Better Business With Smooth and Secure Onboarding Processes
Video Transcript
Anne Bailey:
Hello and welcome to today's webinar. I'm really pleased to welcome you to our topic today. We're going to be looking at smooth and secure onboarding processes and how this can lead to better business. With me today, I have Mike Engle, he is the Chief Strategy Officer of 1Kosmos, and I'm Anne Bailey, I'm a senior analyst and research strategy director at KuppingerCole Analysts. I have a few notes for you before we get started with the webinar today. First is the audio control. You can relax. We are taking care of the audio from our side, so you are muted centrally. You don't need to worry about controlling this. But despite that, we do have a question and answer session. The way you can participate in that is by submitting your questions in the go-to webinar panel, you'll find a menu called questions. Send those in at any point during the presentations today.
I will receive those and I will moderate those at the end of the session. So please don't hesitate to send in your questions. In addition to that, we also have some polls scattered throughout the presentation. At various points, we'll request for your opinions, your experience, and you can submit those and we'll look at the results at the end of the session during the Q and A part. And finally, you will have access to this recording and to the slide decks that you see today. So those will be made available to you in the next days.
With that, back to our topic, looking at smooth onboarding processes, we want to build the foundation and bring you to some concrete solutions here. And so this will proceed as follows, I will open today with the foundation of what is behind a smooth onboarding process, at least from KuppingerCole's opinion. One very important part being identity verification and how this can be very seamlessly integrated in and I'll look at this from a few different points and then I'll hand it over to Mike and he'll take it on further. So with that, we're going to begin with a poll. You might have heard that we view identity verification as a very key part to smooth onboarding processes in a particular level of assurance.
And so I'd like to ask, have you personally used a remote identity verification solution? Yes or no? I'll allow about 30 seconds for this. Let's continue. Thank you for your participation here and I'm going to begin the webinar probably with the most densely packed slide that you have to work through, but that means the worst is over at the beginning. What you're looking at here is what we call the KuppingerCole identity fabric. And in a moment, I'll get into why we call it that, but the message here behind it, taking a step back from the onboarding processes, is that digital identity is at the center of the people journey, the way that people pass through your organization to access digital services, to access legacy applications, to access infrastructure platforms backend, no matter who they are. If we're talking about consumers, customers, partners, workforce, you can see this list here along the left side of this diagram. Digital identity is the vehicle that allows them to move seamlessly through your organization.
Now, that can begin at onboarding, and that's where we use this diagram to hone in on what do we need out of an onboarding process. When digital identity is this vehicle that allows them to seamlessly pass through everything, we need a good quality of information coming in, something that we can make good decisions on, that we can use this high quality of information to inform our dynamic policy decisions, our access management decisions, things of this nature. And so using this idea of an identity fabric, something which is woven together to allow everybody, this list of people on the left to access everything, the services you see along the top, also the legacy applications you see along the bottom and all of these infrastructure aspects you see along the right side, everybody to access everything anytime from any device anywhere.
This is quite a feat and requires an interwoven highly connected fabric approach. We use this word very intentionally, but instead of focusing on the entire journey throughout the people's life cycles or these different roles, we're going to focus particularly on onboarding. How can we use onboarding to build a digital identity that is functional and can deliver these fabric aspects throughout the whole life cycle?
And that's what I'd like to bring us to in the next concept. We're not talking about just any digital identity, any digital representation of identity attributes, but we need there to be a certain quality behind that. We need them to be verified, ideally reusable. But the problem is an identity verification step is absent for most digital identity solutions, and I can illustrate what I mean by that. If you think of onboarding in a digital way as an individual signing up for a new service, perhaps you're an employee in a remote environment, partners at the lowest level of assurance, they're usually self-attesting information. They're volunteering their name, their contact information and so on without verifying that in the background. Or at best, they're undergoing a one-time verification.
But that one time verification is lacking a binding effect between those digital attributes and the person who is using them at a future point in time. And in an ideal world, those digital identity attributes would be useful more than just onboarding because there's plenty of examples of needed repeated access, employees are a great example where they may be accessing their business applications from several different devices, from several different locations, and we need a way to allow them to do that but still uphold these zero trust concepts, which you're likely familiar with. Never trust, always verify. So how can we enable our employees to do the work they need to do from the various locations or devices that they're using and still be sure that it's actually them? How can we have a verified reusable identity here?
The same question goes for bringing that confidence across perimeters. More and more we are working with partners and contractors, suppliers, freelancers, people who are known by their own organizations, but certainly there has to be a better way to onboard them without developing one off federation relationships. Finally, always important to remember, we're talking about identity verification here, really building up a close bind between the digital identity attributes and the real world person. But that information does not always need to be shared at that level of detail. Not every use case is going to require the highest level of assurance here. And so building in flexibility, the ability to know that information is correct without actually needing to share that information, that's a huge push for privacy here.
And so onto a practical question, how would an organization actually get to use a verified identity? Well, we as an analyst house, we love categories. We love breaking things down and building graphics like these. So I'm quite happy that I get to share this with you, so you'll have to humor me. An organization could go for an option where they take identity proofing components, pieces of a puzzle, to build a full identity proofing or identity verification solution. They could work with a vendor who specializes in document verification, for example. They could work with a vendor that specializes in biometric verification or one that does video verification, or moving one layer down, they could work with vendors that provide all of that, that build a full identity vetting or proofing solution using many of these components, and the ones listed here are just a select few.
There are many different options that are used here, but we started off the conversation today talking about onboarding, and so that makes the next group of vendors quite interesting. We termed those full service providers. So not only are they providing a full identity vetting or verification solution here, but they're using that information to flow directly into onboarding, be it for consumers, for employees and workforce, for partners and contractors. What they're also increasingly doing is using this identity verification step to support later authentication often in the form of biometrics where as a returning user shares their biometric features, either a face or fingerprint, for example, as a single factor.
It's not simply presenting biometrics, but it's presenting biometrics that are matched against the template that was used during onboarding, which likely came from a government-issued document. So not only is the user in possession of biometrics that describe the same person, but they describe the exact person who was verified at the time of onboarding, which flows into some great reuse cases. There are also additional services that are typically provided by these full service providers that become very interesting, things like fraud reduction, digital signatures, attribute verification, orchestration. And so that leads us to our second poll question. Do you already have an approach for an automated verification solution for customer or consumer identities? And this is a simple yes or no answer here.
Again, we'll take 30 seconds here. All right, thank you, and we'll continue on again, looking at the different personas that you might need to be onboarding. I've just taken a select few. If you remember back to the very dense slide on the identity fabric, there's quite a long list of different personas that could include services, IoT and devices for example. But if we look at, for example, the internal workforce, B2B relationships and consumer relationships, onboarding has different implications for each of them, but it can be an all-digital flow with increasing security benefits and usability benefits. If we look at the internal workforce use case, we've of course heard plenty about work from anywhere. But with that, we do really need to consider hiring from anywhere, and it may be more and more often that the hiring and onboarding processes could happen entirely remotely.
And so it becomes increasingly important to ensure the one that you've never met is actually the correct person, the person they claim to be, that matches their documents that they're presenting and that you're issuing credentials remotely to that same person that you intended to hire. And this opens some interesting opportunities then to employee held credentials. When we think about B2B relationships, this could be anything from partners, contractors, freelancers, and suppliers. They of course need to securely access the right resources for the right period of time, physically or remotely in a digital scenario. And it becomes increasingly important to improve the flexibility with user driven onboarding. We know user driven onboarding from the consumer use cases, but is that possible to use for B2B with the same level of confidence, moving away from manual, increasing the efficiency then and moving beyond the current efficiency of federated relationships. Need to be moving towards streamlined onboarding. Collecting other relevant credentials could also be a huge benefit here. Understanding really is the right person working on the right project and also looking at user held but issuer managed credentials in the scenario.
In consumer onboarding, there's been of course great focus on the usability here, but in particular industries, regulated industries, for example, the self-service still needs to uphold the right level of assurance here. So keeping the good actors in and keeping the bad actors out becomes very important here as well as deconstructing the user journey, and I'll get in a little more to what we mean by that phrase in a moment. And here is the final poll that I have for you. Do you see fraud detection as an important capability in an access management solution? Yes or no? This'll be nice to get your opinions before we head into a short discussion on fraud detection. So please take 30 seconds and answer this question.
Okay, let's continue. As I said, we would take a very short time to bring up fraud reduction throughout onboarding, in particular use cases, particularly for consumer onboarding. Reducing fraud is a very high priority, particularly in financial industries and in other regulated use cases. What we found in our research is that the traditional space of fraud reduction solutions is actually coming nearer and nearer to identity verification solutions, which are being more often used and integrated into onboarding and identity lifecycle management. This can be quite interesting looking at those shared capabilities, including things like behavioral biometrics, credential intelligence, and using some typical KYC resources like sanctions, blacklists, for example. And so we see identity verification with its fraud reduction powers playing a larger role in onboarding scenarios.
