Why Guidelines, Standards and Certifications Are Key to the Future of Passwordless Authentication
Unlock On-Demand Webinar
Video Transcript
Mike Engle:
Welcome everyone to our webinar. My name is Mike Engle. I run strategy for 1Kosmos. For those who don't know who we are, 1Kosmos makes distributed digital identity platform and it performs identity proofing and passwordless biometric authentication. We serve both customers and B2B be with this platform.
Mike Engle:
We're here today to talk about identity standards, specifically NIST 800-63-3 and standards from the FIDO Alliance. And you may think that these standards and identity components are boring and that they work behind the scenes, but the reality is that they're key to keeping your identity safe and reducing friction for your customers.
Mike Engle:
And specifically they'll let you onboard employees and customers better than ever before. And best of all, you can get rid of passwords along the way. We're also going to give away a $50,000 software package to a lucky winner after this call. If the winner gives consent, we'll post the results when we post the webinar recording.
Mike Engle:
We couldn't do it live. We just had too many people signing up. In the last half hour, we've gotten over 20 registrations. So we'll have to keep you in suspense on that. Now, if you're familiar with the standards that we have on our cover page here, then that's great.
Mike Engle:
We'll get into the weeds on some real world use cases and how they can be applied today to both employee and customer enablement. If you're not, well, then we've got you covered as well. We'll talk about the mechanics of them. And to that end, I'm joined today by two industry colleagues, Ruth Puente from Kantara and David Turner from the FIDO Alliance. So let's hear from them now. Ruth, would you mind introducing yourself, where you're from, what you do for a living and that kind of thing?
Ruth Puente:
Good morning, everyone. I'm Ruth Puente. I'm the director of assurance operations at Kantara Initiative. I'm raised in Madrid, but originally from Uruguay.
Mike Engle:
Great. Thanks Ruth. And David, would you mind saying hi to the audience as well?
David Turner:
Sure. David Turner, I'm the director of standards development for the FIDO Alliance. So I oversee the production creation and whole process around the creation of all the FIDO technical standards.
Mike Engle:
Right. And you're on the other side of the planet, you're over on the West Coast of the United States?
David Turner:
That's right. I'm on the West Coast of the US just outside of Seattle.
Mike Engle:
That's right. Well, we've got participants from all over the world today. So thanks for everybody who stayed up late to watch this as well. All right. So let me jump in here. We're all familiar with lots of types of authentication, right? We live typically that non-friendly experience every day when we do things online. The 'A' in these two acronyms that I have here represent authentication.
Mike Engle:
HBA is something we refer to as Hope Based Authentication. And you have the 60-year-old mechanism of a username and a password, which is really just a secret word. The problem with secrets is that they usually are not secret. They can be known by anyone, as bad guys have proven.
Mike Engle:
And if somebody does get your password, then you, your bank account, maybe your employer could be toast. This is the reason we call it Hope Based Authentication. Because with these weak forms of authentication, keyboards not working, you'll hope that the person is real.
Mike Engle:
You'll hope that they are the stated person that is coming in. You'll hope that they can successfully get in, putting them through all these hoops. And you'll hope that nobody else gets in as well. To augment that, we've been layering on all kinds of other forms of A's and other types of authenticators.
Mike Engle:
So we've layered on 2FA, two-factor authentication, KBA, which is Knowledge Based Authentication, and maybe even risk-based authentication. And then some other non A type things like single sign-on systems or maybe a password manager come into the mix as well.
Mike Engle:
The answer to this, to mitigate all these challenges, is to migrate to identity-based authentication. In 2017, the US federal government introduced the NIST 800-63-3 identity proofing and authentication standards. So these determine how you enroll a remote digital identity and how you use that identity for authentication.
Mike Engle:
So for organizations hiring new employees or onboarding sensitive customers, this determines how to get verifiable proof backed by a rigorous standard that everyone signing into their systems is who they say they are every time. So the standard is carved into three sections.
Mike Engle:
800-63-3A focuses on identity assurance or proofing with government based issued documentation. It has three levels of assurance. The most common level sought after is Identity Assurance Level two or what they call IAL2. And Ruth is going to tell us about her certification program from Kantara on that front.
Mike Engle:
The second section of NIST standard is 800-63-3B. And this determines how you authenticate somebody in a strong fashion. So to achieve this, you would use the Kantara certification combined with FIDO public private key-based authentication. For those of you who know about these standards, you probably think of them for onboarding new customers, maybe for banking or cryptocurrency accounts.
Mike Engle:
You have KYC or Know Your Customer, and you need to meet anti-money laundering requirements. But this post COVID world that we're in now, everything's remote. Even without COVID, this capability has been sorely needed. So if you think about it, you can walk up to any airport security checkpoint and prove who you are every time with strong documentation and a real biometric.
Mike Engle:
They look at your face. That's your biometric. Now, because of the standard and the capabilities in every modern smartphone and laptop, we can do the same thing remotely. The mechanics behind this sound really simple, right? You scan some documents, take a selfie, and you're done.
Mike Engle:
But if it were that easy, everyone would be doing it. And we would not need Ruth's rigorous certification process to prove compliance and make sure it's done right. There's definitely a lot of devil in the details to make this work efficiently for an employees and customers.
Mike Engle:
Now, when combined with David's FIDO authentication, we have a match made in heaven. Now we can prove who the person is with strong proofed identity and without requiring a username and password to get them into our systems. Once the user is enrolled, their NIST 800-63-3 digital identity with the appropriate IAL, the Identity Assurance Level, you give them a public and private key that only they can use. That's one of the key principles behind FIDO authentication.
Mike Engle:
David's organization will make sure that your authentication providers are doing this properly. The key to both IAL and AAL, or those A and B components of the certification is that they leverage real biometrics, not just the built-in biometrics from your phone, which can be used by anyone, spouse, child.
Mike Engle:
This is a key enabler for both sides of the standard. And with this real biometric, you get identity based authentication and can let the user into your system every time with cryptographic proof that they are who they say they are and with the stated identity that's proved in the upper left hand box here.
Mike Engle:
Now, one thing to watch for as you select products and embrace these standards into your IAM stack is siloed applications of these features. If you don't take a holistic view of these three activities here, proofing, authentication and fraud detection, you'll be introducing avoidable technical debt.
Mike Engle:
And on the identity proofing side of the house, you have a whole industry that's popped up just to scan a government credential and match it to a selfie. But after that, many of these organizations throw the identity proofing away. They proof who you are on that first touch only.
Mike Engle:
There's no reoccurring proof of that identity existence in the system or something they can give you after the fact. And similarly on the authentication front, many IAM systems give the user a username, a password, some other factors, maybe a biometric.
Mike Engle:
But if you've not given them a private key that links back to the enrolled identity from the first step, you're not really proving anything. You may be letting them in without a password, but you're going back to really a form of that dreaded hope based authentication.
Mike Engle:
And lastly, if you detect fraud as any part of your IAM strategy, which you are, maybe with session based monitoring or geographic monitoring, other types of fraud or behavioral biometrics, it's likely that this is a siloed activity as well and it's not linked to the other two identity functions on the left and top center.
Mike Engle:
This is where the combination of these two standards can revolutionize both your workforce and your customer identity and access management functions. So what's the end state? The industry analysts are calling this identity convergence. When you marry strong identity proofing and strong user authentication, it's truly a game changer for how you let people into your systems, how you onboard them.
