Simplifying Workforce Onboarding and Identity Access Management
Video Transcript
Mike Engle:
All right, well, let's get started here. We'll start slowly so we can give people a chance to get beyond their back-to-back meetings.
Thanks everybody for joining. We're here today to talk about new ways to onboard and authenticate our workforce, employees and contractors. My name is Mike Engle. I'm joined today by my colleague in the industry, Sam Tang. Sam, if you wouldn't mind saying hello and tell people a little bit about yourself.
Sam Tang:
I would consider myself as a friend, more than a colleague. But Mike, thank you. So thanks everyone for joining today and very excited. This is top of mind topic for both Mike and I. We've been working together for quite a bit of time, and I'm hoping that the audience will hear from us, some of the emerging trends, why we're pushing the boundaries around authentication authorization. So very excited. Thank you, Mike. Back to you.
Mike Engle:
Thanks. And as I mentioned, I'm Mike Engle, a co-founder and head of strategy here at 1Kosmos, and we'll get into the weeds a bit on what 1Kosmos does as we start to tell our story. And just quick icebreaker before we get started. Sam, maybe tell something a little bit about yourself, either maybe the last fun thing you did or the last couple years, one of your favorite trips you took or something.
Sam Tang:
No, thanks for that. And I have to say, I was going to talk about my Italian trip back in June. That was amazing. Lake Como and Venice and so forth, so forth. But actually what I want to brag about is the ability for me to actually do nothing for three days last week during July 4th break. And for the audience, think back, when was the last time you were able to actually say that you did nothing three days in a row at any time? So-
Mike Engle:
Amazing.
Sam Tang:
Very, very proud of myself for being able to do that.
Mike Engle:
Even when you go on vacation, you could be high-strung, you're running around, seeing all the sites and stuff. So there's something to be said about a good old-fashioned staycation, if you do it right. So yeah.
Sam Tang:
Especially the fact that I live in New York City.
Mike Engle:
Exactly. Well, good. Well, excellent. Well, we're going to talk today about the way we engage with our workers, our contractors, et cetera. And there's a number of challenges that we're going to address today. And really, the major, the root of the problem is experience. We're using technologies and methods sometimes that are stuck in the nineties. Things like email should not be a part of your conversation when you're onboarding, and one-time codes and things like this are stuff that we've been using since the nineties as well.
So we're going to talk about some different ways to do that. And not just about onboarding our new hires. And we all went through a revolution on how we did this after COVID and during COVID, of course, but then how we authenticate and engage with these people. Our employees have to log into their systems dozens of times a day or week. And so there's better ways to do this as well. And they can be done the same way at the same time. And it's really all about reducing risk while fixing a broken user experience.
And Sam, I know you've got gazillions of clients that you work with to solve these types of things. I'm sure you're seeing trends. I'm wondering if you could touch on some of the trends that are pushing the boundaries on how we onboard identities today and some of the things we could touch on there.
Sam Tang:
Thanks, Mike. So there's quite a few, but I'm going to pick on some of the more prominent trends that I'm seeing over the past couple years in terms of the space that we're in. So the first is, I think you mentioned that it's focused on workforce today, but it's really the solution and the approach that we take with IAM. What I'm seeing is that there's a convergence of B2E, B2C, and B2B requirements for IAM as well. That's pushing a lot of our clients in thinking about how to organize and how to structure their support organization for IAM. So the solution that we really offer to our clients is it will satisfy the business models of B2E, B2B, and B2C as well.
The second thing is really, it's really emerging, how to manage contractors and third-party identities correctly with security, with compliance and so forth. And if you apply this technology of what we talked about today, it's going to allow you to simplify. One of the trends that we're seeing as well is combining physical security and also logical security, how to manage that access. And there's a buzzword, zero trust.
Trust is still going to be pushed up the boundaries, but trust more importantly, it's not just about the identities, it's about the devices. It's about the assets that you're trying to gain access to. And the shift, culturally, of having a global set of services and global controls that we follow to regionalize controls, regionalize things that we have to do for authentication and for authorization, especially in the global footprint.
And of course lastly, most recently, AI, but more importantly, how do we take advantage of the AI to simplify the things we do in digital identity in IAM? So Mike, you and I, over the past three decades, we've seen trends come and go, but at the end of the day, if you look across the trends, there's two key things that we always focus on. You touched on one of those earlier, simplification and harmonization, and we're going to touch on both of those words quite a bit today. So back to you, Mike.
Mike Engle:
No, that's great. That's great. So let's ask the audience for a quick poll. And we have three questions that we'll be asking throughout today's webinar. And really, what is a number one priority? And it could be for you as a user or if you happen to own or manage some of this process, for you, as a deployer of these technologies.
So better experience, accuracy of the new hire, and we're going to talk about that next, and support for remote hiring and onboarding, which again, we all went through during COVID. So we'll just give this a couple seconds. I'm wondering, Sam, are you seeing any remnants of the practices we put in during COVID? Other than, traffic used to always be on a Friday where I live, now it's a Thursday because everybody works from home on Fridays, so seems to be-
Sam Tang:
Really, what I saw immediately when COVID hit is, obviously everybody experiences as well, remote workers, the support of remote workers. And so the anticipation of people working remotely was 10% to 20% at most before COVID. But when COVID hit, it was close to 100% and people were not really ready for it. And this is one of the reasons why we're having this conversation today, is getting people ready for things that may happen that we don't anticipate.
Mike Engle:
No, that's great. That's great. So, the results are in here from the first poll, and it's a decent spread, but the majority is accuracy of the new hire, and we're really going to hit that hard here today. So let's jump into that. I have a couple of stats that I found that are pretty new and surprising, but that 5% of all new hires in the USA are fraudulent.
And the definition of fraudulent can be, you're not hiring the person you thought. That's the worst kind, because did you hire somebody who's there to steal secrets? But it's also people that just simply lie about their background and experience. And this research comes from the Ponemon Institute. So you think about it, that's 50 out of a thousand of your employees could either have lied or not be who they say they are. But the most common form, according to this study, is to gain access to sensitive information. Corporate espionage is a real thing.
I'm guessing, Sam, this is something that your clients worry about quite a bit.
Sam Tang:
Yep. And Mike, just something to add here is, what we typically do is we vet an identity, either it be an employee or contractor once, and then we assume that person that we just vetted is the same person two months from now, which is not the case. So that's why we need to look for a solution that allows us to do this continuously, not just a one-time vet.
Mike Engle:
That's right, getting to that real zero trust around identity. So, we'll be showing some examples of that here in just a minute. And of course, financial services are the most targeted industries followed by healthcare and technology.
So, I don't want to drown too much in stats, but the second and last one is the percentage of employees that hired somebody to do their work at least once. And I don't know if I'm guilty of this, but I've used services like Fiverr to have somebody make a graphic. Hopefully that doesn't count, but we've had clients, Fortune 500 clients that have caught their employees giving their credentials to a contractor in Eastern Europe because it's cheap and they get 30 hours of their week back. So if you can give your username, password and a one-time code away, you don't have zero trust. And we call this collusion. So one of the things that we've built into our product is collusion-proof authentication. How do you know, to your point earlier, I hired Sam Tang four years ago, but this is Sam Tang logging in tomorrow. So I think, this study here, which comes from the University of Maryland, is pretty cool.
So, let's jump into some of the challenges. So we've all gone through hiring the old way, probably even the young kids on the call today. You go through talent acquisition, HR calls you up and says, "I need a copy of your government credentials." So what do you do? You take a picture, you email them. You used to have to go in person, but of course COVID changed all that. And then you're also worried about, is that person the same person that's emailing me the document? So HR may look at you in a camera maybe, or maybe they don't even bother doing that. They trust that it's the person that went through talent acquisition. So Sam, any challenges you've seen, some clients that you could share in this process?
Sam Tang:
As you mentioned, yes. Since you were addressing some of the younger audience members. So I would like to give a little bit of a history as to how the IAM space even came to be. So if we took a step back with the three decades that, like Mike, I said, you and I have in this space. If you go way back in the late 90's, early 2000's, the start of our space is not at the point when it was not even called identity management. And for 20 years, if you take a look at what we did in IAM, it involved passwords, it involved credentials.
So really what you're seeing is that 30 years ago there was a lot of emphasis on maybe help desk, reduction of help desk, the management with password, password history, password complexity and so forth. But more importantly, if we had a solution that allows us to reduce the dependency on passwords, even if it's 80%, how much can we reduce from a management standpoint? How much can we improve from a security standpoint? There's quite a bit.
