Webinar Recording

A Customer-First Approach to Identity-Based Authentication



Even though passwords can be compromised easily and are generally considered unsafe, they are still ubiquitous in a time when multi-factor authentication and biometrics are easily available. There’s little doubt that eliminating passwords improves security, but to effect fundamental change you must start with the customer experience and ask yourself where it’s possible to take it.

Hi, welcome to today's webinar. I'm John Tolbert, lead analyst here at KuppingerCole, and our topic today is "A Customer-First Approach to Identity-Based Authentication". I'm joined today by Mike Engle, chief strategy officer at 1Kosmos. Welcome, Mike. Thanks, John. It's great to be here, and welcome everyone. Thanks for joining us. So a little bit about our next upcoming event before we really dig in: we have the Cybersecurity Leadership Summit, which will be hybrid, both online and in Berlin, November 9th through the 11th. We've got quite the agenda already: over 200 speakers lined up, more than 500 delegates, 15 exhibitors and 90 sessions planned already, and there'll be lots of social events and unlimited networking opportunities. So again, that's November 9th through the 11th, our Cybersecurity Leadership Summit, and we hope you can join us.
So some logistics before we begin: we control the audio, everybody's muted, so there's no need to mute or unmute yourself. We will be doing a couple of polls; we'll pause for about 30 seconds so that you can answer them, and then we'll look at the results at the end. We'll also have Q&A at the end, and there's a blank in the GoToWebinar control panel where you can type in questions at any time; we will look at those and answer them then. We will be recording the webinar, and both the recording and the slides should be available in a day or two. So I'm going to start off and talk about authentication options, the different kinds of solutions, the need for higher identity assurance and identity proofing, and then I will turn it over to Mike. And like I said, we'll do Q&A at the end. So let's start with a poll: has your organization suffered an attack that was caused by breached passwords? We won't show any personal information about how it pertains to you, just the yes/no, and we'll show the percentage results at the end.
Okay. So about those password breaches and some authentication alternatives. No doubt you all keep up with the news, and it seems like day after day, week after week, there are more and more data breaches. In something like 85% of the cases it's caused by passwords that have been compromised. And these are happening all over the world, to critical infrastructure, to vendors and the software supply chain; even security tools are occasionally being victimized by this. So everything from the power grid to election infrastructure, all sorts of things. And as for passwords, we have been saying for many, many years that we need to get rid of them. The technology is available now, and many vendors and their customers are interested and willing to make the move to stronger and yet passwordless alternatives. And I think that's a great thing.
So let's talk about the options. KBA, knowledge-based authentication, the old security questions: this is a terrible method, let's just be honest. It's not really suitable for authentication. A lot of sites have used this historically for account recovery, and that's even worse. A lot of the information that is asked for in these questions is available online. If it's your high school team name or something like that, some of this information is so common it really does not have any security value at all.
And year after year, you look at the various data breach reports and we see passwords, like I said, are responsible for 80 to 85% of all the ways into a company to steal data. So passwords really, really need to go away. Then we have SMS OTP, getting texted the one-time password. That's probably the most common form that we see, and I think a lot of people have gotten used to that, but it has its security problems too. It's susceptible to attacks, especially things like SIM swaps, where the OTP gets redirected to another device altogether. So SMS OTP really needs to be deprecated. And that leaves us with things like PKI certificates: you can put them in browsers, you can use them with hardware tokens or smart cards. These are still great options for workforce use cases, but we don't really see, and can't really anticipate, that that is going to be a long-term solution for consumer-facing businesses and use cases. So that leaves us with things like mobile apps, which do offer a higher degree of security than SMS OTP if done properly, and mobile biometrics. This could be the built-in biometrics on phones, and there are a number of third-party biometric vendors out there with really good products too.
So we can also do risk-based consumer authentication, and here we're really considering four major categories that need to be evaluated at transaction time. First off you have the subject, the user: you might want to find out what the identity assurance level is, how well they were proofed when the account was set up. That may have information associated with it, like the email address, maybe a physical address, other linked accounts or linked devices. And if it's a family situation, there may be delegations about who can use what device, or who has access to the account and with what level of authority. The device can be an interesting and useful factor in risk-based consumer authentication: you can look at the device type, you can look at the device fingerprint, and by this we mean the set of attributes that makes the phone unique, not a fingerprint from your hand; the OS patch level, what apps the user may have installed,
whether it's been jailbroken or rooted. And then often you can add behavioral biometrics, which is measuring how a user interacts with the device: with a phone it could be gyroscope information, touch, screen pressure; with a computer, keystrokes and how you use a mouse. The network component is useful as well. It's not just IP address, but maybe Wi-Fi hotspot history, where the device has been used and what mobile networks it has commonly been found on. And then lastly we have user behavioral analysis. This can include things like geolocation, travel, impossible travel. And if it's a financial transaction, you can look at things like: is this a payee to whom funds have been transferred before? Is it a new payee? Does this fit within the pattern of normal user behavior? Does the amount look normal? The time and date for the transaction?
