Multi-factor Authentication
Join Robert MacDonald and Javed S. for a live IBA Friday session!
IBA Friday 4/22/2022 from 1Kosmos on Vimeo.
Video Transcript
Javed:
Okay. I think that's the cue. That is the cue.
Robert:
Step one. Recording.
Javed:
No, no, no. Step one is recording, and you're live.
Robert:
No, there's no live, again.
Javed:
I know.
Robert:
She's hilarious.
Javed:
I'm just saying.
Robert:
What's the plan for the weekend?
Javed:
Oh, just heal the back fully, relax, don't go golfing, don't make that mistake.
Robert:
Yep, yep, yep. Good call. We can't even go golfing here yet. It's snowed here on Monday.
Javed:
Again?
Robert:
Again. Yeah. Not happy about that. It's been a really, really, really cold spring, even by Canadian standards.
Javed:
Yeah.
Robert:
It's annoying.
Javed:
It's been a long tail for winter, I imagine.
Robert:
Yeah. Yeah. It's been really long. Well, this meeting's being live-streamed, it says.
Javed:
Okay, nice.
Robert:
So what do you think?
Javed:
Be live. Come on. You already know.
Robert:
I should turn my Slack on so Maureen can tell us whether or not we're live. I'll send her a note.
Javed:
I get it.
Robert:
This is the best part, right? This is why people dial in.
Javed:
Always full hours thinking we're not live. You're always live at this point.
Robert:
No, we're live. She said we're live. So we're live. All right, so we're live. Yay. Hi everybody. Welcome back to our IBA Friday. We've had a relatively long break since our last IBA Friday, and we apologize for that. But we've done a lot of things since that break. We've had spring breaks, we've had bad backs.
Javed:
Yes. Both of us share that, unfortunately.
Robert:
Both of us. Yeah. So Javed's back is not very good. I'm sitting in a recliner right now with ice on mine. So Javed, the only thing that means, I think, is that we're getting old.
Javed:
Yeah, that's true.
Robert:
That's true, right?
Javed:
Steer away from that topic please.
Robert:
Yeah, the gray is kind of the dead giveaway.
Javed:
I don't even wear the cap.
Robert:
Yeah. And then the cap, by the way, for those of you that are not aware, this is a Montreal Expos baseball hat, and they are now the Washington Capitals... Or sorry, Washington... What's the Washington baseball team? I don't remember. Capitals is hockey. That's where my mind is.
Javed:
IBA Fridays for you.
Robert:
IBA Friday.
Javed:
Robert forgets his local team.
Robert:
I had too many IPAs today. Yes, I agree. All right. So listen, we have had a lot of things go on. I've got something that I want to show everybody because I thought it was kind of fun. So let me share my screen. Share screen. And let's do this one. Share. Can you see my screen?
Javed:
Yes.
Robert:
All right. So IBA Friday. There's been a lot, I said earlier, there's been a lot that's been going on. And one of those things is, is Javed and I actually got to see each other in person. So there's a live version of our little cartoon characters. So that was my first trip in over two years because of COVID, and it was good. The whole team got together. We had an IPA during dinner, so we thought it'd be fun to take that picture. We're a good-looking group. Would you not agree?
Javed:
Totally agree. That was good. Good to catch up. Obviously, it was-
Robert:
It was good. It was good. It was good.
Javed:
Strange times. Rarely get to see the people you work with on a daily basis.
Robert:
Yeah, it's weird. I mean, we are a remote-based company, and it's good to finally see what people actually look like, not through a Zoom call. How tall is somebody? How short is somebody? I'm shorter than everybody I met.
Javed:
You're not sharing again. Just so you know, you're not sharing. You stopped sharing.
Robert:
Yeah, I know. I know. I know. I know.
Javed:
You did on purpose. Yeah.
Robert:
All right. So today, multifactor authentication, we want to talk about that a little bit because it's a hot topic. All of our customers are obviously coming to us looking for ways to solve that problem. And there are lots of ways to solve that problem. You and I come from backgrounds with many different organizations that have offered these technologies, and I think you would agree that there are good ways of doing multifactor authentication, and there are bad ways of doing multifactor authentication.
Javed:
Yeah. I mean, for me, it simply can't be just about the factor. I mean, it's okay to use the acronym MFA and have it stand for something. But that something could vary depending on who you ask. For somebody, it's just, "Just get me the damn push notification so I may get in." It's the narrative. You have to build towards that zero trust narrative, depending on the use case. Ultimately you're looking to just make the journey a little bit safer. So for us, it's less about the factor, more about the journey. That's all I'm going to say.
Robert:
Yep, absolutely. Yeah. And we've got... When we look at our platform, and obviously that's what we're going to do because that's what we have, we consolidate many different form factors into our platform because customers have either different needs, different risk profiles, or whatever, that they need to meet. So would you not agree that the journey that you just mentioned would be different for customers versus citizens versus employees? Right.
Javed:
Yeah, absolutely. Not only will it be different for sure, but even within workforce, for example, you will have so many new answers based on which type of a regulatory environment you find yourself journeying through the use case. So being able to put that together itself is... Normally folks don't think of the MFA product scope or envelope to include construction of that journey, building of that journey, and adjusting that journey based on the environment you find yourself in.