And the second is, the challenge is continuously the user experience, like you mentioned, but the user experience and everything that we do is not just about the end users. You need to really take a look at the user journey as a whole to see how it impacts administrators, delegated administrators, end users, and people with elevated access, people with temporary access. So the user experience itself is very key. And the third I'll speak about is really how the business environment and cultural environments, external environment even changes to what we have to do in IAM, things like mergers and acquisitions or divestitures.
So how does that really impact the way that we handle IAM and how do we handle coexistence overall? And if we do, Mike, if you and I do our jobs correctly, what I'm hoping the audience will catch, what are our talk track and what we're presenting is really addressing all three challenges that we still see in the industry.
Mike Engle:
Exactly. It's migrated beyond so much account management right now. You have to actually know who it is and prove who they are and continuously authenticate them with that identity.
Sam Tang:
And credentials could be tokens, credentials could be a lot of things these days.
Mike Engle:
That's right. So we're talking about real identity here today because that's how the journey starts into an organization, is you have to fill out an I-9 form here in the US, you have to prove you can pay taxes. And that's where we can start to make a difference right out of the box. So talking a bit about identity enrollment and what it really means, we can do all this stuff digitally today and do it with a high degree of accuracy and still stop bad guys from bucking the system, if you will. And so, the top here in this first box, these technologies around identity proofing and identity verification are tried and true. You're seeing all kinds of service providers pop up, whether you're having wine delivered or you're verifying your identity on LinkedIn or trying to rent an Airbnb, they're now verifying your identity.
And yet organizations, companies are slow to embrace this. And I think that's going to change really fast, especially if you listen to the analysts and see where the energy's going in the industry in general. So what are the states of art here? Proofing. I am taking a picture of a government credential or maybe even using an electronic credential. In some other countries we can do that, where they have a digitized identity document. You're seeing driver's licenses get digitized here in the US, so there's hope. You got Apple Wallet and things like that that are looking very promising.
And then you have that data from a document and you verify it. I'll show a pyramid of how this process breaks out here in a second. But then take it a step further. I've just issued Sam Tang a credential, I've verified his credential, and I can issue the authentication token at the same time. And that's this third box. So give the user a key and use that same biometric over and over again to get them into the system.
And think about the old way versus the new way. It really is an enabler. And this is what we call passwordless, at the end of the day. If you never had a password from day one, that's really the end goal for our new users. So let's pop in one more polling question, Maureen, if you could. We'll tee it up here. So real biometrics, we've talked about zero trust in identity. And Sam, I'm sure you're a believer in this, just because you're in the industry, but what are your thoughts on looking into the camera to prove who you are or using your voice and talking into a microphone? Do you have any objection to using this yourself?
Sam Tang:
No. If you follow what is going on in fear with some of the chatter around gen AI and the way that people can use deep fake and things like that. So what you're about to see today with Mike and some of the demos that you're going to see today, the way that you guys are verifying is very unique, and it's something that we're looking for, which is not more than just what I look like, but my gestures as well.
So, the speed I turn to the right, or the way I smile, the way I sound, tell me to speak my certain name, in a certain speed. Those are the things that only I know and I am. So that's what you're going to find today, is that just because password authentication is more than just being able to just take a look at your eye or your face, but more about gesture and also who you really are.
Mike Engle:
And the reason that we asked this question, this is, just seeing the results here. 80% of our respondents said they would consider making their contractors... We kept it into a specific bucket, but having their contractors use their face to log in. If you don't want to do it, don't work here. But I think people are getting more comfortable with it.
And Illinois, you have some pretty draconian rules around privacy, but it's just what you want to prevent is can Sam Tang's photo be used for other purposes other than that onboarding or authentication? If the answer is no, then you can trust it. And so you have privacy disclosures. How many times have you looked into a camera or had your face caught on camera walking down the streets of your city, Sam, right? It's like it's time to not be afraid of it, but to do it responsibly.
Sam Tang:
This aligns with one of the trends that we're seeing earlier when I mentioned the physical, the convergence of physical and logical access. That's very important.
Mike Engle:
Just put your face onto the turnstile and you're in the building. Why not?
So let's walk through the digital onboarding process. It's really straightforward. I had this covered in the last slide, but it's as simple as scanning your documents that get verified in real time and then it's transmitted into the onboarding system. Along the way, if you want, you can verify the person's location. And if they have to come into the office, I don't see why they wouldn't mind temporarily sharing the location, that they're at home. That you're developing a sense of trust with the employee. So ask them for the location. This can all be done inside of the app, phone numbers can be verified, et cetera.
And when it's done right, this can all be in control by the user. So if you think about the wallet that you have or your purse for women, I don't want to be gender biased here. You keep credentials in there and they're in your control. And you can now do this digitally as well. And the state of the art here has really advanced. So I'm just popping up about a dozen different security features that can be checked on standard documents. So there's nuances in how the fonts and the print and the photo layout and looking for glare. All these things are evolving pretty much weekly where the bad guys are trying to do certain things, the good guys are learning how to detect those bad things, et cetera.
And so, we're seeing a much higher accuracy rate. And people will say, well, Mike, well the bad guys could, insert bad thing here, but they can also do that to the HR person who's not qualified to look for it. So I guarantee you that my technology and my high-res 13 megapixel camera is going to do a better job than the HR rep. So let's again embrace this and not be afraid of it. I'm sure your clients are in tune with this type of stuff, Sam, right?
Sam Tang:
Yeah. I'll give the audience an example of what the importance of what Mike is talking about here, is really going back to what I said about the physical security is, what one of the requirements when COVID just happened is the ability for us to detect who the person is that's walking around the hospitals, going from floor to floor, room to room. How do we guarantee that the person is who they say, and should they be accessing those locations? Think about the sensitivity aspect of that.
So what we're talking about here, just application of that is endless. How about, what if we were able to actually use this technology also in front of schools, in front of hospitals, in front of manufacturing? So it's really, if you think about the application of this, it's really anywhere that you need to verify succinctly that a hundred percent the person is who they say and should they be there where they're at currently today?
Mike Engle:
Let's double click on that, because perfect segue. It's as if we've rehearsed this or something, which-
Sam Tang:
Which we did not, Mike, actually.
Mike Engle:
We didn't. No, no. It was just, making it happen here. So verified identity, I mentioned two distinct categories, ID proofing and then ID verification, but it actually can go much deeper. There's a lot of devil in the details in doing this stuff. And so I'm just going to step through this pyramid quickly. Every website, whether it's Amazon, CDW, Macy's, will verify phone number and email. It's kind of the table stakes today.
As you're doing that, you can actually start to build some trust in that phone number, in that email. So, have I seen it before? Has my provider seen it? Does it have a risk score associated with it? But it doesn't verify identity that well, it's a starting point, just because I type in a phone number. And then we have something we call SIM binding. If you think about any time you type in your phone number and you get a six-digit code, that helps that you are in possession, potentially in possession, but those six-digit codes can be intercepted and they can be shared. So binding is the reversing of that process. I am sending a message from my phone number. And it's one of the ways that strengthens the score of the SIM and the phone number and the trust.
And then we already talked a bit about identity proofing. So take a picture front and back. Now as you're doing that in real time, we can verify the driver's license with AAMVA, which is the aggregator for the Department of Motor Vehicles across the 50 states. And any passport can be checked for digital signatures against the ICAO database. So this is the issuing authority for passports.
So again, not just taking a picture, not just asking the user for information, but putting all this stuff together and verifying it with the credit bureaus is what we call data triangulation. One plus one equals three. And it really makes a big difference in the level of trust you can have with a new hire or a new customer when you need that high level of assurance. And then we're going to touch a bit, a little deeper about biometrics. This is what you can use to match the photo on the driver's license or before you log in as root into your Amazon cloud infrastructure. "Hey, Sam, would you just look into the camera? I want to make sure it's you and not a bad actor."
And then putting all this into a wallet is what makes it extensible, portable, private. And this is where the sea of change is coming in the industry. So let me have my identity and let me use it over and over. So if we call this the verified identity triangle, what's your favorite part of this, Sam?
