Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.
Do you know who has access to what?
I guess it’s a mix of both. I’ve always been a security geek. I got my first computer when I was 12. I was messing around — I won’t say hacking into, but things with CompuServe and AOL when I was still running around high school. So, I got into this very geeky, security-like mode of always playing with computers in an interesting way. When I graduated from college, I got into distributed systems and all that, and my career morphed into running the infosec program at Lehman Brothers, back before the term CISO existed, and all that. We launched in the late ’90s. I did that until 2008, and then it went bankrupt — we’ll talk about that another time — but in that capacity, I was responsible for one of the first IAM projects on Wall Street — account management, account provisioning, before it was fashionable. I got sucked into it then, and it’s always been near and dear to my heart ever since.
Now, you’re with 1Kosmos? Other than a cool name, what is 1Kosmos?
Well, there’s a pretty neat genesis story for that name. It’s the number one, and the word, kosmos, which means “universe” in Greek. The founder — his name is Hemen Vimadalal — created the company, after having spent many years in the IAM space, for the purpose of helping people to manage their own identities.
We’ll talk more about that: 1Kosmos, one universe — the idea is, eventually, we’ll have our own identity under our own control, and you’ll be able to use that identity anywhere in the universe, which today is just on the planet Earth, but who knows? Let’s see where Elon Musk takes us. The centralized usernames, passwords, repositories and the surveillance economy of the people who “manage” our identities for us is going to change very soon. That’s where 1Kosmos, the name, came from. The company focuses on establishing identity and letting you use that identity in new ways that preserves privacy and increases security and better user experience.
That’s a pretty interesting genesis story with the one universe and how you’ve played that into one Earth at this point. One of the things we get out of the podcast is statistics where our listeners are coming from. It’s just always interesting. One hundred percent of our listeners are from planet Earth, so far.
There you go.
All right. We’ve got it covered.
It’s been evolving in my head for the last couple of years, since I’ve been focused on all identity, all the time. A lot of my history was, in the 2000s, worms, hackers, viruses and all that, and perimeter. Then the perimeter broke down and I started doing other things. Now, identity is the new perimeter. The new firewall ties into zero trust and such. Maybe we’ll touch on that, but if you think about your physical identity, you walk to an airport or you get pulled over by a state trooper on the Garden State Park in New Jersey, how do you prove to that individual, the TSA checkpoint or whatever, who you are? You reach into your pocket. You pull out a credential, a driver’s license or a passport — you hand it to them. That credential’s trusted. On that credential, you have some security features, and it’s pretty secure and it has your picture. The inspector will look at the picture, look at your face, and you’ve now just proven what your identity is to that individual.
We couldn’t do that remotely until very recently, because how do you give somebody a credential remotely and let them verify it? The only thing we’ve had for 60 years is an alternative — a username and a password. If you think about a credential being something you have that’s trusted and something you are, which is your face matching, listeners might hear where I’m going with this: We can now do a lot of those things remotely using a couple of new technologies that have evolved in the last, let’s say, five to eight years that are allowing this to be done.
My definition of a digital identity is very much in line with a physical identity, and that is a trusted credential that I can hand you. One of these that we all have heard of is a smart card. That’s a credential that if you’re in the government, you have CAC cards and PIV cards. They give you this very expensive thing, and a reader, and that holds your credential. Then, you match it up with a biometric, but we can now do that remotely for billions of users in a similar fashion. That’s the way I think about it, but really, digital identity has a different definition, almost, for everybody you ask.
That’s very personal, I think, for a lot of people. What you described there is the identity-proofing process — proving who you are, who you say you are, to whatever constituency you’re trying to do that to. This is a conversation we actually started a couple of weeks ago with Bala Kumar from Jumio, working through identity proofing and that sort of thing. I think this is something that comes up — assurance levels when it comes to identity. The differences between level one, level two, level three, and how that relates to standards like NIST. I think it’s NIST 800-63, for example, where it has some components of what level of assurance is either required or recommended for certain services out there. Can you explain what those three levels of identity assurance are, and where they might fit in the real world?
The identity proofing, it’s gotten hot since COVID. I’ve measured $600 million in investments, including Jumio, in the last eight weeks alone — at unicorn status for a lot of these companies, so it is hot because of COVID. NIST 800-63-3 is a government standard, of course, being from a government body, and it is the definition of how you prove who somebody is remotely by having them present credentials, verifying those credentials and matching them to their live self. It’s very much in line with the way we’ve proven our identity in the physical world, if I go back to that.