And does this make sense in the historical context? So all of these things are really good things that can help mitigate the need to have an explicit authentication event on the part of the consumer every time they want to interact with the site. And this is largely relevant to the enterprise, their workforce authentication, or B2B2C use cases too. Here we have the same four categories, user, device, network and UBA, but some of the attributes might be different. In the case of the user, you have an issued credential; users have probably been assigned roles; they probably have group attributes that authorize them to specific kinds of files, applications and other resources. On the device side, it's a controlled environment: they probably have endpoint protection clients on their machines, unified endpoint management clients on their machines. On the network side, there may be VPN information, a different set of IPs than the normal external IPs. And then for UBA, things like which files or other resources or applications they normally access. So you see, there are some similarities between the categories; just some of the attributes change, but risk-based authentication at the enterprise level can follow similar tactics.
So a little bit about FIDO authentication. FIDO is a standard that's been around for probably seven or eight years now; FIDO2 is the latest iteration of that standard, and it really bridges the gap between mobile and web. The original FIDO had the mobile UAF and U2F, the hard-token component, and FIDO2 kind of brings those together and makes it easier to bridge, like I said, from the mobile device to the web. Users can register and authenticate using their mobile devices, and you can turn the phone into the second factor: you can get a code, you can use the application, and then the phone can be your second factor to authenticate you to your laptop or other computing device. So it's beginning to have really good uptake. Microsoft supports it in Windows 10 and Hello, Google has it in Android 7+, Samsung has FIDO biometric certification on a series of phones, and now really all the major browsers support WebAuthn in the browser. Looking at the FIDO certified site, there have been more than 800 authenticators and servers certified against the U2F, UAF and FIDO2 specifications.
And they have additional certifications for security, using things like GlobalPlatform secure elements or the trusted execution environment. They also have a biometric certification, which is great in that it can help provide some objectivity in looking at the false acceptance rate and false rejection rate for biometric authenticators. So that I think is a very, very useful thing to have.
So moving on to identity proofing: what is identity proofing? I like these definitions by NIST that come out of two different documents: verifying the claimed identity of an applicant by authenticating the identity source documents, and the process by which a credential service provider collects, validates and verifies information about a person. So it really is about matching the claimant to whatever documentation they have that can help prove that that's who they are. NIST 800-63-3 calls out three different levels of identity assurance. Level one is the lowest: there's no real requirement to link the identity to any specific real-life person, so any attributes you get from that should be treated that way. It's just self-asserted, no real assurance there. Level two takes it up: you need some evidence that the real-world person is associated with the digital identity that's requesting the credential, and it introduces the need for either remote or some sort of physically present identity proofing. At level three, physical presence is required,
and you have to have trained representatives of the credential service provider. I see there was a draft out there for 800-63-4, and it may allow some remote supervised video options. Now in the EU, we have eIDAS, and they have remote ID proofing guidelines that were published back in March, and they have three levels too, and they're somewhat similar. At the low level, self-registration in a web page, no real identity verification; you can use username and password; again, no real assurance that the information that is provided at registration time is all that accurate. The middle level is substantial: enrollment is performed by providing some verified identity information and then authenticating with both the username and password and an OTP sent to the applicant's mobile phone. And then you can do what they call remote automatic, and I'll get into that in a minute, app-based and video identification options. On the high side of the eIDAS levels of assurance, we have in-person verification using a smart card or national ID card,
and there are now remote options that include some software-based applications, maybe on a phone for example, and video sessions as well. So how does remote automatic identity verification happen? We'll look at the happy path, assuming that we're going to go through a flow and it works. So the user applies for a credential. They download a remote identity verification app. This is an application that's been built by an IAM vendor or someone who's in the space; they can also provide an SDK so that a customer can take the SDK, write their own app and use all the backend services to do the remote identity verification. Then as part of the process, you can take a selfie. The app needs to be able to perform liveness detection to ensure that the user is not holding up a picture to the phone or something else like that; it's looking to make sure that that user is actually present. And then the app can be used to scan ID documents, both using OCR, optical character recognition, looking at the text, let's say, on a passport, and NFC to read the chip. And then, assuming all this goes well, the credential can be issued.