Sam Tang:
I'm going to point on one main part, which is the data triangulation. And the reason why I want to focus on that, Mike, is because your accuracy of your identity proofing and trust of the person is really the accuracy of the data that you use as well. And one of the things that we always look for is not only of what data you see about the person external to the environment, but more importantly, what if we were able to include your internal data as part of the verification process as well. So the data triangulation is the number one piece here.
Mike Engle:
Absolutely. Once you have the data, you can start to make really intelligent decisions. So let me just pop up a quick example of how a new hire could go through talent acquisition and transmit this data. And maybe we'll see if I can prove that you're Sam Tang here in a few minutes as well. That might be fun. And we'll talk about-
Sam Tang:
We didn't rehearse it though. Knock on wood. It's going to work.
Mike Engle:
Here's one example of a modern identity enrollment. An important thing to realize here is this is somebody just onboarding their own identity for themselves into their own wallet, and then with consent, transmitting it to a third party. So what I asked Sam to do this morning was this process where he launched an app, set up his wallet. And that's a couple of biometrics and a PIN. So you see here, this is a PIN to protect the wallet, turning on some biometrics, and then enrolling a live ID. This is your real life selfie, and this is an enabler for identity verification and zero trust from an identity perspective. I didn't want to show Sam enrolling his identity, but we'll get to that in a second.
Sam Tang:
But Mike, something that the audience may not have seen. You were asked to smile and you smiled. That smiling is actually being used for the part of the verification as well. That's key.
Mike Engle:
Exactly. We call that liveness. There's two types of liveness. One is active, which is what you saw there. It's a little more friction, where you're asking the user to just move your head or turn left to right or smile, and we'll see that in a second. But there's also lower friction ways of passive liveness. And that just uses the environment, the fact that you can tell it's real. And if you've ever scanned a check into your banking system through Chase or Bank of America, whatever, they use document liveness. Can I tell this is a real document, not a picture?
And so these technologies are evolving and really becoming a game changer for user experience. So we've enrolled a couple of biometric assets, and then depending on who you are, your country, what you're trying to do, we can scan government credentials. And this is doing all those things that I mentioned before, checking the security, matching the photo front back, et cetera. It takes a few seconds, far more secure and easier than taking a picture and sending it to HR. And we also support passport, very similar process, scan the front, extract the data, match the photo. But then we can go a step further and hold the photo or the phone up to the passport and read the chip. And that gives you a digitally signed, trusted credential from, in the United States, the Department of State, for example. And so with the press of a button, we can ask somebody. So let's try something brave here Sam, I don't know if you have your app handy.
Sam Tang:
I do have my app ready. I have it phone ready.
Mike Engle:
This is our 1Kosmos demo site. And what it says is, "Did you already enroll your identity?" Like we did just a second ago. And now, if I really wanted to know that I am in an online transaction, Sam is my doctor as an example, or Sam's my new employee, and I want to verify that he's the person on the government credentials, it's as simple as asking the user. So Sam is now scanning this QR code.
Sam Tang:
The glare?
Mike Engle:
Yep. When it's on a monitor, it can be, you have to tilt it a second.
Sam Tang:
Give it a sec. Nope, it's reading. It's just not scanning right now.
Mike Engle:
It's either brave or foolish to do a live demo on web.
Sam Tang:
I'm just trying to get the phone to scan, but it's not picking it up as a QR code. Give it a shot. No, it's not scanning.
Mike Engle:
No problem. No problem. So I'll pull mine up, doing this remotely. So here's my phone and what Sam is doing is scanning the QR code.
Sam Tang:
Oh, by the way, I just got it to scan.
Mike Engle:
You did?
Sam Tang:
Oh, it just went away again. No, go ahead. You can do it.
Mike Engle:
So now it's asking me, you can see, to engage with the camera, proving that I'm real, not a deep fake or some other type of bad actor. My data is now transmitted with my consent from this digital wallet and sent to the requesting party. And what happens then is HR gets a digitally signed credential from whatever is in my wallet. So here's my credentials transmitted and HR receives this and trusts it right out of the box. So we'll get Sam to do his live at another time. Thanks for trying. It's a great sport.
So we just went through the enrollment. And now, what happens, once we've done this, that data was transmitted and goes directly into your IGA process. So whatever it is that jumpstarts your journey into the system. Now the final step in this is where the beauty of doing this digitally kicks in. I can now email the user their credential to get into their applications on day one.
And so if I just extend this a step further, I'm sent an email and all I have to do is say, all right, I just got through, today's my first day on the job and I'm going to, again, simple process, starting with user experience, scan this QR code, give permission to transmit my credential, and I am staring at my downstream applications. I can get into whatever platform, into my desktop with that same experience every time. I have chain of custody on the identity that was given to me. Only I have it in my wallet, nobody else can use it because of my biometrics.
So, how does that compare with the, I don't want to throw EY or EYG under the bus, but I know you guys are heading in that direction as well, right? Sam?
Sam Tang:
We are. And EY, being one of the big fours, one of the things that we always emphasize is really focus on compliance. So what I'm really talking about here is, through this journey, this user experience, we got to make sure that everything's audited for purpose of keeping evidence as to not only just how people got their access, but when do they use their access. And that's going to be very crucial.
And one of the things I'm going to talk about towards the end of the session, which is how to take advantage of AI and the actual usage as part of this experience to make sure that we use that information, use that data triangulation, including the actual usage patterns that we see as part of the transaction approval of authentication transaction, authorization transaction, or even business transactions like payments. So that it's really the importance here is every step of the way because the visibility, we are able to audit and keep evidence as to how people would use their access and how they gain their access as well.
Mike Engle:
That's a key point. And if you notice the name of our product suite is called BlockID, and we have a private blockchain back end, which gets you back to that chain of custody. Imagine if, from the time the genesis moment when you joined EY, you were given a credential, and then every time your identity was used, there's chain of custody for that authentication that goes back to the original one and says, yep, that login, so that Windows workstation is the same Sam Tang that was here, block by block by block. And so it's a real... It gives the InfoSec team some real warm fuzzies that nobody could manipulate the logs and things like that.
Sam Tang:
And Mike, just to give this a plug, from an adoption standpoint, and what you and I are seeing is that there's certain countries, certain regions that are ready to monetize verified identities as well. What that really means is that, what we're going to start a trend towards is that, what if we're able to actually truly verify in that identity and be able to reuse that identity for other purposes as well, like the B2B experience, like the B2C experience, like using that same identity for being a contractor and so on and so forth. So that's coming.
Mike Engle:
It is. And I'm seeing banks have a really solid identity profile of their customers. I trust my bank with a lot of info. And so if I could go to Macy's and Macy's says, "Do you have a bank account with one of the top six banks? We'll just create your account in five seconds and we're going to give you a discount." I'm like, "Sure." And it does a federated authentication. You see this with a couple different countries are rolling these types of schemes out. And it's promising because until the government gives us an ID that's portable and usable and digital, my stinking driver's license still doesn't have a digital credential on it, but it will soon. There's other ways to do it in the industry. So reusable identity is a real hot topic.
Sam Tang:
And Mike, I'll give this a plug too. The reason why a lot of the merchants, a lot of the retail stores are very excited about this is because it does reduce the amount of attention they have to pay to fraud detection as well. This truly is an enablement for fraud.
Mike Engle:
Exactly. Exactly. So last and final polling question, is your organization using or does it plan to use ID proofing in the next 12 months? So this is a simple one, yes or no. And we're seeing an exponential uptick in interest here. So all of our clients that do passwordless authentication, that's just trading in username password 2FA for public private key cryptography and biometrics. Their day two conversation with us is, all right, can we do it with verified identity now? And then some companies are calling us to start with this and not passwordless because of all the reasons we talked about here today. So I'm optimistic that we'll have lots of yeses here as they press this button. See how we do.
Sam Tang:
Oh.
Mike Engle:
It's a 50/50 split.
Sam Tang:
It's 50/50.
Mike Engle:
Okay. I think it's happening quickly though. It's like, it'll go viral. So let's talk about a couple of considerations. We talked briefly on AI deep fakes and more. Should you worry about biometric authentication with things like deep fakes, getting all this press in the news with AI and the ability to say, I could probably come here right now and say go watch all of the webinars with Sam Tang and generate me a nice little four second video of him on this screen.
Right?
Sam Tang:
Please don't do that.
