Video Transcript
Christine Owen:
Hello and welcome to another episode of Identiholics. Today, I have the Venable Jeremy Grant from the law firm Venable. He is a managing director and he does all things cyber security there. Thank you for joining us, Jeremy.

Jeremy Grant:
Thanks for having me. Excited to finally get to come on this podcast.

Christine Owen:
I know. I've had Jamie, who's one of your co-workers. I always like to start by asking what is it that you do as a managing director? I actually have always wondered that myself. All I know is you go and you speak a lot and then you ask me questions on panels. How did you end up at Venable as a managing director? Because you actually have, for those who don't know, a pretty long career in cybersecurity.

Jeremy Grant:
Yeah, I've got a weird resume. We'll get into that in a minute. So Venable is a law firm. I'm not a lawyer. I'm one of two managing directors in our cybersecurity services group, of which nobody's a lawyer other than... Actually we have two people with law degrees, one who doesn't practice. But the best way to think about Venable is we have got the largest and, I would argue as with many others, the best data security and privacy legal practice in the country.
And about 10 years ago, the chairman of that practice, who now is chairman of our firm, had I guess you'd call it a revelation that there's a lot of things that they get asked to do as attorneys because of their trusted relationships and companies with clients that sometimes go beyond what lawyers are trained in. And so had the vision of building, think of it as a boutique consulting practice that would sit alongside the lawyers that would complement their legal expertise with expertise in things like actual hands-on security, technology, policy, strategy. I do a lot of work in the strategy space, working with company clients, both on how to grow a product, how to take something to market, some work in the M&A space as well, helping investors understand different portions of the space. So we're about two dozen people, essentially this awesome little boutique consulting shop tucked inside the law firm. And my primary focus on, not exclusively with the work I do, is in digital identity. So that's Venable in a nutshell. Should I talk about how I got here?

Christine Owen:
Yeah. I actually think that your career path is an obvious career path, but you didn't start it in the beginning to be obvious to get to where you are. But it does make sense.

Jeremy Grant:
It makes sense in retrospect. I had no plan whatsoever. So I moved to DC after college in 1996, convinced I wanted to work in Congress doing science and tech policy. And through the black hole of all resumes in DC, the Senate Placement office, ended up getting an awesome job doing just that with Chuck Robb, who was a Virginia Senator. And the thing that got me hired, there were a couple of things. I made a good joke in my cover letter, which helped me stand out among 400 applicants.

Christine Owen:
What was the joke? Now I really need to know. Do you remember it?

Jeremy Grant:
I do. The joke was, I think I was, I'm 21, I'm writing a letter trying to stand out and here's what I've done and here's what I've said. And I think at the end it was something of, "I'm hardworking, I'm passionate about policy. I want to do this, I want to do that. This is great about me. That's great. Some would say I'm an excellent dancer, but that is questionable." And what his legislative director told me when he interviewed me was, "I really appreciated that because I'm sitting here with this giant stack of resumes and everybody says the same thing and nobody's funny, and we need people who lighten things up a little in the office and laugh." So the joke got me at least a... This was a crazy process, getting into the Hill is competitive.

They had posted this position again, the Senate Placement office where resumes tend to go to die. I was told there were 430 applicants. Of those, they selected 21 to take a writing test because the job was legislative correspondent responding to constituent mail and calls for the senator on certain issues. And it's like an entry-level policy position. But 21 people who got a writing test, seven of them scored excellent, I was one. I went through the interview process and I was actually, I learned after they hired me a couple of years after, I was not their first choice. I was the number two choice. They first offered the job to a guy named Adrian Fenty who was just out of law school and later went on, so he was the mayor of D.C. for years. But he turned them down, and then they came to the Jewish kid from Detroit, which was a little bit of an odd pick for a Virginia Senator's office. My accent gave me away, particularly with calls from some southern parts of the state.

But the thing that actually got me hired beyond the joke and not being Adrian Fenty was Chuck Robb was very passionate about smart cards before anybody else in Congress knew what they were. He was essentially annoyed that when he had joined the Marine Corps in 1961, he was given this big stack of paper ID cards that were all single purpose and typed out. Wanted to get a meal on base, wanted to leave the base, wanted to drive a car on the base, wanted to check out a weapon. You get the sense. And then if you'd get promoted or transferred, you'd spend a week in line getting new paper cards. And he was very tech savvy. A lot of what you see in Northern Virginia today around the Dulles Toll Road goes back to some of the vision back when he was governor, throwing the Center for Innovative Technology up by Dulles Airport and trying to encourage economic development along the toll road.

And following smart card technology emerging from Europe. When he saw the technology in the early 90s, a few years before I joined, he said, "That's it. We can put all of these cards onto one and just electronically update them when something changes." And we could encrypt this and use this as a tool to reinvent paper business processes so you could just tap in at different places that you would go. So very forward leaning. A little unusual for a senator. He had, I think, been described to me as driving the staff a little crazy for a couple of years, trying to get DOD to do something with this. And so when I was in the interview, I was not interviewing for a tech position, it was dealing with health and education and labor issues. And I told the legislative director, "Sure, I can do this stuff. And my real passion is tech policy." He looks at me very funny because there's 400 applicants for this job who would be happy to do these issues that I wasn't that interested in?

