Freedom from Passwords 2.0

Video Transcript
Anuj Gupta:
Good evening, everyone. A warm welcome, and thank you so much for joining this full webinar around freedom from passwords. We've seen a crazy year and a half, right? Starting from March of 2020, where we started this whole COVID scare, to the first wave, to India really getting impacted in the second wave of COVID, which was about three months back. And here we are where things have started opening up again. Things are starting to get back to normal, but then again, we are seeing globally this whole third wave really creating havoc again. So we really don't know what's in store for us, how things are going to pan out. From a security domain as well, we've seen, again, an equally crazy one and a half years, the kind of ransomware attacks, the kind of attacks that we've seen, the kind of password breaches or kind of weak passwords that we have got compromised with.

The kind of attacks we've seen over the last one year has just been phenomenal. And if you really go into the depth of most of these hacks or these attacks or the cyber crimes that have happened, 80% of them have actually got attributed to having a weak password, or having something which is called not a strong password. Again, if you see what Gartner has come out with, or what the leaders in security research are saying: password is passing, password is done. And now the time is where we are talking about freedom from passwords. Effectively, we are saying that you no longer need to create a user name and password for logging in. We need to look at identity-based authentication. We need to look at password-less authentication. We need to look at biometric-based authentication.

So that's the whole domain that is the discussion going on. And you look at regulatory, look at survey, look at RBI, look at even a lot of government initiatives, they're all talking about how can we now start eliminating passwords, OTP, different kinds of factors, and really get into identity-based authentication. So today's whole ... The whole webinar we are focusing more on is about what is happening around the world in this domain, where is this whole password-less authentication going to, where are we heading towards in terms of, as we call it, the next-gen multifactor authentication, the next-gen MFA. And of course, we have a very elite panel who are going to give you a lot of insight into what is happening in their business verticals, especially in the banking sector, or in global delivery centers, as to how we are looking at identity becoming the authentication.

With that, I would like to hand over the mic to Mike. Mike is going to run us through. Mike is from 1Kosmos and he's going to run us through what 1Kosmos has been doing around this for the last one and a half years. And I think a lot of you would be aware that for the last one year as Hitachi, we've been really promoting together with 1Kosmos this whole journey for password-less protection. And in the last nine months, we've also acquired about close to 25 customers who've embarked on this journey or who have really gone on to take this journey very seriously and implement these solutions in their organization. So Mike Engle, CSO, 1Kosmos. Over to you, Mike.

Mike Engle:
Yeah, thanks, Anuj. It's really great to be here, despite it being 7:00 in the morning. I'm ready to go. So my first conversation of the day, I'm not sure if my voice will work, but we'll find out. So yeah, as Anuj mentioned, my name's Mike Engle, I run strategy for 1Kosmos. 1Kosmos makes a distributed digital identity platform. It combines identity proofing and password-less technologies, serves both B2B and B2C users. We'll touch on these concepts quite a bit today. And we're here today to talk about your journey away from passwords. So everybody knows how bad they are. We suffer through them with every application we launch. And until recently, they've been the only option. Password plus what we call stupid human tricks or 2FA and things like that. And it's been an attempt to try to identify a remote person with passwords, but all that's changing.

There's been a whole bunch of innovations in cryptography. The hardware we have now at our disposal allows us to do all kinds of different things and work with users in different ways. And for both employees and customers, that's a key factor. Also, at the end of this webinar, we're going to be giving away a software package worth approximately $30,000 to a lucky winner. And if the winner gives consent, we'll post the results when we post the webinar recording. So stay tuned for that.

So let's jump in. First, take a look at what's been going on in the past year with regards to identity and hacks and things like that. It is really bad. And there's some really striking statistics that have come out. Anuj touched on a few of them. For those of you that were on last year's webinar, we had one called Freedom from Passwords last year, slightly different theme. But you might remember me showing a bunch of statistics from the Verizon Data Breach Investigations Report.

They've just come out with a new version about a month ago. If you haven't seen it, you should check it out. Just Google "Verizon DBIR". It's 114 pages of very detailed analysis of what's been going on in the security industry, not just about passwords. But I pulled a few very relevant statistics that everybody on this call will appreciate. The first one here on the left shows the fact that social engineering is the leading way for bad guys to get in the front door. So this makes sense. We all know that humans are the weakest element in any system. You can also see that about 35% of breaches involve social engineering as well.

So diving in a little deeper, over 85% of breaches involve a human element. 61% involve credentials, which is what we're here to talk about today. And 13% of all incidents involve ransomware. And ransomware's number one vector is, of course, stolen usernames and credentials. So if you put all these together, you have really a major problem that's due to the reliance on passwords.

Now looking at some of the financial impact of what's been going on when credentials get into the wrong hands. So check out these numbers here on the left. The range of business email compromises, or what they call BEC, goes up to almost a million dollars, with the average sitting around $100,000. So a $100,000 average cost for when your business email gets compromised. And ransomware, across a very large sample set from Verizon, went up to $1.1 million in impact in this survey.

And then we found some data from one of the leading cyber insurance brokers, they're called the Lockton Company. So they do Fortune 100, a lot of big companies. So they see higher-valued impacts. And for these types of organizations, the numbers are really shocking. So you can see them here, they're reporting an average ransomware payment of about a million and a half dollars, a $5 million business interruption impact. So what happens when your Colonial Pipeline shuts down? And over 66% of all their losses are over a million dollars. So the threat is very real. The impact is very real. So I'm going to talk a little bit about how we got here and then where we can go next.

