Passwordless Authentication Has An Identity Crisis
Unlock On-Demand Webinar
Video Transcript
Mike Engle: Everybody will be starting in just a minute will give people one or two minutes to get connected. Alright, we are two past the hour, we say we get started Steve.
Steve Hunt: I'm ready to rock and roll Mike.
Mike Engle: Alright well thanks everybody for joining my name is Mike Engle, with one cosmos I run strategy I'm joined today by Steve hunt from the ID Nevada group Steve Would you mind saying hello and introducing yourself, give us a bit about your background.
Steve Hunt: hey everybody I'm a strategic advisor at it no Baraka I 10 of our because a boutique advisory firm for financial services and insurance and I've been covering identity management for about 30 years happy to join your MIC.
Mike Engle: Thanks yeah and just a little bit about one cosmos we're redefining the way customers and employees engage with identity and prove who they are remotely. Today we're going to focus on the concept of password lists and kind of what it really means in the industry, what it should mean what it means for us so it'll be. Less a slide where slide presentation, a little more dialogue to go along with some slides and conversation, and hopefully you'll find it enjoyable we also have the Q amp a open so as you're going along if you have a question feel free to pop it right into the chat we have. A couple of teams are members of the team will be moderating the chat and we'll try to answer them in real time if it's relevant to the topic that we're discussing at the time. Alright, so I'll just do one warm up slide here, we do have a real time live experience that you can do directly on our website so if you go to one cosmos calm. And just say experience you can go grab the APP out of the APP store and just try a password list experience it takes about a minute total and most of that time is spent downloading the application right. And then from there, you can even drill down and do a deeper evaluation of the product, without having to interact with any humans right so feel free to try it out we'd love your feedback on that as well. So so let's jump in we're talking about a very specific problem set here, and it really is a lack of identity in our identity and access management systems. And it's funny Steve I know I mean I know you back from geez late 90s early 2000s going way back to our work together on Wall Street and. We've been doing identity in our IT systems for 20 plus years but you really don't have identity. At the heart of what we're doing today I think about what did identity mean for you and your clients back in 2000s can can you even put a you know, a finger on that.
Steve Hunt: You know identity has always been this like this annoying layer of of our security architecture is this this orphan. Poor thing because it's like we just want to get past it we just want to like deal with it, so we can get to the good stuff let's roll out a security architecture or let's let's put together asset. Asset Management and access, controls for every asset and resource in the organization and for every person with their privileges and all of that is seem to be the meat and potatoes and oh yeah yeah yeah. We need to know who these people are first and to identify them and then authenticate them, and that was always been like this tedious task often relegated, as you know, to the physical Security Department way down at the end of the hall. At the end of the darkest corridor in the basement of the building where you get your picture taken gutter ID badge and. Maybe got some of your first passwords so it's hesitant, you know it's I think of Rodney Dangerfield I think of identity it's like you know never getting quite the respected needs.
Mike Engle: And sorry yeah you're only corporate identity was really your badge with a little picture on it with the horrible quality and then your active directory, and then the 50 other systems like mainframe and whatever but those aren't identity right they they are what I call hope based authentication.
Steve Hunt: What do you mean by hope based?
Mike Engle: yeah so you hope that the person, first of all can remember their username and password. You hope that they don't get messed up when you force them to change it every 90 days and now they're getting 16 characters complexity requirements. You hope they don't get stolen you hope they don't use the same password that they use on Facebook. And then you start putting band AIDS, on top of two FA and codes and security tokens and all those things you hope they don't lose that and you hope all that stuff doesn't get man in the middle there finished by bad guys.
Steve Hunt: Right that's that is so hilarious I think I have heard you say that before that.
Mike Engle: yeah yeah I'm trying to get it to catch on but I don't have quite the platform yet so I'm working on it. So I'm we're migrating away from home based authentication we're gonna talk about that here today. But you know along the journey of having to deal with passwords all the time is we have you know. I'm not trying to use food here to promote anything I don't need to the press does it for me, but. We know how bad the problem is because you know colonial pipeline or name your breach of the weekend and millions and hundreds of millions of identities being lost. In addition, all those systems that you mentioned Steve they have a lot of costs, not just for the software and hardware fees on them, but the complexity that they introduce to our environment right how many one time code generator platforms for customers versus employees. How many different ad trees, do you have it's just it's it's really maddening of what I think the the sunk cost is on this stuff right.
Steve Hunt: yeah for sure this is a it's a big challenge it just keeps getting bigger as organizations grow in organically through mergers and acquisitions they. They acquire more and more identity platforms more identity management solutions and even business units deploying their own identity systems that. It makes. The weaknesses, the historic weaknesses of credentials and like passwords especially challenging especially daunting for security personnel and especially ripe for the picking for those ransomware arsonists.
Mike Engle: destroying ourselves yeah, and so I have two slides that I would like to share with the audience, most of the audience today are probably it professionals. And we, I have a couple really new kind of fresh stats on the problem statement that can be used to help sell to you know upstream and management, the C suite even the board. And so, this is the 2021 Verizon data breach investigation report is only a few months old it's 114 pages of just incredible real world research right not made up statistics. And you see social engineering is still the primary way to get credentials from somebody right, so they the bad guys are really good at that here on the left. And then on the right side 85% of the breaches now they just they've classified this differently used to be. 81% was stolen credential now it's 85% involves a human factor, a human element right with credentials, being one ransomware being a major impact so take a screenshot of this. As well as the business impact right, this is why we get budget, this is why we do what we do. So I really like the focus here on business email compromise right They range from, of course, very low, depending on the size of your company, but up to a million dollars a pop.
For a business email compromise ransomware according to Verizon and their survey right, this is a very broad range goes up to 1,000,001. And this is cool, this is the Lockton companies they do cybersecurity insurance a very reputable company and just look at the stats they speak for themselves so i'm sure your clients Steve are very much this is top of mind for them right.
Steve Hunt: This is new data, the Verizon report gets better every year their their population of respondents gets better. All the time and the data you're showing my is is it's profound it, it shows that the bad guys are taking advantage of human error human foibles and the weaknesses of our identity infrastructure, both both of them they're they're using both of them in this in this intertwined multi faceted attack vector that they're they're using to wreak havoc on us and so this data is is sobering for sure.
Mike Engle: yeah it's going to move further and further into the consumer trend chain right imagine if they could ransomware my mom's phone because she clicked a link right it's going to ruin my weekend but, but you know now they're getting they can spread it out to millions of people with one you know potential vector. So we'll see how that goes, but these are you know real reasons why we do what we do and the things that keep us up at night.
So now let's talk about the solution right we're here to talk about password list, and you know there's a lot of misconceptions about password list. It's gotten so crazy with investments and every basically authentication company is now pivoting trying to call themselves password list, whether they really are not. But the goal of password list is to get rid of something that can be obtained by somebody else right, yes, typically. Your password username password or even those secrets that if you go sign up for some accounts on the web. My favorite one is go sign up for United airlines account and the last few questions like you know what was your mother's shoe size, when you were 12 or something. But those things can be found out by others right the credit bureaus have all been hacked all this data is out there. So that leaves us with a couple other factors that we can focus on right, and you can see, you know you know preaching to the choir a bit I'm sure, with the folks on this call.
But my question really for you Steve is, do you think that MFA is password list generically or is it a little more nuanced than that.
Steve Hunt: I'd say password list solutions, first of all, when I first heard password list a couple of years ago, I thought yeah right like that's on the one hand, is what we've been dreaming up for 2030 years a password list infrastructure. It in remember after 911 after Sarbanes Oxley and you know the crush of Enron, we all biometrics, where the was the talk of the town and we thought that was the beginning of the password list movement, but it wasn't. It's only now with the ubiquity of the capabilities of our technology, the ubiquity of cell phones that we can have what I might call MFA with a cell phone and that's the start of password list that can that people can really wrap their hands around, even though I think. What we're what we're talking about when we talk about password list is the natural evolution of two trends from the last 20 years and that's single sign on and MFA multi factor authentication those two working together kind of. You know and adding smartphones in every single person's hands and complimenting Fido On top of that will say another word about Fido in a few minutes so hold your questions. I think that's what put some meat on the bones of password list today.
Mike Engle: yeah yeah and and password list really for us at one cosmos it's a feature of using your identity to authenticate. Right and that comes to really the topic of the webinar the identity crisis and password list. So just because you're using something besides a password doesn't mean you know who it is that's using it right, so I can take your username and password and give you a Public Private key pair and use your touch ID on your phone, but how do I know it's you, and if you come to the Wikipedia definition of password list. I chopped some of the stuff out to make this you know, really, to the point and it's an authentication method that does blah blah blah without entering and having to remember a password or any other knowledge base secret and then it goes on a little more in the paragraph and it says. A secure proof of identity through a registered device or token So how do you have proof of identity right. What is it that proves that this is Steve hunt at the other end of the line right it comes down to the word identity. And this is where the crisis is and most password list solutions So how do you define identity, and I think you might know where this is going on the next slide Steve but the figurehead up.
Steve Hunt: I did this big survey the first independent industry wide analysis of all the password lists solution vendors out there and one cosmos got special recognition in that report, for its answer to this question of what is identity to go on Mike.
Mike Engle: So this is from either Webster's or one of those real dictionaries right and it's The fact of being who or what a person or thing is a fact right.
So Steve today I would think that you're if I log into your bank website today Bank of America chase whatever you use and I had your username password and I had access to your email your your text messages I could log into that account at least that's the way mine works if you had those things for me. Because my bank sadly doesn't do identity based authentication So the question is, does having a username password MFA or any of those things really prove identity and the answer is no, because it doesn't prove that this is the citizen Steve hunt that logged into that back right, I think this comes down to where Hopefully, this is what you were talking about for the special recognition.
00:16:31.650 --> 00:16:37.710
Steve Hunt: Well, almost going and you'll see and I'll pointed out I'll say hey everybody, this is talking about.
00:16:38.010 --> 00:16:53.910
Mike Engle: Right, so the way we define identity and getting away from hope based authentication where you don't really know who's coming in, and they have to worry about all these different mechanisms to identity based authentication focuses on two very. Important and relatively new industry standards, the first is from the NIST body it's the NIST 800-63-3 and the purpose of that is to prove remotely who somebody is right, the government has gone through a lot of effort to say that. How do you establish a real identity and typically involves multiple what they call sources of truth? That can be strong or superior like a driver's license and password are superior forms of identity, compared with somebody live face, right. And if you think about how you prove somebody identity in the quote real world TSA state trooper pulls you over whatever it is it's very similar you have a trusted credential compared to your live face. And that, combined with the password list technologies embedded in the same standard there's two sides of it there's how you prove where they are and and how you use it. And Fido is also a mechanism that covers how you use it and you mentioned. That we'd be talking a little bit about Fido here and now, is our chance right so putting this together is is how we think about identity and the word password list isn't really a part of this identity based authentication is all about identity.
00:18:13.950
Steve Hunt: For folks who aren't crystal clear about Fido it's an alliance, the Fido alliance is the standards body it's made up of over 250 companies government agencies around the world and. With the mission of standardizing and simplifying cybersecurity and it's got a couple of standards out here the the fighter to that we're talking about here is includes something the audience may have seen the Web on earth and web athan specification, plus the client to authenticator protocol called see tap so there's some geeky side to this really boils down to something pretty simple we get to validate the quality of a user's identity during. An authentication event during the different stages of a transaction and weaved in with single sign on and strong authentication, that is what is especially cool about. Our conversation right now about identity it's how to make this practical usable and in order to use jargon seamless I guess. During the transaction so that it's not an annoying layer anymore.
107
00:19:39.810 --> 00:19:55.440
Mike Engle: yeah no you're right the Fido alliance nonprofit been around for almost 10 years and they've done yeoman's work to get this to become a real thing right with without this There probably be 10 different fragmented standards out there to how to how to implement these things, and then. On the converse side on this side the certifying body, the nonprofit there is called the kantar initiative So there you know the globally certify companies to be able to prove identity remotely and we are one of the few companies that has both can Tara and Fido certified, so these we think they're very important but we're finding out that we're not the only ones right government bodies and large corporations care about these standards.
00:20:22.500
Steve Hunt: Now this is really good on paper, this shows that okay Mike and his team at one cosmos have done their homework but I get turned on by how the technology really works and I don't remember if you said you're going to show us some more of this but let's keep going because I want to point out, for the audience the things that I think are particularly interesting about this.
00:20:46.020
Mike Engle: yeah for sure so we think that standards right when when you have a standard, it allows technology to to you know become ubiquitous right so examples on the authentication side or your saml and oh IDC they allow your current log on to be used in multiple places and with a layer of trust, and so I have a standards based view of what we refer to as user managed identity. And there's four actually more than that, but four key standards here that tie all this together, and how organizations can leverage identity, rather than leveraging. You know weaker forms of authentication so on the enrollment side, this is that NIST 800-63-3 side. What's typically done is you are given a key and enrolling your biometrics rights right there out of the box, you have those two factors that don't involve a username or password. And then you can strengthen it with several forms of industry identity or citizen identity.