Mike Engle:
And think about it. If you could prove who someone is, an employee or a customer, and give them a digital credential, or it's often called digital wallet, on day one, you could use it repeatedly. No more line managers handing somebody a password or figuring out how to authenticate them on day two.
Mike Engle:
There's all kinds of downstream purposes. You could ask them for this credential every time they authenticate. You're still, of course, going to have scenarios where you have to authenticate people with username passwords and 2FA. But for high value transactions, what if you could prompt them to up their identity assurance level from level one, which is just a name on the internet, your PetSmart account level two, which is a very strong identity as per the NIST 800-63-3A standard.
Mike Engle:
And what if this was as seamless as simply prompting them for that proof and then building it into a consistent experience? So as you onboard new users into your system, these cryptographically proven identities can flow into your HR, your IGA systems, your governance, and your user directories. They can all be populated with the press of a button with an authoritative identity from day one.
Mike Engle:
This is the piece that's missing from many IAM stacks today. And on that same day one, your single sign-on, your privilege access management systems and other downstream systems will also have access to true user identity for making decisions. And both of these identity components, proofing and authentication, should and really must be powerful signals that flow into your fraud engine.
Mike Engle:
So now your fraud engine can be armed with some really key data, like, did this user provide one or two forms of government identity or none? Did they give me an Active Directory private user certificate or authenticate with a weak one time password or with strong FIDO 2 certified authentication?
Mike Engle:
So when you're armed with this information, your fraud engine can reduce friction. It'll make better decisions about whether or not to prompt a user and introduce friction when it's needed and ultimately save money and have better user experiences.
Mike Engle:
So I'll head towards the finish line on my part here with just a few common use cases for standards based converged identity proofing and authentication that we're seeing in the market today and helping customers with. When you apply certified IAL2 identities to your employee or contractor onboarding, you can simplify the way they get into an HR system.
Mike Engle:
So rather than emailing a driver's license or passport to some HR admin, they can digitally enroll now. This avoids all kinds of privacy issues where PII is being sent in the clear, user documents are illegible. Things are sitting in email being printed out.
Mike Engle:
And second it'll ensure that your people are who they say they are again with cryptographic proof and a privacy preserving wallet. So one of the primary use cases that we're hearing is how do I know the contractor I hired is the same person that's authenticating on day two? Because they can sub that seat out for somebody else to sit in it.
Mike Engle:
If you have strong AAL2 levels of authentication, that's impossible. For customers, you can onboard them with strong Kantara certified proof that they are who they say they are, reducing the risk of regulatory fines, making their onboarding much easier. And the same biometric live selfie that they used to link their documents and proof them will also prove their authentication every time.
Mike Engle:
Both of these use cases are now supported with strong identity based authentication with a FIDO certified passwordless experience. So every time they authenticate, they will in essence be proving who they are and not relying on hope. So with that, I'm going to hand it over to Ruth, who's going to give some details on Kantara certification and then we'll follow up with David and his information on the FIDO.
Mike Engle:
Along the way, if you have questions about anything I'm asking or David or Ruth are asking, just throw them into chat and we'll have somebody aggregating these questions and we can get through some of them at the end. All right. So Ruth, over to you.
Ruth Puente:
Thank you, Mike. And will you... Okay, great. Thank you. Yeah. Well, Kantara operates a trust framework since 2009. Through that framework, it's approved credential service providers and also accredited assessors. The model that Kantara used to approve those risk providers is based on our third party independent assessment.
Ruth Puente:
So given that Kantara is aligned with ISO standards and in the certification service, mostly with 17065. One of the core elements of that certification is that the approval relies on the termination of conformity of the audit that is performed by a Kantara accredited assessor.
Ruth Puente:
So that's one of the key elements of the certification. And then Kantara also has as part of the assurance firm that is called assurance review board, which is responsible for the evaluation of the applications that come from vendors that are pursuing certification.
Ruth Puente:
So these assurance review board are comprised by subject matter experts from the identity field, from the academia, and also from some other organizations. They all are subject work under NDA and also they are subject to conflict of interest against our policy. So they are the experts that review the applications and consider the termination of conformity against on a specific criteria that this vendor has chosen for certification, such as for example, 63 at a specific assurance level.
Ruth Puente:
So the assurance review board evaluates that and also the conformity that was concluded by the assessment. And with that, Kantara, if everything is acceptable and the assessment has broad results of conformity, Kantara grants an approval. And with that, it issues our Trustmark. And also aligned with ISO, the Trustmark is set to a three-year cycle.
Ruth Puente:
So in this case, when the applicants first come to a certification journey, the first ER is a full assessment. And then to keep the certification, it needs to go through conformity reviews. So it's part of monitoring that certification that was granted in the first year.
Ruth Puente:
So basically those are the key elements of the Kantara certification and in terms of how Kantara contributes to these developments and also help their market to grow and provide confidence to the market, Kantara with 800-63, what it did since 2018, after NIST released the rev.3, Kantara interpret the NIST guidelines and create a service system and criteria.
Ruth Puente:
So with that, it provides the rules and the requirements for the certification that this part of the framework that Kantara operates. And with this, Kantara plays a critical role in the market because it provides to those vendors, business customers, the confidence that those identity solutions that they have chosen or they are considering have been certified, have been verified, and therefore they are reliable. It is a reliable service.
Ruth Puente:
So in this sense, Kantara contributes to reduce friction and also reduce fraud, which is one of the growing problems mostly we have seen with the COVID. So Kantara contributes to reduce fraud in this sense also to provide confidence to the customers.
Mike Engle:
Very good. Thank you, Ruth. I appreciate that. Next, I'm going to hand it over to David and he'll walk us through a couple aspects of FIDO and tell us what's on their roadmap.
David Turner:
Great. Thank you. Mike, next slide, please?
Mike Engle:
You bet.
David Turner:
So I don't know how many of you're familiar with FIDO Alliance, but we're a nonprofit organization and, as I'll show you in a moment, a broad array of industry participants. Our goal is to provide standards for basically getting rid of passwords, providing a public key based model for doing authentication.
David Turner:
We back that up with strong certification programs, as well as various market adoption programs. So it's the technology, it's the testing, and it's the adoption. We focus on all three. Next slide, please. And it's a build slide. So next. Yeah. So what you see here, all of these logos represent the board members.
David Turner:
There's about 250 members total in FIDO right now. All of these logos represent the board members and you can see it's a very diverse group of people. We have financial services companies. We have very large relying parties. We have chip manufacturers, device manufacturers.
David Turner:
It's a very complete set of industry partners to help us develop these standards. And in addition to our board members, we have sponsor members, associates, and then we have liaison partners. So we interact with other organizations to try and coordinate activities such as The Kantara Initiative. Next slide, please.
David Turner:
Another build. Good. So just to give a brief history of what we've done at FIDO, FIDO was formed in 2012, and the first specifications produced were FIDO UAF and FIDO U2F. UAF was focused mostly on the biometric use for authentication, U2F was for the model second factor authentication.
David Turner:
FIDO2 essentially combines those two, combines work with the W3C, something called WebAuthn to provide a very rich approach, standardized approach for doing authentication, both in native apps, as well as web browsers. To do authentication without the need for using passwords. It's all based on public key cryptography.
David Turner:
So no password are ever stored on the server, no passwords go over the air or over the wire. So it voids things like phishing and man in the middle attacks. And so just as a quick note, this fits in very solidly in the AAL2 that was discussed earlier from the NIST program. But I'll point out that even within AAL2, not all authentication factors are equal.
