Unlocking the Power of Identity Verification


Video Transcript
Robert MacDonald:
Okay, everybody. Welcome to our webinar today. We're going to be talking about how to unlock the power of identity verification. My name's Robert MacDonald. I'm the handsome gentleman on your right. I'm the VP of Product Marketing here at 1Kosmos. The handsome gentleman on the left of that screen is Mike Engle. Mike, why don't you give us a little introduction of yourself?

Mike Engle:
Yeah. Handsome is not anywhere on my LinkedIn profile. We'll start there. But, yeah. I'm a security geek by trade. I grew up in the era of modems and hacking CompuServe, and made my way into Wall Street Cybersecurity. Did that for quite a while, and now I'm all identity all the time. So, enjoying this world and the difference that we can make in it.

Robert MacDonald:
Yeah. I mean, this world is certainly changing quickly. I've been in identity for a number of years as well, worked at a couple of different identity-based organizations. Where identity is going is certainly a vast departure from where it's been over the last 20 plus years. There's been a lot of stuff happening over the last little bit that's going to initiate some of that change. A lot of the phone scams that we've seen, like at MGM, and other identity-based attacks that are really tripping up majority of the US/Canadian population, I'm based in Canada, so majority of the population in general. Including help desk workers are getting tricked to reset credentials for people that actually aren't on the other end of that phone. There's social engineering attacks where people are getting tricked out of their online account of whatever that might be, and their account's getting taken over and they're losing money out of their bank accounts, all kinds of things going on. You and I are going to talk a little bit today about ways that you can use identity verification to prevent a lot of this stuff from happening, right?

Mike Engle:
Well, yes we are. Let's get started.

Robert MacDonald:
Let's do it.

Mike Engle:
Yeah. We're going to talk about three distinct functions that every IAM program deals with every day. It's how do you get people into your system or change them to something better? We like to think of that as enroll, very simple. But simple in concept, but the way you do it varies. It's the number one question we have is, how do I deploy your tech without causing pain? We'll talk about that here today. But then at the time of enrollment, or maybe sometime later, what's really important is verifying the person that is at the other end of the connection. The example you gave, remote callers into a help desk, or an agent, a store associate and the frontline worker or in a factory that needs to prove who they are, or of course employees getting into the top secret critical systems or remote access, whatever it is.

This has been missing from authentication, period. It's time that it gets put together with the authentication process. We all know how to authenticate, we do it hundreds of times a day. Whether we're unlocking our iPhone or logging into your bank, you still have to prove who you are. Then maybe you could touch on what the industry thinks about all this stuff. There's all these little logos at the bottom here. What do they mean, Robert?

Robert MacDonald:
Well, they're certifications. There are ways in which you should be going about doing these things. There are guidelines that can help steer organizations, such as 1Kosmos and others, down the path to make sure that if you are doing verification or authentication or enrollment, that you're doing it in a way that meets market expectations and demands, right?

Mike Engle:
Yeah. We're going to dive deep into a couple of these. We're going to talk a lot about NIST 800-63-3, about Kantara Certification, which is the non-profit that certifies that other standard. We're going to talk a lot about privacy too, because when you start doing this stuff and you start looking people in the face with a camera, you can raise a lot of eyebrows in legal, or your customers may not just like it unless you do it right. Really important topics, we'll be diving into all that here today. Let's do that though. Let's dive a bit into... I have to turn off my little screen-drawer here. Let's dive into those two standards that I mentioned first, NIST 800-63-3. I didn't know what a 63-3 was until probably 2018. I hadn't followed it that much, but it seems to be all everybody is talking about in the identity world, mainly in certain business verticals. If you talk to Joe Schmo user, they're not going to know what it is, but the people who architect these solutions definitely do. Robert, what is it that really comes to mind when you think of 63-3?

Robert MacDonald:
Again, I didn't know anything about it really until I started working here, to be honest with you, because the circles in which I played in weren't covered by the circle. It's really about, how do I make sure that the person that I'm proofing is the person that's being proofed at the end of the day? How do I make sure that I know that either my employee or my customer, their identity that they're presenting is them on the other side of that digital connection? Because we are doing these things remotely these days, we're not doing them in-person anymore.

