Unlocking Security: The Passwordless Promise with 1Kosmos Identity and Access Management
It’s no secret that passwords are not meeting the security needs of workers, customers, and citizens or the organizations that serve them. Passwordless authentication has promise, but has yet to be widely adopted, and for good reason.
1Kosmos simplifies Identity and Access Management by effectively obsoleting traditional passwords and message-based MFA, reducing the attack surface for phishing and credential-based ransomware and data breach attacks.
I will send it back to you. Please introduce yourself and the 1Kosmos team and explain the product.
Right. Thank you. Let me just share my screen. Okay, so I will share my screen here. So firstly, I want to say thank you for joining us. Primarily today the presentation will be done by Jay and myself. Jay is our solution engineering director at 1Kosmos. My name is Albert and I'm the AVP of channel in the APAC region. What we will do is that we will start off with a demo. Jay will do a demo on authentication, and then I will talk a little bit about identity. I believe that we already spoke about identity. I will speak more about it in detail. Then Jay will come back and talk about how we do our products, and then I will come back in the end to talk a little bit about 1Kosmos.
Joining us is also one of our other colleagues called Amit. Amit will be in the background. If you have any questions, please put them into the chat and Amit will reply to all your questions. But please write to him in English because Amit hasn't learned how to read Thai yet. So maybe later on in the next webinar he might be able to, but right now, none of us can speak Thai. So sorry about that. Any questions, I'm sure we can translate a little bit later.
I'm happy with that.
Yeah. For him to continue with the demo, yeah. Jay, please. Thank you.
Thank you. So let me bring up my screen here. Hello everyone. So what I'm going to show you is how quickly you can authenticate. And like they said, you don't authenticate with OTP or passwords. You authenticate with who you are. Either the biometrics is through your facial recognition or using your fingerprint or some kind of biometrics, right? So let me show you how an authentication can happen. Actually, okay, so let's quickly go ahead and do an authentication. So this is a Windows machine, how an authentication can happen. Traditionally, you are going to put in your long username.
Jay, we are not seeing the full screen. We're still seeing a presenter's view. Yeah, that's right.
Yeah. Thank you. Thanks for that. Yeah. So traditionally how we authenticate is you type in your username, it's going to be a long username, and then your long password, and then wait for an OTP and then enter the OTP. So the problem with that is it takes a long time to authenticate and also the chances of fraud are also high. So if somebody hacks your password, they just need to get the OTP, right? Once they have the OTP, they can log in as you. Whereas with 1Kosmos, you don't need to do that. The authentication is very simple. You'll see now, right? So let me play this.
So you just click on this and then a QR code appears. So every machine, this is a simple way to authenticate. No need to type in any usernames, you just click on this button here at the login screen and the QR code will pop up. And what you do as a user is you take your smartphone, the BlockID mobile app, we provide a mobile app which can act as an authenticator through which you can scan the QR code that's in here. So you take the mobile app, scan the QR code, and then it is going to ask you for your consent. And after that it is going to check for your face. So here you just blink your eyes, smile, and that is a successful authentication. So very simple, very quick. You did not even need to touch the keyboard. That's how quick an authentication can happen using biometrics. So it is all MFA, passwordless, and very secure.
Let's say, for example, I walk away and then I need to come back. So I want to lock my machine and then go have my lunch and then come back and then want to enter again. So here I click on it and then a push notification to the device is sent, whether it's your phone or your smartwatch. It can help you log in again. So it's very simple authentication that can happen. So this is Real Biometrics. So this will help you provide the utmost security that is needed to log into somewhere where you have to be absolutely sure it is the same person that is authenticating.
So let me show you another example. Let me bring this up here. So this is a similar thing into a Linux machine. Say I want to authenticate using SSH, right? So I have my smartphone, what I need to enter is my username. And then I enter the push notification enablement. And then what I receive on the smartphone here is a notification. A notification comes to the smartphone, I service that and then do a face ID check. And then I am logged into .. okay, I need to approve my login. Another face ID check, and then an authentication will happen in the SSH. So this is one platform that can provide you login into many things. So whether you're using Windows or Mac or Linux or VPN or cloud application.