So the most common type is right scanning a driver's license or passport or other national identity document. And there we support 150 countries right that's it's a very well maturing space with lots of players in it, but you can take it a step further. And leverage, you know embed your corporate identity on top of that as well that could be your active directory or X five or nine. And then there's some really neat global initiatives coming out around bank and TELCO identity. So I'm going to pop one up here on the screen, that is not that well known, but will be soon in the US, that is your TELCO identity that can be used a login soon to thousands of websites called Zen key. So that's you know, the first pillar of identity that the way we think about it is that that that the enrollment. And then, using that identity anywhere here's your 863 dash three be combined with fight out to allow it to be used without usernames and passwords so I'll pause there and see if you have any thoughts on that Steve.
00:22:56.400
Steve Hunt: yeah this is, this is what most people forget about that enroll part is the the tedium that happens, by HR or security, taking care of identifying who we are in a workplace, and then the initial paperwork, maybe at our bank to open an account that's where this enroll happens and it's. And for a lot of online. Retailers and businesses that enroll part is pretty weak and we focus our energy on authenticate like giving them a user ID and password helping them change it when they lose it and maybe even giving them two factor authentication like an SMS code to their phones and the thinking has been that Okay, as long as we do something a little more robust around authentication then. The rest of the transaction is reliable, but Mike, as you have already pointed out just by talking about these two elements so far they're intrinsically weak and the way the way we've deployed them over the last 2030 years and it's only the combination of technologies and approaches that you've put on this slide that I think if the audience focuses on it a little bit and just let it soak in they'll have this Aha moment the same one I had, which was I yes it's it's a combination of factors. At enrollment and a combination of factors at authentication that really make this strong, yeah really strong authentication.
00:24:45.690
Mike Engle: yeah exactly and and the the other anchors are really key because you can get a lot of people to scan a driver's license it's a very heavy thing to do, though. I imagine you're just trying to do something that needs medium security it's you know logging into your Saks fifth avenue account. You that's not a high level of trust needed for that there's no html or anti money laundering or KYC required for that. But sacks would really like to have a stronger identity coming into their website, and so this is where banks telcos and other industry sources of truth can be used so I'll show you one here for those that haven't seen it, this is the TELCO initiative in the United States called Zen key so what's happened is the three carriers have come together to form a digital a trusted digital identity that can be used by Saks fifth avenue to onboard a new user and to authenticate them without usernames and passwords right, so this is great, because this is this this gets over the issue of scale of you know how do you get network effect and get user adoption well everybody has one of these carriers already.
So their existing at amp T T mobile Verizon or the Zen APP itself will let you do this, so let me hide my phone number, this is how I login to the my at amp T account now and I'm not going to do that because I have an embarrassing phone bill. So I press a button here I whipped out my Zen key APP or my at amp T APP I scan this code and I'm in this is an example of an industry anchor I didn't need to scan my driver's license for them to prove who I am.
00:26:28.890
Steve Hunt: I see this sort of thing is, as the future. I didn't even dream of such an alliance, years ago, but now that this is becoming real I'm excited about it.
00:26:44.37
Mike Engle: yeah and globally there's this has happened in other countries right United States is a little big and messy for it to happen fast so that's why I'm excited that this is happening here. The banks are perfectly positioned to have a trusted identity right if I could log in my Wells Fargo account you know, instead of login with Google or Facebook. I would log in with Wells Fargo across thousands of website I would trust that I trust my bank with everything else, so I think this is a great first step. You said you wanted to see it, you know, right here on our websites the.
Steve Hunt: Mike before you go into that - an attendee is asking provocative question how is this sort of a login with Zen key. Any different than just logging in with my Facebook authentication or my Google authentication.
00:27:32.670
Mike Engle: that's a great question alright so there's a couple reasons for that first.
Facebook and Google don't need to have any proof about who you are the carriers do so, the carriers, when you go to open a new phone line or phone account they do a credit check and most times they need your proof of citizenship and your driver's license to open that account.
Secondly, they know and trust your mobile so was then key hands, along with the authentication is not only am I, is this Mike angle, but this is the same like angle that's had the same phone account for 12 years. And it's the same same it hasn't been Sim swapped right and so all those end if you know, without my consent, they could even share location right the. Carriers know where my phone is all times they know that it's not in Uzbekistan at a minimum right, so they can provide a fraud score along with that authentication signal login with Facebook, I could be anybody right there's no really sense of assurance there.
00:28:42.810
Steve Hunt: yeah I know people who aren't who they say they are on Facebook for sure okay yeah just that answer alone makes me pretty confident and Sankey thanks.
00:28:53.070
sure.
00:28:55.170
Mike Engle: So just following this through the login with QR code in from our perspective is one of the primary mechanisms that's going to change the way we engage with remote systems. Mike Engle: Then key is already an indicator of this you're seeing it from some of the banks right so now. If you're a city customer, you can log into your city bank by scanning it with your city APP on your phone right on the Channel experience trusted Public Private key pair cryptography etc. So, as I mentioned, our audience can can try this or anybody can just by simply coming to our website grab the APP and with the press of a button. I'll show you how this works.
Scan a code give consent and it's showing some really basic information about the session right we don't go deep into identity verification for just a simple come to our website DEMO, but you can dive further into that and do higher levels of DEMO there as well. So that experience as you saw it's that easy every time whether you're logging into your your your bank resource windows workstation into Okta paying for drop whatever it is. That's it no more username no more password face it touch ID or, even better, real biometrics right because real biometrics is one of the key differentiators.
00:30:24.600
Steve Hunt: So you think of this as the front end to your single sign on so use this as the authentication event. And hand this token essentially off to the single sign on the single sign on logs you into every application all day long as needed, so this is the password list front end to single sign on this way I look at it yeah.
00:30:50.700
Mike Engle: yeah and the model of where identity is going in the future all right let's talk about this for just a second because I'll give a demonstration of this, if time permits, is they call it the trust triangle, you have identity issuers today I get my identity issued by the government driver's license or passport in a digital world now I can be issued an identity by Zen key alright, so that would be an example of telcos flash Sim. And you know if you ask the the research and the analysts and the industry experts and even the big tech companies they feel like these are. The trusted sources of truth that could be used to for you to prove who you are remotely right multiple options in that journey once you've done that you're handed the cryptographic proof of possession of that digital certificate put in your digital wallet. Now, one of the standards that I mentioned to something called decentralized identity, this allows your identity to be used in a cross company cross industry or even cross country scenario with privacy, preserving features. And the real the real root of trust here is that the verifiers right So these are the downstream service providers the Saks fifth avenue like I mentioned. They will trust this enrolled exercise, and this is what's being set up now globally in different verticals different you know automotive healthcare banking etc and we're super excited about the potential here, are you following this space Steve.
00:32:24.570
Steve Hunt: Well, I know, one of our audience is and they they asked an inch a fun question, I can I. Can I use this with one cosmos or with Zen key or something and go through this proofing process and then use it later for some other login somewhere else, and in this digital wallet may hold the key What if all of my identity attributes were individually parsed and stored in this digital wallet could I then just present my digital wallet to any participating commerce site or browser?
00:33:04.260
Mike Engle: yeah that's that's the promise of decentralized identity of self sovereign identity it's called me some circles. And, and why we built the platform with those standards under the hood because when let's say we've got three big institutional. Wall Street customers that are our customers with them just simply defining the business arrangement and turning on you know participation in an identity directory. Those identities can flow cross stream so you're not enough to set up heavy federated authentication between them, for example. So it's just a matter of the end you know the the organizations wanting to plug in and participating and there's a lot of these popping up globally around the world, already.
00:33:51.780
Steve Hunt: Okay, so one day we're still, this is still the one day scenario one day we'll be able to have this have these distributed identifiers relied on and used by the various sites, we visit.
00:34:08.130
Mike Engle: For sure one day is here in some other countries, for example in Singapore, they have something called sing past which is used at hundreds of merchant and government websites in South Korea, they have SK pass you know SK Telecom, one of the big providers and again your driver's license can be put into your identity. They prove that you have the mobile number, and you can go log into all kinds of downstream systems and do payments so.
Those you know nice small 40 million person countries they can get it done here in the US, we have a little more wood to chop before it's going to happen, but again he's there today it's happening, the bank step up to the plate and form a trusted bank identity we've got two of the three that we need to really make it happen, the third being the government. And we're seeing now apple right have a relationship with some of the states in the TSA. So it's popping out right imagine you can use your apple ID or your you know Google's going to have to step up and do the same thing right it's really opening up the doors and allowing your identity to go digital the way it should.
00:35:16.440
Steve Hunt: yeah exciting stuff yeah.
00:35:19.080
Mike Engle: So I'll show one more example and then we'll head over to Q amp a, so I think, similar to what the participant was asking the question here can your identity be used in different scenarios, so in my wallet This is my production wallet so is my real phone, I have several identities in here right and with the press of a button, I can come to my corporate portal and authenticate into my workforce applications now here's one of the big differentiators you can see my real biometrics.
00:36:00.060
Steve Hunt: We don't see anything.
00:36:02.010
Mike Engle: I'm sorry, let me refresh my screen. Okay, so on the left is my phone I'm sorry on the right is my phone on the left is is our corporate workforce authentication portal, not a lot going on here right, not a lot to type in.
00:36:20.430
Steve Hunt: Russia, this is not the prettiest site I've seen.
00:36:23.280
Mike Engle: So I have multiple credentials in my wallet I've got a banking credential I've got a workforce credential and with the press of a button, I can simply scan this code and do real biometrics validated that's a certified by metric engine and to your point now I'm getting into my sso applications my windows workstations or my downstream Apps right, that same identity, could be used for really by any third party as long as the trust is set up between the parties that's what it was designed to do.
00:36:57.330 --> 00:36:57.600
Right.
00:36:58.650 --> 00:37:05.520
Mike Engle: So um I think will CAP it there and get into QA we have a couple questions coming in.
217
00:37:06.570 --> 00:37:13.440
Steve Hunt: And we've we've addressed some of these but there's one scroll up and look at the question in the chat from Mauricio around fragmented digital identity silos and zero trust world maybe we can both tag team on that. Look at it and tell me what you think of that Mike.
00:37:27.420
Mike Engle: Yes So all the silos in a zero trust world right yeah for sure. That's the risk whenever what you know here on the left, you have these layers and the the layer one just like your trust your osi model right physical data link etc up the application layer and layer seven there's multiple layers in an identity stack. And layer one is kind of the The ability for an identity, just to move between two parties that's the the main industry body there it's a part of the Linux foundation called trust over IP. So that is there in place today and there's a couple trust over IP networks already out there functioning in different parts of the world to some in the US some in Europe, etc, getting further up the stack and how wallets interact.
Now you're you're seeing a little bit of fragmentation and it's going to take some time for the tech giants, I think, to come together right is that apple wallet that's holding the credential standards based and actually do you know the answer to that one Steve I don't really sure it's not. Maybe maybe somebody in the audience knows and can comment if they if there's anything about the apple wallet that standards based but that's typically not how apple operates so right there's a problem apple has created a digital driver's license and credit card wallet that can only be used by apple people. And that's their their M.O. right they do that with things like I message and create their walled garden. But there are industry standards that come out of w three see on how a wallet should be defined and how you can use across party and moving further up the application stack will be happening over time as well, so Maurice I think I think you you very much plugged into this and know that the challenges there there's an interesting group called the code credentials organization that defined how you should put a coven vaccination credential into a digital wallet. And we're a member of that there's you know dozens of Members so you're seeing some real good work come out of those taxi groups as well.
00:39:40.440
Steve Hunt: seems like we address the other questions in here if I'm wrong then feel free to send a note to us, Michael How do people get in touch with you.
00:39:51.750
Mike Engle: Great question, I hope you don't mind, but I took the liberty of popping up your email address on this slide as well, so let's get this back up here. Alright, so yeah obviously our website is a great source of information, we are very open our over our documentation is online, you can experience it live feel free to reach out reach out to me or contact us on the website and Steve do you have any events coming up that you want to tell the audience about.
00:40:24.420
Steve Hunt: Oh I'm speaking at the API conference that's the petroleum industry cyber security conference next month, so if any of you are related to critical infrastructure feel free to connect to that conference great presentations there.
00:40:44.010
Mike Engle: awesome yeah there's a couple other questions I'll just read through because, just to wrap up here, will we be sharing this presentation, with the participants, the webinar is being recorded and it will be posted on our website, probably by tomorrow, so you can review it there I'm not sure if we'll have the slides there as well, but if you reach out to us, be happy to send this deck over and a few other slides to go with it and there's a handful of other questions specifically about Sankey that are probably out of scope.
00:41:13.590
Steve Hunt: yeah I think I think we're done yeah. Well hey everybody, this was a this was a pleasure Mike I always always enjoy these conversations and everyone, I hope you got something great out of it and feel free to keep in touch.
00:41:30.300
Mike Engle: yep thanks for coming see have a great day, everybody.
Steve Hunt: I'm ready to rock and roll Mike.
