Vlog: Appless Authentication

Rohan Pinto

1Kosmos CTO, Rohan Pinto, and CMO, Michael Cichon, discuss appless authentication in this recent vlog.

Michael Cichon:
All right, welcome Rohan Pinto, chief technology officer at 1Kosmos. It’s great to have you back. I appreciate you taking time.

Rohan Pinto:
Thank you, Michael.

Michael Cichon:
You want to talk about app-less authentication today, but before we jump into that, I’d like to take a step back and just talk about the ways that users authenticate today remotely. Can you just touch on that first?

Rohan Pinto:
Okay, excellent. Thank you, Michael. Thank you for having me back. Now, it’s been defacto standards for a very, very long time that people have been used to using user IDs and passwords, but when it comes up to remote connections or VPNs, a simple username and password wouldn’t suffice, and people wanted to have some kind of strong authentication and they would supplement that with MFA’s like a security token, a one-time token, sometimes wire SMS, or via email. And that’s the best the industry has come up with so far in order to be able to secure remote access within an enterprise. And that’s been the way it is for, I would say over 10 years.

Michael Cichon:
Right, so then we moved to biometric authentication.

Rohan Pinto:
Correct.

Michael Cichon:
And the different ways of biometric authentication are what?

Rohan Pinto:
Right. So then came biometrics, right? So the first biometrics that people would adopt was the fingerprint. And it all started with Apple launching its Touch ID on its mobile device. And then you have laptops that actually had biometric devices embedded onto them. So the first biometric that people tried to adopt is the fingerprint user fingerprint to unlock and authenticate into a system. And later on, as things advanced or progress, people started using things like Face ID to authenticate as well. But the problem with that approach is that both with Touch ID, or Face ID, or fingerprint, or face is that there’s absolutely no assurance that the person who’s authenticating on the other end of the line is the person who you intend to let into your platform or into your system. So while biometrics were being adopted, there always was a challenge of actually associating the biometrics with the actual person who’s trying to authenticate into the platform.

Michael Cichon:
Okay. So then how do we solve for that?

Rohan Pinto:
So what’s very important to understand when it comes up to using biometrics is that you cannot just hope that the biometrics that are registered belong to the person. You need to have some valid proof, some valid assurance that the biometrics actually belong to the person that you’re letting onto your platform. For example, on my phone, I’ve got my fingerprint enrolled, I’ve got my kids’ fingerprints enrolled. So now if my kid uses my fingerprint, her fingerprint to access any platform, the system might think that it is me trying to authenticate, but it’s not me. So the way one could solve it as by actually binding identity to the biometrics where you actually let a person walk through a certain series of processes or steps and prove himself, or rather verify that his identity is actually his and then associate biometrics with that identity.

Rohan Pinto:
There is also something called his Live ID, like at 1Kosmos, while we do support fingerprint and face ID, we have got something called his Live ID where we actually detect that the person is a real person. We do a whole bunch of depth calculations on the face to ensure that the nose and the ears are not on the same plane. We do a little bit of math. We’ve got a bit of AI guarded things that ensure that it’s a real 3D person and not a recording of another video or not a photograph that is being used to mimic a person. And these biometrics are actually bound to a verified identity that is registered on the platform, which now gives us the assurance that the person authenticating is really Rohan Pinto and not somebody else altogether.

Michael Cichon:
Okay. So now we have essentially a live selfie that kind of defeats facial spoofing. We have this live, let’s call it a Live ID bound to an identity. And we then have a mobile application that you use to basically do this live metric, and then authenticate. But we’re now introducing app-less authentication. So what does that mean?

Rohan Pinto:
So when it comes up to, when we are talking about app-less authentication is that people have got a lot of apps on their phone. There are tons of apps. And people find it sometimes difficult to pull out a phone, authenticate to the phone, then search for the app that they need, launch the app, authenticate into the app, and then use that app to authenticate onto a system made web or an IOT device.

Rohan Pinto:
Now, what app-less authentication brings into the picture is that you use your normal phone’s camera to let’s say, scan a QR code on a website. And it launches the web app on the browser of the phone itself. Today, the phone browsers do have access to the camera and to the device biometrics, and with technologies like FIDO2, because FIDO2 is built into iOS and Android devices. So we leverage FIDO2 capabilities that are on the device to actually authenticate the user and bind that particular user to an identity that’s stored in the platform before letting him into the platform. So the whole app-less experience makes it very seamless. It’s zero footprint, there’s zero code, there’s zero apps that need to be deployed and the user can use his real device to authenticate into a system and services.

Michael Cichon:
It sounds very futuristic. No application on the phone, I’m just scanning a QR code with the phone camera, it’s accessing the browser and it’s performing a black box magic is what it sounds like. Does this work on all devices, on all phones, or just special phones?

Rohan Pinto:
It actually works on all phones that are, I would say manufactured after 2008. There are some legacy phones where FIDO2 is not enabled on the device. So yes, the industry is moving forwards in terms of FIDO2 adoption as well. So as the industry adopts more of those standards, Apple has already adopted it, Google has already adopted it. I mean, all devices today do have FIDO2 capabilities. But yes, if you’re looking at devices that were manufactured, let’s say before 2005, it might not have FIDO2 capabilities, but you still have the ability of authenticating using something called as Live ID, which is not really FIDO2 based strong authentication, it’s Live ID based authentication. But the actual value prop is when you add Live ID to FIDO.

Michael Cichon:
Got it. Okay. All right, so when is this capability available?

Rohan Pinto:
It’s… Sorry. Did you say when or where?

Michael Cichon:
When.

Rohan Pinto:
Okay, so this capability is available on our platform today and it’s not just us. There are a lot of other vendors out there as well that do offer FIDO2 capabilities, and app-less authentication and the systems and things. But the differentiator between our app-less experience and the others is that it’s not just a FIDO token or authenticating a token. We actually bind that particular FIDO token to a verified identity, so the system that you’re accessing is not just secured using strong authentication, it’s secured using a combination of strong authentication plus a verified identity.

Michael Cichon:
It’s pretty amazing technology, Rohan. You seem to have outdone yourself once again. Is there anything to add before we wrap this up?

Rohan Pinto:
Well, I mean, FIDO is growing. The industry is adopting it, but while organizations are adopting the standards, it’s always important to remember that we do not want to authenticate a “token” because the token can be any token. What’s very important for us to remember is that that strong authentication mechanism that you have, be it a FIDO key, a USB key, be it an app-less experience on your phone, you need to have the assurance that that particular token is bound to a real verified individual before you let that individual access your systems because you, what you’re trying to protect is not the access point. What you’re trying to actually protect is your data. It’s the systems, and the data, and the assets that you have within an organization. So if you don’t guard your front door and you do not know that it is actually Rohan Pinto that’s trying to log into the system, but rather a token, you are exposing your assets and your data out to breaches. So it is really important to ensure that with strong authentication, you also verify real identities before letting them onto your platform.

Michael Cichon:
That’s really amazing. You know, we’ve heard for a while that identity is becoming the new security perimeter. This sounds like it is finally the ushering in of identity into the perimeter. So congratulations on the new capability. Really a pleasure talking today. I appreciate you taking time.

Rohan Pinto:
Excellent. Thank you, Michael. It was a pleasure talking to you as well.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Rohan Pinto

Co-founder of 1Kosmos

Rohan is the co-founder of 1Kosmos. He is a go-to security and identity management expert and the founder of several businesses that have made considerable advancements in blockchain and identity management.