Let me show you an example for cloud application as well. So any SaaS application or even legacy applications for that matter. So here I'll also show you what's happening on my phone as well. I'll bring in my phone on the side here. So this is my smartphone that I have right now and I'm just casting the display here. So I'll open up the smartphone. So here, this is the BlockID mobile app, and this app will allow me to login into many things that are supported by or protected by 1Kosmos. So I'll select that particular ...
And then here I am approving my authentication. I'm getting in. Let's say, for example, this is my first time logging in and I want to access a SaaS application like Salesforce. I just click on that, and then in Salesforce I say I want to go to BlockID. You will see a redirection. Since 1Kosmos is an IDP, we can also provide you SSO using SAML. There are many different SSO standards. So I approve my authentication, face ID check, and then what you will see here is first I authenticate into 1Kosmos and then you'll be redirected back to the SaaS application the user tried to go to. So I'll be logged into Salesforce.
So really simple authentication, very quick way to authenticate as well. Let's say I don't have a smartphone. How will I log in? So if you don't have a phone, no problem, you can still authenticate. I'll show you one example and then we can move on. I'll give it back to Albert after that. So here I want to authenticate. Hold on one second.
So here, let's say I don't have a smartphone. So I want to authenticate. When I don't have a smartphone, I cannot log in with a QR code. So here what I'm going to do is I have my Windows machine. Let me open this up and show here. Here I have my Windows machine, I have my fingerprint reader on my laptop. I'm going to leverage that to authenticate. So what I'm going to do is I'm going to type in my username and then what I'm going to do is I'm going to ask the platform to use the Windows Hello that is on my laptop to authenticate.
I think there's some network issue here. Okay, so it's asking me for my fingerprint. I put in my thumb and my Windows authenticates me and 1Kosmos is able to leverage that Windows authentication to provide me a login. And then I'll see what are the devices that I use to authenticate, whether it's my smartphone or Windows Hello, or I can also use something like this, like a USB-based hardware security key, like FIDO2. So we can use that to authenticate. So there are many ways to authenticate in our platform. It's very quick authentication.
Sorry Albert, I took some more time over-
No worries at all, yeah. Yeah. So let me continue once you've stopped sharing. All right, so that was a very, very good quick demo on authentication and how we are authenticating very, very quickly. So let me continue and share my screen.
Okay, so here we are talking about what about identity and passwords? So we know that very, very well, right? So what are the problems with identity and passwords today? Today the problem with passwords is that the experience is very bad. If you know you have to change your password every 60 days, you get your passwords to be longer and longer. Now eight digits, now they go 12 digits, you need a special character and so on and so forth. And you forget your password. Password is also very much used for fraud, account takeover, phishing and so on. And when you use an OTP, what you call other-factor authentication, one-time passwords and all that, then it becomes very expensive. Different systems have different ways of logging in, so it's very complex. It's not very good.
What we need, we need to have a very, very good user experience. So right at the top, a user experience where Jay has shown you, you log in very easily, no need to remember a password, and also very secure. We need to bring the security risk down, take away phishing, take away account takeover and so on. And if we take those away, then we will minimize fraud. We won't lose money from fraud. People's bank accounts will not get stolen, the money. And in the IT area, we want to have efficiency. We want to have a single system that does MFA. No need to add another system. And this all must be able to comply with government and other regulations.
So what is possible today is that the user can now control their identity. I don't know whether you saw, but every time Jay does an authentication, he says, "I approve." The way he says, "I approve," it means, "I approve my identity to be used." So the user controls. If you don't have this, you can't get into the identity. And today we have very, very good cameras on our notebook computers, on our phones, and we're able to have biometrics that we can certify. So all this means that we now know who is the person who wants to log in. Once you know who is the person, a company can achieve very high security. Phishing is basically about someone, not you, using your account. That's phishing. Now, if you know exactly who is there, then the phishing cannot happen. If there's no phishing, no account takeover, then the fraud, ransom will all drop. And then if you take away all the passwords, the experience will be much better for people in the sense that, "I don't need to remember a password. I don't need to change a password." And logging in is a matter of three seconds, four seconds. "I don't have to wait for an OTP to come on my email or on my mobile phone."