Mike Engle: Alright well thanks everybody for joining my name is Mike Engle, with one cosmos I run strategy I'm joined today by Steve hunt from the ID Nevada group Steve Would you mind saying hello and introducing yourself, give us a bit about your background.
Steve Hunt: hey everybody I'm a strategic advisor at it no Baraka I 10 of our because a boutique advisory firm for financial services and insurance and I've been covering identity management for about 30 years happy to join your MIC.
Mike Engle: Thanks yeah and just a little bit about one cosmos we're redefining the way customers and employees engage with identity and prove who they are remotely. Today we're going to focus on the concept of password lists and kind of what it really means in the industry, what it should mean what it means for us so it'll be. Less a slide where slide presentation, a little more dialogue to go along with some slides and conversation, and hopefully you'll find it enjoyable we also have the Q amp a open so as you're going along if you have a question feel free to pop it right into the chat we have. A couple of teams are members of the team will be moderating the chat and we'll try to answer them in real time if it's relevant to the topic that we're discussing at the time. Alright, so I'll just do one warm up slide here, we do have a real time live experience that you can do directly on our website so if you go to one cosmos calm. And just say experience you can go grab the APP out of the APP store and just try a password list experience it takes about a minute total and most of that time is spent downloading the application right. And then from there, you can even drill down and do a deeper evaluation of the product, without having to interact with any humans right so feel free to try it out we'd love your feedback on that as well. So so let's jump in we're talking about a very specific problem set here, and it really is a lack of identity in our identity and access management systems. And it's funny Steve I know I mean I know you back from geez late 90s early 2000s going way back to our work together on Wall Street and. We've been doing identity in our IT systems for 20 plus years but you really don't have identity. At the heart of what we're doing today I think about what did identity mean for you and your clients back in 2000s can can you even put a you know, a finger on that.
Steve Hunt: You know identity has always been this like this annoying layer of of our security architecture is this this orphan. Poor thing because it's like we just want to get past it we just want to like deal with it, so we can get to the good stuff let's roll out a security architecture or let's let's put together asset. Asset Management and access, controls for every asset and resource in the organization and for every person with their privileges and all of that is seem to be the meat and potatoes and oh yeah yeah yeah. We need to know who these people are first and to identify them and then authenticate them, and that was always been like this tedious task often relegated, as you know, to the physical Security Department way down at the end of the hall. At the end of the darkest corridor in the basement of the building where you get your picture taken gutter ID badge and. Maybe got some of your first passwords so it's hesitant, you know it's I think of Rodney Dangerfield I think of identity it's like you know never getting quite the respected needs.
Mike Engle: And sorry yeah you're only corporate identity was really your badge with a little picture on it with the horrible quality and then your active directory, and then the 50 other systems like mainframe and whatever but those aren't identity right they they are what I call hope based authentication.
Steve Hunt: What do you mean by hope based?
Mike Engle: yeah so you hope that the person, first of all can remember their username and password. You hope that they don't get messed up when you force them to change it every 90 days and now they're getting 16 characters complexity requirements. You hope they don't get stolen you hope they don't use the same password that they use on Facebook. And then you start putting band AIDS, on top of two FA and codes and security tokens and all those things you hope they don't lose that and you hope all that stuff doesn't get man in the middle there finished by bad guys.
Steve Hunt: Right that's that is so hilarious I think I have heard you say that before that.
Mike Engle: yeah yeah I'm trying to get it to catch on but I don't have quite the platform yet so I'm working on it. So I'm we're migrating away from home based authentication we're gonna talk about that here today. But you know along the journey of having to deal with passwords all the time is we have you know. I'm not trying to use food here to promote anything I don't need to the press does it for me, but. We know how bad the problem is because you know colonial pipeline or name your breach of the weekend and millions and hundreds of millions of identities being lost. In addition, all those systems that you mentioned Steve they have a lot of costs, not just for the software and hardware fees on them, but the complexity that they introduce to our environment right how many one time code generator platforms for customers versus employees. How many different ad trees, do you have it's just it's it's really maddening of what I think the the sunk cost is on this stuff right.
Steve Hunt: yeah for sure this is a it's a big challenge it just keeps getting bigger as organizations grow in organically through mergers and acquisitions they. They acquire more and more identity platforms more identity management solutions and even business units deploying their own identity systems that. It makes. The weaknesses, the historic weaknesses of credentials and like passwords especially challenging especially daunting for security personnel and especially ripe for the picking for those ransomware arsonists.
Mike Engle: destroying ourselves yeah, and so I have two slides that I would like to share with the audience, most of the audience today are probably it professionals. And we, I have a couple really new kind of fresh stats on the problem statement that can be used to help sell to you know upstream and management, the C suite even the board. And so, this is the 2021 Verizon data breach investigation report is only a few months old it's 114 pages of just incredible real world research right not made up statistics. And you see social engineering is still the primary way to get credentials from somebody right, so they the bad guys are really good at that here on the left. And then on the right side 85% of the breaches now they just they've classified this differently used to be. 81% was stolen credential now it's 85% involves a human factor, a human element right with credentials, being one ransomware being a major impact so take a screenshot of this. As well as the business impact right, this is why we get budget, this is why we do what we do. So I really like the focus here on business email compromise right They range from, of course, very low, depending on the size of your company, but up to a million dollars a pop.
For a business email compromise ransomware according to Verizon and their survey right, this is a very broad range goes up to 1,000,001. And this is cool, this is the Lockton companies they do cybersecurity insurance a very reputable company and just look at the stats they speak for themselves so i'm sure your clients Steve are very much this is top of mind for them right.
Steve Hunt: This is new data, the Verizon report gets better every year their their population of respondents gets better. All the time and the data you're showing my is is it's profound it, it shows that the bad guys are taking advantage of human error human foibles and the weaknesses of our identity infrastructure, both both of them they're they're using both of them in this in this intertwined multi faceted attack vector that they're they're using to wreak havoc on us and so this data is is sobering for sure.
Mike Engle: yeah it's going to move further and further into the consumer trend chain right imagine if they could ransomware my mom's phone because she clicked a link right it's going to ruin my weekend but, but you know now they're getting they can spread it out to millions of people with one you know potential vector. So we'll see how that goes, but these are you know real reasons why we do what we do and the things that keep us up at night.
So now let's talk about the solution right we're here to talk about password list, and you know there's a lot of misconceptions about password list. It's gotten so crazy with investments and every basically authentication company is now pivoting trying to call themselves password list, whether they really are not. But the goal of password list is to get rid of something that can be obtained by somebody else right, yes, typically. Your password username password or even those secrets that if you go sign up for some accounts on the web. My favorite one is go sign up for United airlines account and the last few questions like you know what was your mother's shoe size, when you were 12 or something. But those things can be found out by others right the credit bureaus have all been hacked all this data is out there. So that leaves us with a couple other factors that we can focus on right, and you can see, you know you know preaching to the choir a bit I'm sure, with the folks on this call.
But my question really for you Steve is, do you think that MFA is password list generically or is it a little more nuanced than that.
Steve Hunt: I'd say password list solutions, first of all, when I first heard password list a couple of years ago, I thought yeah right like that's on the one hand, is what we've been dreaming up for 2030 years a password list infrastructure. It in remember after 911 after Sarbanes Oxley and you know the crush of Enron, we all biometrics, where the was the talk of the town and we thought that was the beginning of the password list movement, but it wasn't. It's only now with the ubiquity of the capabilities of our technology, the ubiquity of cell phones that we can have what I might call MFA with a cell phone and that's the start of password list that can that people can really wrap their hands around, even though I think. What we're what we're talking about when we talk about password list is the natural evolution of two trends from the last 20 years and that's single sign on and MFA multi factor authentication those two working together kind of. You know and adding smartphones in every single person's hands and complimenting Fido On top of that will say another word about Fido in a few minutes so hold your questions. I think that's what put some meat on the bones of password list today.
Mike Engle: yeah yeah and and password list really for us at one cosmos it's a feature of using your identity to authenticate. Right and that comes to really the topic of the webinar the identity crisis and password list. So just because you're using something besides a password doesn't mean you know who it is that's using it right, so I can take your username and password and give you a Public Private key pair and use your touch ID on your phone, but how do I know it's you, and if you come to the Wikipedia definition of password list. I chopped some of the stuff out to make this you know, really, to the point and it's an authentication method that does blah blah blah without entering and having to remember a password or any other knowledge base secret and then it goes on a little more in the paragraph and it says. A secure proof of identity through a registered device or token So how do you have proof of identity right. What is it that proves that this is Steve hunt at the other end of the line right it comes down to the word identity. And this is where the crisis is and most password list solutions So how do you define identity, and I think you might know where this is going on the next slide Steve but the figurehead up.
Steve Hunt: I did this big survey the first independent industry wide analysis of all the password lists solution vendors out there and one cosmos got special recognition in that report, for its answer to this question of what is identity to go on Mike.
Mike Engle: So this is from either Webster's or one of those real dictionaries right and it's The fact of being who or what a person or thing is a fact right.
So Steve today I would think that you're if I log into your bank website today Bank of America chase whatever you use and I had your username password and I had access to your email your your text messages I could log into that account at least that's the way mine works if you had those things for me. Because my bank sadly doesn't do identity based authentication So the question is, does having a username password MFA or any of those things really prove identity and the answer is no, because it doesn't prove that this is the citizen Steve hunt that logged into that back right, I think this comes down to where Hopefully, this is what you were talking about for the special recognition.
00:16:31.650 --> 00:16:37.710
Steve Hunt: Well, almost going and you'll see and I'll pointed out I'll say hey everybody, this is talking about.
00:16:38.010 --> 00:16:53.910
Mike Engle: Right, so the way we define identity and getting away from hope based authentication where you don't really know who's coming in, and they have to worry about all these different mechanisms to identity based authentication focuses on two very. Important and relatively new industry standards, the first is from the NIST body it's the NIST 800-63-3 and the purpose of that is to prove remotely who somebody is right, the government has gone through a lot of effort to say that. How do you establish a real identity and typically involves multiple what they call sources of truth? That can be strong or superior like a driver's license and password are superior forms of identity, compared with somebody live face, right. And if you think about how you prove somebody identity in the quote real world TSA state trooper pulls you over whatever it is it's very similar you have a trusted credential compared to your live face. And that, combined with the password list technologies embedded in the same standard there's two sides of it there's how you prove where they are and and how you use it. And Fido is also a mechanism that covers how you use it and you mentioned. That we'd be talking a little bit about Fido here and now, is our chance right so putting this together is is how we think about identity and the word password list isn't really a part of this identity based authentication is all about identity.
00:18:13.950
Steve Hunt: For folks who aren't crystal clear about Fido it's an alliance, the Fido alliance is the standards body it's made up of over 250 companies government agencies around the world and. With the mission of standardizing and simplifying cybersecurity and it's got a couple of standards out here the the fighter to that we're talking about here is includes something the audience may have seen the Web on earth and web athan specification, plus the client to authenticator protocol called see tap so there's some geeky side to this really boils down to something pretty simple we get to validate the quality of a user's identity during. An authentication event during the different stages of a transaction and weaved in with single sign on and strong authentication, that is what is especially cool about. Our conversation right now about identity it's how to make this practical usable and in order to use jargon seamless I guess. During the transaction so that it's not an annoying layer anymore.
107
00:19:39.810 --> 00:19:55.440
Mike Engle: yeah no you're right the Fido alliance nonprofit been around for almost 10 years and they've done yeoman's work to get this to become a real thing right with without this There probably be 10 different fragmented standards out there to how to how to implement these things, and then. On the converse side on this side the certifying body, the nonprofit there is called the kantar initiative So there you know the globally certify companies to be able to prove identity remotely and we are one of the few companies that has both can Tara and Fido certified, so these we think they're very important but we're finding out that we're not the only ones right government bodies and large corporations care about these standards.
00:20:22.500
Steve Hunt: Now this is really good on paper, this shows that okay Mike and his team at one cosmos have done their homework but I get turned on by how the technology really works and I don't remember if you said you're going to show us some more of this but let's keep going because I want to point out, for the audience the things that I think are particularly interesting about this.
00:20:46.020
Mike Engle: yeah for sure so we think that standards right when when you have a standard, it allows technology to to you know become ubiquitous right so examples on the authentication side or your saml and oh IDC they allow your current log on to be used in multiple places and with a layer of trust, and so I have a standards based view of what we refer to as user managed identity. And there's four actually more than that, but four key standards here that tie all this together, and how organizations can leverage identity, rather than leveraging. You know weaker forms of authentication so on the enrollment side, this is that NIST 800-63-3 side. What's typically done is you are given a key and enrolling your biometrics rights right there out of the box, you have those two factors that don't involve a username or password. And then you can strengthen it with several forms of industry identity or citizen identity.