Mike Engle:
That's right. There's different levels of this certification. Really today there's three levels, one, two, and three. One is meaningless, and there's going to be another change to that standard coming out soon. But when somebody is certified for this, it means that they've gone through a process. It's like you wouldn't want to use a product in your house that isn't certified for UL Labs electrical stuff. It could burn your house down. What if you implement an identity verification thing and it's not certified? It could burn your IAM down. Maybe not quite the right analogy, but it is really important to have certifications. So, this standard has an A part of it, section A and a B section. The B section is authentication and it ties heavily into your dog, FIDO.

Robert MacDonald:
Yes.

Mike Engle:
Right, Robert?

Robert MacDonald:
That's right. FIDO, four legs. There are a couple of different ways you can certainly authenticate users, but after you did the identity proofing, how do you make sure that the person you proofed is now the person that is actually authenticating? Because as you and I know, based on the space that we play in, people share passwords all the time. Or they have their passwords phished and their MFA phished and then somebody else is in, and there's no way of proving that that user is who they claim to be through any part of the authentication step. But this certainly puts us down a path where we can prove the user is who they claim to be on the other side of that authentication, right?

Mike Engle:
Love it. Then there is a certification for this. You need to work with certified FIDO products, that is super important. Then when you start verifying the face of a person to these government documents, you need biometrics that are certified. One of the independent testing labs, very prominent, is called iBeta. So, these are some things you can look for in a product. Kantara, FIDO, and iBeta, when you put these together, we like to refer to them as Identity Based Authentication or IBA, and that is much better than HBA, which Robert, Pop Quiz, stands for?

Robert MacDonald:
Hope Based Authentication.

Mike Engle:
Good.

Robert MacDonald:
I wasn't prepared for that. But Hope Based Authentication, which a lot of authentication methods are based on.

Mike Engle:
That's right.

Robert MacDonald:
At the end of the day, right?

Mike Engle:
Yeah, it is. I hope that this is who they say they are, the password is them using it, the 2FA wasn't intercepted, et cetera, et cetera. There we go. Maureen, would you like to pop up our survey question so that we can just see what some people are thinking here? All right. What are you most eager to explore in this session today? Four questions popping up. I am not allowed to answer, so we'll give this a couple of seconds until people can answer. The questions are, instant document validation. This is typically hard to do. You have to go into person, or you're using a social security number instead so this gives you some great capabilities. Verifying remote callers, do you care about privacy? Some people don't really know it's a thing because they put their face all over videos like this today. Here I am putting my face out on YouTube again. Then the fourth option in the poll here is, how it can really improve the user experience and security at the same time. We'll talk about that. Thanks for that, Maureen. Okay. It seems that privacy is the number one-

Robert MacDonald:
Privacy is high. Yeah.

Mike Engle:
Yeah.

Robert MacDonald:
Interesting.

Mike Engle:
You start. Over to you.

Robert MacDonald:
In stack rank order here, we've got privacy and then instant state ID validation, then modern UX and remote caller verification. It's interesting, I don't know if we've ever put up a survey and privacy was top of the list.

Mike Engle:
Yeah. I think that it's making the circuit. You have the issue with deepfakes, which we'll talk about, and you have, "I don't want my face used against me in a court of law," which you could go make a deepfake for me right now and prove or disprove that I was somewhere. It's getting pretty scary. We'll talk about that as well. I mentioned the NIST 800-63-3 has several levels to it. This goes really way beyond just scanning a driver's license. If you've opened a bank account recently with a modern bank, I have to say that I guess the right way or I'll get in trouble, or like a Neobank or a recent Fintech. For example, go open a crypto account, they're going to scan your driver's license. I had to scan my driver's license recently to get a 2FA for my Ring doorbell. It said, "You have to do 2FA, but wait. We don't trust you so scan a driver's license." It's getting out there.

