Webinar Recording

Better Business With Smooth and Secure Onboarding Processes



In the modern world of working, organizations need to digitally verify and secure identities at scale. But traditional IAM and CIAM strategies can’t identity-proof people in a meaningful way in the digital era. Finding an automated digital identity proofing system that is passwordless and provides strong authentication is essential.

Hello and welcome to today's webinar. I'm really pleased to welcome you to our topic today. We're going to be looking at smooth and secure onboarding processes and how this can lead to better business. With me today I have Mike Engel. He is the Chief Strategy Officer of 1Kosmos. And I'm Annie Bailey. I'm a Senior Analyst and Research Strategy Director at KuppingerCole Analysts. I have a few notes for you before we get started with the webinar today. First is the audio control. You can relax. We are taking care of the audio from our side, so you are muted centrally and you don't need to worry about controlling this. But despite that, we do have a question and answer session. The way you can participate in that is by submitting your questions. In the GoToWebinar panel, you'll find a menu called Questions. Send those in at any point during the presentations today.
I will receive those and I will moderate those at the end of the session. So please don't hesitate to send in your questions. In addition to that, we also have some polls scattered throughout the presentation. So at various points, we'll request your opinions, your experience, and you can submit those and we'll look at the results at the end of the session during the Q&A part. And finally, you will have access to this recording and to the slide decks that you see today. So those will be made available to you in the next days.
And with that, back to our topic, looking at smooth onboarding processes, we want to build the foundation and bring you to some concrete solutions here. And so this will proceed as follows: I will open today with the foundation of what is behind a smooth onboarding process, at least from KuppingerCole's opinion. One very important part being identity verification and how this can be very seamlessly integrated in. And I'll look at this from a few different points and then I'll hand it over to Mike and he'll take it on further. So with that, we're gonna begin with a poll. You might have heard that we view identity verification as a very key part to smooth onboarding processes in a particular level of assurance.
And so I'd like to ask, have you personally used a remote identity verification solution? Yes or no? I'll allow about 30 seconds for this. So let's continue. Thank you for your participation here. And I'm gonna begin the webinar probably with the most dense packed slide that you have to work through, but that means the worst is over at the beginning. What you're looking at here is what we call the KuppingerCole Identity Fabric. And in a moment I'll get into why we call it that, but the message here behind is taking a step back from the onboarding processes is that digital identity is at the center of the people journey. The way that people pass through your organization to access digital services, to access legacy applications, to access infrastructure platforms backend, no matter who they are. If we're talking about consumers, customers, partners, workforce, you can see this list here along the left side of this diagram. Digital identity is the vehicle that allows them to move seamlessly through your organization.
Now that can begin at onboarding, and that's where we use this diagram to hone in on what do we need out of an onboarding process. When digital identity is this vehicle that allows them to seamlessly pass through everything, we need a good quality of information coming in, something that we can make good decisions on, that we can use this high quality of information to inform our dynamic policy decisions or access management decisions, things of this nature. And so using this idea of an identity fabric, something which is woven together to allow everybody, this list of people on the left, to access everything, the services you see along the top, also the legacy applications you see along the bottom and all of these infrastructure aspects you see along the right side, everybody to access everything anytime from any device anywhere. This is quite a feat and requires an interwoven, highly connected fabric approach. We use this word very intentionally, but instead of focusing on the entire journey throughout the people's life cycles or these different roles, we're gonna focus particularly on onboarding. How can we use onboarding to build a digital identity that is functional and can deliver these fabric aspects throughout the whole life cycle?
And that's what I'd like to bring us to the next concept. We're not talking about just any digital identity, any digital representation of identity attributes, but we need there to be a certain quality behind that. We need them to be verified, ideally reusable. But the problem is an identity verification step is absent for most digital identity solutions. And I can illustrate what I mean by that. If you think of onboarding in a digital way as an individual signing up for a new service, perhaps you're an employee in a remote environment, partners, at the lowest level of assurance, they're usually self-attesting information. They're volunteering their name, their contact information and so on without verifying that in the background. Or at best, they're undergoing a one-time verification.