So the most common type is right scanning a driver's license or passport or other national identity document. And there we support 150 countries right that's it's a very well maturing space with lots of players in it, but you can take it a step further. And leverage, you know embed your corporate identity on top of that as well that could be your active directory or X five or nine. And then there's some really neat global initiatives coming out around bank and TELCO identity. So I'm going to pop one up here on the screen, that is not that well known, but will be soon in the US, that is your TELCO identity that can be used a login soon to thousands of websites called Zen key. So that's you know, the first pillar of identity that the way we think about it is that that that the enrollment. And then, using that identity anywhere here's your 863 dash three be combined with fight out to allow it to be used without usernames and passwords so I'll pause there and see if you have any thoughts on that Steve.
00:22:56.400
Steve Hunt: yeah this is, this is what most people forget about that enroll part is the the tedium that happens, by HR or security, taking care of identifying who we are in a workplace, and then the initial paperwork, maybe at our bank to open an account that's where this enroll happens and it's. And for a lot of online. Retailers and businesses that enroll part is pretty weak and we focus our energy on authenticate like giving them a user ID and password helping them change it when they lose it and maybe even giving them two factor authentication like an SMS code to their phones and the thinking has been that Okay, as long as we do something a little more robust around authentication then. The rest of the transaction is reliable, but Mike, as you have already pointed out just by talking about these two elements so far they're intrinsically weak and the way the way we've deployed them over the last 2030 years and it's only the combination of technologies and approaches that you've put on this slide that I think if the audience focuses on it a little bit and just let it soak in they'll have this Aha moment the same one I had, which was I yes it's it's a combination of factors. At enrollment and a combination of factors at authentication that really make this strong, yeah really strong authentication.
00:24:45.690
Mike Engle: yeah exactly and and the the other anchors are really key because you can get a lot of people to scan a driver's license it's a very heavy thing to do, though. I imagine you're just trying to do something that needs medium security it's you know logging into your Saks fifth avenue account. You that's not a high level of trust needed for that there's no html or anti money laundering or KYC required for that. But sacks would really like to have a stronger identity coming into their website, and so this is where banks telcos and other industry sources of truth can be used so I'll show you one here for those that haven't seen it, this is the TELCO initiative in the United States called Zen key so what's happened is the three carriers have come together to form a digital a trusted digital identity that can be used by Saks fifth avenue to onboard a new user and to authenticate them without usernames and passwords right, so this is great, because this is this this gets over the issue of scale of you know how do you get network effect and get user adoption well everybody has one of these carriers already.
So their existing at amp T T mobile Verizon or the Zen APP itself will let you do this, so let me hide my phone number, this is how I login to the my at amp T account now and I'm not going to do that because I have an embarrassing phone bill. So I press a button here I whipped out my Zen key APP or my at amp T APP I scan this code and I'm in this is an example of an industry anchor I didn't need to scan my driver's license for them to prove who I am.
00:26:28.890
Steve Hunt: I see this sort of thing is, as the future. I didn't even dream of such an alliance, years ago, but now that this is becoming real I'm excited about it.
00:26:44.37
Mike Engle: yeah and globally there's this has happened in other countries right United States is a little big and messy for it to happen fast so that's why I'm excited that this is happening here. The banks are perfectly positioned to have a trusted identity right if I could log in my Wells Fargo account you know, instead of login with Google or Facebook. I would log in with Wells Fargo across thousands of website I would trust that I trust my bank with everything else, so I think this is a great first step. You said you wanted to see it, you know, right here on our websites the.
Steve Hunt: Mike before you go into that - an attendee is asking provocative question how is this sort of a login with Zen key. Any different than just logging in with my Facebook authentication or my Google authentication.
00:27:32.670
Mike Engle: that's a great question alright so there's a couple reasons for that first.
Facebook and Google don't need to have any proof about who you are the carriers do so, the carriers, when you go to open a new phone line or phone account they do a credit check and most times they need your proof of citizenship and your driver's license to open that account.
Secondly, they know and trust your mobile so was then key hands, along with the authentication is not only am I, is this Mike angle, but this is the same like angle that's had the same phone account for 12 years. And it's the same same it hasn't been Sim swapped right and so all those end if you know, without my consent, they could even share location right the. Carriers know where my phone is all times they know that it's not in Uzbekistan at a minimum right, so they can provide a fraud score along with that authentication signal login with Facebook, I could be anybody right there's no really sense of assurance there.
00:28:42.810
Steve Hunt: yeah I know people who aren't who they say they are on Facebook for sure okay yeah just that answer alone makes me pretty confident and Sankey thanks.
00:28:53.070
sure.
00:28:55.170
Mike Engle: So just following this through the login with QR code in from our perspective is one of the primary mechanisms that's going to change the way we engage with remote systems. Mike Engle: Then key is already an indicator of this you're seeing it from some of the banks right so now. If you're a city customer, you can log into your city bank by scanning it with your city APP on your phone right on the Channel experience trusted Public Private key pair cryptography etc. So, as I mentioned, our audience can can try this or anybody can just by simply coming to our website grab the APP and with the press of a button. I'll show you how this works.
Scan a code give consent and it's showing some really basic information about the session right we don't go deep into identity verification for just a simple come to our website DEMO, but you can dive further into that and do higher levels of DEMO there as well. So that experience as you saw it's that easy every time whether you're logging into your your your bank resource windows workstation into Okta paying for drop whatever it is. That's it no more username no more password face it touch ID or, even better, real biometrics right because real biometrics is one of the key differentiators.
00:30:24.600
Steve Hunt: So you think of this as the front end to your single sign on so use this as the authentication event. And hand this token essentially off to the single sign on the single sign on logs you into every application all day long as needed, so this is the password list front end to single sign on this way I look at it yeah.
00:30:50.700
Mike Engle: yeah and the model of where identity is going in the future all right let's talk about this for just a second because I'll give a demonstration of this, if time permits, is they call it the trust triangle, you have identity issuers today I get my identity issued by the government driver's license or passport in a digital world now I can be issued an identity by Zen key alright, so that would be an example of telcos flash Sim. And you know if you ask the the research and the analysts and the industry experts and even the big tech companies they feel like these are. The trusted sources of truth that could be used to for you to prove who you are remotely right multiple options in that journey once you've done that you're handed the cryptographic proof of possession of that digital certificate put in your digital wallet. Now, one of the standards that I mentioned to something called decentralized identity, this allows your identity to be used in a cross company cross industry or even cross country scenario with privacy, preserving features. And the real the real root of trust here is that the verifiers right So these are the downstream service providers the Saks fifth avenue like I mentioned. They will trust this enrolled exercise, and this is what's being set up now globally in different verticals different you know automotive healthcare banking etc and we're super excited about the potential here, are you following this space Steve.
00:32:24.570
Steve Hunt: Well, I know, one of our audience is and they they asked an inch a fun question, I can I. Can I use this with one cosmos or with Zen key or something and go through this proofing process and then use it later for some other login somewhere else, and in this digital wallet may hold the key What if all of my identity attributes were individually parsed and stored in this digital wallet could I then just present my digital wallet to any participating commerce site or browser?
00:33:04.260
Mike Engle: yeah that's that's the promise of decentralized identity of self sovereign identity it's called me some circles. And, and why we built the platform with those standards under the hood because when let's say we've got three big institutional. Wall Street customers that are our customers with them just simply defining the business arrangement and turning on you know participation in an identity directory. Those identities can flow cross stream so you're not enough to set up heavy federated authentication between them, for example. So it's just a matter of the end you know the the organizations wanting to plug in and participating and there's a lot of these popping up globally around the world, already.
00:33:51.780
Steve Hunt: Okay, so one day we're still, this is still the one day scenario one day we'll be able to have this have these distributed identifiers relied on and used by the various sites, we visit.
00:34:08.130
Mike Engle: For sure one day is here in some other countries, for example in Singapore, they have something called sing past which is used at hundreds of merchant and government websites in South Korea, they have SK pass you know SK Telecom, one of the big providers and again your driver's license can be put into your identity. They prove that you have the mobile number, and you can go log into all kinds of downstream systems and do payments so.
Those you know nice small 40 million person countries they can get it done here in the US, we have a little more wood to chop before it's going to happen, but again he's there today it's happening, the bank step up to the plate and form a trusted bank identity we've got two of the three that we need to really make it happen, the third being the government. And we're seeing now apple right have a relationship with some of the states in the TSA. So it's popping out right imagine you can use your apple ID or your you know Google's going to have to step up and do the same thing right it's really opening up the doors and allowing your identity to go digital the way it should.
00:35:16.440
Steve Hunt: yeah exciting stuff yeah.
00:35:19.080
Mike Engle: So I'll show one more example and then we'll head over to Q amp a, so I think, similar to what the participant was asking the question here can your identity be used in different scenarios, so in my wallet This is my production wallet so is my real phone, I have several identities in here right and with the press of a button, I can come to my corporate portal and authenticate into my workforce applications now here's one of the big differentiators you can see my real biometrics.
00:36:00.060
Steve Hunt: We don't see anything.
00:36:02.010
Mike Engle: I'm sorry, let me refresh my screen. Okay, so on the left is my phone I'm sorry on the right is my phone on the left is is our corporate workforce authentication portal, not a lot going on here right, not a lot to type in.
00:36:20.430
Steve Hunt: Russia, this is not the prettiest site I've seen.
00:36:23.280
Mike Engle: So I have multiple credentials in my wallet I've got a banking credential I've got a workforce credential and with the press of a button, I can simply scan this code and do real biometrics validated that's a certified by metric engine and to your point now I'm getting into my sso applications my windows workstations or my downstream Apps right, that same identity, could be used for really by any third party as long as the trust is set up between the parties that's what it was designed to do.
00:36:57.330 --> 00:36:57.600
Right.
00:36:58.650 --> 00:37:05.520
Mike Engle: So um I think will CAP it there and get into QA we have a couple questions coming in.
217
00:37:06.570 --> 00:37:13.440
Steve Hunt: And we've we've addressed some of these but there's one scroll up and look at the question in the chat from Mauricio around fragmented digital identity silos and zero trust world maybe we can both tag team on that. Look at it and tell me what you think of that Mike.
00:37:27.420
Mike Engle: Yes So all the silos in a zero trust world right yeah for sure. That's the risk whenever what you know here on the left, you have these layers and the the layer one just like your trust your osi model right physical data link etc up the application layer and layer seven there's multiple layers in an identity stack. And layer one is kind of the The ability for an identity, just to move between two parties that's the the main industry body there it's a part of the Linux foundation called trust over IP. So that is there in place today and there's a couple trust over IP networks already out there functioning in different parts of the world to some in the US some in Europe, etc, getting further up the stack and how wallets interact.
Now you're you're seeing a little bit of fragmentation and it's going to take some time for the tech giants, I think, to come together right is that apple wallet that's holding the credential standards based and actually do you know the answer to that one Steve I don't really sure it's not. Maybe maybe somebody in the audience knows and can comment if they if there's anything about the apple wallet that standards based but that's typically not how apple operates so right there's a problem apple has created a digital driver's license and credit card wallet that can only be used by apple people. And that's their their M.O. right they do that with things like I message and create their walled garden. But there are industry standards that come out of w three see on how a wallet should be defined and how you can use across party and moving further up the application stack will be happening over time as well, so Maurice I think I think you you very much plugged into this and know that the challenges there there's an interesting group called the code credentials organization that defined how you should put a coven vaccination credential into a digital wallet. And we're a member of that there's you know dozens of Members so you're seeing some real good work come out of those taxi groups as well.
00:39:40.440
Steve Hunt: seems like we address the other questions in here if I'm wrong then feel free to send a note to us, Michael How do people get in touch with you.
00:39:51.750
Mike Engle: Great question, I hope you don't mind, but I took the liberty of popping up your email address on this slide as well, so let's get this back up here. Alright, so yeah obviously our website is a great source of information, we are very open our over our documentation is online, you can experience it live feel free to reach out reach out to me or contact us on the website and Steve do you have any events coming up that you want to tell the audience about.
00:40:24.420
Steve Hunt: Oh I'm speaking at the API conference that's the petroleum industry cyber security conference next month, so if any of you are related to critical infrastructure feel free to connect to that conference great presentations there.
00:40:44.010
Mike Engle: awesome yeah there's a couple other questions I'll just read through because, just to wrap up here, will we be sharing this presentation, with the participants, the webinar is being recorded and it will be posted on our website, probably by tomorrow, so you can review it there I'm not sure if we'll have the slides there as well, but if you reach out to us, be happy to send this deck over and a few other slides to go with it and there's a handful of other questions specifically about Sankey that are probably out of scope.
00:41:13.590
Steve Hunt: yeah I think I think we're done yeah. Well hey everybody, this was a this was a pleasure Mike I always always enjoy these conversations and everyone, I hope you got something great out of it and feel free to keep in touch.
00:41:30.300
Mike Engle: yep thanks for coming see have a great day, everybody.
Mike Engle
CSO
1Kosmos
Steve Hunt
Co-Founder & President Emeritas Chicago Chapter
Information Systems Security Association
The move towards Passwordless begs one simple question. What will we use instead of passwords for authentication?
With many available solutions and an already complex IAM IT infrastructure, it’s a good time to evaluate the problems we’re setting out to solve and the strategy that best addresses them.
During this webinar, Aite Group Senior Analyst Steve Hunt shared insights from his research into the factors that motivate many organizations to augment or replace passwords.