But scanning a driver's license is defeatable at some level, because the deepfakes are getting better. The face matching is only guaranteed to a certain level. When you combine that with other sources of truth, look the driver's license up in AAMVA, which is the DMV aggregator. Or let's ask them for their social, which that's not very secure but when you start triangulating all of this data, now you have a much higher level of assurance. These extra controls are what will help mitigate your deepfake threats. So, go get Kantara certified or get a Kantara certified product. It's great. IAL1 is really weak. IAL2 is very strong. IAL3 is super strong, superior, and it really involves an in-person or supervised process. IAL2 is where the world is aiming to get that high level of assurance from a remote location, right?

Robert MacDonald:
Yeah, absolutely.

Mike Engle:
Okay. I'm going to pop up a little chart on this. When people ask me, "What is the difference between just scanning a driver's license and NIST 800-63-3 IAL2?" Now, this is an eye-popping chart. I know, the graphics are awesome.

Robert MacDonald:
It's a good one.

Mike Engle:
But it needs to be simple, because people, sometimes they don't even know what a NIST is. It's not the thing that my birds are sitting in out in a tree. Really, when you're scanning just a document, what are you doing? Well, you can check for fraud signals and is the picture in the right spot and is the font good? Is there a hologram? But like I said, deepfakes are going to get very good at defeating that. Typically when you're just doing this, you are not verifying the data on it. How do I know that Robert MacDonald lives in Beverly Hills?

Well, you have to go out and do some extra, what's called identity verification. Now, many legacy banks are just doing this, and that's really scary, because the bad guys have stolen all of our identity information. I recently opened up an account with a big retailer, and all I needed was my social. They sent me a text message. I think I had to type in my address, done. Now I have a debit card coming in the mail. So easy to defeat, but it is an important piece when it's combined. That's really what NIST 800-63-3 does, it combines these things together, and adds on an address of record. So, this is really important too. Something the NIST standard says is, "You have to reach out to the person, add an address of record," not just some phone number they gave you and say, "Yes. I contacted them at their proven phone number or at their proven address." It's another step. It's a hurdle. The bad guys are going to go to the legacy bank and not to your bank. Right?

Robert MacDonald:
Absolutely.

Mike Engle:
That's how I like to think about this.

Robert MacDonald:
I guess the key thing to remember there too is, Mike, is that not all platform vendors that deliver capabilities do all of these things. That's not to toot our own horn because we know that we do the bottom one. But you do have to be relatively careful and cognizant of what you're signing up for when you go down one of these roads.

Mike Engle:
That's right.

Robert MacDonald:
And risk that's associated with each one of those, by either doing or not doing some of those capabilities.

Mike Engle:
Right. It really comes down to risk and user experience. Two examples. I'm opening up an account to be able to pay my taxes, or get my tax refund sent to me. The government mandates this, this is really important, but let's say I'm a big retailer and I have somebody walking up to the counter and saying, "I am Robert MacDonald," and today the agent will... I have a real license here. I'm going to show it on live. Will say, "All right." They eyeball it and they look at it and they get hoodwinked every time because the agent, the cashier doesn't know how to validate a document. "Well, let's scan it." Pop up their little point of sale scanner and scan it, and now you've upped the bar quite a bit. But in that example, you don't even need this because you've let the agent just look at the photo and don't put the user through that eeriness of having to, "Here, look at the camera." So, it depends on the risk, the environment, and you need customizable journeys on this that we'll talk about here in just a minute as well.

Robert MacDonald:
Right on.

Mike Engle:
Cool. All right. Enough of that. Let's move on to the identity assurance piece of this. This is really in line with the risk level. So, what does it mean by identity affirmation here on the left, Robert?

Robert MacDonald:
Yeah. So, this falls very much in line with how Gartner is viewing this as well. But the affirmation side of it is, you're collecting information from the user, but it's providing a relatively low assurance that that user is present. So, a phone number, an email, social security number, none of those things are necessarily tied back to the actual user. Frankly, there's no photo on any of these. When we get into the proofing side, which we're going to get into here in a second, with these types of identities you're just proving that somebody's in possession of something. Not that it's actually the person that owns it, if that makes sense.

