Why a Secure Web 3.0 Starts with Decentralized Identity and Passwordless Access
Video Transcript
Mike Engle:
Thanks, everybody, for joining the webinar today. My name is Mike Engle. I'm joined by Gary Rowe and Gary Zimmerman; we'll introduce ourselves in just a minute. But I wanted to start by just acknowledging International Women's Day. At 1Kosmos, we embrace diversity and all the value that women bring to the table throughout all of our endeavors. So please join us on LinkedIn. We'll be recognizing a bunch of contributions and it's a great way to show gratitude and in many ways is overdue.
Gary Rowe:
Yeah, yeah, absolutely. And certainly from the team at TechVision, we support diversity, fairness, inclusion, a lot of the efforts that are going on. We see a lot of that, the identity space and the security space to get more women programmers and just involvement to open those doors and opportunities, I think is a great thing.
Mike Engle:
That's right. Thank you. And just a couple housekeeping items. We do have another webinar coming up in about a month, really focusing on multifactor authentication. It's everybody's deploying it. Zero trust is in full swing in a lot of organizations, but it's under attack more than ever and we're going to talk about some of the ways that these gaps can be closed and really fixing the user experience that we've been struggling with. So Maureen or one of the other folks here will be putting a link to that. It's on our website as well. So sign up if you can, and just wanted to invite anybody who's on this call to come try out our technology. It's right there on the homepage. You get the app and you can experience what it's like to authenticate with single touch multifactor experience. It's pretty cool. Once you do this in any of your applications, you will not want to go back.
Lastly, my chief revenue officer Kevin Brown is giving away a $50,000 identity package. So we'll pick a winner randomly from the attendees today. You'll get an email, he'll go over the details, and if you can accept it great, and we'll be announcing who wins if they choose to have that be public, but it's not required. So let's jump in. So as I mentioned, my name is Mike Engle. I'm co-founder and head of strategy at 1Kosmos. 1Kosmos is the leader in identity management, both onboarding, passwordless authentication, real biometrics. I'm joined today by Gary Rowe and Gary Zimmerman. Gary Rowe, would you like to say hi?
Gary Rowe:
Yeah, I would, and let me say a few words about the presenters in this event from my perspective. Hopefully, you will feel this, but I think you're in for a treat today. Mike has tremendous hands-on experience in the finance community in the area of security but then has built, including being one of the founders for 1Kosmos, several companies and has been directly involved in trying to move the internet security and technology forward. Gary Zimmerman, who's on this call, I've worked with for many years; he's a phenomenal analyst. He has expertise in big data, in innovation and decentralized identity technology and is in the middle of doing primary research for TechVision's report on Web3, which is of course the main focus for today's session. So we'll leverage Gary's expertise there.
I've been in the middle of the identity space for a long, long time and used to help run a company by the name of Burton Group. That was pretty well known in the identity space, spent 12 years as president of Burton. Then co-president of what became GTP at Gartner after we sold Burton to Gartner in 2010, did several entrepreneurial things, including in the decentralized identity space, and then recognized there was a gap in the market and gap in the market we helped create and then formed TechVision Research in 2015. A lot of what you hear today, at least from the TechVision perspective will be based on not just Gary and me, but our analyst team. We do equal parts research and consulting. So we do a lot of projects for large organizations and infuse that into our research, but that much like a Gartner or Forrester or somebody, we do the briefings. We actually found out about 1Kosmos some time ago based on one of our large customers saying, "Who are these guys? We find them real interesting." That kind of started this relationship.
We don't cover everything. We look at identity and security and disruptors, and governance and privacy, and how we're going to build these next-generation ecosystems. I characterize it as this point of intersection between large enterprises, Wall Street, so to speak, and Silicon Valley, what are the disruptors? Where are things going? A Web 3.0, some of the stuff that 1Kosmos is doing fits right in that portfolio. If you can switch slides, please.
Mike Engle:
Sure thing.
Gary Rowe:
And I'll say a few words about just what we want to cover today, but let me say that, and Mike, Gary, and I talked a lot about this. I think we can get the most out of it by having a discussion by having a dialogue. Honestly, what we all are looking to do is to help figure this stuff out and help figure out how can we improve on a lot of the challenges we've had in identity and security over the last several years.
We saw a lot more of that, of course, during the lockdown over the last couple of years. So we'll start with what is Web 3.0, we'll try to carve through some of the hype and just give some clear definitions there, but we can learn from the past. So especially when it comes to identity and security and Web 3.0 and ownership and things like that, we'll then look at identity's role that it's traditionally been in Web 2.0 and look at how that will move forward, how we'd like that to move forward. Some of the things 1Kosmos is doing to promote that as we move to Web 3.0, and then pragmatically, what can you do today and tomorrow? So we'll look at coming up with some succinct recommendations. So with that, Mike, I'll turn it back over to you.
Mike Engle:
Great. Yeah. We're going to have a little bit different format today. It's similar to some we've done in the past. We're just going to have an open dialogue about each slide. There's not a whole lot of slides and really this is it. The material's pretty straightforward. We're going to get pretty deep into it and starting with the definition of Web 3.0 is all over the map. When I Googled this over the last couple weeks of getting ready for this webinar, the first three hits on Google were completely different definitions. So I went here and grabbed this from Wikipedia. But what I think we agree is that it's decentralized, that's the one common theme that is across every definition. It's pushing the control into the network and we're going to talk about that in some detail, even the labeling of it is different and being argued about in many threads, right? Is it Web space 3? 3.0 no space? So, you know-
Gary Z:
The cool kids call it Web3.
Mike Engle:
The cool kids. Okay. Right. Web no space three. Right?
Gary Z:
Exactly.
Mike Engle:
Lower case W, right? So I don't want to get in trouble. I got yelled at using the wrong emoji with one of my kids yesterday, but no, this is what we're going to talk about here today. It's really, this is changing the way that we are engaging with computers, technology, assets, and so forth. So with that, I'll jump in. And like I said the key promise in Web3 is decentralization, right? So if Gary Z, if you'd maybe just run through a couple of these points.
Gary Z:
Yeah, sure. I get to answer some of the more geeky parts of this here. So the first one is that in the current state of the protocols for the internet, it doesn't capture, what's known as state. So it doesn't know who is who, it doesn't know who owns what, it doesn't know who has access to what. So all of that information is captured on the server-side of the network and that created a situation where the network is basically not aware of what is happening. When we move to web3, that changes. So state is captured in the network. So it no longer has to be held at the server level by the company or whatever and so that makes things a little more equal in the network and that gets to the point of user's in control.
That means that the user can now share information from a client to a server, without having to basically be beholden to that server. The final thing about this, and Mike brought up the decentralization is that that state is captured across the entire network. So no longer is there a central server that holds all of that stuff, it's replicated across a thousand servers in the network. And that allows people to do things like create metaverses, you've heard that term lately, but basically, it's allowing people through wearables and AR, AI, and ML to work through participation in the web, as opposed to just point and click kind of stuff. Then the big thing that people are talking about now is decentralized finance. So changing the role of central banks and fundraising to more of a democratic populist way of doing it. Of course, NFTs, which are the hottest things. They're like baseball cards just in electronic form.
Mike Engle:
Yeah. Yeah. If I hear one more story about NFTs and monkeys being sold for $60 million, I don't know what to do. But there's a couple of icons here on the right that I thought were really interesting. There's a network which promised to decentralize even Wi-Fi access. So you put up one of these devices in your neighborhood and you can get incented to broadcast that network out to the masses and let people use it. Then we're going to talk a little bit about the concept of tokenization on the next slide. The other one is this the constitutional DAO. That they call DAOs decentralized autonomous organizations. You can actually have an organization that lives in code through smart contracts, which I'm sure most of you have heard of on distributed technology and it can do things. So a group of people set up a DAO that almost bought one of the copies of the constitution for $40 million. That's a real game-changer and the point of this disruptive scale here on the third icon. So more to follow on that.
Gary Z:
Yeah. The one thing about the DAOs are really interesting, because basically, the internet doesn't have any rules about how values exchange or any of that kind of stuff, or even how people interact. It's just protocols that make those things happen. When you move into Web3, when you start talking about things like DAOs basically the behavior on the network is coded into the network itself. So when you want to change how things happen in the network, you actually have to go and get the community to agree to that. Then the changes are actually made in the network. So it's a completely different view of how you go about doing business.
Mike Engle:
Yeah, that's exciting stuff. Of course, the devil's always in the details when things go wrong in those, but we'll see how that shakes out. Just moving on for the rise of the token economy, right? NFTs are tokens. Tokenization is really a key aspect of Web 3.0 as well and it's a way for you to participate in the network in ways that you couldn't do before. So I know this was a lot of your material here, Gary Z if you could run through this again for me.
