Fighting Fraud in Government Services with Digital Identity
Hello, and welcome to today's event, Fighting Fraud in Government Services with Digital Identity. I'm Deb Snyder, senior fellow for the Center for Digital Government and former CISO with the state of New York. I'm excited to serve as your moderator for today's event, and just want to say, thank you for joining us, I know we're in for an informative session over the next 60 minutes. But before we begin, a couple of brief housekeeping notes, a recording of the presentation will be emailed to all registrants within 48 hours. You can use the recording for your reference, or you can feel free to pass it along to your colleagues. To download a PDF of the slides for the presentation, simply click the webinar resources widget at the bottom of your console.
This webcast is designed to be interactive, you can participate in the Q&A with us by simply asking questions at any time during the presentation. You should see a Q&A box at the bottom left of your presentation screen. Please send in your questions as they come up throughout the presentation and we'll address as many as we can during the Q&A portion of our webinar today. Also, during today's webinar, you'll be able to connect with your peers via LinkedIn, Twitter and Facebook. Please join, using #govtechlive to connect with your peers across the government technology platform via Twitter. At the close of the webinar, we'll encourage you to complete a very brief survey about the presentation. We'd really like to hear what you think. If you're unable to stay with us for the entire webinar session, but you'd like to complete the survey as much as you can, just click the survey widget at the bottom of the screen to launch the survey, otherwise it pops right up for you once the webinar concludes.
At this time, we recommend you disable your popup blockers, and if you're experiencing any media players or have any other problems, please visit our webcast help guide, by clicking on the help button at the bottom of your console. All right, let's get started by introducing our guest speakers. We have Blair Cohen, founder of Authentic ID. We have Mike Engle, co-founder and CSO of 1Kosmos. And of course, Mark Weatherford, my colleague and a senior fellow with the Center for Digital Government. So I'd like to tell you a little bit about each one of these very expert gentlemen. Blair Cohen is an identity proofing expert and serial technology entrepreneur. His long history in the background screening industry showed him firsthand the ways in which identity authentication is broken and how much it costs companies and consumers alike. Driven by this experience, Blair has focused on developing a vastly improved method for authenticating identity.
This culminated in the creation of Authentic ID, a disruptive and transformational AI driven fraud prevention and identity technology company that reduces fraud costs 50 to 75% within 12 to 24 months, by authenticating identities with 99% plus accuracy in mere seconds. Mike Engle is a proven information technology executive leader and entrepreneur. He's an expert in information security, business development and product design development. He has experience running large teams and multimillion dollar projects for Fortune 100 banks, as well as working with startups that need set direction and go from zero to one, as it's now commonly called. As head of InfoSec at Lehman Brothers, he was instrumental in designing and implementing the bank's security program. As a co-founder of Bastille Networks, he helped raise over 40 million in venture capital, to create a powerhouse in the RF sector. Most recently he helped launch 1kosmos.com as co-founder, a next generation identity company that is changing the way people interact with digital systems and 141 ventures, 1414 ventures, excuse me, .com, a C round venture capital fund that focuses solely on digital identity.
And last, but certainly not least, Mark Weatherford. Mark's a globally recognized information security professional with vast experience at some of the world's largest public and private sector organizations. He was appointed as the first deputy under secretary for cybersecurity at DHS in the Obama administration, and he was chief information security officer for the state of Colorado and for the state of California, under Governor Arnold Schwarzenegger. Welcome, gentlemen, we're really glad to have all three of you here with us today.
Mike Engle:
Thanks, Deb, it's great to be here.
Blair Cohen:
Thanks Deb.
Deb Snyder:
So let's just set the stage a little bit before we get started. Oh, and we have a great slide here that I wanted to mention before we talk about today's topic. There's some information on the slide for you about a few exciting webinars that are coming up, on topics of interest and industry events that are coming up in June. So take a look at that, of course you can download a copy of the presentation and this slide will be included for you. All right, so let's set the stage for what we're about to discuss, fraudulent tax returns and new cyber schemes to defraud state agencies of benefits and COVID relief funds, have pushed citizen identity fraud to new highs. As agencies have rushed to stem the tide with facial recognition, new privacy and efficacy concerns have surfaced alongside. So how can federal, state and local government agencies verify applicants, protect personal privacy, and authenticate logins to efficiently deliver services to qualified citizens?
Well, today we're going to get into that in more detail, we'll discuss the security, privacy, efficacy, and usability issues that are facing government agencies at all levels as they work to fight identity fraud. We'll take a closer look at how government agencies are transforming their operations, using new distributed digital identity solutions, to ensure much needed services reach the people they're intended to help. We'll explore how a new approach to multifactor authentication can eliminate one time codes, how to give constituents greater control over their personal information, without it residing in its central database. And we'll talk about how to overcome loopholes in first generation facial recognition systems and the benefits of using a distributed digital identity to create a portable digital wallet.