Mike Engle:
Yeah, it does. Social login, it's okay for some things. But some of these are much stronger than the others. You have my phone number, I've had the same phone number for 30 years, and if I could prove possession of it that says something about me, it's pretty good. But to your point, somebody could have picked up my phone or swapped my SIM and now they're not matching it to my face. Right?

Robert MacDonald:
That's right.

Mike Engle:
Very important.

Robert MacDonald:
Then when you add those things into the proofing side, which you're going to cover here in a second, you talked about triangulation earlier, you talked about it here again. But that's where you really start to build a benefit of doing these steps, right?

Mike Engle:
That's right. Yeah. Going down the verification, we call this our identity pyramid. These are ways that organizations can verify identity and create what we call a reusable identity along the way. Here is where the internet has been since the internet has existed. You have an email address, maybe then you add, what? Just a credit card, and that's all you need in most... They're not low security because Amazon does care if there's fraud and Visa cares, but it doesn't prove identity at all. So, you try to add in all these fraud signals and figure it out without bothering the user. How's that going? What's the total in billions of fraud?

Robert MacDonald:
Fraud, and then technology layered on top of it. It's not just the fraud, it's all the technology you bought to try to catch it on top of it.

Mike Engle:
Exactly. You're looking behind the scenes, inferential. Then we start to add on all these other concepts that we've already mentioned. SIM binding is one that's unique to 1Kosmos. We can prove possession of the SIM in the phone, and we're doing this in international regions, even where they have two SIMs in a phone and you have to prove possession of it. It's a really nice factor. Then we go all the way down to a reusable identity, which we'll touch on here in just a minute. One of the most powerful user experience tools is something we call LiveID. We'll touch on that as well.

Robert MacDonald:
Yeah.

Mike Engle:
Excellent. How does it come together? In the first slide that we showed, you had three linking square links in a chain. Let's talk about how we create a reusable credential. We spoke at length about ID enrollment. How is it that we turn that into something that can be used over and over again?

Robert MacDonald:
That's the key thing here. Being able to take those steps, which typically organizations use and then they're a throwaway. It's a one and done. The cool thing with what we're talking about here and bringing it into authentication is that, here at 1Kosmos anyway, we're able to look back at that identity verification step and then use it to authenticate the user. By binding what we did at the proofing and verification stage, and then using it as the authentication method, I guess, if we look at LiveID, which we're going to show here in a minute, where we store a private key in the TPM of the device, which unlocks the user's identity credential of which then they're able to then utilize for authentication.

All backed with an immutable audit trail so we can track what users are doing. Or sorry, keep track of how users authenticated, but being able to leverage that step one and two there in this chart, where we use the enrollment and we use the verification, and then we bind it to the authentication with the private and public keys, is really where the power of a technology like what we bring here at 1Kosmos comes to light.

Mike Engle:
Yeah. That's right. Without enrolling, and authenticating without this, really is a weakness in our system that we communicate today and people should insist on it. Let's do that. Now, when you do these and we talk about issuance, then we can give the user a wallet. I just went through a proofing exercise, I scanned my face, my driver's license, my passport, whatever it is, and then I made sure that I linked it to the biometrics. These were tightly coupled. You had chain of custody of this experience in the same session. Great. Then we can now authenticate and know that it's that person every time.

We don't talk a lot about it too much, but under the hood of many well-built systems is a distributed ledger that has this chain of custody. If I can prove that at step one I was here, step two, I enrolled my biometrics, and then I'm using it, step three, four, five, each one of these can go back and verify, "Yep, this is still the same person that had that original exercise or credential under the hood." So, the term wallet or identity purse, I don't want to get in trouble with the gender police.

Robert MacDonald:
Satchel.

Mike Engle:
Your satchel. It is important. We all have wallets today. In fact, we probably have a dozen wallets on our phone. It just depends on what you define it. Do you have Apple Pay, Robert?

Robert MacDonald:
I do.

Mike Engle:
You have a wallet, right?

Robert MacDonald:
I do.