But that one-time verification is lacking a binding effect between those digital attributes and the person who is using them at a future point in time. And in an ideal world, those digital identity attributes would be useful more than just onboarding because there's plenty of examples of needed repeated access. Employees are a great example where they may be accessing their business applications from several different devices from several different locations, and we need a way to allow them to do that, but still uphold these zero trust concepts, which you're likely familiar with. Never trust, always verify. So how can we enable our employees to do the work they need to do from the various locations or devices that they're using and still be sure that it's actually them? How can we have a verified reusable identity here? The same question goes for bringing that confidence across perimeters. More and more we are working with partners and contractors, suppliers, freelancers, people who are known by their own organizations, but certainly there has to be a better way to onboard them without developing one-off federation relationships. And finally, always important to remember, we're talking about identity verification here, really building up a close bind between the digital identity attributes and the real world person. But that information does not always need to be shared at that level of detail. Not every use case is going to require the highest level of assurance here. And so building in flexibility, the ability to know that information is correct without actually needing to share that information, that's a huge push for privacy here.
And so onto a practical question, how would an organization actually get to use a verified identity? Well, we as an analyst house, we love categories. We love breaking things down and building graphics like these. So quite happy that I get to share this with you, so you'll have to humor me. An organization could go for an option where they take identity proofing components, pieces of a puzzle to build a full identity proofing or identity verification solution. They could work with a vendor who specializes in document verification, for example, they could work with a vendor that specializes in biometric verification or one that does video verification. Or moving one layer down, they could work with vendors that provided all that, build a full identity vetting or proofing solution using many of these components. And the ones listed here are just a select few. There are many different options that are used here, but we started off the conversation today talking about onboarding. And so that makes the next group of vendors quite interesting. We termed those full service providers. So not only are they providing a full identity vetting or verification solution here, but they're using that information to flow directly into onboarding, be it for consumers, for employees and workforce, for partners and contractors.
What they're also increasingly doing is using this identity verification step to support later authentication, often in the form of biometrics, where a returning user shares their biometric features, either a face or fingerprint, for example, as a single factor. It's not simply presenting biometrics, but it's presenting biometrics that are matched against the template that was used during onboarding, which likely came from a government-issued document. So not only is the user in possession of biometrics that describe the same person, but they describe the exact person who was verified at the time of onboarding, which flows into some great reuse cases. There are also additional services that are typically provided by these full service providers that become very interesting. Things like fraud reduction, digital signatures, attribute verification, orchestration.
And so that leads us to our second poll question. Do you already have an approach for an automated verification solution for customer or consumer identities? And this is a simple yes or no answer here. Again, we'll take 30 seconds here. All right, thank you. And we'll continue on again, looking at the different personas that you might need to be onboarding. I've just taken a select few. If you remember back to the very dense slide on the identity fabrics, there's quite a long list of different personas that could include services, IoT and devices, for example. But if we look at, for example, the internal workforce, B2B relationships and consumer relationships, onboarding has different implications for each of them, but it can be an all-digital flow with increasing security benefits and usability benefits. So if we look at the internal workforce use case, we've of course heard plenty about work from anywhere.
But with that, we do really need to consider hiring from anywhere. And it may be more and more often that the hiring and onboarding processes could happen entirely remotely. And so it becomes increasingly important to ensure the one that you've never met is actually the correct person, the person they claim to be, that matches their documents that they're presenting, and that you're issuing credentials remotely to that same person that you intended to hire. And this opens some interesting opportunities then to employee-held credentials. When we think about B2B relationships, this could be anything from partners, contractors, freelancers, and suppliers. They of course need to securely access the right resources for the right period of time, physically or remotely in a digital scenario. And it becomes increasingly important to improve the flexibility with user-driven onboarding. We know user-driven onboarding from the consumer use cases, but is that possible to use for B2B with the same level of confidence? Moving away from manual, increasing the efficiency then, and moving beyond the current efficiency of federated relationships, need to be moving towards streamlined onboarding. Collecting other relevant credentials could also be of a huge benefit here. Understanding really is the right person working on the right project, and also looking at user-held, but issuer-managed credentials in this scenario.
And consumer onboarding, there's been of course great focus on the usability here, but in particular industries, regulated industries, for example, the self-service still needs to uphold the right level of assurance here. So keeping the good actors in and keeping the bad actors out becomes very important here, as well as deconstructing the user journey. And I'll get in a little more to what we mean by that phrase in a moment. And here is the final poll that I have for you. Do you see fraud detection as an important capability in an access management solution? Yes or no? This'll be nice to get your opinions before we head into a short discussion on fraud detection. So please take 30 seconds and answer this question.