Mike Engle:
Well, but it is a real concern, and especially with voice. I find voice, because it's just, there's so much audio out there, and it's not as much to look at or analyze, but what we find is you just have to stay on top of the trend. So don't just ask somebody for a static, to your point, you pointed out that liveness, "Hey Sam, hold up today's newspaper or just put two fingers in the air quick." It's hard to do that stuff on the fly. And so there's different ways where we can mitigate this. And rest assured that we have access to the same AI that the bad guys do. So we can use AI to detect variances in images, for example. And that's a big part of what we're doing today as we get more and more samples and see more bad guys do bad things.
So are you worried about AI?
Sam Tang:
Who me?
Mike Engle:
Yeah. Are you worried about it?
Sam Tang:
I am not worried about AI because I am a firm believer if you have nothing to hide, and if you feel like the services that you are using are using security by design as means of protecting my data, and as long as you have full transparency of all the things that you are using your phone for, all the services that you're using online for, your information's going to get out.
And I'm not really too concerned about AI because I know exactly what's going on with my identity in the open. It's out in the open. But as long as you are clear that you have clear vision of visibility into the services that you're using and also the way that you're protecting your data, I think you have nothing to worry about. But more importantly, it's not about the fear of AI, but more importantly for the enterprises, how can they take advantage of AI so that they can actually be more proactive and preventive and allow for people to gain access to things, make it actionable, make AI actionable to help your security organization.
Mike Engle:
Right, right. And we make the mistake as humans of comparing something new to perfect. So we're asking this question, "Oh my God, what about AI and deep fakes?" Well no, what about somebody getting a username password and 2FA and stealing that? It is a thousand times easier for a bad actor to do that than it is for them to create some Max Headroom liveness of Sam Tang and injecting it into my Windows log on. So, I think we have to keep that in mind, and you don't want perfect to be the enemy of good and great.
Sam Tang:
And I'll share with the audience maybe a few more considerations if we have the time, Mike. Do we have the time? Just a couple more-
Mike Engle:
Oh yeah, we're doing good. We got about five, six more minutes and we'll wrap up.
Sam Tang:
I'll share with the audience other key considerations. Are you thinking about how to handle your onboarding services? So the first is make sure that you think about the solution if you think about applying technologies like this to focus on not just about the front door, but inject the process into the front end process like recruiting, like talent so that a lot of the front end work can be done even before it gets to [inaudible 00:40:08].
And the second thing I want to say is that solution here is not just about getting access to the environment, it's also the use of this at any given time at runtime that allow you to protect your infrastructure, your cloud, your on-prem services, your applications, your services, your data, your assets. So think about holistically as how to take advantage of this technology. The second one is, I think we used the word simplification quite a bit today, but the thing I want people to really realize is just because we're saying that we want to simplify things doesn't mean that the solution doesn't focus on compliance, privacy, security and so forth.
And again, if you do simplification correctly, I truly believe that you are going to be able to actually focus on what your true business value is that you're trying to glean from this solution. And that being, how much more transparency can you get? How much do you really know about your environment?
The second is how ready are you in case another COVID happens? Resiliency, how well are you equipped in protecting your assets inside your environment? And the last is the last R, these is, when I call it the four Rs, is remediation. How quickly can you respond to something and we react to something?
So I just want to make sure that people realize that just because we're talking about simplification and user experience, but there's other things that you can actually apply this technology to as well.
Mike Engle:
No, I love it. So let's... I'm going to throw one other quick demo in here. We talked about deep fakes and biometrics. Imagine if you could, so here's your stealable username and password. And many times Windows doesn't even have a 2FA on top of that. You can do some Windows Hello, but take it a step further instead of username, password, we can take that face that's been enrolled when I did my onboarding. And again, look into the camera, smile, blink, and I'm staring at my desktop. Takes a couple seconds and you have a very high degree of certainty that that is Mike Engle logging into that very important CyberArk console, whatever it is. So that's a real game changer. And again, comparing that to username, password, 2FA, and then give the user an even better experience, 15 minutes later, the workstation's locked, have them just tap their Apple Watch.
So this is an example of amazing high five moment for your users when they're like, "All right, my watch jingled, I tap this button and I unlock my screen." And you can put all kinds of security controls around that stuff as well. If the watch is taken off, it doesn't work. So we talk about biometrics and the ability to do this stuff in a better way, that's what we're thinking. Be aware, but don't worry and use biometrics properly for zero trust into your system. I think they're the future of user experience and security together. And then putting these things into a digital wallet where you have privacy and the user in control of what they're doing, it is the future. And you're seeing the tech giants really lean into this and it's going to make a difference in how we do things.
So any final thoughts on this slide here before we get into Q&A, Sam?
Sam Tang:
No, one final thought here. Again, I'm going to repeat what I said earlier just because today we are focused on your workforce. And the workforce is not just about your contractors and your employees, but it's your third party and your business partners as well. But more importantly, you've got to apply this strategy to thinking about how will this satisfy with all the business models that you need to satisfy. Again, earlier I said B2E, B2C, and B2B, but it's very important for us to focus on how we can actually take advantage of this technology across the board, not just for B2B.
Mike Engle:
Excellent. So I got just couple questions here. I'll touch on one before we wrap up. So the first question is, is the document scanning that you showed supporting international? So we have large multinational organizations. And the answer to that is yes, we support 200 countries. I didn't even know there were 200 countries, but when you count provinces and things like that and thousands of document types. And we're doing this globally, we support not only driver's licenses, but state IDs and tribal documents and all kinds of things.
It's still an evolving art form, but it's getting really repeatable and predictable. So the answer there is yes. And for international, if you're working for a multinational and it's a hire like that, you're hiring somebody overseas, they probably have a passport anyway. And that's really the same type of credential across a hundred different countries for that as well.
And then the second is, what are some of the ways that you make sure that the biometrics are secure? So there's a couple of important certifications there. There's organizations like iBeta, which validates the efficacy of a biometric. So they'll do things like rubber mask tests and cut holes in somebody's photo and try to fake it, have different people to get our iBeta certification. I think we had to have 200 people test certain authentications using our engine and so forth.
So the type of attack detection they do is something called PAD, presentation attack detection. And PAD level 1, PAD level 2, you need that for certain industries. So you can always ask your provider for their biometric certification. And then one other really big scoring one, there is something called FRVT, facial recognition vendor testing from NIST. So they have dozens of algorithms and test thousands of images, and we'll make sure that you pass all these tests as well. So hopefully that's helpful.
Sam Tang:
And Mike, something to point out, and maybe this is top of mind for some of the audience, is that the more important thing is that you are FIDO2 compliant. Yeah, Mike?
Mike Engle:
Yeah, FIDO2 and also NIST 863-3. So, thanks for bringing that up. Those are two really key identity standards. FIDO is the future of passwordless, so you want to make sure you're working with a FIDO2 certified vendor.
Sam Tang:
And Mike, going back to the first question, I do want to tell the audience, the way I registered was actually using my password, not because I wanted to test. Of course, the first reason I wanted to test out the legal document support is 200 countries, but more importantly, it goes beyond just license, driver license. And the second thing there is commission and other legal documents will be supported like your student IDs and things like that as well going forward. So more importantly, the 200 countries, but it's passport and driver's license are crucial.
Mike Engle:
That's right. When we tested this morning, I did take a screenshot, so this is Sam's onboarding this morning, but-
Sam Tang:
When I was able to scan the barcode, yes.
Mike Engle:
Exactly. Like I say, if you have bad lighting, sometimes you have challenges. But yeah, this has been really great, Sam. I appreciate you coming on and sharing your insights.
Sam Tang:
Thanks for having me.
Mike Engle:
Anything coming up in the industry that you'll be working on? Of course, we'll all be at the Money20/20s and things like that later in the year.
Sam Tang:
No, so I'm going to focus on staying put for a little bit and I'm hoping that I'll be making a trip to Europe again pretty soon just on the speaking engagement on a similar topic.
Mike Engle:
That's great. Let's enjoy the summer while we can. And again, thanks for coming on and thanks for the audience for joining and asking a couple of questions and hope to see you all soon.
Sam Tang:
Thank you.
Mike Engle:
Thank you, Sam.
Sam Tang:
Bye-bye.
Mike Engle:
Have a great day.
All right, well, let's get started here. We'll start slowly so we can give people a chance to get beyond their back-to-back meetings.
Thanks everybody for joining. We're here today to talk about new ways to onboard and authenticate our workforce, employees and contractors. My name is Mike Engle. I'm joined today by my colleague in the industry, Sam Tang. Sam, if you wouldn't mind saying hello and tell people a little bit about yourself.