Another aspect to consider is privacy, but also the increased flexibility, and these need to coexist with each other, and this is where the term deconstructing the user journey comes up again. This is really all about embracing the right flow for onboarding and placing identity verification at the right point in that flow. Looking for things that can happen in parallel. For example, somebody going through an identity verification step while the registration form is being auto-populated from that verified information. In terms of privacy, it becomes very important to consider how that digital identity is being stored, whether it's being stored with the identity provider in the cloud, and storing in a decentralized manner offers some very strong privacy benefits as well. With that, I'm going to wrap up and leave you with a few final thoughts.
Digital identities, we need to think of these as the vehicle or really the shaper of how people of all kinds move through your organization at all times from all devices. And that a verified identity is what can allow for the trust needed to use identities that are being issued elsewhere. And we recommend to take a privacy forward and a secure approach considering that for some use cases, reducing fraud is a top priority, but for all, a flexible and private verification is essential. With that, we've come to the end of my session and I'm very pleased to hand this over to Mike and he'll take it on further.
Mike Engle:
Thanks for having me here. I'm going to share kind of the current state and then the art of the possible here and what's actually possible today using current technologies. A lot of this is unscripted. I do a little bit of live demo and stuff in here, so apologies if Murphy's Law kicks in and hopefully there's no Murphys on the call and we'll see how things go here. But we've been struggling. We're going to focus on workforce today, but just about everything that we talk about when it comes to identity can be applied to both workforce and customers, as you pointed out in your materials, Anne. At the end of the day, you need to prove who somebody is remotely, and you can't do that using 20-year-old technology, one-time codes or in person and so forth. You can't count on that anymore, like the pandemic has changed that, but it's been a long time coming anyway.
We need to deal with a flexible workforce and make the experience enjoyable for the hiring and for the authentication that comes downstream after that. And you think about the way we've been doing things since really forever, since we have computers, we've been spreading PII around in a way that's not very safe. We typically ask our new hires, contractors, employees to take pictures of their documents and then go to some portal, upload them or email them. I'm sure going back, it's really not much of a different process than it was when we had fax machines. It should give people the heebie-jeebies thinking about the way this data is spread around. We're going to focus on this today, pulling up your identity fabric, we're just going to zone in on two very specific pieces. There's a lot going on in an IAM infrastructure, but there's two missing components in most of them.
And they are a better way to onboard identities and then let those identities have access into the infrastructure. There's better ways to do things. I'm going to expand on these quite a bit. Just kind of double clicking on those two boxes. We need to identify and onboard. How do you know that Al here in this example is who they say they are? And not only from what they say self-attested, but let's actually verify it, right? Let's get some proof and let's not leave it up to somebody who shouldn't be doing this for a living, such as Sally in HR, who needs to try to figure out if a driver's license is real. We're going to do it digitally and then we're going to give them a credential at the same time. How do you know that Al on day two or day 200 is still the one accessing your systems?
That's the burning question we're going to address here today using technology that's already in our hands and ready to go. The standards are there and I think the mindset is there for people to want to do this. What we're going to do is walk through, how do we know that Al is Al? How do we give Al a credential that's trusted, privacy preserving, reusable? Some of the other points that you brought up in your deck, and then let them have access into our operating systems, remote access, SSL, our PAM. That's kind of how it all ties together. What are we doing today? Well, we go through talent acquisition. We typically have online portals and some mechanisms, some workflows for that and then we give them an offer and then we have to get them into the system. So IGA processes, your account governance, account creation kicks in, accounts are created.
The line manager then has to get involved and typically call up and say, "Hey, employee, here is your credential." Then we give them some type of different mechanisms to access and then going on and on, they have to change passwords, they have to log in and you have to try to figure out how to get them into your systems or the way that's trusted without friction. And this is where it breaks down. And this is where we're seeing, we use the term fraud, but when it comes to employees and contractors, it's really about insider risk and that's what we're going to address here today in this discussion. Consumer versus employee, they have very different journeys, you just call them different things and the goals of the bad actors are a little bit different, right? On the consumer side, they're trying to steal money, on the inside, they're typically trying to steal secrets.
Let's walk through what happens today when we want to hire Peyton. Peyton just went through talent acquisition, interviewed with two rock stars, interviewed with Sally. Sally doesn't like Peyton too much, but we get over the hurdle and our fourth subject matter expert, whatever it is, finishes the interview process and thumbs up, we have a signed offer and we're good to go. What do we do then? Well, we have to onboard them. As I mentioned, this is typically where things start to go south from a control perspective. You're usually manually creating an HR record. Let's go look at this form over here. Let's go look at the driver's license that was emailed into the system or uploaded to some portal, and then the IGA process goes on. We've got some good automation there. This space is maturing very nicely and the accounts are created. Now, how do we get Peyton access to the system?
Well, here's where Sally gets involved again, right? She's happy now that Peyton is joining the organization, what she's going to do is say welcome aboard and give Peyton a phone call. I've interviewed dozens of large organizations and this is still the pervasive method. Line manager calls up and says, "Hey, here's your username and password to get into remote access for your operating system." Now, what Peyton has to do is change that username and password, or not the username but the password. But then we have to give our second factor out. And if anybody on this call is not using a second factor, well, you should run and go get one. We all know that 2FA is super important, but you have to give that to them. And how do you typically do that? Well, you just give it to them, right? The possession is of really loosen all of this process.
Now we've got the MFA, and in theory, Peyton is the one that's accessing our single sign on portals or our operating systems. But what happens when Peyton wants to share that access with somebody else? That's what we're going to talk about next and how we fix it. So what could go wrong in this process? Well, on day one, when that credential is given out, they could loop in a bad actor and this is called proxy hiring, contractor jacking, there's a bunch of terms for it. There have been FBI warnings about this. There have been ISACs, right? Information sharing organizations that are putting out real warnings about this. It is happening. I saw no less than six articles on this in the past couple months from magazines like Business Insider. When you first get that credential, how do you know who's actually receiving it? What if my 2FA, which is typically on my phone or on some token is given to somebody else on day one?
How do you prove that? Or maybe I do have the 2FA in my pocket, but I'm giving the codes out one at a time. Hey, I need to get into the system, can you WhatsApp me the six-digit code, right? The username and password, you just share that. There's some compensating controls we can do, but at the end of the day, we don't know who it is. On day two then, that second actor is the one logging in, logging in, logging in and you have no way of knowing it, right? Is it the person on the left or the person on the right? And so we have some ways that we can mitigate this. There is digital onboarding, it's coming of age. There's no less than a hundred vendors out there that do this for a living. And typically, they'll scan your government credentials and say, "Yes, that is the person," but we need to go a step further.
We need to give them a credential that goes along with that, that's reusable. This is a digital wallet, the wallet that we all have in our pocket or our purse. I want to be gender neutral on this, your credential sleeve, we'll call it, has a credential in it and there's a biometric on it that matches my face, and we can do this now digitally. So let's transform how we're doing that. And at the same time, we've got so many other digital tools at our disposal. We can verify the location. We've got GPS, we've got IP addresses, whatever, we can verify the phone number in real time with trusted authorities. And very important for remote, call it zero trust for identity, is we can do real biometrics in a way that's safe and doesn't violate your Illinois laws or whatever else it is in various countries and states.
The key is the user needs to be in control of this process for it to be trusted. Let's change how we do this. I'm going to show you a digital onboarding. Live ID is a form of real biometric that we'll be showing you here today. Verified to trusted citizen or resident identity in an automated work account enrollment process. We're going to get rid of that manual HR onboarding process. We're going to jumpstart or bootstrap the IGA process and give access without ever needing a username and a password. The flow for this is really straightforward. You'll go through talent acquisition and you'll engage with them using the same mechanism, their email, their phone number, and then we're going to issue them a credential on the fly. But they verified in real time with a very enjoyable and low friction experience. At the heart of this, as I mentioned, is a wallet.
There's two forms of wallets typically. There's ones that are in an app on a phone, and you have a very controlled experience. You're leveraging the secure aspects of the phone, the TPM and secure element, whatever you want to call it. There's also web-based wallets. You can also do this in a way where you don't have to have an app. We're going to be demonstrating the app-based version because that satisfies the needs for 90-x percent of employers. There are people, either they give them a phone or they're willing to use their phone, and we can handle those edge cases. But as part of this, the document verification that you mentioned, Anne, is really important to have broad coverage globally, because we're hiring a global workforce.