So I want to talk about two aspects of identity here. Let me show you all the slide first. On the left is what we call the identity assurance; to establish identity. To know who is the person registering for something. On the right is to enforce authentication, or enforce the identity, meaning you want to know who is the person that is really logging in. Here the difference is that we are not looking at credential. We are not saying, "This ID, this password, this OTP is logging in." We are saying, "This person is logging in." We know exactly the person. You see the word NIST up there, N-I-S-T. This is the standard that is being used worldwide to talk about identity assurance and identity authentication. And here 1Kosmos is dealing all about identity, and identity is going to be the most important.
So digital identity today, basically what you do is that you use 1Kosmos, one single platform, in order for that platform to assess all your applications. So you need only one, on all your different applications, it's one to sign on. And then you get rid of all your authenticators. No need for OTP anymore because 1Kosmos does that, right? So basically you are talking about the 1Kosmos that is a system that allows you very, very quick login. So this is what we are today. Okay?
So I will stop here and I will let Jay talk about how 1Kosmos' work is providing us with this solution here. Any question, please remember to put in the chat so that we can answer. Just put in the chat the question. Right Jay, over to you for your 1Kosmos explanation.
Okay, thank you. So let me bring up my slide again. Hold on. Let me share my screen. Okay. So yeah, the 1Kosmos mobile app is not just an authenticator. It can do more than just being an authenticator, right? So you can establish your digital identity there as well. You can recover your accounts from there. You can do offline authentication as well. We perform also zero trust security checks on the device. So if the device is compromised, let's say somebody hacks into your smartphone, we will be able to detect it and stop the user from using that to authenticate.
And the mobile app is also a blockchain wallet. So you have the built-in data privacy because of the blockchain. And you can also establish your digital identity, like your driver license, your passport, your government-issued voter ID. So there are many different forms of identity documents that you can onboard onto your digital wallet. So your digital identity will be backed by some government-issued documents to enhance the strength of our identity assurance of that digital identity. So that you can enable.
And then we also do some advanced biometrics. So we are not going to just use the touch ID/face ID of the mobile phone. We will also use live ID, like I said. It's real biometrics where we capture the emotions of the user to log in. So I'll show you a little bit more about that. And with respect to government-issued documents, we support more than 205 countries, and within the country it's not just driver license and passport. So there's also voter IDs, in India we have other cards, in the Philippines they have their government-issued documents. We support all of that as well. So many different government documents are all supported. And yeah, we use real biometrics.
So here, we showed that. So this is our architecture diagram that tells you how we integrate with your environment. So on the right side you have BlockID. BlockID is a SaaS solution. It is a single-tenant architecture. Single-tenant architecture means whenever we get a new customer, we have a dedicated separate standalone tenant for that customer. So if there is a bank that becomes a customer, that bank will get a dedicated BlockID tenant that will have all the services. So the authentication services, the blockchain, the storage for the blockchain, all of those will be dedicated for that customer. So we don't do any sharing of that data or anything. So there is some built-in data protection provided by the blockchain. On top of that we have dedicated tenants as well.
So that's a platform that will be sitting in the cloud and then we also service it from your region. So usually customers in the APAC region leverage the cloud-hosting region as Singapore. Singapore provides. Whether you go AWS or Azure or Google Cloud, Singapore is usually a region that is supported, so we will deliver our services from the Singapore cloud. And the way we integrate with your environment is let's say you have an Active Directory in your environment and that is where all the identities are in your environment. What we do is we have this thing called a BlockID broker that will sit inside your premises, that will communicate with Active Directory, and it'll make an outbound communication to us. So whenever the user authenticates, we authenticate the user and then we check in Active Directory through our agent to see if the user can authenticate or if the user is disabled. So we check those things in Active Directory before we do the authentication. So that is how we integrate with Active Directory. And all the Windows, Mac, Linux machines that you will be using will be running the 1Kosmos agent that will help you authenticate into the laptop and also other applications like cloud applications, your VPNs, your firewalls; all of those other systems will also use 1Kosmos to authenticate.
