Yeah. Sam, your thoughts?
Sam Tang:
Yeah, spot on Max. I mean, end user experience truly enables business adoption. And without business adoption, you're probably not going to get funding for your program. So it goes hand in hand with user experience. But going back to Mike, what you said about 863, if you look at that spec, there's a lot of conversation around allowing people to classify the information that they can share, self sovereignty. So without a simple end user experience, self sovereignty is probably not likely to be as small.
Mike Engle:
Yeah. Imagine if you... I'm sure at E&Y, if you go to one of your clients and say, "I just need to add four buttons to your customer signup process", it'd be like, "Okay, pack your things, you're out of here." So yeah, it's the same thing. You want people to enjoy using your systems, don't put them through hoops. I deployed my first secure ID server in the nineties, and oh my god, the friction, it was as bad as when I had to enable swipe out of the building at the turnstiles. People are bouncing off the turnstiles. So yeah, this goes way back. So no, thanks for your thoughts there. So we've covered two strategies. The third, I'm going to preface this, and I didn't talk to Max or Sam about this, but what is one of the biggest challenges when you try to get rid of passwords? I'll throw it out there, but it's the fact that you don't know your password anymore. How long is it going to take a Fortune 100 organization to get rid of passwords? What do you guys think?
Sam Tang:
Max, you want to give it a shot?
Mike Engle:
All passwords.
Max Cope:
I mean, I'm going to say not in my lifetime, hence I have pretty good evidence for that. We've got these funny things called mainframes, they really don't like working without passwords.
Mike Engle:
Yeah, yeah. No, that's exactly it. So it's actually all over Microsoft's like Windows Hello and Authenticator documentation. Be careful, if you let somebody go without passwords for 90 or 180 days, great, congratulations, high five. But on day 181, or even you make them rotate their password or they hit that legacy HR benefits system that hasn't been migrated, you just created a disaster. And so part of a successful passwordless deployment is to find better ways to support the password when you need it. And so we got a button here, it's like a smack your head against the glass button. Yeah, all right, I need it. Press the button, do your biometrics and reset it.
And so it's obvious once you hear it, but people think that, oh, if I roll out passwordless I'm good. It's not the case. And how many times have you heard this is for both of you guys, just use your phone for everything. Well, some people can't use a phone. Some people won't. It's illegal to make people use a phone in some countries or some states here in the US. So you need multiple modalities as part of the strategy. Max, I'm sure I'm preaching to the choir in this one.
Max Cope:
A hundred percent. So I mean we have exactly that issue. Well, we've got two things, right? We've got trading floors. You're not taking a phone on one of those and you're certainly not going to be scanning a QR code or using your biometrics for that. We've got areas and jurisdictions, even like for Germany for instance, on how you identify and manage user identity. It's not easy. So all of the things that you're talking about that, everything runs at a different velocity, but you need to cater for all velocities at all times. And therefore you're always going to have something that either requires a password or you need a way back or you need to do something and then you need to make sure that your help desk is spun up. You've got people who can actually understand those processes. There's still a whole load of wrap around the outside. It doesn't matter how cool the tech is if you don't have that right support wrap around the outside.
Mike Engle:
Oh, great. Yeah. Sam, I know you have a lot to say on this one 'cause you've told me.
Sam Tang:
Yeah. This close to my heart, this has been a pet peeve of mine as to why we've been managing physical access and access separately. And those two environments typically don't even talk to each other. So having a phone is not the answer for everything because there's always going to be restricted areas where a phone is not allowed. Manufacturing sites and highly sensitive areas like energy locations and so on and so forth. And there's techniques to use password certification to actually address it.
And by the way, I'm going to throw this out there. Having a physical wearable device like the UV key is not going to answer all your questions as well. So if there's always going to be shared workstation that you have to address and using technologies like this and combine it with physical access, I think it's going to give you the power that you need in order for you to manage physical access to things like turnstiles, to forklifts, even for financial institutions or ATM machines and so on and so forth. So again, without this strategy, it's going to cause a lot of friction when people want to modernize.
Mike Engle:
And physical access is one of the classic examples that's been used in biometrics for 20, 30 years. You get proofed by your physical security, you got a picture, goes into a database, sometimes people look at it and you're seeing more and more biometric readers get put at turnstiles and data centers and locked cabinets and all those things. Windows Hello, right, making its push out. Apple's touch ID, face ID, et cetera.
Mike Engle:
Should we put a new fax machine on your Christmas list as well?
Max Cope:
Yes, absolutely. Why not make it color this time? It'll be fun.
Mike Engle:
Okay, we can do that. All right, cool. No, thanks for that. So we're on strategy four, the last one, and we'll slide into the end of the presentation here with ROI, user experience. We talked a lot about the UX, but measuring the success of any program I think is top of mind. You can't just say we're kicking it off and then not check in on it later. So there's a couple of metrics that we focus on on day one, and this is examples of you have password resets, there's the legacy applications which costs 1, 3, 5, $10 per user per month. There's hardware tokens, and then there's the IT staff to manage all that, those seven separate identity platforms. So Max, I think I'll start with you on this one, how do you balance what the business thinks, wants, and then how do you measure the success of it as they take it on?
Max Cope:
So that is a key thing. The cost of any change that we make will be intensely measured by our finance colleagues, but it will also be intensely measured by the users themselves who will have absolutely no qualms in telling you how they feel about it. So what you end up with is you end up with two really good metrics. You have a metric of cost, where for the money that we save, have we achieved the ROI and how does that ROI get measured against? It's measured partly through the help desk and whether or not we're getting those resets, but then it's also in costs of other things. The opportunity cost of putting in what we've put in has taken out a cost somewhere else. And now we've realized that cost because we absolutely don't need that other thing that we had.