Then the biometrics are a key enabler for this as well, they go hand in hand. One without the other really doesn't get you very far. Let's change this process. During the interview process, we can verify identity without having to have access to that data ourselves because we haven't hired Peyton here yet. Let the SMEs trust that this person is who they say they are, and then when we issue them the credential, it's something that we can trust and leverage for a better user experience. I am going to run through a short demo. The first thing I'm going to show is identity onboarding, where you launch an app and enroll your biometrics. This is, all right, wrong one.
As I mentioned, I'm doing this on the fly here. You're going to see me enrolling my identity into my own digital wallet. When this is launched, a key enabler for this is a private key, no pun intended. That is generated typically on the fly and handed to the user, the public key goes on a server, and then we'll enroll your Touch ID, Face ID, which we all use and love every day. But this doesn't prove identity. What does is a real biometric. The next step in the process is to prompt the user for their live selfie. Now, this live selfie needs to be verified. It needs to pass all of the false acceptance and false rejection rates. So you need to pick one that is really trusted and there's lots of ways to do this. The government has gotten quite involved in this.
Then once that's done, that live ID is going to be used to onboard their government credentials. Let's continue the process here. Compared to taking a picture and emailing it, we can now leverage the 12-megapixel camera in our pocket, scan the front and the back of the document, verify it for fraudulent characteristics and match the photo in real time, and it actually is this fast. I'm really good at it. I may be a little bit faster than your average Joe or Jane, but we can support even passports. Same process, use OCR, match the photo. And even in this example, read the NFC chip inside of a passport, which gives you a high quality photo, digitally signed from the issuing authority, typically an ICAO authority. What just happened there? I onboarded my own identity into my own wallet, and this wallet is really an enabler.
And you're seeing traction where these types of wallets, there's a whole EU digital wallet effort that's going on. There's a dozen countries that have spun up these types of efforts as well. This is coming into the mainstream and there's vendors like 1Kosmos that put this all into one package to create identity orchestration. Now, once that wallet has been created, it's now in the user's possession, the employer, the vendor should not have any access to this data yet. This is where I'm going to try to do something live here. Then we come to your HR onboarding portal. Sorry, yeah, click.
We're going to prompt the user to unlock the data from their wallet and transmit it directly into the HR system of choice to jumpstart that IGA process. What you'll see here is the user's screen on the left and my phone on the right, my wallet, and this wallet could be private labeled. It could be from a trusted third party. As we mentioned, there's standards that allow interoperability here. That's really important. In the US, we have the NIST 800-63-3 standard, which proves that the remote identity meets certain criteria and we're going to be showing some authentication standards as well, so federated authentication protocols. But now the process for this is to ask the user to unlock that data, prove that it's them.
They will unlock the data from their wallet and my data has been transmitted directly into the HR system. Now, this is obviously a demo app. You wouldn't have to show this to the user and you do not have to capture the actual images, but sometimes you have a requirement to do that. The next step in the process is just to route it over to HR. HR would come and verify a couple fields, there's some stuff that's not on the driver's license, and then I'm going to jump over to show you how this process finishes. And the user would then continue their journey and receive a credential that they can log in automatically. Next step in the process, here we go. This is what I just went through, I transmitted, and the reason I'm showing a video for this is I don't want my private data to be shown. Now, the final step in this process is to send the user that digital credential, don't have the line manager call them up and give them a username and password on the phone. We can do this electronically.
Now, at this point, I'm sent a link that only I can open because it's tied back to the identity onboarding process. I click this link here, and now in this example, Active Directory credentials are put directly into my wallet as well, alongside my identity, and that is it. I now have a strong identity with a credential to go along with it. Now, I'm going to come up to my first system, remote access or maybe I'm in the office and I need to log into a Windows workstation. You can do it the old way, username, password. But modern authentication systems can now be deployed in parallel where you give users option B until you can phase out the legacy stuff, because it's a long journey to get rid of the hundreds of places where we have passwords inside of our infrastructure.
Let's start with the low hanging fruit, remote access, operating systems and your SSO systems. If you put a strong identity in front of them, you're getting rid of 80% of the credentials and the risk. Now, when Peyton comes to that first system and you want to verify it's them, ask them. In this example, you'll see that I have to prove my identity with biometrics before I'm allowed into the system. Undeniable proof that I am the user that joined the organization yesterday. This solves all kinds of zero trust challenges, proxy interviewing, contractor jacking, you can mitigate them. Now, you don't need to do that every time. Touch ID and Face ID are very reliable and it's what 90% of organizations use today. You use that most of the time and then you can do things like this. Here in this example, when you unlock the workstation a second time, you don't have to ask them for that real biometric every time, maybe do it on Mondays.
In this example, I've unlocked my workstation by sending a push message to my phone or watch and I'm staring at my applications there with the press of a button. We're transforming the way that we engage with users. And really, if you think about it, these two boxes that I had in blue in the beginning, that I broke out of the KuppingerCole reference architecture, these two boxes here at the top are what are missing for most IAM architectures today. For both consumer and workforce, how do we onboard account identities digitally? It could be government identity, corporate identity, and jumpstart that process into our IGA systems. Then when we need to engage with the user, of course, you have to support all the legacy things. You're still going to have passwords, you have to handle password resets, and you can do that by asking them for proof of identity. It's a very trusted break-glass process for when once or twice a year they come to a system that hasn't been migrated to a passwordless experience, but then you saw me scanning a QR code.
That is a way to authenticate where it's user initiated, avoiding things like push attacks, and it's phishing resistant as well. When you need real proof of user, you can do a voice or face. There's a bunch of options there that are built into our consumer-grade hardware today. And of course, we can support the modern passwordless authentication protocols, WebAuthn, et cetera. As that matures, there'll be more options there as well. And these then will feed down into your other systems which need a strong source of identity. That is the way we think about it and the way the world is starting to go. We're seeing this happen on both the consumer and the workforce side. Again, they shouldn't be separate types of efforts. You need to prove who a customer is for KYC or banking. You need to prove who an employee or a contractor is before you allow them to access the keys to the kingdom inside your infrastructure. With that, Anne, I'll hand it back over to you and I'm looking forward to any questions that we can get into here with the audience.
Anne Bailey:
Great, thanks Mike. Thanks for walking us through those couple of demos and getting a bit of clarity on what this onboarding process can look like, particularly for the workforce scenario. We do have a few questions from the audience. I'll put out another reminder. If you do have a question, use the GoToWebinar panel, submit that, and I'll be able to handle those now and get an answer from Mike while you've got him here live. The first question that we've got is centered on privacy, and a user is asking for a little more clarity on how a verifiable credential, or this credential that you were talking about issuing, really helps with privacy compliance.
Mike Engle:
Yeah, so the beauty of this architecture, not just ours, but the way wallets and verifiable credentials are evolving, is that they are privacy preserving, in that you will get your credential and that credential could be, I'm an employee for bank XYZ or whatever it is, or I went to a certain university, or I have some type of a COVID vaccination. These are credentials that are issued, and they're issued with something called zero knowledge proof, in that I can present them to you without having to trust an intermediary.
It's privacy preserving and you don't have to see the original document. For example, a COVID vaccination: you don't need to see my home address on there, my blood type or whatever else might be on there, even the type of shot that I got, and it just really comes down to a trusted yes or no that comes out of the system. And the classic example is I need to prove my age, so I can just ask the system to say, are you of age, yes or no? You don't need to see my actual driver's license, which reveals way too much information to answer that question. It opens up a lot of doors for a privacy-preserving trust to make it a lot easier to engage with people.
Anne Bailey:
That really opens it up to flexibility in use cases as well. You're not always having to go through an onboarding process or a transaction with the highest level of assurance. You're able to pick and choose what you need to share, upholding those data minimization principles. So thanks for that explanation there, Mike. The next question is about using credentials that have been issued by a separate organization. Is it possible then, if a customer's already been proved for one organization, to leverage that proof that's been done by somebody else?
Mike Engle:
It is. Yeah, that's just like your wallet: when you pull that credential out of it, it can be handed to 10 parties. You can do that now digitally as well. One of the hot topics, where organizations are putting a lot of effort into this, is, for example, Active Directory, which is being used by probably nearly all of the Fortune 500. Inside of that, you could issue a credential that's trusted from your organization. I work again for Bank X, Bank X issues me a credential, and I can go share that with trusted parties without having to have each one of those parties establish a direct connection to set up federated logins. With the right network or consortiums, we're seeing the identities be able to be used over and over again. I know in Germany there have been a couple of consumer examples of this where your identity gets onboarded once and can be used between insurance companies or banks, et cetera.