Gary Z:
Yeah, sure. That first bullet there, it's a fundamental shift in the economic model. We got used to in Web 1.0, the fact that everything, all the information that we got was free, and that basically carried over into the interactive part of Web 2.0. And what that meant was that the only way to pay for the services we were getting from these providers was that for them to figure out how to monetize that in the different way than order basically asking us for subscription fees. So they basically started selling to advertisers our data and more importantly, our attention.
So what we have now is basically an attention economy. So companies like Facebook and Google and others put in front of you, ads that advertisers are basically paying them to put in front of you. They continue to drive more and more attention so that they can make more and more money. In Web3, because of the way tokens are working that shifts over to more of a decentralized model where the actual creators of content are the ones that now can monetize those. So it's no longer giving goods away for free, and it's no longer having the advertiser pay for your attention. It's basically an exchange of goods and value based on the tokens. Right?
Mike Engle:
Yeah. Did the activity here, just a couple of stats on this, the venture capital deployed over $30 billion last year into crypto startups, right? And many of them were the OpenSea types, the NFT pure platform plays. And the number of 65 crypto unicorns last year alone has come up 40 of them created last year alone. So in one year, 40 companies went to a billion-dollar in valuation and they've raised just tons and tons of money. So the crypto market cap exceeds over three trillion. So we have to pay attention to it. It's going to impact our lives in one way or another.
Gary Z:
Yeah.
Gary Rowe:
Yeah. Mike, let me jump in and make a couple of observations. The first it is hard to overstate. There's a couple of bullet items on here and a couple of points that are made about the rise of the token economy. It's hard to overstate how disruptive this is and the level of economic impact this potentially can have by simply moving from an environment where a relatively small group of large enterprises have had the ability to control the content, much of the content, the ad revenue associated with that and so forth. The network effect as we all call it has really kicked in the ability to have these tokens to instantiate rules and controls and intention can change so many things. I think that's been a big part of the investment that we've seen in this.
I think we've seen the financial community, the VC community looking at this and saying, this could be the disruptor. And if you think about it from the perspective of the web, and I'll just give a pretty high-level perspective, but for me to simplify things helps. So Web 1.0, that obviously passed many, many years or decades ago was all just static information. We would post things up there and it was a great environment to read and learn. Web 2.0, was all about consuming and creating. So we now engaged individuals. We engaged companies to actually write, but it was all, as Gary mentioned earlier, it was all then funneled through a relatively small number of orchestrators so to speak. Web 3.0 is read, write and instantiate some level of ownership or some level of control and I think fundamentally if you look at that really changes our model and in a lot of the details now that we'll walk through in terms of how identity services and other kinds of things support that are going to be really critical to actually execute on it in a safe and secure way.
Mike Engle:
Yeah, thanks, Gary.
Gary Z:
Yeah. And just briefly, the network behaviors incented by the tokens, just a couple examples of that. If you try a crypto browser like Brave, it actually gives you the opportunity to earn tokens based on whether or not you want to look at ads. So they actually pay the user to look at ads from companies that are trying to get in front and enlarge their audience. And you could actually give some of those tokens back if you really like the content that you're viewing. And the same thing is true on Coinbase, which is another big place where people look at this stuff. They'll actually pay you in particular crypto to learn stuff about that crypto. So you're actually earning "money" by giving your attention. So it is just a way it's a change in the way the model's working. The platforms don't earn that money you do.
Mike Engle:
That's right. Yeah. And a key enabler, nice segue is at the heart of these transactions is cryptography. So cryptocurrency has borrowed on that term as well and the individual that participates in this economy has a private key that gets stored in a wallet. Now, you mentioned Coinbase, Coinbase is famous for being a custodian for everybody's wallet and making it really easy where they keep the keys, but it is this key that lets you participate in a network where nobody else can do that other than you being the key holder. So, at 1Kosmos, we built a platform that's based on this type of key technology and we're going to talk a lot more about how this key can become an enabler in identity on a few slides here. But this is one of the main enablers of this new economy that's popping up.
Gary Z:
I think the key here is it's in italics if the crypto wallet is an application and so it behaves just like any other application. You need to authenticate and you need to be authorized to let it do what it needs to do and that's one of the big problems that are facing what's happening in Web3 today.
Mike Engle:
Right. Yeah. Just like in the real world, you lose your driver's license, lose your passport, you have trouble, and it's quite a pain to go get that stuff back or recreated and the crypto world's no different. In fact, it's impossible and we've seen those types of challenges where people have lost $200 million worth of stuff because they can't find their wallet but with great power comes great responsibility as our friend Spider-Man's uncle said.
Gary Z:
Yeah, but that creates another dynamic that's probably going to take a while to fix, which is the users now have to take on that responsibility and that's something they're not used to. So if I forget my private key, I can't go to somebody and say send me a link to reset it. It doesn't work that way. Right?
Mike Engle:
That's right. If it did, it would defeat the purpose.
Gary Z:
Exactly.
Mike Engle:
Now how identity flows into all of this have a little bit of a kind of path down the identity side of Web 3.0 and first starting by where we are today. That is where our identity is really being held, at least in our usage of it by a handful of participants. There's only a few icons here, but you get the idea, right? There's obviously more than two banks but there's a handful of tech giants, the FAANG types and they are the custodian. So imagine this, I'm a huge Google user. I've had Gmail since forever, and I have probably five or six Gmail accounts. If Google were to wake up one day and change something and say, "Hey, mike@google.com, there's something wrong with your account. We don't like it. We're turning it off."
They've basically taken that identity away from me and I cannot get it back. And of course, Facebook, everybody knows the example there. Also then in similar worlds, the banking industry owns all of your banking info and may let you use it if you're in open banking, for example, and share that information with somebody who's requesting it to give you banking services like opening a new mortgage. Of course, the credit bureaus are a third big player here where they just own so much data about you and it's all in a central, easily hacked, as history will show, database. So imagine applying some of these principles to Web and pivoting away from that in Web 3.0. So we'll kind of get into this and the most recent example, that's probably been front and center of many of our attendees in the audience here is what happened with the IRS over the past two months.
So there was a big announcement where the IRS would only allow you to participate in certain IRS activities if you proved your identity, using some identity proofing technology that involved your biometrics and scanning your driver's license. This company would centrally store, and then be your custodian of your identity as you went on and did things with various government services, IRS, or at the states, et cetera. And when this really cracked open, Krebs posted a big article about this, and it had a cascading effect. There was a major backlash because this is really a Web 2.0 type thing. So Gary Z I'm wondering what your thinking was when you saw this unfolding in real-time, it's kind of a mixed bag.
Gary Z:
Well, it is because, it created a concept of identifying the metrics with particular individuals and storing that centrally, which is all something that is a no-no when you're trying to work in something that's more decentralized and more privacy-oriented. So I can understand why this didn't work out very well.
Mike Engle:
Yeah. Yeah. Gary Rowe, would you scan your driver's license in order to pay taxes?
Gary Rowe:
Maybe.
Mike Engle:
If you had to, right?
Gary Rowe:
If I had to, and I understood the infrastructure behind it. I don't think most would look in at that level of detail, but it's scary. Where do they store it? How do they store it? How do they use it? Is there potential for replay attacks? There's a lot of issues with doing that. So you have to have some level of trust between your scanning of that driver's license and understanding how it's used and how your identity is instantiated beyond that. And which leads us to a lot of the discussions around tokenization of course.
Mike Engle:
Yeah. Yeah. Imagine-
Gary Z:
Being a little facetious. I'd probably do that more if I was getting a refund rather than if a [crosstalk 00:31:20].
Gary Rowe:
Yeah.
Mike Engle:
Yeah, exactly. Exactly. Yeah. Who would want to file a fraudulent tax return just for the sake of giving them data? Right?
Gary Z:
Exactly.
Mike Engle:
Yeah. Yeah. So, there's a lot of sins of the past that we can learn from, as we build out a Web 3.0 world. And if you watch the specifically, mainly the NFT news, you're seeing a lot of the same types of patterns that we've been hit with in the past, in quote, Web 2.0 world, right? Where the wrong people are able to do transactions, where things are copied and reproduced without permission, and so forth. And this is, I think really just a matter of the human side of it just not catching up yet from a proper regulatory or proper implementation of the technology perspective.