So there's two finance metrics there and then obviously there's the user feedback forums, which are generally a, "Hey, this thing's amazing, we love it", or "Oh my God, just take this out of my life, just please, I don't like it. It's new." There is a very negative ROI on negative feedback and there's a positive ROI on positive feedback. So we work on those three metrics. We have user feedback, we have help desk reduction cost feedback, and then we have opportunity cost through finance and that's how we pick those things. And like Sam said, that gives us that justification for the next project.
Mike Engle:
Yeah, and Sam, I threw this up here a second ago, but could you touch on the justifications that you'll cover when you're working with clients on this stuff?
Sam Tang:
Yeah, and Max, spot on again, and I'm going to couple what I asked earlier about quantification of cost and it's associated to what the value it's gained and the way that people would need to think about this. It's not just about the technology, it's about I'm from EY, so if I don't say people, process and technology at least once in my presentation, that means I have failed, but I'm going to add on data as well. So every step of the way, so this is not a one-time thing, this has got to be a recurring thing. And what I've been telling my clients, you've got to do this twice a year. How much money are you spending on the management of your identities? How much money are you spending on your credentials across people, process, technology, and also entitlements?
We've all been dealing with passwords for the past 30 years, and I'm hoping before I retire I can see in three to five year time, here's my goal for a lot of my clients. What if you are able to get to reduce 90% of dependencies on passwords. What would you think that the ROI is? If you go across what it takes to manage people, process, technology and data across just those two things alone, the number is extremely high.
Mike Engle:
Yeah, no, I'll throw out a real world use case, and this is a public testimonial from the CSO for Vodafone. We happen, right time, right place, they asked if we could help them go passwordless for remote access to deprecate a one-time code generating product, to mention who. And we had... No, I mean, there's a couple of them out there. It was a three-week go live from the time we started really talking to them and we did it. And if you go to 1Kosmos Insights testimonials, you'll see that out there. But here's the cool part. So we did that.
Now, the cost of deprecating that old product and the 11 seconds average control, delete whatever login time, go fetch the code, saved over those users over the course of a year, you put the whole thing together and they're saving millions of dollars. So yeah, it's out there to be had and if you measure it, you can manage it properly and take credit for it as you're doing it along the way. So I'm sure there's just some levers that you'll pull on with your clients as well, Sam. So an example of this, just ask your customers how much they like logging in today.
Dear remote access or Windows user, how much do you like logging in today? And then ask them three months after the deployment and you get a one to 10, you get a one, you'll get an eight, you'll get a nine. And this is an example of just a very simple question that we will make sure our customers get asked. They ask their end users as part of the deployment, "Did you have any issues registering for passwordless?" And so another one is, "Did it make it easier, yes or no?" So we'll get high eighties into low nineties. Some people are sticklers for passwords, but they'll come around pretty quickly.
So just a couple questions here. I think we've about done it, if you have any closing thoughts, but I got a couple questions here that have come in. Sam, I'll field this one to you first. When you think about identity, and I'm paraphrasing here a bit on the question, but passwordless is obviously one component. Where do you see, you mentioned verifiable credentials and other identity constructs like that having an important role for organizations?
Sam Tang:
So I personally feel using a password to log into anything, it's only because people have not really addressed the real problem. I think Max, you touched on this earlier, conditional access. So access to things. What if you flipped it on its head? What if you gave everybody access? It really depends on what you're authorized to, even if you log in, if you're not authorized to anything, what is the real harm of giving people access to a device? So my last statement here, my closing thought, is really focus on understanding what your environment is, where you're spending money on, start patronizing as to what the usage patterns are to the services that people are accessing, and stop worrying about how people gain access to things. If you have passwordless, you shouldn't have to worry about passwords and allow that technology to just allow you to think about how to really control what people have access to based on the 863 spec for assurance lines. So that's my last statement there.
Mike Engle:
Yeah, I'll expand on that just real quickly. What we're seeing, because we have a verifiable credential engine of the hood and you see Microsoft with renaming their entire product to Entra and having verifiable credentials at the heart. So it is an up and coming, it's going to take years to get out there, just like chip and pin on credit cards took us 10 years here in the US but it's coming. And so when you need your employee identity or your customer identity or your bank identity to be used out in the industry, verifiable credentials is the way. So again, it's not just about getting rid of the password. If you have a verifiable credential, there is no password, but it's just part of the mix. And the last question here, biometrics are all the rage, either pro or con. There's deep fakes, there's Tom Cruise videos circulating the internet.
How do you think about biometrics and do them right? And this is really a question for all three of us. I think it's TBD. Well, the first step is never store a face in a database that even your admins can get to. That's just like you need this privacy by design approach. Max, over to you. You mentioned a little bit about the legality. I'm sure the way you would do identity in Singapore is much different than Germany or Italy where you can't even have a camera on a cashier, because their face could be in view.
Max Cope:
Yep. You are not wrong. We have, I think you could call it multiple strategies for this. And there's also obviously multiple biometrics. It depends on how far down the line of biometrics you want to go. But you've got full body biometrics, you've got gait biometrics, you've got facial biometrics, you've got fingerprints and hand prints. You've got all sorts of mad things that form a biometric, from your voice and your eyes and your face to pretty much everything that makes up you to other things that are the way that you do something, all of which have a different cadence of some form of regulation against them. And when you work in a highly regulated environment, we could probably enforce something in certain areas, but it would never be consistent. And actually to have a good solid identity program, it's got to be consistent, reliable, and repeatable.