David Turner:
Today, SMS is still also in AAL2, but the use of SMS is a second factor. It is a highly phishable one. And so it's still prone to a lot of standard attack vectors and FIDO was not. And in the current revision of that specification, they're looking at making that distinction between phishable and unphishable authentication mechanisms.
David Turner:
Support for FIDO is now extensive. Somebody did a kind of a rush calculation that it's currently supported now on over 4 billion devices. It's integrated into all the major platforms, Android, Windows under Windows Hello, and both Mac and iOS. It's supported by all of the major browsers.
David Turner:
So with that platform support, it's now available for relying parties to deploy FIDO and to build FIDO based authentication solutions. And then the market adoption there, that's now an aging subset of the large organizations that have actively deployed FIDO solutions and are using FIDO authentication in their solutions today.
David Turner:
Some of them are transparent. eBay and PayPal have actually been doing them on their mobile apps for some time using biometrics. I'm guessing a lot of you weren't even aware that that's what was going on. So we're seeing very significant adoption, within corporate, consumer solutions, within B2B and enterprise solutions, as well as in government solutions. Next slide. Please.
David Turner:
So a standard is great, but only if you get adoption, which the previous slide addressed, and also if you get first off interoperability. If you don't get interoperability, you don't get conformance to a spec, it's useless. It has no value. It doesn't help the market. It doesn't help anybody.
David Turner:
So the first level of certification that we are providing at FIDO is a functional end-to-end conformance and interoperability testing. We have interop tests throughout the year to help products get certified, both the authenticators, whether it's the platform or whether it's the security key, as well as the server products.
David Turner:
The next step up from there is to actually test the strength of the security of whatever keys that you're using for this. So we have three levels of security testing now, L1, L2, and L3. And in the diagram, it shows L1 for one, L2 for one, and L3 for the third. Those three levels actually apply to all three of them, just sort of a graphical shortcut that somebody did.
David Turner:
I didn't want anyone to think that you could only get L1 for U2F. All three levels are available for all three of the specifications. I'll quickly go through the differences between them. Level one provides your basic level of authenticator security. Typically, it's a software-based solution for protecting the keys.
David Turner:
And by the way, the diff distinction between each of these levels is, how strong is the protection for the keys? So in the first one, it's primarily software based. It's white box encryption and so on. It's actually pretty good in the mid majority of cases.
David Turner:
Level two of our testing allows for a restricted operating environment where you may have a first level of hardware protection in the solution. So the keys are actually stored, managed, created within a hardware-based solution. And then level three, which is the highest, that gets into physical hardware protection approaches.
David Turner:
So that it helps mitigate against literal physical attacks on the piece of hardware. Trying to rip it open, trying to touch the contact leads to find the clock and figure out where the private keys are and what they are. And we actually do have some product certified at level three.
David Turner:
So we've got many certified products as the top, over 830, meeting all of these to address the different requirements of different organizations. Now, we've actually complimented this work with a biometric certification test process. This tests the biometric component in isolation.
David Turner:
So it'll test a fingerprint reader by itself separate from the authenticator. So there's, how are the keys managed? And that's tested. But then there's a separate testing for the biometric component. And this way you can actually have a device where the biometric meets a certain bar for security and reliability in terms of false acceptance, false trajectory.
David Turner:
And then you can have another level of certification or security for the hardware, the protection of the keys themselves. And then the final aspect of certification we have is for the server products. So this is the relying party side of it to make sure that what's been implemented is compatible with all the various specifications and authenticator types that are out there.
David Turner:
And again, this goes back to my first point about without conformance and interoperability, you have no valid ecosystem. The value of FIDO and what it provides comes when you have a very large ecosystem implementing the standard in the same way, so that you get the benefits of security across all the solutions, but you also get the benefit of better usability because the end users, the employees, the customers, they start to become familiar with the process and they understand it and are more willing to accept it.
David Turner:
Next slide. So there's a new area that FIDO's gotten into recently, which is authenticators plus ID verification. And you heard Mike talk about some of this earlier, this idea of trying to bind these two things together, and this comes up in a variety of places. One is at the time of registration, but then there's also the issue of, well, what happens if I lose my authenticator key?
David Turner:
One more tap for the next build. There we go. And so what we saw is a gap in the market and the need to not define how this process is done, but rather to be able to evaluate mechanisms that are used for doing account recovery. Next slide, please. So a common mechanism being used today is this notion of remote authentication or rather remote proofing doing what's a so-called selfie proofing.
David Turner:
And this is where you take a picture of some kind of high value document, typically a government issued document that has a photo on it. Then the user takes a selfie of themselves. The two them are compared to ensure that it's you. And then based on that, the relying party can then proceed to either do account recovery or in some cases actually create new accounts.
David Turner:
Now, in many cases, this may not achieve the IAL2, the identity assurance level two, but it's more of a reality in that this is one of the few solutions that we have available today or few approaches for doing remote identity proofing. Clearly in person provides a higher level of assurance, but there are quite a few scenarios these days where we need something that can be done remotely.
David Turner:
Now, the challenge with this is, how do you evaluate it? How do I know as a relying party that one system is as good as another, or that it meets my standards for what is considered reliable? Next slide, I think, please. Nope. Back up one more. I'm not ready for that yet.
David Turner:
So what FIDO's currently working on is a certification program, much like the biometric certification, where we're not prescribing how you do something. For example, like our biometrics, we don't say, how do you do your fingerprint testing? What we do is we have tests and requirements that say here are the standards you need to meet for the reliability.
David Turner:
How well do you accept good documents? How often do you reject good documents, accept bad documents, reject fraudulent, all those variations? So we're setting certification testing standards for this particular approach to identity proofing. Next slide. And then a related aspect is, again, one that Mike discussed earlier, which is, how do I bind the notion of David Turner with David Turner's authenticator?
David Turner:
So today when you use as a FIDO authenticator, what you get is a very strong cryptographic binding between a piece of hardware, whether it's a security key you carry, or the phone that you use, and the relying party that you've registered with. Now, all that really tells them when I've unlocked it, and it may be a pin, it may be a biometric, is that it's the same piece of hardware that was used the last time.
David Turner:
They don't necessarily know that it was David Turner that used it to create the account and to authenticate later. Now, when you're using biometrics, clearly you have a better sense of that if you've done the registration of David Turner's biometrics in advance and can do that comparison to authentication time. So there's this problem of binding reliably, cryptographically David Turner, this known entity at say IAL2 with the authenticator also operating at IAL2.
David Turner:
And what FIDO is looking at is, how do we define that relationship? Is it a matter of defining the proofing process or binding somehow the proofing process with the FIDO registration process in a secure way? Because there can be gaps in how is one done versus how is the other done. If somebody takes my picture using one machine at a face to face, how is the binding done to the hardware authenticator I'm using in my laptop?
David Turner:
Then related that, how do you prevent someone from hijacking in a man in the middle, in a phishing approach to intercepting that and perhaps disrupting it? And then if I want to be able to share that with some other party involved in a process, what kind of metadata do I need to pass on to say, yes, these two bits of data have been verifiably bound in a way that you can trust to do whatever action it is you need to follow?
David Turner:
So this is a piece of work that's earlier than the other things I've already discussed, but it is actively being considered now. And it's very relevant, of course, to what FIDO's doing. It's a big problem that we're working to solve today. I think that's the end of my slides.