Gary Z:
When I look at this the technology is never going to be able to eliminate the bad things that people do to one another. So fraud and theft are going to be there. All you can do is basically ratchet down the technology to minimize what goes on in that space. But you cannot govern human behavior based on that. So what you're going to see out of here are people phishing to get credentials, to do what they need to do, people pretending to be something that they're not that's spoofing and people trying to hack into places to get information or in this case, particularly get tokens. So that's going to happen unless you can figure out some way to tighten down who's really doing what with whom in that and I think it requires us to relook at identity in this space.
Mike Engle:
Yeah.
Gary Rowe:
Yeah. Yeah. Relook at identity, relook at where information is stored, how it's stored. At TechVision we've done I think Gary four or five research reports doing just about every year because it changes on decentralized identity. And in the old days, there was all kind of data that shouldn't be stored in the distributed ledger that was stored there. So that is where even though we're seeing standards and we're seeing this technology emerging in a decentralized way, you certainly want to look at the vendors. You want to look at the specifics about how it's stored, where it's stored, what information is on a public or even private ledger. Are you using that just to authenticate and to validate that you are who you say you are or are you baking other things into that? So I think there's a lot of details in the weeds that we want to be thinking about as we look at deploying this.
Mike Engle:
Yeah. So that's another great segue, Gary. So we've already had standards on how to solve some of these problems for years. The term decentralized identifiers has been around since, for certainly the beginning of 1Kosmos. And it has a very well-known concept, which is called issuer holder verifier that we'll just touch on here briefly because if these techniques are applied properly to Web 3.0 transactions, it brings a lot of credibility to the table that's missing. So imagine if the IRS allowed you to onboard your identity and they Scout's honor triple dog swear that it is in your possession only, and you can transmit it to them with your permission. They would only use it to say yes or no, that this is the person paying taxes or receiving a refund.
That's the promise of the technology and so you could have a number of sources of people that already have some type of identity information about you. Of course, our governments issue driver's license and passports. Your banks maintain your financial identity because who else is going to do it? And even your phone, your telco has a lot of information about your SIM, which is something you have, your phone, where you are, where you typically are, et cetera, and can provide a lot of truth. Is this really Gary Rowe that I'm dealing with? So these one way or another, this can be issued and now you have the concept of a decentralized network. This is a part of the trust over IP model coming out of the Linux Foundation. So you have this layer one public utility where your information can be shared in a privacy-preserving way.
And what's given to the individual as the holder protected with that private key that we've mentioned a few times is the credential that they then hold. Finally, they can then leverage that identity and give it to what's called a relying party or a service provider. It can be anybody who wants to consume that and the real key here is you're not going back to a central server to have to validate it. The trust is here because we trust the cryptography in the network to say that I'm about to go on this website here. I'm asking for this proof of identity that was issued by somebody I trust. I don't have to go to them to ask for it. So this person stays in control. So I'll turn it over to you, Gary Z because I know you've done a lot of work in this space as well. And Gary Rowe, I know you've even formed a company that does this type of thing as well.
Gary Z:
Yeah, you've outlined it pretty well, Mike, but the point here is that the issuer issues, which so the KYC proofing identity are actually credentials, right? They issue a credential to the holder and they digitally sign it and they hash it and they encrypt it so that it is what it is and it can be verified and authenticated. The holder presents that to the relying party as part of the authorization or authentication processes that they do. The relying party dips into the blockchain to make sure that they can pull the right information from the issuer to allow them to verify that the hash is correct, that they actually digitally sign that and that the owner's the one who actually has the right to use that. So the blockchain doesn't contain any of those credentials. It basically contains IDs, keys, pointers, and proofs. That's what's in there so the blockchain itself doesn't contain identity. It basically contains those kinds of things that allow the relying party to verify what the holder's actually presenting.
Mike Engle:
Yeah [inaudible 00:38:43] that cryptographic trust. Yeah.
Exactly.
Gary Rowe:
Yeah. And one of the things that, we actually put it in the title of this webinar, it's something that's actually one of our primary research themes. The whole world's talking about zero trust, of course, at least in security and identity circles. But I think it's real important to look at zero trust and zero friction together because it's all a balancing act. When you think about the potential of this digital trust model, and when you think about the potential of Web 3.0 associated with that, there's an opportunity when we think about in particular verifiable claims or verifiable credentials associated with this. There's a real opportunity to have something that allows the individual to specify what they want to have a seat at the table and to drive the conversation.
But from the relying party's perspective, if there's some level of verification of these claims of these credentials that are being made, we can somewhat have our cake and eat it too. We can have better security with something that is actually much more user-friendly and that gets into some of the things we'll talk about more. How easy to use and available are these wallets? How do you update those kinds of things? There's a lot of infrastructure pieces that need to be built in, but this is fundamentally I think a really interesting, solid model that gives us a lot to move forward with and in a very disruptive way.
Gary Z:
Just quickly to amplify some of the things that Gary's saying there, if you think about how we do things today, if I want to buy something, I go on a site, I click, I put it in the cart, then I have to go fill out my credit card information. They have to verify that and I put in my address and they have to verify that. Then they're going to tell me whether or not they can ship it right? Part of the reason that the websites capture all of that information is to make it easier for someone to do that on repeat purchases. So you don't have to enter that stuff over and over again. Think about what a model would be is if you have all of that information as a holder in your wallet.
So the website that you're dealing with is basically saying, I'm glad you want to buy these things how do you want to pay for it? And you basically tell your wallet. I want to use this and then it comes back and says, where do you want me to ship it to? And you go to your wallet and say, use this. And you're done. There's no entry. They don't have the information that they're keeping. It just is a much smoother experience and that's what the promise of some of this stuff is.
Mike Engle:
Yeah. Yeah. I'm going to go a little bit off-script. We didn't talk about this guys, but this is an example of my quote identity on a public NFT website called OpenSea, right? There's literally millions of these things floating around. A lot of bad press in the news lately with scams and people stealing things. But the idea of identity here is simply you present a private key. So if I were to authenticate here, it pops up and says, present your wallet. Imagine I'd pull my driver's license out and I could hold it up to the camera and prove to you who I am. They're not there yet, but that's where this will go based on a couple of standards that could kind of solidify what your identity is in a Web 3.0 world. So if I have just a simple browser-based wallet here, this is MetaMask, very popular, and I can simply click here.
It's now reading this wallet and it knows who I am without me having to type anything in. Obviously, that's not me. That's done on purpose. You can see that's not my face, but now as I'm engaging with the system, I'm just this wallet address. There's no identity linked to it. The future of this would be if I could take something that actually has a real identity bound to something that would be trusted and use this to sign transactions, to purchase things, or whatever, if the user wanted to you could buy something anonymously in this world. And that's typically what it's used for today, but that's how this is going to change. As we mentioned, there's already a bunch of standards that have been around for a few years on this. So a couple of them are the NIST 800-63-3 identity and authentication standards.
So what this does is prove who a user is remotely, published by the NIST government body, and there's really a flavor of this in nearly every country that's pretty much the same. It combines your identity anchors (could be driver's license, national identity documents) with your biometrics. So it matches your face to the driver's license. There's a certifying body called Kantara that says, "Yes, they do this form of identity onboarding properly." 1Kosmos is Kantara certified for NIST IAL2 and AAL2, for example, and that biometric is getting a lot of attention lately. When I was at the Money20/20 Conference, a few months back, there was no less than a dozen companies that just scan your face and tell you who you are. So there's a whole certifying body. This has to be done right, otherwise you run into the problems around decisioning bias, which used to be called racial bias, but now decisioning bias is much broader and the proper term.
Of course, using that identity, that exchange that you saw, where I click a button and I'm logged in automatically is a passwordless exchange. It's based on public-private key cryptography. The standard for using that in commercial technologies is FIDO, right? Stands for Fast Identity Online. It's been around since 2013. 1Kosmos is a sponsor level member here and this ensures that you have a privacy-preserving way to use that identity and when you put these together I'm using this cryptographic proof, like what I did with MetaMask and inside that wallet is proof that I am this person in the real world. You have what organizations can use to do things much better than what they do today to authenticate their employees, their contractors, even their customers. This is where identity and Web 3.0 will go. It's going there now because the technology supports it. We just have to get it built into the fabric. So a bit of a monologue there, Gary, I'll let you say something here as well.
Gary Z:
I think there's a couple of things to add to that. Those standards have been around for a while. New ones are starting to bubble up through W3C around decentralized identifiers and verifiable claims or credentials that are starting to get some traction in the marketplace too. So not only are the standards that are getting built into the actual devices and how you capture stuff in the wallets but covering the protocols and how you exchange that information too. Getting back to that trust over IP stuff, it's laying out the communication and the standards for how those credentials and identifiers are verified and exchanged. Then when you get into the Web3 infrastructure, the actual network, Ethereum has first-mover advantage. So the people that are working on Ethereum are creating standards for what the tokens look like and how the smart contracts behave because almost all of the work around the actual capture of state and the network is based on the EVM, the Ethereum Virtual Machine. So those are all things that are solidifying to make this stuff work a little better than it does today, which is in the Wild Wild West.