That's a lot of ground to cover, but before we get started, we have just a couple of quick polling questions, just to help us get a sense of our audience and the challenges that you're facing. So let's go to the first one. Does your organization have mature identity and access management, IAM processes in place? Yes, no, or I'm not quite sure. So Mark, while we wait for our audience to submit their responses, from your perspective, where do most organizations fall in terms of their maturity in IAM capabilities?
Mark Weatherford:
Well, actually, it's all over the map, and both at the state level or local level, I think the federal government is doing it a little bit better than the state locals are. But identity and access management has always been one of these things that wasn't really a priority, it was just kind of something that IT took care of and the CIO managed, and made sure it got done, but we have seen it become really this important thing, for a whole lot of reasons. Onboarding employees is often one of the biggest complaints because it takes too long and it's inefficient, it's often a manual process. So adding automated identity and access management solutions to that process, can really be helpful. And I think a lot of states and locals, they're coming along and it's getting a lot better, but there's a long way to go, there's no way to say, is everybody mature or everybody immature, it really is kind of all over the map.
Deb Snyder:
I would agree, that's been my experience in talking with organizations throughout the nation as well. Let's see where our audience falls. So it looks like the majority, or at least, well, almost neck and neck, it looks like around 38, 40% of our audience feels that they do not yet have mature identity and access management processes in place. And about the same amount are unsure and a little less, don't feel comfortable with the fact that they're there. So this is a very timely conversation that we're about to have. Let's take our second polling question. Is your organization using scanned, AKA digital documents and facial recognition as part of performing your identity proofing verification for new hires and/or citizens? Yes, no, we're considering, reviewing, planning, or we're unsure. So Mike, Blair, while our audience responds, what have been your experiences in working with clients?
Mike Engle:
Sure. Thanks. I've seen two different camps, so on new hires for contractors and employees, it's a bit of a greenfield out there. It seems that the process around what we have here in the US, I9 onboarding, is still pretty much the way it's been for 20 years. And you say digital, that can mean a lot of things, but they're still taking a picture of a driver's license, passport, et cetera, and emailing it to HR, which is wrong on many levels because there's so many better ways to do it today. But now we're starting to see a trend towards startups and even established companies provide digital ways to do that, where you're proving somebody's identity in real time, as part of that process. Blair, you've probably seen some similar results.
Blair Cohen:
Yeah, I would have to kind of concur with that. We don't see it so much with new hires just yet. I mean, we do have a fair amount of interest, but it's certainly mainstream when it comes to onboarding citizens to become customers for your enterprise. Five years ago, you really didn't see people offering that capability, today, it's pretty mainstream.
Deb Snyder:
I'll correct myself here because many states have this similar problem that New York State has, in terms of referring to citizens, where in fact many residents, people who are attending university or in the state for professional reasons, personal reasons, that are not citizens. So we'll use the word residents going forward, and thanks to the audience member who reminded me of that.
Deb Snyder:
So as we lead into the panel discussion, let's take a look at what our audience thinks in terms of last polling. All right. So it looks like most are not yet, but some are considering it, and some are actually starting to take a look at using facial recognition as part of their identity proofing. So that's encouraging, and I think that you'll agree, gentlemen, that makes today's discussion even more timely and helpful, given what we're going to talk about. All right, so before we jump right into some questions, let's just take a moment, I'd like to ask each of you to just take a moment to highlight your thoughts as to high level issues, challenges, pain points that you see organizations facing in this area. Mike, let's start with you and then we'll go to Mark and last but not least, certainly Blair.
Mike Engle:
Yeah. Sadly, it's just proving who somebody is remotely, and I know that's really broad, but there's a couple of indicators out there that we're still struggling with ways to do this. One is, I don't know what you all experienced, but I see a new website that is not like my bank with super secure stuff on the other side, asking me for a code out of my email or a text message. And I guess they're just trying to make things better, and the user experience, it seems to be heading in the wrong direction. And then second is for those institutions that do need a higher level of identity, open up a crypto account these days or go to a digital bank, and there's struggle with better ways to prove who you are for AML, KYC, Patriot Act type stuff. So the good news is I think COVID has really accelerated people looking into this and really starting to kick it around internally.
Deb Snyder:
Mark.
Mark Weatherford:
Yeah, I would say the same thing. I think there have been a couple of factors that, over the past couple of years, that have really kind of propelled the embracing of identity and access management. COVID certainly one of them, at the state and local level, well, even in the private sector, everybody went from coming into the office and accessing things one day to the next day, having to access everything remotely. And CIOs and CISOs globally were faced with this really incredible challenge of how in the heck do we do this. And when you think of some of the very sensitive type of applications with privacy implications, it raised the bar on that a lot.
So that was one thing, I think one of the other ones and hopefully we can chat about it a little bit more, not to be political about this at all, but we saw what happened with voting during the last election, actually during the last two elections, and the trust in government has really taken a beating. And I think that trust piece is critical, I think we all believe that technology can solve that trust piece, but citizens, the government has a long way to go, I think, maybe to regain or to re-embrace that trust with citizens.
Deb Snyder:
Blair.