Mike Engle:
It is. Yeah. Thanks. That's very informative. Thanks for that, David. And yeah, the next phase of all this is exciting, and there's even a new phase of the NIST 800-63-3 standard which is in draft review. It's 800-63-4. So they're sequencing that. And it's just going to keep expanding on the capabilities and levels of fidelity that all of these standards have.
Mike Engle:
So we'll see more and more of that coming. COVID has really accelerated all this stuff and made it incredibly needed because all the fraud and things like that, that are underway. So we're going to get into a couple of questions and answers here. Let me pull up our list which our host has been manicuring behind the scenes. So the first question was for Ruth. Ruth, does Kantara set the standards that they test against?
Ruth Puente:
Well, Kantara develops service assessment criteria or conformity assessment criteria that are derived from standards or guidelines or specifications or rules that, for example, an organization has. Let's say, I don't know, a healthcare federation has a set of rules or a framework and they want to have certified companies to be part of that.
Ruth Puente:
And for that, Kantara develops service assessment criteria. So it's like an interpretation or make the standards auditable, but it is a development. Kantara does not set the rules in terms of, for example, NIST. It's NIST that provides those guidelines and those rules, Kantara interprets those according to the market needs, according to the market demand.
Ruth Puente:
Or sometimes a regulator that wants to be able to get vendor certified for something and Kantara is able to develop specifications or profiles to that certification scheme that is already there. For example, 63-3 is part of the Kantara certification scheme.
Ruth Puente:
But if there are other specific needs of, I don't know, I'd say a federal agency, a healthcare organization, or another country or government that needs to develop something and wants certification for that specific rules or framework, Kantara can develop the services and criteria for that.
Ruth Puente:
And it's the identity assurance working group that develop that and maintain those rules as part of the Kantara framework. And with that, Kantara offers different classes of approval according to the standards that are available and that it has created services and criteria derived from, I don't know, let's say ISO standard, NIST 63-3, and others.
Mike Engle:
Great. Thank you. And another one is, do we see any requirement by government bodies for customer payments tied to these standards? David, I'm wondering what you've seen going on with all the various global organizations that you work with. We hear about SCA, PSD2 overseas, open banking. Do you see them specifically calling out for these types of standards in those working groups or government bodies?
David Turner:
Yeah. Transaction...
Mike Engle:
Security, right?
David Turner:
Thank you. Transaction security is actually a very big issue. It's one that has sort of skirted the edge of the FIDO development over the last couple of years. There's different approaches that are being considered, but it's definitely on the radar. There's a couple of groups within the W3C that are looking at how to do secure payments making use of FIDOs public key cryptography.
David Turner:
So they're very closely bound. And the goal is to provide the same level of public key based protection, but leveraging existing technology. So rather reintroducing or introducing something new that requires new infrastructure and the like. So yes, it is work that's actively underway.
Mike Engle:
Excellent. And then here's one, why haven't these standards and capabilities been availed before now? I guess if we consider before now, these are all relatively recent, at least from a public perspective. I mean, the FIDO Alliance has been around since 2013, I believe, right, David? But it really got popular I think in the last couple years. Especially in the last year, I mean, it's blown up.
Mike Engle:
Everything is FIDO. People running around raising half a billion dollars to talk about their FIDO certification is the norm now. But I think the main driver is the fact that now we have the technology to do it. In 2013, it was difficult to pull this stuff off. Mobile phones were very young. The cameras were young.
Mike Engle:
The cryptographic providers, even the cryptographic technologies have matured quite a bit since then. So I think for me, that's been a real game changer in the last four or five years. You now have very powerful smartphones in hands of billions of people, trusted platform modules.
Mike Engle:
The place to keep a private key have really gotten popular and embedded into nearly every laptop and workstation that allows things like WebAuthn to function. So it's really just a maturation of all these things coming together, I think, that's making it ubiquitous.
David Turner:
A big part of that is the fact that, as I mentioned earlier, all the major OS's have FIDO built in now, both in the platform and within the browsers themselves. So it's reduced the barrier to adoption. People developing solutions don't have to say, "Well, is it spotted here? Is it spotted there?"
David Turner:
Now they know that WebAuthn and FIDO2 is available in all the major browsers. It's available on all the major platforms and they can now just build against it taking advantage of those features. So that's really been a big step forward is once we got that platform level adoption.
Mike Engle:
That's right. Yeah. And there's a question here about moving identity based authentication to the cloud. There's a component that in order for it to be really portable, you mentioned, David, the challenge where you have to bind a particular piece of hardware to the remote target system.
Mike Engle:
It creates a very tight channel, but it's a channel that has to be set up then on a new browser or a new workstation or a new phone. And that's where you can introduce the identity component. And there's cloud components to that as well. I mean, our answer for it at 1Kosmos is to use the encryption principles behind blockchain. A private blockchain. Nothing public, but it is in a private cloud.
Mike Engle:
If you think about it, your crypto keys for your digital wallets out there, your Bitcoins, your Moneros, Ethereums are very secure. There's people with billion dollar wallets or hundreds of millions of dollar wallets that are in the hands of the holder and you apply that same principles to identity. It's a proven model, a proven cryptography.
Mike Engle:
There's pros and cons to it. Now the user is in control, but the user can lose it. We've heard about the people who can lose their $220 million wallets and go digging through dumps trying to find them. But it's secure. And there's a lot of efforts underway to try to figure out how to make it secure and recoverable as you pointed out in that last slide.
Mike Engle:
So I'm very optimistic about the future of that. I think just really one final question here as we wrap up for both Ruth and David. The question is, can people participate in the FIDO Alliance and the Kantara Initiative even if they're not members? Obviously if they're members they would participate, but is there a way for people to plug in, get involved as citizens or non participating organizations?
David Turner:
Well, from the FIDO standpoint, you need to be a member of either the FIDO Alliance or the W3C to directly participate in the work that's being done. I believe the WebAuthn GitHub repo is publicly visible and the mailing lists for W3C are also publicly visible. But for actual participation in the working group, that requires membership, as it does in FIDO.
Mike Engle:
And Ruth on the Kantara side.
Ruth Puente:
Yes. I mean, in terms of working groups, you don't need to be a Kantara member to participate on a group, both in our no bonding participants of those working groups. But in terms of certification, you must be a member. But for example, to help develop the services and criteria or to make additions already to the Kantara framework, you can participate in the arranged test runs working group without being a member.
David Turner:
I should add actually, in order to get a FIDO product certified, you do not have to be a member. So anybody is free to implement the specifications. They're publicly available on a royalty free basis. And so if somebody produces their own security key or server, those products can be certified. You get a discount if you're a member of the FIDO Alliance, but there is no barrier to having your product certified.
Mike Engle:
Okay, excellent. I think that's it for today. We'll give people back a few minutes of their day and have time to do what they need to do before their next back to back meeting. But Ruth and David, thank you so much for joining the webinar today. Thanks for all the participants. We had amazing participation today.
Mike Engle:
We will be posting this webinar. We'll have it on the 1Kosmos website and we'll make it available for FIDO and Kantara to do with it as they please as well. And as I mentioned, we will be announcing the winner once the dust settles here. We look forward to sharing that with everybody. So with that, thanks again, everybody. And we'll see you all online.
David Turner:
Thank you for having me.
Ruth Puente:
Thank you, Mike.
Mike Engle:
Thank you.
Welcome everyone to our webinar. My name is Mike Engle. I run strategy for 1Kosmos. For those who don't know who we are, 1Kosmos makes distributed digital identity platform and it performs identity proofing and passwordless biometric authentication. We serve both customers and B2B be with this platform.