Joining Aite Group Senior Analyst Steve Hunt was our own 1Kosmos CSO Mike Engle. Mike explored Identity Based Authentication as the solution which eliminates passwords while giving organizations certainty about who is on the other side of the digital connections in their network.
So, whether you are new to Passwordless or are looking to upgrade your strategy, this on-demand webinar is full of actionable takeaways.
Mike Engle
CSO
1Kosmos
Steve Hunt
Co-Founder & President Emeritas Chicago Chapter
Information Systems Security Association
Video Transcript
Mike Engle: Everybody will be starting in just a minute will give people one or two minutes to get connected. Alright, we are two past the hour, we say we get started Steve.
Steve Hunt: I'm ready to rock and roll Mike.
Mike Engle: Alright well thanks everybody for joining my name is Mike Engle, with one cosmos I run strategy I'm joined today by Steve hunt from the ID Nevada group Steve Would you mind saying hello and introducing yourself, give us a bit about your background.
Steve Hunt: hey everybody I'm a strategic advisor at it no Baraka I 10 of our because a boutique advisory firm for financial services and insurance and I've been covering identity management for about 30 years happy to join your MIC.
Mike Engle: Thanks yeah and just a little bit about one cosmos we're redefining the way customers and employees engage with identity and prove who they are remotely. Today we're going to focus on the concept of password lists and kind of what it really means in the industry, what it should mean what it means for us so it'll be. Less a slide where slide presentation, a little more dialogue to go along with some slides and conversation, and hopefully you'll find it enjoyable we also have the Q amp a open so as you're going along if you have a question feel free to pop it right into the chat we have. A couple of teams are members of the team will be moderating the chat and we'll try to answer them in real time if it's relevant to the topic that we're discussing at the time. Alright, so I'll just do one warm up slide here, we do have a real time live experience that you can do directly on our website so if you go to one cosmos calm. And just say experience you can go grab the APP out of the APP store and just try a password list experience it takes about a minute total and most of that time is spent downloading the application right. And then from there, you can even drill down and do a deeper evaluation of the product, without having to interact with any humans right so feel free to try it out we'd love your feedback on that as well. So so let's jump in we're talking about a very specific problem set here, and it really is a lack of identity in our identity and access management systems. And it's funny Steve I know I mean I know you back from geez late 90s early 2000s going way back to our work together on Wall Street and. We've been doing identity in our IT systems for 20 plus years but you really don't have identity. At the heart of what we're doing today I think about what did identity mean for you and your clients back in 2000s can can you even put a you know, a finger on that.
Steve Hunt: You know identity has always been this like this annoying layer of of our security architecture is this this orphan. Poor thing because it's like we just want to get past it we just want to like deal with it, so we can get to the good stuff let's roll out a security architecture or let's let's put together asset. Asset Management and access, controls for every asset and resource in the organization and for every person with their privileges and all of that is seem to be the meat and potatoes and oh yeah yeah yeah. We need to know who these people are first and to identify them and then authenticate them, and that was always been like this tedious task often relegated, as you know, to the physical Security Department way down at the end of the hall. At the end of the darkest corridor in the basement of the building where you get your picture taken gutter ID badge and. Maybe got some of your first passwords so it's hesitant, you know it's I think of Rodney Dangerfield I think of identity it's like you know never getting quite the respected needs.
Mike Engle: And sorry yeah you're only corporate identity was really your badge with a little picture on it with the horrible quality and then your active directory, and then the 50 other systems like mainframe and whatever but those aren't identity right they they are what I call hope based authentication.
Steve Hunt: What do you mean by hope based?
Mike Engle: yeah so you hope that the person, first of all can remember their username and password. You hope that they don't get messed up when you force them to change it every 90 days and now they're getting 16 characters complexity requirements. You hope they don't get stolen you hope they don't use the same password that they use on Facebook. And then you start putting band AIDS, on top of two FA and codes and security tokens and all those things you hope they don't lose that and you hope all that stuff doesn't get man in the middle there finished by bad guys.
Steve Hunt: Right that's that is so hilarious I think I have heard you say that before that.
Mike Engle: yeah yeah I'm trying to get it to catch on but I don't have quite the platform yet so I'm working on it. So I'm we're migrating away from home based authentication we're gonna talk about that here today. But you know along the journey of having to deal with passwords all the time is we have you know. I'm not trying to use food here to promote anything I don't need to the press does it for me, but. We know how bad the problem is because you know colonial pipeline or name your breach of the weekend and millions and hundreds of millions of identities being lost. In addition, all those systems that you mentioned Steve they have a lot of costs, not just for the software and hardware fees on them, but the complexity that they introduce to our environment right how many one time code generator platforms for customers versus employees. How many different ad trees, do you have it's just it's it's really maddening of what I think the the sunk cost is on this stuff right.
Steve Hunt: yeah for sure this is a it's a big challenge it just keeps getting bigger as organizations grow in organically through mergers and acquisitions they. They acquire more and more identity platforms more identity management solutions and even business units deploying their own identity systems that. It makes. The weaknesses, the historic weaknesses of credentials and like passwords especially challenging especially daunting for security personnel and especially ripe for the picking for those ransomware arsonists.
Mike Engle: destroying ourselves yeah, and so I have two slides that I would like to share with the audience, most of the audience today are probably it professionals. And we, I have a couple really new kind of fresh stats on the problem statement that can be used to help sell to you know upstream and management, the C suite even the board. And so, this is the 2021 Verizon data breach investigation report is only a few months old it's 114 pages of just incredible real world research right not made up statistics. And you see social engineering is still the primary way to get credentials from somebody right, so they the bad guys are really good at that here on the left. And then on the right side 85% of the breaches now they just they've classified this differently used to be. 81% was stolen credential now it's 85% involves a human factor, a human element right with credentials, being one ransomware being a major impact so take a screenshot of this. As well as the business impact right, this is why we get budget, this is why we do what we do. So I really like the focus here on business email compromise right They range from, of course, very low, depending on the size of your company, but up to a million dollars a pop.
For a business email compromise ransomware according to Verizon and their survey right, this is a very broad range goes up to 1,000,001. And this is cool, this is the Lockton companies they do cybersecurity insurance a very reputable company and just look at the stats they speak for themselves so i'm sure your clients Steve are very much this is top of mind for them right.
Steve Hunt: This is new data, the Verizon report gets better every year their their population of respondents gets better. All the time and the data you're showing my is is it's profound it, it shows that the bad guys are taking advantage of human error human foibles and the weaknesses of our identity infrastructure, both both of them they're they're using both of them in this in this intertwined multi faceted attack vector that they're they're using to wreak havoc on us and so this data is is sobering for sure.
Mike Engle: yeah it's going to move further and further into the consumer trend chain right imagine if they could ransomware my mom's phone because she clicked a link right it's going to ruin my weekend but, but you know now they're getting they can spread it out to millions of people with one you know potential vector. So we'll see how that goes, but these are you know real reasons why we do what we do and the things that keep us up at night.
So now let's talk about the solution right we're here to talk about password list, and you know there's a lot of misconceptions about password list. It's gotten so crazy with investments and every basically authentication company is now pivoting trying to call themselves password list, whether they really are not. But the goal of password list is to get rid of something that can be obtained by somebody else right, yes, typically. Your password username password or even those secrets that if you go sign up for some accounts on the web. My favorite one is go sign up for United airlines account and the last few questions like you know what was your mother's shoe size, when you were 12 or something. But those things can be found out by others right the credit bureaus have all been hacked all this data is out there. So that leaves us with a couple other factors that we can focus on right, and you can see, you know you know preaching to the choir a bit I'm sure, with the folks on this call.
But my question really for you Steve is, do you think that MFA is password list generically or is it a little more nuanced than that.
Steve Hunt: I'd say password list solutions, first of all, when I first heard password list a couple of years ago, I thought yeah right like that's on the one hand, is what we've been dreaming up for 2030 years a password list infrastructure. It in remember after 911 after Sarbanes Oxley and you know the crush of Enron, we all biometrics, where the was the talk of the town and we thought that was the beginning of the password list movement, but it wasn't. It's only now with the ubiquity of the capabilities of our technology, the ubiquity of cell phones that we can have what I might call MFA with a cell phone and that's the start of password list that can that people can really wrap their hands around, even though I think. What we're what we're talking about when we talk about password list is the natural evolution of two trends from the last 20 years and that's single sign on and MFA multi factor authentication those two working together kind of. You know and adding smartphones in every single person's hands and complimenting Fido On top of that will say another word about Fido in a few minutes so hold your questions. I think that's what put some meat on the bones of password list today.
Mike Engle: yeah yeah and and password list really for us at one cosmos it's a feature of using your identity to authenticate. Right and that comes to really the topic of the webinar the identity crisis and password list. So just because you're using something besides a password doesn't mean you know who it is that's using it right, so I can take your username and password and give you a Public Private key pair and use your touch ID on your phone, but how do I know it's you, and if you come to the Wikipedia definition of password list. I chopped some of the stuff out to make this you know, really, to the point and it's an authentication method that does blah blah blah without entering and having to remember a password or any other knowledge base secret and then it goes on a little more in the paragraph and it says. A secure proof of identity through a registered device or token So how do you have proof of identity right. What is it that proves that this is Steve hunt at the other end of the line right it comes down to the word identity. And this is where the crisis is and most password list solutions So how do you define identity, and I think you might know where this is going on the next slide Steve but the figurehead up.
Steve Hunt: I did this big survey the first independent industry wide analysis of all the password lists solution vendors out there and one cosmos got special recognition in that report, for its answer to this question of what is identity to go on Mike.
Mike Engle: So this is from either Webster's or one of those real dictionaries right and it's The fact of being who or what a person or thing is a fact right.
So Steve today I would think that you're if I log into your bank website today Bank of America chase whatever you use and I had your username password and I had access to your email your your text messages I could log into that account at least that's the way mine works if you had those things for me. Because my bank sadly doesn't do identity based authentication So the question is, does having a username password MFA or any of those things really prove identity and the answer is no, because it doesn't prove that this is the citizen Steve hunt that logged into that back right, I think this comes down to where Hopefully, this is what you were talking about for the special recognition.
00:16:31.650 --> 00:16:37.710
Steve Hunt: Well, almost going and you'll see and I'll pointed out I'll say hey everybody, this is talking about.
00:16:38.010 --> 00:16:53.910
Mike Engle: Right, so the way we define identity and getting away from hope based authentication where you don't really know who's coming in, and they have to worry about all these different mechanisms to identity based authentication focuses on two very. Important and relatively new industry standards, the first is from the NIST body it's the NIST 800-63-3 and the purpose of that is to prove remotely who somebody is right, the government has gone through a lot of effort to say that. How do you establish a real identity and typically involves multiple what they call sources of truth? That can be strong or superior like a driver's license and password are superior forms of identity, compared with somebody live face, right. And if you think about how you prove somebody identity in the quote real world TSA state trooper pulls you over whatever it is it's very similar you have a trusted credential compared to your live face. And that, combined with the password list technologies embedded in the same standard there's two sides of it there's how you prove where they are and and how you use it. And Fido is also a mechanism that covers how you use it and you mentioned. That we'd be talking a little bit about Fido here and now, is our chance right so putting this together is is how we think about identity and the word password list isn't really a part of this identity based authentication is all about identity.
00:18:13.950
Steve Hunt: For folks who aren't crystal clear about Fido it's an alliance, the Fido alliance is the standards body it's made up of over 250 companies government agencies around the world and. With the mission of standardizing and simplifying cybersecurity and it's got a couple of standards out here the the fighter to that we're talking about here is includes something the audience may have seen the Web on earth and web athan specification, plus the client to authenticator protocol called see tap so there's some geeky side to this really boils down to something pretty simple we get to validate the quality of a user's identity during. An authentication event during the different stages of a transaction and weaved in with single sign on and strong authentication, that is what is especially cool about. Our conversation right now about identity it's how to make this practical usable and in order to use jargon seamless I guess. During the transaction so that it's not an annoying layer anymore.
107
00:19:39.810 --> 00:19:55.440
Mike Engle: yeah no you're right the Fido alliance nonprofit been around for almost 10 years and they've done yeoman's work to get this to become a real thing right with without this There probably be 10 different fragmented standards out there to how to how to implement these things, and then. On the converse side on this side the certifying body, the nonprofit there is called the kantar initiative So there you know the globally certify companies to be able to prove identity remotely and we are one of the few companies that has both can Tara and Fido certified, so these we think they're very important but we're finding out that we're not the only ones right government bodies and large corporations care about these standards.
00:20:22.500
Steve Hunt: Now this is really good on paper, this shows that okay Mike and his team at one cosmos have done their homework but I get turned on by how the technology really works and I don't remember if you said you're going to show us some more of this but let's keep going because I want to point out, for the audience the things that I think are particularly interesting about this.