Taking a quick walk down memory lane around authentication. So the password was created in 1960, about 61 years ago. Think about that. Is there anything else in our lives that's 61 years old? The purpose of it was to protect a mainframe at MIT. And since then, we've attempted to protect passwords with all kinds of band-aids. About 15 years later, they introduced hashing, which is where you encrypt them and store them, create a one-way function. In 1974, the first smart card was introduced. And then in 1993, the mid-90s, the SecurID token was created. And for those of you who aren't as old as me, a SecurID token was this great little piece of plastic that generated a six-digit code. And they're still out there today. Lots of them in production. But this is a real favorite of mine because I deployed my first SecurID server as a young cybersecurity kid at Lehman Brothers in the mid-90s.

Now, check this one out too. First of all, Bill Gates predicted the end of passwords in 1984. You should Google that article. It's pretty fascinating. He thought that you were going to use SecurID on Windows to get rid of passwords. And as we all know, that never happened. But two-factor codes via email and SMS were first used in the mid-2000s by the banking sector. That's almost 20 years ago. And unfortunately, this is still the primary method of authentication that all kinds of websites use today and are still putting in place.

I can't tell you how many apps I launch where they say, "Wait a minute, I have to send you a text message." It feels like a step backwards. And I'm sure everybody on this call agrees with me about how cumbersome it is, especially with some of the new regulations coming out that mandate MFA. So the combination of passwords, plus secret codes, is something that we here at 1Kosmos refer to as hope-based authentication or HBA. I created this term about a year ago, and we used the word hope because when you start your journey with a password, you're hoping that all kinds of things go right. And I'll explain this in just a minute. So if you fast forward over the next 50 years, we're trying to migrate away from HBA and get rid of the stupid human tricks where you have to go fetch a code and type it into a webpage.

So now, this is the second half of authentication. You can see the timeline now is very compressed. There's all kinds of new standards and technologies that allow better options. Of course, this stuff had to evolve because the hackers and bad guys are evolving as well. So in 2013, the FIDO Alliance was formed. FIDO stands for Fast Identity Online, and their goal is to get rid of passwords over time. They've been working on it really hard. There's a whole bunch of major tech companies working on this initiative, like Google, Yahoo, Microsoft, 1Kosmos. But their goal is to help set and implement these new standards. And we don't have time to get into all the details of FIDO right now, but you can see how the velocity of what FIDO's been doing and new standards have increased compared to the prior four decades.

And also of note here is one key identity standard in the evolution of authentication. This is no mistake. I put this on here on purpose. In 2017, NIST, right, the government standards body, the European Union, and the ISO came out with standards that provide guidance on how you prove a remote digital identity. And this is going to be a real game-changer of how we engage with people remotely. I'll touch on this as well, as well as the latest FIDO2 password-less standard, in just a minute.

So when you put these two together, identity proofing and FIDO password-less authentication, now you have a new way to work with your employees, your contractors, and your customers in a password-less architecture, with a very strong source of truth about that person. So we refer to this now as identity-based authentication or IBA. And let's take a look at the journey here, going from HBA to IBA and what's involved in it.

So as I mentioned, HBA, the reason that we call it hope is that you're hoping the person's real. You hope that it's not somebody else's identity. You hope they can get in because you're making it very difficult for them with 16-character passwords that change every 90 days and 2FA and all this stuff. And you hope nobody else gets in as well. So over the years, we've added all these band-aids on top. We've added 2FA, KBA, or knowledge-based, risk-based. Oh, by the way, the other meaning for KBA, if you're in the United States especially, means known by anybody, because if you haven't seen KBA: what's your mother's maiden name? What street did you grow up on? All that data's been leaked and is on the dark web. And we've also introduced single sign-on systems and password managers. That is not the answer.

The answer to all of our users' journeys is what we call identity-based authentication. And it's enabled by those two standards. The first is NIST 800-63-3. Now every country has their own version of this with a slightly different spin, but they're all based on the same body of work set by the ISO. And there's two components to the NIST 800-63-3 standard. The first is what they call the A standard, 800-63-3A, that answers the question: who is this person? And there's a standards body out there called Kantara. So whenever you're working with companies that use this standard for their identity onboarding, make sure that you have a certified product.

The second part of the standard is what they call 800-63-3B, the authentication assurance level. So the I stands for identity, the A stands for authentication. These two go together. The B side stands for how do I authenticate them? So now you have who is it and how do I let them in? Again, Kantara will certify for this. And when you combine that with the mechanics of FIDO password-less architecture, you have what we call identity-based authentication.

And I'm going to jump in and show you how this works with a live demo here in just a second. So setting the stage for that, there's a couple components that go into IBA. The first is a user-controlled identity. So we're going to remove something you know, something you know is a password, a secret, from the equation. That should not be involved in what you ask a user for. The user's in control of what we're calling a private key that can be put onto any phone, Windows, or Mac computer. These private keys and biometrics are typically stored inside the secure element of a phone or a laptop. It's also called the trusted platform module. And this is really the equivalent of having your own smart card at everybody's computer and the hardware to go along with it. We're using modern technology inside of our phones and laptops for that.

So now we have a private key, which is given to the user, and this is a key principle of FIDO, plus biometrics. These become the only two factors that you need to prove somebody's identity, and you can do them in one step. So despite it being called MFA, it's really a single process. In terms of biometrics, Google and Apple have done a great job on billions of devices, making Touch ID, Face ID, fingerprint, et cetera, ubiquitous and easy to use. So I'll be showing you that employed on web properties today. I'll also be showing you a real live biometric, which is another way you can engage with users in an even more secure fashion. And so now we have everything you need for strong authentication and continuous authentication. This is a key principle of zero trust. It's never trust, always verify, right?

So in short, we can prove who you are without a username or a password. We can do it with different levels of assurance, too. It's a good identity. It's a very strong identity, and you can increase that identity over time. And along the way, you can combine this for your customers with your behavioral biometrics engine. So how's the user engaging with your technology? Are they typing differently? Is it a bot? And when it is, just reach out to them and ask them to prove who they are again without friction.