Mike Engle:
We're here today to talk about identity standards, specifically NIST 800-63-3 and standards from the FIDO Alliance. And you may think that these standards and identity components are boring and that they work behind the scenes, but the reality is that they're key to keeping your identity safe and reducing friction for your customers.
Mike Engle:
And specifically they'll let you onboard employees and customers better than ever before. And best of all, you can get rid of passwords along the way. We're also going to give away a $50,000 software package to a lucky winner after this call. If the winner gives consent, we'll post the results when we post the webinar recording.
Mike Engle:
We couldn't do it live. We just had too many people signing up. In the last half hour, we've gotten over 20 registrations. So we'll have to keep you in suspense on that. Now, if you're familiar with the standards that we have on our cover page here, then that's great.
Mike Engle:
We'll get into the weeds on some real world use cases and how they can be applied today to both employee and customer enablement. If you're not, well, then we've got you covered as well. We'll talk about the mechanics of them. And to that end, I'm joined today by two industry colleagues, Ruth Puente from Kantara and David Turner from the FIDO Alliance. So let's hear from them now. Ruth, would you mind introducing yourself, where you're from, what you do for a living and that kind of thing?
Ruth Puente:
Good morning, everyone. I'm Ruth Puente. I'm the director of assurance operations at Kantara Initiative. I'm raised in Madrid, but originally from Uruguay.
Mike Engle:
Great. Thanks Ruth. And David, would you mind saying hi to the audience as well?
David Turner:
Sure. David Turner, I'm the director of standards development for the FIDO Alliance. So I oversee the production creation and whole process around the creation of all the FIDO technical standards.
Mike Engle:
Right. And you're on the other side of the planet, you're over on the West Coast of the United States?
David Turner:
That's right. I'm on the West Coast of the US just outside of Seattle.
Mike Engle:
That's right. Well, we've got participants from all over the world today. So thanks for everybody who stayed up late to watch this as well. All right. So let me jump in here. We're all familiar with lots of types of authentication, right? We live typically that non-friendly experience every day when we do things online. The 'A' in these two acronyms that I have here represent authentication.
Mike Engle:
HBA is something we refer to as Hope Based Authentication. And you have the 60-year-old mechanism of a username and a password, which is really just a secret word. The problem with secrets is that they usually are not secret. They can be known by anyone, as bad guys have proven.
Mike Engle:
And if somebody does get your password, then you, your bank account, maybe your employer could be toast. This is the reason we call it Hope Based Authentication. Because with these weak forms of authentication, keyboards not working, you'll hope that the person is real.
Mike Engle:
You'll hope that they are the stated person that is coming in. You'll hope that they can successfully get in, putting them through all these hoops. And you'll hope that nobody else gets in as well. To augment that, we've been layering on all kinds of other forms of A's and other types of authenticators.
Mike Engle:
So we've layered on 2FA, two-factor authentication, KBA, which is Knowledge Based Authentication, and maybe even risk-based authentication. And then some other non A type things like single sign-on systems or maybe a password manager come into the mix as well.
Mike Engle:
The answer to this, to mitigate all these challenges, is to migrate to identity-based authentication. In 2017, the US federal government introduced the NIST 800-63-3 identity proofing and authentication standards. So these determine how you enroll a remote digital identity and how you use that identity for authentication.
Mike Engle:
So for organizations hiring new employees or onboarding sensitive customers, this determines how to get verifiable proof backed by a rigorous standard that everyone signing into their systems is who they say they are every time. So the standard is carved into three sections.
Mike Engle:
800-63-3A focuses on identity assurance or proofing with government based issued documentation. It has three levels of assurance. The most common level sought after is Identity Assurance Level two or what they call IAL2. And Ruth is going to tell us about her certification program from Kantara on that front.
Mike Engle:
The second section of NIST standard is 800-63-3B. And this determines how you authenticate somebody in a strong fashion. So to achieve this, you would use the Kantara certification combined with FIDO public private key-based authentication. For those of you who know about these standards, you probably think of them for onboarding new customers, maybe for banking or cryptocurrency accounts.
Mike Engle:
You have KYC or Know Your Customer, and you need to meet anti-money laundering requirements. But this post COVID world that we're in now, everything's remote. Even without COVID, this capability has been sorely needed. So if you think about it, you can walk up to any airport security checkpoint and prove who you are every time with strong documentation and a real biometric.
Mike Engle:
They look at your face. That's your biometric. Now, because of the standard and the capabilities in every modern smartphone and laptop, we can do the same thing remotely. The mechanics behind this sound really simple, right? You scan some documents, take a selfie, and you're done.
Mike Engle:
But if it were that easy, everyone would be doing it. And we would not need Ruth's rigorous certification process to prove compliance and make sure it's done right. There's definitely a lot of devil in the details to make this work efficiently for an employees and customers.
Mike Engle:
Now, when combined with David's FIDO authentication, we have a match made in heaven. Now we can prove who the person is with strong proofed identity and without requiring a username and password to get them into our systems. Once the user is enrolled, their NIST 800-63-3 digital identity with the appropriate IAL, the Identity Assurance Level, you give them a public and private key that only they can use. That's one of the key principles behind FIDO authentication.
Mike Engle:
David's organization will make sure that your authentication providers are doing this properly. The key to both IAL and AAL, or those A and B components of the certification is that they leverage real biometrics, not just the built-in biometrics from your phone, which can be used by anyone, spouse, child.
Mike Engle:
This is a key enabler for both sides of the standard. And with this real biometric, you get identity based authentication and can let the user into your system every time with cryptographic proof that they are who they say they are and with the stated identity that's proved in the upper left hand box here.
Mike Engle:
Now, one thing to watch for as you select products and embrace these standards into your IAM stack is siloed applications of these features. If you don't take a holistic view of these three activities here, proofing, authentication and fraud detection, you'll be introducing avoidable technical debt.
Mike Engle:
And on the identity proofing side of the house, you have a whole industry that's popped up just to scan a government credential and match it to a selfie. But after that, many of these organizations throw the identity proofing away. They proof who you are on that first touch only.
Mike Engle:
There's no reoccurring proof of that identity existence in the system or something they can give you after the fact. And similarly on the authentication front, many IAM systems give the user a username, a password, some other factors, maybe a biometric.
Mike Engle:
But if you've not given them a private key that links back to the enrolled identity from the first step, you're not really proving anything. You may be letting them in without a password, but you're going back to really a form of that dreaded hope based authentication.
Mike Engle:
And lastly, if you detect fraud as any part of your IAM strategy, which you are, maybe with session based monitoring or geographic monitoring, other types of fraud or behavioral biometrics, it's likely that this is a siloed activity as well and it's not linked to the other two identity functions on the left and top center.
Mike Engle:
This is where the combination of these two standards can revolutionize both your workforce and your customer identity and access management functions. So what's the end state? The industry analysts are calling this identity convergence. When you marry strong identity proofing and strong user authentication, it's truly a game changer for how you let people into your systems, how you onboard them.
Mike Engle:
And think about it. If you could prove who someone is, an employee or a customer, and give them a digital credential, or it's often called digital wallet, on day one, you could use it repeatedly. No more line managers handing somebody a password or figuring out how to authenticate them on day two.
Mike Engle:
There's all kinds of downstream purposes. You could ask them for this credential every time they authenticate. You're still, of course, going to have scenarios where you have to authenticate people with username passwords and 2FA. But for high value transactions, what if you could prompt them to up their identity assurance level from level one, which is just a name on the internet, your PetSmart account level two, which is a very strong identity as per the NIST 800-63-3A standard.