00:20:46.020
Mike Engle: yeah for sure so we think that standards right when when you have a standard, it allows technology to to you know become ubiquitous right so examples on the authentication side or your saml and oh IDC they allow your current log on to be used in multiple places and with a layer of trust, and so I have a standards based view of what we refer to as user managed identity. And there's four actually more than that, but four key standards here that tie all this together, and how organizations can leverage identity, rather than leveraging. You know weaker forms of authentication so on the enrollment side, this is that NIST 800-63-3 side. What's typically done is you are given a key and enrolling your biometrics rights right there out of the box, you have those two factors that don't involve a username or password. And then you can strengthen it with several forms of industry identity or citizen identity.
So the most common type is right scanning a driver's license or passport or other national identity document. And there we support 150 countries right that's it's a very well maturing space with lots of players in it, but you can take it a step further. And leverage, you know embed your corporate identity on top of that as well that could be your active directory or X five or nine. And then there's some really neat global initiatives coming out around bank and TELCO identity. So I'm going to pop one up here on the screen, that is not that well known, but will be soon in the US, that is your TELCO identity that can be used a login soon to thousands of websites called Zen key. So that's you know, the first pillar of identity that the way we think about it is that that that the enrollment. And then, using that identity anywhere here's your 863 dash three be combined with fight out to allow it to be used without usernames and passwords so I'll pause there and see if you have any thoughts on that Steve.
00:22:56.400
Steve Hunt: yeah this is, this is what most people forget about that enroll part is the the tedium that happens, by HR or security, taking care of identifying who we are in a workplace, and then the initial paperwork, maybe at our bank to open an account that's where this enroll happens and it's. And for a lot of online. Retailers and businesses that enroll part is pretty weak and we focus our energy on authenticate like giving them a user ID and password helping them change it when they lose it and maybe even giving them two factor authentication like an SMS code to their phones and the thinking has been that Okay, as long as we do something a little more robust around authentication then. The rest of the transaction is reliable, but Mike, as you have already pointed out just by talking about these two elements so far they're intrinsically weak and the way the way we've deployed them over the last 2030 years and it's only the combination of technologies and approaches that you've put on this slide that I think if the audience focuses on it a little bit and just let it soak in they'll have this Aha moment the same one I had, which was I yes it's it's a combination of factors. At enrollment and a combination of factors at authentication that really make this strong, yeah really strong authentication.
00:24:45.690
Mike Engle: yeah exactly and and the the other anchors are really key because you can get a lot of people to scan a driver's license it's a very heavy thing to do, though. I imagine you're just trying to do something that needs medium security it's you know logging into your Saks fifth avenue account. You that's not a high level of trust needed for that there's no html or anti money laundering or KYC required for that. But sacks would really like to have a stronger identity coming into their website, and so this is where banks telcos and other industry sources of truth can be used so I'll show you one here for those that haven't seen it, this is the TELCO initiative in the United States called Zen key so what's happened is the three carriers have come together to form a digital a trusted digital identity that can be used by Saks fifth avenue to onboard a new user and to authenticate them without usernames and passwords right, so this is great, because this is this this gets over the issue of scale of you know how do you get network effect and get user adoption well everybody has one of these carriers already.
So their existing at amp T T mobile Verizon or the Zen APP itself will let you do this, so let me hide my phone number, this is how I login to the my at amp T account now and I'm not going to do that because I have an embarrassing phone bill. So I press a button here I whipped out my Zen key APP or my at amp T APP I scan this code and I'm in this is an example of an industry anchor I didn't need to scan my driver's license for them to prove who I am.
00:26:28.890
Steve Hunt: I see this sort of thing is, as the future. I didn't even dream of such an alliance, years ago, but now that this is becoming real I'm excited about it.
00:26:44.37
Mike Engle: yeah and globally there's this has happened in other countries right United States is a little big and messy for it to happen fast so that's why I'm excited that this is happening here. The banks are perfectly positioned to have a trusted identity right if I could log in my Wells Fargo account you know, instead of login with Google or Facebook. I would log in with Wells Fargo across thousands of website I would trust that I trust my bank with everything else, so I think this is a great first step. You said you wanted to see it, you know, right here on our websites the.
Steve Hunt: Mike before you go into that - an attendee is asking provocative question how is this sort of a login with Zen key. Any different than just logging in with my Facebook authentication or my Google authentication.
00:27:32.670
Mike Engle: that's a great question alright so there's a couple reasons for that first.
Facebook and Google don't need to have any proof about who you are the carriers do so, the carriers, when you go to open a new phone line or phone account they do a credit check and most times they need your proof of citizenship and your driver's license to open that account.
Secondly, they know and trust your mobile so was then key hands, along with the authentication is not only am I, is this Mike angle, but this is the same like angle that's had the same phone account for 12 years. And it's the same same it hasn't been Sim swapped right and so all those end if you know, without my consent, they could even share location right the. Carriers know where my phone is all times they know that it's not in Uzbekistan at a minimum right, so they can provide a fraud score along with that authentication signal login with Facebook, I could be anybody right there's no really sense of assurance there.
00:28:42.810
Steve Hunt: yeah I know people who aren't who they say they are on Facebook for sure okay yeah just that answer alone makes me pretty confident and Sankey thanks.
00:28:53.070
sure.
00:28:55.170
Mike Engle: So just following this through the login with QR code in from our perspective is one of the primary mechanisms that's going to change the way we engage with remote systems. Mike Engle: Then key is already an indicator of this you're seeing it from some of the banks right so now. If you're a city customer, you can log into your city bank by scanning it with your city APP on your phone right on the Channel experience trusted Public Private key pair cryptography etc. So, as I mentioned, our audience can can try this or anybody can just by simply coming to our website grab the APP and with the press of a button. I'll show you how this works.
Scan a code give consent and it's showing some really basic information about the session right we don't go deep into identity verification for just a simple come to our website DEMO, but you can dive further into that and do higher levels of DEMO there as well. So that experience as you saw it's that easy every time whether you're logging into your your your bank resource windows workstation into Okta paying for drop whatever it is. That's it no more username no more password face it touch ID or, even better, real biometrics right because real biometrics is one of the key differentiators.
00:30:24.600
Steve Hunt: So you think of this as the front end to your single sign on so use this as the authentication event. And hand this token essentially off to the single sign on the single sign on logs you into every application all day long as needed, so this is the password list front end to single sign on this way I look at it yeah.
00:30:50.700
Mike Engle: yeah and the model of where identity is going in the future all right let's talk about this for just a second because I'll give a demonstration of this, if time permits, is they call it the trust triangle, you have identity issuers today I get my identity issued by the government driver's license or passport in a digital world now I can be issued an identity by Zen key alright, so that would be an example of telcos flash Sim. And you know if you ask the the research and the analysts and the industry experts and even the big tech companies they feel like these are. The trusted sources of truth that could be used to for you to prove who you are remotely right multiple options in that journey once you've done that you're handed the cryptographic proof of possession of that digital certificate put in your digital wallet. Now, one of the standards that I mentioned to something called decentralized identity, this allows your identity to be used in a cross company cross industry or even cross country scenario with privacy, preserving features. And the real the real root of trust here is that the verifiers right So these are the downstream service providers the Saks fifth avenue like I mentioned. They will trust this enrolled exercise, and this is what's being set up now globally in different verticals different you know automotive healthcare banking etc and we're super excited about the potential here, are you following this space Steve.
00:32:24.570
Steve Hunt: Well, I know, one of our audience is and they they asked an inch a fun question, I can I. Can I use this with one cosmos or with Zen key or something and go through this proofing process and then use it later for some other login somewhere else, and in this digital wallet may hold the key What if all of my identity attributes were individually parsed and stored in this digital wallet could I then just present my digital wallet to any participating commerce site or browser?
00:33:04.260
Mike Engle: yeah that's that's the promise of decentralized identity of self sovereign identity it's called me some circles. And, and why we built the platform with those standards under the hood because when let's say we've got three big institutional. Wall Street customers that are our customers with them just simply defining the business arrangement and turning on you know participation in an identity directory. Those identities can flow cross stream so you're not enough to set up heavy federated authentication between them, for example. So it's just a matter of the end you know the the organizations wanting to plug in and participating and there's a lot of these popping up globally around the world, already.
00:33:51.780
Steve Hunt: Okay, so one day we're still, this is still the one day scenario one day we'll be able to have this have these distributed identifiers relied on and used by the various sites, we visit.
00:34:08.130
Mike Engle: For sure one day is here in some other countries, for example in Singapore, they have something called sing past which is used at hundreds of merchant and government websites in South Korea, they have SK pass you know SK Telecom, one of the big providers and again your driver's license can be put into your identity. They prove that you have the mobile number, and you can go log into all kinds of downstream systems and do payments so.
Those you know nice small 40 million person countries they can get it done here in the US, we have a little more wood to chop before it's going to happen, but again he's there today it's happening, the bank step up to the plate and form a trusted bank identity we've got two of the three that we need to really make it happen, the third being the government. And we're seeing now apple right have a relationship with some of the states in the TSA. So it's popping out right imagine you can use your apple ID or your you know Google's going to have to step up and do the same thing right it's really opening up the doors and allowing your identity to go digital the way it should.
00:35:16.440
Steve Hunt: yeah exciting stuff yeah.
00:35:19.080
Mike Engle: So I'll show one more example and then we'll head over to Q amp a, so I think, similar to what the participant was asking the question here can your identity be used in different scenarios, so in my wallet This is my production wallet so is my real phone, I have several identities in here right and with the press of a button, I can come to my corporate portal and authenticate into my workforce applications now here's one of the big differentiators you can see my real biometrics.
00:36:00.060
Steve Hunt: We don't see anything.
00:36:02.010
Mike Engle: I'm sorry, let me refresh my screen. Okay, so on the left is my phone I'm sorry on the right is my phone on the left is is our corporate workforce authentication portal, not a lot going on here right, not a lot to type in.
00:36:20.430
Steve Hunt: Russia, this is not the prettiest site I've seen.
00:36:23.280
Mike Engle: So I have multiple credentials in my wallet I've got a banking credential I've got a workforce credential and with the press of a button, I can simply scan this code and do real biometrics validated that's a certified by metric engine and to your point now I'm getting into my sso applications my windows workstations or my downstream Apps right, that same identity, could be used for really by any third party as long as the trust is set up between the parties that's what it was designed to do.
00:36:57.330 --> 00:36:57.600
Right.
00:36:58.650 --> 00:37:05.520
Mike Engle: So um I think will CAP it there and get into QA we have a couple questions coming in.
217
00:37:06.570 --> 00:37:13.440
Steve Hunt: And we've we've addressed some of these but there's one scroll up and look at the question in the chat from Mauricio around fragmented digital identity silos and zero trust world maybe we can both tag team on that. Look at it and tell me what you think of that Mike.
00:37:27.420
Mike Engle: Yes So all the silos in a zero trust world right yeah for sure. That's the risk whenever what you know here on the left, you have these layers and the the layer one just like your trust your osi model right physical data link etc up the application layer and layer seven there's multiple layers in an identity stack. And layer one is kind of the The ability for an identity, just to move between two parties that's the the main industry body there it's a part of the Linux foundation called trust over IP. So that is there in place today and there's a couple trust over IP networks already out there functioning in different parts of the world to some in the US some in Europe, etc, getting further up the stack and how wallets interact.
Now you're you're seeing a little bit of fragmentation and it's going to take some time for the tech giants, I think, to come together right is that apple wallet that's holding the credential standards based and actually do you know the answer to that one Steve I don't really sure it's not. Maybe maybe somebody in the audience knows and can comment if they if there's anything about the apple wallet that standards based but that's typically not how apple operates so right there's a problem apple has created a digital driver's license and credit card wallet that can only be used by apple people. And that's their their M.O. right they do that with things like I message and create their walled garden. But there are industry standards that come out of w three see on how a wallet should be defined and how you can use across party and moving further up the application stack will be happening over time as well, so Maurice I think I think you you very much plugged into this and know that the challenges there there's an interesting group called the code credentials organization that defined how you should put a coven vaccination credential into a digital wallet. And we're a member of that there's you know dozens of Members so you're seeing some real good work come out of those taxi groups as well.
00:39:40.440
Steve Hunt: seems like we address the other questions in here if I'm wrong then feel free to send a note to us, Michael How do people get in touch with you.
00:39:51.750
Mike Engle: Great question, I hope you don't mind, but I took the liberty of popping up your email address on this slide as well, so let's get this back up here. Alright, so yeah obviously our website is a great source of information, we are very open our over our documentation is online, you can experience it live feel free to reach out reach out to me or contact us on the website and Steve do you have any events coming up that you want to tell the audience about.
00:40:24.420
Steve Hunt: Oh I'm speaking at the API conference that's the petroleum industry cyber security conference next month, so if any of you are related to critical infrastructure feel free to connect to that conference great presentations there.
00:40:44.010
Mike Engle: awesome yeah there's a couple other questions I'll just read through because, just to wrap up here, will we be sharing this presentation, with the participants, the webinar is being recorded and it will be posted on our website, probably by tomorrow, so you can review it there I'm not sure if we'll have the slides there as well, but if you reach out to us, be happy to send this deck over and a few other slides to go with it and there's a handful of other questions specifically about Sankey that are probably out of scope.