Mike Engle:
Do you have an app, a banking app?

Robert MacDonald:
I do.

Mike Engle:
That's a wallet, because you have a banking credential in there that's trusted by the bank. You can present it with face ID and there's no username and password. It's a digital signature flowing over the wire. You already have many wallets, but you don't have an identity wallet yet. Well, you do actually because you have the 1Kosmos wallet, but...

Robert MacDonald:
That is also true. Yeah. I guess one of the key things here, Mike, that we didn't really touch on the previous slides is that on that verification step, we're pulling that image off of the passport or driver's license like we have here, and we're comparing those images to a selfie that we capture, which is the reference biometric at the time of that identity proofing stage. We want to make sure that the images that we're pulling off those documents match the image that the user's providing at the time that that's all taking place. That's that reference biometric that we're talking about here. That's how we can do that chain of command that you mentioned a couple of seconds ago, is through that capability.

Mike Engle:
Right. Let's talk about why this is really cool, but also can be really hard. If you've been through some of these proofing exercises or you've gone to Clear at the airport, or there's different ways to do it. Sometimes you have a camera shoved in your face and they're telling you to get precise and they're scanning your iris or whatever. But when you're at home, there's a lot of benefits to that. I can be sitting on my sofa watching Seinfeld and creating a bank account that's trusted. But the bad guys are taking advantage of this as well. Sometimes the user experience is terrible. What we've done, and it's been really well received by our customer, is deconstructed the entire identity verification and fraud detection to make it incredibly flexible. How, you ask? Well, let me tell you.

Image capture, it is an art. You use the camera. Yeah, that's great. That's the science. But you have different quality camera, different platforms. You have webcams. Doing that right is hard. We have multiple ways to capture an image, and then multiple ways to extract the data, multiple ways to check it for fraud, for liveness, for deepfakes, et cetera, et cetera. This is really important because as I mentioned before, you might want to skip the selfie part. Let's just do some fraud mitigation here and get the results because for whatever reason, this journey doesn't warrant an image capture of the face. But wait. Maybe you want to use a face out of your corporate photo database, your access control system, instead of the selfie. Can you inject another type of selfie into this process? Flexibility in this journey is really important. When you do this, it allows you to flip the script a bit. I was expecting some ohs and ahs on those graphics there.

Robert MacDonald:
I'm still waiting for it to finish. It's amazing.

Mike Engle:
It is breathtaking. But you have those capture and flexible options in the middle. Then now you can do all of your checks on the periphery on each of these steps inside. What have you seen from our customers in the field about the time to adoption for these types of concepts?

Robert MacDonald:
Yeah. It's interesting, because every customer is different, and the use cases that they have and what they're looking for, like you said, some don't want to do the selfie capture for whatever reason. But that flexibility, like you said, is pretty key. I mean, we've seen customers get stuff like this up off the ground in as little as two or three months for 24 million users. The flexibility of the platform and being able to customize the journey that goes along with it is really core to our platform and our platform's capabilities. It really doesn't take a whole lot of time, once you know what you're looking for or once you know what you want to deploy. Sometimes that's the trick. But, yeah. I mean, we've seen very, very quick turnaround and you've been part of some of those deals.

Mike Engle:
Yeah. No, we've dropped this into help desks in a couple of days.

Robert MacDonald:
Oh, the help desk one, yeah. I mean, we're going to talk about that in a minute. That's an instant on. Yeah. Like you said, that takes less than a week.

Mike Engle:
Well, yeah. You teed it up for me. We have to talk about it. Let's step through this. There may be a lot of steps here, but it's really simple, and we'll show a live demo of this in just a couple of seconds. Not a live demo, a demo demo. Live demos are scary on webinars. When somebody calls the help desk, what do people typically do today to verify that remote caller, Robert?

Robert MacDonald:
It's all knowledge-based, right? "Hey, Mike. Glad you called. I'd be happy to help you out. Can you tell me your mother's maiden name? How long have you been employed here? What's your social security number? What's the last four digits of your credit card number?" All kinds of things.

Mike Engle:
Exactly.

