Event Recording
Practicalities of Identity Proofing for Authentication
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Oh, I'm glad I can join. Even though I'm at the other side of the border in the Netherlands, I would've loved to be there meeting a lot of ity, but unfortunately that's not possible, but I am able to give my presentation. And what I wanted to share with you is some of the practicalities that we found on identity proofing and things you encounter when you move from a physical to a digital process there. However, before I go into the presentation, I wanna give a brief introduction of myself as introduced. I'm working at Rabobank, which is one of the three largest banks in the Netherlands. Up until 1st of April, I was indeed lead product manager, but now we, we changed the positions and roles. So at the moment, I'm the product owner for everything related to authentication for our workforce. And my second job that I'm working on is with the university of Liden, where I'm looking into the more academical aspects of digital identity and the ethics of it.
So the freedom of digital identity and the interesting part is that around this topic of identity proofing, these two things really blend well together. And what we do at Rabobank at the moment is looking at the authentication solution landscape that we're having. And that is under a continuous attack. There are also continuous developments in that area. So we also continually need to refu that landscape, the solutions that we have and whether they're still sufficient or not. And when you think about authentication, that's about access, making sure the right digital identity is getting given access to the network, the environment, the data, the applications, the, the cloud-based workloads, et cetera. But if you stop to think about it at the foundation of that whole digital access is the notion of identity. And what we've seen in, in practice already is that also the bad guys are targeting that at an increasingly level.
So initially a lot of the attacks were at the systems and the servers looking for the data, and we knew authentication was under a tech. I think that has spiked over the past couple of years. I've other presentations on topics like MFA bombing and those type of threats, but actually you can even bypass the authentication part, if you can hack the identity part. And that's where identity proofing comes into play. So thinking about this topic, it's a bit like following those digital bread crumbs. And when I was preparing, I was thinking, yeah, then, then you find the baker. Let's thinking about that any further, the analogy does not really work because if I buy a bread and I'm eating it and I leave bread crumbs, then you actually find the buyer, but maybe it's the consumer and it might even be a bot using a breadth.
So, so going to that source of digital access through the lines of digital identity is on the one hand, a nice conceptual exercise, but also as practical realities. So I wanna start off with that concept and then go into the practicalities of it and to illustrate that I'm gonna use this picture of a tree, it's a Duana Casta tree or elephant air tree. That's because the seed pots have the shape of, of what they think is an elephant air. And this grows in, in Northern parts of Latin America. And I'm using this because it kind of illustrates that these digital identities that we have are kind of the, the fruits of digital life or the, the digital benefits that we can think of. And they're quite a lot, they're personal, they're professional. And in various contexts, I can have these digital identities and they're always in relation in relation to other digital identities of others in relation to specific phone.
And there are some special ones that are even a bit more pervasive on, on the platform level. And as you can see, this three could also go for an apple tree because there is the apple hanging from one of the branches. All these digital identities can sometimes be trusted. Sometimes they're also not that trustworthy. So they're quite, quite weak a lot of the time. And that is because these digital identities are actually a representation of my physical identity. Now maybe for some in the personal area, the relation is not that important. But when I work at Rabobank, that relationship is actually quite important because Rabobank is a bank regulated organization. So they need to take care of some specific duties with regards to their personnel, their access and their digital identities. So this physical identity that I have with a national identity document or an identification document, like a passport, we are working on, on getting that into the digital realm as well.
So in the Netherlands, there are a few examples, like the day you have the bank ID in the Nordics, and actually a lot of countries are, are figuring this out because we have all these digital identities we have in most cases, a physical identity and a document. But the link between them is what carries the tree. And if we don't have the stem, if we don't have the trunk of the tree, then it will just be floating around and it will blowing away with the wind. So that's why this presentation is about this link from physical identity to digital identity in the context of an organization, employee relationship.