So that is our platform. Any questions around here? Okay, I'll take that as a no. And another cool thing about our platform is the different range of authenticators that are available. So if you see at the bottom here, that is legacy MFA, right? So if you're using password plus OTP, whether the OTP is through SMS or email or the in-app OTP or your RADIUS or using push notifications, these are all really old ways to authenticate using MFA and attackers and hackers are using this to bypass MFA. So post pandemic, we have seen a tremendous amount of hacker groups that have bypassed MFA that are using this kind of MFA. So the industry is moving away from this kind of MFA. So where we are going to help you with is with 1Kosmos allowing you to leverage the biometric capability of the laptops or the workstations, whether it's a Windows Hello or the Mac Touch ID, or just a webcam for that matter that's there on the device, we can leverage that to authenticate.
And also, if you want to adopt FIDO as a standard, recently we met somebody who wanted to see if ... Taiwan, the government, is trying to have its own FIDO2 server. So we can integrate with FIDO as well. So we are a FIDO-certified platform, which will allow us to authenticate anything that is FIDO, whether it's a physical USB key that has the biometric capability or the PIN, we support that. Also, our mobile app is also a FIDO-based authenticator as well. So your mobile phone, any Android phone in the market where the iOS can act as a FIDO authenticator, we support that as well. Apart from that, we also do the live ID, which is login using your face. So the front camera opens up, it asks you to turn your head, smile, blink your eyes. So that kind of authentication is also possible. We can also send email magic links to authenticate as well.
So what 1Kosmos provides you is flexibility in the number of different ways a user can authenticate. So you as an organization can choose what are the best mechanisms you want to provide your users with. So what we have seen is customers who implement 1Kosmos typically keep the legacy MFA for a grace period, like six months. So users can continue to authenticate with passwordless OTP, but after that time, once adoption is high for the passwordless, we disable these kinds of mechanisms at the bottom, so you make it more secure.
Any questions, anyone? Okay, I take that as a no. And this is where 1Kosmos is going to sit. So when it comes to authentication, we are going to be sitting at the top, where any user interactions for the authentication will come to us, whether it's based on the QR code-based authentication or the live ID or leveraging the Windows Hello or the FIDO2 or just using the touch ID/face ID that's on the smartphone. Or if you want to do a RADIUS-based or a password plus OTP, all of those authentications will go through us and we will sit on top of your single sign-on solutions, your Okta, Ping, ForgeRock, ADFS. So all of those things we can integrate with. And if you have your CyberArk, Arcon, those kinds of solutions that do privileged access, we can integrate with them too.
And also your OSes, whether it's Linux or Mac or Windows and your network devices, the VPNs and firewalls, we can also integrate with them through standards-based integration, whether it's SAML or OAuth or OpenID Connect. And we can also do native. We also provide you web SDKs. So if you have legacy applications, let's say you have an application that was developed 15 years ago, a .NET application by a developer and you still use password-based authentication, we will provide you a web SDK. You just change a couple of lines of code and we will authenticate the user using the QR code. So even legacy applications you can support with passwordless. Let me check the chat. Somebody has asked a question. Pussit, can you help me with the translation?
No, this is Pussit asking whether-
Oh, he's asking. Okay, sorry, I saw only PP. I didn't know it was Pussit himself. Sorry. Okay. Okay.
And we also have something to help you with the account onboarding, the KYC/KYE process as well. Because we help you have a digital wallet, we don't just help you with authentication. We can also help you with the onboarding of the user. Typically, traditionally, when you hire a new contractor or an employee, how do you do it usually? The HR team is going to send the individual an email and is going to ask for the government-issued documents of the user, say their driver license or their passport, to verify that they are indeed the person that they're going to hire. So when it is done through email, the PII of the user is exposed. So it stays in the email forever. What we allow you to do is streamline the process for secure transfer of information when it comes to KYC/KYE. Let me show you how that's done, right? Just a brief demo.