Blair Cohen:
Deb, I have to apologize, I did not hear the question. My internet's a little bit shaky in this hotel room that I just got to. Can you restate it?
Deb Snyder:
Quite all right. Thank you again for joining us. So just take a couple minutes and maybe give us your thoughts as to the high level challenges that you see organizations facing.
Blair Cohen:
Oh goodness, there are many. I mean, first of all, we're kind of changing the ice age here, the identity proofing part, which if we're going to use biometrics and trust biometrics in the future, it's imperative that you get the identity proofing part right. And unfortunately, too many organizations are still using old fashioned techniques and tools to do that. They're using data, name, address, date of birth, social security number, knowledge based authentication questions, but that just doesn't make sense anymore. All of our data's been breached so many times, we need to come up with factors for people to be able to prove their identity that are much more difficult for counterfeiters and bad actors to get their hands on. Data's easy, something that you physically own and control, like your government issued identity document, much more difficult, impersonating you from a facial recognition or a biometric standpoint, also much more difficult. So I would encourage companies to look at 2022 technology to improve.
Deb Snyder:
Thanks for all those comments, gentlemen. Let's jump into our panel discussion, if we will. Mike, I'd like to start with you and I know you have a few slides, so go ahead and give me prompts and we'll advance through those, but give us a little background on 1Kosmos and what you've been working on.
Mike Engle:
Yeah, yeah, I'd love to. So our goal is to get people into their services in a better way, and so as I mentioned, we've all been struggling with usernames, passwords, lack of identity, and the bad guys seem to find an easier way to log in than we do. So we have three distinct offerings, we can verify anybody's identity remotely, and that's document verification, biometrics, things like that, or simply onboard an existing account, and then take that account and apply it to any of your workforce or your customer facing systems, constituent, citizen, whatever it is. And we do it in a way that doesn't require usernames, passwords, so you're actually authenticating with what we call identity based authentication, rather than secrets and anything that's knowledge based. And to do that, we have a couple of industry standards that we've embodied in the platform.
If you could just advance. The basic functions we do are enroll, verify, store and authenticate. And we're going to talk about all these things here today as a group, how do you enroll a resident into a government service and provide them services, without letting the bad guys in? And then verification of course, is right up Blair's alley, and we're going to really get into the weeds there. There's a lot of caveats to how you verify, there's decisioning bias, there is equality, inclusion, those types of things that hopefully we'll touch on. And when you use biometrics, how do you do it in a way that maintains privacy? So we have all kinds of blowups in the government where either people didn't know it was happening, or databases have been leaked, and if your face or your fingerprints or whatever, get out there, it's a big deal.
And then as I mentioned as well, how do you get into systems over and over again with identity, instead of what I like to call is stupid human tricks. Don't ask me what my shoe size was when I was six, or if I owned a Ford Pinto in 1984, which I did by the way. And just one more slide, if you could, just to really set the stage for, you can build this all out, it's like three, four more clicks. Really the enrolling, authenticating and verifying, and finally storage of all this, so under the hood with one more click, you'll see that we've got two kind of emerging technologies that we love to talk about with our forward looking customers and partners, and that's decentralized identity and verifiable credentials.
So imagine if one government agency were to enroll you and you could use it across any other government agency, or even in a commercial property, that's where the future of identity is going and what we have built into the hood, it's what separates us from just a company that would authenticate you, for example. So we're super excited about these standards, and we're not the only one, there's lots of tech companies now that are moving down this path with us. So thanks for asking, and I'm looking forward to talking about these things with everybody.
Deb Snyder:
Thank you, Mike, what I'd like to do is stay with you and just continue along that same line. So what are some of the trends that you're seeing in terms of identity management and validating identity, and then Mark, coming to you, what's changed when you consider past limitations and where things stand now?
Mike Engle:
Yes, yes. That's not me by the way. So the trends are moving away from KBA, this is one big trend, knowledge based authentication, or knowledge based answers, they're still very pervasive out there. I just opened up a rewards account and to validate something, I don't know, I was linking a bank account, they asked me those types of questions. What kind of car did you own? And as Blair mentioned, they've been hacked and stolen. So one of the trends I am seeing, which is super exciting, is just a very easy, user friendly way to pop up and present a government credential. So one trend is to do what's called document verification. Today, we all have, not all, but at least 80 plus percent of users have a very powerful smartphone with a high res camera. So we're seeing the leveraging of this as an enabler remotely, to do things that in the past required cameras or in person hardware or in person biometrics.
So that's super exciting, and then also the adoption of passwordless technologies is starting to get popular. I was on a call with a government systems integrator today, and he told me that he's been implementing what's called FIDO web authentication, WebAuthn, which means your browser would pop up and say, would you like to go passwordless? And I was, again, really excited to hear him say that he's actually doing this in practice, because that is one of the future ways that we'll engage with services as well. So I'll take a breath there.
Deb Snyder:
And Mark, what are you seeing in terms of what's changed?