And in that context, this is the simple context that I always draw when we're discussing this internally, it's important to distinguish that there's a user that comes to the office every day. While nowadays, sometimes the past couple of years, he's been sitting at home in the epic like me, and he opens his laptop and he accesses applications and data to, to work with. And in terms of what happens there, you see that the authentication and I was able to follow part of the previous conversation on continuous authentication. You see that authentication is quite heavily in the picture at the moment, because if you can bypass the authentication, it doesn't really matter where, where the access is granted or not, because you can authenticate as this user. There's also a lot of developments in this area, continuous authentication, risk-based authentication, strong multifactor indeed just mentioned in the final Alliance, the, the, some of the big tech platforms are, are joining forces there.
So that's a good development because with strong authentication, you can also get more assured login and protection of your data. But if you don't want to bypass the authentication, you need to look at the identity proofing because that's where the tree starts to grow. That's where the roots go into the ground. That's where the connection is to actually knowing who is authenticating towards your data, applications and systems. So it is proving in our case starts off. When somebody joins the joints, the bank as a, a new hire, join our staff. And within our HR administration, this person is registered based on his contract and he gets in the, in the directory. And that can be a Workday type of solution to list all the employees. And from that administration, this employee starts with the, the identity proofing, because we wanna give him an authentication means an authentication solution that he or she can use to log him and do whatever this employee needs to do on a daily basis.
So the identity proofing starts off with an invitation to this person. We ask our employees to come into the office, bring their identification documents, and at the office, this document gets verified. So we know for sure that it's an actual passport, not a fake one or an actual driver's license. And then we match this person with the documents usually based on biometrics. And so the picture of your image in this case, and implicitly in the physical process, the life finish check is done. So we notice this person is breathing he's alive by matching the person. We also know that he's not holding a picture in front of his face of the person in the document, and that gives a result. And based on that result, we know that this is actually person a and not person B. And that goes back into the issuing of authentication means where the identity gets matched.
And if this person who is actually person a is also in our HR administration, then we initially bind and register an authentication solution. So this is the kind of the conceptual steps that we go through when somebody is onboarded signed a contract and a month or two months later is asked to come into the office to get initialized for their digital identity and that digital identity then results in an account and authentication solution connected to that account and the accounts connected to his HR administration. And with that, the next step obviously would be to step into authorization management and get the right business roles, the right authorizations, but that's something for a different topic, different presentation.
So to make it a little bit more clear, what happens there is they, we send out the invitation by email. People come in with a passport and they come into our office where there's a guard at the desk, and he has some readers to validate the document validity, but also to issue authentication means. And this guard does the verification of the document, the matching of the person and that's green or a red result. And then this guard also verifies matches the identity to our administration and gives the person a thing which can be a token or a smart cart or an approval button in the step to install an app on your phone, for example. And that gets registered in the directory. So this is the, the physical identity proofing process.
And the interesting thing here is that this, this works for years already. I recognized the, this process mostly because I also went through it over five years ago already. And there was one thing that I noticed there. And this morning I was at the, the guard, the physical security desk to, to check some things. And I found out that they still had this one. And this is one of these practical things that you don't really read up in the books. And if I would've been in the room with you guys, I would've asked a couple of people. Do you have any idea what it is and specifically what these awkward things are, but because I'm not in the room, I'm gonna give it away immediately. This is the, the number keypad extension. So basically use B connected device that extends your number keypad. And why is that necessary?
What is it used for during the initialization phase of a smart card in this case? So if you use a smart card for authentication, it needs to be protected by a pin and the user can select his own pin, but it's very cumbersome to move the keyboard back and forth between the desk and the person. So there's this non log extension that goes to the new employee. And when the smart card is initialized, they have the new employee submit your pin. You can select one yourself. Of course, there's some minimum criteria and you need to enter it twice. And what happened in the past that they used an application there, and it was an application that responded to the enter button. So what happened in that case that the user needs to enter the first pin, then the guards need needed to move the blinking cursor to the second box for the second time entering the same pin.