If it isn't any of those things, then you've got a great silo of something, but you can't then use that as the benchmark or the guarantee for the next thing that you want to do. So for me, verified credentials, banked by some form of government organization would be super useful in terms of onboarding, but maybe not very useful in terms of day-to-day access and control. And like Sam's talking about, we are in a world where we're doing a bit of shift left from authentication, which is now super easy and very commoditized to authorization, which is now coming of age a little bit. And we're talking now not just about, "Hey, my authorization hangs on, I'm a member of a group on NAD." And then that group's been tied to a set of permissions in an application, but rather a real time check of should Sam be having access to this thing at this time from this device in this location?
And the answer is no, he's on holiday and he really shouldn't be checking his email. So it's moving towards that policy-based access control driven by a set of different things that are also potentially, include biometrics, is absolutely key. And how you then keep those things, how you make that authorization real time is now very dependent because then you have to keep a load of stuff. So what you end up doing is profiling your users, which in most parts of Europe you're not allowed to do. So as much as it would be a great nirvana to have from a security point of view for us to keep our customers and our systems safe, there's actually very hard limits on what we can and can't do to move towards that.
Mike Engle:
Yeah, yeah. Proceed carefully for sure. You get yourself in legal trouble pretty quickly. In the US we have the State of Illinois put out laws called BIPA and they're suing everybody who's captured a face and hasn't used it even just a little bit right. So yeah, tread carefully there, run it by legal and all those great things. So I think we've about done it. I really appreciate you guys coming on here. We'll give people a few minutes to get a break between their back-to-back meetings these days. Max, really good luck with your Christmas list. I'd managed to capture a couple of the elements here for you, right? So single log on experience, conditional access, and a new fax machine in color. And Sam, I think yours is just no volcano eruptions, right?
Sam Tang:
Thank you.
Mike Engle:
I think then we will have done it. But any closing remarks? Just wish everybody a happy holiday.
Sam Tang:
Yeah, happy holidays everyone.
Max Cope:
Yeah, absolutely. Have a fantastic time in whatever it is you're doing.
Mike Engle:
Yeah, thank you so much for joining. Thanks everybody for attending the webinar and a recording of this will be sent out to everybody who registered and it'll be posted on our website in the coming days. So if you're seeing this after, then thanks for joining a second time. All right.
Sam Tang:
Thank you everyone. Thank you Mike.
Thanks everybody for joining. We're here today to talk about all kinds of identity constructs mostly in the workforce. I'm sure we'll have some tangents because identity is identity, whether you're an employee, a consumer, citizen, customer, it doesn't matter. And I'm joined today by two esteemed giants in the industry. Good longtime friend, Sam Tang. You want to say hi Sam and introduce yourself?
Sam Tang:
Hello everyone. Happy holidays. Thank you, EY. Thanks 1Kosmos for hosting this session. Very excited and also very privileged to be speaking with you and Max at the same time as you guys are industry powerhouses. So thank you very much.
Mike Engle:
You're making me blush and Max.
Max Cope:
Yeah, hi. Well, look, I'd like to say thank everyone for coming to the webinar and thank you Mike and Sam for the opportunity to allow us to show what we're doing, what we're about, and what identity means for us. And I'm looking forward to the conversation. It's always great to talk with you, Sam. We've been talking for a while now, and Mike, we're new friends but I think there's a bright future.
Mike Engle:
That's right. Yeah. And I'm Mike Engel, head of strategy and co-founder over here at 1Kosmos. So just real quick on 1Kosmos, we are an identity company. We'll get into a little bit more down the road here, but we'll prove anybody's identity and make it really easy to prove that over and over again, which you do that, it solves all kinds of problems, pretty much anywhere you're engaging with digital services, even in person.
So with that, let's jump in and get the show in the road here. We're talking about three really big challenges that impact us as we either build systems or even try to use them as end users. And the first is we have hundreds of ways that we engage with different systems, whether it's your computer, your phone, a website, government systems, it doesn't matter. It's pretty painful. The goal is to streamline that and make it consistent, repeatable, secure, of course.
And everybody's talking about passwordless. Let's go beyond just trying to solve passwordless on an application by application basis. You're seeing these great popups on this website, that website on your computer, on your phone. Let's unify that. Let's figure out a common way to do that across the enterprise and along the way if you do that right, we're going to talk about cost savings, the drivers, reduction of risk. Because of all this fragmentation you're seeing the scattered spider type stuff, just decimate companies. And so we're going to get into this a bit. So I'll start by asking, Sam, what are your thoughts on expanding the concept of ID beyond your SSO system or point solution X, Y, Z?
Sam Tang:
Yeah, as the geopolitical environment that we're in, there's a lot of focus on risk, safety and privacy. If you think of those three things, you got to cover more than just applications. As an industry, I think we've all been dealing with application access and provisioning and all that for a long time now, but it's going to expand to network infrastructure, cloud, physical locations, devices, and so on and so forth. As we're expanding the coverage of IAM, we need to consider those elements as well.
Mike Engle:
Right. And Max, what's the common theme as you think about new stuff that you need to deploy and what are some of the drivers for that?