Mark Weatherford:
Yeah. So interestingly, a trend, the real ID Act was passed in 2005 and anybody that has followed this, and again, I know that Deb, you had to deal with this as a state CISO, I know that I did, we were panic stricken at first, thinking how in the world are we going to roll out a solution to all of our citizens so they can do this, so they can be able to utilize the services that the real ID Act requires. Well, as everybody knows, that deadline's been pushed out and pushed out and pushed out and pushed out, and now the government says, okay, we're not kidding this time, it's May 3rd, 2023. And you're going to have to have your real ID credentials at that point, in order to fly and to do a variety of different federal facilities. So that's maybe an analog kind of a trend that we see happening.
But I think one of the other trends is around government standards, so NIST 800-63 establishes standards around digital identity proofing, to combat identity theft and online fraud and stuff. And so I think and I'm sure that Mike has a lot of thoughts on NIST 800-63, but these standards probably more than anything else, are really about establishing trust and trust in government, which as I mentioned, I think has kind of taken a hit. So I think the trend the government is saying, hey, we really think, as Mike said, a single ID card to be able to do a variety, maybe not to do everything, but we have to get away from this manual process of, I often ask people how many different applications do you use that require sign on privileges? And the number varies from 10 to 300.
And I really cringe when they pull out that little sheet of paper that has all of their accounts and passwords on it. But really, that's where, as an information security guy, that's what makes me weep because we're still doing these manual processes when there's technologies, like what Mike is talking about here, that can remedy a lot of this. And not only does it make it better for the consumer and the citizen, it makes it much, much more secure, and me, as a CISO, gives me a little bit more confidence that we're doing the right thing for our citizens.
Deb Snyder:
Thanks, Mark, I agree. A single digital identity and credential will bolster trust in government, if it's implemented correctly. So speaking of implementation, Blair, how important is getting that first step, identity proofing right, what are the challenges there?
Blair Cohen:
Oh, that's crucial. I mean, without that, exactly what Mike is depicting on this slide will exist, and that's formerly known as a catfisher. That's somebody that presents themselves online as somebody that they really aren't in person. So that can happen all day long if we don't modernize our identity proofing capabilities. Mark, we'll see about real ID, that's interesting. They also said that was going to happen back in 2013, and we mean it this time for real. We're actually supporting the state of California today, that would allow a citizen or a constituent, I think we've been corrected on what to call those folks, the ability to apply for the real ID, the DMVs were closed for a while, which hampered their ability to issue those. You can now do all of that online, do it remotely, submit your government issued ID, along with the corresponding birth certificate, social security card, we handle all the data extraction and validation of that.
So maybe we can get there, Mark, we'll see on that one. I would concur though, in terms of getting this right up front, the government's kind of onto something here. When you start looking at 800-63-3, it's a multi-pronged approach, and there's a variety of different ways to achieve that confidence level. It's not just document authentication, it's not just email validation, there's a variety of different ways to get there, and layering together all of these different technologies is going to give us a really good chance to get it right up front.
Deb Snyder:
So Blair, you talked a little bit about the value of that single trusted, and portable identity, what are the primary benefits of organizations moving in this direction? Mike, I'd like to hear from you too on that.
Blair Cohen:
I'll go first on that one, Mike, if you don't mind. So what we're seeing is just much better customer service because of fraud, the identification process, when you interact with an enterprise, takes too long, it's too full of friction, they ask you too many silly questions, ask you to provide too much data, and that's super costly. One of our customers gets over 20 million calls a month in their call center, and it takes them an average of a minute and 17 seconds to be able to validate your identity, just to proceed with what you called for. With the use of biometrics and a platform like the 1Kosmos platform, now we can trust that biometric, they could offer simply their face, we would know with authority that it was really Mike transacting with us, in just less than a second's time. So that is certainly a trend that I see continuing.
Mike Engle:
Yeah, there's two aspects, one is for an organization that you continuously go to. So when you log into your bank today, you typically have an app that's trusted and gets you in with face ID and it's a delightful experience, until you get a new phone and then things might fall apart, or if you try doing it on a web browser. And so you're seeing, when you say portable, a way for you to actually keep possession of something that's like an identity, almost like you could pull out the real ID out of your pocket and present it to the bank or to a government service without having any friction. And so you're seeing that within individual organizations, I am seeing more and more uses of technologies to make that much easier, account recovery's a huge problem maybe we'll touch on.
But then something I know we're going to talk about in a few minutes, on another slide, is the ability of truly making it portable, then cross company, cross agency, even cross country. As I mentioned on my four pillars slide, that's the future and where it's going. So imagine if you could prove yourself once and use it anywhere digitally, much like you do with your physical credentials, you have typically two types, your state or local or national ID, and then there's international passports. So we'll see these things coming together soon.
Deb Snyder:
Any thoughts on that Mark, from you, in terms of the value?
Mark Weatherford:
Yeah. I mean, again, I approach everything through a security lens, so any way that we can automate and make identity more efficient for users and citizens and constituents, is better for everybody. I mean, that's less I have to worry about, that's fewer security incidents I have to worry about. I thought of something a second ago when Mike was talking, if you, as an employee, your drive to work, say you drive 20 or 30 miles to work and you forget your badge, you will probably just go on into work and say, I'll get a temporary badge today. But if we have digitized our identities and we have these on our phones and you get to work and you forgot your phone, guess what?