But that is very much a part of what we have to think about. As a team, you and I, we have to think about that. We can't just throw out a push notification, and someone receives it on their Apple Watch, and yeah, that's it, that works. That works in Singapore, that works in Europe. Not exactly. You got to be a bit more relevant about the regulatory surface you're hitting and offer at least something on the control plane, on the admin control plane, for example, to go to customize that, right?
Robert:
Right. Right. Yeah. I mean, I shouldn't say a lot of customers, but some customers we've spoken to over our many years of experience do multifactor authentication just to check the box.
Javed:
Just check the box.
Robert:
Just check the box. Regulatory guys said I got to have multifactor authentication, so I do. And in some cases... There's been many instances that if you go check the interwebs, where push notifications have been hijacked or whatever. So just the fact that you have it put into place doesn't necessarily mean that you're any more secure than you were before having it in place.
Javed:
Yeah. The user experience and the implications of the journey are an afterthought if the approach by the company was simply to, "Hey, let's just check this box. This is what everyone's doing, so should we." Right?
Robert:
Right. That's right. So actually, I'm going to do the demo today. So let's just talk about that for a second. I know. I know. But looking at our app, because I can't show everything because I don't have FIDO tokens and all that kind of stuff, we have a couple slides I just want to throw together just to talk about the different ways in which we can authenticate a user.
And we've gone through some of this stuff with our IBA Fridays in the past, like the fact that we can do offline authentication, airplane mode type of a scenario as well. But when you get into biometrics, we've shown Live ID and the real biometric that we deliver with that. There's Touch ID and Face ID that we can leverage to get into the app or into applications if that's the way the customer wants to go in terms of how they deliver their multifactor authentication.
And then we've got push to mobile, so a tap authentication. We've got the real biometrics, the Live ID that I talked about earlier. We've got legacy support for 2FA and YubiKeys. We can do the QR scan, which can then take you to either a Touch, or Face ID, or our Live ID. And then we also have the one-time password. So depending upon where the customer wants to go within our app, we've got lots of different options.
And some of those options are better than others, more secure than others. Obviously the Live ID is the best, most secure way to go, because your face essentially becomes that authentication method. But depending upon where the customer is within their journey, we've at least given them some flexibility to use what they have while they make the transition to something more secure, right?
Javed:
Yeah. And I think of this as like an assembly line of fail-safe things you deploy. If your biometrics is not working, whatever, you have that backup username plus OTP for your offline access, for example, right?
Robert:
That's right. All right. So what I wanted to do, and as the marketing guy, this can be tricky, is just to illustrate the different ways in which we can easily do or provide some authentication methods. So the first one is... And I'm going to unlock my phone here. Let's see if this works. Look at that. Very good. And I'll go to our app. So we have a couple of different ways that we can authenticate. So what I'm doing here is, if you look in the URL, I'm basically logging in through an incognito window, into our email. So the first way we can go about doing that is just by scanning the QR code. And again, on the app, you press the QR, scan it, away you go. It's then going to ask me, "Do you want to connect?" You say yes, and you're in, right? So that's one way you can go for email.
Javed:
Hide your email. Hide your email.
Robert:
Hide my email? Yeah. There's nothing... All it is is you telling me how bad of a PMM I am. So if we do it again... Oh sorry. Hang on one sec. I got to remember what it is. Mail.com. Go back and do it again. I'll close this one. Oh, I'm already logged in. See what happens when you get a marketing guy to do it? Let's try it again.
Javed:
Too many windows, Robert.
Robert:
I know, right? That's the beauty of working in a browser all the time. Is that going to load? Okay, very good. So the other way that we can go about doing this is by entering a username. Now, I'm going to enter my username here, which is first name and last name, right? And let's say the customer doesn't want to use an app, because what I just showed was an app. So we can do a password with a one-time password code. We can do a push notification. But there's another one down bottom here, which is the security key. Now I've got a MacBook Air, and I think you have one as well. And our MacBook Airs have the little fingerprint reader on it. Now, if you also had a Windows device which had those types of fingerprint readers on them, we could also leverage that as the authenticator, right?
Javed:
Yeah. We integrate with... Yeah. You're able to use Windows Hello, for example, right?
Robert:
Yeah, that's right. So by selecting that, I can either enter in the password, if I had that or knew what that was. I mean, our big thing is that you're never going to know what that is. But all I have to do is put my fingerprint reader on my laptop here, and I'm in. So it works the exact same way, but you get a very different experience, right?
Javed:
Yeah. So you must have registered the platform authenticator, which happens to be obviously equivalent of the Touch ID, the fingerprint reader, of FIDO security key, so to speak. This kind of terminology is fixed in the industry. The security key would've been the Yubikey, the Touch ID is actually a platform authenticator, that kind of thing. So as long as you registered one, you're able to get in using either.
Robert:
And that's with WebAuthn that we do that, right?
Javed:
Yeah, that's right.