All right, so now I'm going to jump in and show you a little bit of how this stuff works live, and then we'll get into some discussion with our panelists here. So let me get my phone and browser up on the screen. Now, I'm going to invite everybody on this call to do what I'm doing here today. Everything I'm showing here today, almost everything, is available to do directly on our website. You just get the app and try it out for yourself. And I'll show you exactly how to do that right now.

So inside the app store ... First, we'll go to a website here. And right here on our homepage is a button called Experience BlockID. I'm going to pull my phone up and put it on the right-hand side. Okay, so here it'll instruct you how you can go get the app in Google Play or the App Store. You'll need to do this part on your browser and this part on your phone. So the idea is go out and get the app. I already have it here on the bottom row. And after you launch it, what's happening behind the scenes is my phone just created a private key which is stored in the enclave of my phone. And it'll ask you to put a PIN in. This is just a simple eight-digit PIN, which is just a way to protect the wallet ahead of you putting your biometrics in.

Now, you'll see here, we've got a one-time code generator. I'll show you that momentarily. But on this little fly-out here, you can enroll your digital assets. So that can be your biometrics, government-issued IDs, and lots of other types of identity documents from 150 countries. Now I'm going to start by just putting on my Touch ID and Face ID with this button here. And that's the same as the app experience that you do every day on your phones. So I now really have two factors in my hand. I have a private key and I have my Touch ID, Face ID biometrics. And with the press of a button now I simply engage with the remote system. That went a little fast. I'm going to show it a little slower.

So I'm pressing the QR code button here on the right. I'm scanning the QR code. And I give consent to transmit my digital signature over to this website. And there it is. Now, this is a standard, basic internet level of identity. I don't have any government documents in my wallet. I haven't proven my identity in any way, but it shows you the mechanism where now I can enforce the same level of authentication over and over again with that same experience.

So I'm now going to walk through how you would use those same mechanics with your customers or your employees to get rid of passwords for them as well. All right, so we have a demo portal here where we can engage with consumers, or engage with your workforce, in different ways. So ahead of this webinar, I emailed myself a link to join a password-less experience. And this is how banks and other web properties are doing this today. So in my Gmail, I got an invitation that says, "Welcome. Please link this identity with your mobile authenticator." I just installed the mobile authenticator a minute ago.

There we go. Okay. So I've now linked my email address to the mobile authenticator. And you can see here, I have a username in my wallet. This username is my web identity inside of Active Directory, or LDAP, or whatever your CIM system uses. And now to engage with my system, I simply do the exact same thing that I did before, scan the QR code, authenticate with my Touch ID, Face ID. And I'm looking at my banking app, my e-commerce app, or whatever it is. I don't even know what my password is at this point. The system has some type of random password behind the scenes.

Now we all know how strong customer authentication works, and the requirement around PSD2 is that you have to verify your user's identity as best you can before they can transfer funds. So in this demo application, you'll see that we have different levels of ways to engage with the customer, depending on the value or the risk of the transaction. Because you don't want to bother the user unless you absolutely have to, so you can combine this with your fraud signals, your geolocation signals, and so forth. And at the right time, or when your RBI requirements require it, ask them for authentication.

So in this example, I'm going to try to transfer $499. And it's going to ask me to simply touch a button on my phone. You can see, I just got a push message here on the right. And it says just press this green button and allow that transfer to go through. All right, and it says, verified the transfer. Now think about that experience compared to what it takes to go request a 2FA, go fetch that, copy it, paste it, or type it into a webpage, and hit okay. You don't have to wait for it. It's there instantly. You have that direct channel with the end user.

Now taking it up one level further, I'm going to come in here and authenticate again because I like showing it because it's super fast. You can see, I just logged into the portal again. It took me less than a second. Oops. Moving a little too fast. Sorry. And this time, I'm going to ask the user for their device biometrics. So device biometrics are Touch ID and Face ID. So we'll say this is a $750 transfer, and our rules behind the system require us to ask for device biometrics on this front. Okay, so again, I got a push message. And you'll see this goes kind of quickly, Face ID, and my funds transfer has been permitted.

Now this is the way most apps work, Touch ID, Face ID, but that doesn't really prove my identity. So what I can do now is strengthen my identity. Let's say I need to open a new credit card application or a new mortgage application, and that requires me to verify my identity. And I'm just pulling out my New Jersey driver's license here. So before you're allowed to join an organization or open a banking account, you have to prove your citizen identity. So what I can do now is strengthen my identity. And this is where that NIST 800-63-3 and Kantara certification comes in.

So here on the right, you can see my driver's license, passport. You could have national identity documents, Aadhaar card. Again, we have support for many different countries. So I'll scan my driver's license, but in order to do that, it has to get my live face, what we call Live ID. So I'm going to enroll my real biometrics. This is a real game-changer in terms of proving remote identity because now, we have a real biometric anchor that I can use in a zero-trust capacity. Before you let an administrator SSH into your infrastructure or log in as an admin on a Windows Domain Controller, prove who they are. Don't let that credential be used by somebody else. So now I can use that same biometric to validate my government documents. So I'm going to pause my sharing so you can't see my driver's license. And I'm scanning the front now.

Okay, so I just scanned my document. It took me about 10 seconds. And now what happened is my live face was matched to the face on the driver's license. My first and last name, my date of birth, et cetera, were encrypted with my private key and stored in my digital wallet. And now with my permission, I can transmit them to a requesting party. That requesting party's going to get the documents one way or another. Typically, you have to take a picture and email them or upload them. And that is a PII nightmare, especially when it comes to, like, new hires, et cetera. So now, when I come to authenticate for a very high-valued transaction, let's say, for example, I'm going to change a routing number on an account, or move an inordinate amount of money, I can reach out and verify this identity, not just with my device biometrics, but with real citizen identity-backed documentation. And now the funds transfer has gone through.