So let's deconstruct the user journey a little bit here in light of this. I'm breaking this up into two major categories I'm going to call financial and non-financial. So in the first instance here with non-financial, a user approaches a site with a device. They can either register by typing in the information, or they can use autofill from the browser, but that's often pretty messy: if you've ever sent a package somewhere, you wind up with more addresses saved in autofill than you ever need. A lot of CIAM vendors have the notion of what they call progressive profiling, so you can maybe collect the email address at the beginning, and then you get to know the user more through subsequent interactions on the site. And then decentralized identities: you're essentially counting on somebody else
who's issued the credential and done some of the identity proofing upfront, and being able to federate that. And then the device that the user brings to the registration event can be associated with that. So this information can be used by the CIAM system; the customer is probably using it for marketing analytics, assuming consent has been captured properly. And ID proofing might be optional in some cases like this; again, it depends on the nature of the use case. But on the financial side, most everything you see here is the same, but there's going to be a need for strong identity assurance in most cases. So the user approaches either an online banking site or uses the mobile app, they associate the device, they type in the information or get the account created. The difference here, before it can be used for transaction processing or used within the CIAM system, is you're going to have to do ID proofing, because it's required for anti-money laundering and know-your-customer regulations. So, looking again at how eIDAS discusses options for video identification, you could do a web session with a trained representative of the bank in this example, or you can do the selfie match, the OCR and NFC document verification through the remote identity verification app. These are ways that you can satisfy those legal requirements and increase identity assurance for these kinds of use cases.
And to kind of put all this together, we've been doing research on fraud reduction technologies. Identity proofing and vetting I call out as number one, one of the best ways to reduce account takeover fraud and synthetic fraud, along with things like credential intelligence, device intelligence, that user behavioral analysis that also gets factored into risk-based authentication decisions, as well as behavioral biometrics, and then bot intelligence and bot management. There are good bots that help get business done on the web, and there are bad bots that do bad things like credential stuffing attacks, so you need to be able to include that as part of an overall fraud reduction strategy. But identity proofing and vetting, I think, are really some of the first things that you need to think about for reducing fraud overall, and of course it's very important for identity assurance levels. So let's take our second poll here: has anybody ever used a remote identity verification app? A yes/no blank will pop up and we'll give you a few seconds to enter your answer. I'm really curious to see if these have become as common as I think they're starting to.
Okay, and we'll take a look at the results of both of these at the end of the webinar. So my last point is on the consumerization of IT. What do we mean by this, specifically the consumerization of enterprise IT? We may be employees, but we're also consumers; we have multiple facets to our lives. So as consumers, we know what we like in terms of interactions with websites, and we also know what we don't like. Most of us prefer mobile-based authenticators and biometrics for the convenience of it; it's much better than remembering a hundred or 150 passwords and having to change them. And if it's an infrequently used account, a lot of people just use the once-a-year account recovery mechanism. So we know that there are ways that some consumer-facing businesses are getting it right.
So we want those more user-friendly experiences when we're logging into work. And on the plus side for enterprise administrators, these fraud reduction techniques we're talking about that get used in consumer authentication scenarios are very useful in doing risk-based authentication for enterprise workforce logins too. And that remote identity verification app that we're talking about, well, it's working just fine for onboarding new employees. This has been going on a lot throughout the pandemic; I know a lot of people have started new jobs and never been to the office, but they've used a remote identity verification app. And it can even be used for I-9 and other kinds of work eligibility requirement verification. So in addition to being a good way to do increased identity assurance for consumer use cases, remote onboarding for employees through these remote identity proofing apps is really going to be the way forward, I think. So with that, I'd like to turn it over to Mike Engle from 1Kosmos.
Okay, let's get going. I'm covering a lot of the same topics as John, just with some real-world applications that I'll be getting into. And I just wanted to go over a couple of things; John had some housekeeping, and I do as well. First, everybody really in the world is able to go try a lot of what I'll be showing you here today. Just go to our website, you'll see a button that says Experience BlockID, and it'll walk you through getting the app and performing a passwordless experience. It'll take you like two minutes, and you can even go a step further after that: you'll see a subsequent screen that allows you to perform some identity proofing and perform a secondary action after that. So it's a lot of fun, it's safe, nothing is stored on our website, and it allows you to play around with it and do some of the things that I'll be doing here today. So check it out; I'd love your feedback on it.