Max Cope:
Well, exactly. I mean, A, you've hit on it. We are a very distributed and disparate organization in operating out of over 178 locations globally. A common authentication experience is very hard to come by but something that's on my Christmas list. Passwordless is a buzzword we've got every regulator known to man knocking on our door. Because of the countries we operate in, we have not just one set of regulators, but lots of sets of regulators and they say passwordless, but each one means a slightly different thing. And all of the internal drivers are around simplifying and reducing cost. And what you get is sometimes you get things like, "Hey, you guys are using Azure, so use Entra and that will give you that simplicity in that single common authentication." And then unfortunately, reality bytes and we end up with, we've got mainframes, we've got SQL databases, we've got apps that don't hook up to anything but are super critical for the operation of the business.
So for our strategy, when we have a common authentication experience, we've got to take all of these things into account. And it's not easy to come up with a single common approach to passwordless. Is it a pass key? Is it a certificate? What is it? What is that common approach? And actually a common approach in one place might not even legally be allowed in other places such as China. So when you operate in all these disparate environments, a single identity strategy is not maybe possible, but a number of streamlined identity strategies that drive that simplicity, extend the common authentication and bring a decent passwordless experience within the bounds of those geo-environments is potentially possible. But I think it's always going to be hard. And unless we have a common lexicon, we say, "This is what password means to us, this is what the common authentication gateway section is", then we're always going to be on an uphill struggle.
Mike Engle:
And I think that's a great point. Let's do that. Let's deconstruct what passwordless means. So I did a couple of things. Is passwordless the objective? I say no. It's almost like a feature. It's a byproduct of doing identity right. And so second line here, identity objective, it's a rhetorical question, but how do I cover all of my applications with identity? I mean, you can't do it overnight. And as I said in the intro, it doesn't matter if you're an employee or a customer, you're still you. How do you prove that every time? We're seeing tokens and authenticator this and at the end of the day, those things can be given to somebody else, which means you don't have zero trust and we don't want to kill our IT staff with product after product after product. So I went out and did a quick GPT of this.
We're going to talk about a couple of strategies of what it takes to introduce identity across an enterprise. And when I asked GPT and Claude, the two main competitors, you see all these different things come up. The legacy one-time code generators, they're calling themselves passwordless and that's why GPT-4 says one-time codes must be passwordless as well, so technically maybe. But I think if we start with what the success criteria would be, there's really some straightforward objectives that we all aspire to. And so Sam, if you would start with these four drivers. We've been talking about these for a long time, but what are you seeing for these objectives?
Sam Tang:
Yeah, thank you, Mike. And these four things, the objectives has done very well for us in driving justification as to why people spend money on cybersecurity and IAM. But what's emerging right now are three additional things I would like the audience to consider that's being asked of us now, cost, value and trust. And I'm not talking about zero trust, I'll explain that in a minute. And in terms of value and cost, what we have found is that everybody in the audience, I've been in this space for 30 years, I'm pretty confident by listening to Max. We've all been dealing with identities, credentials, passwords, and entitlements for quite a long time now. And we're still not in a place where we're truly optimized because we're still managing a lot. And on top of that, we're finding it very hard to actually allow our sponsors and leadership and they're asking for more justification now. How do you justify the spend and the cost associated to digital identity in IAM?
These three things actually, the cost, value, and trust, equate to two measurements, quantification measurement and maturity measurement. And the quantification wise is based on these four things, how can you justify what really is the cost savings or toss justification or what's the cost of not doing something? So there's always continued efforts in how we justify what we do on a day-to-day basis. But for maturity measurement, there's four other things that I like the audience to consider. And Mike, I've been speaking to you about four Rs, readiness, resiliency, realization, and also recovery and remediation.
And realization really is how much do you trust what you know about your environment? What data do you know about your environment? How much have you classified in your CMDB or your levels of access and readiness? How ready are you in event where there's another Covid? Are you really ready for it in your environment or M&A or business transaction? Are you ready? Resilience stays, how much do you really have control over the access to your devices, environments, physical locations, and so on, so forth. And then the recovery is how much trust do you have in the environment that you can recover from the events that you didn't anticipate. So really it's all about measurements and cost, value and trust.
Mike Engle:
Yeah, no, well said. And Max, how would you prioritize these as you think about these types of applications across HSBC's environment?
Max Cope:
So I mean, Sam's hit the nail on the head around the realization piece. I think that's probably one of the most important pieces for us because although we have highly complicated and highly regulated environments, what we also have are a lot of suppliers and third parties. And the risk around those is probably equally as great as our internal staff, trying to understand how their identities work, how we create B2B bridges to enable identity transfer, to be able to be sure that we're identifying the right people, the right place at the right time to allow the right access to the right system for the right thing. And on top of all of that, make sure that that is logged, monitored, assessed is exceedingly hard because you have to vet your suppliers, you have to vet the technology that you're using, you have to be ready to receive that technology. You have to be able to operate it.
So if we take a simple thing like pass keys, becoming mainstream norm for consumer type applications, but in the enterprise, there's very few people that are actually doing anything with actually enterprise grade pass keys right now because well, FIDO2, we're not entirely there yet with the enterprise level standard. And even if we were to adopt it, how do we then push that technology out? Is it going to be through Entra, is it going to be through a gateway, is it going to be through something like 1Kosmos? What does that mean for us and how do we scale that out? So we've got multiple dimensions to the sets of products issues that Sam's talking about.