So minimal friction, far easier than getting a code off of a device or a text message, impossible to intercept with man-in-the-middle and other types of social engineering. And it proved my identity. The same person that put in that driver's license is the same person that did that $75,000 wire. That same application can also be used to onboard for your workforce. So the idea here is you could engage with your human resources in a similar fashion. And with the press of a button, my driver's license, passport, identity documents, et cetera, can be used as a source of truth to come in and authenticate me. And now I can launch all of my applications without a password as well.

And again, it's the same experience over and over. Ask the user to prove their identity, cryptographic proof, some biometrics, no username, no password, and you're in every time. For remote onboarding, it's the last thing I'm going to show here, and then we'll get into some questions and answers with our panelists, is you could just ask the user to enroll their identity and then have this data transmitted directly into your human resources system.

Now all my data was transmitted with my permission, validated with my face, and uploaded directly into the HR system, including the same images that you'd be mailing or faxing. And with the press of a button, my Active Directory credentials would be put directly into my wallet, and I could authenticate directly into any corporate system that I need to. All right, so I believe that is the end. Murphy's law did not get me this time, Anuj. I think I'm good. So I'm going to pause there and we'll open up for some discussion. Anuj, you want to take over?

Anuj Gupta:
Sure. Thank you so much, Mike, it's been great to just see the whole journey the way you've shown it, the simplicity in the product, the way it can be used. And I think it has a lot of use cases that we can look into. So every organization, if you see what Mike has shown you right now, is you can have different use cases for different kinds of problems that you are facing in an organization, especially in this whole new environment where we are working from home, you're working remote. We really don't know where that individual is and is it the right individual logging in, logging out. It really helps you overcome a lot of these challenges.

And Mike, I honestly love the slide that you showed about the history of passwords. I think that actually talks about that it's time. It's time to change the way we have been authenticating. It's time to really move out from passwords and get into something called identity-based authentication, identity being the password itself. So thank you so much, Mike.

Without any further ado, let me quickly introduce the elite panel that we have here. So we have TR Venkateswaran. He is the CISO with Punjab National Bank. He has about 37 years of experience with Punjab National Bank, worn different hats there, and at this point in time, he's running the entire security for Punjab National Bank. Venkateswaran, sir, can you switch on your camera please? Then I have Dilip Panjwani here with me who is the CISO and IT controller at LTI. He has a rich experience. He's been about four years with LTI. Before that, he was with FIS. And before that, he spent time with DBS Singapore. And he comes in with strong experience of multinationals, as well as giving services to global customers.

And I have Muneer here with me who has close to 27 years of experience. He's worked in various roles. And for the last 12 years, he's been with J&K Bank. And currently, he's running the entire security there as well. Plus we have Shashank here with us, who's the CISO at ECGC Limited. And he's, again, been in this domain. He's worked with ACKO Insurance, he's with BSC, and he's worn different hats at different times. And today, he's running, again, the whole of security for ECGC. Shashank, honestly guys, is stuck in another meeting at this point in time. Shashank, are you there? So he might-

Shashank Bajpai:
Yeah. I'm here, but I'm juggling between the two tabs. Yeah, I'm sorry this happened.

Anuj Gupta:
So whenever you're available, you can just say so and I can then direct the questions to you and then we can [crosstalk 00:32:01].

Shashank Bajpai:
Sure. Sure.

Anuj Gupta:
All right, so, Mike, let's continue with what you showed us. And I think first, Dilip, I will go with you. At LTI, as a company, you guys believe in getting everyone to the office. LTI has made these fancy offices across India. And you believe that the workforce should come to the office and work from the office. And your clients also believe that, and you're doing global deliveries and you're working with different kinds of customer sets. All of them expect that it has to be in a secured environment. It has to be a regulated environment and you cannot have any kind of data or people logging in from places which are not in your control. Now in that, there are two challenges that you're facing. First, is it the right person authenticating and getting in? And second is how are you really managing this whole identity, is the right identity logging in, right identity getting in, and how are they going to be surely secured in this whole new work from home?

Dilip Panjwani:
Sure, Anuj. Thanks, and good afternoon, everybody. When you look at it from a service organization perspective, you have customers from cross industry, cross countries, and various regulations that are applicable. Pre-pandemic, yes, as you highlighted, customers were more into a ring-fenced ODC kind of structure, which required more physical access into an office environment and a structured working model. And remote working was very limited for only specific accounts, which were allowed based on their profile of operations. But now, as part of the pandemic, we are all working remotely, but obviously, and that might have impacts on ways of working in future, which is happening across industries also, not only IT and services.

Yes, as you rightly said, it does impact. And our main concern that comes in remote working, or anywhere working, is related to how I authenticate and authorize my end users who are coming in. Like I was having a huddle with a couple of my CISO friends a few weeks ago. And one of the very interesting cases came out over there that as part of the incident response, they came to know that one of the users kind of subcontracted another person outside, and he gave him his ID and password and access to his mobile token, and allowed all the work to be done by this third person on behalf of him, while he's taking the salary from the organization. Eventually, this person kind of had to log into a customer call, and he got caught on that call because he had to come on video. And that's where the whole incident response came into the picture. I was kind of correlating that specific point when Mike was running the demo, actually, and it was very much specific to the ghosting aspect against Live ID.

Mike Engle:
And what was his motivation for doing that? Was he hiring that person because they were cheaper and he was keeping the difference?