But a lot of users just hit the enter button because they thought I need to enter it twice. Number one, enter twice enter. But every enter meant that the application would move onto the next screen and would give an error message because the second field would be empty, then they needed to restart the whole process again. And what they found out in practice is that you can still tell people not to push that enter button, not to hit that button. Also not to hit the double zero button because it's a lock pad extension also used for cashiers. Yeah. So Euro figures ending at.zero zero is where the double zero button is, is available. So they decided to remove these buttons as physically as possible from this device to make sure that a, they don't need to give the user the instruction, not to use these buttons, but also to avoid any problems by users who are still hitting these buttons.
And that is because this is a process that at the first and the 15th of the month has a peak load and then needing to spend 30 seconds or a minute on, on restarting. A pin entry process is really, is really cumbersome in that process and, and, and really gives delays. So, so this is one thing that I wouldn't have thought of it develops in practice. You find it in practice, and then you think about, okay, so how are we gonna digitize that? Is that application still moving to the next screen upon enter? Or did we change that already? But the, the digitization of this process is then the next topic of thing. And if, if we talk about digitization of these type of processes, they're typically the promises that, well, if we can do this digitally, then somebody does not need to come into the office.
They can do it from the couch at home. And that also means that in the office, we don't need a lot of security guards who know how to check a document who can initialize an authentication solution. So that's also a benefit there. Another benefit is that this person at home can do this at nine in the evening, where if you need to come into the office, that's during office hours. So there's more flexibility there. And if it goes well, it's super fast, you can use your mobile for it. And of course, talking about the HR administration before relying on the entries of personnel, there, there's the promise also that we can integrate that we can even improve the employee experience there by registering initially doing all your job application interviews, getting the job, signing the contract identity, proving for authentications solutions, and then logging in is almost fully pleasant, digital employee experience.
And that is something that's that we're actually in the midst of. So looking at this process again, if we are doing digital, now we see that the part that we are looking at now is to have the digital version of this guard at the desk, with the readers, the, the new employee still needs to be contacted somehow. So they're being invited to start the onboarding, the identity proofing, they still need that passport or an identity document, but it's now supported by either a, a Porwal or a third party or a combination of it. Sorry. And that means that through this ordination of a Porwal together with a third party, this user starts up, the process uses an and if she enabled smartphone to read his identity document, or at least that's the case in the Netherlands, then with that, he can take a selfie to do the liveliness check, because that is something that happened implicitly in the physical process. But we now need to Ize that to make sure that it's a proper document, that the person matches the document and that the person is actually alive and not the, the picture from the person that matches the document. And then that can be then taken further in that process to match that again, automated against the HR registration, ask the user to install an app on his phone, or insert a device for local initialization. The thing that I mentioned before, and then that gets registered.
There are however, quite some practicalities that come into play here. So this, this would be the happy flow. And it's an addition to the physical process. So some of the practical questions that I wanted to share with you that we ran into, and some of them we've already been able to answer, not all of them, but the sex, for example, the, the first one, similar as to initializing an authentication solution in this, the basic question is how do you get started without having any shared secrets? How do you share a secret? So in this case, how do we invite this employee to start this process? And is that something that, for example, HR has registered during the hiring process, can we reuse that information of this person? Another one is the type of passports. And also this morning I asked, you know, what, what happens if, if I have a dual nationality, for example, and I, I get hired based on my, I don't know, German national ID document, but I also have a Dutch national ID document. And I bring that to the office. And I actually said, well, that's can happen. Actually, the, the, the global coverage of passports is one challenge, all the different identification documents globally, and another challenge, sorry,
Kind of running over quite a lot. Check. Can I please ask you to wrap up?
Yeah, sure. Please. Well, I'm then I'm not gonna go through all of the practical questions, but you need to think about devices. Non-digital enabled employees, how to build this process. Also make sure that the fallback is in place. And there are some other questions. Well, the why blockchain, I will skip that one because I understood if you had some blockchain sessions yesterday as well. And I think it's good to be aware that this it's another channel. It does not cover every use case. So you still need the physical backup. It has the personal data aspect. So be very cautious about how you treat that the third parties, I didn't go into detail there, but it's, it's good to select them wisely. And it's also, if you go fully digital and do not have a physical backup, you're gonna exclude people. So it's also about inclusivity. So with that, I was open to questions, but I can understand that if I ran overtime, then it's probably good to wrap up. Yeah.