And he goes, "By any chance what a smart card is." And I reached into my wallet and I pulled up my University of Michigan ID. Michigan was the very first campus to go to a smart card ID in 1995. They had hired Schlumberger, which then became eventually Gemalto, which I guess is now part of Thales, to do what was the single stupidest smart card application I've still ever seen. And there's a lot of dumb smart card applications if you've worked in this space for a long time. It replaced what had been an online debit card system based on magstripe tied to your student ID, which was great, one because if you were privileged enough, your parents could put a couple hundred bucks in spending money on it, which mine were kind enough to do. You could pay all over campus at different places with it. You'd just swipe it like a credit card.

And if you lost it, which people would do every two weeks, it was centralized. You'd go to the student office, get a new ID, you wouldn't lose your money. This was an offline stored value debit card system. The only way you could put money on it was to go to one location on campus and put a $50 bill into the machine. You couldn't take 20s or 10s. It had to be 50 bucks at a time. It would go on the chip card. If you lost it, you were out of luck. And the processing time. So I was a barista in the coffee shop in the student union, and when somebody would come in and want to pay with this thing, it would take two and a half minutes for the thing to power up. And anyways, it was the worst thing.

So of course, I'm getting asked in the interview about smart cards, and I'm thinking to myself, "This is a really dumb technology." But the fact that I understood what it was got me hired. Four years later when I left the Hill, we had DOD had few smart cards and PKI together with some of the legislation that we put in place to strongly suggest if not require them to do it. And I've been stuck in this weird space ever since.

Christine Owen:
Yeah. And ironically, you're stuck in the government space for life too, because you started out in government. And PKI, you're never going to leave PKI either, because once they find out you know a little bit about PKI, you're done for, you have to always know PKI.

Jeremy Grant:
Well, next year could be the year of PKI. Let's not forget that. Or the year of the smart card. Maybe not.

Christine Owen:
This year is going to be the year of PKI is what you're saying? This year?

Jeremy Grant:
I don't think so, but we're figuring out how to use it in certain ways. We'll probably talk about things like MDLs and VCs and where that's helpful. But yeah, just to blow through other stuff. So my Hill origin story was an interesting one, and also just shows how totally random things are in a town like DC when you're getting your career started.

But after the Hill, I was bored with government and politics. I jumped to the industry side, spent about six years at a systems integrator that was doing a lot of the government's early smart card development and integration work. We did the first biometric fingerprint match on card, early federated identity efforts. This was all sort of pre-HSPD-12. And then that hit in the middle. So I got to learn tech. I learned how to build stuff, how to run a team and chase contracts. I then had a really weird offer to go to a Wall Street brokerage and be an investment analyst that was covering stocks in the identity in cyberspace. I knew nothing about finance. And their take was, yeah, it turns out that doesn't matter. All the other analysts who are out there who do know about finance just keep repeating what the CEOs say, which tends to be largely bullshit.

And so investors are wondering why they keep hearing about these giant contracts that are coming and they don't. There was a huge information arbitrage opportunity. So I spent three years as a sell-side analyst and learned finance, including taking level one of the CFA exam and somehow miraculously passing it. Tried to get out of identity for a couple years leading corporate development at a private equity-owned consulting firm that did acquisition and program support. Totally boring compared to identity, but they were really good at executing as opposed to everybody in identity where it's exciting, but nobody can execute. We can talk about that later. Not nobody, but-

Christine Owen:
I think some people can execute.

Jeremy Grant:
And anyways, I was very much enjoying my post-identity life, and then I started drinking with the wrong people in the Obama administration around this time in 2010 as they were getting ready to launch a little initiative called NSTIC, the National Strategy for Trusted Identities in Cyberspace. And what was a conversation around trying to pick my brain to get advice on how they should approach it led to, "Oh, actually you need to quit your industry job and come in and run this thing." And it was a chance to launch a startup in government, which you really don't get to do much. It was the Obama administration's first new cybersecurity program.

So took the plunge after some lengthy conversations with Mrs. Grant who had a two-year-old at home and another one in the oven asking, "Why are you going to take this big pay cut and travel more and what's in it for me?" But that was great. I was stationed day-to-day at NIST, helped build out the digital identity research and standards team there. We did a ton of pilots in the space because we were trying to catalyze the identity ecosystem. And since 2015, I've been consulting. So long-winded history, but yeah, weird resume that maybe makes sense in retrospect, but I had no idea what the plan was at the time.

Christine Owen:
Now, I know you brought it for show and tell, one of my favorite pictures of you that I use whenever I have to talk about smart cards, because it's just my favorite, is you holding up a smart card like, "This is the future," kind of way in your, I don't know, it was probably early 2000s haircut or something.

Jeremy Grant:
Think it was. So I was at Maximus 01 to 06 and we were trying to do this thing. I'll hold it up and see if I can recreate the pose.

Christine Owen:
You have to make the little-

Jeremy Grant:
I'm an ex-badge. I don't think my camera's focusing on it well, but my hair was lush at the time. I'm turning 50 this year, I'm thinning a little bit. I had a great Jew-fro in my 20s and 30s. It was really rocking well in that picture. But yeah, we were trying to do, Selva says a single badge for logical and physical access, actually not for the government, but to corporate customers. And this was the idea, and I think it was Washington Tech Magazine wanted to do a story on the smart card of the future, and that was now you taunt me with that from time to time at conferences by throwing that picture up.

Christine Owen:
Honestly, I really do use it all the time because it's the only picture that has a smart card in it that I can ever find that's not like a cartoon smart card, but it's also just my favorite. So I always use it. And people who know you are like, "Did you get permission?" I said, "Yeah, I have forever permission. I asked a long time ago."

Jeremy Grant:
Well, they actually asked, but I think I saw it and I wasn't insulted, so that counted.