Okay, let's continue. As I said, we would take a very short time to bring up fraud reduction throughout onboarding, in particular use cases, particularly for consumer onboarding. Reducing fraud is a very high priority, particularly in financial industries and in other regulated use cases. What we found in our research is that the traditional space of fraud reduction solutions is actually coming nearer and nearer to identity verification solutions, which are being more often used and integrated into onboarding and identity life cycle management. This can be quite interesting looking at those shared capabilities, including things like behavioral biometrics, credential intelligence, and using some typical KYC resources like sanctions blacklists, for example. And so we see identity verification with its fraud reduction powers playing a larger role in onboarding scenarios. Another aspect to consider is privacy, but also the increased flexibility that need to coexist with each other.
And this is where the term deconstructing the user journey comes up again. This is really all about embracing the right flow for onboarding and placing identity verification at the right point in that flow. Looking for things that can happen in parallel. For example, somebody going through an identity verification step while the registration form is being autopopulated from that verified information. In terms of privacy, it becomes very important to consider how that digital identity is being stored, whether it's being stored with the identity provider in the cloud. And offering some very strong privacy benefits is storing in a decentralized manner as well. So with that, I'm gonna wrap up and leave you with a few final thoughts.
Digital identities, we need to think of these as the vehicle or really the shaper of how people of all kinds move through your organization at all times from all devices. And that a verified identity is what can allow for the trust needed to use identities that are being issued elsewhere. And we recommend to take a privacy-forward and a secure approach, considering that for some use cases, reducing fraud is a top priority, but for all, a flexible and private verification is essential. With that, we've come to the end of my session and I'm very pleased to hand this over to Mike and he'll take it on further.
Thanks for having me here. I'm gonna share kind of the current state and then the art of the possible here and what's actually possible today using current technologies. A lot of this is unscripted. I do a little bit of live demo and stuff in here, so apologies if Murphy's Law kicks in, and hopefully there's no Murphys on the call, but we'll see how things go here. But you know, we've been struggling, we're gonna focus on workforce today, but just about everything that we talk about when it comes to identity can be applied to both workforce and customers, as you pointed out in your materials, Annie. So at the end of the day, you need to prove who somebody is remotely. And you can't do that using 20-year-old technology, right? One-time codes or in person and so forth.
You can't count on that anymore, right? The pandemic has changed that, but it's been a long time coming anyway. And we need to deal with a flexible workforce and make the experience enjoyable for the hiring and for the authentication that comes downstream after that. And you think about the way we've been doing things since, you know, really forever, since we have computers, we've been spreading PII around in a way that's not very safe, right? We typically ask our new hires, contractors, employees to take pictures of their documents and then go to some portal, upload them or email them. I'm sure going back it's really not much of a different process than it was when we had fax machines, right? It should just give people the heebie-jeebies thinking about the way this data is spread around. So we're gonna focus on this today. You know, pulling up your identity fabric, we're just gonna zone in on two very specific pieces, right?
There's a lot going on in an IAM infrastructure, but there's two missing components in most of them. And they are a better way to onboard identities and then let those identities have access into the infrastructure, right? There's better ways to do things. So I'm gonna expand on these quite a bit, just kind of double clicking on those two boxes. We need to identify and onboard. How do you know that Al here in this example is who they say they are? And not only from what they say, self-attested, but let's actually verify it, right? Let's get some proof and let's not leave it up to somebody who shouldn't be doing this for a living, such as Sally in HR that needs to try to figure out if a driver's license is real. We're gonna do it digitally and then we're gonna give them a credential at the same time.
How do you know that Al on day two or day 200 is still the one accessing your systems, right? That's the burning question we're gonna address here today. Using technology that's already in our hands and ready to go, the standards are there and I think the mindset is there for people to want to do this. So what we're gonna do is walk through, how do we know that Al is Al? How do we give Al a credential that's trusted, privacy-preserving, reusable, right? Some of the other points that you brought up in your deck. And then let them have access into our operating systems, remote access, SSL, our PAM, right? So that's the kind of how it all ties together. So what are we doing today? Well, we go through talent acquisition, we typically have online portals and some mechanisms, some workflows for that.
And then we give them an offer and then we have to get them into the system. So IGA processes, right? Your account governance, account creation kicks in, accounts are created. The line manager then has to get involved and typically call up and say, Hey employee, here is your credential. And then we give them some type of different mechanisms to access and then going on and on. They have to change passwords, they have to log in and you have to try to figure out how to get them into your systems in a way that's trusted without friction, right? And this is where it breaks down, and this is where we're seeing, you know, you use the term fraud, but when it comes to employees and contractors, it's really about insider risk. And that's what we're gonna address here today in this discussion.