Mike Engle:
Yeah, absolutely. Now, how could you leverage this in your Fortune 500 company today? It's actually being done and so the idea is similar to how you had that issuer in the top left corner of the issuer-holder-verifier model is your organization can embrace a digital wallet to engage with employees or contractors. So imagine the wallet that I pulled up here just a second ago, where I could simply come to my organization's website, scan a QR code, or otherwise press a button to engage with them and my information is transmitted either because they need all of it. Here's a copy of my driver's license because you have to fill out an I-9 anyway, or just an attestation that's trusted that says, this is Mike Engle.
Gary Rowe:
Hey, Mike, let me jump in for a second. At least on my screen, your slides are not advancing.
Mike Engle:
Okay.
Gary Rowe:
So I still have up the digital trust model slide.
Mike Engle:
Got it. Got it. Okay. Thank you. I'm going to reshare and see what happens here.
Gary Rowe:
There we go.
Mike Engle:
Okay. Yeah. This probably makes a lot more sense with this slide, if you didn't see this. So this is one we just talked about a second ago. It's the combination of NIST, FIDO, and iBeta coming together to prove who somebody is remotely. Thanks for... I could have talked all day to a blank screen, Gary, and I-
Gary Rowe:
I think we all can, but...
Mike Engle:
Yeah. It's like when you're on mute. So yeah. And just expanding that a bit is the concept of your citizen documents are needed by your employer anyway, they're needed by your bank for a new bank account. So let's do it digitally and then layer on top of it, the corporate or customer consumer credential to go along with it. The consumer is in control of its usage, but the service provider can turn the account on or off inside their service and not have to accept it anymore. So you close your bank account, right? Very straightforward in concept and we're seeing the adoption of this really take an uptick because of COVID. Everybody has to prove who they are remotely one way or another, or try and the fraudsters have been really coming at everybody because of all the holes in the system here today.
Then in terms of how that could flow downstream into your existing IT functions. We all have IAM systems that we work with or use as customers, and they all need strong identity. So we've got a couple key, major functions within our organizations today that if you had the combination of the cryptographic key, the biometrics, you could then have cryptographic undeniable proof as these systems are being used here on the right. So this is how I see Web 3.0, really being embraced by organizations in a way that's maybe not that obvious of its linkages. So Gary, would you say that Web 3.0 is a corporate function today? I don't think you're ever going to go into your clients in the short term and say, "Hey, customer embrace Web 3.0," but you can see how we could bridge the gap together here. Right?
Gary Z:
No, but people are playing with it even outside of the world of IAM. So using credential verification, some credit unions in the United States are starting to use this to take the place of their password regime already. So that when you try and do something with a credit union, you don't have to keep repeating information over and over again, as you move through the different services. Then in England, they're starting to use this for doctors to be able to exchange their credentials when they move around inside of the health system. So if they're working in London one day their credentials, and then they go to Glasgow the next day, they can present them there. So that the hospital knows what they're licensed to do, et cetera, and so forth. So this is going beyond just identity in the true sense of computer systems, but actually how people are interacting with each other in the real world.
Mike Engle:
Yeah.
Gary Rowe:
I do think that although most large organizations are not diving into the deep end with this yet within those organizations, because these are the kinds of things as we interact with them, that we push out there in the innovation arm of organizations, as they're looking at new future state models. This is getting a lot of visibility and attention there. We found a lot of receptivity over the last several years to the concepts of decentralized identity that doesn't mean they're necessarily deploying in numbers yet at least.
Mike Engle:
Yeah. Yeah. There are some technologies, as I mentioned that are out there today. I want to show one on the screen and see if it pops up. One of the questions that came in from one of our attendees here, he said, "How do you protect the identity?" And we've brought this up a couple times. Well, there's a few ways to do that. We'll get a little bit into the Q&A here. There's been already 14 answered questions. Thanks, everybody for asking them. This is an example of a cold storage wallet. Let's see, there you go. It's made by a company called CompoSecure. This platform's called Arculus and this has my private key on it. There's a phenomenal form factor and there's lots of cold storage wallets you can buy. They're USB-based or similar. But we're seeing a marrying where imagine if your credit card, which you use every day and you very rarely lose had the private key on it in a way that you could use it easily.
So what you can do now is take something like this, tap it to the back of your phone. And that is the secure transaction. It'll use NFC and that digital sign challenge-response goes to the remote system. You've basically done what I showed you with MetaMask and my browser, which can be stolen and the password's right there somewhere in my computer and it's turning into something. It's really like having a driver's license in your pocket. So this is just one example. It's getting more and more popular. The form factor is really key. Of course, our smartphones are the most common or most viable form factor for us to use. But of course, the bad guys are trying to figure out how to get into them as well. So another question that came up that you guys might have some comment on is how does the slow rollout of digital driver's licenses affect Web 3.0, and I'll just start by saying that it is a shame that we have to scan the driver's license manually using OCR when you have countries like Estonia that have had it digitized for 20 years.
So yeah, we're in our own way on that one, right? This here is something I put together to tee this up. There's a handful of the mobile driver's license is one way that hopefully you'll be able to get your digital driver's license and then use that to present to a third party someday much like you walk up to the TSA agent and show them your driver's license. And they look at it, inspect it, same thing with your passport. There is a path by the ICAO, which is the United Nations organization for passports, to digitize the passport. It's making great progress. Apple announced the Apple Wallet. So you can put your driver's license in there in some states, although with Apple, it's probably going to be a closed walled garden kind of thing. Of course, that's only one platform of many, so it's starting to happen and I'm optimistic about its future.
Gary Z:
I think one of the things that we have to keep in mind here when you say states are slow on the uptick for digital licenses. I think there's a couple of reasons for that, right? One is that there's all of these agreements that basically codify the cooperation between the legal entities. So if Illinois decides it wants to do a digital driver's license, it has to go and negotiate that with the 49 other states to basically say, this is an acceptable form of this. The second problem with it is how do you use it offline. Three o'clock in the morning, get pulled over because your taillight is out. You show them your phone and there's no internet. So how do you prove who you are?
So those are some problems with some of these credentials that have to be worked through and that is going to slow adoption to this stuff. But I think the idea is that they are credentials. They aren't identities and they're not necessary for everything. So for instance, the old way of looking at things. I pull up my license to prove that I'm over 21. I don't have to do that anymore because I'm an old guy but that doesn't necessarily have to be done anymore. Because you can have a zero-knowledge proof that is scannable on your phone that says, basically I can prove that I'm over 21. So there are ways to use this that aren't necessarily dependent on the institutions formally adopting this because of some of the things that I mentioned earlier.
Mike Engle:
Yeah, absolutely. Well, we're coming up on the top of the hour here. We're going to wrap things up just so everybody has five minutes for a between-meeting sprint. I really appreciate you guys coming on and having this discussion with me. If you have any closing thoughts or any information on where folks can learn more about TechVision Research, anything you have coming in the next few weeks or months.
Gary Rowe:
Sure. You can go to techvisionresearch.com. We do have our annual conference that is from November 7th to the 9th in San Diego and there's details on that. 1Kosmos will be participating in our conference. It'll be two and a half days and it's going to be a live event. We plan to be in person unless if things change-
Mike Engle:
Don't say it. Don't say it. We'll be there-
Gary Rowe:
I know I should not say-
Mike Engle:
San Diego. We're going to San Diego period. That's it.
Gary Rowe:
San Diego, California. November. Not a bad place.
Mike Engle:
That's right. Yeah. No, thank you for that. And yeah, of course, 1Kosmos the number one cosmos with a K, and thanks again. I'll just say thanks for all the women out there, making things so much better than they would be without you. We'll see all of you online and thanks again for your participation. I appreciate it.
Gary Rowe:
Thanks, everyone. Thanks to the team at 1Kosmos.
Mike Engle:
Have a great day-
Gary Z:
Thanks, everyone for listening. It's been great.
Mike Engle:
I'll just stick on and make sure the questions are answered, but thanks for answering all them from the team. I appreciate it.
Thanks, everybody for joining the webinar today. My name is Mike Engle. I'm joined by Gary Rowe and Gary Zimmerman will introduce ourselves in just a minute. But I wanted to start by just acknowledging International Women's Day. At one 1Kosmos, we embrace diversity and all the value that women bring to the table throughout all of our endeavors. So please join us on LinkedIn. We'll be recognizing a bunch of contributions and it's a great way to show gratitude and in many ways is overdue.