It's happening in the Nordics, it's happening in a bunch of places in Asia as well. That is the holy grail: onboard once. Even with the large banks today, they have to onboard their own users multiple times into different products, right? Checking account, mortgage, credit card, you have to prove your identity over and over again even inside some of these large organizations. There's a real opportunity just starting there, where I onboard my checking account and transmit that data over to the credit card department with the press of a button and be able to meet the compliance needs that they have.
Anne Bailey:
Yeah, thank you for that. The next question is about the sorts of integrations that you already have in place. Are there integrations, for example, for Workday or for other major applications that many organizations use? What would some of those be?
Mike Engle:
Yeah, there are, so you'll find us in the marketplace for Auth0 or all the SSO providers, where with the press of a button, you can inject identity onboarding and passwordless authentication into those native systems. They do what they do really well, they have very good rules engines, they do single sign-on really well with SAML or OIDC. We can sit right on top, have a seamless way to onboard users like I showed you today, and let that flow down into the target system. We have about 150 plug-ins natively for different types of systems, or support for those federated authentication protocols that I mentioned.
Anne Bailey:
Great. Great. Next question, going back to a statement that you had earlier in the presentation about Touch ID and Face ID doing a good job but not proving identity, whereas LiveID with 1Kosmos does. Can you go into why that is?
Mike Engle:
Yeah, I'm actually going to pull up my phone here and see what I'm going to show, but if you go look at your Android or your iOS device today, you'll see that it has something called, for example, an alternate appearance. What that means is you could add a second face to a phone or a second thumbprint, and Android supports 2, 3, 4 fingers. How do you know whose finger it is, right? It's not verified identity. It is linked back to the operating system of the phone, typically. My Apple ID has somebody's face on it. In order to do real identity, you need real biometrics, right? This face that you see right here has to be matched back to a source of truth.
That source of truth could be a corporate photo, in this side, the physical access control system or some LDAP system, or a government credential. That is the only way to prove identity. My kids probably have their face or thumb on my phone, which means, if I don't use real biometrics, they could get into my online banking. I think I'd better check that after the call's done. But you get the idea that the device's biometrics are just a point in time when somebody's face or finger was put onto that device, and it's not verified. So there's a big difference between the two.
Anne Bailey:
Great, thanks for that. Another clarification then on the web flow for this, as opposed to using a phone for login and authentication. For example, would doing this flow in a web browser mean that you would need a separate personal computer? Does this always have to be accompanied by your mobile device? How does this work?
Mike Engle:
The most common way is if you're on a web channel and you say, either I won't get an app or I can't for some reason, as opposed to where you're doing it all in app. In app is a great experience. We know how powerful our phones are and how much you can control the experience. But in those other examples, you go to a web channel and you start the onboarding process, and there are two options. You could invoke this webcam like you see here to capture biometrics and then use a custodian model where, for that data, you have to have a way to encrypt the data so that you can engage with the user and store it centrally in a safe way.
Again, using public-private key cryptography, and there are two ways to capture, as I mentioned: you can use the webcam, or you could route it to a phone just to use its browser and camera without an app, and that's very common. The flow would be: type in your phone number, your phone jingles, and you're just prompted through a Safari or a Chrome session where it says, okay, scan your driver's license and just let me take a selfie here with the native camera. That data is then routed back to the web process and finished. So that really covers a large number of different use cases that may have app challenges, or sometimes it's illegal to force employees to go get an app now in certain places. So we can handle those with the different technologies.
Anne Bailey:
Then on top of that, as a more concise clarification: how do you log in if your mobile is not available, if it's broken, if it's lost, if it's at home, some of these other scenarios?
Mike Engle:
Our system supports nine different ways to authenticate somebody. The app that you saw me scanning a QR code with, scanning my face, Touch ID, Face ID, or your LiveID is the easiest and the most secure, but we also support FIDO authenticators. It could be a token, a FIDO certified token, or the native platform authenticators. That's your Windows Hello, your Mac's Touch ID, Face ID that's built in, and that's built into nearly every commonly used operating system and browser today. The process would be sign up and set up a secondary form of authentication in case the primary goes offline, and then you can use that as part of a recovery mechanism in case you get a new phone and you have to restore your identity. There's a bunch of options to support that as well.
Anne Bailey:
Great. Perhaps a final question for this round, if you have any last minute questions, feel free to send them in, but is it possible to meet KYC and AML guidelines in this remote verification and authentication framework?
Mike Engle:
It is, yeah. Now, you see a lot of the newer FinTechs doing digital onboarding, a little bit more flexible infrastructure for some of these younger companies. They'll walk you through a digital onboarding experience much like I showed you today and reach that high level of assurance to give you eIDAS significant or NIST 800-63-3 IAL2, for example, compared to the legacy way of give me some type of national ID number, social security number, and ask some knowledge-based questions called KBA, right? Knowledge-based authentication, also called known by anybody, right? KBA's alternate meaning. Yeah, it will strengthen the account at the beginning and give them that credential for that as well. As I mentioned, whether it's onboarding a new hire or a new banking customer, this is the future and it'll reduce a lot of fraud and insider threat risks.
Anne Bailey:
Great. Thank you for answering those questions, Mike. Thanks to our audience for asking so many very interesting, really relevant questions here. I would suggest that we switch over and take a look at the poll results before we wrap up for today. For our initial question on whether people have already used such an identity verification solution, we've got 68% who answered yes and 32% who answered no. We're seeing that these sorts of solutions are becoming more and more prominent, at least on the consumer side if we're using these personally, but we had some great examples of how this could be used in a workforce scenario as well.
Mike Engle:
Yeah, those are encouraging numbers, right? Seven out of 10 said they've done some type of remote identity verification, so maybe the time is now, right?
Anne Bailey:
Yeah. Yeah. Let's see. I can view the next slide. The next one, good. Yeah, so if you already have an approach to bringing in identity verification, some yes, 39% are answering yes, but 61% not yet. And so this is perhaps something to consider if there are already some pain points in the onboarding process for consumers, also for the workforce. This can be something to consider. Maybe you already have somebody to talk to about it for some more ideas.
Mike Engle:
Yeah, and it doesn't surprise me that we have a bunch of identity folks on this call, so many of them have tried it, but getting your organization to adopt it is of course a longer journey, but it's great. Again, four out of 10 are heading in the right direction. We're already there, I'm saying, and the other six out of 10 must be not far behind, hopefully.
Anne Bailey:
Great. Our final poll question, your view on fraud reduction: do you see this as an important part of an access management solution? Overwhelmingly, you answered yes. Mike, you did hint at that. We probably have a lot of identity folks here, so I'm glad this is on your radar, but there's obviously room in the conversation to talk about this if you have more questions or need to talk about your own experiences with deterring fraud.
Mike Engle:
Yeah, this is not surprising at all. It's like saying, do you like good things, right?
Anne Bailey:
Yeah.
Mike Engle:
Again, it's not just fraud, it is insider threat as well. They kind of detect and mitigate them in very similar ways.
Anne Bailey:
Absolutely, yes. Think about, that was a great way you described it, that the fraud just takes on a different form, has different incentives, either after money or secrets. Great. With that, I'd like to offer a big thank you to all of you who were listening and asking questions. Also to Mike, who was answering questions. That was very enlightening along the way. A big thank you to all of you. If you're interested in more content like this, we do have a virtual event hosted by KuppingerCole happening on December 7th, which happens to be on access management. If this is a topic which is interesting to you, we have a good collection of speakers from the industry, speakers who have recently implemented access management projects, and analysts offering their perspective on this. Feel free to check that out. Or perhaps a little closer to today, November 8th through 10th, we do have a hybrid event, which means it's happening on site in Berlin.
If you're nearby or would like an excuse to go to Berlin, check that out, or it's also happening online. You can tune in from anywhere, focusing on cybersecurity, the human factors, the mix of cloud and OT security, and automation here. Finally, if you prefer reading, we do have a good collection of reports here that could expand your knowledge on this topic. As I said, you'll receive this slide deck, or you'll have the opportunity to download it in the coming days, so you'll be able to take a look, should you be interested. We also host a variety of other services as well: research, events and webinars. You've met us here, and advisory. And with that, I thank you very much for your participation and I wish you a wonderful rest of your day.
Mike Engle:
Yeah, thank you everybody, and thanks for having me, Anne.
Anne Bailey:
Thank you.
Hello and welcome to today's webinar. I'm really pleased to welcome you to our topic today. We're going to be looking at smooth and secure onboarding processes and how this can lead to better business. With me today, I have Mike Engle, he is the Chief Strategy Officer of 1Kosmos, and I'm Anne Bailey, I'm a senior analyst and research strategy director at KuppingerCole Analysts. I have a few notes for you before we get started with the webinar today. First is the audio control. You can relax. We are taking care of the audio from our side, so you are muted centrally. You don't need to worry about controlling this. But despite that, we do have a question and answer session. The way you can participate in that is by submitting your questions in the go-to webinar panel, you'll find a menu called questions. Send those in at any point during the presentations today.