I'm sorry. Thanks very much. Hang bye. Bye.
So the freedom of digital identity and the interesting part is that around this topic of identity proofing, these two things really blend well together. And what we do at Rabobank at the moment is looking at the authentication solution landscape that we're having. And that is under a continuous attack. There are also continuous developments in that area. So we also continually need to refu that landscape, the solutions that we have and whether they're still sufficient or not. And when you think about authentication, that's about access, making sure the right digital identity is getting given access to the network, the environment, the data, the applications, the, the cloud-based workloads, et cetera. But if you stop to think about it at the foundation of that whole digital access is the notion of identity. And what we've seen in, in practice already is that also the bad guys are targeting that at an increasingly level.
So initially a lot of the attacks were at the systems and the servers looking for the data, and we knew authentication was under a tech. I think that has spiked over the past couple of years. I've other presentations on topics like MFA bombing and those type of threats, but actually you can even bypass the authentication part, if you can hack the identity part. And that's where identity proofing comes into play. So thinking about this topic, it's a bit like following those digital bread crumbs. And when I was preparing, I was thinking, yeah, then, then you find the baker. Let's thinking about that any further, the analogy does not really work because if I buy a bread and I'm eating it and I leave bread crumbs, then you actually find the buyer, but maybe it's the consumer and it might even be a bot using a breadth.
So, so going to that source of digital access through the lines of digital identity is on the one hand, a nice conceptual exercise, but also as practical realities. So I wanna start off with that concept and then go into the practicalities of it and to illustrate that I'm gonna use this picture of a tree, it's a Duana Casta tree or elephant air tree. That's because the seed pots have the shape of, of what they think is an elephant air. And this grows in, in Northern parts of Latin America. And I'm using this because it kind of illustrates that these digital identities that we have are kind of the, the fruits of digital life or the, the digital benefits that we can think of. And they're quite a lot, they're personal, they're professional. And in various contexts, I can have these digital identities and they're always in relation in relation to other digital identities of others in relation to specific phone.
And there are some special ones that are even a bit more pervasive on, on the platform level. And as you can see, this three could also go for an apple tree because there is the apple hanging from one of the branches. All these digital identities can sometimes be trusted. Sometimes they're also not that trustworthy. So they're quite, quite weak a lot of the time. And that is because these digital identities are actually a representation of my physical identity. Now maybe for some in the personal area, the relation is not that important. But when I work at Rabobank, that relationship is actually quite important because Rabobank is a bank regulated organization. So they need to take care of some specific duties with regards to their personnel, their access and their digital identities. So this physical identity that I have with a national identity document or an identification document, like a passport, we are working on, on getting that into the digital realm as well.
So in the Netherlands, there are a few examples, like the day you have the bank ID in the Nordics, and actually a lot of countries are, are figuring this out because we have all these digital identities we have in most cases, a physical identity and a document. But the link between them is what carries the tree. And if we don't have the stem, if we don't have the trunk of the tree, then it will just be floating around and it will blowing away with the wind. So that's why this presentation is about this link from physical identity to digital identity in the context of an organization, employee relationship.
And in that context, this is the simple context that I always draw when we're discussing this internally, it's important to distinguish that there's a user that comes to the office every day. While nowadays, sometimes the past couple of years, he's been sitting at home in the epic like me, and he opens his laptop and he accesses applications and data to, to work with. And in terms of what happens there, you see that the authentication and I was able to follow part of the previous conversation on continuous authentication. You see that authentication is quite heavily in the picture at the moment, because if you can bypass the authentication, it doesn't really matter where, where the access is granted or not, because you can authenticate as this user. There's also a lot of developments in this area, continuous authentication, risk-based authentication, strong multifactor indeed just mentioned in the final Alliance, the, the, some of the big tech platforms are, are joining forces there.