Mike Engle:
And what if this was as seamless as simply prompting them for that proof and then building it into a consistent experience? So as you onboard new users into your system, these cryptographically proven identities can flow into your HR, your IGA systems, your governance, and your user directories. They can all be populated with the press of a button with an authoritative identity from day one.
Mike Engle:
This is the piece that's missing from many IAM stacks today. And on that same day one, your single sign-on, your privilege access management systems and other downstream systems will also have access to true user identity for making decisions. And both of these identity components, proofing and authentication, should and really must be powerful signals that flow into your fraud engine.
Mike Engle:
So now your fraud engine can be armed with some really key data, like, did this user provide one or two forms of government identity or none? Did they give me an Active Directory private user certificate or authenticate with a weak one time password or with strong FIDO 2 certified authentication?
Mike Engle:
So when you're armed with this information, your fraud engine can reduce friction. It'll make better decisions about whether or not to prompt a user and introduce friction when it's needed and ultimately save money and have better user experiences.
Mike Engle:
So I'll head towards the finish line on my part here with just a few common use cases for standards based converged identity proofing and authentication that we're seeing in the market today and helping customers with. When you apply certified IAL2 identities to your employee or contractor onboarding, you can simplify the way they get into an HR system.
Mike Engle:
So rather than emailing a driver's license or passport to some HR admin, they can digitally enroll now. This avoids all kinds of privacy issues where PII is being sent in the clear, user documents are illegible. Things are sitting in email being printed out.
Mike Engle:
And second it'll ensure that your people are who they say they are again with cryptographic proof and a privacy preserving wallet. So one of the primary use cases that we're hearing is how do I know the contractor I hired is the same person that's authenticating on day two? Because they can sub that seat out for somebody else to sit in it.
Mike Engle:
If you have strong AAL2 levels of authentication, that's impossible. For customers, you can onboard them with strong Kantara certified proof that they are who they say they are, reducing the risk of regulatory fines, making their onboarding much easier. And the same biometric live selfie that they used to link their documents and proof them will also prove their authentication every time.
Mike Engle:
Both of these use cases are now supported with strong identity based authentication with a FIDO certified passwordless experience. So every time they authenticate, they will in essence be proving who they are and not relying on hope. So with that, I'm going to hand it over to Ruth, who's going to give some details on Kantara certification and then we'll follow up with David and his information on the FIDO.
Mike Engle:
Along the way, if you have questions about anything I'm asking or David or Ruth are asking, just throw them into chat and we'll have somebody aggregating these questions and we can get through some of them at the end. All right. So Ruth, over to you.
Ruth Puente:
Thank you, Mike. And will you... Okay, great. Thank you. Yeah. Well, Kantara operates a trust framework since 2009. Through that framework, it's approved credential service providers and also accredited assessors. The model that Kantara used to approve those risk providers is based on our third party independent assessment.
Ruth Puente:
So given that Kantara is aligned with ISO standards and in the certification service, mostly with 17065. One of the core elements of that certification is that the approval relies on the termination of conformity of the audit that is performed by a Kantara accredited assessor.
Ruth Puente:
So that's one of the key elements of the certification. And then Kantara also has as part of the assurance firm that is called assurance review board, which is responsible for the evaluation of the applications that come from vendors that are pursuing certification.
Ruth Puente:
So these assurance review board are comprised by subject matter experts from the identity field, from the academia, and also from some other organizations. They all are subject work under NDA and also they are subject to conflict of interest against our policy. So they are the experts that review the applications and consider the termination of conformity against on a specific criteria that this vendor has chosen for certification, such as for example, 63 at a specific assurance level.
Ruth Puente:
So the assurance review board evaluates that and also the conformity that was concluded by the assessment. And with that, Kantara, if everything is acceptable and the assessment has broad results of conformity, Kantara grants an approval. And with that, it issues our Trustmark. And also aligned with ISO, the Trustmark is set to a three-year cycle.
Ruth Puente:
So in this case, when the applicants first come to a certification journey, the first ER is a full assessment. And then to keep the certification, it needs to go through conformity reviews. So it's part of monitoring that certification that was granted in the first year.
Ruth Puente:
So basically those are the key elements of the Kantara certification and in terms of how Kantara contributes to these developments and also help their market to grow and provide confidence to the market, Kantara with 800-63, what it did since 2018, after NIST released the rev.3, Kantara interpret the NIST guidelines and create a service system and criteria.
Ruth Puente:
So with that, it provides the rules and the requirements for the certification that this part of the framework that Kantara operates. And with this, Kantara plays a critical role in the market because it provides to those vendors, business customers, the confidence that those identity solutions that they have chosen or they are considering have been certified, have been verified, and therefore they are reliable. It is a reliable service.
Ruth Puente:
So in this sense, Kantara contributes to reduce friction and also reduce fraud, which is one of the growing problems mostly we have seen with the COVID. So Kantara contributes to reduce fraud in this sense also to provide confidence to the customers.
Mike Engle:
Very good. Thank you, Ruth. I appreciate that. Next, I'm going to hand it over to David and he'll walk us through a couple aspects of FIDO and tell us what's on their roadmap.
David Turner:
Great. Thank you. Mike, next slide, please?
Mike Engle:
You bet.
David Turner:
So I don't know how many of you're familiar with FIDO Alliance, but we're a nonprofit organization and, as I'll show you in a moment, a broad array of industry participants. Our goal is to provide standards for basically getting rid of passwords, providing a public key based model for doing authentication.
David Turner:
We back that up with strong certification programs, as well as various market adoption programs. So it's the technology, it's the testing, and it's the adoption. We focus on all three. Next slide, please. And it's a build slide. So next. Yeah. So what you see here, all of these logos represent the board members.
David Turner:
There's about 250 members total in FIDO right now. All of these logos represent the board members and you can see it's a very diverse group of people. We have financial services companies. We have very large relying parties. We have chip manufacturers, device manufacturers.
David Turner:
It's a very complete set of industry partners to help us develop these standards. And in addition to our board members, we have sponsor members, associates, and then we have liaison partners. So we interact with other organizations to try and coordinate activities such as The Kantara Initiative. Next slide, please.
David Turner:
Another build. Good. So just to give a brief history of what we've done at FIDO, FIDO was formed in 2012, and the first specifications produced were FIDO UAF and FIDO U2F. UAF was focused mostly on the biometric use for authentication, U2F was for the model second factor authentication.
David Turner:
FIDO2 essentially combines those two, combines work with the W3C, something called WebAuthn to provide a very rich approach, standardized approach for doing authentication, both in native apps, as well as web browsers. To do authentication without the need for using passwords. It's all based on public key cryptography.
David Turner:
So no password are ever stored on the server, no passwords go over the air or over the wire. So it voids things like phishing and man in the middle attacks. And so just as a quick note, this fits in very solidly in the AAL2 that was discussed earlier from the NIST program. But I'll point out that even within AAL2, not all authentication factors are equal.
David Turner:
Today, SMS is still also in AAL2, but the use of SMS is a second factor. It is a highly phishable one. And so it's still prone to a lot of standard attack vectors and FIDO was not. And in the current revision of that specification, they're looking at making that distinction between phishable and unphishable authentication mechanisms.