Shashank Bajpai:
Yeah. So for example, if he's getting, let's say, $30,000 as a salary from the organization, he subcontracts somebody at, say, $8,000. And he's working somewhere else at the same time.

Mike Engle:
Yeah, we call that contractor jacking. That's the term.

Shashank Bajpai:
Yeah. In the IT industry, or at least in the CISO community, we call it ghosting.

Mike Engle:
Ghosting, I like that. Yeah. Yeah. The biometrics become a real game-changer for that in terms of that's a zero-trust principle right there, right?

Shashank Bajpai:
Definitely. So I think that's where the zero-trust framework definitely applies in the current age, where you have to trust but verify at every stage. And you cannot rely on authentication tokens or static authentication methods, which is very rightly put up by Mike as hope-based authentication.

Anuj Gupta:
Got it. So this is actually the case, Dilip, because as a system integrator, we cut across all kinds of customers. And this is a challenge. We've faced it; at least 15 or 20 of my customers have come back and said, we've had this problem, where the right identity is either subcontracting, or they log in in the morning and then someone else actually takes over and is doing the work, which then becomes a big problem because secrecy, privacy, all of that is compromised. Yeah, it is a problem. And actually, as we talk, we are implementing it for a legal firm. They wanted this because lawyers have these junior lawyers, and then they have the junior lawyers.

So what was happening is the senior lawyer or senior counsel would take the job, and the junior [inaudible 00:36:39] was working on it, on the calls. So now they have actually implemented this, the authentication has to happen. The same guy has to authenticate with Live ID, and then you get into those discussions. So that's something, it is true. And it is happening everywhere. But thank you for the perspective.

Venkateswaran, sir, you've been with the bank, and the biggest problem in bank today we are seeing is the kind of thefts where OTPs have been compromised, left, right, and center. Username, passwords, and transfer of funds have been compromised again, left, right and center. Every day in the newspaper, there is some article about how someone did a cyber crime on someone, and money got siphoned off. And most of the places we've seen either OTPs were either compromised or given, or we've seen there was a weak password and the hackers cracked the password and they've done the transfer. So in this kind of situation, where do you see SPNB or Punjab National Bank? What do you feel is the kind of authentication or multifactor authentication that you would want to implement, which will help you really detail or cut these kind of frauds out?

TR Venkateswaran:
We have been trying various methods of authentication and identification. What is happening is, generally, while in the cybersecurity industry, there are various advancements which are happening, but some of the social engineering techniques and the cyber frauds, still it requires more focused fraud prevention. I think the multifactor authentication, the regulator also mandates it, this will help in minimizing the frauds. It may not eliminate, but it may minimize. I think this password-less, yes, it has to be tried and explored. With some more fine-tuning, yes, we will be able to minimize the frauds.

Anuj Gupta:
Yeah. What are your plans in getting ... Are you planning in getting rid of passwords, or are you looking at authentication, which is biometric or liveliness-based?

TR Venkateswaran:
Yeah, we are looking at authentications, which are maybe liveliness-based with proper authentications. But still, these are all ... See, what we are seeing is when we go over volumes, still the success rates are still questionable. Fine-tuning is required in the applications. Fine-tuning is required in the devices. So that is where the challenge is.

Anuj Gupta:
All right, Mike, just a quick one. Are you going to be taking the question answer in the chat box that is coming in?

Mike Engle:
Yeah. Yeah. We'll share a couple of them. A few of them have been answered already. But we'll get to them.

Anuj Gupta:
Okay, they've been answered already. I'm not keeping a tab on that. But for all the viewers who are here, you can just keep asking questions to all of us on the question and answer session, and on the tab, and we will keep taking those questions and keep answering them as well. Muneer, over to you. You, again, very similar to what Venkateswaran is running. You're running a similar kind of a setup. It's a bank and you've got all kind of users. Now, I want to ask you one question [inaudible 00:40:24] we are talking about, a convenience or a wow factor from a B2C, from a consumer to business right.

Today, I think all of us are done with putting those long user names, then those passwords, and every bank has a different password. And then if I have it with J&K, I have two other products. If I'm doing mutual fund, I'm doing something else. I need to put, again, different IDs, different passwords. Are you really looking at creating a digital identity for a J&K user? So that means if I have a digital identity, whether it be my mobile app, it be my web app, it be my different products that you offer, be it home loan, be it car loan. All of it can be integrated into one and authenticate using me as an identity.

Muneer KongaWani:
Very good afternoon. Thanks, Anuj. Let me start with one important thing. Banks have invariably been adopting cybersecurity framework from the day when RBI directed the banks to ensure implementation of cybersecurity framework. And when we are talking about implementation of cybersecurity framework, or adoption of cybersecurity framework, we are talking about the very core of the cybersecurity framework is identity and authentication management. That is the baseline. It comes into the baseline control, which invariably is to be deployed. And in fact, when you are talking about what are you doing for the customers, or what are your plans for the in-house users? In fact, Reserve Bank of India has come up with a circular, which is [inaudible 00:41:57] groups in 16 circular, wherein they direct banks to ensure that user access management becomes the whole focus of this whole principle of the cybersecurity framework.

And then, notwithstanding the user access management, they as well talk about, you need to actually deploy and implement a very dynamic customer authentication mechanism as well. So when we are talking about cybersecurity framework, we are talking about user access management, and we are talking about customer authentication mechanisms as well. And as he told you, identification, authentication, and authorization, these are three important pillars. And what we have been doing means all across the industry, as it's very difficult for me to speak out because Mike has really articulated it absolutely well during his presentation, that many of the organizations are still living off with user-made passwords, which were actually started way back in 1960. And then in early 90s, we saw the emergence of one of the Windows software, which was known as Windows 3.11 Workgroup. If I'm not wrong, wherein smart keycard-based authentication mechanisms were started.