Sam Tang:
I would consider myself as a friend, more than a colleague. But Mike, thank you. So thanks everyone for joining today and very excited. This is top of mind topic for both Mike and I. We've been working together for quite a bit of time, and I'm hoping that the audience will hear from us, some of the emerging trends, why we're pushing the boundaries around authentication authorization. So very excited. Thank you, Mike. Back to you.
Mike Engle:
Thanks. And as I mentioned, I'm Mike Engle, a co-founder and head of strategy here at 1Kosmos, and we'll get into the weeds a bit on what 1Kosmos does as we start to tell our story. And just quick icebreaker before we get started. Sam, maybe tell something a little bit about yourself, either maybe the last fun thing you did or the last couple years, one of your favorite trips you took or something.
Sam Tang:
No, thanks for that. And I have to say, I was going to talk about my Italian trip back in June. That was amazing. Lake Como and Venice and so forth, so forth. But actually what I want to brag about is the ability for me to actually do nothing for three days last week during July 4th break. And for the audience, think back, when was the last time you were able to actually say that you did nothing three days in a row at any time? So-
Mike Engle:
Amazing.
Sam Tang:
Very, very proud of myself for being able to do that.
Mike Engle:
Even when you go on vacation, you could be high-strung, you're running around, seeing all the sites and stuff. So there's something to be said about a good old-fashioned staycation, if you do it right. So yeah.
Sam Tang:
Especially the fact that I live in New York City.
Mike Engle:
Exactly. Well, good. Well, excellent. Well, we're going to talk today about the way we engage with our workers, our contractors, et cetera. And there's a number of challenges that we're going to address today. And really, the major, the root of the problem is experience. We're using technologies and methods sometimes that are stuck in the nineties. Things like email should not be a part of your conversation when you're onboarding and one time codes and things like this or stuff that we've been using since the nineties as well.
So we're going to talk about some different ways to do that. And not just about onboarding our new hires. And we all went through a revolution on how we did this after COVID and during COVID, of course, but then how we authenticate and engage with these people. Our employees have to log into their systems dozens of times a day or week. And so there's better ways to do this as well. And they can be done the same way at the same time. And it's really all about reducing risk while fixing a broken user experience.
And Sam, I know you've got gazillions of clients that you work with to solve these types of things. I'm sure you're seeing trends. I'm wondering if you could touch on some of the trends that are pushing the boundaries on how we onboard identities today and some of the things we could touch on there.
Sam Tang:
Thanks, Mike. So there's quite a few, but I'm going to pick on some of the more prominent trends that I'm seeing over the past couple years in terms of the space that we're in. So the first is, I think you mentioned that it's focused on workforce today, but it's really the solution and the approach that we take with IAM. What I'm seeing is that there's a convergence of B2E, B2C, and B2B requirements for IAM as well. What's that pushing a lot of our clients in thinking about how to organize and how to structure their support organization for IAM? So the solution that we really offer to our clients is it will satisfy the business models of B2E, B2B, and B2C as well.
The second thing is really, it's really emerging how the managed contractors and third party identities correctly with security, with compliance and so forth. And if you apply this technology of what we talked about today, it's going to allow you to simplify. One of the trends that we're seeing as well is combining physical security and also logical security, how to manage that access. And there's a buzzword, zero trust.
Trust is still going be pushed up the boundaries, but trust more importantly, it's not just about the identities, it's about the devices. It's about the assets that you're trying to gain access to. And the shift, culturally, of having a global set of services and global controls that we follow to regionalize controls, regionalize things that we have to do for authentication and for authorization, especially in the global footprint.
And of course lastly, most recently, AI, but more importantly, how do we take advantage of the AI to simplify the things we do in digital identity in IAM? So Mike, you and I, over the past three decades, we've seen trends come and go, but at the end of the day, if you look across the trends, there's two key things that we always focus on. You touched on one of those earlier, simplification and harmonization, and we're going to touch on both of those words quite a bit today. So back to you, Mike.
Mike Engle:
No, that's great. That's great. So let's ask the audience for a quick poll. And we have three questions that we'll be asking throughout today's webinar. And really, what is a number one priority? And it could be for you as a user or if you happen to own or manage some of this process, for you, as a deployer of these technologies.
So better experience, accuracy of the new hire, and we're going to talk about that next, and support for remote hiring and onboarding, which again, we all went through during COVID. So we'll just give this a couple seconds. I'm wondering, Sam, are you seeing any remnants of the practices we put in during COVID? Other than, traffic used to always be on a Friday where I live, now it's a Thursday because everybody works from home on Fridays, so seems to be-
Sam Tang:
Really, what I saw immediately when COVID hit is, obviously everybody experiences as well, remote workers, the support of remote workers. And so the anticipation of people working remotely was 10% to 20% at most before COVID. But when COVID hit, it was close to 100% and people were not really ready for it. And this is one of the reasons why we having this conversation today, is getting people ready for things that may happen that we don't anticipate.
Mike Engle:
No, that's great. That's great. So, the results are in here from the first poll, and it's a decent spread, but the majority is accuracy of the new hire, and we're really going to hit that hard here today. So let's jump into that. I have a couple of stats that I found that are pretty new and surprising, but that 5% of all new hires in the USA are fraudulent.
And the definition of fraudulent can be, you're not hiring the person you thought. That's the worst kind, because did you hire somebody who's there to steal secrets? But it's also people that just simply lie about their background and experience. And this research comes from the Ponemon Institute. So you think about it, that's 50 out of a thousand of your employees could either have lied or not be who they say they are. But the most common form, according to this study, is to gain access to sensitive information. A corporate espionage is a real thing.
I'm guessing, Sam, this is something that your clients worry about quite a bit.
Sam Tang:
Yep. And Mike, just something to add here is, what we typically do is we vet an identity, either it be an employee or contractor once, and then we assume that person that we just vetted is the same person two months from now, which is not the case. So that's why we need to look for a solution that allow us to do this continuously, not just one time vet.
Mike Engle:
That's right, getting to that real zero trust around identity. So, we'll be showing some examples of that here in just a minute. And of course, financial services are the most targeted industries followed by healthcare and technology.
So, I don't want to drown too much in stats, but the second and last one is the percentage of employees that hired somebody to do their work at least once. And I don't know if I'm guilty of this, but I've used services like Fiverr to have somebody make a graphic. Hopefully that doesn't count, but we've had clients, Fortune 500 clients that have caught their employees giving their credentials to a contractor in Eastern Europe because it's cheap and they get 30 hours of their week back. So if you can give your username, password in a one-time code away, you don't have zero trusts. And we call this collusion. So one of the things that we've built into our product is collusion proof authentication. How do you know, to your point earlier, I hired Sam Tang four years ago, but this is Sam Tang logging in tomorrow. So I think, this study here comes from the University of Maryland is pretty cool.
So, let's jump into some of the challenges. So we've all gone through hiring the old way, probably even the young kids on the call today. You go through talent acquisition, HR calls you up and says, "I need a copy of your government credentials." So what do you do? You take a picture, you email them. You used to have to go in person, but of course COVID changed all that. And then you're also worried about, is that person the same person that's emailing me the document? So HR may look at you in a camera maybe, or maybe they don't even bother doing that. They trust that it's the person that went through talent acquisition. So Sam, any challenges you've seen, some clients that you could share in this process?
Sam Tang:
As you mentioned, yes. Since you were addressing some of the younger audience members. So I would like to give a little bit of a history as to how the IM space even came to be. So if we took a step back with the three decades that, like Mike, I said, you and I have in this space. If you go way back in the late 90's, early 2000's, the start of our space is not at the point when it was not even called identity management. And for 20 years, if you take a look at what we did in IAM, it involved passwords, it involved credentials.
So really what you're seeing is that 30 years ago there was a lot of emphasis on maybe help desk, reduction of help desk, the management with password, password history, password complexity and so forth. But more importantly, if we had a solution that allow us to reduce the dependency on passwords, even if it's 80%, how much can we reduce from a management standpoint? How much can we improve from a security standpoint? There's quite a bit.
And the second is, the challenge is continuously the user experience, like you mentioned, but the user experience and everything that we do is not just about the end users. You need to do really take you look at the user journey as a whole to see how it impacts administrators, delegated administrators, end users, and people with elevated access, people with temporary access. So the user experience itself is very key. And the third I'll speak about is really how the business environment and cultural environments, external environment even changes to what we have to do in IAM, things like mergers and acquisitions or divestitures.