Consumer versus employee, they have very different journeys. You just call them different things and the goals of the bad actors are a little bit different, right? On the consumer side, they're trying to steal money; on the inside, they're typically trying to steal secrets. So let's walk through what happens today when we wanna hire Peyton, right? Just went through talent acquisition, interviewed with two rock stars, interviewed with Sally. Sally doesn't like Peyton too much, but we get over the hurdle and our fourth subject matter expert, whatever it is, finishes the interview process and thumbs up, right? We have a signed offer and we're good to go. What do we do then? Well, we have to onboard them. As I mentioned, this is typically where things start to go south from a control perspective. So you're usually manually creating an HR record, right? Let's go look at this form over here.
Let's go look at the driver's license that was emailed into the system or uploaded to some portal and then the IGA process goes on. We've got some good automation there, right? This space is maturing very nicely and the accounts are created. Now how do we get Peyton access to the system? Well, here's where Sally gets involved again, right? She's happy now that Peyton is joining the organization. What she's gonna do is say, welcome aboard, and give Peyton a phone call. And I've interviewed dozens of large organizations and this is still the pervasive method. Line manager calls up and says, Hey, here's your username and password to get into remote access or your operating system. Now what Peyton has to do is change that username password, or not the username but the password. But then we have to give our second factor out.
And if anybody on this call is not using a second factor, well you should run and go get one, right? We all know that 2FA is super important, but you have to give that to them. And how do you typically do that? Well, you just give it to 'em, right? The possession is really loose in all of this process, right? So now we've got the MFA and in theory Peyton is the one that's accessing our single sign-on portals or our operating systems. But what happens when Peyton wants to share that access with somebody else? That's what we're gonna talk about next and how we fix it. So what could go wrong in this process? Well, on day one, when that credential is given out, they could loop in a bad actor. And this is called proxy hiring, contractor jacking, there's a bunch of terms for it.
There have been FBI warnings about this. There have been ISACs, right? Information sharing organizations that are putting out real warnings about this. It is happening. I saw no less than six articles on this in the past couple months for magazines like Business Insider. So when you first get that credential, how do you know who's actually receiving it? What if my 2FA, which is typically on my phone or on some token, is given to somebody else on day one, right? How do you prove that? Or maybe I do have the 2FA in my pocket, but I'm giving the codes out one at a time. Hey, I need to get into the system. Can you WhatsApp me the six-digit code, right? The username and password, you just share that. There's some compensating controls we can do, but at the end of the day we don't know who it is.
So on day two then that second actor is the one logging in, logging in, logging in. And you have no way of knowing it, right? Is it the person on the left or the person on the right? And so we have some ways that we can mitigate this. There is digital onboarding, right? It's coming of age. There's no less than a hundred vendors out there that do this for a living. And typically they'll scan your, your government credentials and say, yes, that is the person, but we need to go a step further. We need to give them a credential that goes along with that. That's reusable. This is a digital wallet, the wallet that we all have in our pocket or our purse, right? I want to be gender neutral on this, right? Your credential sleeve, we'll call it has a credential in it and there's a biometric on it that matches my face.
And we can do this now digitally. So let's transform how we're doing that. And at the same time, we've got so many other digital tools at our disposal. We can verify the location, right? We've got GPS, we've got IP addresses, whatever. We can verify the phone number, right? In real time with trusted authorities. And very important for remote called zero trust for identity is we can do real biometrics in a way that's safe and doesn't violate, you know, your Illinois laws or whatever else it is in various countries and states, right? And the key is the user needs to be in control of this process for it to be trusted. So let's change how we do this. I'm gonna show you a digital onboarding. Live ID is our form of real biometric that we'll be showing you here today. Verified to trusted citizen or resident identity and an automated Workday work account enrollment process, right?
So we're gonna get rid of that manual HR onboarding process. We're gonna jumpstart or bootstrap the IGA process and give access without ever needing a username and a password. So the flow for this is really straightforward. You'll go through talent acquisition and you'll engage with them using the same mechanism, their email, their phone number, and then we're gonna issue them a credential on the fly. So, but they verified in real time with a very enjoyable and low-friction experience. So at the heart of this, as I mentioned, is a wallet. There's two forms of wallets typically. There's ones that are in an app on a phone and you have a very controlled experience. You're leveraging the secure aspects of the phone, the TPM, the secure element, whatever you wanna call it. There's also web-based wallets, right? So you can also do this in a way where you don't have to have an app.