Robert MacDonald:
Right.

Mike Engle:
All of that has been stolen 10 times over at a minimum. It is really useless. So, what we will do is the help desk agent will simply click a link. They will engage with the remote employee or customer, get a text message, and they from there will complete the journey to a verification. The beauty of this is, it's really right here. It's just getting a link and then handing it over to the user and then getting it back. You don't have to integrate it. Of course you can. We've integrated with ServiceNow and other help desk platforms to make it really tight, so it's maybe on the user's customer profile and they click a button, it's automated. But it's not necessary. Should we show it?

Robert MacDonald:
Yeah, I think we should, because it's super exciting.

Mike Engle:
Yeah. Let's do that. So, this is-

Robert MacDonald:
Again, something that we see a lot of heartburn for, with some of our customers. There are people pounding down our door, because we can do these kinds of things now. MGM, it was really the linchpin that started the wave of customers looking for this technology.

Mike Engle:
That's right. Yeah. Let's let the tape roll here. This is a one minute video, and on the left you have the help desk agent who's handling the call from the person on the right. It really does speak for itself. This first step is just to authenticate as the help desk user, so it's an authorized system. We do that by tying into Active Directory, Azure AD Entra, and that should be really a click and go. Now we're sending the user a link that they can work with in their email or on their phone. This is really simple, it happens fast.

We do it by scanning the front, checking the integrity of the document. All the fraud signals are handled here in real time. Now we ask the user for the selfie. Again, this is optional, but you do want to do a selfie for a high risk call. That selfie is now matched to the credential here, again in real time. Now, the help desk agent doesn't need to see all of this data. They just need to know if it's okay. So, what comes back? Well, a green check mark is really all that they need.

Robert MacDonald:
That's important.

Mike Engle:
Their run book is very simple. That's why we can deploy this in one day. You can dial these knobs. Well, this is a systems administrator who's trying to get root access into some system or whatever. Let's dial it up for those users and maybe even put them through some other type of check, maybe a second credential. Because what they'll do is they'll call and say, "I lost my phone. I don't remember my employee ID. But listen, Bob, the boss is going to fire me if I don't get in and fix the whatever." So, it's all based on social engineering and pressure.

Robert MacDonald:
I guess one of the big things here too, Mike, now that I'm looking at the screen, is that there's no additional information about the user being shared with the help desk agent. Driver's license number hasn't been shared, address hasn't been shared, nothing's been shared. From a PII perspective, it's just a pass or fail and a name.

Mike Engle:
Exactly.

Robert MacDonald:
Yeah.

Mike Engle:
Exactly. But it is all available. If you do need to retain it for whatever purposes, either internal auditing-

Robert MacDonald:
ID purposes or whatever, yeah.

Mike Engle:
It is all available. In fact, these data retention requirements are really important. We do have all this data here, but again, green check marks sometimes is all you need. This stuff can be redacted based on how you want to configure the system. Of course, role-based access to this data isn't just as important, so you saw the view for the help desk admin. You can have the systems administrators or the fraud team or the risk team have access to this stuff differently. We do make the integration with the help desk software.

On the left, you might have something like this would be the input screen, or it would automatically fetch it from the customer database or the employee database, and then present with just buttons that you would send the user. Maybe your policy says you have to send it to an address of record, that doesn't work for, "I've lost my phone and I, for some reason, can't get to the AT&T store because..." I don't know what the reason would be, "I'm on an island." But there's lots of different ways that this cat can be skinned. Let's talk a little bit about... Don't have Tom Yum soup before webinar. About the privacy.

Robert MacDonald:
Spicy.

Mike Engle:
Yeah, exactly. Whew. In March of last year, the White House put out a paper about preserving privacy, yet still using data, which are contradictory. How do you get my face, use my face, but use my face only for good? Or my whatever data, either my biographic or biometric information. In this paper, I recommend everybody just Google the title of this paper, there's a link to it here. Maybe we should send this as a follow-up to folks on the call as part of the deck. But they talk about a couple of technologies that allow you to work with user data, yet keep not only yourself safe but their data safe as well. These technologies are what are called PETs and PPDSAs, because I always say there's not enough acronyms in IAM. We need more.