Christine Owen:
Oh, I definitely asked. I emailed you and I said, "I want to use this," so all right. But I really love that. The interesting thing is though, now we have smart cards. Smart cards are in the government. They're good. They're good for the purpose that they're used for. And then we also, with the FIDO Alliance, which you work closely with. We are a member of the FIDO Alliance and I'm pretty heavily involved in it as well. And so we're starting to see a very small, teeny tiny pickup in the use of FIDO credentials, so in the use of passkeys in federal systems. But what we're actually seeing is internationally, we're seeing other governments really wholeheartedly adopt and embrace FIDO credentials for anything and everything because they recognize how good it is as a phishing resistant authenticator. So what do you think is one of the biggest barriers to getting a stronger FIDO adoption within the federal government, either for citizen B2G or even for not password passkey usage?

Jeremy Grant:
Yeah, I'd say I'd split the dilemma between enterprise use cases and then citizen facing use cases. So we're actually making good progress on the latter. I think it was Login.gov and Yahoo Japan were the very first two large relying parties to implement FIDO2 when the standards went through their evolution a few years ago. And you can use passkeys or a security key like a YubiKey at login today. And also with where we have alternatives to login with companies like 1Kosmos and ID.me and others. There's also support for FIDO there, although it tends to be an option, not a requirement. I think we're not quite at the point where we're truly replacing passwords and other legacy MFA quite yet. Still got some kinks to work out, but we're getting there. The enterprise side's been a little harder, I think in part...

So I talked before about my history on the Hill that we drove a legislative mandate for smart cards and PKI. It was a great accomplishment at the time in the 90s, but I've also said I'm atoning for that sin ever since. In that sometimes you don't want to mandate a certain technology because things evolve. And I think we're at an interesting point where, look, the vision of the common access card at the time, it was a world where you were coming to work every day and sitting down at a static desktop that was not going to move, had a big clunky screen, might have even been a green screen as opposed to full color. And the idea was, okay, I'm going to walk in, I'm going to check in with this badge and I'm going to put it into my computer and login securely, which was a great vision. And then it failed to anticipate laptops and tablets and smartphones and all of those things. And bluntly, the smart card form factor just was never really made for that world.

And we have been struggling since then, whether it's with things like derived credentials that are tied to PIV and CAC or alternative authenticators, like FIDO, how do we get away from what is now a 25-year-old platform in CAC and PIV? Really, this was architected in 99, 2000 in terms of what we were doing. In its defense, it still works well for the things where it works. It's an amazing thing where these cards, you've got a few different vendors and they're all standardized and they're basically commodities so the government can get people to compete with them on price.

But we've been in this long cycle where in many places the idea was PIV or CAC or bust. Oh, we'll log in with these exclusively, but we never have been able to because getting back to that point of we built this for a vision of people coming to static desktops, we thought the private sector was going to embrace this technology, and bluntly they didn't. And FIDO is really where they've gone. FIDO is where the big platforms are, it's where the big cloud providers are, it's where big online services are. For those who don't know FIDO, it's a lightweight form of PKI. Some would say it's PK without all the bullshit of the I. That makes it a lot easier to use, but still gives you all the security benefits of logging in with asymmetric public key cryptography.

And so I think where we're struggling a little in government is, you've invested so much in this platform of smart cards and PKI, getting people to evolve to something new. They're a little nervous even though they've been told specifically in White House policy that they should be doing this. Also, you know, it raises questions around, okay, if I've got a smart card, this is my primary authenticator. Well, how do I manage multiple authenticators? If I've got this in a YubiKey and maybe an embedded platform authenticator, how are all of those things managed? And I think we're unfortunately struggling right now to get agencies to truly embrace and adopt modern approaches to authentication because they're still stuck with this platform that we've had for a very long time.

Christine Owen:
So I actually think pulling the thread on the management piece, you are seeing all of the agencies right now do a massive refresh on their CMSs. So their credential management services, a lot of these credential management services were created like 15, 20 plus years ago specifically for smart cards. It was created to create the CACs or the PIVs. Now because they're refreshing them, they're now thinking about things like, okay, I don't want to default into passwords if someone doesn't have their PIV or if they can't get it because they're in an area where we can't issue a PIV. So what do we do then? And I think that's where we're going to start seeing more of an uptick. So right now we've got State, DHS, I think, just went live with their CMS. If not, it's going live very quick, very soon this year. And then US Access is going to have a massive refresh. They're about to go to RFP for it.

So I think that that is where we're going to see it in the workforce as adoption. I do understand a lot of the feelings around the CAC or the PIV have certain attributes that you can't get with passkeys and therefore that's why we still need them. I actually think all of that makes a lot of sense. But I agree with you, it doesn't make sense to at least go fall back into passkeys instead of falling back into passwords.

Jeremy Grant:
Yeah, I think a challenge we've seen is, okay, we say PIV or bust and then people are just using passwords, or passwords plus an SMS in some applications and agencies, which is really, really bad given what we know about the security threats these days.

Christine Owen:
Very bad.

Jeremy Grant:
But to your point about the US Access program, so US Access for those who don't know, it's a shared service the General Services Administration runs so that all the civilian agencies can leverage the same contract vehicle to get people enrolled for PIV cards and get PIVs into their hands. And actually, it brings up, I think, my detour into acquisition consulting for a couple of years before I came back into identity to run NSTIC. Acquisition is where policies often run into reality in government. So we'll have a policy that says you should do this, and then agencies have to figure out how do we buy it?