We're also giving away a $50,000 software package. So with that, basically a random attendee from this webinar will be selected, and if they are our pick and they give consent, accept their award, et cetera, then we'll be able to work with them to get this package started very quickly. All right, so more to follow; let's jump in. I don't want to spend too much time on statistics about what's been going on in the industry. There are just so many out there, but John covered some of these, right? It's all over the headlines, but there are some really new, useful ones that came out. You might be able to use them in your discussions with management or as part of your budget and justifications for the program here. These are statistics from the latest Verizon Data Breach Investigations Report. If you haven't seen it, it's like 115 pages long.
It gets into every nuance of cybersecurity and breaches, and I picked a couple of stats that are really relevant for this call that you'll appreciate. The first one on the left is the fact that social engineering is the way that bad guys are getting credentials from people. And it makes sense, because humans, as you can see in the top right, are the weakest link in any system: 85% of breaches involve the human element. Two thirds of those involve credentials; of course, we're here to talk about that today. And we all know how bad ransomware has gotten; it's very public and in everybody's face today. So if your C-suite is not dialed into this, they will be soon; even the board of directors are now engaged in these discussions, and these statistics show the impact from a real business perspective.
Right? So check out these numbers on the left: the range of business email compromise, or BEC, goes up to almost a million dollars for one business email compromise, with the average being around a hundred thousand each, and ransomware goes up to 1.1 million. So that's a large sampling. Here on the right, this is from the Lockton group of cyber insurance experts. These are truly staggering numbers: $5 million average business interruption from ransomware because of credentials. So I'm not trying to fear, uncertainty and doubt anybody here; we get enough of that, but these are real, meaningful statistics to help justify our actions to deploy programs like what I'll be showing you here today. So, talking about customer engagement, John really touched on this quite a bit, and I really enjoyed his knocking of the secrets and some of the other legacy factors, right?
We're still doing this today, filling out forms for 2FA. I can't believe how many websites are just moving to email and text codes now. It's disturbing. For fun, I went and signed up for a United Airlines account last week and I grabbed this screen. Like John said, they are forcing me to pick five secret questions. What was your shoe size when you were 12? This was my favorite one: when you were young, what did you want to be when you grew up? And check out some of these answers, they're truly precious. How many people wanted to be a clown when they grew up? I wanted to be a rocket scientist; they didn't have that on the dropdown, so I had to move on to another question. On the workforce side, it's just as bad. Companies are still requiring longer and more complex passwords in case the hashes get stolen.
This is from Microsoft's July Active Directory documentation, right on the website. And this just causes employees to get frustrated. We added a new button here on the authentication options, and all they do is increment a number on the end of their existing password. The credential has to go, and FIDO is the path towards that, which I'll be talking about. So John spoke a lot about NIST 800-63-3. He also spoke about FIDO. I'm going to show how putting them together is the right way to deal with customers and employees. On the identity proofing side, I'm not going to belabor this too much because John really got into how that works. IAL, right, that's the identity assurance level that he touched on, goes from level one to level three; you need multiple documents and you need real biometrics to do it.
And real biometrics is the key here. Now, when combined with FIDO authentication, it's a match made in heaven. Now you can prove who the person is, a strongly proofed identity, without then requiring a username and password for them to access your systems in the future. Once they've enrolled with a high assurance level, you issue them the keys to prove that they had those credentials; they perform FIDO authentication; there are no longer any passwords in the process, and you can do it from day one. And with this real biometric, you're getting something that we call identity-based authentication. It's one of the principles of zero trust: I can prove cryptographically and with biometrics who you are every time you log into a Windows workstation or into a financial services website, by combining these two standards. And key to this, any platform that you adopt needs to be certified. There are two key standards certifications here: the Kantara Initiative certifies your NIST process, and the FIDO Alliance certifies your FIDO authentication. You need a FIDO2 certified product, for example.
So unfortunately, identity proofing and user authentication have been siloed activities and continue to be for a lot of organizations. If you do not take a holistic view of these activities, you're introducing avoidable technical debt to your operation and your IAM platform. So an entire industry has popped up that does just this thing on the left: scan a document, take a selfie. After that, they throw it away. Now it's up to the authentication system to figure out who it is. And conversely, if you're just using a passwordless tool or a 2FA tool, you're not leveraging the proofed identity. The way we do this is with cryptographic wallets, public/private key pairs combined with biometrics. So the combination of these standards can revolutionize both workforce and IAM functions. So when do you do it? You don't want to scan everybody's driver's license when they come and access your systems, right?