Mike Engle:
Yeah. Yeah. And you mentioned an important standard in identity. I'm a big fan of standards as we really, the goal is to get rid of the password. And you mentioned FIDO, it stands for Fast Identity Online, was founded in 2013. A whole bunch of tech companies got together, Google, Apple, Microsoft, and 1Kosmos and 200 others. But there's a couple of standards that go together to make passwordless be verified with a real identity. And I want to call out NIST 800-63-3. It is the US government standard. This latest draft was out in 2017, and it is what nearly every organization is talking about. It says, "Here's how you prove who you are remotely." That's different in passwordless. And in order to do that, you need a biometric. I have to match my face. Mike Engel matches this real citizen or constituent identity.
And so that together and then issuing a FIDO authenticator or some other type of credential and making sure you have a chain of custody of the credential throughout its life. If I can give my YubiKey to somebody else, this whole thing breaks down. And so how do you back that up? It's with a verified identity, with a biometric. So a couple of standards that people are keeping their eyes on these days and the identity components are the first step is proving who you are remotely, verifying that data. So just because I have a license that says Mike Engel, do I live at that address, can I prove that I'm actually in possession of it and then assigning the credential? And it's really a subset of identity. Sam, your thoughts on this?
Sam Tang:
Yeah, something I want to touch on is the importance, not just verification, but continuous verification, just because someone is trustworthy in the industry or even in what data is available to vet the person, that's just because I'm trusted today doesn't mean that I'm trusted tomorrow, even a week later. And more importantly, what the trust factor and the verification is going to enable or emerging topics that people will talk about, which is privacy, I think you touched on for cross border access and classification of data as to what people can have access to or not, and also safety. How can you apply this technology to actually address privacy and safety as well?
Mike Engle:
Yeah. Max, are you guys keeping an eye on some of the standards and the concepts of proofing, obviously the organization your side it's a loaded question.
Max Cope:
Yeah, just a touch. So I mean, obviously we are subject to multi-jurisdictional KYC and AML, which applies on the customer side for all our CM-type identities, which we've got just shy of a billion identities under management. But actually for the staff side, it's a very different equation. And the reason for that is, again, the multi-jurisdictional bits and pieces. If we're in Europe, for instance, doing this proofing would mean that that would need to stay inside a European silo. Same applies for China, same applies for Singapore, Hong Kong. So where and how we would enact this would then become more difficult because we'd have silos of proofing and we'd have to go and check multiple sources of proofing across a user journey through the system.
And there's a large element of complexity driven by local regulation that is stopping us deploying some of this stuff. But in areas where we can deploy, this is something that we are looking at with a big lens at the moment because being able to have that continuous proofing is very important. But how we deploy that will also then depend on the technology stacks. So at the moment, you've got things like Windows Hello that can help you with the biometric pieces, but then stitching that together into FIDO compliant bits and pieces to deliver what you're talking about. Again, I think that's definitely on my Christmas list.
Mike Engle:
Yeah, yeah. Well, we're building a list as you go, so hopefully you don't get a bucket of coal at the end of that list. So we'll see. So as I mentioned, focusing on identity for us is obviously we can authenticate into anything, but the verified identity is really important. And where we're seeing our phone rang off the hook is in three areas. How do you know who you're hiring, whether it's an employee or a contractor, especially in the light of Covid, you heard stories about people having four jobs at the same time or proxy interviewing, I'm going to apply and put my cousin Vinny in the seat to do the interviewing 'cause he's better and then you show up for work, nobody knows any better.
So an example would be on interview, day one on talent acquisition, prove your identity, scan the license front back, here's a credential, can you show that to the next person, please? And we make that really simple. This is his first box. And then with, again, I mentioned scattered spider, when your employee database gets dumped, how do you verify remote callers? Because 90X percent of organizations use secrets. Well, all the secrets went out the door. And I spoke to an organization yesterday that has their employees holding up their employee badge like this and looking it at their face, this is what they've resorted to.
And we said, "Hold on a minute, I'm going to give you a button where you can press, put their phone number in, they'll proof in 60 seconds, and you'll get a green check mark", a hundred times more accurate than this and handles deep fix. And of course, Max, I mean you guys have massive KYC requirements as a regulated entity as well. So just these are things that are typically forgotten by the big box platform providers. They leave that to somebody else, it leaves a big hole for us to come in and we will talk about some of the techniques to get it out there as well. So we'll just move on on this one. I like to say Sam, I know you're a big fan of some of the remote proofing technologies. Anything to wrap up on this slide?
Sam Tang:
Yeah, the only thing I'll add here is that on the enterprise you have means to really detect JML. We always talk about JML, joiner, mover, lever. With an HR platform we can, and with the talent recruiting you can, but for the B2C and B2B use cases, you really don't have that. You don't have the luxury. So the proving I'm talking about, and the verification I'm talking about is more than just about the employee, it's about the consumer, it's about the merchant, it's about the third party and add on to the complexity, there's not just the identity risk, there's the third party risk as well. So the proving I'm talking about, the verification we're talking about is not just about identities, it's about everything that we need to do to control access to things.
Mike Engle:
Right. Yeah. And actually Max, I'd love your take on conditional access because the theme for the webinar here today is Continuous Identity Verification. So imagine if you could have some type of fraud signal or any condition before you get access to CyberArk, I want you to prove who it is. How much of a game changer would that be from your security posture perspective?