David Turner:
Support for FIDO is now extensive. Somebody did a kind of a rush calculation that it's currently supported now on over 4 billion devices. It's integrated into all the major platforms, Android, Windows under Windows Hello, and both Mac and iOS. It's supported by all of the major browsers.
David Turner:
So with that platform support, it's now available for relying parties to deploy FIDO and to build FIDO based authentication solutions. And then the market adoption there, that's now an aging subset of the large organizations that have actively deployed FIDO solutions and are using FIDO authentication in their solutions today.
David Turner:
Some of them are transparent. eBay and PayPal have actually been doing them on their mobile apps for some time using biometrics. I'm guessing a lot of you weren't even aware that that's what was going on. So we're seeing very significant adoption, within corporate, consumer solutions, within B2B and enterprise solutions, as well as in government solutions. Next slide. Please.
David Turner:
So a standard is great, but only if you get adoption, which the previous slide addressed, and also if you get first off interoperability. If you don't get interoperability, you don't get conformance to a spec, it's useless. It has no value. It doesn't help the market. It doesn't help anybody.
David Turner:
So the first level of certification that we are providing at FIDO is a functional end-to-end conformance and interoperability testing. We have interop tests throughout the year to help products get certified, both the authenticators, whether it's the platform or whether it's the security key, as well as the server products.
David Turner:
The next step up from there is to actually test the strength of the security of whatever keys that you're using for this. So we have three levels of security testing now, L1, L2, and L3. And in the diagram, it shows L1 for one, L2 for one, and L3 for the third. Those three levels actually apply to all three of them, just sort of a graphical shortcut that somebody did.
David Turner:
I didn't want anyone to think that you could only get L1 for U2F. All three levels are available for all three of the specifications. I'll quickly go through the differences between them. Level one provides your basic level of authenticator security. Typically, it's a software-based solution for protecting the keys.
David Turner:
And by the way, the diff distinction between each of these levels is, how strong is the protection for the keys? So in the first one, it's primarily software based. It's white box encryption and so on. It's actually pretty good in the mid majority of cases.
David Turner:
Level two of our testing allows for a restricted operating environment where you may have a first level of hardware protection in the solution. So the keys are actually stored, managed, created within a hardware-based solution. And then level three, which is the highest, that gets into physical hardware protection approaches.
David Turner:
So that it helps mitigate against literal physical attacks on the piece of hardware. Trying to rip it open, trying to touch the contact leads to find the clock and figure out where the private keys are and what they are. And we actually do have some product certified at level three.
David Turner:
So we've got many certified products as the top, over 830, meeting all of these to address the different requirements of different organizations. Now, we've actually complimented this work with a biometric certification test process. This tests the biometric component in isolation.
David Turner:
So it'll test a fingerprint reader by itself separate from the authenticator. So there's, how are the keys managed? And that's tested. But then there's a separate testing for the biometric component. And this way you can actually have a device where the biometric meets a certain bar for security and reliability in terms of false acceptance, false trajectory.
David Turner:
And then you can have another level of certification or security for the hardware, the protection of the keys themselves. And then the final aspect of certification we have is for the server products. So this is the relying party side of it to make sure that what's been implemented is compatible with all the various specifications and authenticator types that are out there.
David Turner:
And again, this goes back to my first point about without conformance and interoperability, you have no valid ecosystem. The value of FIDO and what it provides comes when you have a very large ecosystem implementing the standard in the same way, so that you get the benefits of security across all the solutions, but you also get the benefit of better usability because the end users, the employees, the customers, they start to become familiar with the process and they understand it and are more willing to accept it.
David Turner:
Next slide. So there's a new area that FIDO's gotten into recently, which is authenticators plus ID verification. And you heard Mike talk about some of this earlier, this idea of trying to bind these two things together, and this comes up in a variety of places. One is at the time of registration, but then there's also the issue of, well, what happens if I lose my authenticator key?
David Turner:
One more tap for the next build. There we go. And so what we saw is a gap in the market and the need to not define how this process is done, but rather to be able to evaluate mechanisms that are used for doing account recovery. Next slide, please. So a common mechanism being used today is this notion of remote authentication or rather remote proofing doing what's a so-called selfie proofing.
David Turner:
And this is where you take a picture of some kind of high value document, typically a government issued document that has a photo on it. Then the user takes a selfie of themselves. The two them are compared to ensure that it's you. And then based on that, the relying party can then proceed to either do account recovery or in some cases actually create new accounts.
David Turner:
Now, in many cases, this may not achieve the IAL2, the identity assurance level two, but it's more of a reality in that this is one of the few solutions that we have available today or few approaches for doing remote identity proofing. Clearly in person provides a higher level of assurance, but there are quite a few scenarios these days where we need something that can be done remotely.
David Turner:
Now, the challenge with this is, how do you evaluate it? How do I know as a relying party that one system is as good as another, or that it meets my standards for what is considered reliable? Next slide, I think, please. Nope. Back up one more. I'm not ready for that yet.
David Turner:
So what FIDO's currently working on is a certification program, much like the biometric certification, where we're not prescribing how you do something. For example, like our biometrics, we don't say, how do you do your fingerprint testing? What we do is we have tests and requirements that say here are the standards you need to meet for the reliability.
David Turner:
How well do you accept good documents? How often do you reject good documents, accept bad documents, reject fraudulent, all those variations? So we're setting certification testing standards for this particular approach to identity proofing. Next slide. And then a related aspect is, again, one that Mike discussed earlier, which is, how do I bind the notion of David Turner with David Turner's authenticator?
David Turner:
So today when you use as a FIDO authenticator, what you get is a very strong cryptographic binding between a piece of hardware, whether it's a security key you carry, or the phone that you use, and the relying party that you've registered with. Now, all that really tells them when I've unlocked it, and it may be a pin, it may be a biometric, is that it's the same piece of hardware that was used the last time.
David Turner:
They don't necessarily know that it was David Turner that used it to create the account and to authenticate later. Now, when you're using biometrics, clearly you have a better sense of that if you've done the registration of David Turner's biometrics in advance and can do that comparison to authentication time. So there's this problem of binding reliably, cryptographically David Turner, this known entity at say IAL2 with the authenticator also operating at IAL2.
David Turner:
And what FIDO is looking at is, how do we define that relationship? Is it a matter of defining the proofing process or binding somehow the proofing process with the FIDO registration process in a secure way? Because there can be gaps in how is one done versus how is the other done. If somebody takes my picture using one machine at a face to face, how is the binding done to the hardware authenticator I'm using in my laptop?
David Turner:
Then related that, how do you prevent someone from hijacking in a man in the middle, in a phishing approach to intercepting that and perhaps disrupting it? And then if I want to be able to share that with some other party involved in a process, what kind of metadata do I need to pass on to say, yes, these two bits of data have been verifiably bound in a way that you can trust to do whatever action it is you need to follow?
David Turner:
So this is a piece of work that's earlier than the other things I've already discussed, but it is actively being considered now. And it's very relevant, of course, to what FIDO's doing. It's a big problem that we're working to solve today. I think that's the end of my slides.
Mike Engle:
It is. Yeah. Thanks. That's very informative. Thanks for that, David. And yeah, the next phase of all this is exciting, and there's even a new phase of the NIST 800-63-3 standard which is in draft review. It's 800-63-4. So they're sequencing that. And it's just going to keep expanding on the capabilities and levels of fidelity that all of these standards have.