Robert MacDonald:
I agree.

Mike Engle:
Yeah. We need two FAM, FARBA, PETs, PPDSAs, we need all that stuff.

Robert MacDonald:
UEDA, all kinds of stuff. Yeah.

Mike Engle:
Yeah. HBA, IBA. SAML, OIDC. We could go on all day, right?

Robert MacDonald:
We can go on FIDO. Yeah.

Mike Engle:
All right. That's it. We ran out. There's no more left. What this means is I can work with the data, but you want to remove as much of it as you can. Minimize, reduce, least data necessary. Sometimes you can even work with the data without seeing it. Two technologies that allow this are something called homomorphic encryption and multi-party computing. These technologies of working with data while it stays encrypted, have been in practice and research for 20 years. But it's actually been made practical through commercial implementations like ours in the last couple of years. Really exciting stuff. It's one of those things again where you ask a traditional CISO or head of IAM or engineering, they'll have heard about it, but don't know how it applies. We basically are using this to work with faces in a way that keeps them encrypted. Really exciting stuff. It's basically the same as working with hashes instead of working with the real biometrics themselves.

Robert MacDonald:
Right. Yeah. I mean, these privacy laws have continued to evolve. It started, GDPR was really one of the first ones to kick that off. But as we move into digital identity wallets and biometrics, those laws have to continue to evolve to account for some of the things that we're doing. Because at the end of the day, whether intentionally or unintentionally, vendors can do bad things with data where they're selling it off to marketing agencies so we can get them to buy stuff, being a marketing guy. But this stuff is really, really important, since now that we're really starting to deal with faces and some of the things that you want to talk about here in a little bit with the deepfake technologies that are coming down.

Mike Engle:
Oh, yeah. Don't get me started on deepfakes, Robert, just don't.

Robert MacDonald:
Okay. Sorry.

Mike Engle:
Too late. Now you did it. Come on. We were like, we're ready to be done. Now we've got to talk about deepfakes.

Robert MacDonald:
Yeah. It's almost like I knew what the slides were.

Mike Engle:
Sounds like you read my mind. But, yeah. There's been celebrities that have had their likeness created many times now, Elon Musk, Tom Cruise, Taylor Swift. But these attacks are becoming real. People are opening accounts and stealing accounts and doing things, so we need to stay on top of it. We have a whole set of research around this, where you can generate the content and you can go ask Sora or these other OpenAI-type tools to make images now. Go to the website thispersondoesnotexist.com, and it'll make a fake face for you. You could use that for synthetic identities.

Some of the techniques that are used are to use a picture of a picture, and we can detect that with reflection and some other ways to see that it's not real physical media. What you'll see sometimes is the bad guys have this picture on the left, which is obviously a picture of a picture. This is a photo sitting on somebody's desk. You zoom in a little bit and it looks pretty good. It looks like they're holding a selfie. But what's missing from this are a whole bunch of signals, that if your software is implemented properly, can detect that this is a reproduction. So, we've implemented these at various parts in the squiggly line stack that we showed a couple of minutes ago.

Robert MacDonald:
Right on. Yeah. It's scary stuff.

Mike Engle:
Cat and mouse game. Yeah.

Robert MacDonald:
It's scary stuff. But knowing that there are people like us working on it, certainly makes me feel a little bit better about it.

Mike Engle:
Well, good. I don't want you losing sleep at night. There's a real busy diagram, but the concept here is, there's a couple of different types of attacks. There's where I'm just presenting a fake image or face or document, and you can just hold these up to a camera, you can inject stills, and there's a couple of different ways that the bad actors will try to attack and do this. The other is with injection. I'm working with you now and I'm becoming somebody else in real time, maybe even doing what they call active liveness and fooling the camera. "Turn your head left, turn your head right, stick out your tongue," that kind of thing. We're on top of this. This is evolving. I'd say we're implementing new methods in our stack every three to six months, just because of how quickly the space is evolving.