Gary Rowe:
Yeah, yeah, absolutely. And certainly from the team at TechVision, we support diversity, fairness, inclusion, a lot of the efforts that are going on. We see a lot of that, the identity space and the security space to get more women programmers and just involvement to open those doors and opportunities, I think is a great thing.
Mike Engle:
That's right. Thank you. And just a couple housekeeping items. We do have another webinar coming up in about a month, really focusing on multifactoral authentication. It's everybody's deploying it. Zero trust is in full swing in a lot of organizations, but it's under attack more than ever and we're going to talk about some of the ways that these gaps can be closed and really fixing the user experience that we've been struggling with. So Maureen or one of the other folks here will be putting a link to that. It's on our website as well. So sign up if you can, and just wanted to invite anybody who's on this call to come try out our technology. It's right there on the homepage. You get the app and you can experience what it's like to authenticate with single touch multifactor experience. It's pretty cool. Once you do this in any of your applications, you will not want to go back.
Lastly, my chief revenue officer Kevin Brown is giving away a $50,000 identity package. So we'll pick a winner randomly from the attendees today. You'll get an email, he'll go over the details, and if you can accept it great, and we'll be announcing who wins if they choose to have that be public, but it's not required. So let's jump in. So as I mentioned, my name is Mike Engle. I'm co-founder and head of strategy at 1Kosmos. 1Kosmos is the leader in identity management, both onboarding, passwordless authentication, real biometrics. I'm joined today by Gary Rowe and Gary Zimmerman. Gary Rowe, would you like to say hi?
Gary Rowe:
Yeah, I would, and let me say a few words about the presenters in this event from my perspective, hopefully, you will feel this, but I think you're in for a treat today. Mike has tremendous hands-on experience in the finance community in the area of security but then has built including being one of the founders for 1Kosmos several companies and has been directly involved in trying to move the internet security and technology forward. Gary Zimmerman who's on this call I've worked with for many years, he's a phenomenal analyst. He has expertise in big data in innovation and decentralized identity technology and is in the middle of doing primary research for TechVision's report on Web3, which is of course the main focus for today's session. So we'll leverage Gary's expertise there.
I've been in the middle of the identity space for a long, long time and used to help run a company by the name of Burton Group. That was pretty well known in the identity space, spent 12 years as president of Burton. Then co-president of what became GTP at Gartner after we sold Burton to Gartner in 2010, did several entrepreneurial things, including in the decentralized identity space, and then recognized there was a gap in the market and gap in the market we helped create and then formed TechVision Research in 2015. A lot of what you hear today, at least from the TechVision perspective will be based on not just Gary and me, but our analyst team. We do equal parts research and consulting. So we do a lot of projects for large organizations and infuse that into our research, but that much like a Gartner or Forrester or somebody, we do the briefings. We actually found out about 1Kosmos some time ago based on one of our large customers saying, "Who are these guys? We find them real interesting." That kind of started this relationship.
We don't cover everything. We look at identity and security and disruptors, and governance and privacy, and how we're going to build these next-generation ecosystems. I characterize it as this point of intersection between large enterprises, Wall Street, so to speak, and Silicon Valley, what are the disruptors? Where are things going? A Web 3.0, some of the stuff that 1Kosmos is doing fits right in that portfolio. If you can switch slides, please.
Mike Engle:
Sure thing.
Gary Rowe:
And I'll say a few words about just what we want to cover today, but let me say that, and Mike, Gary, and I talked a lot about this. I think we can get the most out of it by having a discussion by having a dialogue. Honestly, what we all are looking to do is to help figure this stuff out and help figure out how can we improve on a lot of the challenges we've had in identity and security over the last several years.
We saw a lot more of that, of course, during the lockdown over the last couple of years. So we'll start with what is Web 3.0, we'll try to carve through some of the hype and just give some clear definitions there, but we can learn from the past. So especially when it comes to identity and security and Web 3.0 and ownership and things like that, we'll then look at identity's role that it's traditionally been in Web 2.0 and look at how that will move forward, how we'd like that to move forward. Some of the things 1Kosmos is doing to promote that as we move to Web 3.0, and then pragmatically, what can you do today and tomorrow? So we'll look at coming up with some succinct recommendations. So with that, Mike, I'll turn it back over to you.
Mike Engle:
Great. Yeah. We're going to have a little bit different format today. It's similar to some we've done in the past. We're just going to have an open dialogue about each slide. There's not a whole lot of slides and really this is it. The material's pretty straightforward. We're going to get pretty deep into it and starting with the definition of Web 3.0 is all over the map. When I Googled this over the last couple weeks of getting ready for this webinar, the first three hits on Google were completely different definitions. So I went here and grabbed this from Wikipedia. But what I think we agree is that it's decentralized, that's the one common theme that is across every definition. It's pushing the control into the network and we're going to talk about that in some detail, even the labeling of it is different and being argued about in many threads, right? Is it Web space 3? 3.0 no space? So, you know-
Gary Z:
The cool kids call it Web3.
Mike Engle:
The cool kids. Okay. Right. Web no space three. Right?
Gary Z:
Exactly
Mike Engle: Lower case W, right? So I don't want to get in trouble. I got yelled at using the wrong emoji with one of my kids yesterday, but no, this is what we're going to talk about here today. It's really, this is changing the way that we are engaging with computers, technology, assets, and so forth. So with that, I'll jump in. And like I said the key promise in Web3 is decentralization, right? So if Gary Z, if you'd maybe just run through a couple of these points.
Gary Z:
Yeah, sure. I get to answer some of the more geeky parts of this here. So the first one is that in the current state of the protocols for the internet, it doesn't capture, what's known as state. So it doesn't know who is who, it doesn't know who owns what, it doesn't know who has access to what. So all of that information is captured on the server-side of the network and that created a situation where the network is basically not aware of what is happening. When we move to web3, that changes. So state is captured in the network. So it no longer has to be held at the server level by the company or whatever and so that makes things a little more equal in the network and that gets to the point of user's in control.
That means that the user can now share information from a client to a server, without having to basically beholden to that server. The final thing about this, and Mike brought up the decentralization is that that state is captured across the entire network. So no longer is there a central server that holds all of that stuff, it's replicated across a thousand servers in the network. And that allows people to do things like create metaverses, you've heard that term lately, but basically, it's allowing people through wearables and AR, AI, and ML to work through participation in the web, as opposed to just point and click kind of stuff. Then the big thing that people are talking about now is decentralized finance. So changing the role of central banks and fundraising to more of a democratic populous way of doing it. Of course, NFTs, which are the hottest things. They're like baseball cards just in electronic form.
Mike Engle:
Yeah. Yeah. If I hear one more story about NFTs and monkeys being sold for $60 million, I don't know what to do. But there's a couple of icons here on the right that I thought were really interesting. There's a network which promised to decentralize even Wi-Fi access. So you put up one of these devices in your neighborhood and you can get incented to broadcast that network out to the masses and let people use it. Then we're going to talk a little bit about the concept of tokenization on the next slide. The other one is this the constitutional DAO. That they call DOAs decentralized autonomous organizations. You can actually have an organization that lives in code through smart contracts, which I'm sure most of you have heard of on distributed technology and it can do things. So a group of people set up a DOA that almost bought one of the copies of the constitution for $40 million. That's a real game-changer and the point of this disruptive scale here on the third icon. So more to follow on that.
Gary Z:
Yeah. The one thing about the DOAs are really interesting, because basically, the internet doesn't have any rules about how values exchange or any of that kind of stuff, or even how people interact. It's just protocols that make those things happen. When you move into Web3, when you start talking about things like DOAs basically the behavior on the network is coded into the network itself. So when you want to change how things happen in the network, you actually have to go and get the community to agree to that. Then the changes are actually made in the network. So it's a completely different view of how you go about doing business.
Mike Engle:
Yeah, that's exciting stuff. Of course, the devil's always in the details when things go wrong in those, but we'll see how that shakes out. Just moving on for the rise of the token economy, right? NFTs are tokens. Tokenization is really a key aspect of Web 3.0 as well and it's a way for you to participate in the network in ways that you couldn't do before. So I know this was a lot of your material here, Gary Z if you could run through this again for me.
Gary Z:
Yeah, sure. That first bullet there, it's a fundamental shift in the economic model. We got used to in Web 1.0, the fact that everything, all the information that we got was free, and that basically carried over into the interactive part of Web 2.0. And what that meant was that the only way to pay for the services we were getting from these providers was that for them to figure out how to monetize that in the different way than order basically asking us for subscription fees. So they basically started selling to advertisers our data and more importantly, our attention.