Mike Engle:
So we'll see more and more of that coming. COVID has really accelerated all this stuff and made it incredibly needed because all the fraud and things like that, that are underway. So we're going to get into a couple of questions and answers here. Let me pull up our list which our host has been manicuring behind the scenes. So the first question was for Ruth. Ruth, does Kantara set the standards that they test against?
Ruth Puente:
Well, Kantara develops service assessment criteria or conformity assessment criteria that are derived from standards or guidelines or specifications or rules that, for example, an organization has. Let's say, I don't know, a healthcare federation has a set of rules or a framework and they want to have certified companies to be part of that.
Ruth Puente:
And for that, Kantara develops service assessment criteria. So it's like an interpretation or make the standards auditable, but it is a development. Kantara does not set the rules in terms of, for example, NIST. It's NIST that provides those guidelines and those rules, Kantara interprets those according to the market needs, according to the market demand.
Ruth Puente:
Or sometimes a regulator that wants to be able to get vendor certified for something and Kantara is able to develop specifications or profiles to that certification scheme that is already there. For example, 63-3 is part of the Kantara certification scheme.
Ruth Puente:
But if there are other specific needs of, I don't know, I'd say a federal agency, a healthcare organization, or another country or government that needs to develop something and wants certification for that specific rules or framework, Kantara can develop the services and criteria for that.
Ruth Puente:
And it's the identity assurance working group that develop that and maintain those rules as part of the Kantara framework. And with that, Kantara offers different classes of approval according to the standards that are available and that it has created services and criteria derived from, I don't know, let's say ISO standard, NIST 63-3, and others.
Mike Engle:
Great. Thank you. And another one is, do we see any requirement by government bodies for customer payments tied to these standards? David, I'm wondering what you've seen going on with all the various global organizations that you work with. We hear about SCA, PSD2 overseas, open banking. Do you see them specifically calling out for these types of standards in those working groups or government bodies?
David Turner:
Yeah. Transaction...
Mike Engle:
Security, right?
David Turner:
Thank you. Transaction security is actually a very big issue. It's one that has sort of skirted the edge of the FIDO development over the last couple of years. There's different approaches that are being considered, but it's definitely on the radar. There's a couple of groups within the W3C that are looking at how to do secure payments making use of FIDOs public key cryptography.
David Turner:
So they're very closely bound. And the goal is to provide the same level of public key based protection, but leveraging existing technology. So rather reintroducing or introducing something new that requires new infrastructure and the like. So yes, it is work that's actively underway.
Mike Engle:
Excellent. And then here's one, why haven't these standards and capabilities been availed before now? I guess if we consider before now, these are all relatively recent, at least from a public perspective. I mean, the FIDO Alliance has been around since 2013, I believe, right, David? But it really got popular I think in the last couple years. Especially in the last year, I mean, it's blown up.
Mike Engle:
Everything is FIDO. People running around raising half a billion dollars to talk about their FIDO certification is the norm now. But I think the main driver is the fact that now we have the technology to do it. In 2013, it was difficult to pull this stuff off. Mobile phones were very young. The cameras were young.
Mike Engle:
The cryptographic providers, even the cryptographic technologies have matured quite a bit since then. So I think for me, that's been a real game changer in the last four or five years. You now have very powerful smartphones in hands of billions of people, trusted platform modules.
Mike Engle:
The place to keep a private key have really gotten popular and embedded into nearly every laptop and workstation that allows things like WebAuthn to function. So it's really just a maturation of all these things coming together, I think, that's making it ubiquitous.
David Turner:
A big part of that is the fact that, as I mentioned earlier, all the major OS's have FIDO built in now, both in the platform and within the browsers themselves. So it's reduced the barrier to adoption. People developing solutions don't have to say, "Well, is it spotted here? Is it spotted there?"
David Turner:
Now they know that WebAuthn and FIDO2 is available in all the major browsers. It's available on all the major platforms and they can now just build against it taking advantage of those features. So that's really been a big step forward is once we got that platform level adoption.
Mike Engle:
That's right. Yeah. And there's a question here about moving identity based authentication to the cloud. There's a component that in order for it to be really portable, you mentioned, David, the challenge where you have to bind a particular piece of hardware to the remote target system.
Mike Engle:
It creates a very tight channel, but it's a channel that has to be set up then on a new browser or a new workstation or a new phone. And that's where you can introduce the identity component. And there's cloud components to that as well. I mean, our answer for it at 1Kosmos is to use the encryption principles behind blockchain. A private blockchain. Nothing public, but it is in a private cloud.
Mike Engle:
If you think about it, your crypto keys for your digital wallets out there, your Bitcoins, your Moneros, Ethereums are very secure. There's people with billion dollar wallets or hundreds of millions of dollar wallets that are in the hands of the holder and you apply that same principles to identity. It's a proven model, a proven cryptography.
Mike Engle:
There's pros and cons to it. Now the user is in control, but the user can lose it. We've heard about the people who can lose their $220 million wallets and go digging through dumps trying to find them. But it's secure. And there's a lot of efforts underway to try to figure out how to make it secure and recoverable as you pointed out in that last slide.
Mike Engle:
So I'm very optimistic about the future of that. I think just really one final question here as we wrap up for both Ruth and David. The question is, can people participate in the FIDO Alliance and the Kantara Initiative even if they're not members? Obviously if they're members they would participate, but is there a way for people to plug in, get involved as citizens or non participating organizations?
David Turner:
Well, from the FIDO standpoint, you need to be a member of either the FIDO Alliance or the W3C to directly participate in the work that's being done. I believe the WebAuthn GitHub repo is publicly visible and the mailing lists for W3C are also publicly visible. But for actual participation in the working group, that requires membership, as it does in FIDO.
Mike Engle:
And Ruth on the Kantara side.
Ruth Puente:
Yes. I mean, in terms of working groups, you don't need to be a Kantara member to participate on a group, both in our no bonding participants of those working groups. But in terms of certification, you must be a member. But for example, to help develop the services and criteria or to make additions already to the Kantara framework, you can participate in the arranged test runs working group without being a member.
David Turner:
I should add actually, in order to get a FIDO product certified, you do not have to be a member. So anybody is free to implement the specifications. They're publicly available on a royalty free basis. And so if somebody produces their own security key or server, those products can be certified. You get a discount if you're a member of the FIDO Alliance, but there is no barrier to having your product certified.
Mike Engle:
Okay, excellent. I think that's it for today. We'll give people back a few minutes of their day and have time to do what they need to do before their next back to back meeting. But Ruth and David, thank you so much for joining the webinar today. Thanks for all the participants. We had amazing participation today.
Mike Engle:
We will be posting this webinar. We'll have it on the 1Kosmos website and we'll make it available for FIDO and Kantara to do with it as they please as well. And as I mentioned, we will be announcing the winner once the dust settles here. We look forward to sharing that with everybody. So with that, thanks again, everybody. And we'll see you all online.
David Turner:
Thank you for having me.
Ruth Puente:
Thank you, Mike.
Mike Engle:
Thank you.
You see it every day:
Headlines of another costly and embarrassing data breach.
Luckily, individuals like Ruth Puente and David Turner work to build frameworks to stop this.
The Kantara Initiative and the FIDO Alliance establish benchmarks so you can trust that certain Identity solutions are certified to the highest level.
This webinar explains it all very clearly:
• How organizations can embrace FIDO today to fix password problems
• How to introduce strong identity to the FIDO process to jump-start a user’s passwordless journey
• How a strong identity & strong authentication combined with verifiable credentials is opening the door for better user experiences
Watch the recording now to see how you can scale compliance without sacrificing the user experience.