So here what I'm going to do is let's say I am a new contractor that's been hired and I went ahead and used the mobile app to set up my digital identity. What I mean by that is I have downloaded the mobile app. So let me go through the app here. So I downloaded the mobile app and then in my app ... what I go here, identity. So here you see that I've validated my email, so I am in control of this particular email, and then I have validated my driver license, my passport. Since I was in the US, there's also social security number in the US that I have validated as well. And then I also have the live ID to get my real facial recognition done. And you see the date at the bottom here? That tells me the date of the blockchain wallet that this mobile app is. So that's the unique identifier.
So once I have this set up, then I'm ready to be hired. So what I do here, let me keep this on the side so you can see what's happening. So let's say I want to start the demo. So I have my phone, which is my digital identity wallet. So that has my digital identity and it has government-issued documents scanned to prove that physical identity is in charge of digital identity. Right now the HR team doesn't need to send me an email. All they need to do is show me this QR code, maybe on a portal somewhere.
Actually, hold on a second, let me ...
I think there's a question in the Q and A. So Amit, if you are there, can you answer that question? It's in the Q and A chat. It's a different-
In the chat, yeah.
Yeah. Well no, in the Q and A. There are two chats. One of them is the regular chat, one of them is Q and A.
Thank you. Thank you, Amit, for taking that.
Okay. So yeah, here I'm going to scan this QR code. So I scanned this QR code and then I'm going to approve the transaction where I am going to share my driver license or passport with the HR portal here. So here it is checking my actual biometrics, and then smile, and then that is going to be taken from me and then compared with my original set of expressions that I have registered with and then it authenticates me. And once the authentication is done, this HR portal, without use of any email, got all the information about me. It tells me my passport, the information that it got from the passport, my driver license scanned images and the information from there, and also where I'm authenticating from. I'm sitting in India in Pune, that's where I'm authenticating from. So the HR portal at the time of onboarding, no need to send any emails and expose the private data of the individual. It's very secure data transfer that we can do.
On top of that, hold on a second, we can integrate with something like SailPoint. So whatever you use for identity governance or identity lifecycle management, we can integrate with that to have an API-based integration to create the user in Active Directory and all those. So one thing you can leverage from 1Kosmos is when you employ a contractor or an employee, you can create an identity without a password. Or it could be a complex password in Active Directory, the user doesn't even need to know the password. So they get an enrollment email and then they can immediately authenticate into applications without using any passwords. So the danger of sharing the password with the new contractor or an employee is not going to be there. So it is very secure, end-to-end. From the moment the user creates a digital identity with you till the moment the user leaves the organization, it can completely be secured.
Let me look at the Q and A. So somebody has said, "That means we're back to the traditional platform." I didn't understand that question.
They're just saying, "Are we going back to the password?" I explained it's not that we are going back to the user ID password. PIN is set at the authenticator level. I'm typing the answer here.
Thank you, thank you. So yeah, from the application we can enforce what authentication I want. So I showed you the Windows login where just the face ID on the app was enough. But then I showed you the video where there was the actual biometrics that were captured. So from the application, you can enforce whether you want a touch ID/face ID on the device, or a live ID, or what kind of authentication you want. You can decide from the application level. So yeah, we do support password-based authentication because there are some customers who still want to use password plus OTP. So we do support it, but we recommend our customers to stop using that.
And we use our own platform. And when I was hired at 1Kosmos, there was no password that was shared with me. I started using my email through the BlockID mobile app. There is no password. I don't have a password at 1Kosmos that I need to remember. So I'm pretty proud to say that we are completely passwordless ourselves.
Okay. And another question is what challenges might authentication without passwords ... if a user encounters a situation where the biometric data becomes inaccessible due to injury and there's no alternative biometric authentication available-
I already answered them. We can use LiveID, right?
Okay, that's what you answered. Okay, thank you, Ahmed. It's okay. So that's an old question I'm reading. Sorry about that.