I will receive those and I will moderate those at the end of the session. So please don't hesitate to send in your questions. In addition to that, we also have some polls scattered throughout the presentation. At various points, we'll request for your opinions, your experience, and you can submit those and we'll look at the results at the end of the session during the Q and A part. And finally, you will have access to this recording and to the slide decks that you see today. So those will be made available to you in the next days.
With that, back to our topic, looking at smooth onboarding processes, we want to build the foundation and bring you to some concrete solutions here. And so this will proceed as follows, I will open today with the foundation of what is behind a smooth onboarding process, at least from KuppingerCole's opinion. One very important part being identity verification and how this can be very seamlessly integrated in and I'll look at this from a few different points and then I'll hand it over to Mike and he'll take it on further. So with that, we're going to begin with a poll. You might have heard that we view identity verification as a very key part to smooth onboarding processes in a particular level of assurance.
And so I'd like to ask, have you personally used remote identity verification solution? Yes or no? I'll allow about 30 seconds for this. Let's continue. Thank you for your participation here and I'm going to begin the webinar probably with the most dense packed slide that you have to work through, but that means the worst is over at the beginning. What you're looking at here is what we call the KuppingerCole identity fabric. And in a moment, I'll get into why we call it that, but the message here behind is taking a step back from the onboarding processes is that digital identity is at the center of the people journey, the way that people pass through your organization to access digital services, to access legacy applications, to access infrastructure platforms backend, no matter who they are. If we're talking about consumers, customers, partners, workforce, you can see this list here along the left side of this diagram. Digital identity is the vehicle that allows them to move seamlessly through your organization.
Now, that can begin at onboarding, and that's where we use this diagram to hone in on what do we need out of an onboarding process. When digital identity is this vehicle that allows them to seamlessly pass through everything, we need a good quality of information coming in, something that we can make good decisions on, that we can use this high quality of information to inform our dynamic policy decisions, our access management decisions, things of this nature. And so using this idea of an identity fabric, something which is woven together to allow everybody, this list of people on the left to access everything, the services you see along the top, also the legacy applications you see along the bottom and all of these infrastructure aspects you see along the right side, everybody to access everything anytime from any device anywhere.
This is quite a feat and requires an interwoven highly connected fabric approach. We use this word very intentionally, but instead of focusing on the entire journey throughout the people's life cycles or these different roles, we're going to focus particularly on onboarding. How can we use onboarding to build a digital identity that is functional and can deliver these fabric aspects throughout the whole life cycle?
And that's what I'd like to bring us to the next concept. We're not talking about just any digital identity, any digital representation of identity attributes, but we need there to be a certain quality behind that. We need them to be verified, ideally reusable. But the problem is an identity verification step is absent for most digital identity solutions, and I can illustrate what I mean by that. If you think of onboarding in a digital way as an individual signing up for a new service, perhaps you're in an employee in a remote environment, partners at the lowest level of assurance, they're usually self attesting information. They're volunteering their name, their contact information and so on without verifying that in the background. Or at best, they're undergoing a one time verification.
But that one time verification is lacking a binding effect between those digital attributes and the person who is using them at a future point in time. And in an ideal world, those digital identity attributes would be useful more than just onboarding because there's plenty of examples of needed repeated access, employees are a great example where they may be accessing their business applications from several different devices, from several different locations, and we need a way to allow them to do that but still uphold these zero trust concepts, which you're likely familiar with. Never trust, always verify. So how can we enable our employees to do the work they need to do from the various locations or devices that they're using and still be sure that it's actually them? How can we have a verified reusable identity here?
The same question goes for bringing that confidence across perimeters. More and more we are working with partners and contractors, suppliers, freelancers, people who are known by their own organizations, but certainly there has to be a better way to onboard them without developing one off federation relationships. Finally, always important to remember, we're talking about identity verification here, really building up a close bind between the digital identity attributes and the real world person. But that information does not always need to be shared at that level of detail. Not every use case is going to require the highest level of assurance here. And so building in flexibility, the ability to know that information is correct without actually needing to share that information, that's a huge push for privacy here.
And so onto a practical question, how would an organization actually get to use a verified identity? Well, we as an analyst house, we love categories. We love breaking things down and building graphics like these. So quite happy that I get to share this with you, so you'll have to humor me. An organization could go for an option where they take identity proofing components, pieces of a puzzle to build a full identity proofing or identity verification solution. They could work with a vendor who specializes in document verification, for example. They could work with a vendor that specializes in biometric verification or one that does video verification, or moving one layer down, they could work with vendors that provided all that build a full identity vetting or proofing solution using many of these components, and the ones listed here are just a select few.
There are many different options that are used here, but we started off the conversation today talking about onboarding, and so that makes the next group of vendors quite interesting. We termed those full service providers. So not only are they providing a full identity vetting or verification solution here, but they're using that information to flow directly into onboarding, be it for consumers, for employees and workforce, for partners and contractors. What they're also increasingly doing is using this identity verification step to support later authentication often in the form of biometrics where as a returning user shares their biometric features, either a face or fingerprint, for example, as a single factor.
It's not simply presenting biometrics, but it's presenting biometrics that are matched against the template that was used during onboarding, which likely came from a government issue document. So not only is the user in possession of biometrics that describe the same person, but they describe the exact person who was verified at the time of onboarding, which flows into some great reuse cases. There are also additional services that are typically provided by these full service providers to become very interesting, things like fraud reduction, digital signatures, attribute verification orchestration. And so that leads us to our second poll question. Do you already have an approach for an automated verification solution for customer or consumer identities? And this is a simple yes or no answer here.
Again, we'll take 30 seconds here. All right, thank you, and we'll continue on again, looking at the different personas that you might need to be onboarding. I've just taken a select few. If you remember back to the very dense slide on the identity fabrics, there's a quite a long list of different personas that could include services, IOT and devices for example. But if we look at, for example, the internal workforce, B2B relationships and consumer relationships, onboarding has different implications for each of them, but it can be in all digital flow with increasing security benefits and usability benefits. If we look at the internal workforce use case, we've of course heard plenty about work from anywhere. But with that, we do really need to consider hiring from anywhere, and it may be more and more often that the hiring and onboarding processes could happen entirely remotely.
And so it becomes increasingly important to ensure the one that you've never met is actually the correct person, the person they claim to be, that matches their documents that they're presenting and that you're issuing credentials remotely to that same person that you intended to hire. And this opens some interesting opportunities then to employee held credentials. When we think about B2B relationships, this could be anything from partners, contractors, freelancers, and suppliers. They of course need to securely access the right resources for the right period of time, physically or remotely in a digital scenario. And it becomes increasingly important to improve the flexibility with user driven onboarding. We know user driven onboarding from the consumer use cases, but is that possible to use for B2B with the same level of confidence, moving away from manual, increasing the efficiency then and moving beyond the current efficiency of federated relationships. Need to be moving towards streamlined onboarding. Collecting other relevant credentials could also be a huge benefit here. Understanding really is the right person working on the right project and also looking at user held but issuer managed credentials in the scenario.
In consumer onboarding, there's been of course great focus on the usability here, but in particular industries, regulated industries, for example, the self-service still needs to uphold the right level of assurance here. So keeping the good actors in and keeping the bad actors out becomes very important here as well as deconstructing the user journey, and I'll get in a little more to what we mean by that phrase in a moment. And here is the final poll that I have for you. Do you see fraud detection as an important capability in an access management solution? Yes or no? This'll be nice to get your opinions before we head into a short discussion on fraud detection. So please take 30 seconds and answer this question.
Okay, let's continue. As I said, we would take a very short time to bring up fraud reduction throughout onboarding, in particular use cases, particularly for consumer onboarding. Reducing fraud is a very high priority, particularly in financial industries and in other regulated use cases. What we found in our research is that the traditional space of fraud reduction solutions is actually coming nearer and nearer to identity verification solutions, which are being more often used and integrated into onboarding and identity lifecycle management. This can be quite interesting looking at those shared capabilities, including things like behavioral biometrics, credential intelligence, and using some typical KYC resources like sanctions, blacklists, for example. And so we see identity verification with its fraud reduction powers playing a larger role in onboarding scenarios.
Another aspect to consider is privacy, but also the increased flexibility that need to coexist with each other and this is where the term deconstructing the user journey comes up again. This is really all about embracing the right flow for onboarding and placing identity verification at the right point in that flow. Looking for things that can happen in parallel. For example, somebody going through an identity verification step while the registration form is being autopopulated from that verified information. In terms of privacy becomes very important to consider how that digital identity is being stored, whether it's being stored with the identity provider in the cloud and offering some very strong privacy benefits storing in a decentralized manner as well. With that, I'm going to wrap up and leave you with a few final thoughts.