So that's a good development because with strong authentication, you can also get more assured login and protection of your data. But if you don't want to bypass the authentication, you need to look at the identity proofing because that's where the tree starts to grow. That's where the roots go into the ground. That's where the connection is to actually knowing who is authenticating towards your data, applications and systems. So it is proving in our case starts off. When somebody joins the joints, the bank as a, a new hire, join our staff. And within our HR administration, this person is registered based on his contract and he gets in the, in the directory. And that can be a Workday type of solution to list all the employees. And from that administration, this employee starts with the, the identity proofing, because we wanna give him an authentication means an authentication solution that he or she can use to log him and do whatever this employee needs to do on a daily basis.
So the identity proofing starts off with an invitation to this person. We ask our employees to come into the office, bring their identification documents, and at the office, this document gets verified. So we know for sure that it's an actual passport, not a fake one or an actual driver's license. And then we match this person with the documents usually based on biometrics. And so the picture of your image in this case, and implicitly in the physical process, the life finish check is done. So we notice this person is breathing he's alive by matching the person. We also know that he's not holding a picture in front of his face of the person in the document, and that gives a result. And based on that result, we know that this is actually person a and not person B. And that goes back into the issuing of authentication means where the identity gets matched.
And if this person who is actually person a is also in our HR administration, then we initially bind and register an authentication solution. So this is the kind of the conceptual steps that we go through when somebody is onboarded signed a contract and a month or two months later is asked to come into the office to get initialized for their digital identity and that digital identity then results in an account and authentication solution connected to that account and the accounts connected to his HR administration. And with that, the next step obviously would be to step into authorization management and get the right business roles, the right authorizations, but that's something for a different topic, different presentation.
So to make it a little bit more clear, what happens there is they, we send out the invitation by email. People come in with a passport and they come into our office where there's a guard at the desk, and he has some readers to validate the document validity, but also to issue authentication means. And this guard does the verification of the document, the matching of the person and that's green or a red result. And then this guard also verifies matches the identity to our administration and gives the person a thing which can be a token or a smart cart or an approval button in the step to install an app on your phone, for example. And that gets registered in the directory. So this is the, the physical identity proofing process.
And the interesting thing here is that this, this works for years already. I recognized the, this process mostly because I also went through it over five years ago already. And there was one thing that I noticed there. And this morning I was at the, the guard, the physical security desk to, to check some things. And I found out that they still had this one. And this is one of these practical things that you don't really read up in the books. And if I would've been in the room with you guys, I would've asked a couple of people. Do you have any idea what it is and specifically what these awkward things are, but because I'm not in the room, I'm gonna give it away immediately. This is the, the number keypad extension. So basically use B connected device that extends your number keypad. And why is that necessary?
What is it used for during the initialization phase of a smart card in this case? So if you use a smart card for authentication, it needs to be protected by a pin and the user can select his own pin, but it's very cumbersome to move the keyboard back and forth between the desk and the person. So there's this non log extension that goes to the new employee. And when the smart card is initialized, they have the new employee submit your pin. You can select one yourself. Of course, there's some minimum criteria and you need to enter it twice. And what happened in the past that they used an application there, and it was an application that responded to the enter button. So what happened in that case that the user needs to enter the first pin, then the guards need needed to move the blinking cursor to the second box for the second time entering the same pin.
But a lot of users just hit the enter button because they thought I need to enter it twice. Number one, enter twice enter. But every enter meant that the application would move onto the next screen and would give an error message because the second field would be empty, then they needed to restart the whole process again. And what they found out in practice is that you can still tell people not to push that enter button, not to hit that button. Also not to hit the double zero button because it's a lock pad extension also used for cashiers. Yeah. So Euro figures ending at.zero zero is where the double zero button is, is available. So they decided to remove these buttons as physically as possible from this device to make sure that a, they don't need to give the user the instruction, not to use these buttons, but also to avoid any problems by users who are still hitting these buttons.