We're gonna be demonstrating the app-based version because that satisfies the needs for 90 x percent of employers, right? Their people, either they give 'em a phone or they're willing to use their phone and we can handle those edge cases. But as part of this, the document verification that you mentioned, Annie, is really important to have broad coverage globally, right? Cuz we're hiring a global workforce. And then the biometrics are a key enabler for this as well. They go hand in hand. One without the other really doesn't get you very far. So let's change this process. During the interview process we can verify identity without having to have access to that data ourselves. Cause we haven't hired Peyton here yet. Let the SMEs trust that this person is who they say they are. And then when we issue them the credential, it's something that we can trust and leverage for a better user experience. So I am going to run through a short demo. The first thing I'm gonna show is identity onboarding, where you launch an app and enroll your biometrics. So this is, sorry, wrong one.
As I mentioned, I'm kind of doing this on the fly here. You're gonna see me enrolling my identity into my own digital wallet. So when this is launched, a key enabler for this is a private key, no pun intended. That is generated typically on the fly, handed to the user. Public key goes on a server, and then we'll enroll your Touch ID, Face ID, which we all use and love every day. But this doesn't prove identity. What does is a real biometric, right? So this is the next step in the process, is to prompt the user for their live selfie. Now this live selfie needs to be verified, it needs to pass all of the false acceptance and false rejection rates, right? So you need to pick one that is really trusted and there's lots of ways to do this. The government has gotten quite involved in this.
And then once that's done, that live ID is gonna be used to onboard their government credentials. So continue the process here. Compared to taking a picture and emailing it, we can now leverage the 12 megapixel camera in our pocket, scan the front and the back of the document, verify it for fraudulent characteristics and match the photo in real time. And it actually is this fast. I'm really good at it. So you know, I may be a little bit faster than your average Joe or Jane, but we can support even passports. Same process, use OCR, match the photo. And even in this example, read the NFC chip inside of a passport, which gives you a high quality photo digitally signed from the issuing authority, typically an ICAO authority. So what just happened there? I onboarded my own identity into my own wallet. And this wallet is really an enabler.
And you're seeing traction where these types of wallets, like there's a whole EU digital wallet effort that's going on. There's a dozen countries that have spun up these types of efforts as well. So this is coming of mainstream and there's vendors like 1Kosmos that put this all into one package to create identity orchestration. Now, once that wallet has been created, it's now in the user's possession. The employer, right? The vendor should not have any access to this data yet. This is where I'm gonna try to do something live here. So then we come to your HR onboarding portal, sorry, yeah. Click.
And we're gonna prompt the user to unlock the data from their wallet and transmit it directly into the HR system of choice to jumpstart that IGA process. So what you'll see here is my phone on user's screen on the left and my phone on the right, my wallet. And this wallet could be private labeled, it could be from a trusted third party. As we mentioned, there's standards that allow interoperability here. That's really important. In the US we have the NIST 800-63-3 standard, which proves that the remote identity meets certain criteria and we're gonna be showing some authentication standards as well, right? So federated authentication protocols. But now the process for this is to ask the user to unlock that data, prove that it's them, right? So they will unlock the data from their wallet and my data has been transmitted directly into the HR system. Now this is obviously a demo app. You wouldn't have to show this to the user and you do not have to capture the actual images, but sometimes you have a requirement to do that. The next step in the process is just to route it over to HR. HR would come and verify a couple fields, right? There's some stuff that's not on the driver's license. And then I'm gonna jump over to show you how this process finishes.
And the user would then continue their journey and receive a credential that they can log in automatically. All right? So next step in the process. Here we go. Right? So this is what I just went through. I transmitted, and the reason I'm showing a video for this is I don't want my private data to be shown. So now the final step in this process is to send the user that digital credential. Don't have the line manager call them up and give them a username and password on the phone. We can do this electronically. So now at this point, I'm sent a link that only I can open because it's tied back to the identity onboarding process. I click this link here and now my, in this example, Active Directory credentials are put directly into my wallet as well, alongside my identity.