They'll run away. Your employees will revolt. You've already proved them. You've already proved millions of financial accounts, employer accounts, government accounts, right? So for this population, we put them through a binding process instead of a proofing process. In essence, you're trading in their legacy, credential their password to FAA, whatever for a passwordless experience, when it's time, you proof them again, right? Documents expire. Maybe there's a super high secure transaction. You're like, I know this person gave me a driver's license five years ago, but let me do it. And you can do it in line. You can do it with a rich app experience, right? It doesn't have to be a burden. So with a single process, you can bind their existing account via by scanning a QR code, or just clicking a link. They're issued a private key, enrolled their biometrics, and they're done. However, for new employees or high value customers, you guide them through a self enrollment process.
You do this day one because you have to do it anyway. For financial accounts, you have to do it for AML KYC for employees and contractors. Sometimes you have to prove who they are so you can pay taxes. So do it right. Proof them digitally trade in their, their documents for a certificate and let them be passwordless from day one. They never need to know their username and password. So in that proofing, John's already covered this again, I'm not going to drill into this too much, but there are a couple of things you can do. So when you leverage the modern capabilities of your smartphones and computers, this onboarding process takes minutes. Instead of days everything's captured in real time, the attributes are extracted and stored into a digital wallet protected with that private key that I'm going to mention probably about a dozen times, including scanning that NFC chip to get very high quality data.
So within seconds, these documents are verified. The user's identity is mashed via a live selfie and that same live selfie. The one that often gets thrown away for proofing now becomes a strong authenticator, right? So you can feed this information directly into your IAM system for either a customer or an employee account. Best of all, if you're using a mobile app and have that rich relationship with the phone, you can get their location, verify their phone number in real time, get session attributes, et cetera, right? And we don't treat employees and customers in the real world any differently. This process applies to any type of end-user. Now there's two ways you can handle your users, your end users today. You can do it with an app and you can do it without an app. And John touched on this as well. Obviously, if you can drive your users to use their own app or your customer app, I mean, you'll have a much richer experience control of the session.
You can work with the camera very specifically, but not all services have their own app, right? There's literally millions of websites out there that engage with the users via browser only. So for both of these populations, with an app and without an app, you can still go passwordless thanks to the Fibo Fido web authen standard that I'll be showing you here. So real quickly with an app based digital wallet, you can guide the user step-by-step to either enroll their identity and be past release from day one, or do that linking that I mentioned before with the press of a button and a single click operation. So the way this works is the user's issued a private key. This is transparent to the user and they enroll their biometrics. The most common type of biometrics would be your touch ID, face ID and whatever they call it and all the different Android worlds.
But one of the advantages of having an app is you can use the camera and the microphone to do real face and voice matching. And this can be linked back to that NIST enrolled digital identity. The use of a, of a live biometric has to be done properly. That must be secured properly. This is where we at 1Kosmos use a private blockchain, keep that image completely encrypted and in control of the user at all times, they will present it to you and, and unlock it and share it with you when it's time. It's a real game changer. And one of the key benefits of combining the proofing and the off together, if the user has a smartwatch to you have a very rich experience with it, where at the tap of a button, you can authorize transactions depending on the value. And lastly, there's no need for any organization to develop all of these features, themselves, ID proofing, Fido servers, et cetera. They've already been done by companies like 1Kosmos with one lightweight SDK, instead of API APIs. All these features can be embedded in a single experience or presented as a turnkey application. So let the developers develop their business apps and let the identity enrollment and the authentication happen with this adopted framework.
So that's the app experience. And what do you do when you can't force your users to download an app? This is where Fido web authen comes into play. So this lets you leverage your device's native biometrics, right? It doesn't matter if it's a Mac or windows, laptop, or a Chromebook or a mobile phone with safari Firefox or Chrome. And that will store the private key. That becomes almost like the app itself. And it also uses the same. The devices built in biometrics to authorize transactions. The alternative without this technology is to send them a code, right? 20 year old technology, right? So we, we use touch ID and face ID to unlock our phones 50 times a day. We've been doing it for years. Users are now trusting it. They like it. So why not use it for a rich web experience? So now in one platform you have something, you have a private key stored in TPM, very safe and something. You are your device biometrics, right? And the password list industry is at an inflection point. This is starting to get into a lot of customers websites now. And again, just like embedding ID proofing and passwordless into your existing app. You can leverage these features very easily by adopting the right Fido. Two provider take all the burden off of the it and the development teams to do this right? So Fido certified developer first to make sure that you're picking the right vendor here.
