Good morning, everybody, glad you could make it this early. My name is Han KK. A lot of you may know me by my Twitter handle, Han gay. A lot of you may not know that I recently joined Unica as their CTO. And one of the reasons I joined them is that their mission of making connecting safe, by literally providing military-grade security with a consumer-level experience, really spoke to the heart of what I've been working on for many, many years, which is the idea of making security human and usable, both for our customers as well as the end users that they serve.
And that's really the focus of my talk today, which is: how do we use identity to make security usable, and also serve the privacy needs of our customers? Because we're all familiar with this face. This is the face that most end users make the minute our world, the world of security, intrudes on their business transactions.
It's the face that launched a thousand battles in boardrooms all across the world, where chief security officers are pitted against chief digital officers, arguing over this imaginary line of compromise between security and usability.
And the security officers would argue that because of usability concerns, we're still stuck with usernames and passwords as our primary means of authentication. It's the reason why we throw in things like social registration and maybe SMS-based two-factor authentication. And it's also the reason why credential compromise continues to be the single largest reason for breaches that organizations suffer. The recent Verizon DBIR report showed that credential compromise is now responsible for 81% of breaches, which is up from 63% last year.
On the other hand, the digital officers would argue that if the security officers had their way, every user would have to go through an obstacle course, provide a pint of blood and sing their school anthem before they did any interaction with the business.
Their perspective is that, like the folks in Galaxy Quest, any time you add security to the user experience, the user experience gets worse. And if you make security too hard, your users are gonna find a way to get around the security in the system, or even worse,
they're just gonna stop using your service and take their business elsewhere. So let's look at a recent occurrence, because this proves that usability is not just the concern of the digital officer. It's actually the concern of the security officer: the Google Docs attack that went viral last week, right?
Excuse me, in which this app that was posing as Google Docs tricked users into granting full access to their email and their contacts. Well, you know, it got resolved very quickly by Google, and the damage actually wasn't too bad, quite honestly, but all those breathless articles that followed and did the analysis on this really showed us two things.
First, there are still way too many people who believe that OAuth is an authentication standard. So we still have a lot of work to do to remind them that, you know, OAuth is about authorization, not authentication. The second is that bad usability equals bad security. Or, as I like to say, every time you introduce a usability issue into your security, a security breach gets its wings. You could go with Eve's less colorful or more useful description if you want.
But the idea is that any time you introduce usability issues, it's going to result in users, you know, failing, they're gonna have issues, and you're gonna create some security vectors. So there's no surprise in figuring out that I'm gonna say that identity is the key for this, at least because we're at the identity conference, the European Identity Conference, and not the European Blockchain Conference yet. I'm gonna say identity is the key, not blockchain; identity is the key to marrying security and usability.
And it's because identity allows us to bridge those two worlds.
And the key to doing that is to make identity invisible instead of in your face: interrupts, constant challenges, and form after form after form that the user has to deal with. We want identity to retreat into the background. We want it to become invisible to the user, almost like magic. So speaking of magic, let's speak about Disney. The House of Mouse has always been laser-focused on customer experience, but as one of the biggest brands in the world that deals with parents and children, they're also maniacally focused on security and privacy needs. So how do they do this?
Well, let's take a look at the MagicBand. The MagicBand is a simple wireless RFID and radio-emitting wristband that supports both contact and long-range readers. And it's sold to parents.
Parents go through a very simple registration process where, when a customer buys the MagicBand, they tie it to their account. They get multiple MagicBands, one for each member of the family, and they bind, or as Disney calls it, customize, each of the bands to the individual members of the family.
And from the customer experience perspective, this really changes the equation for how people interact with the parks. It allows them to get into the park if they bought an admission ticket or if they're an annual pass member. It gives them access to the FastPass lanes and allows them to get into the line at the appointed times, and only for the times that they have selected
and pre-selected. If you go to the park and they're taking all these photographs, it gets rid of the PhotoPass card that you have to collect from every single photographer.
Instead it collects all the photographs, and then you can access them, and they're securely stored. It takes care of payments. You can use it for payments throughout the park. And it even allows parents to assign money to the kids with a limit, so that the kids' spending is controlled, which is very important
when you're in the park with your kids. It allows some really magical experiences, where you can go to a restaurant and order food, and the food will be brought to your table wherever you may be sitting. You don't have to do anything. And when kids go in, you know, Elsa, Mickey, whatever character will come up and greet them by name, which if you're a kid is an amazing experience, right? And if you happen to be staying at their hotels, there are even more benefits. You can get into your room with it.
You can charge stuff to your room without having to carry your wallet in the hotel.
And it even integrates with their bus service at the airport, where you get picked up. The fact that you've boarded the bus immediately triggers the workflow at the hotel that allows them to put all the papers together, and basically reduces the amount of time you spend in the check-in line. All of these things go towards making the customer experience magical, and go to their mission statement of removing all friction from the park experience.
But it's also, first and foremost, a security device, because it's fundamentally doing authentication and access control. And it's not just doing that at entry to the park, but throughout the day, throughout all your experiences, at the FastPass lane, et cetera, it's doing identity and access control. It's also doing payment security, right?
The fact that it has location is an extremely important aspect of it.
When you consider how high-risk an environment a Disney resort is, a packed resort with kids and parents going crazy, the location features allow you to locate lost kids, lost members of your family, right? It also allows Disney to track traffic flow, basically immediately analyze the traffic flows and see where to go in and send in additional characters or set up events in order to redistribute the crowd flow, so that you don't end up with congestion and issues that could mar the park experience. And it even does step-up authentication.
So when you're entering the park, in addition to the MagicBand, you have to either present an ID or do a biometric. If you're doing payments, just having the MagicBand isn't enough; you actually have to enter a PIN.
So there are a bunch of security features that go into the MagicBand as well.
Now, the technology that goes into this is not something that's gonna be very difficult for most of the folks in this room to figure out. They fundamentally go and do all the five As of identity management, right? Authentication, authorization, administration, analytics, and audit. But if you dissect and really examine what makes the MagicBand so successful, it reveals what I call the four core principles of invisible identity. And those are: understanding context, being adaptive, calm technology, and respect the user. So let's take a look at those.
I think in the identity community we all assume context to be all the information we know about the user, about the person, right? All their attributes, what their transaction history may have been, behavior, location, what devices they're using, all the stuff that we kind of classify as user behavior now. But I'm gonna posit
that context actually needs to change a little bit, from being focused on the user to being focused on the transaction.
So in addition to all that information about the user, we also need to look at the nature of the transaction. What is the risk profile of the transaction? How does that risk profile change between users who do that transaction often versus users who do that transaction once in a while? Understanding the nature of the transaction itself and making that subtle shift enables us to do a very important thing, which is to change the idea of context from being something that typically only gets applied at the time of authentication,
the first time the user interacts with the service, to something that is used throughout their flow when interacting with the service, right? It's that subtle shift that allows us to get to this notion of continuous authentication and continuous risk management, by shifting the focus from the user to the transaction.
And that goes directly into the second aspect, being adaptive. Being adaptive is what allows us to do things like progressive profiling, where we only ask for information from the user when we absolutely need it; where we do things like just-in-time provisioning; where we use things like role-based policy controls or contextual policy controls that are based on behavior and information that you've gathered through your AI systems or analytics systems, et cetera.
The idea of being adaptive basically means that you get to this notion of only doing what you need to do when you need to do it, which minimizes and alleviates this notion of "I need to gather all the information up front, 'cause I never know when I'm gonna need it or what I'm gonna need it for." Being adaptive allows us to be leaner and more agile in our process.
Calm technology is something that probably most people are not familiar with, but it's something that everybody should be.
I think we're all used to this idea that good user experience means that you want to minimize the number of clicks a user has to go through, right? The number of interactions they have to go through. What calm technology says is that you want the user experience to be the least intrusive on the user, requiring the least attention, if you will.
And the idea is that by not taking the user out of the flow that they're engaged in, you basically minimize the disruption to their flow, and therefore minimize how they could get surprised, or have to think about what they're doing, in a way that causes, in some cases, those security breaches to actually occur. Calm technology means that you use things like haptic feedback, for example, or you use subtle cues, in order to guide the user through the process and guide them to making the right choices, without having to have them read a screen or go through this ridiculous notion of "oh, I have to stop what I'm doing and go through a different app and do something else completely."
So I strongly encourage people to go and read up on calm technology, 'cause it really is a mind-shift change in how you design user experiences. And the last one is obviously: respect the user.
We have to remember that at the end of the day, the user, when interacting with your service, is, almost all of the time, trying to do what you want them to do. So let's not make security something that's adversarial in nature, where we always treat the user with suspicion and we always assume that they're a bad actor. Let's try and figure out how we can work with our users, with our end users, with the people that are on the other side of the line, and make them part of the security process.
Again, if you start thinking of it from that perspective, how do we make them part of the security process, a partner in this flow, it actually will almost force you to rethink how you do your security.
And we've seen that a bunch of times. You see that with the MagicBand, where they leverage the emotional needs and the cognitive needs of the people, the parents, in designing their flow. Okay, so that's how they changed it.
Now, Disney of course spent a billion dollars researching, designing, and figuring out the MagicBand experience. Most people here are not gonna be able to spend that kind of money. But if we look at identity technology today, we can see different ways in which we do that. The call center experience: we're all familiar with how bad call center experiences are, where people have to go through this inane list of security questions, lots of PII being exchanged, in order to just try to get the thing that they want done, usually when they're in a hurry
and oftentimes when they're in a position of stress. But if you use identity technology, we can change that, right? If you just enhance your app with a "call me" button, the fact that the app knows the authentication status, knows who the user is, can be leveraged as part of that call center experience. You avoid all of that. You get a faster user experience with the end user; you get a happier response.
You can use a lot of the data, the telemetry data, that's available. Insurance companies can use the fact that, you know, most car accidents happen within a certain distance from the house. That's important telemetry information that you can use when trying to authenticate a user and verify their claims. Online banking: online banking is still extremely frustrating. Usually it still uses just a username and password,
maybe some device fingerprinting, browser fingerprinting, and some backend analytics, but most users are still very frustrated. I think we just heard yesterday that within PSD2 they're still debating when two-factor authentication should be used, because of the usability concerns. But we have all this rich sensor information, biometrics, location, et cetera, that's available to us in our mobile apps. Why are we not using that? We have compute power in the device. We can use all of that to change that in very significant ways.
If you think about the enterprise context, where you have workers sitting at a desk, you know, single sign-on has been a great help in alleviating a big part of the burden that enterprise workers have when they log into systems, but it tends to miss context, right? Has the user stepped up and walked away from their desk?
Did they shift from just email to something that's a highly sensitive application?
The process is still, you know, okay, now I have to go through a different kind of authentication, maybe a different username and password. But we can do better, right? Look at something like the Nymi Band. The Nymi Band uses contact biometrics, and you can use that to figure out whether they've stepped away from the desk. If they're changing context from a low-risk to a high-risk transaction, you can do step-up authentication in real time, and again improve the worker's life. Now, a word about privacy, right?
When you think about privacy, a lot of that stuff about invisible identity relies on a lot of backend data gathering. You're using all this information that's very sensitive about the user.
So, you know, as a privacy wonk, it gives me a little bit of the heebie-jeebies to think about that, right?
That all that stuff is gonna get used. But the pragmatist in me realizes that that's not a box we can close again. We are gonna be using all of that. So we do need to, we have a responsibility to, figure out how to use that. So that goes back to the idea of respect the user: we need to have privacy by design incorporated into our flows, right?
From the very beginning, we need to think about consent mechanisms, in terms of how we appropriately get consent from the end user, not in the way that the Google Docs thing did it, where the user has no idea what's going on, but better ways of expressing consent. IDaaS, the emergence of IDaaS, I argue, is actually a good thing for privacy, because the IDaaS players are big.
The amount of money they have, and what they can do in securing the data and using the data correctly, is way better than what most organizations are able to do.
Maybe not banks, but for almost everybody else, IDaaS is really a better choice, because, as Ian would say, you don't want to be a toxic waste farmer. You don't want to be collecting all this information that is fundamentally not crucial to your business. You'd much rather use an expert at securing that data and using that data to help you facilitate your transactions.
And the last thing I would argue is that privacy is really gonna get helped by this revolution that's happening, that we are on the cusp of. It's something that we're working on at Unica, which is the fact that all this mobile device power that we now have allows us to actually shift the compute for all that data, biometrics and analytics. Instead of aggregating that data on a server, where it needs to be analyzed and becomes a big breach vector, an attractive target for hackers, you do all of that on the device itself.
All of that stuff can go down to the device level, and you really use the power of the device and all that it offers in order to do all of this really strong, invisible-identity-based functionality without actually having to send it to a server, without having to be concerned about all the privacy concerns.
So I would end by making the point that, as Morpheus was saying, invisible identity is all around us. And by leveraging the fact that identity is all around us, we're going to be able to create a world where security and usability will be partners, where you can get great security and great usability at the same time, rather than having them be adversaries. So with that, thank you very much, and I'll take questions.
Thank you, Han. We have a short question.
What context information can you use?
So, I mean, like I said, context needs to shift from just being about identity, which usually is about, you know, who the identity is: attributes, telemetry data like sensor data, like location, biometrics, behavior analytics. That's one part of it. But I think what we don't do as much of is focusing on the transaction piece, and really looking at, okay, how often does this transaction get used?
If, you know, almost all the users use that transaction most of the time, versus there are a few users that use that transaction a lot but others that don't, understand those risk profiles, and then use that information in designing what security is appropriate for that kind of transaction. That's the kind of contextual information you need. It's not just data you can gather from your sensors, but it's also data that you gather by analyzing the transaction system.
We don't really do that much of the second one.
And that's what I believe we need to do a lot more of, because then you'll right-size your security. You'll make sure that the security you're applying for those transactions is the appropriate level. Because fundamentally, people are very intuitive, right? They don't, you know, mix and match different things. They have a very keen sense of whether they're okay with the kind of security you're offering for the transaction they're going through, and they try to match it as well. So you are looking at it from a security-wonk perspective and saying, well, this transaction is high risk,
and so therefore I need to have these three factors. But the person's looking at it: this is something I do in my daily life, I don't need three factors for this, the security's too difficult. So you have to match it with their expectation as well, in terms of what they perceive the risk to be. So that's what I mean. Thank you very much. Thank you. Thanks.
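The transaction-centric context the speaker describes (in the talk, and again in the answer above) can be made concrete as a small policy engine, given here as an added illustration that is not part of the transcript and not code from the speaker or his company. It scores every transaction from two inputs: the user-side context that identity systems already collect (known device, usual location, age of the last explicit authentication, a continuous presence signal such as a wearable), and the transaction's own risk profile, including how routine that transaction is for this particular user. Because the score is computed per transaction rather than once at login, the required step-up follows the user through the flow. The transaction types, point weights, thresholds, user names and history are all constructed assumptions chosen for illustration.

```python
"""Transaction-centric adaptive authentication (constructed example).

Each action is scored from two kinds of context: what is known about the user
and session, and the risk profile of the transaction itself, adjusted for how
routine it is for this user. The score is evaluated on every transaction, not
only at login, so step-up decisions follow the user through the flow. All
transaction types, weights, thresholds and sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Inherent sensitivity of each transaction type (assumed values, 1 = lowest).
TXN_SENSITIVITY = {
    "view_balance": 1,
    "pay_known_payee": 2,
    "add_payee": 4,
    "wire_transfer": 5,
}


@dataclass
class SessionContext:
    """User-side context: signals identity systems already collect."""
    user: str
    device_known: bool        # device previously bound to this account
    location_usual: bool      # inside the user's usual geography
    minutes_since_auth: int   # age of the last explicit authentication
    presence_ok: bool         # continuous signal (e.g. wearable) still asserts presence


class TransactionHistory:
    """Per-user counts of completed transactions: data gathered by analysing
    the transaction system rather than the user's sensors."""

    def __init__(self):
        self._counts = {}

    def record(self, user, txn_type, times=1):
        self._counts.setdefault(user, Counter())[txn_type] += times

    def frequency(self, user, txn_type):
        return self._counts.get(user, Counter())[txn_type]


def user_context_risk(ctx):
    """Risk contributed by the session: each missing assurance adds points."""
    risk = 0
    if not ctx.device_known:
        risk += 2
    if not ctx.location_usual:
        risk += 1
    if ctx.minutes_since_auth > 30:
        risk += 1
    if not ctx.presence_ok:
        risk += 2
    return risk


def transaction_risk(txn_type, amount, user, history):
    """Risk of the transaction itself, adjusted for how routine it is for this user."""
    risk = TXN_SENSITIVITY[txn_type]
    seen = history.frequency(user, txn_type)
    if seen >= 5:
        risk -= 1        # routine for this user: less friction
    elif seen == 0:
        risk += 2        # first time this user does it: more scrutiny
    if amount >= 1000:
        risk += 1
    return max(risk, 0)


def decide(ctx, txn_type, amount, history):
    """Return (score, required_step) for one transaction in the flow."""
    score = user_context_risk(ctx) + transaction_risk(txn_type, amount, ctx.user, history)
    if score <= 3:
        return score, "allow"        # invisible: no challenge at all
    if score <= 6:
        return score, "pin"          # light step-up
    return score, "biometric"        # strong step-up


def build_sample_history():
    """Constructed history: alice checks balances and pays known payees often
    and has never wired money; bob wires money routinely."""
    h = TransactionHistory()
    h.record("alice", "view_balance", 40)
    h.record("alice", "pay_known_payee", 12)
    h.record("bob", "wire_transfer", 20)
    return h


if __name__ == "__main__":
    history = build_sample_history()
    trusted = dict(device_known=True, location_usual=True, minutes_since_auth=5, presence_ok=True)
    alice = SessionContext("alice", **trusted)
    bob = SessionContext("bob", **trusted)
    # Same session context; the transaction and the user's habits decide the challenge.
    print(decide(alice, "view_balance", 0, history))        # (0, 'allow')
    print(decide(alice, "wire_transfer", 5000, history))    # (8, 'biometric')
    print(decide(bob, "wire_transfer", 5000, history))      # (5, 'pin')
    # Context changed mid-flow: alice's wearable no longer asserts presence and
    # the session is stale, so even a routine payment gets a light challenge.
    stale = SessionContext("alice", device_known=True, location_usual=True,
                           minutes_since_auth=45, presence_ok=False)
    print(decide(stale, "pay_known_payee", 50, history))    # (4, 'pin')
```

The point of the two wire-transfer calls is the one made in the answer above: the same transaction from the same kind of session gets a biometric challenge for a user who has never done it and only a PIN for a user who does it every week, so the friction matches what each user would expect. The last call shows the continuous side: nothing about the transaction changed, only the session context did, and the decision is re-evaluated at that moment instead of at login.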