And that is it. So I now have a strong identity with a credential to go along with it. And so now I'm, I'm gonna come up to my first system remote access, or maybe I'm in the office and I need to log into a Windows workstation. So you can do it the old way, username, password. But modern authentication systems can now be deployed in parallel where you give users option B until you can phase out the legacy stuff, right? Cuz it's a long journey to get rid of the hundreds of places where we have passwords inside of our infrastructure. So let's start with the low hanging fruit, remote access operating systems and your SSO systems, if you put in a strong identity in front of them, you're getting rid of 80% of the credentials and the risk. So now when Peyton comes to that first system and you want to verify it's them, ask them.
All right? So in this example you'll see that I have to prove my identity with biometrics before I'm allowed into the system. Undeniable proof that I am the user that joined the organization yesterday. So this solves all kinds of zero trust challenges, proxy interviewing, contractor jacking, right? You can mitigate them. Now you don't need to do that every time. Touch ID and face ID are very reliable and it's what 90% of organizations use today. So you use that most of the time. And then you can do things like this. So here in this example, when you lock the workstation on second time, you don't have to ask them for that real biometric every time. Maybe do it on Mondays, right? In this example, I've unlocked my workstation by sending a push message to my phone or watch and I'm staring at my applications there with the press of a button.
So we're transforming the way that we engage with users. And really if you think about it, these two boxes that I had in blue in the beginning that I broke out of the KuppingerCole reference architecture, these two boxes here at the top are what are missing for most IAM architectures today for both consumer and workforce, right? How do we onboard account identities digitally, right? It could be government identity, corporate identity, and jumpstart that process into our IGA systems. And then when we need to engage with the user, of course you have to support all the legacy things. You're still gonna have passwords, you have to handle password resets. And you can do that by asking them for proof of identity, right? You do. It's a very trusted break glass process for one that once or twice a year they come to a system that hasn't been migrated to a passwordless experience, but that you saw me scanning a QR code.
That is a way to authenticate where it's user initiated. Avoiding things like push attacks and it's phishing resistant as well. And when you need real proof of user, you can do voice or face, right? There's a bunch of options there that are built into our consumer grade hardware today. And of course we can support the modern passwordless authentication protocols, WebAuthn, et cetera. As that matures, there'll be more options there as well. And these then will feed down into your other systems which need a strong source of identity, right? So that is the way we think about it and the way the world is starting to go. We're seeing this happen on both the consumer and the workforce side. And again, they shouldn't be separate types of efforts. You need to prove who a customer is for KYC or banking. You need to prove who an employee or a contractor is before you allow them to access the keys to the kingdom inside your infrastructure. So with that Annie, I'll hand it back over to you and looking forward to any questions that we can get into here with the audience.
Great, thanks Mike. Thanks for walking us through those couple demos and getting, yeah, getting a bit of clarity on what this onboarding process can look like, particularly for the workforce scenario. So we do have a few questions from the audience. I'll put out another reminder. If you do have a question, use the go-to webinar panel, submit that and I'll be able to handle those now and get an answer from Mike while you've got 'em here live. So the first question that we've got is centered on privacy. And they are asking for a little more clarity on how a verifiable credential or this credential that you were talking about issuing really helps with privacy compliance.
Yeah, so the beauty of this architecture, not just ours, but the way wallets and verifiable credentials are evolving is they are privacy preserving in that you will get your credential and that credential could be, I'm an employee for bank XYZ or whatever it is, or I went to a certain university or I have a, you know, some type of like a COVID vaccination, right? These are credentials that are issued and they're issued with something called zero knowledge proof in that I can present them to you without having to trust an intermediary, right? So it's privacy preserving and you don't have to see the original document, for example, COVID vaccination, you don't need to see my home address on there, my blood type or whatever else might be on there. Even the type of shot that I got. And it just really comes down to a trusted yes or no that comes out of the system. And the example that's classic is I need to prove my age. So I can just ask the system to say, are you of age, yes or no? You don't need to see my actual driver's license. Which reveals way too much information to answer that question. So it opens up a lot of doors for privacy-preserving trust, you know, to make it a lot easier to engage with people.
And that really opens it up to a flexibility in use cases as well. You're not always having to go through an onboarding process or a transaction with the highest level of assurance. You're able to pick and choose what you need to share. Yeah, upholding those, those data minimization principles. So thanks for that explanation there Mike. Next question is about using credentials that have been issued by a separate organization. So is it possible then to, if a, if a customer's already been proved for an organization to leverage that proof that's been done by somebody else?