So how does that really impact the way that we handle IAM and how do we handle coexistence overall? And if we do, Mike, if you and I do our jobs correctly, what I'm hoping the audience will catch, what are our talk track and what we're presenting is really addressing all three challenges that we still see in the industry.
Mike Engle:
Exactly. It's migrated beyond so much account management right now. You have to actually know who it is and proof who they are and continuously authenticate them with that identity.
Sam Tang:
And credentials could be tokens, credentials could be a lot of things these days.
Mike Engle:
That's right. So we're talking about real identity here today because that's how the journey starts into an organization, is you have to fill out an I-9 form here in the US, you have to prove you can pay taxes. And that's where we can start to make a difference right out of the box. So talking a bit about identity enrollment and what it really means, we can do all this stuff digitally today and do it with a high degree of accuracy and still stop bad guys from bucking the system, if you will. And so, the top here in this first box, these technologies around identity proofing and identity verification are tried and true. You're seeing all kinds of service providers pop up, whether you're having wine delivered or you're verifying your identity on LinkedIn or trying to rent an Airbnb, they're now verifying your identity.
And yet organizations, companies are slow to embrace this. And I think that's going to change really fast, especially if you listen to the analysts and see where the energy's going in the industry in general. So what are the states of art here? Proofing. I am taking a picture of a government credential or maybe even using an electronic credential. In some other countries we can do that, where they have a digitized identity document. You're seeing driver's licenses get digitized here in the US, so there's hope. You got Apple Wallet and things like that that are looking very promising.
And then you have that data from a document and you verify it. I'll show a pyramid of how this process breaks out here in a second. But then take it a step further. I've just issued Sam Tang a credential, I'm verified his credential, and I can issue the authentication token at the same time. And that's this third box. So give the user a key and use that same biometric over and over again to get them into the system.
And think about the old way versus the new way. It really is an enabler. And this is what we call passwordless, at the end of the day. If you never had a password from day one, that's really the end goal for our new users. So let's pop in one more polling question, Maureen, if you could. We'll tee it up here. So real biometrics, we've talked about zero trust in identity. And Sam, I'm sure you're a believer in this, just because you're in the industry, but what are your thoughts on looking into the camera to prove who you are or using your voice and talking into a microphone? Do you have any objection to using this yourself?
Sam Tang:
No. If you follow what is going on in fear with some of the chatter around gen AI and the way that people can use deep fake and things like that. So what you're about to see today with Mike and some of the demos that you're going to see today, the way that you guys are verifying is very unique, and it's something that we're looking for, which is not more than just what I look like, but my gestures as well.
So, the speed I turn to the right, or the way I smile, the way I sound, tell me to speak my certain name, in a certain speed. Those are the things that only I know and I am. So that's what you're going to find today, is that just because password authentication is more than just being able to just take a look at your eye or your face, but more about gesture and also who you really are.
Mike Engle:
And the reason that we asked this question, this is, just seeing the results here. 80% of our respondents said they would consider making their contractors... We kept it into a specific bucket, but having their contractors use their face to log in. If you don't want to do it, don't work here. But I think people are getting more comfortable with it.
And Illinois, you have some pretty draconian rules around privacy, but it's just what you want to prevent is can Sam Tang's photo be used for other purposes other than that onboarding or authentication? If the answer is no, then you can trust it. And so you have privacy disclosures. How many times have you looked into a camera or had your face caught on camera walking down the streets of your city, Sam, right? It's like it's time to not be afraid of it, but to do it responsibly.
Sam Tang:
This aligns with one of the trends that we're seeing earlier when I mentioned the physical, the conversions of physical and logical access. That's very important.
Mike Engle:
Just put your face onto the turnstile and you're in the building. Why not?
So let's walk through the digital onboarding process. It's really straightforward. I had this covered in the last slide, but it's as simple as scanning your documents that get verified in real time and then it's transmitted into the onboarding system. Along the way, if you want, you can verify the person's location. And if they have to come into the office, I don't see why they wouldn't mind temporarily sharing the location, that they're at home. That you're developing a sense of trust with the employee. So ask them for the location. This can all be done inside of the app, phone numbers can be verified, et cetera.
And when it's done right, this can all be in control by the user. So if you think about the wallet that you have or your purse for women, I don't want to be gender biased here. You keep credentials in there and they're in your control. And you can now do this digitally as well. And the state of the art here has really advanced. So I'm just popping up about a dozen different security features that can be checked on standard documents. So there's nuances in how the fonts and the print and the photo layout and looking for glare. All these things are evolving pretty much weekly where the bad guys are trying to do certain things, the good guys are learning how to detect those bad things, et cetera.
And so, we're seeing a much higher accuracy rate. And people will say, well, Mike, well the bad guys could, insert bad thing here, but they can also do that to the HR person who's not qualified to look for it. So I guarantee you that my technology and my high-res 13 megapixel camera is going to do a better job than the HR rep. So let's again embrace this and not be afraid of it. I'm sure your clients are in tune with this type of stuff, Sam, right?
Sam Tang:
Yeah. I'll give the audience an example of what the importance of what Mike is talking about here, is really going back to what I said about the physical security is, what one of the requirements when COVID just happened is the ability for us to detect who the person is that's walking around the hospitals, going from floor to floor, room to room. How do we guarantee that the person who they say and they, they be accessing those locations? think about the sensitivity aspect of that.
So what we're talking about here, just application of that is endless. How about, what if we were able to actually use this technology also in front of schools, in front of hospitals, in front of manufacturing? So it's really, if you think about the application of this, it's really anywhere that you need to verify succinctly that a hundred percent the person is who they say and should they be there where they're at currently today?
Mike Engle:
Let's double click on that, because perfect segue. It's as if we've rehearsed this or something, which
Sam Tang:
Which we did not, Mike, actually.
Mike Engle:
We didn't. No, no. It was just, making it happen here. So verified identity, I mentioned two distinct categories, ID proofing and then ID verification, but it actually can go much deeper. There's a lot of devil in the details in doing this stuff. And so I'm just going to step through this pyramid quickly. Every website, whether it's Amazon, CDW, Macy's, will verify phone number and email. It's kind of the table stakes today.
As you're doing that, you can actually start to build some trust in that phone number, in that email. So, have I seen it before? Has my provider seen it? Does it have a risk score associated with it? But it doesn't verify identity that well, it's a starting point, just because I type in a phone number. And then we have something we call SIM binding. If you think about any time you type in your phone number and you get a six-digit code, that helps that you are in possession, potentially in possession, but those six-digit codes can be intercepted and they can be shared. So binding is the reversing of that process. I am sending a message from my phone number. And it's one of the ways that strengthens the score of the SIM and the phone number and the trust.
And then we already talked a bit about identity proofing. So take a picture front and back. Now as you're doing that in real time, we can verify the driver's license with AAMVA, which is the aggregator for the Department of Motor Vehicles across the 50 states. And any passport can be checked for digital signatures against the ICAO database. So this is the issuing authority for passports.
So again, not just taking a picture, not just asking the user from information, but putting all this stuff together and verifying it with the credit bureaus is what we call data triangulation. One plus one equals three. And it really makes a big difference in the level of trust you can have with a new hire or a new customer when you need that high level of assurance. And then we're going to touch a bit, a little deeper about biometrics. This is what you can use to match the photo on the driver's license or before you log in as root into your Amazon cloud infrastructure. "Hey, Sam, would you just look into the camera? I want to make sure it's you and not a bad actor."
And then putting all this into a wallet is what makes it extensible, portable, private. And this is where the sea of change is coming in the industry. So let me have my identity and let me use it over and over. So if we call this the verified identity triangle, what's your favorite part of this, Sam?
Sam Tang:
I'm going to point on one main part, which is the data triangulation. And the reason why I want to focus on that, Mike, is because your accuracy of your identity proofing and trust of the person is really the accuracy of the data that you use as well. And one of the things that we always look for is not only of what data you see about the person external to the environment, but more importantly, what if we were able to include your internal data as part of the verification process as well. So the data triangulation is the number one piece here.
Mike Engle:
Absolutely. Once you have the data, you can start to make really intelligent decisions. So let me just pop up a quick example of how a new hire could go through talent acquisition and transmit this data. And maybe we'll see if I can prove that you're Sam Tang here in a few minutes as well. That might be fun. And we'll talk about-
Sam Tang:
We didn't rehearse it though. Knock on wood. It's going to work.