You need to open a new bank account in, say, 2010. The bank, because they have high levels of identity requirements by the government for KYC, anti-money laundering purposes, they need you to bring in two forms of identity — a driver’s license, a passport — and we’ll check the box. Those are very trusted. What do they do with them? They look at them. They look over the paper at you. They say, “Yes, that’s you,” and they’ll file them away or do some other checks. That is a really high level of identity assurance. The same thing would happen with your employer. Before the employer would let you pay taxes and earn money, they’d need that same level of assurance.
The NIST standard says, “Well, how do you do that remotely?” The way you do it is by introducing multiple forms of identification, verifying them, comparing the data and then comparing it to your live face. So that NIST standard, 800-63-3 — and A is the part that says, “Assurance.” There are other components that we can touch on, but that A-assurance has level one, two and three. Level one says you’re just a name out on the internet. If you’ve created a PetSmart account, that is a level-one identity. You could be Billy Bob Thornton or Joe Smith or Jim McDonald. It doesn’t matter. There’s no real proof behind it. You can put your address on some credit cards.
To get to level two, you need two forms of identity proof that are verified and what they call strong forms of identity, and there are different ways to do it, and they may vary. Other countries have their versions of it, but it’s all based on the same principles.
To get to level three, the highest level of assurance, you need a way to prove that the person holding the document is a live person. So, that’s how you get from one to two to three — it’s increasing levels of documents and verification of that. Now, if you want to go open some types of bank accounts at a neobank or a coin-based account for crypto, they will do some steps of this process digitally, and it’s passing the checks that they need to meet the regulatory requirements.
It makes a lot of sense. When you were talking originally about going to the airport and showing an ID for TSA, and things like that, the Real ID scenario that we have in the U.S. — where there’s a lot of states that do not necessarily have an ID that’s compliant, currently, with TSA regulations, when it comes to validating identity — has put a lot of crimps into the process, especially with COVID. People not having the Real ID, and you were saying, if you’ve flown anytime in the last couple of years, you’ve probably seen placards up at all the checkpoints saying, “You’re going to need a real ID. The deadline is this.” And now, it’s been extended to a couple more years.
And that’s led to a crush, at least in Illinois, where I am, where the DMV, Department of Motor Vehicles, can’t handle the surge of people who are requesting real IDs, because when you go and get it, you have to bring in your person — obviously, yourself — along with a few documents that basically prove who you are: a passport, existing ID, utility bills. There’s a whole list of stuff. And I think this is an area that would really be ripe to be exploited to say, “OK, how do we automate some of that identity proofing at the state level to be able to address some of the backlogs that people are seeing in the real world rather than just kind of showing up and standing in line at the DMV?” — which I’m sure everyone loves to do — and work through that process. I’m curious to see if you’ve seen any uptick in state or government agencies looking more into remote identity verification and proofing since the COVID era began?
No, that’s embarrassing. I’ll try not to go on a rant, but here we are in 2021, and our government doesn’t issue us a digital credential. They’ve been doing it in Estonia since 1483 — we have the Estonia e-whole thing that they do. It’s amazing. Of course, they’re a little bit smaller than the United States and most countries, and they can get it done because of their size, but they’ve set the standards. Here, in the U.S., we can’t even get the 50 states to come up with a common driver’s license or even put a digital credential on it. Our credit cards now have chips and pins on them, with NFC chips with some data on them. It’s just embarrassing.
Because of that, there’s now a $20 billion industry of people taking pictures of a driver’s license to verify them. Why don’t we have a digital credential? So, that’s that. I mean, we have a digital credential in our passports. Every one of our passports has an NFC chip in it, and that chip has your personal information on it: your date of birth, your eye color, your first and last name, and a very high-quality photo of you. Imagine if we could use that for every online transaction. There’d be no more fraud.
They’re trying. In other countries — Singapore, Australia. The Australian tax office is letting you create digital identity there, and you can now create your identity for use for logging into Australian government services. They’ve digitized it. It still involves taking a picture — they haven’t actually issued a digital certificate in a way that they should. You’re seeing it get more attraction in some smaller countries, but it’s going to be a long time because of how long it takes to get things done. So, we’ll see. In the meantime, we’ll do the best we can with what we have.
Yes, there are some technologies that can forward that, but it is going to be an arms race to some extent. Just like you can forge driver’s licenses. I don’t know how much they do that on the passport side because of that chip in there — it’s hard to duplicate or reproduce. But one of the things that makes remote proofing a little more secure is the fact that you have to interact with the camera — you’re not just holding up a projector or a picture — and you’re asking the user to interact with it in a random way. For example, in our proofing product, we will ask the user to blink or to smile, or turn your head left and right, we check for depth of field, and so you can do some things like that. Now, you put enough money and effort into it, and you could probably fool any system. There are certifications that are evolving in the industry as well to help make sure that we’re doing the best we can on that front. The lab that tests the NIST 800-63-3 standard, for example, is called iBeta, and there are certifications that you go through to get your product to the highest level that you can with today’s technology.