It is. Yeah. That's just like your wallet when you pull that credential out of it can be handed to 10 parties. You can do that now digitally as well. So one of the hot topics or organizations putting a lot of effort into this are, for example, Active Directory is being used by probably nearly all of the Fortune 500. And inside of that you could issue a credential that's trusted from your organization. So I work again for Bank X, Bank X issues me a credential and I can go share that with trusted parties without having to have each one of those parties establish direct connection, right? To set up federated logins and with the right network or consortiums, we're seeing the identities be able to be used over and over again, right? So I know in Germany there's been a couple of consumer examples of this where your identity gets onboarded once and can be used between insurance companies or banks, et cetera.
It's happening in the Nordics, it's happening in a bunch of places in Asia as well. So that is the holy grail: onboard once. Even with the large banks today, they have to onboard their own users multiple times into different products, right? Checking account, mortgage, credit card, you have to prove your identity over and over again. Even inside some of these large organizations. There's a real opportunity just starting there where onboard my checking account and transmit that data over to the credit card department with the press of a button, right? And be able to meet the compliance needs that they have.
Yeah, thank you for that. Next question about the sorts of integrations that you already have in place. Are there integrations, for example, for Workday or for other major applications that many organizations use? And what would some of those be?
Yeah, there are. So you'll find us in the marketplace for, you know, Auth0 or all the SSO providers, right? Where with the press of a button you can inject identity onboarding and passwordless authentication into those native systems, right? 'Cause they do what they do really well. They have, you know, very good rules engines, they do single sign-on really well with SAML or OIDC. So we can sit right on top, have a seamless way to onboard users like I showed you today, and let that flow down into the target system. So we have about 150 plug-ins natively for different types of systems or support for those federated authentication protocols that I mentioned.
Great, great. Next question. Going back to a statement that you had earlier in the presentation about Touch ID and Face ID doing a good job, but it's not proving identity, but that live ID with One Cosmos does. Can you go into why that is?
Yeah, if you, if you look at your, I'm actually gonna pull up my phone here and see what I'm gonna show, but if you go look at your Android or your iOS device today, you'll see that it has something called, for example, an alternate appearance. And what that means is you could add second face to a phone or a second thumbprint and Android support, 2, 3, 4 fingers. How do you know whose finger it is, right? It's not verified identity, it is linked back to the operating system of the phone. Typically my Apple ID has somebody's face on it. So in order to do real identity, you need real biometrics, right? This face that you see right here has to be matched back to a source of truth. That source of truth could be a corporate photo in inside the physical access control system or some LDAP system or a government credential. That is the only way to prove identity. My kids probably have their face or thumb on my phone, which means they, if I don't use real biometrics, they could get into my online banking. I think I better check that after the call's done. But you get the idea that the devices biometrics are just a point in time. Somebody's face or finger was put onto that device and it's not verified. So there's a big difference between the two.
Great, thanks for that. And another clarification then on the web flow for this, as opposed to using a phone for login and authentication, for example, would doing this flow in a web browser mean that you would need a separate personal computer? Does this always accompany by your mobile device? How does this work?
The most common way is you, if you're on a web channel and you say you I I won't get an app or can't for some reason, right? Where you're doing it all in app. In app is a great experience. We know how powerful our phones are and how much you can control the experience. But in those other examples, you go to a web channel and you start the onboarding process and there's two options. You could invoke this webcam like you see here to capture biometrics and then you a custodian model where that data, you have to have a way to encrypt the data that you can engage with the user and store it centrally in a safe way. So you again, using public private key cryptography and there's two ways to capture, as I mentioned, you can use the webcam or you could route it to a phone just to use its browser and camera without an app.
And that's very common. So the flow would be type in your phone number, your phone jingles, and you're just prompted through a safari or a chrome session where it says, okay, scan your driver's license and just let me take a selfie here with the native camera. That data then is routed back to the web process and finished. So that really covers a large number of, of different use cases that may have app challenges or you know, sometimes it's illegal to force employees to go get an app now in certain places. So we can handle those with the different technologies.
And then on top of that, as a, as a more concise clarification then how do you log in if your mobile's not available, if it's broken, if it's lost, if it's at home, some of these other scenarios.