Max Cope:
Well, I think this goes back to the thing I touched on earlier, which is again, something that Sam talked about, which is your third parties. It would be high on the Christmas list because as it stands at the moment, understanding its making that link between the keyboard and the things that are doing the actions and the individual that are doing those actions via the device. So you can have very high certainty to a device, but between the device and the person, there's very low certainty as to who it is and being able to up that certainty so that you know whether or not someone's trying to use lifted credentials or anything like that, or you're being subject to a social engineering attack would be super helpful for just even a small percentage of the really sensitive and high priority stuff that we do.
Mike Engle:
Yeah, excellent. Thank you for that. So again, we're talking about some strategies here and common themes, first one being don't just focus on passwordless. But the other one is really making it easy to deploy, not only for the users. And you're seeing now, for example, out in the consumer world, FIDO is getting popular. You log into Best Buy here in the US and it says, "Would you like to get rid of your password?" People are going to say yes. And people are now trusting their face ID and touch IDs more and more. So we can extend that to the enterprise. And the common approach that you can either make easy or hard is how do you enroll people into it? So we call this coexistence, and this is an idea where you put the old alongside the new. So for example, on the right is PingFed, ID, username, password, some kind of token comes after this.
And so your existing a hundred thousand users can do this while the first user figures this out, and the first user will take about the same amount of time as your next 90,000 because you get your run books down and you start to figure out how to deprecate some of these legacy systems. So this has been really a game changer for us and our customers where we could say, "Listen, you don't have to change anything. Add the button." And that goes for Windows and Mac and web systems, et cetera. And in that same theme of making it easy to get is to allow self-service onboarding.
So Max, I'm sure in the banking industry, everybody, I used to have to go into a branch to open an account, everybody had to come into the office to become a new employee, but now you're allowing it remote, mostly self-service, obviously with lots of background checks and things like that. So this is an example of, hey, it goes viral. If I'm asking you guys, Max and Sam on our weekly management call, "Hey, did you guys get rid of your passwords yet?" You're like, "What do you mean?" "Well you knucklehead, just go scan the QR code and self-enroll." So making it that easy is really critical as one of the steps. The question for Max, how much is user experience a priority for you as you roll out new systems for either employees or consumers?
Max Cope:
I would say it's absolutely critical. I don't think any kind of large scale identity program would succeed without it. And the reason for that is that we have proven time and time again that large scale migrations and forcing user populations to move to something new is expensive, error-prone, constantly changing the run book, things always crop up. It's never entirely thought through. And there are always, always gaps and problems. Whereas doing it like this, making it easier, ironing out a lot of the problems upfront and having something that allows the user to make a choice on their timeline just drives adoption. It drives that adoption because they want to do it because their mates done it and somebody else has done it. And, "Oh, look, I can get slightly better services quicker and easier if I do this and I can see other people around me doing it." And it gives them the confidence. Whereas even though there's no technical difference in doing a forced migration and just taking them through it, it's about that buy-in and that adoption. And if you have that buy-in and adoption, you end up with a more successful program.
Mike Engle:
Yeah. Sam, your thoughts?
Sam Tang:
Yeah, spot on Max. I mean, end user experience truly enables business adoption. And without business adoption, you're probably not going to get funding for your program. So it goes hand in hand with user experience. But going back to Mike, what you said about 863, if you look at that spec, there's a lot of conversation around allowing people to classify the information that they can share, self sovereignty. So without a simple end user experience, self sovereignty is probably not likely to be as small.
Mike Engle:
Yeah. Imagine if you... I'm sure at E&Y, if you go to one of your clients and say, "I just need to add four buttons to your customer signup process", it'd be like, "Okay, pack your things, you're out of here." So yeah, it's the same thing. You want people to enjoy using your systems, don't put them through hoops. I deployed my first secure ID server in the nineties, and oh my god, the friction, it was as bad as when I had to enable swipe out of the building at the turnstiles. People are bouncing off the turnstiles. So yeah, this goes way back. So no, thanks for your thoughts there. So we've covered two strategies. The third, I'm going to preface this, and I didn't talk to Max or Sam about this, but what is one of the biggest challenges when you try to get rid of passwords? I'll throw it out there, but it's the fact that you don't know your password anymore. How long is it going to take a Fortune 100 organization to get rid of passwords? What do you guys think?
Sam Tang:
Max, you want to give it a shot?
Mike Engle:
All passwords.
Max Cope:
I mean, I'm going to say not in my lifetime, hence I have pretty good evidence for that. We've got these funny things called mainframes, they really don't like working without passwords.
Mike Engle:
Yeah, yeah. No, that's exactly it. So it's actually all over Microsoft's like Windows Hello and Authenticator documentation. Be careful, if you let somebody go without passwords for 90 or 180 days, great, congratulations, high five. But on day 181, or even you make them rotate their password or they hit that legacy HR benefits system that hasn't been migrated, you just created a disaster. And so part of a successful passwordless deployment is to find better ways to support the password when you need it. And so we got a button here, it's like a smack your head against the glass button. Yeah, all right, I need it. Press the button, do your biometrics and reset it.
And so it's obvious once you hear it, but people think that, oh, if I roll out passwordless I'm good. It's not the case. And how many times have you heard this is for both of you guys, just use your phone for everything. Well, some people can't use a phone. Some people won't. It's illegal to make people use a phone in some countries or some states here in the US. So you need multiple modalities as part of the strategy. Max, I'm sure I'm preaching to the choir in this one.
