The Business Challenge
1Kosmos BlockID Customer is designed for a customer’s identity to be enrolled once and then used across multiple web properties in a single organization or even cross-organization.
This enables companies to support a customer as their business, product lines and the customer relationship evolve over time.
For example, customers may have a savings account, auto loan, mortgage, brokerage account and IRA at a full-service financial services company. They wouldn’t want to enroll multiple times, and with 1Kosmos they would not need to.
Let’s say the financial services company acquired or partnered with a tax service or provider of managed retirement services. The same identity could be used multiple times within an organization or even across various organizations to deliver online services.
The BlockID Advantage
FIDO2 and NIST 800-63-3 certifications provide the highest level of digital biometric identity and authentication assurance with superior interoperability
In an approach truly suited to the times, we use the Trusted Platform Module / Secure Enclave of a device (what you have) and a live biometric (what you are) to perform next-generation multi-factor authentication. In terminology familiar from Strong Customer Authentication, the device becomes the “possession element” and the biometric the “inherence element”.
The offline equivalent would be presenting yourself and a credential such as a driver’s license for identification. For the online world, the device simply stands in as the license, and the biometric as you.
Because our platform is FIDO2 and NIST 800-63-3 certified, it provides certified identity assurance level 2 (IAL2) and certified authentication assurance level 2 (AAL2) and offers a high degree of interoperability via API / SDK.
Our solutions integrate easily with just about any operating system, SSO gateway or web-enabled system, enabling organizations to go passwordless with flexible levels of identity assurance on any target system and eliminate the need for third-party 2FA, one-time codes, and other external authentication systems / devices.
The result is a highly flexible, modular, and reusable identity without vendor lock-in.
One reusable identity serves as a digital wallet supplying credentials needed to support multiple accounts and services
In real life, an individual is of course a singular entity, but tends to have multiple business relationships that span their personal and professional life. When we apply this abstraction to the online world, the identity remains a singular entity, but the association of that identity/credential with the various online services can be described as a persona. And just as in the offline world, one digital identity can have multiple personas.
With 1Kosmos BlockID Customer, there is no practical limit to the number of personas or accounts a user can have. Users can be enabled on any number of accounts: the platform binds their biometric to a FIDO2 certified credential, providing access to multiple accounts via one consistent experience.
This is especially useful for administrators and organizations that have gone through mergers and acquisitions and need to support customers across multiple business units. Security keys can be “pushed to the edges”, meaning there is no need to reconfigure existing applications.
Privacy by design secures personal information under user control and eliminates threat of data breach
During enrollment, information collected from scanned credentials is encrypted and stored in a distributed ledger according to the W3C DID standard, accessible only via a FIDO2 certified private-public key pair.
The private key is secured in the TPM / Secure Enclave of a device and is under the sole control of the user via their live biometric selfie. The corresponding public key is stored on 1Kosmos Cloud infrastructure built on a distributed ledger.
Without the private key, the data cannot be decrypted. There is no central authority overseeing data access other than the user in possession of the private key.
Data is only transmitted after user consent is given. This happens via an explicit permission request and confirmation via the mobile app.
Since there is no user store and no centralized storage of user information, there is no honeypot of personally identifiable information to secure against the threat of data breach.