More to follow there. I think we'll wrap it up today with a little bit of our deepfake demo. For those that were at some of the recent shows, like FS-ISAC, I had this rolling at our booth. But this is me becoming Jude Law. It's really as simple as pressing a button in a piece of software now. You can see I'm doing it now, obviously my hair's not as cool as his, but that's me again, coming back to normal. Now I'm scrunchy faced Tom Cruise. But my favorite one is, I think I make a really good Jude Krasinski. Boom, there we are.

Robert MacDonald:
There he is. John.

Mike Engle:
Again, I have to figure out how to get that hair. Once I get that hair, you can guarantee that I'm opening up an account as John Krasinski, and I'm going to probably be on Amazon as Jack Ryan, so I'm just warning you right now.

Robert MacDonald:
Yep, yep, yep. I mean, listen, getting his paychecks would certainly go a long way to helping you towards retirement, but absolutely. I mean, that stuff is so... I mean, looking at it just from an outsider looking in, playing around with that stuff is pretty cool. But you just showed me one earlier before you even jumped on, where you took a picture of me and then you started to look like me a little bit, which is somewhat frightening.

Mike Engle:
Yeah. Because man.

Robert MacDonald:
It's proof that there is something lower than where you already are. Do you know what I mean? Anyway. No. But it's weird. It's crazy that the technology is where it is today. But again, it's just staying ahead of where these guys are, to make sure that we have technologies to make it too difficult for them to do.

Mike Engle:
That's right.

Robert MacDonald:
It's cool. Really, really, really cool demo.

Mike Engle:
Cool. In closing, I think we've got a couple of things coming up that we might want to tell people about.

Robert MacDonald:
Yeah. We do. We're going to be at RSA. You're going to be at RSA, correct?

Mike Engle:
That's right.

Robert MacDonald:
Yep. On our website, if you do want to meet with us at RSA, you can go to our website and you can put in a request to sit down and chat with Mike if you like. That's May 6th to 9th. For those of you that are on the phone, I'm sure that you knew that because RSA is a very big event, as we all know. May is a bit of a busy month for us. Then after RSA, we're at Identiverse, which is in Las Vegas this year. I think it was there last year as well. I'll also be there too. I think you'll be there as well, Mike. That's May 28th to the 31st. As well on our website, if you'd like to book a meeting with us and chat a little bit more about the technologies and some of the things maybe you saw today, or even just swing by the booth at Identiverse, we'd be more than happy to show you some of the technologies that we've got in place.

Mike Engle:
Well, that sounds great.

Robert MacDonald:
Yeah.

Mike Engle:
Well, I appreciate the audience for coming on and joining us. Robert, thanks for helping me put this together today.

Robert MacDonald:
Yeah. Listen, I always like coming on with you, man. It's fun.

Mike Engle:
Yeah. We typically have one of these a month, so keep an eye on the website and social and we'll see you on the line.

Robert MacDonald:
Thanks again.

Mike Engle:
All right. Take care everybody.

Mike Engle
CSO
1Kosmos

Robert MacDonald
VP, Product Marketing
1Kosmos

Phone scams, vishing and other identity-based attacks tricked around one-third of the US population in 2023, including help desk workers persuaded via social engineering to hand over network login credentials to criminals. Separately, flourishing “retail-cyberfraud” is ensuring merchants lose millions due to ship-to-store and rental desk scams.  

The commonality in these attacks lies in “check the box” identity verification that can’t accurately differentiate between impostors and legitimate customers.   

This webinar explores the security gap in identity and access management and explains how to close it on the fly and with minimal human oversight by using advanced artificial intelligence, biometrics with liveness detection, and user-managed encryption.  

By watching, you will learn about the latest approach to reduce fraud risk without compromising user convenience as we discuss: 

  • Ways to instantly validate state IDs and driver's licenses without antiquated SMS codes or secret questions.
  • How to verify remote callers into corporate and customer helpdesks. 
  • A privacy-by-design approach to protecting and storing PII data. 
  • A modern user experience that improves security, reduces risk and enhances user experiences. 