So John went through that kind of workflow. I'm going to show you a little more simple version of that, that really dumbs it down to its least common denominator parts. And I'll be showing you this via a video I recorded this morning. The enrollment experience is really simple. The user accesses the system just like they do today. They're going to log in, right? It's the only way they can get in today: username, password, 2FA, et cetera. The app, if they have one, or the native computer, right, the Windows or whatever, will prompt the user to go passwordless. Of course they say yes, they enroll their biometrics via the built-in system, and that's it. They're now enrolled in passwordless. They have the two factors. If the user was previously proofed, if you did that prior in their journey, they've now inherited that proof status, right?
And again, you can proof them again when the time is right, when things expire. There's a lot of reverification needed in some countries or for certain financial types of accounts. Using this experience is really straightforward. An app experience is as simple as scanning a QR code on the screen. We're seeing some forward-leaning banks do this. You're even seeing it in places like, if you log into Amazon on your Roku, scan a QR code from the Amazon app, the Amazon app trusts that you are who you are, and it makes this so simple. So you'll scan the app, you'll perform biometrics, either Touch ID or LiveID, real biometrics, and you're in, in one second. Right on the non-app experience, it's similar. You prompt them, the device biometrics pop up. This is a native Windows Hello example here on the left, or on the right you can see how by scanning that QR code Safari pops up and takes over from there and allows you to go forward without passwords.
All right. So let me show you how this works. Yeah, and I've learned when and where to do live demos. So this is not the time, but again, a lot of this can be done on our website, so we'd be happy to show you how all this works at your leisure. So I'm going to go through a binding process on both a Windows workstation and on Safari on iOS. So we'll start here by entering a username and a password. Now you could go on and do 2FA. You have to verify them, right? If you're not doing 2FA, you're asking for trouble. Let's convert this credential into a passwordless experience. So they are asked and they say yes. Now there's two options here. You can say, and you'll guide them depending on the platform that they're logging in from. In this example, we give both options.
So let's click on register this device's biometrics. I'm on a Windows workstation. You see, this is my Windows Hello popping up, right, almost jumping through the browser in my face and saying, scan your face or your finger. My face ID kicks in. I say okay. Private keys are stored in the TPM of my Windows workstation, and I've linked with my biometrics. It's done. It took two seconds. Now the logon experience is very simple: simply type in a username, and you can even avoid that if there's a cookie on the machine, and click login. Again, the Windows biometrics pops up. Here you can see I have four types of biometrics in my Windows machine. I've got face, fingerprint, a YubiKey and a PIN. I'm going back to face. I'm staring at my financial application, right? It took one second. Did not have a password.
This is available for billions of users today. And just rounding out and showing you what the experience would be like if they're using their mobile as the web authenticator: again, type in the username and password for one last time, authenticate them, and exchange that for our WebAuthn experience. So this time I'm going to launch the camera on the right, not an app. Dramatic pause for effect, okay. Scan this. And now you see Safari popping up at the top, right? You've seen how QR codes work, right? Everybody in the pandemic has scanned the QR code menu, right? I say okay, Safari takes over, engages with the user to store the private key, Face ID, with the press of the button. My two credentials are stored, my private key, my biometrics, and linked back to this service. Logging in is just as easy: username, scan the QR code, passwordless, and you're staring at the application and you're done, right? So again, there's some mechanics to this, right? How you walk the users through the journey is up to you, but lots of the key handling, the biometrics, the linking can be done by these systems that now do it very well.
Now for a rich app experience, it is a little bit different. You don't have to worry about the device biometrics popping up. As I mentioned, on our website you can actually get to this demo yourself. So a consumer experience or workforce experience is as simple as a pop-up, my phone here scanning a QR code right now. This'll be me doing my LiveID to get into this website. I said it wouldn't do a live demo, but I did it anyway. And now I'm staring at my workforce applications. The exact same process, the exact same key cryptography and biometrics work just fine for your customer experiences as well. All right, so that's the end of my demo. I will simply wrap up with two things. There's a couple of differences when you use an app-based versus appless, and I figured I'd sum them up here.