Yes, that arms race is always something that’s interesting. It’s cat-and-mouse. I’m interested in it because I want to make some sweet memes and GIFs. That’s my own personal interest in it. From a technology standpoint, I would imagine it’s gotten easier to do some of this proofing work because of the quality of devices that are now out there. We’ve talked about this before in a previous episode, but the jump in camera quality, resolution, the ability to do things like depth sensing with things like lidar on the new iPhones, or even if you’re an Xbox fan — the Xbox camera had depth of field when it came to being able to determine where you are in a 3D space and not just a 2D image. Those sorts of things.
I would imagine those types of technologies have really impacted the quality and the ability to be able to provide a higher level of assurance that yes, this is, in fact, more accurate, and it becomes easier because more people have access to them as the costs have come down and those capabilities have been bundled into devices in the mass market. Is that right?
Yes, there are three technologies that we’re using to move identity forward in a way it hasn’t been done before: The first is the quality of the camera — ability to capture high-quality document images and do OCR, get the image off your face. The camera is a big enabler — 12-megapixel standard, that’s amazing. Your laptop still has a 720P camera in it.
The second is the trusted platform module — inside nearly every modern smart phone and computer is a separate chip outside of the main memory and CPU that is made just to keep information safe, because if you keep it in the main computer, other programs can get at it. This TPM is a safe place to keep your digital credential, your private key, which is the same as the driver’s license that I used in my earlier example — bridging physical and digital together. Two things: camera and the TPM. Now, I can give you a credential, something you have, and I can verify your face or your voice, something you are, and put those together. You’ll notice I didn’t mention the word passwords in either of those to prove who you are.
Then, the third is modern cryptography to keep it all safe, secure and easy to share. We leverage blockchain technology to keep your credentials safe. As you all know, crypto wallets, cryptocurrencies — when you have that private key, nobody can get it. Otherwise, the entire cryptocurrency market would melt down. If it’s safe enough to keep a $220 million wallet safe, it’s also safe enough to keep your identity safe. So, you put those three things together, it becomes a real enabler to prove who you are in a safe and secure way to remote systems that need it.
You know, one thing I always like to do is bring things back to a real-world example: My first experience with the 800-63 was, I was doing IAM consulting, but for a university, and the InCommon Federation has an identity assurance profile framework. One of the cool things about that university context is that most people go to a place — i.e., a campus — and they can present some form of identification. Essentially, they’re doing the whole process that we talked about at that manual level. But with COVID, with remote learning, satellite campuses, things like that, it seems to me that that’s also an industry that will be ripe for this type of technological advance in identity proofing.
Mike, we titled this episode “The Intersection of Identity Proofing and Passwordless,” and one of the things we wanted to get into, obviously, was passwordless. How does that work? Do I still have a password, or am I truly passwordless? How would an organization go about implementing passwordless technology?
Yes, that’s quite a loaded question, but it actually is simpler than it sounds. When people think passwordless, they think 2FA, or getting a code or using some type of a token. And there are ways to get rid of your passwords with other things that can be stolen. Our definition of passwordless is using your identity to authenticate, instead of a secret, or knowledge based. Again, going back to your identity, it’s that private key and your biometric.
One of the most common use cases is your web-facing system. For example — you wanted a real-world example — instead of a username and password on a login screen, we put a QR code. That QR code is a way for your handset, your mobile — which has the key and can interface with your biometrics — to start a conversation remotely. Scan the QR code. It says, “Can you sign this and send it back to me, and start a secure exchange?” That’s it. You engage with that system remotely, scan the QR code, prove your biometrics — you have now proven that you have your private key via digital signature and that you have your biometrics, and basically, you’re in without even touching a keyboard. And there are other ways to engage with the system. You could have the message be sent to you via push, and it could be stepped up in different ways where you ask for biometrics along the way.
We have seen a lot of progress in remote access and a lot of interest in that for corporations and for the onboarding of new customers as well. That’s where some of the low-hanging fruit is today. The goal there is to simplify the user experience and prevent fraud. We’re seeing that being leveraged by SCAs — Strong Customer Authentication — on the payment side, and things like that.