Digital identities, we need to think of these as the vehicle or really the shaper of how people of all kinds move through your organization at all times from all devices. And that a verified identity is what can allow for the trust needed to use identities that are being issued elsewhere. And we recommend to take a privacy forward and a secure approach considering that for some use cases, reducing fraud is a top priority, but for all, a flexible and private verification is essential. With that, we've come to the end of my session and I'm very pleased to hand this over to Mike and he'll take it on further.
Mike Engle:
Thanks for having me here. I'm going to share kind of the current state and then the art of the possible here and what's actually possible today using current technologies. A lot of this is unscripted. I do a little bit of live demo and stuff in here, so apologies if Murphy's Law kicks in and hopefully there's no Murphys on the call and we'll see how things go here. But we've been struggling. We're going to focus on workforce today, but just about everything that we talk about when it comes to identity, can be applied to both workforce and customers, as you pointed out in your materials, Anne. At the end of the day, you need to prove who somebody is remotely, and you can't do that using 20 year old technology, one time codes or in person and so forth. You can't count on that anymore, like the pandemic has changed that, but it's been a long time coming anyway.
We need to deal with a flexible workforce and make the experience enjoyable for the hiring and for the authentication that comes downstream after that. And you think about the way we've been doing things since really forever, since we have computers, we've been spreading PII around in a way that's not very safe. We typically ask our new hires, contractors, employees to take pictures of their documents and then go to some portal, upload them or email them. I'm sure going back, it's really not much of a different process than it was when we had fax machines. Just it should give people the EB, GBs thinking about the way this data is spread around. We're going to focus on this today, pulling up your identity fabric, we're just going to zone in on two very specific pieces. There's a lot going on in an IAM infrastructure, but there's two missing components in most of them.
And they are a better way to onboard identities and then let those identities have access into the infrastructure. There's better ways to do things. I'm going to expand on these quite a bit. Just kind of double clicking on those two boxes. We need to identify an onboard. How do you know that Al here in this example is who they say they are? And not only from what they say self attested, but let's actually verify it, right? Let's get some proof and let's not leave it up to somebody who shouldn't be doing this for a living such as Sally and HR that needs to try to figure out if a driver's license is real. We're going to do it digitally and then we're going to give them a credential at the same time. How do you know that Al on day two or day 200 is still the one accessing your systems?
That's the burning question we're going to address here today using technology that's already in our hands and ready to go. The standards are there, and I think the mindset is there for people to want to do this. What we're going to do is walk through: how do we know that Al is Al? How do we give Al a credential that's trusted, privacy preserving, reusable? Some of the other points that you brought up in your deck. And then let them have access into our operating systems, remote access, SSO, our PAM. That's kind of how it all ties together. What are we doing today? Well, we go through talent acquisition. We typically have online portals and some mechanisms, some workflows for that, and then we give them an offer, and then we have to get them into the system. So IGA processes, your account governance, account creation kicks in, accounts are created.
The line manager then has to get involved and typically call up and say, "Hey, employee, here is your credential." Then we give them some type of different mechanisms to access, and then going on and on, they have to change passwords, they have to log in, and you have to try to figure out how to get them into your systems in a way that's trusted without friction. And this is where it breaks down. And this is where we're seeing, we use the term fraud, but when it comes to employees and contractors, it's really about insider risk, and that's what we're going to address here today in this discussion. Consumer versus employee, they have very different journeys, you just call them different things, and the goals of the bad actors are a little bit different, right? On the consumer side, they're trying to steal money; on the inside, they're typically trying to steal secrets.
Let's walk through what happens today when we want to hire Peyton. Peyton just went through talent acquisition, interviewed with two rock stars, interviewed with Sally. Sally doesn't like Peyton too much, but we get over the hurdle, and our fourth subject matter expert, whatever it is, finishes the interview process and thumbs up, we have a signed offer and we're good to go. What do we do then? Well, we have to onboard them. As I mentioned, this is typically where things start to go south from a control perspective. You're usually manually creating an HR record. Let's go look at this form over here. Let's go look at the driver's license that was emailed into the system or uploaded to some portal, and then the IGA process goes on. We've got some good automation there. This space is maturing very nicely, and the accounts are created. Now, how do we get Peyton access to the system?
Well, here's where Sally gets involved again, right? She's happy now that Peyton is joining the organization. What she's going to do is say welcome aboard and give Peyton a phone call. I've interviewed dozens of large organizations, and this is still the pervasive method. The line manager calls up and says, "Hey, here's your username and password to get into remote access for your operating system." Now, what Peyton has to do is change that username and password, or not the username but the password. But then we have to give our second factor out. And if anybody on this call is not using a second factor, well, you should run and go get one. We all know that 2FA is super important, but you have to give that to them. And how do you typically do that? Well, you just give it to them, right? Possession is really loose in all of this process.
Now we've got the MFA, and in theory, Peyton is the one that's accessing our single sign on portals or our operating systems. But what happens when Peyton wants to share that access with somebody else? That's what we're going to talk about next and how we fix it. So what could go wrong in this process? Well, on day one, when that credential is given out, they could loop in a bad actor and this is called proxy hiring, contractor jacking, there's a bunch of terms for it. There have been FBI warnings about this. There have been ISACs, right? Information sharing organizations that are putting out real warnings about this. It is happening. I saw no less than six articles on this in the past couple months from magazines like Business Insider. When you first get that credential, how do you know who's actually receiving it? What if my 2FA, which is typically on my phone or on some token is given to somebody else on day one?
How do you prove that? Or maybe I do have the 2FA in my pocket, but I'm giving the codes out one at a time. Hey, I need to get into the system, can you WhatsApp me the six digit code, right? The username and password, you just share that. There's some compensating controls we can do, but at the end of the day, we don't know who it is. On day two then, that second actor is the one logging in, logging in, logging in and you have no way of knowing it, right? Is it the person on the left or the person on the right? And so we have some ways that we can mitigate this. There is digital onboarding, it's coming of age. There's no less than a hundred vendors out there that do this for a living. And typically, they'll scan your government credentials and say, "Yes, that is the person," but we need to go a step further.
We need to give them a credential that goes along with that, that's reusable. This is a digital wallet, the wallet that we all have in our pocket or our purse. I want to be gender neutral on this, your credential sleeve, we'll call it, has a credential in it, and there's a biometric on it that matches my face, and we can do this now digitally. So let's transform how we're doing that. And at the same time, we've got so many other digital tools at our disposal. We can verify the location. We've got GPS, we've got IP addresses, whatever. We can verify the phone number in real time with trusted authorities. And very important for remote, call it zero trust for identity, is we can do real biometrics in a way that's safe and doesn't violate your Illinois laws or whatever else it is in various countries and states.
The key is the user needs to be in control of this process for it to be trusted. Let's change how we do this. I'm going to show you a digital onboarding. Live ID is a form of real biometric that we'll be showing you here today. Verified to trusted citizen or resident identity in an automated work account enrollment process. We're going to get rid of that manual HR onboarding process. We're going to jumpstart or bootstrap the IGA process and give access without ever needing a username and a password. The flow for this is really straightforward. You'll go through talent acquisition, and you'll engage with them using the same mechanism, their email, their phone number, and then we're going to issue them a credential on the fly. But they've verified in real time with a very enjoyable and low-friction experience. At the heart of this, as I mentioned, is a wallet.
There are two forms of wallets typically. There are ones that are in an app on a phone, and you have a very controlled experience. You're leveraging the secure aspects of the phone, the TPM and secure element, whatever you want to call it. There are also web-based wallets. You can also do this in a way where you don't have to have an app. We're going to be demonstrating the app-based version because that satisfies the needs for ninety-something percent of employers. There are people who either are given a phone or are willing to use their phone, and we can handle those edge cases. But as part of this, the document verification that you mentioned, Anne, is really important to have broad coverage globally, because we're hiring a global workforce.
Then the biometrics are a key enabler for this as well, they go hand in hand. One without the other really doesn't get you very far. Let's change this process. During the interview process, we can verify identity without having to have access to that data ourselves because we haven't hired Peyton here yet. Let the SMEs trust that this person is who they say they are, and then when we issue them the credential, it's something that we can trust and leverage for a better user experience. I am going to run through a short demo. The first thing I'm going to show is identity onboarding, where you launch an app and enroll your biometrics. This is, all right, wrong one.