So what we have now is basically an attention economy. So companies like Facebook and Google and others put in front of you, ads that advertisers are basically paying them to put in front of you. They continue to drive more and more attention so that they can make more and more money. In Web3, because of the way tokens are working that shifts over to more of a decentralized model where the actual creators of content are the ones that now can monetize those. So it's no longer giving goods away for free, and it's no longer having the advertiser pay for your attention. It's basically an exchange of goods and value based on the tokens. Right?
Mike Engle:
Yeah. Did the activity here, just a couple of stats on this, the venture capital deployed over $30 billion last year into crypto startups, right? And many of them were the OpenSea types, the NFT pure platform plays. And the number of 65 crypto unicorns last year alone has come up 40 of them created last year alone. So in one year, 40 companies went to a billion-dollar in valuation and they've raised just tons and tons of money. So the crypto market cap exceeds over three trillion. So we have to pay attention to it. It's going to impact our lives in one way or another.
Gary Z:
Yeah.
Gary Rowe:
Yeah. Mike, let me jump in and make a couple of observations. The first it is hard to overstate. There's a couple of bullet items on here and a couple of points that are made about the rise of the token economy. It's hard to overstate how disruptive this is and the level of economic impact this potentially can have by simply moving from an environment where a relatively small group of large enterprises have had the ability to control the content, much of the content, the ad revenue associated with that and so forth. The network effect as we all call it has really kicked in the ability to have these tokens to instantiate rules and controls and intention can change so many things. I think that's been a big part of the investment that we've seen in this.
I think we've seen the financial community, the VC community looking at this and saying, this could be the disruptor. And if you think about it from the perspective of the web, and I'll just give a pretty high-level perspective, but for me to simplify things helps. So Web 1.0, that obviously passed many, many years or decades ago was all just static information. We would post things up there and it was a great environment to read and learn. Web 2.0, was all about consuming and creating. So we now engaged individuals. We engaged companies to actually write, but it was all, as Gary mentioned earlier, it was all then funneled through a relatively small number of orchestrators so to speak. Web 3.0 is read, write and instantiate some level of ownership or some level of control and I think fundamentally if you look at that really changes our model and in a lot of the details now that we'll walk through in terms of how identity services and other kinds of things support that are going to be really critical to actually execute on it a safe and secure way.
Mike Engle:
Yeah, thanks, Gary.
Gary Z:
Yeah. And just briefly, the network behaviors incented by the tokens, just a couple examples of that. If you try a crypto browser like Brave, it actually gives you the opportunity to earn tokens based on whether or not you want to look at ads. So they actually pay the user to look at ads from companies that are trying to get in front and enlarge their audience. And you could actually give some of those tokens back if you really like the content that you're viewing. And the same thing is true on Coinbase, which is another big place where people look at this stuff. They'll actually pay you in particular crypto to learn stuff about that crypto. So you're actually earning "money" by giving your attention. So it is just a way it's a change in the way the model's working. The platforms don't earn that money you do.
Mike Engle:
That's right. Yeah. And a key enabler, nice segue is at the heart of these transactions is cryptography. So cryptocurrency has borrowed on that term as well and the individual that participates in this economy has a private key that gets stored in a wallet. Now, you mentioned Coinbase, Coinbase is famous for being a custodian for everybody's wallet and making it really easy where they keep the keys, but it is this key that lets you participate in a network where nobody else can do that other than you being the key holder. So, at 1Kosmos, we built a platform that's based on this type of key technology and we're going to talk a lot more about how this key can become an enabler in identity on a few slides here. But this is one of the main enablers of this new economy that's popping up.
Gary Z:
I think the key here is it's in italics if the crypto wallet is an application and so it behaves just like any other application. You need to authenticate and you need to be authorized to let it do what it needs to do and that's one of the big problems that are facing what's happening in Web3 today.
Mike Engle:
Right. Yeah. Just like in the real world, you lose your driver's license, lose your pass passport, you have trouble, and it's quite a pain to go get that stuff back or recreated and the crypto world's no different. In fact, it's impossible and we've seen those types of challenges where people have lost $200 million worth of stuff because they can't find their wallet but with great power comes great responsibility as our friend Spider-Man's uncle said.
Gary Z:
Yeah, but that creates another dynamic that's probably going to take a while to fix, which is the users now have to take on that responsibility and that's something they're not used. So if I forget my private key, I can't go to somebody and say send me a link to reset it. It doesn't work that way. Right?
Mike Engle:
That's right. If it did, it would defeat the purpose.
Gary Z:
Exactly.
Mike Engle:
Now how identity flows into all of this have a little bit of a kind of path down the identity side of Web 3.0 and first starting by where we are today. That is where our identity is really being held, at least in our usage of it by a handful of participants. There's only a few icons here, but you get the idea, right? There's obviously more than two banks but there's a handful of tech giants, the FAANG types and they are the custodian. So imagine this, I'm a huge Google user. I've had Gmail since forever, and I have probably five or six Gmail accounts. If Google were to wake up one day and change something and say, "Hey, mike@google.com, there's something wrong with your account. We don't like it. We're turning it off."
They've basically taken that identity away from me and I cannot get it back. And of course, Facebook, everybody knows the example there. Also then in similar worlds, the banking industry owns all of your banking info and may let you use it if you're in open banking, for example, and share that information with somebody who's requesting it to give you banking services like opening a new mortgage. Of course, the credit bureaus are a third big player here where they just own so much data about you and it's all in a central easily hacked a history will show database. So imagine applying some of these principles to Web and pivoting away from that in Web 3.0. So we'll kind of get into this and the most recent example, that's probably been front and center of many of our attendees in the audience here is what happened with the IRS over the past two months.
So there was a big announcement where the IRS would only allow you to participate in certain IRS activities if you proved your identity, using some identity proofing technology that involved your biometrics and scanning your driver's license. This company would centrally store, and then be your custodian of your identity as you went on and did things with various government services, IRS, or at the states, et cetera. And when this really cracked open, Krebs posted a big article about this, and it had a cascading effect. There was a major backlash because this really a Web 2.0 type thing. So Gary Z I'm wondering what your thinking was when you saw this unfolding in real-time, it's kind of a mixed bag.
Gary Z:
Well, it is because, it created a concept of identifying the metrics with particular individuals and storing that centrally, which is all something that is a no-no when you're trying to work in something that's more decentralized and more privacy-oriented. So I can understand why this didn't work out very well.
Mike Engle:
Yeah. Yeah. Gary Rowe, would you scan your driver's license in order to pay taxes?
Gary Rowe:
Maybe.
Mike Engle:
If you had to, right?
Gary Rowe:
If I had to, and I understood the infrastructure behind it. I don't think most would look in at that level of detail, but it's scary. Where do they store it? How do they store it? How do they use it? Is there potential for replay attacks? There's a lot of issues with doing that. So you have to have some level of trust between your scanning of that driver's license and understanding how it's used and how your identity is instantiated beyond that. And which leads us to a lot of the discussions around tokenization of course.
Mike Engle:
Yeah. Yeah. Imagine-
Gary Z:
Being a little facetious. I'd probably do that more if I was getting a refund rather than if a [crosstalk 00:31:20].
Gary Rowe:
Yeah.
Mike Engle:
Yeah, exactly. Exactly. Yeah. Who would want to file a fraudulent tax return just for the sake of giving them data? Right?
Gary Z:
Exactly.
Mike Engle:
Yeah. Yeah. So, there's a lot of sins of the past that we can learn from, as we build out a Web 3.0 world. And if you watch the specifically, mainly the NFT news, you're seeing a lot of the same types of patterns that we've been hit with in the past, in quote, Web 2.0 world, right? Where the wrong people are able to do transactions, where things are copied and reproduced without permission, and so forth. And this is, I think really just a matter of the human side of it just not catching up yet from a proper regulatory or proper implementation of the technology perspective.
Gary Z:
When I look at this the technology is never going to be able to eliminate the bad things that people do to one another. So fraud and theft are going to be there. All you can do is basically ratchet down the technology to minimize what goes on in that space. But you cannot govern human behavior based on that. So what you're going to see out of here are people phishing to get credentials, to do what they need to do, people pretending to be something that they're not, that's spoofing, and people trying to hack into places to get information or in this case, particularly get tokens. So that's going to happen unless you can figure out some way to tighten down who's really doing what with whom in that and I think it requires us to relook at identity in this space.
Mike Engle:
Yeah.