When you're in app, you can do real biometrics. You can engage directly with the camera and the microphone in a very easy way, giving you a super high level of security for when you need it. It's perfect for verifying that the contractor you hired is the contractor that's sitting in that seat on day two. It was a huge problem with contractor jacking, right? An app allows you to do that. It also allows you to do some key backup and recovery. There's a TOFU issue with some experiences, trust on first use. When you're using an app, you can avoid that as well, right? Appless allows for these three very important things as well. And finally, right, KuppingerCole has something they call their identity fabric. It's a wonderful, full, comprehensive diagram that shows all the moving parts in an IAM stack. We're gonna work with KuppingerCole,
they don't know it yet, to embed identity proofing and passwordless as its own discrete engine combined into that identity fabric. All right. So let's ask a user who they are. Let's onboard them for whatever experience is needed, and let's get rid of passwords as part of that. It's a service that should flow through every downstream application, and then let your SSO gateways, your Azure ADs, ForgeRocks, Pings, Oktas, et cetera, go do what they do. They do SSO. Let's let your applications not worry about the authentication anymore and come in with a true proofed identity. And finally, and then back over to you, John, we do have one other webinar coming up in a few weeks. It's more of a focus on passwordless experience, linked back to how it's being embraced in the industry. So you'll see some more real-world examples of this, and we'll be doing this with the IOT group. All right. So I thank everyone for their time. I think we're going to get into Q&A with John now. If anybody has questions, hopefully you've been putting them into the chat.
Before we get into the Q&A, why don't we take a look at our poll results. So, has your organization suffered an attack that was caused by password breaches? 24% have said yes, 76% said no.
And that's a lot of people that would even admit that. So that's still a scary number in my opinion.
Yeah. Okay. Next, have you used remote identity verification? Yes, 72%. Wow, that's even better than I thought, you know, 28% no. So that's very interesting. Cool. I guess I'd like to even drill down, and can't really do it now, but drill down and figure out, is it workforce or consumer use cases for which you've done that?
Yeah. I mean, anybody joining a company today, they would be in that bucket, but not many companies are doing digital yet for workforce. But it's definitely required on the customer side. So you're seeing a lot of it there, especially with crypto accounts, right? They're getting hit from every direction for this.
Yeah. Okay. Well, let's launch into the questions. So the first question says: I'm experiencing MFA and passwordless authentication vendor fatigue. They all seem to offer similar things. What makes 1Kosmos stand out?
Yeah, no, that's a great question. The passwordless bandwagon is definitely full of a lot of people these days, a lot of companies. There's four things that I'll mention that make us unique. One is we're the only company that's combined strong identity proofing into the same platform. The only one. We're the only one that's Kantara certified for identity proofing, right, that is the international body for certification, and FIDO certified together, right? So as I mentioned, you have these silos popping up, and there's a thousand of them over here in passwordless only, and there's dozens over here in identity proofing only. They need to be put together. It's not just us saying that, it's the industry, it's analysts. So that's one reason. The second is that use of LiveID that you saw. That's not just passwordless tricks. That is proving the identity that I enrolled two weeks ago
when I installed that app. That is a unique differentiator. You will not find others doing that. Of those thousand, there might be five that do that. And then you have to ask, where are they storing that live biometric? If it's in the phone only, you lose the phone, it's gone. And if it's not, if it's stored in a centralized database that's not using blockchain for encryption, private blockchain, then who's protecting that, right? So that's the second big differentiator as well, and the blockchain itself is the third, right? It provides an immutable log and an audit trail. And the fourth is just that we're incredibly developer friendly. We're very open, right? Go to any of the competitors' websites and see if you can do a live demo, see if their API and SDK documents are online on their website. They're probably not.
Yeah, that sounds good. I'm thinking about passwordless. You hear that a lot. You know, in many cases it becomes password-fewer, I would say, you know, you enter it fewer times, where there's still an underlying password credential that needs to be eventually gotten rid of. Next question is: for non-app experience users, what are some of the recovery options? Let's say the individual's computer is stolen and can't be recovered.
Yeah, that is a challenge with WebAuthn. And the FIDO Alliance is working towards, just like I said in my last response, introducing identity to the passwordless experience. So once you do that, there might be a mechanism where you can have key recovery as part of a WebAuthn experience, but you might have to fall back to other mechanisms in that scenario. So I don't know, John, if you've seen any elegant ways to handle that in a WebAuthn channel.
You know, I guess there's no perfect solution. There's always, you know, multiple devices, multiple accounts that can be linked. There's always a potential for a weak link in that chain. But yeah, there are better approaches than others in this space. Let's see. Good questions coming in, keep them coming, feel free to type them in that GoToWebinar questions blank. Next one is: do you see 1Kosmos entering the world of self-sovereign identity with other verifiable credentials?
Yeah, that's something I didn't touch on just for the sake of time, but that's really another big differentiator of our platform: it is built on W3C verifiable credentials and decentralized identity under the hood. And we're members of the Trust over IP Foundation, which is part of the Linux Foundation, and we very actively participate in all those standards. So when identity gets to that next stage of its evolution, identity becomes your own, and it can go cross-industry, cross-country, right? W3C verifiable credentials are used for COVID vaccinations, education degrees, proof of employer, right. That stuff is built into the platform today, and it can be exposed when you're ready. So let's say you're bank one, and you have a B2B relationship with bank two for custodial accounts or something. Don't go set up some heavy federated login; instead use verifiable credentials so they can prove who they are to each other. It is the future of identity, according to a lot of people, and we are ready for it. So again, standards, platform, et cetera, come into play for that.