And I actually think there's an opportunity here right now where as great as OMB Memo 22-09 was from a couple of years ago, the Zero Trust strategy, which said, you must use phishing resistant authentication, and if it's not the PIV, you should use FIDO. It has never been backed up with an acquisition strategy to actually help agencies acquire those phishing resistant authenticators like YubiKeys or passkeys or other things that are out there. And so my observation has been, and I know you look at a lot of agencies as well, things are actually moving a little slow on that front and where agencies are buying something, they got to go off and negotiate it on their own and choose things on their own. And maybe they're only buying a couple thousand users at a time and they're not getting bulk pricing. Think about if you could do a government-wide buy of phishing resistant authenticators and have a mix of different things.

So could we staple alternative authenticators, say, onto US Access alongside the PIV card, at least as an option. This would make things really easy for agencies because they could acquire things up front when you're provisioning everything for a new employee, you'd be getting volume pricing and it all would be sort of picked out and certified by the government. So I think there's an opportunity there if you really want to sort of focus on making sure that Zero Trust memo's actually implemented properly and quickly and cheaply. To leverage something like US Access, you could also do this through DHS's CDM vehicle, which buys massive quantities, again, of critical software and cybersecurity for different agencies and gets the benefit of volume pricing. So I'd love to see something go forward on that side. I think it could really help jumpstart progress.

Christine Owen:
Yeah, well, the draft RFPs that had come out of that office a couple times did emphasize using alternate form factors. It didn't explicitly state passkeys, but when that's the only game in town that you can actually use, that's what it is. So basically it emphasized the fact that it would have to be able to manage more than just a PIV, which I think is really good because they service 124 agencies, so they have the large chunk of the government that isn't doing it themselves, which of course is DOD, DHS and, what is the other one? It's Department of State. So I think that's pretty awesome.

The one thing though that we hear a lot, I hear from in FIDO, in my work with FIDO, the excuse I hear a lot is, well, we don't have policies to back this up or we don't have a strategy to back this up. Now you and I definitely do not agree that that is the case because we've read these memos and we understand what was going on behind the scenes. And also with this guidance, we also know what they're doing. But when it comes to an overarching strategy, I do think that they're right in that the government's really lacking a digital strategy to be able to say, listen, we understand, we told you back in the earlier 2000s that you have to use PIV with HSPD-12, and now we're also asking you to figure out how to not go default to passwords. So how do you think that that should be outlined for the government?

Jeremy Grant:
I feel like it's been pretty clear. And sometimes when I hear agencies say that they're not sure if they're allowed to do something or they haven't been told what to do, you have a White House memo that in very plain language said, you will do this and you can use something different and it's fine. And when it came to synced passkeys, NIST came out with a supplement a few months ago and was very blunt. Sometimes when I hear that people say they're not sure what they're supposed to do or if they're allowed to do it, I have questions. Now that said, create a policy which says what you can and can't do or shall or shall not do. We've got that very clear. Funding, and then the acquisition strategy for how to actually get it out there now, how to manage and support it, those are all other things that you really need to do in an agency.

I will say there's always a gap between, so 2022, the White House put out the Zero Trust strategy because the way agency budget cycles run, it wasn't until its most recent budget for FY24 that agencies actually started to align their budget request to support that strategy. They did that in 22 and 23, and then in 24 you're now starting to see some of that zero trust money flow to agencies, which is good, not enough bluntly. And again, to my point, if every agency has to figure out their own acquisition strategy, well that's really time-consuming and resource intensive for them. And it also means the pool of vendors that are supporting this are responding to 20 RFPs that are all small instead of a couple that are large. So I have always been a big fan of shared services and bulk purchasing because rather than require somebody who's in a CIO shop to try and figure out yet another acquisition for the year, you can just shift stuff to a shared service and it makes things a lot easier. And it's cheaper. So work to do there.

Christine Owen:
So the other hat that you have besides FIDO is also the Better Identity Coalition where you really, I would say you align with financial institutions. So you're working to help financial institutions and others who are in the coalition, and you're working with the government and you're trying to get the government to understand requirements in what I would argue is the most protected industry right now. As in they have done, it used to be the federal government was advanced in cybersecurity. The federal government is advanced based on other industries, but I think that the financial institutions have really figured out how to do it well. So let's talk about that. What are your biggest initiatives?

Jeremy Grant:
Yeah, well, it's the Better Identity Coalition. So we're heavy in financial services, both banks as well as fintechs. But the real way to frame it is, we are the voice of what the buyers need in this space. It was launched after the Equifax breach in 2017 when there were a lot of policy questions around the impact of that breach on identity, both tied to all the SSNs that were compromised, but also Equifax and their competitors are basically how you would remotely identity proof somebody leveraging knowledge-based verification if you were applying for credit somewhere. And so when there were some ideas that were out there, for example, a Congressman proposed a bill, "Hey, let's ban the credit bureaus from using the SSN for any identity purposes." And I'm like, you think that sounds good in the wake of the headlines, but that would crater the economy in 36 hours because the SSN is really essential to the economy in that if I apply for credit somewhere and I say, "Yo, I'm Jeremy Grant, can I borrow 50 grand or get a credit card?"