I guess it’s one of the few areas where you can actually improve security and, at the same time, improve the user experience. But just from the standpoint of geeking out, if you have, let’s say, the enterprise use case scenarios, you have your workforce where you’re connecting to, potentially, hundreds of systems, and some of them are cut over to go passwordless. It could be in the cutover scenario, or it could be the SM systems that are so old, they’re not worth retrofitting to use passwordless technology. If they’re all connecting back to a common user directory like Active Directory, is there still an underlying password that the person would need to know?
In any system that’s architected with passwords in its central store, Active Directory, they still exist. The goal is to get the user to use them as infrequently as possible and, ultimately, to get rid of them altogether. A common path — we call it the passwordless journey — is, you pick two or three systems that are kind of the 80/20 of where the most interaction is with the users. In any Fortune 1000 company, that’s your remote access, VPN, VDI, Citrix — coming in the front door — and then, as you hit the operating system, Windows or Mac. If you solve those two, and then combine that with your SSO system, you really are solving password challenges for 80% of your interactions with the user.
That means they’re not typing in their Windows password 15 times a day as their workstation locks. They’re not changing that password every 90 days with a new 16-character password, and, of course, there’s the security side benefits — there’s no credential to be stolen. But to your point, what happens when they hit that HR system that was built 15 years ago that still logs in with the legacy AD username and password? You don’t even know where the code is for that anymore. For that, the way we tackle it is, we let the user reset the password on demand by using their biometrics: “HR system, I need to change my 401(k) contribution. My username and password? I just spent 72 days not typing my password, and I don’t even know it anymore.” So, they hop up, they go into the app, they scan with their biometrics, they type a new 16-character password in, hit Enter, and then go to the website and type it in, and they’re done.
It’s not perfect, but it’s far better than calling the help desk or writing the password down on that 72nd day to go use it. Really, on demand, when you do need it, you can just push a button and have it reset in the same trusted way that you use to authenticate.
Yes, that really is an awesome real-world scenario, because I see myself doing that living in the nonpasswordless world — going to that once-a-year tax website, and you’re like, “I’ve gone here for the last 10 years, but I could never remember the password.” I’m wondering, in the original scenario that you brought up, the external website and single-sign-on systems that a corporation has, does a password solution like yours replace that SSO system or work in conjunction to integrate with it?
While we do support single-sign-on protocols — your SAMLs and OIDCs, etc. — we are not a single-sign-on platform that’s designed to replace your Oktas, Pings, Azure ID, SiteMinders, ForgeRock, etc. They’ve got very robust, deep integrations across the enterprise. The challenge they have is, they still need to use a name and password to get in the front door. When you come to that SSO system, you put a username, you put a password and then you do 2FA. You still have that same vulnerability of a username and password, and an interceptable code, and you have the user friction.
What we propose is, let us be the new IDP that sits in front of that identity provider, because we have a strong proofed identity — your identity assurance level two as per that NIST standard. Now, you know that when you go into the front door of your SSO that I have digitally signed proof that I’m the same person that gave you the driver’s license three months ago, and we can cover the systems that they don’t — no SSO system out there lets you go single-factor passwordless into Windows workstations, for example. They just haven’t touched those platforms, because they still rely on a password at the end of the day. We can touch the half dozen key systems that they don’t and help them with their journey to do SSO downstream, and it’s very complementary, and we work with them every day.
You mentioned blockchain earlier. I’m curious how you see blockchain and decentralized identity in general. How has that evolved the IAM landscape over the years?
How much time do you have?
Uh, let’s say we have about five minutes.
1Kosmos, the genesis story — take your identity anywhere and use it anywhere in the world. Going back to the company’s origins, that is the long-term vision. The principles around blockchain-based identity are embedded in two other standards that we didn’t talk about today. One is from the W3C, called Decentralized Identifiers. You can think of that as your White Pages entry for where your identity would live in this identity fabric that’s out there. So, W3C DIDs, Decentralized Identifiers, set up that fabric, and there is an industry initiative via the Linux Foundation — everybody knows Linux — which sets up all kinds of open-source projects, called Trust Over IP. We made a Trust Over IP-compliant Decentralized Identifier.
What that means is, all the work we’re doing today to go passwordless and have that public-private key pair in the future will allow your identity to be portable and taken with you, which is what the goal of a Decentralized Identifier is. At the heart of that is a distributed ledger, which writes the audit trail of who’s accessing what systems and so forth. So, it’s definitely out of the scope. It could be another hour-long podcast on where the decentralized identity industry is going, but it’s gotten a lot of major momentum. You’ve got big names behind it: IBM, Microsoft, Accenture, Samsung — they’re all participating in these new decentralized identity frameworks that are out there, and that is the future of identity that will let it go across industry and even across country in a digital fashion.