And that is because this is a process that at the first and the 15th of the month has a peak load and then needing to spend 30 seconds or a minute on, on restarting. A pin entry process is really, is really cumbersome in that process and, and, and really gives delays. So, so this is one thing that I wouldn't have thought of it develops in practice. You find it in practice, and then you think about, okay, so how are we gonna digitize that? Is that application still moving to the next screen upon enter? Or did we change that already? But the, the digitization of this process is then the next topic of thing. And if, if we talk about digitization of these type of processes, they're typically the promises that, well, if we can do this digitally, then somebody does not need to come into the office.
They can do it from the couch at home. And that also means that in the office, we don't need a lot of security guards who know how to check a document who can initialize an authentication solution. So that's also a benefit there. Another benefit is that this person at home can do this at nine in the evening, where if you need to come into the office, that's during office hours. So there's more flexibility there. And if it goes well, it's super fast, you can use your mobile for it. And of course, talking about the HR administration before relying on the entries of personnel, there, there's the promise also that we can integrate that we can even improve the employee experience there by registering initially doing all your job application interviews, getting the job, signing the contract identity, proving for authentications solutions, and then logging in is almost fully pleasant, digital employee experience.
And that is something that's that we're actually in the midst of. So looking at this process again, if we are doing digital, now we see that the part that we are looking at now is to have the digital version of this guard at the desk, with the readers, the, the new employee still needs to be contacted somehow. So they're being invited to start the onboarding, the identity proofing, they still need that passport or an identity document, but it's now supported by either a, a Porwal or a third party or a combination of it. Sorry. And that means that through this ordination of a Porwal together with a third party, this user starts up, the process uses an and if she enabled smartphone to read his identity document, or at least that's the case in the Netherlands, then with that, he can take a selfie to do the liveliness check, because that is something that happened implicitly in the physical process. But we now need to Ize that to make sure that it's a proper document, that the person matches the document and that the person is actually alive and not the, the picture from the person that matches the document. And then that can be then taken further in that process to match that again, automated against the HR registration, ask the user to install an app on his phone, or insert a device for local initialization. The thing that I mentioned before, and then that gets registered.
There are however, quite some practicalities that come into play here. So this, this would be the happy flow. And it's an addition to the physical process. So some of the practical questions that I wanted to share with you that we ran into, and some of them we've already been able to answer, not all of them, but the sex, for example, the, the first one, similar as to initializing an authentication solution in this, the basic question is how do you get started without having any shared secrets? How do you share a secret? So in this case, how do we invite this employee to start this process? And is that something that, for example, HR has registered during the hiring process, can we reuse that information of this person? Another one is the type of passports. And also this morning I asked, you know, what, what happens if, if I have a dual nationality, for example, and I, I get hired based on my, I don't know, German national ID document, but I also have a Dutch national ID document. And I bring that to the office. And I actually said, well, that's can happen. Actually, the, the, the global coverage of passports is one challenge, all the different identification documents globally, and another challenge, sorry,
Kind of running over quite a lot. Check. Can I please ask you to wrap up?
Yeah, sure. Please. Well, I'm then I'm not gonna go through all of the practical questions, but you need to think about devices. Non-digital enabled employees, how to build this process. Also make sure that the fallback is in place. And there are some other questions. Well, the why blockchain, I will skip that one because I understood if you had some blockchain sessions yesterday as well. And I think it's good to be aware that this it's another channel. It does not cover every use case. So you still need the physical backup. It has the personal data aspect. So be very cautious about how you treat that the third parties, I didn't go into detail there, but it's, it's good to select them wisely. And it's also, if you go fully digital and do not have a physical backup, you're gonna exclude people. So it's also about inclusivity. So with that, I was open to questions, but I can understand that if I ran overtime, then it's probably good to wrap up. Yeah.
I'm sorry. Thanks very much. Hang bye. Bye.
Stay Connected
Related Videos
How can we help you