Discussion panel at the Consumer Identity World 2017 EU in Paris, France
Well, why don't we go ahead and get started, and maybe our other panelists will wander in. So I'll go ahead and do a quick intro there. Sure. So hello everyone. I'm Pam Kain from me and is on cybersecurity consultancy. And we have offices in Phillip, Sweden Netex and Mt. Practice lead for consumer IAM solutions. So we're basically designing, building, deploying and operating the IAM solutions for our customers.
And at the moment we have many customers in finance, retail and e-commerce who are very interested in improving the security, usability and interoperability of mobile authentication, and basically building solutions with proven technologies like OpenID Connect and FIDO U2F. And one of the key aspects from our standpoint is also the secure enrollment of the mobile credentials.
So looking at the situation from a Northern European perspective, like having either bank credentials, mobile operator issued mobile certificates, Mobile Connect or national eID solutions to offer the kind of identity to use as a basis. And it also enables the know-your-customer type scenario, where you get the attributes about the user who's authenticating in a verified manner. So that's my background. It should be up there by the time you get it up there.
Hello, it's Jeff Maynard and I'm the CEO and founder of Biometric Signature ID; we're based in Dallas, Texas. And what we have built and patented is sort of a biometric with a twist. Have all of you waved at me earlier today? Yeah.
Yeah, you did. Okay. So I'm not gonna have you guys wave again, but basically what we've done is we've taken a typed password and replaced it with a bio code. It's like a password. And instead of typing it, you draw it in. So you draw it in with your finger, or you're holding onto a mouse or stylus, on any device that accepts HTML5. And we've been tested. We were selected by the White House for NSTIC. We're one of the first five pilots selected by the National Strategy for Trusted Identities in Cyberspace.
So we worked with Microsoft and CA and a couple of other great companies to try and find an answer to internet fraud, no mean feat. And we also sit on the Nassal committee for ID proofing and verification. That's part of the federal initiative to try and provide guidance to consumers and companies out there. So who do we sell to and how do we do it?
Basically, we've had hundreds and hundreds of installs, and we use common markup language, standard protocols, or do stuff with folks who have their own set. And it's an easy installation. And the way it works is like any other biometric: an individual has to go in and log in, and they have to enroll, and they enroll by creating what could be 2, 9 20, which could be your password, and the length and the speed and the direction and the angle of how you create that is unique to each one of you.
That's why earlier today I had everybody wave at me and said, how unique is every one of you with how you're creating your own body language? So we pick up on all of that. And certainly we have about 11 million users in 95-odd countries. We've been approved by the DoD because we do a lot of service personnel in lots of different locations across the world.
I didn't realize that service guys didn't work 24/7, you know, but they only work a couple hours, or what do you do the rest of the time? You do a lot of courses, and they're all online, and in the States this is a big problem because there's a lot of cheating going on. Haha. You didn't think so? Right? But it's a very robust market, and the students don't have to show up at school anymore. They can take all their classes online. And for $30,000 a year, you can get somebody to do your own degree, get a degree. You don't have to stand and go anywhere.
So it's a big problem, and it's about a 4 billion a year problem. And we're a market leader in that particular segment. We're also in healthcare and financial services. And I'll talk a little bit later today about some of the use cases that we're involved in. Thank you. Thank you.
So I'm the late show. My name is Andrew Bud.
I'm not on that screen. I am a founder and CEO of iProov. As those of you who participated in the previous panel will know, iProov is now becoming the world leader in cloud-based face verification for online authentication. So we authenticate remote users online, and we do so in a way that is exceptionally usable because it's just your face. You look at the device, it looks back at you. You don't have to do anything. You can do it on any device that has a front-facing camera and a front-facing screen, but it's also extremely secure.
We are the only company in the world that has effectively cracked the problem of genuineness testing, of making sure that you are actually authenticating a real face and not some clever physical or digital proximity or recording. And we're used by banks and governments in various countries, both for authenticating online and also for identity proofing remotely, where people authenticate to their own passport so that you can do an onboarding KYC in 30 seconds using untrusted hardware in an unsupervised circumstance.
Bingo, you overcome the KYC at the onboarding phase. And the topic of the panel is something very dear to my heart, which is how on earth one integrates these solutions into eCommerce, banking and other identity-dependent solutions. We're London based and going about five years.
And I should disclose that I'm also one of the founders and now the chair of the MEF. Well, welcome.
Yeah, I'm really interested in getting to the meat of what the panel's about here, integrating with eCommerce. Earlier I think I was trying to focus on the different biometric modalities, the hardware side, what you can do with it, what the ups and downs of each of the different forms are, but it's more than just fun technology to use, even though we did discuss that. Some people seem to like to use it just for the heck of it.
So how do companies, let's say, who want to employ a consumer identity management system leverage the mobile biometrics or mobile authentication, maybe the mobile push apps, you know, authorization? What are the best ways available today to integrate that with eCommerce and solutions? So I'll briefly just describe how, after much painful reasoning, we came up with it. The first is that any enterprise has to decide for itself who is the identity issuer. So there's a lot of movement about the creation of independent identity issuers.
UK GOV.UK Verify, for example, is an independent identity issuer, and the eCommerce providers effectively trust in that whole identity architecture the same way they trust Facebook Connect. In our experience, most eCommerce vendors of any large organization don't want to do that. They don't want to lose control of their own users. So they actually want to be their own identity issuers. They want to operate their own identity silo, and they want to use biometric authentication.
They want to use mobile authentication purely as an authentication method, not as part of a complete integrated identity package. Now that's your choice. The way we integrate, therefore, is we then design for privacy, which is really important. So the way that it works is that during enrollment the enterprise gets to a point where they trust the user by whatever means they choose. And then they pass the user across to us labeled with an anonymous serial number. We then do some magic.
We take video of them. We flash lights at them.
We create a record which is associated with that anonymous serial number. And we pass control back. We also have a conversation with the enterprise at the back end. We never just trust stuff that communicates between us and the enterprise through the mobile device, because that mobile device is uneven and unprotected and all sorts of bad things can happen on the way. So as well as the communication through the device, we also have a backend verification phase.
Then whenever the user comes back, at a certain point the enterprise's app or their webpage passes control of the user to us, locally marked with that anonymous serial number. Remember, we never know who that customer actually is. We do our biometric authentication magic. We produce a result. We pass it back to the enterprise's app or webpage. They then check the validity of that answer out of band by means of a secure interface between us and them. Is it standardized? It's about five API calls.
Integration normally takes between one and two days. Frankly, it's faster to do an integration with iProov than it would be to read a standard, and it has the advantage of being simple and designed for privacy, because we never ever know who the customer is, nor do we have any means of discovering who the customer is, because all we ever get is associated with a completely opaque serial. So we have the faces, but not the identities. The enterprise has the identities, but not the faces. It's a design purpose.
Yeah, I think this was a great example of how to integrate those options into the management and eCommerce. And basically the background that we are working with is that usually the customers have some existing access management solution in place, and they want to start building on that and on the existing user base. And what it basically starts with is the secure enrollment, and the companies want to keep in mind the improvements that they want in usability, security and interoperability.
And I think it's been pretty clear in the discussions that everybody wants to get rid of the passwords and bring usability to a better level. And basically, if you have the secure enrollment in place, after that you start authenticating the end users. And actually the cases that we have built have been built on standards like FIDO U2F.
So ForgeRock, for instance, offer this white-label mobile authentication application that you can plug into their access management solutions. So that's pretty straightforward, or you can build it using SDKs, so that after the secure enrollment you, for instance, generate the key pair in the mobile application, stored in the keychain protected with the device authentication of the mobile device, and push the public key to the back end.
And then when you want to initiate authentication, it's basically a challenge-response based mechanism, where you can either initiate the authentication by sending a push notification to the mobile device or, for instance, by scanning a QR code. We found the push notification to be more user friendly for end users. And what actually happens after that is that when you want to release the private key for signing the challenge from the device keychain, you need to provide the device authentication.
So it's usually the fingerprint in iOS or the pattern in Android, or a PIN code. So it has been kind of the most straightforward way for us to rely on the device authentication capabilities to get the biometric functionalities integrated. Just as well, we could have biometric capabilities from either of your solutions. And that's basically how we have been working.
Can I just add something which I'd forgotten to mention? In our integration with ForgeRock, we actually use push, so that ForgeRock processes the identity, and then when it comes to the authentication, they use push notifications to start up iProov on that user's handset. So the person may be working at something which has no camera or no right access to a camera.
They go through a certain process, the push notification comes to their preregistered personal handset, they then prove themselves on their handset, and that then allows ForgeRock to complete the process.
Yeah, I think that's a great example of how to integrate your solution with the access management. And actually another use case that we have worked on with customers is the mobile-side single sign-on capability. So on the web and on the desktop, single sign-on has been in place for quite a while now.
But when, for instance, for multiple mobile applications, like five or six within the same ecosystem, and with the same identity provider, the situation has usually been that you have to log into each one of those separately. And what we've done is that we've been using the great work done by William Denniss from Google, with the AppAuth SDK that Google has open-sourced for Android and iOS.
So it's basically an SDK which you can use to integrate your mobile applications with OpenID Connect providers and have single sign-on functionality between the mobile applications. So I can just tell you about three different types of use cases, so you get maybe an idea of how clients are looking to the future and trying to incorporate the mobile device.
So the first one is work we're doing with a multinational entity that deals with 14,000 banks worldwide, and they came to us and they said, we want you to do a one-minute journey. I said, what? Pardon? And they said, yeah, we're concerned about our millennials and the fact that they have a lot of debit cards and they get into their accounts on a regular basis.
I said, well, like how regular? They said like three to five times a day. So they said two things that were kind of interesting to me.
They said they do that because they want to check their balance, see whether they have enough for beer for the night. I thought that was kind of hokey. And then two, they are checking whether they have any money left, and they're worried about security. So they called it the one-minute journey. And what they wanted us to do was to provide an authentication capability where they could take five or six seconds to authenticate their identity and spend the rest of the time in their account, looking and perusing their account.
And, you know, we can do that, because our type of technology doesn't take but five seconds to verify your identity. You have to have an initial enrollment.
Of course, every biometric that you'll hear of has to have a template to compare to. So that initial enrollment creates that template. And for us it takes somewhere between two and three minutes to create. And then thereafter, every time you challenge them on a verification challenge, that takes somewhere around five seconds, depending on the complexity of their password.
The second use case that might be interesting is there's a lot of folks who are concerned about the validity of the document, whether or not it's a legit document, because if you're trying to provide a service or make a sale to somebody as an e-tailer, are you concerned that that's a legitimate document, or is that person the rightful person?
So we created a system where you can take a look at somebody's photo ID, front and back, and it's gotta match; that's step number one. Number two, they take a selfie against the photo ID, and if that's a match, then they move on and they're able to then verify their identity, same case as what I just described, in five seconds. Then they move on and they can legitimately engage in eCommerce.
The third one was with one of the top five technology companies who wanted to find a way to engage some of their users in terms of being able to sign a document using the mobile device with one of their stylus pens. So their whole concept was, if you're going to buy something of significance, maybe a dryer or whatever, from the store, they wanted to make sure that you could sign a warranty and that you could maybe sign a contract right there and then using your mobile device.
So we actually created for them a new product called bio name it. Who here knows of a product named DocuSign or e-sign? Of course. So what that does is it shows one thing: it's not biometric, right? And why is it not a biometric? In most cases, anybody know? I said a little earlier what a biometric is; it's something to do with a template, right? No template, it's not biometric. So basically there's no template. Nobody's asking you to sign and create a template, enroll in anything, and then that's stored and you've gotta compare to that, with some of these signature products like that.
So what they do is they show something invaluable, which is called non-repudiation, which means I've left the mark. They don't know who that person is, but they know that there's a mark, and that in some cases is enough to conduct eCommerce. So this particular product called Biona is actually able to take your cursive signature and be able to validate that, verify that, authenticate you. Again, you create a template and that's your signature, and you're able to then actually use your signature. And then you also show non-repudiation.
So those are sort of three use cases that we've been dealing with lately. Thank you. Do you see any differences, let's say between industries, healthcare, finance, retail, in how they're using these kinds of technologies, or what transport methods or modalities they prefer? So what I'm seeing is that they have a little bit different approaches towards the identity assurance that needs to be done in the initial enrollment. So obviously in finance, you want to identify the individual as well as possible.
So in the Nordics and in Estonia, for instance, getting that with national eIDs, with bank credentials and with mobile operators is pretty easy. So one of the aspects that you also brought up was that there's always people who don't necessarily have this online credential. So you have to rely on ID documents. And that's kind of a tricky area, because you have to have a large database of different types of ID documents and how you actually validate them.
And what is the assurance level that you're looking for? Whether it's enough to have a passport and just read the machine-readable section of it, or would you actually have to do what you described, having an Android and reading some of the passport information over NFC. So I think it boils down to the identity assurance. How well do you want to identify the individuals?
What I found really fascinating is not so much difference between sectors. Although there is a difference between sectors, because the truth is that although the banks are really expert in authentication and they have extremely high levels of technical capability and risk analysis, the truth is that they factored in maybe 1% of fraud into their business model. So they can kind of tolerate that.
Whereas the healthcare industry can't really say, oh well, if we only lose 1% of our health records to malefactors, that's okay, isn't it? No, it's not. So there are significant differences between sectors. What we found is dramatic differences between countries: when we deal with countries such as Brazil, South Africa, their level of sensitivity to sophisticated frauds is orders of magnitude greater than it is in Western countries. And I think the reason is that the gains to be made from fraud are so great in these poorer countries.
So when we go through security due diligence testing in these countries, the level of sophistication is deeply impressive. The idea of optical document capture, as you've just described, is quite commonly used in Northern Europe. When we talk to other countries about this, they fall about laughing. There are shops in São Paulo where you can go to have whatever passport you want made up while you wait. You know, this isn't Photoshop, this is with LA. This is with engraved lamination complete on it.
So the kinds of risks that people are willing to accept in Europe get laughed out of court in the rougher parts of the world. And that actually makes them interesting laboratories for the future, because they are just as sensitive to the user experience.
They're just as sensitive, in fact in some cases more so, because people maybe aren't quite as literate; some of their customers aren't quite as literate as you might expect, as they are in STO F. Maybe that's where Paul Manafort got all his passports. But so they're very sensitive to user experience, but they also have a really high sensitivity to security risks that normally people maybe are willing to overlook.
I think it's just for me to add one thing on that, if I could, and I call it assurance levels. And what we find, even within the same client, is they'll have a different need depending on the subpopulation that they're dealing with. It's not all the same congruous population. And for example, in the description I just gave you in terms of looking at fake IDs or not, we have some clients that want to do it virtually with a, sorry, with a virtual agent.
So what we'll do is we'll redirect them, they'll connect with a virtual agent who will then assess that government-issued ID, you know, in a virtual way. And there's somebody live there to talk them through the rest of it. So just again, what we find is assurance levels. Some people are saying for that particular use indication, we're fine with that, but we need to step it up. We need to step it up. And this is the whole concept of step-up therapy. Can I just say we have these conversations as well, and they're absolutely hilarious.
And the reason is, a lot of organizations say, well, we're happy to deal with automated face checking in the first instance, but then we want to step up to human beings. Unfortunately, there's an academic study that was done by the University of New South Wales a number of years ago. It's very famous. It's published on PLOS, which looked at the face matching performance of skilled, experienced passport officers under benign conditions and no time pressure.
And they found that these guys, who had 10 years' experience, when presented with a selfie and a photograph, had a false accept rate of 10.4%. When they had a person physically in front of them, comparing against the passport photo, then their false accept rate went up to 15%. A machine has a false accept rate that is below 0.1%. So a machine is approximately of the order of a hundred times more reliable than a human being. So when people say, well, we want to step up and check with a human being.
The only effect of this, the only effect, is to measure the performance of the human checker. Excellent.
We've got time for a question or two. Hi, thank you. I'm Martin with pity. I had a quick question on something that is on this slide that we haven't touched at all in that panel, which is very interesting. You mentioned a couple of vendors. I was looking at Ecommerce Europe figures. And one of the big drivers right now of e-commerce is actually adoption of native apps to go online shopping. In other words, not on your computer, and not, you know, popping up from the native app to an authentication method to go back to your native app.
So the question for you guys is, you know, what's your stance with regards to staying native in the app and the eCommerce app you're working on, rather than... So using SDKs and things like that. That's our standard method.
That's the standard method. Since the eCommerce vendor is the identity issuer, the idea of popping them out to a separate app makes absolutely no sense at all. So where there's a native app, we automatically assume, and actually propose, that they embed our SDK inside their app so it remains a completely fluid, native and fully integrated experience. Why would we do anything else?
Yeah, well, we have also been building browser-based flows for the authentication with the AppAuth SDK and OpenID Connect. So we're hosting the authentication functionalities from the identity provider, and it's actually using the Safari View Controller for iOS and Custom Tabs for Android.
And it's playing really pretty well. When you make the authentication pages responsive at the identity provider, it actually provides a little bit more information for the end user of what's happening, compared to the previous way of incorporating the authentication functionalities from the identity provider by using a web view, where you basically lost control of where the information was loaded. And thank you to the panel. Where break time? We're heading into our final break of the day. So thanks for your participation. And we'll be back at 4:40.
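The push-based mobile authentication flow described in the panel (a key pair generated in the app, the public key pushed to the back end at enrollment, a server challenge signed with the private key once the user has passed device authentication) is worked through below as an added example. This is illustrative Go written for this page, not code from any of the panelists' companies or products; the Device and Backend types, the P-256 curve, the two-minute challenge lifetime and the device identifier are assumptions. The back end side shows the checks a practitioner wants in such a flow: the challenge is random, bound to one enrolled device, single use, and rejected once expired.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Device stands in for the mobile app (a hypothetical type for this example). The
// private key never leaves it; on a phone it sits in the keychain, unlocked by device authentication.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

// NewDevice generates the enrollment key pair (P-256, the curve FIDO U2F uses).
func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is the only key material pushed to the back end at enrollment.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// SignChallenge runs once the user has approved the push and unlocked the key.
func (d *Device) SignChallenge(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

type pendingChallenge struct{ value []byte; expires time.Time }

// Backend is the access management side (hypothetical type): enrolled public
// keys plus the challenges it has issued and not yet consumed.
type Backend struct {
	keys     map[string]*ecdsa.PublicKey
	pending  map[string]pendingChallenge
	lifetime time.Duration // assumed challenge lifetime; two minutes here
}

func NewBackend() *Backend {
	return &Backend{
		keys:     map[string]*ecdsa.PublicKey{},
		pending:  map[string]pendingChallenge{},
		lifetime: 2 * time.Minute,
	}
}

// Enroll binds a public key to a device id. This runs only after secure
// enrollment, i.e. once the user has been identified by means the enterprise trusts.
func (b *Backend) Enroll(deviceID string, pub *ecdsa.PublicKey) {
	b.keys[deviceID] = pub
}

// IssueChallenge creates a fresh 32-byte random challenge for one device and
// records its expiry; this is the payload a push notification or QR code carries.
func (b *Backend) IssueChallenge(deviceID string) ([]byte, error) {
	if _, ok := b.keys[deviceID]; !ok {
		return nil, errors.New("device not enrolled")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	b.pending[deviceID] = pendingChallenge{value: c, expires: time.Now().Add(b.lifetime)}
	return c, nil
}

// Verify checks the signed challenge against the enrolled key. The challenge is
// consumed on first use (no replay) and rejected when stale, even if the signature is valid.
func (b *Backend) Verify(deviceID string, challenge, sig []byte) error {
	pc, ok := b.pending[deviceID]
	if !ok {
		return errors.New("no outstanding challenge for device")
	}
	delete(b.pending, deviceID) // single use, whether or not the rest succeeds
	if time.Now().After(pc.expires) {
		return errors.New("challenge expired")
	}
	if !bytes.Equal(pc.value, challenge) {
		return errors.New("challenge does not match the one issued")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(b.keys[deviceID], digest[:], sig) {
		return errors.New("signature does not verify under the enrolled key")
	}
	return nil
}
```

Usage is enroll, issue, sign, verify in that order: `be.Enroll(dev.ID, dev.PublicKey())`, then `c, _ := be.IssueChallenge(dev.ID)`, `sig, _ := dev.SignChallenge(c)` on the device, and `be.Verify(dev.ID, c, sig)` on the back end, which returns nil once and an error on any replay. Deleting the pending challenge before the signature check is deliberate: a failed attempt should not leave the same challenge available for a second try, and the back end never needs to know who the user is, only which enrolled key answered.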