Robert:
Yeah. Cool. All right. So the other one I wanted to quickly show, just from an experience standpoint, was the way in which we authenticate our users into our DevX platform, which I think is kind of unique. And again, looking at user journeys and as customers capture customers, they want to lower friction, lower barriers of entry, but still make sure that the user coming in is who maybe you thought they were, right?
Javed:
Yeah. It depends on what you are looking to do. If you're a developer looking to explore the 1Kosmos platform API, what it looks like, how you can accomplish all your use cases, you don't want to be encumbered with too much upfront. You just want to just get in, evaluate, and have fun. So simple, magic link based user registration and magic link based authentication. Again, for the demographic, for the persona, what works better is what we offer, right?
Robert:
That's right. So we're just going to show how that works. So from a developer's standpoint, you can try for free. So when you click on that, it's going to ask for your email address. So I'll do my email address, so now everybody can email me.
Javed:
This is assuming you've never registered before.
Robert:
I have. I have. I have. So I'll see... It might already tell me that I already have an account. Oh look, the email already exists. I already did. So what would happen if you're new, you would do that. But because I've already done it, I'll click sign in.
Javed:
Yeah, if you hadn't done it, you could just have clicked on sign up, which is no different than signing in. Just need your email. Don't need anything more about you.
Robert:
So what we'll do is we'll do the... Make sure I spell my name right. Right? So I'm going to log in with email. So it's going to ask me to check my email because a magic link was just sent to me. So I'm going to go back, I've already logged into my email. Hopefully I'll get the email. There it is. So log in.
Javed:
Log in to developer.
Robert:
So again, the link will expire in 20 minutes. So why are we doing that, Javed?
Javed:
Well, this is kind of a friendlier use case, because the developer use case, so we could have this expire much, much later. But just don't want folks obviously hanging onto links for too long. It's not a great security practice to have magic links that never expire. Again, depends on the use case and depends on the user persona you're targeting. This one is a bit more relaxed, so low friction, higher experience, speed to dashboards sort of thing. But from an admin control plane, for example, if someone is a help desk, you definitely want to make sure that you're not letting that linger around too long.
Robert:
Yeah, for sure.
Javed:
It's configurable. That's the point. And the platform is configurable.
Robert:
Yeah. Yeah, yeah. That's the best part. So what happened here is, like you were saying, I entered in my email, it sent me a magic link, and now I'm logged into the backend of the developer platform where I can go in and find out where my tenant is and get-
Javed:
Oh yeah, your license key. You have everything here you need to initialize the API. Initialize the SDK, rather, I should say, which offers you an ability to just do the prep work for calling the other APIs in one go, right?
Robert:
Right. Right. Yeah. So I mean, the idea there is that obviously we need to set that up for the developer when they come in. We need to start that session. The way we do that, again, it's just part of that user journey that we're able to do that with the magic link. So it'd be no different than if you had a different kind of customer engagement, you wanted low friction, just to make sure it is Rob, and you're verifying that based on the fact that if you sent an email to them, you're assuming that they have access to that email, and away you go. Low risk. Not a whole lot can go wrong.
Javed:
Yeah, absolutely.
Robert:
It still provides a good experience and a secure environment.
Javed:
Yeah. And because it's a platform offering for different user personas to come bring their own use cases, develop their own journeys, simply having a magic link verified for login is just baseline. It's just par for the course. Both golfers, you and I, right? Par for the course. But you're able to have augmentation of that baseline journey by adding in something like a face likeness, if you were in a workforce setting.
So you can just stack these things up. People talk about having a single factor or a multifactor. It's no different from really constructing your journey using the kind of friction you want to put in place. So again, back to the original point of think about the journey and think about the security narrative versus just a factor here or there.
Robert:
Yeah. I mean, listen. There are some organizations out there that say that they have multifactor, but really it's just a second factor. It's a username and password and something else.
Javed:
Second factor, exactly.
Robert:
They're not able to stack some of these things along based on risk profiles and stuff like that. So they're limited in terms of the journey that you could even provide from a security standpoint, where obviously, with something like our technology, you're not limited in that case.
Javed:
Yeah, it's always about the what else. What if my biometric is not working? Then what is my offline causeway? What's my spill stream there? How do I still get access while maintaining at least a certain level above threshold of security posture? And making sure that all of that is auditable as well. I think that's the difference between a spot play from a startup's perspective and a platform approach. The platform will think about those alternatives.
It will build those spillover channels, it will build that offline access for you, and let someone configure that based on who you are, where you are, what's your entitlement. So there's so much more to MFA than just the factor. The interoperability is there, the construction of the use case, the adjustment of it, and offering a control plane where you manage all of that stuff for all of your users. So again, product guy, right? So it's not just like press button, you're done. It's not that. It's more.
Robert:
Yeah, absolutely. All right. Listen, that was good. That was a good chat. I'm sure we're going to talk more about MFA over the next coming IBAs for sure. But thanks for talking to us about multifactor authentication. And if anybody has any questions, you saw my email address, be more than happy to answer any questions you might have. But until next time, cheers, and we'll talk to you again.
Javed:
Take care guys. See you. Bye.