The first question the banks have is going to their vendors, "There's about 300 Jeremy Grants. Which one is this?" "Oh, the one with that SSN?" Great, now we can figure out which one you are and start to go through the next round of identity proofing and evaluating whether you're credit worthy here. Get rid of the SSN, it is the only ubiquitous identifier we have, and society literally can't function without it. So I think between that and just questions around what people were already seeing as cracks in the KBV ecosystem. A lot of questions from banks, fintechs. On the health side, CVS Health was one of our founders and is still a very active member. Tech and Telecom as well. We have some vendors at the table too. They tend to, I often point out, be second class citizens because we're not advocating for what they want primarily. But if things align with the buyers, that's fine.

But we really are trying to focus on the policy layer around saying, here's what government actually needs to do to make identity work better. If there is a consistent message that's in, we published our original policy blueprint, "Better Identity in America: A Blueprint for Policymakers," about six years ago. It is industry collectively saying, government, we need you to help. We are reliant on an ecosystem of vendors who are trying to guess what at the end of the day only the government knows. And some of those vendors do it quite well, a lot of them don't. But government at the end of the day, is the only nationally recognized authoritative issuer of identity. Of course, we don't have a national ID card in the US. That role that they have is spread between federal, state and local officials.

So look, I was born in Oakland County, Michigan. That's where my birth certificate's from. I live in DC, the DMV gives me a driver's license. At the federal level, I get an SSN as an identifier, I have a passport, I have a Global Entry card. All of those are pieces of paper or plastic. I can go into a bank in person or a government agency or a hospital and use it to prove who I am. And then when we go online, there's no digital counterparts there. There's a gap between the physical and the digital form factors. And we are at a point now where we're seeing adversaries exploit that gap to the tune of hundreds of billions of dollars a year in cyber crime and fraud. Hundreds of millions of Americans have been victimized. The government's got to step in and help.
And so we've been very vocal in advocating for the government to take a more proactive role in closing that gap, coming up with digital counterparts to credentials like mobile driver's licenses, just setting up attribute validation services that agencies with the consumer's consent can ping and see, "Hey, does this name and SSN and date of birth match what's in the SSA records?" Because everybody else is just trying to guess what only the SSA knows. It has been slow-going, but I think we've actually made progress in a bunch of areas. And I don't know, let's see what the rest of the year portends. We might yet see some more progress coming forward.

Christine Owen:
So you brought up SSNs and there was a really big spillage of SSNs recently. I think everyone's SSN was spilled at this point. Do you think that that's going to have any effect on digital identities moving forward?

Jeremy Grant:
So we were actually talking about this in our coalition call last week. One of the things that I think we're pleased about is that compared to when the Equifax breach happened seven years ago, the reaction this time has been more muted. And I honestly think it's been muted in part because some of the advocacy work that we've done in government and on the Hill and with the press on this issue of the danger of SSNs being compromised. A point we made in the original blueprint and in some congressional hearings back in 2017 was, identifiers don't need to be secret.

Our problem from a security perspective is that we keep building identity systems that pretend that the SSN has security value, that pretend that it's a secret because we were giving guidance to people for years, never share your SSN and don't carry your card in your wallet because if it's stolen, wow, now you're hosed. Except you have to give this number out like eight times a year because you're alive. And the whole economy functions on having an identifier that can figure out which Jeremy Grant or which Christine Owen is which, and there's a lot of people with our names.

So the point we made is, in other countries the identifier is published publicly or I have other identifiers that are public. My email, my Twitter handle, my phone number, the fact that they're not secret isn't an issue. Where we've gone wrong with SSNs is using them as authenticators, pretending that they're secrets. And so if you call your bank and the bank says, oh, Christine, what's the last four of your social? And you tell them, they go, "Wow, you know the last four of Christine's own social, you must be Christine." Well, that hasn't been true for a long time. We've had so many data breaches that the SSN is not a secret, and the real thing we need to do is not replace it or restrict it, but just realize that the world has shifted and we need to build security systems that don't pretend that knowledge of an SSN means anything.

So in that regard, there was an article in the Washington Post earlier this week where there was some security and identity theft efforts. It basically said, "Yeah, it's not good, but you should probably assume your SSN was already out there, so who cares?" I think a problem we have, not just in identity but broader cybersecurity, is we spend a lot of time in some communities fighting the last war and aren't able to look forward to where threats actually are and where they're going. And so I think a lot of the advice that we see after breaches is garbage, because not to be too negative, you have well-meaning reporters and advocates who think they're helping people. But when people tell you that the thing to do after a breach is go change all your passwords and make sure they're long and strong and unique, come on.

Christine Owen:
You're never going to get back into your system.

Jeremy Grant:
No. And nobody's brute forcing passwords these days. They're phishing you. So you can have a thirty-character password and you will be tricked into phishing, typing it in perfectly to be phished, and then they will trick you into handing over the one-time passcode that's good for 30 seconds. That is that second factor on top. That's where threats are going today. That's where they are. These attacks have become very cheap and scalable. So we should be telling people, use passkeys, not change your passwords or lock down your SSN. These things are just like, they might've been good advice 10 or 15 years ago. Let's stop giving people that advice and move on.

There's three things I tell people with what you can do to protect your identity. One, I do say use a password manager because that at least can give you long strong passwords. Second, turn on MFA on everything, preferably if you can pair a YubiKey with it, do that. Third, call the credit bureaus and put a credit freeze in place. That way if somebody has your information, they cannot open credit unless you unlock things. And the credit freeze, I think more than anything else is what's going to stop your identity from actually being stolen. Well, it might be stolen, but being used for nefarious purposes. And those three things which are easy, I think do a lot more than a lot of this other crap advice we give people.