But what we have done is after password-based authentications, organizations started talking about okay, now they have been sorted, the passwords have been encrypted, so on and so forth. But then eventually all the organizations, including the banking organization, graduated and started adopting two-factor authentication. And we all know the issues, limitations, with two-factor authentications, where it means Mike was talking about hope-based authentication. Yes, we have seen what happened with the two-factor authentication in 2011, when one of the biggest companies who was supplying the two-factor authentication solution, the seed units were hacked and it led to a huge supply chain attack all across the globe. And then many of the organizations got impacted. And nowadays that means like any of the banks, we as well, as on date, we as well have been using this multifactor authentication wherein we are talking about position factor plus what you know, and what you have.

We have been using that as a multifactor authentication for customers or for our internal [inaudible 00:44:15]. But then we are privy to the fact that these authentication mechanisms as well are seeing major issues with respect to if we recall what is happening by virtue, or for example, we send OTPs through SMSs to the customers to authenticate, but we know seems to have attack. So we know means, what you call, is a SIM-based attack and they are there visibly. We know it has all been eroded. So yes, very important factor for any of the organizations, including the banks, is to have a kind of a mechanism in place which will not only be position-based, which will not only be the something you have in terms of the secret key or secret code, but some kind of inherence factor when we talk about merging the biometric part along with it.

But once we do that, very important thing is this solution should give us certain level of confidence in terms of what is the identification assurance level which we are getting out of it? Mike beautifully articulated it. He spoke about, if I'm not wrong, NIST Special Publication 800-63A, 800-63B, and 800-63C. Why didn't they talk about identity assurance levels? And they talk about authentication assurance levels. And if any of the solutions, whether it is Kosmos or any of the solutions, is able to provide that assurance levels, absolutely, yes. Now organizations will definitely want to go through that because as we speak, as we talk about, as Anuj started it, we have seen majority of the attacks, whether they are supply chain attacks, whether they are, for example, ransomware attacks, whether somebody's following the Lockheed Martin kill chain, we know the first exploitation happens with respect to either the identity theft, or it is the impersonation attack, or it is the credential-based theft, or it is the credential stuffing kind of attack.

So we know it starts from there. So the whole principle, even we have seen organizations like banks are gradually moving towards zero-trust as an environment. Again, when we are talking about zero-trust, we talk about two important factors. One, AuthN, and second, AuthZ. Authentication and authorization. And when we are talking about zero-trust, if we do not focus on these two things, why don't we talk about dynamic authentication? Why will we talk about mixing something? Knowing the identity, the real identity, again, is the digital user who is logging in. It's very important. Else, it was well articulated, one of the articles in the New York Times where they said internet does not know that you are a dog.

It means who knows the digital identity of the person? Nobody knows. But if these solutions are put in, adopted well by the industry, that's very important as well. It cannot be just for sake of technology. We get it. But if there's a beautiful adoption and we know that whatever we are storing in terms of biometric, in terms of other factors, whatever we are storing within our digital ecosystem, within our digital world, may it be the TPM, trusted platform module, on the mobile, may it be the cloud hosting platform, if it is assured, if there is an assurance in terms of that it is stored somewhere which is immutable, then why not. These solutions are welcome and they will be picked up in the market. Beautiful.

Anuj Gupta:
Thank you, Muneer, for that perspective. And I think you touched on some right points in authorization, authentication, zero-trust. And it's been a year, this journey that we've been doing. A year plus that we've been talking to a lot of customers on this whole password-less or identity-based authentication. And we've also seen this whole thing evolve. And we are seeing that in the evolution, everyone is now coming up and putting their mind out to say how can I integrate it with different ways, in different use cases? Where is it relevant for me, where it's not relevant. Again, nothing can be learned lock, stock and barrel, but then again, you pick up the critical applications, you pick up the area, which are the weaker zones for you, and then you start building from there on.

So that is what we've been seeing in the last one year. And just to tell all of you that our ... Of course, we can't publicly name the bank, but one of the banks has actually gone all-in with us. They're talking about 5 million users that is consumers, as well as about a 100,000 internal employees. All of them in the next six months will have their own digital identity if it be B2C. So if you're logging in on a web application, or you're going onto the website, or from the phone, you'll have a digital identity. As well as for internal users, they're actually 100% password-less. So that is a journey that we are doing. And that's a big one. And as we implement, probably a lot of learnings will come for us.

Dilip, this is to you. You have two hats, right? One is, of course, the internal NTA that you do. And then you work with a lot of your global clients, and you have, in the Forbes 500, probably the top 200 of that. You might be having 40, 50% of them as your clients. And how are you seeing global trends? Because if you read the Gartner, you read Forrester, you read all those reports, they're all talking about getting into digital identities, of creating digital identity-based integration into all kinds of apps. And are you seeing the same kind of traction globally? And second question, and this is, do you believe truly that identity-based authentication will take over the normal forms of authentication?

Dilip Panjwani:
So, Anuj, let me take it step by step. When I look at it from a global trend, customers are having a mixed approach. Some customers are still very apprehensive in moving out of passwords, but obviously there are some regulators which have not yet acknowledged moving out of passwords as a new way of authentication. So that's where some of our customers ... These customers, though they understand the importance of moving out of passwords and the user experience and the added security comes in, they do not want to be the first one to approach the regulator and kind of be the first one to kind of allocate the approach. But there are discussions in this aspect. And I think that would really materialize sometime soon because there is no other option beyond looking at a strengthened authentication mechanism in order to achieve better security, because that is the first line of defense for everybody, be it the most basic user in your organization or your most privileged user.