You're going to go home and get your phone because our phones are that important to us today, and there's so much more on that phone, that from a security value perspective, that helps us to actually confirm who we're talking to, confirm that we are who we say we are, as we're logging into applications, and even from a physical security perspective, as you're logging in, walking into your building, you're being identified. So I think the value of a single trusted identity, and I know people still freak out a little bit about it when they think of a universal ID that has all information about it on it, but I think we're certainly headed in that direction. There are still some security concerns and rightfully so, we have to continue to solve those, but man, the value of that is just profound.
Deb Snyder:
I agree. And you gentlemen made such wonderful points, convenient, frictionless user experience, simple user onboarding. Mark, the point that you made about employees and actually making sure that you know who's entering your buildings. Residents being able to prove their online identity. During COVID, we saw the distribution of benefits and agencies spending billions in funds to provide funding to people that shouldn't have received. So I mean, that would significantly, I think, help to reduce fraud and also provide secure access to online services. So let's look into the future a little bit, all of these factors open up tremendous opportunity to leverage digital identities in ways that we haven't seen done before. Can you give us some examples, Mike, and then Mark, if you have any, in terms of the players that you see being in the position to make that happen?
Mike Engle:
Yeah, I see it as there being three players that can stand up identity anchors, a way for you to prove who you are. Of course, there's the government, they do that for us today in the physical world. When you go through the airport, you present your government ID, you get pulled over, the state trooper, not that I've ever been pulled over, but the state trooper wants to see your driver's license, state issued document. And so how do you get the government to do this? Well, they're trying hard, in our country, because there's so many agencies that provide services and they're very disjointed, it's difficult, but look overseas in some of the smaller countries like the Nordics, and Singapore and South Korea, there's been government sponsored identity efforts, where they've come and said ... or Estonia, is like the hallmark, have been doing it for so many years, back with the PKI based effort, here's a credential, and here's how you can use it then to get into any service.
So which agency's going to step up and do that here? They're all talking, not all, but many of them are talking about it. And I think we'll touch on that possibly a little later as well. The other two entities are banks and telcos. So nearly everybody has a bank account and nearly everybody has a telco account, whether it's a phone, and those are kind of anchored sources of truth about you as well. So if I can prove that I have a Bank of America account to my utility provider, they'll trust that a lot more than if I say I'm going to pay cash or trust me, I'll send you a check.
So the banks have a very strong source of identity about you, and lastly, like as mentioned, telco, I've had the same phone number for 20 years, I've been paying the same bill for 20 years and we've seen telco led efforts globally. As I mentioned, South Korea with something they call SK pass, was a combination of telco and governments coming together to form a trusted digital identity fabric. So those three, I think, really, and they're starting to talk about it globally.
Deb Snyder:
Mark, what do you think?
Mark Weatherford:
I agree 100% with what Blair just said, but I think government certainly has to be the leader here and whether it's state and local governments implementing solutions, or probably more importantly, if it's the federal government implementing policies that require certain things. Again, I'm not holding my breath on the real ID Act, but this will make a huge difference, if citizens know that they can't get on an airplane or they know that they can't access certain federal facilities or certain federal programs without a real ID Act, it's going to create an impetus to get that done. So I really think and I'm not overly fond of too much regulation and too much compliance, but again, the federal government really, federal and state government, the federal government can really, I think, push this forward with legislation and regulation that says, hey it's 2023, it's not 1973.
And the world has changed, everything we do requires an identity today, let's move forward on automating some of these technical solutions that we have today, that may just be a little bit painful or just be a little bit inconvenient. And as we've said in the security business for a long time, security doesn't mean that it has to be convenient. In fact, sometimes security is a little bit painful. We try not to make it that way, but to solve the identity crisis, if you will, is going to require the federal government to get behind that. And certainly telcos and banks and healthcare, and some of the other sectors will have a role, but I really think the federal government can be the primary driver on that.
Deb Snyder:
What resonated with me, Mark and Mike, on what you said, is that the technology has evolved, it's matured to the point where it's now possible. Whereas Mark, you mentioned when you and I were both in that CISO seat, that it was like, how, the big question was how do we make that happen? But I think that I'm encouraged by where the technology is today. So Blair, let's turn to you for a moment, let's talk about stopping fraud. What are some of the issues regarding fraud and effective strategies and stopping it, that these approaches make possible?
Blair Cohen:
Gosh, it's a really, really tough problem to solve and certainly to stop, Deb. As I alluded to earlier, data on all of us is out there, it's very inexpensive, if not free, you don't even have to dig for it these days. You can get what's called fulls, which is your name, address, date of birth, social security number, I mean, all the details that you're going to be asked from any entity, somewhere between four and $8, if you want to buy them. So stopping fraud is a super big challenge. One of the ways to start, I mean, with every digital identity, we're really starting with imaging your physical identity card. And not all document authentication vendors out there, and there are a number of them today, six years ago, there were two or three of us, today there are 20 or 30 different companies that say they do document authentication, but not all of those companies are created equal.