Christine Owen:
Yeah, I agree. I also think, quite frankly, using passkeys is a really important thing to educate the general population on. And I am so nerdy that if I'm waiting in line, someone goes, "Oh, what do you do?" And then I basically explain what I do and say, "I help with the adoption of passkeys," and I explain what a passkey is. Most people actually know what it is. Maybe they know what it is as Apple keychain or whatever, but almost everyone knows that you can use your face or your fingerprint to log into your application on your phone and you can get in and you don't have to remember a password. And by golly, they all love it. They all want that more and more and more.

So what I think is really important for those relying parties out there to understand is, there's actually a strong desire, especially of the younger generations, but even the older generations, they open up their phone with the face so they understand that they can do that anywhere else, and they're excited to do that because I know I can't remember my passwords. I'm constantly just resetting them. And I know that that's not the greatest. I have a password manager too, but it's not good. It doesn't work out right now as well as it should.

Jeremy Grant:
And I think it's interesting. I felt like somebody on LinkedIn a couple months ago was like, "Passkeys are a failure. It was announced two years ago, and where are we today?" And I'm like, "Do you know what the adoption curve is for new technology? Do you know what percentage of the public still thinks if you go passwordless you're less secure, because we drilled into their head for years that they need these long complicated passwords?" Now, I will say on the implementation side, I still think we have some work to do on the user experience side. In fact, one of the great things that FIDO Alliance is doing right now is investing a ton of resources in UX research to try and figure out how to make it easier.

And look, we went through this last night in my house. So my wife is a newly minted DC public school teacher teaching second grade. She's setting up her Amazon wishlist of stuff she wants for the classroom that the PTA parents might go in and get. Because I have everything locked down, but we have a common Amazon Prime account. Of course, I've got mine locked down with right now, it's an OTP on an app. She has to call me for the OTP. And then they did a miraculous thing. They said, oh, do you want to set up a passkey? And she knows what one is. She's like, yes, I can go passwordless. And then that ran into something in the configuration of her Windows laptop, doesn't know what the PIN is, and won't let her reset it to unlock the... Anyways, it ended up being a half an hour of absolute frustration, and she does not have the passwordless experience she wants.

We're going to get that fixed in the next couple of years. But it is a new thing. And because you're dealing with so many devices that all have different capabilities. Again, she's got a laptop with no face or finger, so you end up with a lot of user experiences dependent on the device you're on. And I think it's going to take some time to get people to sort of grok the idea of what you do on your iPhone with Face ID might be different than a Windows laptop that has no biometric and how those experiences are going to work. But I'm really bullish about it. It's the only way to really kill the password and replace it with something that is much, much better.

Christine Owen:
Yeah, no, I totally agree. I do agree. Currently, the registration process for passkeys is hard. I think the other issue that we are seeing is that within an organization, they might have multiple touch points with the customer, and some of those are still only password based, and there's reasons behind that based on how they decided to design the... It's a low risk environment, they designed it that way, it's totally fine. But now they need to go back and change that to really change the experience. But we're also seeing in the industry massive wildfire adoption.

Great example is Target. I went online, I went to buy something in Target online, and they were like, "Do you want to add a passkey to your account?" And they're really pushing it, and I think it's good that they are, because that's such an easy way for an end user to be able to keep buying from there. I think that a lot of the organizations are seeing, especially if they're retail, it's so much easier to buy with your face than it is to actually put in a password or reset the password. Then you're just going to abandon the cart. But if you say, "Hey, use your face and buy it," I'll do it.

Jeremy Grant:
Yeah, consumer space, it works really great. Enterprise actually, people originally were skeptical of, wait, I'm going to sync keys. Well, if you pair it with MDM and some other controls, it's actually a really good solution. We do see, getting back to being in a law firm, sometimes we have clients who are like, "Oh, I'd like to go passwordless, but I've got all these third party vendor clauses that say I have to have 16 character passwords in place. And what do we do?" And the answer generally is you have to go back to your suppliers and tell them that they need to update this outdated crap and point to things like NIST for why that's a good idea. But again, this is where I think passwords are going to have a long tail. And look, we're both in security for a long time. Compliance is great until it's not, when it's locking you into an outdated, less secure technology than what you can do today.

Christine Owen:
Yeah, exactly. When we met, I was trying to get agencies to actually issue PIV cards and then let alone use it. There was an incident that sped the usage of the PIVs. But yeah, it is really interesting how long adoption does take. I will say I feel like, and maybe it's just because I haven't been working with FIDO for more than four years, I think, but I feel like the adoption has been really fast and more widespread than I expected. Well, actually passkeys were announced what, two years ago at RSA? Yeah, I think-

Jeremy Grant:
Back then it was an intent by the platforms to do this.

Christine Owen:
Exactly, exactly.

Jeremy Grant:
And then they had to figure out how to build it and implement, and now they're rolling features out and there's more coming. So I actually think when you look at the number of major brands who have embraced this and consumers are starting to get it, this is happening really, really fast. FIDO Alliance was only created in 2013, and we've gone through two churns on the standard cycles and now gone through this. This is happening very, very quickly and efficiently compared to what you normally see with adoption of new technology. Particularly when you have to deal with so many different players in the ecosystem with different platforms and chip makers and other things. I think it's a tremendous success story even if we're not quite where we want to be yet.

Christine Owen:
Yeah, I agree. And I honestly think to those who are the haters out there about passkeys, because it's not 100% perfect, you got to get to 80% and then we can figure out the edge use cases. But let's just get to the 80 so that we can have a stronger protection for our end users and for the organizations. So I love it. I love those naysayers who say, "Oh, it's just not good enough yet." Well, it continues to iterate, so it'll get to what you want eventually.