Gary Rowe:
Yeah. Yeah. Relook at identity, relook at where information is stored, how it's stored. At TechVision we've done I think Gary four or five research reports doing just about every year because it changes on decentralized identity. And in the old days, there was all kinds of data that shouldn't be stored in the distributed ledger that was stored there. So that is where even though we're seeing standards and we're seeing this technology emerging in a decentralized way, you certainly want to look at the vendors. You want to look at the specifics about how it's stored, where it's stored, what information is on a public or even private ledger. Are you using that just to authenticate and to validate that you are who you say you are or are you baking other things into that? So I think there's a lot of details in the weeds that we want to be thinking about as we look at deploying this.
Mike Engle:
Yeah. So that's another great segue, Gary. So we've already had standards on how to solve some of these problems for years. The term decentralized identifiers has been around since, for certainly the beginning of 1Kosmos. And it has a very well-known concept, which is called issuer holder verifier that we'll just touch on here briefly because if these techniques are applied properly to Web 3.0 transactions, it brings a lot of credibility to the table that's missing. So imagine if the IRS allowed you to onboard your identity and they Scout's honor triple dog swear that it is in your possession only, and you can transmit it to them with your permission. They would only use it to say yes or no, that this is the person paying taxes or receiving a refund.
That's the promise of the technology and so you could have a number of sources of people that already have some type of identity information about you. Of course, our governments issue driver's license and passports. Your banks maintain your financial identity because who else is going to do it? And even your phone, your telco has a lot of information about your SIM, which is something you have, your phone, where you are, where you typically are, et cetera, and can provide a lot of truth. Is this really Gary Rowe that I'm dealing with? So these one way or another, this can be issued and now you have the concept of a decentralized network. This is a part of the trust over IP model coming out of the Linux Foundation. So you have this layer one public utility where your information can be shared in a privacy-preserving way.
And what's given to the individual as the holder protected with that private key that we've mentioned a few times is the credential that they then hold. Finally, they can then leverage that identity and give it to what's called a relying party or a service provider. It can be anybody who wants to consume that and the real key here is you're not going back to a central server to have to validate it. The trust is here because we trust the cryptography in the network to say that I'm about to go on this website here. I'm asking for this proof of identity that was issued by somebody I trust. I don't have to go to them to ask for it. So this person stays in control. So I'll turn it over to you, Gary Z because I know you've done a lot of work in this space as well. And, and Gary Rowe, I know you've even formed a company that does this type of thing as well.
Gary Z:
Yeah, you've outlined it pretty well, Mike, but the point here is that the issuer issues, which so the KYC proofing identity are actually credentials, right? They issue a credential to the holder and they digitally sign it and they hash it and they encrypt it so that it is what it is and it can be verified and authenticated. The holder presents that to the relying party as part of the authorization or authentication processes that they do. The relying party dips into the blockchain to make sure that they can pull the right information from the issuer to allow them to verify that the hash is correct, that they actually digitally sign that and that the owner's the one who actually has the right to use that. So the blockchain doesn't contain any of those credentials. It basically contains IDs, keys, pointers, and proofs. That's what's in there so the blockchain itself doesn't contain identity. It basically contains those kinds of things that allow the relying party to verify what the holder's actually presenting.
Mike Engle:
Yeah [inaudible 00:38:43] that cryptographic trust. Yeah.
Exactly.
Gary Rowe:
Yeah. And one of the things that, we actually put it in the title of this webinar, it's something that's actually one of our primary research themes. The whole world's talking about zero trust, of course, at least in security and identity circles. But I think it's real important to look at zero trust and zero friction together because it's all a balancing act. When you think about the potential of this digital trust model, and when you think about the potential of Web 3.0 associated with that, there's an opportunity when we think about in particular verifiable claims or verifiable credentials associated with this. There's a real opportunity to have something that allows the individual to specify what they want to have a seat at the table and to drive the conversation.
But from the relying party's perspective, if there's some level of verification of these claims of these credentials that are being made, we can somewhat have our cake and eat it too. We can have better security with something that is actually much more user-friendly and that gets into some of the things we'll talk about more. How easy to use and available are these wallets? How do you update those kinds of things? There's a lot of infrastructure pieces that need to be built in, but this is fundamentally I think a really interesting, solid model that gives us a lot to move forward with and in a very disruptive way.
Gary Z:
Just quickly to amplify some of the things that Gary's saying there, if you think about how we do things today, if I want to buy something, I go on a site, I click, I put it in the cart, then I have to go fill out my credit card information. They have to verify that and I put in my address and they have to verify that. Then they're going to tell me whether or not they can ship it right? Part of the reason that the websites capture all of that information is to make it easier for someone to do that on repeat purchases. So you don't have to enter that stuff over and over again. Think about what a model would be is if you have all of that information as a holder in your wallet.
So the website that you're dealing with is basically saying, I'm glad you want to buy these things how do you want to pay for it? And you basically tell your wallet. I want to use this and then it comes back and says, where do you want me to ship it to? And you go to your wallet and say, use this. And you're done. There's no entry. They don't have the information that they're keeping. It just is a much smoother experience and that's what the promise of some of this stuff is.
Mike Engle:
Yeah. Yeah. I'm going to go a little bit off-script. We didn't talk about this guys, but this is an example of my quote identity on a public NFT website called OpenSea, right? There's literally millions of these things floating around. A lot of bad press in the news lately with scams and people stealing things. But the idea of identity here is simply you present a private key. So if I were to authenticate here, it pops up and says, present your wallet. Imagine I'd pull my driver's license out and I could hold it up to the camera and prove to you who I am. They're not there yet, but that's where this will go based on a couple of standards that could kind of solidify what your identity is in a Web 3.0 world. So if I have just a simple browser-based wallet here, this is MetaMask, very popular, and I can simply click here.
It's now reading this wallet and it knows who I am without me having to type anything in. Obviously, that's not me. That's done on purpose. You can see that's not my face, but now as I'm engaging with the system, I'm just this wallet address. There's no identity linked to it. The future of this would be if I could take something that actually has a real identity bound to something that would be trusted and use this to sign transactions, to purchase things, or whatever, if the user wanted to you could buy something anonymously in this world. And that's typically what it's used for today, but that's how this is going to change. As we mentioned, there's already a bunch of standards that have been around for a few years on this. So a couple of them are the NIST 800-63-3 identity and authentication standards.
So what this does is proves who a user is remotely published by the NIST government body and there's really a flavor of this in nearly every country that's pretty much the same. It combines your identity anchors could be driver's license, national identity documents with your biometrics. So it matches your face to the driver's license. There's a certifying body called Kantara that says, "Yes, they do this form of identity onboarding properly." 1Kosmos is Kantara certified for NIST IAL2 and AAL2 for example and that biometric is getting a lot of attention lately. When I was at the Money20/20 Conference, a few months back, there was no less than a dozen companies that just scan your face and tell you who you are. So there's a whole certifying body. This has to be done right otherwise you run into the problems around decisioning bias, which used to be called racial bias, but now decisioning bias is much broader and the proper term.
Of course, using that identity, that exchange that you saw, where I click a button and I'm logged in automatically is a passwordless exchange. It's based on public-private key cryptography. The standard for using that in commercial technologies is FIDO, right? Stands for Fast Identity Online. It's been around since 2013. 1Kosmos is a sponsor level member here and this ensures that you have a privacy-preserving way to use that identity and when you put these together I'm using this cryptographic proof, like what I did with MetaMask and inside that wallet is proof that I am this person in the real world. You have what organizations can use to do things much better than what they do today to authenticate their employees, their contractors, even their customers. This is where identity and Web 3.0 will go. It's going there now because the technology supports it. We just have to get it built into the fabric. So a bit of a monologue there, Gary, I'll let you say something here as well.
Gary Z:
I think there's a couple of things to add to that. Those standards have been around for a while. New ones are starting to bubble up through W3C around decentralized identifiers and verifiable claims or credentials that are starting to get some traction in the marketplace too. So not only are the standards that are getting built into the actual devices and how you capture stuff in the wallets but covering the protocols and how you exchange that information too. Getting back to that trust over IP stuff, it's laying out the communication and the standards for how those credentials and identifiers are verified and exchanged. Then when you get into the Web3 infrastructure, the actual network. Ethereum has first-mover advantage. So the people that are working Ethereum are creating standards for what the tokens look like and how the smart contracts behave because almost all of the work around the actual capture of state and the network is based on the EVM Ethereum Virtual Machine. So those are all things that are solidifying to make this stuff work a little better than it does today, which is in the Wild Wild West.