Dilip Panjwani:
And when you look at it on how people are adopting such approaches, you would say, again, it depends on sector to sector, and depends on the applications that may support such authentications. For example, if you look at a manufacturing or OT kind of environment, there might be certain concerns on interoperability and support for those applications because some applications do not even get changed very often. And they do not have much open APIs as we have in the banking sector, which is one of the most cutting-edge technologies. On the other side, you will have banking and you can say health-related sectors, which might be having the best of digital adoptions, and they would be ready to adopt in those aspects. But again, there would be some concerns where they would look at it from how to plug in the user experience aspects also as part of the whole journey.

Because definitely when you look at it from user perspective, let me take a perspective of I want to can do it with my cash logins, kind of an option, for example, or I want to give the user experience of not too many multiple hops or multiple devices to really go and authenticate. What if I lose my mobile phone and I need to authenticate today? Or what if I am in airplane mode, will it work or not? They have those thoughts. And not all solutions today really go towards the breadth of user experience when they kind of achieve or come to clients for certain requirements.

But yes, the customers are looking at strengthening authentication. They are looking at how are we looking at perspectives of valuing the user and as well as putting some fingerprints or experience on the user of how the real, I would say, threat is really managed around, for example, risk-based authentication as we speak, basically. So from a perspective, some organizations look at, say, mixing it with UEBA, or getting risk-based authentication related alerts coming in, or getting attack surface monitoring and compromised passwords monitoring aspects are getting attached to the profiling. So there are multiple methods that people are adopting. It's not a kind of fixed mantra that everybody is going forward for.

Mike Engle:
Yeah, it really is a journey. The first slide said it's a journey to password-less, just showing one web property that everybody will recognize. Citibank has rolled out QR code for their customers. So if you have the Citibank app, you already have a very strong Citi identity. Don't bother with usernames and passwords. So of course you lose your phone, you still can use username password, 2FA. But over time, you're going to see more and more organizations rolling out these new password-less technologies like this here. So I have many examples like this, but obviously this is a big brand name that helps validate the use of QR code as an example. And the other reason that this has happened recently is because of COVID. Everybody now uses their phone to scan a QR code to look at menus and order food. And so that just was an event, right place, right time. That is an enabler for password-less technologies to kind of get burned into everybody's mind.

Anuj Gupta:
And Mike, if I'm not mistaken, 1K has an out-of-the-box solution for this, right? There's nothing that we need to do. We can plug into the web apps and create this like PNB QR code, or a J&K QR code, for that to see customers?

Mike Engle:
Exactly. Yeah. It's developer friendly: with four lines of JavaScript code on any webpage, you're password-less. And you just have to get the app into the hands of the users, either your app, our app, or we have an SDK to make it very flexible. So that is exactly the idea to do it with as few moving parts as possible.

Anuj Gupta:
All right, so I think in the interest of time, I'm going to quickly. Mike, two questions: Dilip raised those points, and I would want you to probably take those things. What if I lose my phone? What if I'm on airplane mode, how is the user experience changing? Can you throw some light on that?

Mike Engle:
Yeah, so, I mean, everybody knows what it's like to lose your phone in general, right? It's incredibly painful and there's going to be friction when you lose your phone. If your phone becomes part of your strong authentication story, it's like losing your passport or losing your driver's license. And you have to go through a recovery process. Every organization will have a slightly different recovery process. What we do for our customers is you have a fallback mechanism, which could be prove your identity some other way, get a username, get a password, and some other 2FA. We support RADIUS to do legacy 2FA as well. We support YubiKeys, we support smart cards. So there's a whole bunch of options in the journey. Many times, they'll just re-enroll their identity and just link it back to the corporate accounts. So that's a very common way to handle it. But that is something that is part of a risk profile for your journey into your help desk and things like that. And what was your other question, Anuj?

Anuj Gupta:
Second question was airplane mode.

Mike Engle:
Oh yeah, offline. So that's a tricky one because now everything is connected all the time. The approach that we've come up with is inside of the application, there's ... I don't know if this will show up, it will not. But there's a button that says offline login. And what that does is it turns your screen into a rotating QR code that your laptop will scan. So basically, you hold your phone up to your laptop and it sends the credential through the camera and allows you to log in when you're on an airplane, for example. So a pretty innovative way to handle it. Doesn't require Bluetooth and all that other stuff, which is very cumbersome.

Anuj Gupta:
I think last one is privacy concerns, right, because it's biometric based. We are getting into getting all kinds of data about an individual. How do you take care of privacy concerns?

Mike Engle:
Yeah, a couple of things. That's a great question. So whenever you use real biometrics, right now you're stepping into a whole new world. And one of the most important things for somebody adopting this technology is to understand where that biometric is stored. Sometimes it's stored only in the device. Other times, like in our architecture, it's stored into a private permissioned blockchain and it's protected with the user's private key. And the reason is that allows you to have recovery. If it's stored in your device, you lose the device, you basically have to go re-enroll. But with us, with recovery and the data being encrypted and stored using blockchain, everybody trusts blockchain for $200 million wallets in your Bitcoin or Ethereum type world. It is just as safe to store your biometric image. And we put other controls on top of that, where it's not a public blockchain, it's a private blockchain. Every organization has their own architecture that's stood it up. So it's single-tenant model, et cetera, but that's a very important aspect, Anuj.

Anuj Gupta:
Excellent. I think in the interest of time, now I'm going to first quickly ask the last questions to everyone. Is password-less or identity-based authentication first [inaudible 00:59:04] present, future, or reality?

TR Venkateswaran:
It is emerging as a reality, but general, at present, the banks, I think mostly they are focusing on the mobile digital payment security controls. The reason the guideline [inaudible 00:59:26], which has come in 2021, and that is getting implemented. Then they are speaking about various things, including this multifactor authentication, adaptive authentication, all the device authentication, all those things is a combining which they're speaking. So the password-less [inaudible 00:59:53] will emerge, but I think passwords will continue for some more time.