Jeremy Grant:
Well, there's a theme I've been emphasizing a lot over the last year, which is, perfect does not exist in identity, but I'm really enamored with new solutions that suck less. And because, let's face it, there's a lot of solutions, particularly on the security side, but also, for ID verification, just like the experiences we put consumers through that suck. They always have sucked, but it's been the best that anybody could come up with. And so if we can not solve every problem, but just come up with some new things that suck less hopefully materially than the legacy tools that they're replacing, that's really helpful.
It's one of the things that drove me crazy a couple of years ago with some of the controversy around the use of selfie match technology in government agencies for ID proofing was, so you have activists that are out there that are flagging that some of the algorithms for face are biased, which some are and some aren't. Let's differentiate. It's not like the whole technology sucks. We do want to get people to those in that quadrant of really accurate and really equitable. But if the fallback is that you're then going back to relying on credit data, well, that doesn't work for a whole part of the population either. I've said this a number of times, if I'm a 19-year-old person of color who has no credit history, but I do have a smartphone and the driver's license, those selfie match tools give me a path to prove who I am, where I would probably fail if I was just relying on some of these legacy tools.

And so I do think that the topic of inclusion and equity and bias, nothing is a zero-sum game, but there are some things that suck less for people than others. And this gets also to a point that I think you and I talked about a little offline, which is the importance of offering people choices and how they prove who they are and authenticate. Because there isn't a silver bullet, not yet, where one solution's going to work for everybody. But if there's three paths I can go down, odds are pretty good that one of them is going to work for me. And that's not to say that's the ideal state of where we need to end up in this space in 20 years, but I'm really interested in new tools that suck less and create new pathways for people to get through a transaction that maybe they would not be able to using the technology from three or five years ago.

Christine Owen:
And exactly. And on top of that, a lot of companies out there, including ours, are popping up and they're creating digital identity wallets. We call them verifiable credentials because they're built on W3C standards. But the reality is that there's going to be, this is how technology works. You have a period of time where there is a lot of different companies that are out there that all are offering something similar like a digital identity wallet. Some of them are standardized and some of them are not. If you have the standardized ones, they start collapsing and then you end up where you only have a couple of providers. But the reality is that I as a citizen should not have to have five different wallets because I have one for healthcare, I have one for financial, I have one for whatever, and then I have one for government.

Government should be able to accept if that organization goes through the rigor standards, which GSA is creating with their SIN process and also Kantara making sure that it's NIST 800-63. Those are the ways to make sure that they're standardized enough for the government. And then on top of that, you can add HHS, XMS, which is essentially a rehash of something that you created, Jeremy, back in the day because you were a visionary before your time. But it's a very simple way to allow end users to choose either which product they want and/or to allow them to say, "Oh, well, I already have this one wallet. Why don't I just bring it with me?" But I don't know, we'll see what ends up happening with them.

Jeremy Grant:
Yeah, I think we're still in early days in the wallet space. I think what's happening in wallets is really interesting. I think people are just starting to figure things out. It's been interesting in Europe for example, where they have an actual EU-wide strategy to create EU digital identity wallets that could be used both for identity but to carry payment credentials and health information and academic credentials. Bluntly, I think it's a little loftier than what we would want in the US in terms of the role of the government. I think the government's role is identity. That's an inherently governmental role. Do I want the government to issue me a wallet that I carry my payment credentials? But Europe's going to Europe. But what's been interesting there is getting back to the question of what is the role of government, and I'm going to go off on a bit of a tangent.

There's been a lot of concerns among big private firms about a provision in that new regulation that would require private firms to accept the EU digital identity wallet credentials to log into their company because you're now basically tying your customers to a state issued credential, which there's some baggage that comes with that from a whole bunch of purposes. One of the things they proposed about 10 days ago in their draft regulations was actually you should be able to use pseudonymous authenticators using web authentication, using the pass key standard, which is really interesting because now you're leveraging something that has already been developed rather than creating something new and maybe coming up with a good middle ground politically that okay, you can log in with your wallet, but the RP does not necessarily have to deal with government issued key material. They might just create a passkey and you'll carry it in your wallet. In fact, I think some of the EU digital wallets wound up being passkey providers, which is really interesting.

Christine Owen:
So I actually think that that's the way that we should be going. So I think the problem is that people who are thinking about a digital wallet, they think that you have to have everything in it, like you said, and they also think that because identity is tied into that wallet, that automatically is a credential. And what they're forgetting is explicitly in NIST, identity and credentials are pulled apart. So a wallet has your driver's license in it essentially. If you think about your wallet, you have your driver's license, which quite frankly, we do also use as credentials sometimes, but whatever. Let's just call it an identity piece though. And then you also need something else to be able to say, oh, this identity is tied to this credential and this credential should be used. I think that you can easily have multiple credentials within a wallet.

Quite frankly, that's something that I see a lot as multiple personas within a wallet, and then they work to different organizations. But using a passkey as the credential that is bound to the wallet, I think is the right and only way to do it because you don't want to give away too much information from the wallet, and the passkey continues to be privacy preserving, and you can bind multiple passkeys to that identity so you don't always know. For example, if you wanted to stay anonymous, you wouldn't know that Belgium created this passkey for me. You would know that my work organization that happens to be headquartered in France created it for me. So that's a much different way to go.