Yeah. So our system supports nine different ways to authenticate somebody. The app that you saw me scanning a QR code, scanning my face, Touch ID, Face ID, or your Live ID is the easiest and the most secure. But we also support FIDO authenticators, so it could be a token, FIDO certified token, or the native platform authenticators. So that's your Windows Hello, your Mac's Touch ID, Face ID that's built in. And that's built into nearly every commonly used operating system and browser today. So the process would be sign up and set up a secondary form of authentication in case the primary goes offline and then you can use that as part of a recovery mechanism in case you get a new phone and you have to restore your identity. So there's a bunch of options to support that as well.
Great. And perhaps a final question for this round, if you have any last minute questions, feel free to send them in, but is it possible to meet KYC and AML guidelines in this remote verification and authentication framework?
It is, yeah. It's now you see a lot of the newer fintechs doing digital onboarding, the, you know, little bit more flexible infrastructure for some of these younger companies. So they'll walk you through a digital onboarding experience, much like I showed you today and reach that high level of assurance to give you, you know, eIDAS significant or NIST 800-63-3 IAL2 for example, compared to the legacy way of give me some type of national ID number, social security number and ask some knowledge based questions called KBA, right? Knowledge-based authentication, also called known by anybody, right? KBA is an alternate meaning. So yeah, it will strengthen the account at the beginning and give them that credential for that as well. So as I mentioned, whether it's onboarding a new hire or a new banking customer, this is the future and it'll reduce a lot of fraud and insider threat risks.
Great. Thank you for answering those questions Mike. Thanks for our audience for asking. So many very interesting, really relevant questions here. And I would suggest that we switch over and take a look at the poll results before we wrap up for today. So for our initial question on if people have already used such an identity verification solution, we've got 68% who answered yes, a 32% who answered no. So we're seeing that these sorts of solutions are becoming more and more prominent, at least in the consumer side if we're using these personally. But we had some great examples of how this could be used in, in a workforce scenario as well.
Yeah, these are, those are encouraging numbers, right? Seven out of 10 said they've done some type of remote identity verification, so maybe the time is now, right?
Yeah, yeah. So let's see where I can view the next slide. The next one, good. Yeah, so if you already have an approach to bringing in identity verification, some yes, 39% are answering yes, but 61% not yet. And so this is perhaps something to consider if they're already some pain points in the onboarding process for consumers, also for the workforce, this can be something to consider. Maybe you already have somebody to talk to about it for some more ideas.
Yeah, and it doesn't surprise me that we have a bunch of identity folks on this call. So many of them have tried it, but you know, getting your organization to adopt it is of course a longer journey. So, but it's great. Again, four outta 10 are heading in the right direction. So we're already there I'm saying. And the other six outta 10 must be not far behind hopefully.
Great. And our final poll question, your view on fraud reduction, do you see this as an important part of an access management solution? Overwhelmingly, you answered yes Mike, you did hint at that. We probably have a lot of identity folks here, so I'm glad this is on your radar, but there's obviously room in the conversation to talk about this if you have more questions, need to talk about your own experiences with deter fraud.
Yeah, this is not surprising at all. It's like saying, you know, do you like good things, right? It's,
Yeah,
And again, it's not just fraud, it is insider threat as well. They, they kind of detect and mitigate them in very similar ways. So
Absolutely, yes. Think about, that was a great way you described it, that the, the fraud just takes on a different form, has different incentives, you know, either after money or secrets. Great. With that, I'd like to offer a big thank you to all of you who were listening and answering questions, asking questions. Also, Mike, who was answering questions that was very enlightening along the way. So a big thank you to all of you. If you're interested in more content like this, we do have a virtual event hosted by KuppingerCole happening on December 7th. Happens to be on access management. So if this is a topic which is interesting to you, we have a good collection of speakers from the industry, speakers who have recently implemented access management projects and analysts offering their perspective on this. So feel free to check that out or perhaps a little closer to today, November 8th through 10th, we do have a hybrid event that means it's happening on site in Berlin.
So if you're nearby or would like an excuse to go to Berlin, check that out. Or it's also happening online. You can tune in from anywhere focusing on cybersecurity, the human factors, the mix of cloud and ot, security and automation here. And finally, if you prefer reading, we do have a good collection of reports here that could expand your knowledge on this topic. As I said, you'll receive this slide deck or you'll have the opportunity to download it in the coming days. So you'll be able to take a look should you be interested. We also host a variety of other services as well, research events and webinars. You've met us here in an advisory. And with that, I thank you very much for your participation and I wish you a wonderful rest of your day.
Yeah, thank you everybody and thanks for having me, Annie.
Thank you.