Max Cope:
A hundred percent. So I mean we have exactly that issue. Well, we've got two things, right? We've got trading floors. You're not taking a phone on one of those and you're certainly not going to be scanning a QR code or using your biometrics for that. We've got areas and jurisdictions, even like for Germany for instance, on how you identify and manage user identity. It's not easy. So all of the things that you're talking about that, everything runs at a different velocity, but you need to cater for all velocities at all times. And therefore you're always going to have something that either requires a password or you need a way back or you need to do something and then you need to make sure that your help desk is spun up. You've got people who can actually understand those processes. There's still a whole load of wrap around the outside. It doesn't matter how cool the tech is if you don't have that right support wrap around the outside.
Mike Engle:
Oh, great. Yeah. Sam, I know you have a lot to say on this one 'cause you've told me.
Sam Tang:
Yeah. This close to my heart, this has been a pet peeve of mine as to why we've been managing physical access and access separately. And those two environments typically don't even talk to each other. So having a phone is not the answer for everything because there's always going to be restricted areas where a phone is not allowed. Manufacturing sites and highly sensitive areas like energy locations and so on and so forth. And there's techniques to use password certification to actually address it.
And by the way, I'm going to throw this out there. Having a physical wearable device like the UV key is not going to answer all your questions as well. So if there's always going to be shared workstation that you have to address and using technologies like this and combine it with physical access, I think it's going to give you the power that you need in order for you to manage physical access to things like turnstiles, to forklifts, even for financial institutions or ATM machines and so on and so forth. So again, without this strategy, it's going to cause a lot of friction when people want to modernize.
Mike Engle:
And physical access is one of the classic examples that's been used in biometrics for 20, 30 years. You get proofed by your physical security, you got a picture, goes into a database, sometimes people look at it and you're seeing more and more biometric readers get put at turnstiles and data centers and locked cabinets and all those things. Windows Hello, right, making its push out. Apple's touch ID, face ID, et cetera.
Mike Engle:
Should we put a new fax machine on your Christmas list as well?
Max Cope:
Yes, absolutely. Why not make it color this time? It'll be fun.
Mike Engle:
Okay, we can do that. All right, cool. No, thanks for that. So we're on strategy four, the last one, and we'll slide into the end of the presentation here with ROI, user experience. We talked a lot about the UX, but measuring the success of any program I think is top of mind. You can't just say we're kicking it off and then not check in on it later. So there's a couple of metrics that we focus on on day one, and this is examples of you have password resets, there's the legacy applications which costs 1, 3, 5, $10 per user per month. There's hardware tokens, and then there's the IT staff to manage all that, those seven separate identity platforms. So Max, I think I'll start with you on this one, how do you balance what the business thinks, wants, and then how do you measure the success of it as they take it on?
Max Cope:
So that is a key thing. The cost of any change that we make will be intensely measured by our finance colleagues, but it will also be intensely measured by the users themselves who will have absolutely no qualms in telling you how they feel about it. So what you end up with is you end up with two really good metrics. You have a metric of cost, where for the money that we save, have we achieved the ROI and how does that ROI get measured against? It's measured partly through the help desk and whether or not we're getting those resets, but then it's also in costs of other things. The opportunity cost of putting in what we've put in has taken out a cost somewhere else. And now we've realized that cost because we absolutely don't need that other thing that we had.
So there's two finance metrics there and then obviously there's the user feedback forums, which are generally a, "Hey, this thing's amazing, we love it", or "Oh my God, just take this out of my life, just please, I don't like it. It's new." There is a very negative ROI on negative feedback and there's a positive ROI on positive feedback. So we work on those three metrics. We have user feedback, we have help desk reduction cost feedback, and then we have opportunity cost through finance and that's how we pick those things. And like Sam said, that gives us that justification for the next project.
Mike Engle:
Yeah, and Sam, I threw this up here a second ago, but could you touch on the justifications that you'll cover when you're working with clients on this stuff?
Sam Tang:
Yeah, and Max, spot on again, and I'm going to couple what I asked earlier about quantification of cost and it's associated to what the value it's gained and the way that people would need to think about this. It's not just about the technology, it's about I'm from EY, so if I don't say people, process and technology at least once in my presentation, that means I have failed, but I'm going to add on data as well. So every step of the way, so this is not a one-time thing, this has got to be a recurring thing. And what I've been telling my clients, you've got to do this twice a year. How much money are you spending on the management of your identities? How much money are you spending on your credentials across people, process, technology, and also entitlements?
We've all been dealing with passwords for the past 30 years, and I'm hoping before I retire I can see in three to five year time, here's my goal for a lot of my clients. What if you are able to get to reduce 90% of dependencies on passwords. What would you think that the ROI is? If you go across what it takes to manage people, process, technology and data across just those two things alone, the number is extremely high.
Mike Engle:
Yeah, no, I'll throw out a real world use case, and this is a public testimonial from the CSO for Vodafone. We happen, right time, right place, they asked if we could help them go passwordless for remote access to deprecate a one-time code generating product, to mention who. And we had... No, I mean, there's a couple of them out there. It was a three-week go live from the time we started really talking to them and we did it. And if you go to 1Kosmos Insights testimonials, you'll see that out there. But here's the cool part. So we did that.
Now, the cost of deprecating that old product and the 11 seconds average control, delete whatever login time, go fetch the code, saved over those users over the course of a year, you put the whole thing together and they're saving millions of dollars. So yeah, it's out there to be had and if you measure it, you can manage it properly and take credit for it as you're doing it along the way. So I'm sure there's just some levers that you'll pull on with your clients as well, Sam. So an example of this, just ask your customers how much they like logging in today.