Okay. What are the ways an app can be delivered to employees and customers for passwordless authentication?
Yeah. Well, it's made so easy today by the app stores, right? So the experience you'll see on the live 1Kosmos page, it's just go get it from the store, one-click install and done. The user self-enrolls. It's verified behind the scenes. So that's the easiest way. You can have your employees, contractors or customers do it that way. If you have an existing app already, you're doing an app update and just putting the SDK in there that now handles the public/private key cryptography, the authentication, the biometrics if you need them, et cetera. So that's transparent to the user. They'll just get the features, and you have to enable them with the press of a button. And also any app can be delivered in an employer setting via the MDM, right, their mobile device management. So you can push the app down to them that way. That's very common.
Yeah. And app stores provide some security with the application scanning and acceptances. I think that's a little bit more trustworthy than just downloading an app from another source. Let's see, the next one: how do you handle account recovery?
Yeah, we touched on that on the WebAuthn side, right? And there's not a strong solution there in the industry, right, because that's standards-based, so you really can't move out of the box too much on that. But in an app experience, we do have a wallet recovery that involves a standard called BIP39. It's the same standard that is used to back up and recover your crypto wallets. So if you've ever done that experience, a 12-word mnemonic phrase, for example, that can be backed up and stored a number of different ways. So that's the most common type. We also have some experience with multi-party computing to recover your private key, and some ways to use your biometrics as a recovery mechanism as well. So a lot of options there, especially when you get into more of an app experience.
How does this get applied to dozens of systems that employees use, such as OSs, privileged account management systems?
Yeah, that's a great question because in an enterprise, right, this isn't really a problem for a customer. A customer has one or two places they log in, so you handle them those two ways. On the enterprise, you need plugins, you need connectors and adapters. Many of them can be handled via federated authentication protocols, so SAML, OIDC, for example, where 1Kosmos becomes the IdP and gives a trusted, proofed digital identity into those systems. So that's just a configuration, takes an hour or two, setting up secrets, whatever, to do that assertion. And then connectors into non-standard systems, Windows, Mac, Unix, et cetera: there's a lightweight plugin that goes in there, and that enables QR code, push messages, et cetera, to work with the press of a button as well. And then there's custom adapters for lots of systems that need that. So remote access systems like Citrix and Zscaler, et cetera, it's a simple integration. We're in a lot of the marketplaces for connectors into your Oktas, Auth0s, CyberArks, et cetera, as well. So we've reduced the friction to go passwordless across those dozens or hundreds of systems, really to handle any situation.
And one more question here: how many countries does the identity proofing work in, and what types of documents does it support?
Yeah, that's always the question, you know, can you scan a Pakistan document? Yes or no? Right. But now we have a very robust document scanning engine. We have coverage for over 150 countries, and the documents we have is very country by country, right? So for example, in the Dominican Republic, we will scan what's called the national identity card. It's not a driver's license. In the US the standards are obviously driver's license, which varies across 50 states, and passports. So it varies country to country. The other thing is when that process goes badly, right? Sometimes you can't scan a document for some reason, it's an old photo or your document's mutilated. We have something called agent assisted. So in that scenario, we can route the session to a live agent in a certified data center, and they can take over and give that kind of white-glove approach to make sure that user gets onboarded properly.
Yep. That sounds great. You know, there are many different document types. There's, you know, ICAO, non-ICAO passports, there's the EITI standard. And like you said, there's lots of different things in the US, and it's kind of a very fragmented thing. We see that there are in many cases country-specific identity proofing service providers, and yeah, rolling those up into, you know, a much larger CIAM service is something that can be very useful for companies that are dealing with consumers or employees from multiple countries, multiple regions around the world. Even that's a complex thing that would be great if it could be simplified, but I don't see any easy ways for that particular piece of it for the near future. With that, I'd like to thank everyone for attending, and thanks for your participation on the polls and questions, and thanks to Mike and 1Kosmos for helping out here. Any final comments, Mike?
No, no, thanks for having me on. I enjoyed it. Our entire world is on our website. We don't hold anything back, so please check us out, and thanks for your time as well, John, and let's do it again soon. Great.
Sounds good. Well, thanks again, everyone. Have a good rest of your day. Take care.