Mike Engle:
Here's one example of a modern identity enrollment. And important thing to realize here is this is somebody just onboarding their own identity for themself into their own wallet, and then with consent, transmitting it to a third party. So what I asked Sam to do this morning was this process where he launched an app, set up his wallet. And that's a couple of biometrics and a pin. So you see here, this is a pin to protect the wallet, turning on some biometrics, and then enrolling a live ID. This is your real life selfie, and this is an enabler for identity verification and zero trust from an identity perspective. I didn't want to show Sam enrolling his identity, but we'll get to that in a second.
Sam Tang:
But Mike, something that the audience may not have seen. You were asked to smile and you smiled. That smiling is actually being used for the part of the verification as well. That's key.
Mike Engle:
Exactly. We call that liveness. There's two types of liveness. One is active, which is what you saw there. It's a little more friction, where you're asking the user to just move your head or turn left to right or smile, and we'll see that in a second. But there's also a lower friction ways of passive liveness. And that just uses the environment, the fact that you can tell it's real. And if you've ever scanned a check into your banking system through Chase or Bank of America, whatever, they use document liveness. Can I tell this is a real document, not a picture.
And so these technologies are evolving and really becoming a game changer for user experience. So we've enrolled a couple of biometric assets, and then depending on who you are, your country, what you're trying to do, we can scan government credentials. And this is doing all those things that I mentioned before, checking the security, matching the photo front back, et cetera. It takes a few seconds, far more secure and easier than taking a picture and sending it to HR. And we also support passport, very similar process, scan the front, extract the data, match the photo. But then we can go a step further and hold the photo or the phone up to the passport and read the chip. And that gives you a digitally signed, trusted credential from in the United States to Department of State, for example. And so with the press of a button, we can ask somebody. So let's try something brave here Sam, I don't know if you have your app handy.
Sam Tang:
I do have my app ready. I have it phone ready.
Mike Engle:
This is our 1Kosmos demo site. And what it says is, "Did you already enroll your identity?" Like we did just a second ago. And now, if I really wanted to know that I am in an online transaction, Sam is my doctor as an example, or Sam's my new employee, and I want to verify that he's the person on the government credentials, it's as simple as asking the user. So Sam is now scanning this QR code.
Sam Tang:
The glare?
Mike Engle:
Yep. When it's on a monitor, it can be, you have to tilt it a second.
Sam Tang:
Give it a sec. Nope, it's reading. It's just not scanning right now.
Mike Engle:
It's either brave or foolish to do a live demo on web.
Sam Tang:
I'm just trying to get the phone to scan, but it's not picking it up as a QR code. Give it a shot. No, it's not scanning.
Mike Engle:
No problem. No problem. So I'll pull mine up, doing this remotely. So here's my phone and what Sam is doing is scanning the QR code.
Sam Tang:
Oh, by the way, I just got it to scan.
Mike Engle:
You did?
Sam Tang:
Oh, it just went away again. No, go ahead. You can do it.
Mike Engle:
So now it's asking me, you can see, to engage with the camera, proving that I'm real, not a deep fake or some other type of bad actor. My data is now transmitted with my consent from this digital wallet and sent to the requesting party. And what happens then is HR gets a digitally signed credential from whatever is in my wallet. So here's my credentials transmitted and HR receives this and trusts it right out of the box. So we'll get Sam to do his live at another time. Thanks for trying. It's a great sport.
So we just went through the enrollment. And now, what happens, once we've done this, that data was transmitted and goes directly into your IGA process. So whatever it is that jumpstarts your journey into the system. Now the final step in this is where the beauty of doing this digitally kicks in. I can now email the user their credential to get into their applications on day one.
And so if I just extend this a step further, I'm sent an email and all I have to do is say, all right, I just got through, today's my first day on the job and I'm going to, again, simple process, starting with user experience, scan this QR code, give permission to transmit my credential, and I am staring at my downstream applications. I can get into whatever platform, into my desktop with that same experience every time. I have chain of custody on the identity that was given to me. Only I have it in my wallet, nobody else can use it because of my biometrics.
So, how does that compare with the, I don't want to throw E&Y or EYG under the bus, but I know you guys are heading in that direction as well, right?
Sam?
Sam Tang:
We are. And EY, being one of the big fours, one of things that we always emphasize is really focus on compliance. So what I'm really talking about here is, through this journey, this user experience, we got to make sure that everything's audited for purpose of keeping evidence as to not only just how people got their access, but when do they use their access. And that's going to be very crucial.
And one of the things I'm going to talk about towards the end of the session, which is how to take advantage of AI and the actual usage as part of this experience to make sure that we use that information, use that data triangulation, including the actual usage patterns that we see as part of the transaction approval of authentication transaction, authorization transaction, or even business transactions like payments. So that it's really the importance here is every step of the way because the visibility, we are able to audit and keep evidence as to how people would use their access and how they gain their access as well.
Mike Engle:
That's a key point. And if you notice the name of our product suite is called Block ID, and we have a private blockchain back end, which gets you back to that chain of custody. Imagine if, from the time the genesis moment when you joined E&Y, you were given a credential, and then every time your identity was used, there's chain of custody for that authentication that goes back to the original one and says, yep, that login, so that Windows workstation is the same Sam Tang that was here, block by block by block. And so it's a real... It gives the InfoSec team some real warm fuzzies that nobody could manipulate the logs and things like that.
Sam Tang:
And Mike, just to give this a plug, from an adoption standpoint, and what you and I are seeing is that there's certain countries, certain regions that are ready to monetize verified identities as well. What that really means is that, what we're going to start a trend towards is that, what if we're able to actually truly verify in that identity and be able to reuse that identity for other purposes as well, like the B2B experience, like the B2C experience, like using that same identity for being a contractor and so on and so forth. So that's coming.
Mike Engle:
It is. And I'm seeing banks have a really solid identity profile of their customers. I trust my bank with a lot of info. And so if I could go to Macy's and Macy's says, "Do you have a bank account with one of the top six banks? We'll just create your account in five seconds and we're going to give you a discount." I'm like, "Sure." And it does a federated authentication. You see this with a couple different countries are rolling these types of schemes out. And it's promising because until the government gives us an ID that's portable and usable and digital, my stinking driver's license still doesn't have a digital credential on it, but it will soon. There's other ways to do it in the industry. So reusable identity is a real hot topic.
Sam Tang:
And Mike, I'll give this a plug too. The reason why a lot of the merchants, a lot of the retail stores are very excited about this is because it does reduce the amount of attention they have to pay to fraud detection as well. This truly is an enablement for fraud.
Mike Engle:
Exactly. Exactly. So last and final polling question, is your organization using or does it plan to use ID proofing in the next 12 months? So this is a simple one, yes or no. And we're seeing an exponential uptick in interest here. So all of our clients that do passwordless authentication, that's just trading in username password 2FA for public private key cryptography and biometrics. Their day two conversation with us is, all right, can we do it with verified identity now? And then some companies are calling us to start with this and not passwordless because of all the reasons we talked about here today. So I'm optimistic that we'll have lots of yeses here as they press this button. See how we do.
Sam Tang:
Oh.
Mike Engle:
It's a 50/50 split.
Sam Tang:
It's 50/50.
Mike Engle:
Okay. I think it's happening quickly though. It's like, it'll go viral. So let's talk about a couple of considerations. We talked briefly on AI deep fakes and more. Should you worry about biometric authentication with things like deep fakes, getting all this press in the news with AI and the ability to say, I could probably come here right now and say go watch all of the webinars with Sam Tang and generate me a nice little four second video of him on this screen.
Right?
Sam Tang:
Please don't do that.
Mike Engle:
Well, but it is a real concern, and especially with voice. I find voice, because it's just, there's so much audio out there, and it's not as much to look at or analyze, but what we find is you just have to stay on top of the trend. So don't just ask somebody for a static, to your point, you pointed out that liveness,
Hey Sam, hold up today's newspaper or just put two fingers in the air quick. It's hard to do that stuff on the fly. And so there's different ways where we can mitigate this. And rest assured that we have access to the same AI that the bad guys do. So we can use AI to detect variances in images, for example. And that's a big part of what we're doing today as we get more and more samples and see more bad guys do bad things.
So are you worried about AI?
Sam Tang:
Who me?