For the most part, the vast majority of them are really just imaging IDs, extracting data from the documents, perhaps validating the data from the document, extracting the face from the document and using that face for future re-authentication events. That doesn't stop fraud. You really have to interrogate the document and examine it forensically. Our team has deep domain expertise in working with critical infrastructure, customs and border protection. We actually created the technology, if you're going through the airports recently, and if you had your ID scanned, that's our old legacy technology. So you've got to get that part right, if we get that part wrong, pretty much everything else is simple to beat. I love Mike's angle here on bank signals, pretty sticky, pretty solid, the bank knows a lot about you. They had to go through a lot of rigor in order to open that bank account for you, they had to go through an entire KYC process.
Telecommunications companies, a lot lower bar, they don't necessarily have to go through KYC in order to give you a phone, in fact, most of them don't. However, the amount of rich data that they have on a consumer is pretty incredible. I mean, we know all your GPS coordinates, we know [inaudible 00:39:49], we know the last porting event, we know if you paid your bills on time. So when you start putting those types of signals together, Blair says he's Blair, his ID says he's Blair, Wells Fargo says he's had this bank account for 20 years, and AT&T says he's had this phone for 20 years, that's pretty solid. When we start seeing bank accounts that were opened up three days ago, or new cell phones that were issued yesterday, or identity documents that aren't going through a lot of rigorous examination to make sure that they're real, because they're pretty easy to get valid templates of real identity documents out there, so use somebody strong in that regard as well.
I'm just going to add one more point. We had a seminar last week and something surprising to me, over the past year, 80% of the fraud has been performed by synthetic identities, an astounding number, it's never been that high before. And if you put all of these signals together, we can stop the synthetics from proliferating.
Deb Snyder:
Right up front, yeah, stop it before it happens. So thank you Blair, for all of those points, you delved into it quite deeply. Mike, what are some of the challenges with the approach that Blair talked about, any good alternatives or suggestions there?
Mike Engle:
Yeah. I mean, one of the key enablers is biometrics, because it's the one thing that if done right, the bad guys have the highest challenge in getting. So you're seeing things like deep fakes, they can make Tom Cruise or President Obama look and say things, that's getting pretty realistic, but that's some serious technology and it's going to be a bit of a cat and mouse game. In reality, if I have my face here, my Windows Hello, or my Touch ID, Face ID, are pretty secure, so being able to do them remotely is now something we can look forward to. Imagine just walking up to your computer, scanning your face, and all of a sudden you're looking at your IRS data or your social security, whatever it is.
It should be that easy, however, we've seen some explosions in the last two or three months, with some of the federal civilian agencies and their use of biometrics because there was not enough disclosure. People didn't really know how the faces are being used, so we don't want to get into a Minority Report situation, where just because my face is in a system somewhere, gives another agency the right to use it. I'm kind of relating it to what happened in one of the California jurisdictions, where somebody's DNA was used in a case to help them, and then later they committed a crime 10 years ago, and that same DNA happened to be in a database, they're like, "Wait a minute, that's you?" So we have to avoid that, and there's ways to do it, there's ways to do it where the user's in control of the biometric and your privacy policies are very clearly disclosed and everybody's comfortable with how you're doing it.
Deb Snyder:
So Mark, you've mentioned standards, I want to go back to that. What basic constructs do government leaders need to understand and consider, to feel more confident in transitioning to these new strategies?
Mark Weatherford:
Well, it's a great question and when we think about government leaders, most of them, they're not technical at all. So the challenge is to be able to tell the story about some very sophisticated technology that gives them confidence that we are moving this ball in the right direction. That's why I'm just such a huge fan of NIST and what NIST has done, and they have stayed agnostic from the perspective of technology, they've stayed agnostic from the perspective of politics and they are really just about creating these standards that become universal. I mean, you look at a number of the NIST security standards, are basically they're the de facto security standards globally now, look at the CSF and 800-53, et cetera, et cetera.
So I think the NIST construct of creating trust for government leaders and for all of us to say that we do believe in NIST, that we do believe in their legitimacy, that we can talk to our government leaders and help them to understand, because our government leaders, they need us to help them oftentimes to understand a lot of these very technical things. I want to bring up FIDO, but actually, I don't know near as much about FIDO as Mike does, so I'd like to turn over to him because I think FIDO is a really important piece of this as well.
Mike Engle:
Yeah, actually, there's a piece of FIDO technology that was called out in President Biden's executive order, around identity and trust, I think it was back in June of last year, and it's the WebAuthn. So what they said is federal agencies need to do multifactor authentication and move towards zero trust. And so the one standard, it's a nonprofit called FIDO, Fast Identity Online, defines how you can do an authentication without a username and password, their goal is to get rid of the passwords. And for those tech geeks out there that watch the news rags, back on May 5th, they made a big announcement that says FIDO now has this new way to make your FIDO even more usable than it was before, by having it travel with you and be used across different devices. We don't have time to get into the weeds on it, but that FIDO standard, along with the NIST identity proofing standard, really go hand in hand together, prove who you are, and then use that identity over and over again. So it's really like peanut butter and jelly, if you're into that kind of thing.