As I mentioned, I'm doing this on the fly here. You're going to see me enrolling my identity into my own digital wallet. When this is launched, a key enabler for this is a private key, no pun intended. That is generated typically on the fly and handed to the user, the public key goes on a server, and then we'll enroll your Touch ID, Face ID, which we all use and love every day. But this doesn't prove identity. What does is a real biometric. This is the next step in the process, to prompt the user for their live selfie. Now, this live selfie needs to be verified. It needs to pass all of the false acceptance and false rejection rates. So you need to pick one that is really trusted, and there are lots of ways to do this. The government has gotten quite involved in this.
Then once that's done, that Live ID is going to be used to onboard their government credentials. Let's continue the process here. Compared to taking a picture and emailing it, we can now leverage the 12 megapixel camera in our pocket, scan the front and the back of the document, verify it for fraudulent characteristics and match the photo in real time, and it actually is this fast. I'm really good at it. I may be a little bit faster than your average Joe or Jane, but we can support even passports. Same process, use OCR, match the photo. And even in this example, read the NFC chip inside of a passport, which gives you a high quality photo, digitally signed from the issuing authority, typically an ICAO authority. What just happened there? I onboarded my own identity into my own wallet, and this wallet is really an enabler.
And you're seeing traction where these types of wallets, there's a whole EU digital wallet effort that's going on. There's a dozen countries that have spun up these types of efforts as well. This is becoming mainstream, and there are vendors like 1Kosmos that put this all into one package to create identity orchestration. Now, once that wallet has been created, it's now in the user's possession; the employer, the vendor, should not have any access to this data yet. This is where I'm going to try to do something live here. Then we come to your HR onboarding portal. Sorry, yeah, click.
We're going to prompt the user to unlock the data from their wallet and transmit it directly into the HR system of choice to jumpstart that IGA process. What you'll see here is the user's screen on the left and my phone on the right, my wallet, and this wallet could be private labeled. It could be from a trusted third party. As we mentioned, there are standards that allow interoperability here. That's really important. In the US, we have the NIST 800-63-3 standard, which proves that the remote identity meets certain criteria, and we're going to be showing some authentication standards as well, so federated authentication protocols. But now the process for this is to ask the user to unlock that data, prove that it's them.
They will unlock the data from their wallet, and my data has been transmitted directly into the HR system. Now, this is obviously a demo app. You wouldn't have to show this to the user, and you do not have to capture the actual images, but sometimes you have a requirement to do that. The next step in the process is just to route it over to HR. HR would come and verify a couple fields, there's some stuff that's not on the driver's license, and then I'm going to jump over to show you how this process finishes. And the user would then continue their journey and receive a credential with which they can log in automatically. Next step in the process, here we go. This is what I just went through, I transmitted, and the reason I'm showing a video for this is I don't want my private data to be shown. Now, the final step in this process is to send the user that digital credential. Don't have the line manager call them up and give them a username and password on the phone. We can do this electronically.
Now, at this point, I'm sent a link that only I can open because it's tied back to the identity onboarding process. I click this link here, and now in this example, Active Directory credentials are put directly into my wallet as well, alongside my identity, and that is it. I now have a strong identity with a credential to go along with it. Now, I'm going to come up to my first system, remote access, or maybe I'm in the office and I need to log into a Windows workstation. You can do it the old way, username, password. But modern authentication systems can now be deployed in parallel, where you give users option B until you can phase out the legacy stuff, because it's a long journey to get rid of the hundreds of places where we have passwords inside of our infrastructure.
Let's start with the low-hanging fruit: remote access, operating systems and your SSO systems. If you put a strong identity in front of them, you're getting rid of 80% of the credentials and the risk. Now, when Peyton comes to that first system and you want to verify it's them, ask them. In this example, you'll see that I have to prove my identity with biometrics before I'm allowed into the system. Undeniable proof that I am the user that joined the organization yesterday. This solves all kinds of zero trust challenges, proxy interviewing, contractor jacking, you can mitigate them. Now, you don't need to do that every time. Touch ID and Face ID are very reliable, and it's what 90% of organizations use today. You use that most of the time, and then you can do things like this. Here in this example, when you unlock the workstation a second time, you don't have to ask them for that real biometric every time, maybe do it on Mondays.
In this example, I've unlocked my workstation by sending a push message to my phone or watch, and I'm staring at my applications there with the press of a button. We're transforming the way that we engage with users. And really, if you think about it, these two boxes that I had in blue in the beginning that I broke out of the KuppingerCole reference architecture, these two boxes here at the top are what are missing for most IAM architectures today. For both consumer and workforce, how do we onboard account identities digitally? It could be government identity, corporate identity, and jumpstart that process into our IGA systems. Then when we need to engage with the user, of course, you have to support all the legacy things. You're still going to have passwords, you have to handle password resets, and you can do that by asking them for proof of identity. It's a very trusted break-glass process for when, once or twice a year, they come to a system that hasn't been migrated to a passwordless experience. But you saw me scanning a QR code.
That is a way to authenticate where it's user initiated, avoiding things like push attacks, and it's phishing resistant as well. When you need real proof of user, you can do a voice or face. There are a bunch of options there that are built into our consumer-grade hardware today. And of course, we can support the modern passwordless authentication protocols, WebAuthn, et cetera. As that matures, there'll be more options there as well. And these then will feed down into your other systems which need a strong source of identity. That is the way we think about it and the way the world is starting to go. We're seeing this happen on both the consumer and the workforce side. Again, they shouldn't be separate types of efforts. You need to prove who a customer is for KYC or banking. You need to prove who an employee or a contractor is before you allow them to access the keys to the kingdom inside your infrastructure. With that, Anne, I'll hand it back over to you, and I'm looking forward to any questions that we can get into here with the audience.
Anne Bailey:
Great, thanks Mike. Thanks for walking us through those couple demos and getting a bit of clarity on what this onboarding process can look like, particularly for the workforce scenario. We do have a few questions from the audience. I'll put out another reminder: if you do have a question, use the GoToWebinar panel, submit that, and I'll be able to handle those now and get an answer from Mike while you've got him here live. The first question that we've got is centered on privacy, and the user is asking for a little more clarity on how a verifiable credential, or this credential that you were talking about issuing, really helps with privacy compliance.
Mike Engle:
Yeah, so the beauty of this architecture, not just ours, but the way wallets and verifiable credentials are evolving, is they are privacy preserving in that you will get your credential, and that credential could be, I'm an employee for bank XYZ or whatever it is, or I went to a certain university, or I have some type of a COVID vaccination. These are credentials that are issued, and they're issued with something called zero-knowledge proofs, in that I can present them to you without having to trust an intermediary.
It's privacy preserving, and you don't have to see the original document. For example, COVID vaccination: you don't need to see my home address on there, my blood type or whatever else might be on there, even the type of shot that I got, and it just really comes down to a trusted yes or no that comes out of the system. And the classic example is I need to prove my age, so I can just ask the system to say, are you of age, yes or no? You don't need to see my actual driver's license, which reveals way too much information to answer that question. It opens up a lot of doors for a privacy-preserving trust to make it a lot easier to engage with people.
Anne Bailey:
That really opens it up to a flexibility in use cases as well. You're not always having to go through an onboarding process or a transaction with the highest level of assurance. You're able to pick and choose what you need to share, upholding those data minimization principles. So thanks for that explanation there, Mike. Next question is about using credentials that have been issued by a separate organization. Is it possible then if a customer's already been proved for an organization to leverage that proof that's been done by somebody else?
Mike Engle:
It is. Yeah, that's just like your wallet: when you pull that credential out of it, it can be handed to 10 parties. You can do that now digitally as well. One of the hot topics, or organizations putting a lot of effort into this, are, for example, Active Directory, which is being used by probably nearly all of the Fortune 500. Inside of that, you could issue a credential that's trusted from your organization. I work again for Bank X, Bank X issues me a credential, and I can go share that with trusted parties without having to have each one of those parties establish a direct connection to set up federated logins. With the right network or consortiums, we're seeing the identities be able to be used over and over again. I know in Germany there have been a couple of consumer examples of this where your identity gets onboarded once and can be used between insurance companies or banks, et cetera.
It's happening in the Nordics, it's happening in a bunch of places in Asia as well. That is the holy grail, onboard once. Even with the large banks today, they have to onboard their own users multiple times into different products, right? Checking account, mortgage, credit card, you have to prove your identity over and over again even inside some of these large organizations. There's a real opportunity just starting there, where I onboard for my checking account and transmit that data over to the credit card department with the press of a button and be able to meet the compliance needs that they have.
Anne Bailey:
Yeah, thank you for that. Next question, about the sorts of integrations that you already have in place. Are there integrations, for example, for Workday or for other major applications that many organizations use? What would some of those be?