The second standard, which goes hand in hand with it, is called W3C Verifiable Credentials. We use Verifiable Credentials to let somebody get industry or personal certifications and put them into their digital wallets. So, which school did you go to? Here’s a digital certificate to prove it. Do you have a COVID vaccination? Let me issue you that certificate, and that certificate makes it really easy to share your identity attributes in a privacy-preserving way. That’s the future of identity. It’s what gets me excited — I spend probably 20% of my day working on those future initiatives with industry associations and so forth. So, thank you for asking. That’s where we’re going.
Mike, I’m wondering: With the blockchain, is it the technology that enables what you guys are doing, or is it just the path you chose to build your platform on? In other words, would there be a 1Kosmos solution without the blockchain? Would that even be possible?
We are blockchain-agnostic. We’ve chosen to build ours with a particular set of technologies, but it’s an abstraction layer, so we can run on Ethereum or R3, etc., but it is a very powerful enabler because of the reasons I stated earlier. When you put that private key in the user’s hand, it’s undeniable that the cryptography behind blockchain is very solid. There are other ways. There are people that say you don’t need to use blockchain. I don’t know if they’re using a centralized database. Some people just keep it on the phone only. What happens when you lose your phone? You start over.
The combination of those two, in my opinion, is the only way I’ve seen that’s really viable. And again, Microsoft, IBM, 1Kosmos, Accenture — just Google any one of these companies and the word blockchain identity, and you’ll see these entire practices spun up. We’re not the only ones to think that way, and I think it’s going to be a continuing trend to put those two technologies together to keep user data private and in control of the hand of the user.
Is the idea like, I would have a wallet, and in my wallet, I would have a driver’s license — in other words, an identity issued from the state of Georgia and a credential issued from Rutgers University, where I went to school, etc. — because that’s how it sounds to me.
The way we’ve architected it is, your private key is in your enclave in the TPM of your phone, and as you’re enrolling credentials, you encrypt them and put them into a blockchain-based file system. We don’t write any PII to a public blockchain. We use blockchain as a private permissioned mechanism to keep data safe behind the scenes.
Where the public ledger would come into play is where you could say, “Hey, world, here’s my public key if you need to get ahold of me,” much in the way PGP works, presenting a secure email — you have a public key that’s out there that anybody can use. That public-private key pair is the enabler. The private blockchain keeps the data safe, and if you ever need to make sure your data can never be read by anybody, you just destroy your private key. Much like you could throw away your cryptocurrency wallet if you wanted to. Again, it’s an enabler that — there are other ways to do it, for sure, but it is the leading way today.
Mike, you’ve been really gracious of your time, and we probably want to start to wrap things up here, but before we go, any final words of wisdom, Mike, that you want to impart upon us?
Any IAM fans out there, the passwordless journey is one step at a time. There’s so much going on in the space. It’s hard to know which way is up or down and who’s telling the truth or not, but anything that you can get your hands on and play with, it’s very easy to prove this stuff out. I’m sure there’ll be a lot of geeks out there like me that get their hands on it and log in to their corporate or personal mail without a password for the first time, and that’s when you become a believer. It’s like that first time you use Apple Pay — you’re like, “Oh, I get it now.” It’ll be a fun journey for all of us in fixing the problem.
I can’t remember the exact quote, but something that’s technologically advanced is almost indistinguishable from magic.
Magic, that’s right.
Yes, exactly. I totally butchered that, but I think you got where I was going with it. Jim, what about yourself?
Like I mentioned, I’ve been obsessed with ransomware lately — as I think a lot of the world has. If you’re an IAM practitioner out there and you’ve been wondering, “How do I get funding for my IAM initiative?” I think that’s it. It’s ransomware, because executives — nontechnology and technology executives — are quaking in their boots right now on “How do we get our arms around this and not be the next big victim of a multimillion-dollar ransom?” Folks, the information is out there. Just do a Google search on “ransomware tracker,” or look at some of the recent ransomware attacks and follow the links, and you can educate yourself pretty deeply in a couple of hours, a couple of days, and it’s interesting reading when you get into it. It’s almost like a spy-versus-spy novel.
Thanks, Jim. Good points there. I think how you eat the elephant, walking on the beach: one bite at a time. That’s probably where I’ll leave it for this week. Mike, thank you so much for your time. I’ll have links in the show notes to connect with Mike on LinkedIn — go to 1Kosmos.com so you can learn more about what they’re doing. With that, we’ll go ahead and leave it for this week. Thanks, everyone, for listening, and we’ll talk with you all in the next one.
Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at Identityatthecenter.com.