Deb Snyder:
Peanut butter and jelly with great benefits for users, customers, and government alike, right?
Mike Engle:
That's right.
Deb Snyder:
All right, Blair, let's come back to you for a moment. You talked about identity equity and avoiding decision bias, and I want to come back to that. Concerns as to accuracy, equity, privacy, proper use of biometrics seem to be top of mind for many people, what are your thoughts on those issues?
Blair Cohen:
Well, as they should be. We work with regulated industries, big enterprises that have model governance teams, and they need to be darn certain that they're treating everybody, giving every single constituent an equal chance to retain services from that enterprise. There's been a lot of bad press out there about some of the biometric modalities, and quite honestly, some of the modalities aren't quite ready for prime time, but specifically there's been a lot of bad press around facial recognition. And while it's true that there are some poor algorithms that don't perform well on different genders, different age groups, different ethnicities, the very latest NIST report came out January 24th this year, shows very little variance in the top performers. So male, female, young, old, dark skin, white skin, they almost perform, all the top performing algorithms are almost exactly on that zero line, there just isn't, what do they call it? Gosh.
Deb Snyder:
Great variance or deviation across the-
Blair Cohen:
There isn't bias, they call it something else at NIST. But anyway, it doesn't really exist with the top performing algorithms today. And I see another question here that was asking about telcos and banks. Everybody has an identity document and expects to offer that in the course of trying to become a new customer, and everybody has a biometric, everybody has a face or a voice, whereas not everybody knows the answer to all of the knowledge based authentication questions, nor do we know what questions to ask everybody for knowledge based authentication. So I think it's kind of shifted and gone the other way, some of the new technologies are allowing more inclusion.
Mike Engle:
Yeah. We have a great question there about poor, disenfranchised, and that is a goal of many of the agencies now that are trying to digitize, is how do you do it in a way it's fair? What if I don't have a smartphone, which there's a population of people that don't, you can't leave them out of the process completely. It may be a little harder for them, but you have to be able to provide them services.
Deb Snyder:
Yeah, you still have to allow alternatives so that you don't create barriers or impediments to get benefits or to get access and so on and so forth, so I would agree with that. So Mark, let's shift gears a bit, let's turn back to IAM and the connection, foundational connection of trust to zero trust. How do you see the current federal administration impacting IAM practices, with the push towards implementation of zero trust, how do digital identities and those identity validation strategies that we've talked about, help with the challenges that agencies are going to face in terms of opportunities for accelerating adoption?
Mark Weatherford:
Well, I feel like I'm in the position here of supporting the government in everything I'm talking about today, but I do think again, not just the current administration, but even previous administrations, they've been moving forward, glacially in some cases, but they've been moving forward on upping the ante on IAM. And Mike mentioned it earlier, President Biden's executive order of May of last year, called out very specifically that zero trust was going to be the future of if you want to do business with the government, you had to have zero trust solutions, and the federal agencies were going to be implementing zero trust across the board. And that's happening today, again probably not as fast as some of us would like to see it, but the federal government really is not standing by. We have finally, I think, we really have, we're seeing a ground swell of opportunity by having the right people in place in the government that are pushing some of these initiatives.
You look at what Chris Inglis is doing as a federal cyber coordinator, he just talked yesterday or couple days ago about a national cyber security policy. And IAM is part of that, it has to be part of that. So I think zero trust is going to be key to the future, IAM is absolutely connected at the hip with zero trust. And I think the federal government really is becoming perhaps the biggest cheerleader for not just cybersecurity in general, but even some of these individual components like IAM and zero trust.
Deb Snyder:
Thanks, Mark. All right, we have a couple more questions in our panel discussion, and then I want to grab a couple of questions from our audience. So Mike, what about the movement that we're already seeing, I think you've mentioned it, Blair's mentioned it, towards consolidated digital identities, and you even mentioned passwordless authentication being used in some capacities. So what are some of the other ways that organizations are using these new ways of validating?
Mike Engle:
Yeah, the two standards I mentioned in the beginning, really set the stage for what's called decentralized identity, or some people call it self-sovereign identity, which puts the user in control of the identity. So the old model of decentralized authority, and we've all seen login with Google or login with Facebook, and that got popular for a bit then everybody's like, "Wait a minute, I give them enough as it is now, I don't trust them." So you never see login with Google to get into your bank, first of all, the bank wouldn't allow it either. So these decentralized technologies are starting to get more popular for a couple reasons, is they work, under the hood there's something called the trust over IP, which is like, think about it as DNS, but for identity.