Mike Engle:
Yeah, there are, so you'll find us in the marketplace for Auth0 or all the SSO providers, where with the press of a button, you can inject identity onboarding and passwordless authentication into those native systems. They do what they do really well, they have very good rules engines, they do single sign-on really well with SAML or OIDC. We can sit right on top, have a seamless way to onboard users like I showed you today, and let that flow down into the target system. We have about 150 plug-ins natively for different types of systems, or support for those federated authentication protocols that I mentioned.
Anne Bailey:
Great. Great. Next question, going back to a statement that you had earlier in the presentation about Touch ID and Face ID doing a good job but not proving identity, whereas Live ID with 1Kosmos does. Can you go into why that is?
Mike Engle:
Yeah, I'm actually going to pull up my phone here and see what I'm going to show, but if you go look at your Android or your iOS device today, you'll see that it has something called, for example, an alternate appearance. What that means is you could add a second face to a phone or a second thumbprint, and Android supports 2, 3, 4 fingers. How do you know whose finger it is, right? It's not verified identity. It is linked back to the operating system of the phone, typically. My Apple ID has somebody's face on it. In order to do real identity, you need real biometrics, right? This face that you see right here has to be matched back to a source of truth.
That source of truth could be a corporate photo, on this side, the physical access control system or some LDAP system, or a government credential. That is the only way to prove identity. My kids probably have their face or thumb on my phone, which means, if I don't use real biometrics, they could get into my online banking. I think I'd better check that after the call's done. But you get the idea that the device's biometrics are just a point in time when somebody's face or finger was put onto that device, and it's not verified. So there's a big difference between the two.
Anne Bailey:
Great, thanks for that. Another clarification then on the web flow for this as opposed to using a phone for login and authentication. For example, would doing this flow in a web browser mean that you would need a separate personal computer? Is this always accompanied by your mobile device? How does this work?
Mike Engle:
The most common way is if you're on a web channel and you say either I won't get an app or I can't for some reason, rather than where you're doing it all in app. In app is a great experience. We know how powerful our phones are and how much you can control the experience. But in those other examples, you go to a web channel and you start the onboarding process, and there are two options. You could invoke this webcam like you see here to capture biometrics and then use a custodian model where, for that data, you have to have a way to encrypt the data so that you can engage with the user and store it centrally in a safe way.
Again, using public/private key cryptography, and there are two ways to capture, as I mentioned: you can use the webcam, or you could route it to a phone just to use its browser and camera without an app, and that's very common. The flow would be type in your phone number, your phone jingles, and you're just prompted through a Safari or a Chrome session where it says, okay, scan your driver's license and just let me take a selfie here with the native camera. That data then is routed back to the web process and finished. So that really covers a large number of different use cases that may have app challenges, or sometimes it's illegal to force employees to go get an app now in certain places. So we can handle those with the different technologies.
Anne Bailey:
Then on top of that, as a more concise clarification then, how do you log in if your mobile is not available, if it's broken, if it's lost, if it's at home, some of these other scenarios?
Mike Engle:
Our system supports nine different ways to authenticate somebody. The app that you saw me scanning a QR code with, scanning my face, Touch ID, Face ID or your Live ID, is the easiest and the most secure, but we also support FIDO authenticators. It could be a token, a FIDO certified token, or the native platform authenticators. That's your Windows Hello, your Mac's Touch ID, Face ID that's built in, and that's built into nearly every commonly used operating system and browser today. The process would be sign up and set up a secondary form of authentication in case the primary goes offline, and then you can use that as part of a recovery mechanism in case you get a new phone and you have to restore your identity. There are a bunch of options to support that as well.
Anne Bailey:
Great. Perhaps a final question for this round, if you have any last minute questions, feel free to send them in, but is it possible to meet KYC and AML guidelines in this remote verification and authentication framework?
Mike Engle:
It is, yeah. Now, you see a lot of the newer FinTechs doing digital onboarding, a little bit more flexible infrastructure for some of these younger companies. They'll walk you through a digital onboarding experience much like I showed you today and reach that high level of assurance to give you eIDAS Substantial or NIST 800-63-3 IAL2, for example, compared to the legacy way of give me some type of national ID number, social security number, and ask some knowledge-based questions called KBA, right? Knowledge-based authentication, also called known by anybody, right? KBA's alternate meaning. Yeah, it will strengthen the account at the beginning and give them that credential for that as well. As I mentioned, whether it's onboarding a new hire or a new banking customer, this is the future, and it'll reduce a lot of fraud and insider threat risks.
Anne Bailey:
Great. Thank you for answering those questions, Mike. Thanks to our audience for asking so many very interesting, really relevant questions here. I would suggest that we switch over and take a look at the poll results before we wrap up for today. For our initial question on whether people have already used such an identity verification solution, we've got 68% who answered yes and 32% who answered no. We're seeing that these sorts of solutions are becoming more and more prominent, at least on the consumer side if we're using these personally, but we had some great examples of how this could be used in a workforce scenario as well.
Mike Engle:
Yeah, those are encouraging numbers, right? Seven out of 10 said they've done some type of remote identity verification, so maybe the time is now, right?
Anne Bailey:
Yeah. Yeah. Let's see. I can view the next slide. The next one, good. Yeah, so if you already have an approach to bringing in identity verification, some yes, 39% are answering yes, but 61% not yet. And so this is perhaps something to consider if there are already some pain points in the onboarding process for consumers, also for the workforce. This can be something to consider. Maybe you already have somebody to talk to about it for some more ideas.
Mike Engle:
Yeah, and it doesn't surprise me that we have a bunch of identity folks on this call, so many of them have tried it, but getting your organization to adopt it is of course a longer journey, but it's great. Again, four out of 10 are heading in the right direction. We're already there, I'm saying, and the other six out of 10 must be not far behind, hopefully.
Anne Bailey:
Great. Our final poll question, your view on fraud reduction, do you see this as an important part of an access management solution? Overwhelmingly, you answered yes. Mike, you did hint at that. We probably have a lot of identity folks here, so I'm glad this is on your radar, but there's obviously room in the conversation to talk about this if you have more questions, need to talk about your own experiences with deterring fraud.
Mike Engle:
Yeah, this is not surprising at all. It's like saying, do you like good things, right?
Anne Bailey:
Yeah.
Mike Engle:
Again, it's not just fraud, it is insider threat as well. They kind of detect and mitigate them in very similar ways.
Anne Bailey:
Absolutely, yes. That was a great way you described it: the fraud just takes on a different form, has different incentives, either after money or secrets. Great. With that, I'd like to offer a big thank you to all of you who were listening and asking questions. Also to Mike, who was answering questions. That was very enlightening along the way. A big thank you to all of you. If you're interested in more content like this, we do have a virtual event hosted by KuppingerCole happening on December 7th, which happens to be on access management. If this is a topic which is interesting to you, we have a good collection of speakers from the industry, speakers who have recently implemented access management projects, and analysts offering their perspective on this. Feel free to check that out. Or perhaps a little closer to today, November 8th through 10th, we do have a hybrid event, which means it's happening on site in Berlin.
If you're nearby or would like an excuse to go to Berlin, check that out, or it's also happening online. You can tune in from anywhere, focusing on cybersecurity, the human factors, the mix of cloud and OT security and automation here. Finally, if you prefer reading, we do have a good collection of reports here that could expand your knowledge on this topic. As I said, you'll receive this slide deck, or you'll have the opportunity to download it in the coming days, so you'll be able to take a look, should you be interested. We also host a variety of other services as well: research, events and webinars. You've met us here, and also in advisory. And with that, I thank you very much for your participation and I wish you a wonderful rest of your day.
Mike Engle:
Yeah, thank you everybody, and thanks for having me, Anne.
Anne Bailey:
Thank you.
Mike Engle
CSO
1Kosmos
Anne Bailey
Senior Analyst
KuppingerCole
Watch this webinar to:
- Find out how to engage with new hires after the recruitment process.
- Discover the business value of identity verification.
- Understand the importance of maintaining privacy and how to achieve it.
- Learn how to automate onboarding while maintaining necessary assurance levels.
- Find out how to get new starters up and running from day one.
- Get an overview of the 1Kosmos BlockID Platform.
Learn from identity experts at KuppingerCole Analysts and 1Kosmos as they discuss the need to modernize onboarding, eliminate identity fraud, reduce operating costs, and mitigate regulatory compliance risk. They also discuss how to address these challenges with self-enrollment using a combination of government issued IDs and credentials from telcos and banks.
Mike Engle, Chief Strategy Officer for 1Kosmos describes how to automate and remotely onboard users and contractors with the appropriate identity and authentication assurance levels. He also explains how to bind verified identities with user accounts to eliminate traditional credentials and meet first stage use cases.