Jeremy Grant:
Yeah, I think that's a good approach on these things. And again, this is, I think just an example of where we are still working through these issues in a way that it's going to take a little bit more time, but it seems like, I don't know, for a few years of the hype with self-sovereign identity, I think people realize, okay, that's not exactly going to happen. You're not going to be declaring your, seceding know yourself a new name. Then you could do that, but nobody's going to care. I think as we've now shifted to more constructive approaches around decentralized identity, verifiable credentials, wallets, people are starting to get it figured out. In fact, this is where I, somebody who's often a little, how would I say it, like-

Christine Owen:
Skeptical.

Jeremy Grant:
Pessimistic sometimes about some of where we're going. I am getting a little optimistic that we're at least starting to get people to get some of this now, perhaps in a way that they haven't. So maybe we're going [inaudible 00:51:56].

Christine Owen:
Yeah, I really think in four to six years it's going to blow up, I do. I have yet to read the draft four of 63-3, but my assumption is that there's a lot more discussion on verifiable credentials and MDLs, which is very exciting. I'm sure they will get a lot of comments from me once I read it, but I think it's really exciting because I think that there is a path to be able to use verifiable credentials, reuse them to be able to prove your identity in other organizations. And quite frankly, I'm tired of entering my address every time I want to buy a Roth issue. I probably should create an account with them. I buy too many of them, but if I didn't, I would prefer my verifiable credential to just send that information over so it pre-populates.

Jeremy Grant:
I think in this side too, for those, this might be a small sub-segment of the listeners of this podcast, but for those who track this guidance and digital identity, 800-63C has always been sort of the forgotten redheaded stepchild that's out there. Nobody reads it. People read identity proofing, people read authentication, and then C was federation and assertions, nobody looks at it now. 800-63C is the big sexy because this is where they put everything around mobile driver's licenses and verifiable credentials. So now you got more reading to do, another couple hundred pages.

Christine Owen:
Yeah, no, it's true. Finally, we red-headed stepchildren are coming to light. It's our time to shine. No, but you're exactly right, because I have talked to other vendors about if someone has a digital wallet with you and they want to end up in our system for whatever reason, how are we going to share that information? And not many vendors have thought about that. Vendors in this space, in our space are going to have to come together eventually and figure out how to do it so that users can have choice. We're not there today. Hopefully we'll be there in six to 12 months, but I think we're going to slowly get there. So I think it's about time to go, but the one thing that I did want to know is, can you talk about the origin story of your shirt, which is I have two of them now. It's my favorite shirt.

Jeremy Grant:
All right. So you can see it says, "Things that are not easy: Being Green, Pimpin', and getting to IAL2." So the origin story actually I think involved you.

Christine Owen:
Yes, it did.

Jeremy Grant:
We were sitting about a year ago up at NIST in a workshop on the previous draft of 800-63, their digital identity guidelines. And for the last two years, I mentioned before this controversy around face and selfie match, DC has been rocked by, oh my god, can we get to IAL2? And there was a massive inspector general report from the General Services Administration that said Login.gov was claiming to be IAL2, but in fact they weren't and they were misleading customers. And everybody's like, well, but IAL2 is very hard. And so I was thinking about, because I tend to still focus a lot on pop culture, it's hard to get to IAL2. It's not easy. Then I was thinking about Kermit the Frog. It's not easy being green. I was thinking about Big Daddy Kane, Pimpin' ain't easy. And I think I typed this up on my phone and shared it to you, and you're like, "You have to make that shirt."

I have found as I wear it, there is a definite Venn diagram of people who understand Kermit and people who understand Big Daddy Kane and then people who understand NIST IAL2. But I will say I've been pleased that while I was poking fun at Login, Hannah Kim, who's the new director of Login.gov, has one of these shirts now.

Christine Owen:
Oh good.

Jeremy Grant:
I think they appreciate the journey they've been on. And speaking of the Venn diagram at the Fed ID forum two months ago in Baltimore, I was at a dinner at Morton's.

Christine Owen:
Oh yes, I crashed that dinner.

Jeremy Grant:
That's right. Big chunky steaks. And I'm wearing this shirt and our waitress says to me, "I like your shirt." And I said, "Thanks." But then I'm thinking like, do you know what this means? You're a waitress at a steak house. She used to work at ID.me.

Christine Owen:
Oh my gosh.

Jeremy Grant:
She was one of their trusted referees during the pandemic when there was a surge of applications.

Christine Owen:
Oh, that's so funny.

Jeremy Grant:
And so I'm like, wow, we're really, yeah. So this world perhaps is a little bigger than we think it is sometimes, but yes.

Christine Owen:
It is definitely bigger. That's why I'm telling you. People in the real world, when we leave our little bubble of identity, they actually understand passkeys and they want it. It's just getting relying parties to give it to them. No, but I think that's great. I actually, I like to educate. So I do agree that it's hard to get to IAL2. I do also think that when you talk to NIST, you learn more about how they want it to be a risk-based approach. And basically every organization needs to determine how to get there, which is why it's hard because vendors can't give a standardized way. You have to work with the organization to do it the way that they want. And in that regard, I think it does make it harder.

But I also think it's great because some organizations have way more stringent risk tolerance. A great example of that is IRS. Whereas other organizations don't need as much information, so they would ask for less attribute collection, which is exactly what you need to do to stay privacy preserving. So it's wonderful.

Yeah. Well, thank you so much, Jeremy. I really appreciated this and I enjoyed... I always enjoyed talking to you, so it was a lot of fun.

Jeremy Grant:
Good fun. Thanks for inviting me on. Appreciate it.