Mike Engle:
Yeah, absolutely. Now, how could you leverage this in your Fortune 500 company today? It's actually being done and so the idea is similar to how you had that issuer in the top left corner of the issuer holder verifier model is your organization can embrace a digital wallet to engage with employees or contractors. So imagine the wallet that I pulled up here just a second ago, where I could simply come to my organization's website, scan a QR code, or otherwise press a button to engage with them and my information is transmitted either because they need it all of it. Here's a copy of my driver's license because you have to fill out an I-9 anyway, or just an Attestation that's trusted that says, this is Mike Engle.
Gary Rowe:
Hey, Mike, let me jump in for a second. At least on my screen, your slides are not advancing.
Mike Engle:
Okay.
Gary Rowe:
So I still have up the digital trust model slide.
Mike Engle:
Got it. Got it. Okay. Thank you. I'm going to reshare and see what happens here.
Gary Rowe:
There we go.
Mike Engle:
Okay. Yeah. This probably makes a lot more sense with this slide, if you didn't see this. So this is one we just talked about a second ago. It's the combination of NIST, FIDO, and iBeta coming together to prove who somebody is remotely. Thanks for... I could have talked all day to a blank screen, Gary, and I-
Gary Rowe:
I think we all can, but...
Mike Engle:
Yeah. It's like when you're on mute. So yeah. And just expanding that a bit is the concept of your citizen documents are needed by your employer anyway, they're needed by your bank for a new bank account. So let's do it digitally and then layer on top of it, the corporate or customer consumer credential to go along with it. The consumer is in control of its usage, but the service provider can turn the account on or off inside their service and not have to accept it anymore. So you close your bank account, right? Very straightforward in concept and we're seeing the adoption of this really take an uptick because of COVID. Everybody has to prove who they are remotely one way or another, or try and the fraudsters have been really coming at everybody because of all the holes in the system here today.
Then in terms of how that could flow downstream into your existing IT functions. We all have IAM systems that we work with or use as customers, and they all need strong identity. So we've got a couple key, major functions within our organizations today that if you had the combination of the cryptographic key, the biometrics, you could then have cryptographic undeniable proof as these systems are being used here on the right. So this is how I see Web 3.0, really being embraced by organizations in a way that's maybe not that obvious of its linkages. So Gary, would you say that Web 3.0 is a corporate function today? I don't think you're ever going to go into your clients in the short term and say, "Hey, customer embrace Web 3.0," but you can see how we could bridge the gap together here. Right?
Gary Z:
No, but people are playing with it even outside of the world of IAM. So using credential verification, some credit unions in the United States are starting to use this to take the place of their password regime already. So that when you try and do something with a credit union, you don't have to keep repeating information over and over again, as you move through the different services. Then in England, they're starting to use this for doctors to be able to exchange their credentials when they move around inside of the health system. So if they're working in London one day their credentials, and then they go to Glasgow the next day, they can present them there. So that the hospital knows what they're licensed to do, et cetera, and so forth. So this is going beyond just identity in the true sense of computer systems, but actually how people are interacting with each other in the real world.
Mike Engle:
Yeah.
Gary Rowe:
I do think that although most large organizations are not diving into the deep end with this yet within those organizations, because these are the kinds of things as we interact with them, that we push out there in the innovation arm of organizations, as they're looking at new future state models. This is getting a lot of visibility and attention there. We found a lot of receptivity over the last several years to the concepts of decentralized identity that doesn't mean they're necessarily deploying in numbers yet at least.
Mike Engle:
Yeah. Yeah. There are some technologies, as I mentioned that are out there today. I want to show one on the screen and see if it pops up. One of the questions that came in from one of our attendees here, he said, "How do you protect the identity?" And we've brought this up a couple times. Well, there's a few ways to do that. We'll get a little bit into the Q&A here. There's been already 14 answered questions. Thanks, everybody for asking them. This is an example of a cold storage wallet. Let's see, there you go. It's made by a company called CompoSecure. This platform's called Arculus and this has my private key on it. There's a phenomenal form factor and there's lots of cold storage wallets you can buy. They're USB-based or similar. But we're seeing a marrying where imagine if your credit card, which you use every day and you very rarely lose had the private key on it in a way that you could use it easily.
So what you can do now is take something like this, tap it to the back of your phone. And that is the secure transaction. It'll use NFC and that digital sign challenge-response goes to the remote system. You've basically done what I showed you with MetaMask and my browser, which can be stolen and the password's right there somewhere in my computer and it's turning into something. It's really like having a driver's license in your pocket. So this is just one example. It's getting more and more popular. The form factor is really key. Of course, our smartphones are the most common or most viable form factor for us to use. But of course, the bad guys are trying to figure out how to get into them as well. So another question that came up that you guys might have some comment on is how does the slow rollout of digital driver's licenses affect Web 3.0, and I'll just start by saying that it is a shame that we have to scan the driver's license manually using OCR when you have countries like Estonia that have had it digitized for 20 years.
So yeah, we're in our own way on that one, right? This here is something I put together to tee this up. There's a handful of the mobile driver's license is one way that hopefully you'll be able to get your digital driver's license and then use that to present a third party someday much like you walk up to the TSA agent and show them your driver's license. And they look at it, inspect it, same thing with your passport. There is a path by the ICAO, which is the United Nations organization for passports to digitize the passport. It's making great progress. Apple announced the Apple Wallet. So you can put your driver's license in there in some states, although with Apple, it's probably going to be a closed walled garden kind of thing. Of course, that's only one platform of many, so it's starting to happen and I'm optimistic about its future.
Gary Z:
I think one of the things that we have to keep in mind here when you say states are slow on the uptick for digital licenses. I think there's a couple of reasons for that, right? One is that there's all of these agreements that basically codify the cooperation between the legal entities. So if Illinois decides it wants to do a digital driver's license, it has to go and negotiate that with the 49 other states to basically say, this is an acceptable form of this. The second problem with it is how do you use it offline. Three o'clock in the morning, get pulled over because your taillight is out. You show them your phone and there's no internet. So how do you prove who you are?
So those are some problems with some of these credentials that have to be worked through and that is going to slow adoption to this stuff. But I think the idea is that they are credentials. They aren't identities and they're not necessary for everything. So for instance, the old way of looking at things. I pull up my license to prove that I'm over 21. I don't have to do that anymore because I'm an old guy but that doesn't necessarily have to be done anymore. Because you can have a zero-knowledge proof that is scannable on your phone that says, basically I can prove that I'm over 21. So there are ways to use this that aren't necessarily dependent on the institutions formally adopting this because of some of the things that I mentioned earlier.
Mike Engle:
Yeah, absolutely. Well, we're coming up on the top of the hour here. We're going to wrap things up just so everybody has five minutes for a between meeting sprint. I really appreciate you guys coming on and having this discussion with me. If you have any closing thoughts or any information on where folks can learn more about TechVision Research, anything you have come in the next few weeks or months.
Gary Rowe:
Sure. You can go to techvisionresearch.com. We do have our annual conference that is from November 7th to the 9th in San Diego and there's details on that. 1Kosmos will be participating in our conference. It'll be two and a half days and it's going to be a live event. We plan to be in person unless if things change-
Mike Engle:
Don't say it. Don't say it. We'll be there-
Gary Rowe:
I know I should not say-
Mike Engle:
San Diego. We're going to San Diego period. That's it.
Gary Rowe:
San Diego, California. November. Not a bad place.
Mike Engle:
That's right. Yeah. No, thank you for that. And yeah, of course, 1Kosmos the number one cosmos with a K, and thanks again. I'll just say thanks for all the women out there, making things so much better than that would be without you. We'll see all of you online and thanks again for your participation. I appreciate it.
Gary Rowe:
Thanks, everyone. Thanks to the team at 1Kosmos.
Mike Engle:
Have a great day-
Gary Z:
Thanks, everyone for listening. It's been great.
Mike Engle:
I'll just stick on and make sure the questions are answered, but thanks for answering all them from the team. I appreciate it.
Mike Engle
CSO
1Kosmos
Gary Rowe
CEO, Analyst
TechVision Research
Gary Zimmerman
CMO, Analyst
TechVision Research
By watching, you will learn:
- How decentralized identity modernizes MFA and delivers superior privacy and security
- How user consent, convenience and privacy will drive adoption of digital wallets
- How leveraging identity verifiers eliminates the need for passwords and 2FA putting users in control of their identity.
Web 3.0 envisions a decentralized Internet, a new generation of digital services where AI, AR/VR, and blockchain are merged to create broad new categories of Internet experiences. But how does any of this happen without first proving the identity of individuals accessing those services? In this webinar, 1Kosmos and TechVision Research took a critical look at Internet security and the need to place identity front and center to secure new and powerful services, provide convenient access and protect privacy. Why is doing this now important to be prepared for what’s to come.