00:41:13.590
Steve Hunt: yeah I think I think we're done yeah. Well hey everybody, this was a this was a pleasure Mike I always always enjoy these conversations and everyone, I hope you got something great out of it and feel free to keep in touch.
00:41:30.300
Mike Engle: yep thanks for coming see have a great day, everybody.
Steve Hunt: I'm ready to rock and roll Mike.
Mike Engle: Alright well thanks everybody for joining my name is Mike Engle, with one cosmos I run strategy I'm joined today by Steve hunt from the ID Nevada group Steve Would you mind saying hello and introducing yourself, give us a bit about your background.
Steve Hunt: hey everybody I'm a strategic advisor at it no Baraka I 10 of our because a boutique advisory firm for financial services and insurance and I've been covering identity management for about 30 years happy to join your MIC.
Mike Engle: Thanks yeah and just a little bit about one cosmos we're redefining the way customers and employees engage with identity and prove who they are remotely. Today we're going to focus on the concept of password lists and kind of what it really means in the industry, what it should mean what it means for us so it'll be. Less a slide where slide presentation, a little more dialogue to go along with some slides and conversation, and hopefully you'll find it enjoyable we also have the Q amp a open so as you're going along if you have a question feel free to pop it right into the chat we have. A couple of teams are members of the team will be moderating the chat and we'll try to answer them in real time if it's relevant to the topic that we're discussing at the time. Alright, so I'll just do one warm up slide here, we do have a real time live experience that you can do directly on our website so if you go to one cosmos calm. And just say experience you can go grab the APP out of the APP store and just try a password list experience it takes about a minute total and most of that time is spent downloading the application right. And then from there, you can even drill down and do a deeper evaluation of the product, without having to interact with any humans right so feel free to try it out we'd love your feedback on that as well. So so let's jump in we're talking about a very specific problem set here, and it really is a lack of identity in our identity and access management systems. And it's funny Steve I know I mean I know you back from geez late 90s early 2000s going way back to our work together on Wall Street and. We've been doing identity in our IT systems for 20 plus years but you really don't have identity. At the heart of what we're doing today I think about what did identity mean for you and your clients back in 2000s can can you even put a you know, a finger on that.
Steve Hunt: You know identity has always been this like this annoying layer of of our security architecture is this this orphan. Poor thing because it's like we just want to get past it we just want to like deal with it, so we can get to the good stuff let's roll out a security architecture or let's let's put together asset. Asset Management and access, controls for every asset and resource in the organization and for every person with their privileges and all of that is seem to be the meat and potatoes and oh yeah yeah yeah. We need to know who these people are first and to identify them and then authenticate them, and that was always been like this tedious task often relegated, as you know, to the physical Security Department way down at the end of the hall. At the end of the darkest corridor in the basement of the building where you get your picture taken gutter ID badge and. Maybe got some of your first passwords so it's hesitant, you know it's I think of Rodney Dangerfield I think of identity it's like you know never getting quite the respected needs.
Mike Engle: And sorry yeah you're only corporate identity was really your badge with a little picture on it with the horrible quality and then your active directory, and then the 50 other systems like mainframe and whatever but those aren't identity right they they are what I call hope based authentication.
Steve Hunt: What do you mean by hope based?
Mike Engle: yeah so you hope that the person, first of all can remember their username and password. You hope that they don't get messed up when you force them to change it every 90 days and now they're getting 16 characters complexity requirements. You hope they don't get stolen you hope they don't use the same password that they use on Facebook. And then you start putting band AIDS, on top of two FA and codes and security tokens and all those things you hope they don't lose that and you hope all that stuff doesn't get man in the middle there finished by bad guys.
Steve Hunt: Right that's that is so hilarious I think I have heard you say that before that.
Mike Engle: yeah yeah I'm trying to get it to catch on but I don't have quite the platform yet so I'm working on it. So I'm we're migrating away from home based authentication we're gonna talk about that here today. But you know along the journey of having to deal with passwords all the time is we have you know. I'm not trying to use food here to promote anything I don't need to the press does it for me, but. We know how bad the problem is because you know colonial pipeline or name your breach of the weekend and millions and hundreds of millions of identities being lost. In addition, all those systems that you mentioned Steve they have a lot of costs, not just for the software and hardware fees on them, but the complexity that they introduce to our environment right how many one time code generator platforms for customers versus employees. How many different ad trees, do you have it's just it's it's really maddening of what I think the the sunk cost is on this stuff right.
Steve Hunt: yeah for sure this is a it's a big challenge it just keeps getting bigger as organizations grow in organically through mergers and acquisitions they. They acquire more and more identity platforms more identity management solutions and even business units deploying their own identity systems that. It makes. The weaknesses, the historic weaknesses of credentials and like passwords especially challenging especially daunting for security personnel and especially ripe for the picking for those ransomware arsonists.
Mike Engle: destroying ourselves yeah, and so I have two slides that I would like to share with the audience, most of the audience today are probably it professionals. And we, I have a couple really new kind of fresh stats on the problem statement that can be used to help sell to you know upstream and management, the C suite even the board. And so, this is the 2021 Verizon data breach investigation report is only a few months old it's 114 pages of just incredible real world research right not made up statistics. And you see social engineering is still the primary way to get credentials from somebody right, so they the bad guys are really good at that here on the left. And then on the right side 85% of the breaches now they just they've classified this differently used to be. 81% was stolen credential now it's 85% involves a human factor, a human element right with credentials, being one ransomware being a major impact so take a screenshot of this. As well as the business impact right, this is why we get budget, this is why we do what we do. So I really like the focus here on business email compromise right They range from, of course, very low, depending on the size of your company, but up to a million dollars a pop.
For a business email compromise ransomware according to Verizon and their survey right, this is a very broad range goes up to 1,000,001. And this is cool, this is the Lockton companies they do cybersecurity insurance a very reputable company and just look at the stats they speak for themselves so i'm sure your clients Steve are very much this is top of mind for them right.
Steve Hunt: This is new data, the Verizon report gets better every year their their population of respondents gets better. All the time and the data you're showing my is is it's profound it, it shows that the bad guys are taking advantage of human error human foibles and the weaknesses of our identity infrastructure, both both of them they're they're using both of them in this in this intertwined multi faceted attack vector that they're they're using to wreak havoc on us and so this data is is sobering for sure.
Mike Engle: yeah it's going to move further and further into the consumer trend chain right imagine if they could ransomware my mom's phone because she clicked a link right it's going to ruin my weekend but, but you know now they're getting they can spread it out to millions of people with one you know potential vector. So we'll see how that goes, but these are you know real reasons why we do what we do and the things that keep us up at night.
So now let's talk about the solution right we're here to talk about password list, and you know there's a lot of misconceptions about password list. It's gotten so crazy with investments and every basically authentication company is now pivoting trying to call themselves password list, whether they really are not. But the goal of password list is to get rid of something that can be obtained by somebody else right, yes, typically. Your password username password or even those secrets that if you go sign up for some accounts on the web. My favorite one is go sign up for United airlines account and the last few questions like you know what was your mother's shoe size, when you were 12 or something. But those things can be found out by others right the credit bureaus have all been hacked all this data is out there. So that leaves us with a couple other factors that we can focus on right, and you can see, you know you know preaching to the choir a bit I'm sure, with the folks on this call.
But my question really for you Steve is, do you think that MFA is password list generically or is it a little more nuanced than that.
Steve Hunt: I'd say password list solutions, first of all, when I first heard password list a couple of years ago, I thought yeah right like that's on the one hand, is what we've been dreaming up for 2030 years a password list infrastructure. It in remember after 911 after Sarbanes Oxley and you know the crush of Enron, we all biometrics, where the was the talk of the town and we thought that was the beginning of the password list movement, but it wasn't. It's only now with the ubiquity of the capabilities of our technology, the ubiquity of cell phones that we can have what I might call MFA with a cell phone and that's the start of password list that can that people can really wrap their hands around, even though I think. What we're what we're talking about when we talk about password list is the natural evolution of two trends from the last 20 years and that's single sign on and MFA multi factor authentication those two working together kind of. You know and adding smartphones in every single person's hands and complimenting Fido On top of that will say another word about Fido in a few minutes so hold your questions. I think that's what put some meat on the bones of password list today.
Mike Engle: yeah yeah and and password list really for us at one cosmos it's a feature of using your identity to authenticate. Right and that comes to really the topic of the webinar the identity crisis and password list. So just because you're using something besides a password doesn't mean you know who it is that's using it right, so I can take your username and password and give you a Public Private key pair and use your touch ID on your phone, but how do I know it's you, and if you come to the Wikipedia definition of password list. I chopped some of the stuff out to make this you know, really, to the point and it's an authentication method that does blah blah blah without entering and having to remember a password or any other knowledge base secret and then it goes on a little more in the paragraph and it says. A secure proof of identity through a registered device or token So how do you have proof of identity right. What is it that proves that this is Steve hunt at the other end of the line right it comes down to the word identity. And this is where the crisis is and most password list solutions So how do you define identity, and I think you might know where this is going on the next slide Steve but the figurehead up.
Steve Hunt: I did this big survey the first independent industry wide analysis of all the password lists solution vendors out there and one cosmos got special recognition in that report, for its answer to this question of what is identity to go on Mike.
Mike Engle: So this is from either Webster's or one of those real dictionaries right and it's The fact of being who or what a person or thing is a fact right.
So Steve today I would think that you're if I log into your bank website today Bank of America chase whatever you use and I had your username password and I had access to your email your your text messages I could log into that account at least that's the way mine works if you had those things for me. Because my bank sadly doesn't do identity based authentication So the question is, does having a username password MFA or any of those things really prove identity and the answer is no, because it doesn't prove that this is the citizen Steve hunt that logged into that back right, I think this comes down to where Hopefully, this is what you were talking about for the special recognition.
00:16:31.650 --> 00:16:37.710
Steve Hunt: Well, almost going and you'll see and I'll pointed out I'll say hey everybody, this is talking about.
00:16:38.010 --> 00:16:53.910
Mike Engle: Right, so the way we define identity and getting away from hope based authentication where you don't really know who's coming in, and they have to worry about all these different mechanisms to identity based authentication focuses on two very. Important and relatively new industry standards, the first is from the NIST body it's the NIST 800-63-3 and the purpose of that is to prove remotely who somebody is right, the government has gone through a lot of effort to say that. How do you establish a real identity and typically involves multiple what they call sources of truth? That can be strong or superior like a driver's license and password are superior forms of identity, compared with somebody live face, right. And if you think about how you prove somebody identity in the quote real world TSA state trooper pulls you over whatever it is it's very similar you have a trusted credential compared to your live face. And that, combined with the password list technologies embedded in the same standard there's two sides of it there's how you prove where they are and and how you use it. And Fido is also a mechanism that covers how you use it and you mentioned. That we'd be talking a little bit about Fido here and now, is our chance right so putting this together is is how we think about identity and the word password list isn't really a part of this identity based authentication is all about identity.
00:18:13.950
Steve Hunt: For folks who aren't crystal clear about Fido it's an alliance, the Fido alliance is the standards body it's made up of over 250 companies government agencies around the world and. With the mission of standardizing and simplifying cybersecurity and it's got a couple of standards out here the the fighter to that we're talking about here is includes something the audience may have seen the Web on earth and web athan specification, plus the client to authenticator protocol called see tap so there's some geeky side to this really boils down to something pretty simple we get to validate the quality of a user's identity during. An authentication event during the different stages of a transaction and weaved in with single sign on and strong authentication, that is what is especially cool about. Our conversation right now about identity it's how to make this practical usable and in order to use jargon seamless I guess. During the transaction so that it's not an annoying layer anymore.
107
00:19:39.810 --> 00:19:55.440
Mike Engle: yeah no you're right the Fido alliance nonprofit been around for almost 10 years and they've done yeoman's work to get this to become a real thing right with without this There probably be 10 different fragmented standards out there to how to how to implement these things, and then. On the converse side on this side the certifying body, the nonprofit there is called the kantar initiative So there you know the globally certify companies to be able to prove identity remotely and we are one of the few companies that has both can Tara and Fido certified, so these we think they're very important but we're finding out that we're not the only ones right government bodies and large corporations care about these standards.
00:20:22.500
Steve Hunt: Now this is really good on paper, this shows that okay Mike and his team at one cosmos have done their homework but I get turned on by how the technology really works and I don't remember if you said you're going to show us some more of this but let's keep going because I want to point out, for the audience the things that I think are particularly interesting about this.
00:20:46.020
Mike Engle: yeah for sure so we think that standards right when when you have a standard, it allows technology to to you know become ubiquitous right so examples on the authentication side or your saml and oh IDC they allow your current log on to be used in multiple places and with a layer of trust, and so I have a standards based view of what we refer to as user managed identity. And there's four actually more than that, but four key standards here that tie all this together, and how organizations can leverage identity, rather than leveraging. You know weaker forms of authentication so on the enrollment side, this is that NIST 800-63-3 side. What's typically done is you are given a key and enrolling your biometrics rights right there out of the box, you have those two factors that don't involve a username or password. And then you can strengthen it with several forms of industry identity or citizen identity.