Dear remote access or Windows user, how much do you like logging in today? And then ask them three months after the deployment and you get a one to 10, you get a one, you'll get an eight, you'll get a nine. And this is an example of just a very simple question that we will make sure our customers get asked. They ask their end users as part of the deployment, "Did you have any issues registering for passwordless?" And so another one is, "Did it make it easier, yes or no?" So we'll get high eighties into low nineties. Some people are sticklers for passwords, but they'll come around pretty quickly.
So just a couple questions here. I think we've about done it, if you have any closing thoughts, but I got a couple questions here that have come in. Sam, I'll field this one to you first. When you think about identity, and I'm paraphrasing here a bit on the question, but passwordless is obviously one component. Where do you see, you mentioned verifiable credentials and other identity constructs like that having an important role for organizations?
Sam Tang:
So I personally feel using a password to log into anything, it's only because people have not really addressed the real problem. I think Max, you touched on this earlier, conditional access. So access to things. What if you flipped it on its head? What if you gave everybody access? It really depends on what you're authorized to, even if you log in, if you're not authorized to anything, what is the real harm of giving people access to a device? So my last statement here, my closing thought, is really focus on understanding what your environment is, where you're spending money on, start patronizing as to what the usage patterns are to the services that people are accessing, and stop worrying about how people gain access to things. If you have passwordless, you shouldn't have to worry about passwords and allow that technology to just allow you to think about how to really control what people have access to based on the 863 spec for assurance lines. So that's my last statement there.
Mike Engle:
Yeah, I'll expand on that just real quickly. What we're seeing, because we have a verifiable credential engine of the hood and you see Microsoft with renaming their entire product to Entra and having verifiable credentials at the heart. So it is an up and coming, it's going to take years to get out there, just like chip and pin on credit cards took us 10 years here in the US but it's coming. And so when you need your employee identity or your customer identity or your bank identity to be used out in the industry, verifiable credentials is the way. So again, it's not just about getting rid of the password. If you have a verifiable credential, there is no password, but it's just part of the mix. And the last question here, biometrics are all the rage, either pro or con. There's deep fakes, there's Tom Cruise videos circulating the internet.
How do you think about biometrics and do them right? And this is really a question for all three of us. I think it's TBD. Well, the first step is never store a face in a database that even your admins can get to. That's just like you need this privacy by design approach. Max, over to you. You mentioned a little bit about the legality. I'm sure the way you would do identity in Singapore is much different than Germany or Italy where you can't even have a camera on a cashier, because their face could be in view.
Max Cope:
Yep. You are not wrong. We have, I think you could call it multiple strategies for this. And there's also obviously multiple biometrics. It depends on how far down the line of biometrics you want to go. But you've got full body biometrics, you've got gait biometrics, you've got facial biometrics, you've got fingerprints and hand prints. You've got all sorts of mad things that form a biometric, from your voice and your eyes and your face to pretty much everything that makes up you to other things that are the way that you do something, all of which have a different cadence of some form of regulation against them. And when you work in a highly regulated environment, we could probably enforce something in certain areas, but it would never be consistent. And actually to have a good solid identity program, it's got to be consistent, reliable, and repeatable.
If it isn't any of those things, then you've got a great silo of something, but you can't then use that as the benchmark or the guarantee for the next thing that you want to do. So for me, verified credentials, banked by some form of government organization would be super useful in terms of onboarding, but maybe not very useful in terms of day-to-day access and control. And like Sam's talking about, we are in a world where we're doing a bit of shift left from authentication, which is now super easy and very commoditized to authorization, which is now coming of age a little bit. And we're talking now not just about, "Hey, my authorization hangs on, I'm a member of a group on NAD." And then that group's been tied to a set of permissions in an application, but rather a real time check of should Sam be having access to this thing at this time from this device in this location?
And the answer is no, he's on holiday and he really shouldn't be checking his email. So it's moving towards that policy-based access control driven by a set of different things that are also potentially, include biometrics, is absolutely key. And how you then keep those things, how you make that authorization real time is now very dependent because then you have to keep a load of stuff. So what you end up doing is profiling your users, which in most parts of Europe you're not allowed to do. So as much as it would be a great nirvana to have from a security point of view for us to keep our customers and our systems safe, there's actually very hard limits on what we can and can't do to move towards that.
Mike Engle:
Yeah, yeah. Proceed carefully for sure. You get yourself in legal trouble pretty quickly. In the US we have the State of Illinois put out laws called BIPA and they're suing everybody who's captured a face and hasn't used it even just a little bit right. So yeah, tread carefully there, run it by legal and all those great things. So I think we've about done it. I really appreciate you guys coming on here. We'll give people a few minutes to get a break between their back-to-back meetings these days. Max, really good luck with your Christmas list. I'd managed to capture a couple of the elements here for you, right? So single log on experience, conditional access, and a new fax machine in color. And Sam, I think yours is just no volcano eruptions, right?
Sam Tang:
Thank you.
Mike Engle:
I think then we will have done it. But any closing remarks? Just wish everybody a happy holiday.
Sam Tang:
Yeah, happy holidays everyone.
Max Cope:
Yeah, absolutely. Have a fantastic time in whatever it is you're doing.
Mike Engle:
Yeah, thank you so much for joining. Thanks everybody for attending the webinar and a recording of this will be sent out to everybody who registered and it'll be posted on our website in the coming days. So if you're seeing this after, then thanks for joining a second time. All right.
Sam Tang:
Thank you everyone. Thank you Mike.