Anuj Gupta:
So what you're trying to say is co-existence, right? Both will be.

TR Venkateswaran:
Yes.

Anuj Gupta:
And then you enter [crosstalk 01:00:02] journey. Muneer, your thoughts on the same question?

Muneer KongaWani:
Absolutely what Venkateswaran said. It is actually a journey. It has started. It is going to take some time for adoption because we have seen means. From 1960 onwards up to now, we have been moving from one technology, embedding another technology on top of it. But then eventually it has to happen because how long will we ask our customers and our users to use user names, passwords, multiple passwords, login passwords, transactional passwords, and then OTPs? It has definitely become cumbersome as on date. We know there are issues with it, but then eventually it'll go off. But it's only a matter of when rather than if. It's just a matter of when. That's all.

Anuj Gupta:
So what I hear from you, it's a matter of time. But again, it is someone who has to bell the cat, right? Someone has to take the initiative within the organization.

Muneer KongaWani:
It has started. In fact, if you see in the BFSI sector, across the globe, it is being replicated all across. If you see Bank of America has been using the biometric authentication. There are internal directions. Though it is not officially documented in RBI, I would say I had a couple of interactions with RBI, and RBI says you need to go with multifactor authentication. They don't talk about what kind of multifactor, but it is mentioned that you should have multifactor. But then when we discuss, they say the preferred model would definitely be the biometric part of it. So people are moving towards that. It's only maybe somewhere, maybe six months down the line, three months down the line, the things will change. And eventually it is to be adopted. I would say matter of when, rather than if.

Anuj Gupta:
So, Dilip, this is to you. In security, we love to call these things next-gen. We have next-gen firewall, next-gen IPS, next-gen EDR. And this is the next-gen MFA. So your views, is it future, past, reality? And again, identity, will it be the center of authentication?

Dilip Panjwani:
Well, if I look at it from a user perspective, not as a CISO perspective, Anuj, let's face the facts. The attacker is able to compromise our passwords in social engineering. The attacker is able to get access to our mobile devices and access our OTPs or MFAs. So there has to be a next level of authentication which goes beyond those aspects, which an attacker can see on the device or see the keyword. So it has to go to identity-based authentication, it has to have some different parameters now to authenticate in order to be able to secure the account more beyond what the attacker can see. I would leave it at that point over there. And I then think we have an option to continue with the old ways of authentications.

Anuj Gupta:
Yeah. So I think coexistence is something which is loud and clear. Change is the toughest thing, and something like this is a radical change. We've been using passwords from the time we've been born, so it's a radical change. I'm sure it'll be coexisting and then probably it'll sunset out and this will take over. So that is probably my confusion on how this will go. But yeah, do you agree with my next-gen theory? All right, Mike, last closing word. I think we are just over time. Have you answered most of the question and answer, Mike? Is someone ... Maureen. Maureen, have you answered most of the questions?

Mike Engle:
Yeah, over a dozen questions were in there and answered. There are some great questions about architecture, and security, and how the integrations work. So the audience is very engaged. So I think we've done it. We're at the top of the hour and it was really great speaking with all of you here. I enjoyed the discussion very much. Thanks for letting me present as well.

Anuj Gupta:
Yeah. Thank you. Thank you everyone for joining this session. I hope it was interesting. And thank you, Venkateswaran, Muneer, Dilip, for joining in and then really giving your views on this whole theory. And we will be back. We'll keep coming up with newer ways of how we can really implement this. I think we answered all, more or less, most of the question answer. If we missed out, you can reach out to team Hitachi or team 1Kosmos, and we will be more than happy to respond to all of this. On the raffle, do we announce it now, Mike? It's going to be post-webinar, right?

Mike Engle:
It'll be post because we have to get permission from the person to make sure they want their company and their name and all that to be announced. And some people may not have permission, and we would go on to the second winner. So we'll make an announcement. And just to show everybody where this webinar will be posted is here on our website. On on-demand webinars, you'll see it'll be ... We have a whole bunch of them out here. This will be put out here in the next couple days. And if anybody's interested, we have a couple more live webinars coming up with KuppingerCole and Forrester and a couple other customer ones. So feel free to join us again in the coming weeks.

Anuj Gupta:
Right. So we will post it on that. And just to repeat the prize, it's 30 lakhs' worth of licenses, along with implementation, one year support, for implementation of 1K in your enterprise. So that's the raffle.

Mike Engle:
[crosstalk 01:05:28].

Anuj Gupta:
It will be given out as soon as we announce the winner. So once again, thank you everyone. Thank you for taking this time out. And I know that there's been an overdose of webinar and I'm really happy to see almost 140, 150 participants. And most all of you are staying till the end, so I hope it was interesting. Thank you.

Speakers:

Mike Engle, Chief Strategy Officer, 1Kosmos
Anuj Gupta, CEO, Hitachi Systems Micro Clinic
Dilip Panjwani, CISO & IT Controller, LTI
Venkateswaran TR, CISO, Punjab National Bank
Muneer Hassan Wani, CISO, J&K Bank
Shashank Bajpai, CISO, ECGC Ltd.

Going Passwordless makes sense. You will reduce risk, remove friction, and improve security.

Gain a significant advantage by hearing from leaders who have transitioned to next-generation passwordless solutions, so you can anticipate challenges ahead of time and plan for successful adoption.

Highlights from the Event:

  1. A concise history of authentication provides context for the conversation
  2. Industry experts share their predictions for trends in Passwordless technology
  3. CISOs explain how to balance both strong passwordless authentication and user experience