So the most common type is right scanning a driver's license or passport or other national identity document. And there we support 150 countries right that's it's a very well maturing space with lots of players in it, but you can take it a step further. And leverage, you know embed your corporate identity on top of that as well that could be your active directory or X five or nine. And then there's some really neat global initiatives coming out around bank and TELCO identity. So I'm going to pop one up here on the screen, that is not that well known, but will be soon in the US, that is your TELCO identity that can be used a login soon to thousands of websites called Zen key. So that's you know, the first pillar of identity that the way we think about it is that that that the enrollment. And then, using that identity anywhere here's your 863 dash three be combined with fight out to allow it to be used without usernames and passwords so I'll pause there and see if you have any thoughts on that Steve.
00:22:56.400
Steve Hunt: yeah this is, this is what most people forget about that enroll part is the the tedium that happens, by HR or security, taking care of identifying who we are in a workplace, and then the initial paperwork, maybe at our bank to open an account that's where this enroll happens and it's. And for a lot of online. Retailers and businesses that enroll part is pretty weak and we focus our energy on authenticate like giving them a user ID and password helping them change it when they lose it and maybe even giving them two factor authentication like an SMS code to their phones and the thinking has been that Okay, as long as we do something a little more robust around authentication then. The rest of the transaction is reliable, but Mike, as you have already pointed out just by talking about these two elements so far they're intrinsically weak and the way the way we've deployed them over the last 2030 years and it's only the combination of technologies and approaches that you've put on this slide that I think if the audience focuses on it a little bit and just let it soak in they'll have this Aha moment the same one I had, which was I yes it's it's a combination of factors. At enrollment and a combination of factors at authentication that really make this strong, yeah really strong authentication.
00:24:45.690
Mike Engle: yeah exactly and and the the other anchors are really key because you can get a lot of people to scan a driver's license it's a very heavy thing to do, though. I imagine you're just trying to do something that needs medium security it's you know logging into your Saks fifth avenue account. You that's not a high level of trust needed for that there's no html or anti money laundering or KYC required for that. But sacks would really like to have a stronger identity coming into their website, and so this is where banks telcos and other industry sources of truth can be used so I'll show you one here for those that haven't seen it, this is the TELCO initiative in the United States called Zen key so what's happened is the three carriers have come together to form a digital a trusted digital identity that can be used by Saks fifth avenue to onboard a new user and to authenticate them without usernames and passwords right, so this is great, because this is this this gets over the issue of scale of you know how do you get network effect and get user adoption well everybody has one of these carriers already.
So their existing at amp T T mobile Verizon or the Zen APP itself will let you do this, so let me hide my phone number, this is how I login to the my at amp T account now and I'm not going to do that because I have an embarrassing phone bill. So I press a button here I whipped out my Zen key APP or my at amp T APP I scan this code and I'm in this is an example of an industry anchor I didn't need to scan my driver's license for them to prove who I am.
00:26:28.890
Steve Hunt: I see this sort of thing is, as the future. I didn't even dream of such an alliance, years ago, but now that this is becoming real I'm excited about it.
00:26:44.37
Mike Engle: yeah and globally there's this has happened in other countries right United States is a little big and messy for it to happen fast so that's why I'm excited that this is happening here. The banks are perfectly positioned to have a trusted identity right if I could log in my Wells Fargo account you know, instead of login with Google or Facebook. I would log in with Wells Fargo across thousands of website I would trust that I trust my bank with everything else, so I think this is a great first step. You said you wanted to see it, you know, right here on our websites the.
Steve Hunt: Mike before you go into that - an attendee is asking provocative question how is this sort of a login with Zen key. Any different than just logging in with my Facebook authentication or my Google authentication.
00:27:32.670
Mike Engle: that's a great question alright so there's a couple reasons for that first.
Facebook and Google don't need to have any proof about who you are the carriers do so, the carriers, when you go to open a new phone line or phone account they do a credit check and most times they need your proof of citizenship and your driver's license to open that account.
Secondly, they know and trust your mobile so was then key hands, along with the authentication is not only am I, is this Mike angle, but this is the same like angle that's had the same phone account for 12 years. And it's the same same it hasn't been Sim swapped right and so all those end if you know, without my consent, they could even share location right the. Carriers know where my phone is all times they know that it's not in Uzbekistan at a minimum right, so they can provide a fraud score along with that authentication signal login with Facebook, I could be anybody right there's no really sense of assurance there.
00:28:42.810
Steve Hunt: yeah I know people who aren't who they say they are on Facebook for sure okay yeah just that answer alone makes me pretty confident and Sankey thanks.
00:28:53.070
sure.
00:28:55.170
Mike Engle: So just following this through the login with QR code in from our perspective is one of the primary mechanisms that's going to change the way we engage with remote systems. Mike Engle: Then key is already an indicator of this you're seeing it from some of the banks right so now. If you're a city customer, you can log into your city bank by scanning it with your city APP on your phone right on the Channel experience trusted Public Private key pair cryptography etc. So, as I mentioned, our audience can can try this or anybody can just by simply coming to our website grab the APP and with the press of a button. I'll show you how this works.
Scan a code give consent and it's showing some really basic information about the session right we don't go deep into identity verification for just a simple come to our website DEMO, but you can dive further into that and do higher levels of DEMO there as well. So that experience as you saw it's that easy every time whether you're logging into your your your bank resource windows workstation into Okta paying for drop whatever it is. That's it no more username no more password face it touch ID or, even better, real biometrics right because real biometrics is one of the key differentiators.
00:30:24.600
Steve Hunt: So you think of this as the front end to your single sign on so use this as the authentication event. And hand this token essentially off to the single sign on the single sign on logs you into every application all day long as needed, so this is the password list front end to single sign on this way I look at it yeah.
00:30:50.700
Mike Engle: yeah and the model of where identity is going in the future all right let's talk about this for just a second because I'll give a demonstration of this, if time permits, is they call it the trust triangle, you have identity issuers today I get my identity issued by the government driver's license or passport in a digital world now I can be issued an identity by Zen key alright, so that would be an example of telcos flash Sim. And you know if you ask the the research and the analysts and the industry experts and even the big tech companies they feel like these are. The trusted sources of truth that could be used to for you to prove who you are remotely right multiple options in that journey once you've done that you're handed the cryptographic proof of possession of that digital certificate put in your digital wallet. Now, one of the standards that I mentioned to something called decentralized identity, this allows your identity to be used in a cross company cross industry or even cross country scenario with privacy, preserving features. And the real the real root of trust here is that the verifiers right So these are the downstream service providers the Saks fifth avenue like I mentioned. They will trust this enrolled exercise, and this is what's being set up now globally in different verticals different you know automotive healthcare banking etc and we're super excited about the potential here, are you following this space Steve.
00:32:24.570
Steve Hunt: Well, I know, one of our audience is and they they asked an inch a fun question, I can I. Can I use this with one cosmos or with Zen key or something and go through this proofing process and then use it later for some other login somewhere else, and in this digital wallet may hold the key What if all of my identity attributes were individually parsed and stored in this digital wallet could I then just present my digital wallet to any participating commerce site or browser?
00:33:04.260
Mike Engle: yeah that's that's the promise of decentralized identity of self sovereign identity it's called me some circles. And, and why we built the platform with those standards under the hood because when let's say we've got three big institutional. Wall Street customers that are our customers with them just simply defining the business arrangement and turning on you know participation in an identity directory. Those identities can flow cross stream so you're not enough to set up heavy federated authentication between them, for example. So it's just a matter of the end you know the the organizations wanting to plug in and participating and there's a lot of these popping up globally around the world, already.
00:33:51.780
Steve Hunt: Okay, so one day we're still, this is still the one day scenario one day we'll be able to have this have these distributed identifiers relied on and used by the various sites, we visit.
00:34:08.130
Mike Engle: For sure one day is here in some other countries, for example in Singapore, they have something called sing past which is used at hundreds of merchant and government websites in South Korea, they have SK pass you know SK Telecom, one of the big providers and again your driver's license can be put into your identity. They prove that you have the mobile number, and you can go log into all kinds of downstream systems and do payments so.
Those you know nice small 40 million person countries they can get it done here in the US, we have a little more wood to chop before it's going to happen, but again he's there today it's happening, the bank step up to the plate and form a trusted bank identity we've got two of the three that we need to really make it happen, the third being the government. And we're seeing now apple right have a relationship with some of the states in the TSA. So it's popping out right imagine you can use your apple ID or your you know Google's going to have to step up and do the same thing right it's really opening up the doors and allowing your identity to go digital the way it should.
00:35:16.440
Steve Hunt: yeah exciting stuff yeah.
00:35:19.080
Mike Engle: So I'll show one more example and then we'll head over to Q amp a, so I think, similar to what the participant was asking the question here can your identity be used in different scenarios, so in my wallet This is my production wallet so is my real phone, I have several identities in here right and with the press of a button, I can come to my corporate portal and authenticate into my workforce applications now here's one of the big differentiators you can see my real biometrics.
00:36:00.060
Steve Hunt: We don't see anything.
00:36:02.010
Mike Engle: I'm sorry, let me refresh my screen. Okay, so on the left is my phone I'm sorry on the right is my phone on the left is is our corporate workforce authentication portal, not a lot going on here right, not a lot to type in.
00:36:20.430
Steve Hunt: Russia, this is not the prettiest site I've seen.
00:36:23.280
Mike Engle: So I have multiple credentials in my wallet I've got a banking credential I've got a workforce credential and with the press of a button, I can simply scan this code and do real biometrics validated that's a certified by metric engine and to your point now I'm getting into my sso applications my windows workstations or my downstream Apps right, that same identity, could be used for really by any third party as long as the trust is set up between the parties that's what it was designed to do.
00:36:57.330 --> 00:36:57.600
Right.
00:36:58.650 --> 00:37:05.520
Mike Engle: So um I think will CAP it there and get into QA we have a couple questions coming in.
217
00:37:06.570 --> 00:37:13.440
Steve Hunt: And we've we've addressed some of these but there's one scroll up and look at the question in the chat from Mauricio around fragmented digital identity silos and zero trust world maybe we can both tag team on that. Look at it and tell me what you think of that Mike.
00:37:27.420
Mike Engle: Yes So all the silos in a zero trust world right yeah for sure. That's the risk whenever what you know here on the left, you have these layers and the the layer one just like your trust your osi model right physical data link etc up the application layer and layer seven there's multiple layers in an identity stack. And layer one is kind of the The ability for an identity, just to move between two parties that's the the main industry body there it's a part of the Linux foundation called trust over IP. So that is there in place today and there's a couple trust over IP networks already out there functioning in different parts of the world to some in the US some in Europe, etc, getting further up the stack and how wallets interact.
Now you're you're seeing a little bit of fragmentation and it's going to take some time for the tech giants, I think, to come together right is that apple wallet that's holding the credential standards based and actually do you know the answer to that one Steve I don't really sure it's not. Maybe maybe somebody in the audience knows and can comment if they if there's anything about the apple wallet that standards based but that's typically not how apple operates so right there's a problem apple has created a digital driver's license and credit card wallet that can only be used by apple people. And that's their their M.O. right they do that with things like I message and create their walled garden. But there are industry standards that come out of w three see on how a wallet should be defined and how you can use across party and moving further up the application stack will be happening over time as well, so Maurice I think I think you you very much plugged into this and know that the challenges there there's an interesting group called the code credentials organization that defined how you should put a coven vaccination credential into a digital wallet. And we're a member of that there's you know dozens of Members so you're seeing some real good work come out of those taxi groups as well.
00:39:40.440
Steve Hunt: seems like we address the other questions in here if I'm wrong then feel free to send a note to us, Michael How do people get in touch with you.
00:39:51.750
Mike Engle: Great question, I hope you don't mind, but I took the liberty of popping up your email address on this slide as well, so let's get this back up here. Alright, so yeah obviously our website is a great source of information, we are very open our over our documentation is online, you can experience it live feel free to reach out reach out to me or contact us on the website and Steve do you have any events coming up that you want to tell the audience about.
00:40:24.420
Steve Hunt: Oh I'm speaking at the API conference that's the petroleum industry cyber security conference next month, so if any of you are related to critical infrastructure feel free to connect to that conference great presentations there.
00:40:44.010
Mike Engle: awesome yeah there's a couple other questions I'll just read through because, just to wrap up here, will we be sharing this presentation, with the participants, the webinar is being recorded and it will be posted on our website, probably by tomorrow, so you can review it there I'm not sure if we'll have the slides there as well, but if you reach out to us, be happy to send this deck over and a few other slides to go with it and there's a handful of other questions specifically about Sankey that are probably out of scope.
00:41:13.590
Steve Hunt: yeah I think I think we're done yeah. Well hey everybody, this was a this was a pleasure Mike I always always enjoy these conversations and everyone, I hope you got something great out of it and feel free to keep in touch.
00:41:30.300
Mike Engle: yep thanks for coming see have a great day, everybody.