Okay. And just to go through the process of how do we scan these government-issued documents, what we do is from the mobile app, users can take whatever documents they need to prove with and then they scan the document. And then what the mobile app does is before it does the proofing, it is actually checking with the live image of the user. So the front camera will open. When you scan your driver license or passport, it is going to then open up the front camera to say, "Hey, I want to check your face if it matches with the document to see if you are the rightful owner of that document." So it is not going to let Albert use my identity card to onboard onto his wallet, right? It's not going to allow you to do that. So there's a lot of fraud checks that happen as well. If you put a photo on top of the ID, for example, we'll be able to detect that, and also the information that's in there. So we are able to capture the fraud that is happening there. And then like I said, you scan the QR code to transfer the images and then your HR, whether it's SAP or PeopleSoft, they can get that information from us and then kickstart a workflow to create the user identity in different endpoints.
So if you look at the NIST 863, it gives different scores. So let me go back to my screen. So here there is an IEL score here. So this score is dictated by the NIST standard that tells me if I come with one government-issued documents, then the score is one. If I come with no documents then it could be zero. My account could be a synthetic account, that is a bot account or a hacker. But once I come with two or three, then it's stronger assurance that I am a human account and I'm the rightful owner of this particular digital identity. So this score can also be provided at the time of authentication. So what some of our customers are doing is at the time of authentication to some sensitive applications, like say HR applications where I go check in my salary, you can put in logic to say, "I only want to allow users that have IEL score of two or more." If my account gets hacked for some reason and the hacker is trying to access my salary and HR information, if then the hacker has his own smartphone, the score will be zero because the hacker is not going to have the same government-issued documents that I have or the appearance that I have.
So we will be able to catch synthetic accounts from authenticating into applications. That is what NIST is suggesting the industry should adopt. And we have a couple of customers of ours who are adopting that. That's where the market is heading. And we are successfully able to tie the KYC user security with the authentication security through that.
So yeah, so that is the essence of the completeness of solution that 1Kosmos is able to provide, where the identity that was created at the time of KYC, that is completely identity proof, is able to be leveraged at the time of authentication as well. That is the completeness of solution that 1Kosmos is able to provide you.
Yeah, over to you Albert. Thank you.
All right, thank you. Okay, let me just share my screen again and go into the last parts. Thank you very much to everyone. Let me just share. Okay, so let us now talk about who is 1Kosmos. What is this company all about? So 1Kosmos is all about identity. Yes, Jay has shown, we are 99% decision accuracy in identity. We are quite an established company now with more than 50 million active identities that we are managing for many companies around the world. And we can remove 80% of the passwords if you put them on a side-by-side basis in the sense that if you give them two ways of doing it, the traditional way or the passwordless way, we find that 80% or more will go to passwordless within the first three months. We are also fully certified in our platform, from NIST to Kantara, FIDO, GDPR and so on. So we are fully certified with a lot of customers that are international, like Kotak Bank, the third-largest commercial bank in India. We're talking about Vodafone, big company, telecom operators, Union Digital in the Philippines, as well as international global banks like BlackRock and Jefferies.
What do we do in our platform? As Jay has shown you, I just want to summarize, is that we do verification of identity whenever it's required; financial institutions, insurance, telco and all that. We verify identity. We also provide the capability to do authentication, secure authentication for the workforce, meaning the people in your company, as well as customers. They could be bank customers, insurance customers. We provide the identity part in a seamless way.
So what we are doing is that we are solving three key challenges to give users a very common and easy experience. And as Jay showed you, we extend the passwordless beyond the existing platform to all the different applications and requirements. And at the same time, we support long-term business objectives in compliances, in upgrading of the network and so on. Here is a quick slide to show all the compliances that we face.
And in the areas of identity we have been recognized as a leader by KuppingerCole. We talk about identity authentication, passwordless, access management, customer identity, access and management, reusable, verify identity and so on. We have been leading those areas in identity. We win a lot of awards along the way. This shows the quality of the products, the company as well, such an important part of identity.
So that is the end of my presentation. I just want to again thank all of you and I want to add that we have a distributor, NextWave in Thailand. They are there. You can engage all of us, Jay, myself, Amit will be happy to have follow-up sessions with you, meaning we go exactly with you one-on-one, talk about the area that you are interested in, show you a deeper demonstration, give you information, as well as if you are able to create a requirement, we can talk about a POC and all that. Yeah. All right. So thank you very much again for this webinar. Thanks to my colleagues, Jay and Amit, and over to you.