Mike Engle:
Yeah. Are you worried about it?
Sam Tang:
I am not worried about AI because I am a firm believer if you have nothing to hide, and if you feel like the services that you are using are using security by design as means of protecting my data, and as long as you have full transparency of all the things that you are using your phone for, all the services that you're using online for, your information's going to get out.
And I'm not really too concerned about AI because I know exactly what's going on with my identity in the open. It's out in the open. But as long as you are clear that you have clear vision of visibility into the services that you're using and also the way that you're protecting your data, I think you have nothing to worry about. But more importantly, it's not about the fear of AI, but more importantly for the enterprises, how can they take advantage of AI so that they can actually be more proactive and preventive and allow for people to gain access to things, make it actionable, make AI actionable to help your security organization.
Mike Engle:
Right, right. And we make the mistake as humans of comparing something new to perfect. So we're asking this question, "Oh my God, what about AI and deep fakes?" Well no, what about somebody getting a username password and 2FA and stealing that? It is a thousand times easier for a bad actor to do that than it is for them to create some Max Headroom liveness of Sam Tang and injecting it into my Windows log on. So, I think we have to keep that in mind, and you don't want perfect to be the enemy of good and great.
Sam Tang:
And I'll share with the audience maybe a few more considerations if we have the time, Mike. Do we have the time? Just a couple more-
Mike Engle:
Oh yeah, we're doing good. We got about five, six more minutes and we'll wrap up.
Sam Tang:
I'll share with the audience other key considerations. Are you thinking about how to handle your onboarding services? So the first is make sure that you think about the solution if you think about applying technologies like this to focus on not just about the front door, but inject the process into the front end process like recruiting, like talent so that a lot of the front end work can be done even before it gets to [inaudible 00:40:08].
And the second thing I want to say is that solution here is not just about getting access to the environment, it's also the use of this at any given time at runtime that allow you to protect your infrastructure, your cloud, your on-prem services, your applications, your services, your data, your assets. So think about holistically as how to take advantage of this technology. The second one is, I think we used the word simplification quite a bit today, but the thing I want people to really realize is just because we're saying that we want to simplify things doesn't mean that the solution doesn't focus on compliance, privacy, security and so forth.
And again, if you do simplification correctly, I truly believe that you are going to be able to actually focus on what your true business value is that you're trying to glean from this solution. And that being, how much more transparency can you get? How much do you really know about your environment?
The second is how ready are you in case another COVID happens? Resiliency, how well are you equipped in protecting your assets inside your environment? And the last is the last R, these is, when I call it the four Rs, is remediation. How quickly can you respond to something and we react to something?
So I just want to make sure that people realize that just because we're talking about simplification and user experience, but there's other things that you can actually apply this technology to as well.
Mike Engle:
No, I love it. So let's... I'm going to throw one other quick demo in here. We talked about deep fakes and biometrics. Imagine if you could, so here's your stealable username and password. And many times Windows doesn't even have a 2FA on top of that. You can do some Windows Hello, but take it a step further instead of username, password, we can take that face that's been enrolled when I did my onboarding. And again, look into the camera, smile, blink, and I'm staring at my desktop. Takes a couple seconds and you have a very high degree of certainty that that is Mike Engle logging into that very important CyberArk console, whatever it is. So that's a real game changer. And again, comparing that to username, password, 2FA, and then give the user an even better experience, 15 minutes later, the workstation's locked, have them just tap their Apple Watch.
So this is an example of amazing high five moment for your users when they're like, "All right, my watch jingled, I tap this button and I unlock my screen." And you can put all kinds of security controls around that stuff as well. If the watch is taken off, it doesn't work. So we talk about biometrics and the ability to do this stuff in a better way, that's what we're thinking. Be aware, but don't worry and use biometrics properly for zero trust into your system. I think they're the future of user experience and security together. And then putting these things into a digital wallet where you have privacy and the user in control of what they're doing, it is the future. And you're seeing the tech giants really lean into this and it's going to make a difference in how we do things.
So any final thoughts on this slide here before we get into Q&A, Sam?
Sam Tang:
No, one final thought here. Again, I'm going to repeat what I said earlier just because today we are focused on your workforce. And the workforce is not just about your contractors and your employees, but it's your third party and your business partners as well. But more importantly, you've got to apply this strategy to thinking about how will this satisfy with all the business models that you need to satisfy. Again, earlier I said B2E, B2C, and B2B, but it's very important for us to focus on how we can actually take advantage of this technology across the board, not just for B2B.
Mike Engle:
Excellent. So I got just couple questions here. I'll touch on one before we wrap up. So the first question is, is the document scanning that you showed supporting international? So we have large multinational organizations. And the answer to that is yes, we support 200 countries. I didn't even know there were 200 countries, but when you count provinces and things like that and thousands of document types. And we're doing this globally, we support not only driver's licenses, but state IDs and tribal documents and all kinds of things.
It's still an evolving art form, but it's getting really repeatable and predictable. So the answer there is yes. And for international, if you're working for a multinational and it's a hire like that, you're hiring somebody overseas, they probably have a passport anyway. And that's really the same type of credential across a hundred different countries for that as well.
And then the second is, what are some of the ways that you make sure that the biometrics are secure? So there's a couple of important certifications there. There's organizations like iBeta, which validates the efficacy of a biometric. So they'll do things like rubber mask tests and cut holes in somebody's photo and try to fake it, have different people to get our iBeta certification. I think we had to have 200 people test certain authentications using our engine and so forth.
So the type of attack detection they do is something called PAD, presentation attack detection. And PAD level 1, PAD level 2, you need that for certain industries. So you can always ask your provider for their biometric certification. And then one other really big scoring one, there is something called FRVT, Facial Recognition Vendor Testing from NIST. So they have dozens of algorithms and test thousands of images, and we'll make sure that you pass all these tests as well. So hopefully that's helpful.
Sam Tang:
And Mike, something to point out, and maybe this is top of mind for some of the audience, is that the more important thing is that you are FIDO2 compliant. Yeah, Mike?
Mike Engle:
Yeah, FIDO2 and also NIST 863-3. So, thanks for bringing that up. Those are two really key identity standards. FIDO is the future of passwordless, so you want to make sure you're working with a FIDO2 certified vendor.
Sam Tang:
And Mike, going back to the first question, I do want to tell the audience, the way I registered was actually using my password, not because I wanted to test. Of course, the first reason I wanted to test out the legal document support is 200 countries, but more importantly, it goes beyond just license, driver license. And the second thing there is commission and other legal documents will be supported like your student IDs and things like that as well going forward. So more importantly, the 200 countries, but it's passport and driver's license are crucial.
Mike Engle:
That's right. When we tested this morning, I did take a screenshot, so this is Sam's onboarding this morning, but-
Sam Tang:
When I was able to scan the barcode, yes.
Mike Engle:
Exactly. Like I say, if you have bad lighting, sometimes you have challenges. But yeah, this has been really great, Sam. I appreciate you coming on and sharing your insights.
Sam Tang:
Thanks for having me.
Mike Engle:
Anything coming up in the industry that you'll be working on? Of course, we'll all be at the Money20/20s and things like that later in the year.
Sam Tang:
No, so I'm going to focus on staying put for a little bit and I'm hoping that I'll be making a trip to Europe again pretty soon just on the speaking engagement on a similar topic.
Mike Engle:
That's great. Let's enjoy the summer while we can. And again, thanks for coming on and thanks for the audience for joining and asking a couple of questions and hope to see you all soon.
Sam Tang:
Thank you.
Mike Engle:
Thank you, Sam.
Sam Tang:
Bye-bye.
Mike Engle:
Have a great day.
Mike Engle
CSO
1Kosmos
Sam Tang
Partner/Principal
Ernst & Young
In this webinar, we focused on unifying worker onboarding, identity verification, authentication, and access management. We covered a modern approach to:
- Accelerate onboarding for all workers through scalable, unified identity proofing
- Easily tailor security policies and controls by user and groups of users
- Simplify identity governance across multiple systems and directory services
- Improve security / reduce cyber risk with non-phishable, passwordless MFA
- Deliver a convenient login experience anytime, anywhere, from any device
Today’s workforce has evolved with the modern supply chain to include office and home workers collaborating with contractors, suppliers, and partners to achieve the corporate mission. Sustainability, productivity, quality, and risk management are the watchwords, but antiquated processes and siloed systems stand in the way.