So when you type in an address today into your browser, it's an easy way to go find the remote computer and get there. And you'll be able to do that with identity soon, where if you need to get somebody's identity and prove who they are, it'll be out there in a registry that's safe, privacy preserving, and these technologies are allowing it. So we're a member of a bunch of the industry organizations that are trying to further decentralized identity, for example, and it's what a lot of the other country efforts that I mentioned are doing behind the scenes as well. So more to follow on that, and there's no shortage of industry events and things like that, that talk about these as well.
Just real quick, the other thing that's really accelerated is, whether you like them or not are, NFTs, and there's this whole craze and the bit of the NFT bubble, but under the hood, that's a decentralized technology and decentralized finance has gotten really popular. So it's a movement and identity will be needed for those technologies to mature, and it's up to us to provide that foundation to be able to do that.
Deb Snyder:
So we're getting close to the end of our time, and I want to take a couple of audience questions, but let's just ask each of you, if you could, just to summarize kind of some of your final thoughts regarding kind of getting started, where every organization can start to pick up the pieces, and how government agencies can begin to get their arms around this. Mike, let's start with you.
Mike Engle:
Yeah, I think there's an old saying that some motivational person said that really stuck with me. I don't remember the person, but I remember the phrase and it's beginning is half done. You think about that project you have to start, and I talk to CISOs every week and I ask them if they've tried putting a form of identity onboarding or modern authentication onto any of their systems yet, and they're like, "No, it's on our to-do list." Well, if you're not doing it, the bad guys have a bigger chance of taking advantage.
So there's a lot of ways to put this stuff in parallel to what you're doing today. Run one employee or one new contractor or customer through an identity onboarding experience, do some A/B testing. Same thing for authentication, log in the old way here, username, password, 2FA, stupid human tricks, or come over here on the right and do WebAuthn, or log in with QR code or something along those lines. It's not hard to do, and you can do it in a phased way, so you get your feet wet with the technology, human aspects of it, which is where things typically go wrong, it's not the technology, it's how do you get people to trust and like and adopt it? So my experience has been those that just will try it with 10 of their IT employees or friendly customers, will really get a jump forward on their competition, or just to make what they do better.
Deb Snyder:
Blair.
Blair Cohen:
Reusable identity is here to stay, whether you call that decentralized identity, verifiable credentials, self-sovereign identity, FIDO, the ability to reuse your identity, enroll once, reuse it over and over and over and over again is here to stay. Don't wait, get started now, don't worry about picking a standard. The time is now, your customers want it and it will save you a gazillion dollars.
Deb Snyder:
And Mark.
Mark Weatherford:
Yeah, so the Verizon Data Breach Investigations Report came out today and it's always kind of the annual, everybody reads it because it's kind of humorous in some respect, but one of the things that stuck and I've just barely glanced over it, but 82% of breaches, of security breaches involved a human element. And it didn't go into how much of that was the result of fraud and identity, but I'll bet it was a lot. And the second thing that I would say, and again, just putting my security guy's hat on, we always have to remember that the bad guys have a vote. So bad guys are absolutely trying to figure out how they can circumvent everything that it is we're trying to do. So building the appropriate controls around this technology is really, really, really important, because the bad guys are continually trying to subvert all of the good things that we're doing and the good things that Mike is doing at 1Kosmos, so we just have to remember that.
Deb Snyder:
Thank you, Mike, Mark, and Blair. Many of you have asked about getting copies of today's presentation, and the thing I want to remind you is that within the next 48 hours, Government Technology will provide to all attendees, a link to the recording for your reference, and you can also share that with your colleagues. So we are at the end of our time, I want to be respectful of our one hour commitment, we're going to wrap it up here, but in closing, I would just like to thank all three of our presenters, Mike, Mark, Blair, for your presence here, for the insights you've shared and your expertise. And also of course, a very special thank you to our sponsor and partner at 1Kosmos and Authentic ID, for enabling us to bring this extremely worthwhile discussion to our audience. And last but not least, thanks to our audience for joining us today, we look forward to seeing you soon at another Government Technology event. Stay safe and have a great rest of your day.
Mike Engle:
Thank you, Deb. That was fun.
Mark Weatherford:
Thank you.
Blair Cohen:
Thank you.
Unlock to learn:
- How IAL2 / AAL2 verify citizen ID remotely when applicants enroll and at every login
- The new approach to multi-factor authentication that eliminates one-time codes
- How to give citizens control over their personal information without it residing in a central database
- How to overcome loopholes in first-generation facial recognition systems
- The benefits of using distributed digital identity to create a portable digital wallet
Fraudulent tax returns and new cyber schemes to defraud state agencies of COVID relief funds have pushed citizen identity fraud to new highs. But as federal agencies rushed to stem the tide with facial recognition, new privacy and efficacy concerns have surfaced. How can federal, state and local government agencies verify applicants, protect personal privacy, and authenticate logins to efficiently deliver services to qualified citizens?
In this webinar, we took a close look at the problem of citizen identity fraud. We discussed the security, privacy, efficacy and usability issues facing government agencies at all levels. And, we took a close look at how many government agencies are transforming operations using new distributed digital identity solutions to ensure much needed services reach the people they were intended to help.