Mike Small, KuppingerCole
Ian Glazer, salesforce.com
Dr. Michael B. Jones, Microsoft
Christian Patrascu, Oracle Corp.
Daniel Raskin, ForgeRock
Don Schmidt, Microsoft
So I was asked to give this talk to introduce on the risks of social login. And it seems that the marketing people love social login. And first of all, what do we mean by the social site?
Well, I think it's really obvious. There are all these different sites, which allow people to contact their friends, to collaborate, to try and further their careers and to find out the history of potential employees.
Now, there's been an awful lot written about the risks of the use of social media. And I think that in the identity and access world, we have been very poor at protecting people from themselves that we seem to have always been concerned about protecting the enterprise from the malicious person, but the drunken email, the mental, the amount out photograph, which can come back to a point is, is, is a major problem. But that's not really the point of today's talk.
Today's talk is the idea that for one reason or another, you are being invited to one come to a consumer website, or even onto your enterprise using your Facebook logo. And I say your enterprise, because I came across one story where this was an organization where the employees had to sign on once a year and only one. And of course they never, they never could remember their credentials. So eventually the organization said, well, it's okay. You can use your Facebook. That sounded interesting. That's brings forward the general question, you know, who are you?
And what is your per when you actually use web? But the key thing about using this is it is another example of a situation where if you use it, you are trusting someone, you are using it as the consumer of it. And you trusting the identity is going represent you properly. And it's not lose your credentials. If you are the organization that is accepting, it rely then trusting. That is now what why people say it's because it gives a great increase in the, the end parties. All people that they're doing, people are more likely to actually sign on with their identity.
If they, if they're Facebook supposed to reduce the number of password resets and things like this. So there's a lot of reasons that, and in fact, Facebook started up by publishing all kinds statistics, which have been supported by other kinds of, of organizations promote that kind of thing. See space.
Now, in fact, this is an interesting example, came from forms, which is how a Japanese company is using the information that they can glean from your Facebook identity in order to target the product that they sent me. So they are looking at things like interestingly, they said your life, and you said you got pregnant. Are you married? Are you all beret? Like me?
You know, are you, are you a child? And what have you been saying on Facebook? What have you been talking about? And what about your friends? He knows about your friends and birthdays in that it will actually send you HS to find out, to buy presents based on what's found out about the interest of your friends. This depends upon you trusting they're doing now. The next question that people have said is a benefit of the next benefit forward is that it's supposed to reduce the number of password resets.
So there's, there's a login, provide this company mail check, which I not person can see log that. And they were persuaded this Facebook and Twitter log. And they noticed that after they had put that on the webpage, the number of password problems went down. And if you read the book, what actually happened was that the, the business part of the organization, didn't like the way the website looked after they put Facebook, told them to take off. There was a big argument in turn, which said, it's going to increase the number of password resets.
But anyway, so they did some careful analysis and it turned out actually after they put the Facebook logo, but only 3.4% of the people that were actually using them. And so the conclusion they came to was that the reason why things was that the, the way that they had redesigned the website in order to, to, to put the Facebook had actually improved the usability of the website to such an extent why the reset were down. So that's an interesting if you will, rebuttal of the idea necessarily password reset. Now.
So one of the things is that you don't actually, you, you still rely on the, the verification by the identity provider of you as the individual. And so you are putting yourselves in their hands in terms of the extent to which they verify your identity, the extent to which they check your identity when was done and whether or not that is all available, whether that identity services event. And so there's been a lot of stuff on the websites in the US about some situation where there was an error in Facebook, which made loads of people have to re-certify their identity to, to Facebook.
And this apparently occurred was a critical time from the point of view of eCommerce, which wasn't just before this Black Friday follows the, the, that Thursday in November when everyone buys their presents. And so that's perhaps some of the things that you need to carry.
Now, one of the question is if you are an organization that decides the use Facebook as one doing, you know, to what extent do you open yourself up to competition? So this graphic sort of shows that what happens is that you want to go to that. So you log on via your social network. You so function was okay, but in fact, the, the, the social network almost certainly survived by sending its its space to advertisers. And those advertisers are providing information about the products that they, and so Facebook may have decided getting funds. You are interested in those products.
So what happens is that unexpectedly view going to get, which may in fact, tempt you away from the website that you were going go to. So that is one of the prices that you, if you use this identity provider in order to identify and sure the credentials, so perhaps I think what people really want and anyway, who is it?
And I, I was going to say, I'm here. I know that my wife is going to use my online grocery account to buy the groceries. That when I go to various stores, they offer me free wifi. But only if I give away my shoes in and all this can show. So of course, what do we do? We invent personas that don't exist, satisfy the criteria. And that one of the big problems is multiple identities that you may quite tell more than one email address, more than one identity that you use.
My wife, when I asked her to set for email so that I would stop getting all the emails coming to me. Cause I was for she, she created a lady's name on web, and I was really quite so because short after that, we started, we started to get all of these emails, all of these physical post to this name and this name doesn't exist. People think there is some of that main within our address. And so the problems we know who you are. And one of the benefits that social is an assurance because people don't, we, we are.
So if you are using it, the, the, the risks that I be talking about are you have to have trust in the provider. You have, you put yourself in the hands of identity in terms of the service availability, because your customers are known to that site. They may redirect advertising to your customers. It's in competition or your customers identity may be given to other people that are your competitors. And then you have all kinds of privacy issues that people perhaps aren't very, because they didn't realize what they're do want, what they're doing by the, so what can you do?
Well, one of the interesting things is that standards are an important issue because certainly if you were to connect yourself with something that's using a proprietary standard, then everything you connect with, you have to have, you have to have different standards. So there's a lot of things happening in the standards area. And it's good to say that if you will, SAML, the foundation of all this, is over 10 years already. Now OpenID has moved on and has become adopted. We've got OAuth as well. And there is now an interesting new initiative.
That's come up, this FIDO Alliance, and I'm just going to say something about Alliance. Cause in company, we are wondering whether FIDO and the ability to connect this with a device of your choice, rather than a, rather than a website of your choice and support this with strong authentication, whether this is going to sign the guest for, for the use of social media. And it's interesting that PayPal did this deal with Samsung regarding the new Galaxy five, which automatically includes this burden to do fingerprint authentication.
So that's, that's an interesting question in moment. I hope you'll get our panel to start to look at some of these things. So in effect, we've talked about some of the risks. What you can do about them is you can think about whether you want allow each or not. That if you do allow it, you need to choose the right provider for the kind of audience. And there acceptability that. It's a good idea. If you're going do that way choice and prepare yourself for all the dreadful things that cannot, and they could lose people's credentials or service could not be available.
And if they lose credentials and they're stolen, then you might have people fraudulently buying things from you on the basis. They are someone and last, not least is questions of privacy. So that's my introduction to the subject.
What I'm going to now is to ask panel following, Okay, This is chair here. Some microphone I'm introduce, we will open up.
So the in, can you
Ian Glazer, salesforce.com. I work with the identity product management team. In terms just maybe briefly on social mobile. It's something that is not surprisingly primary concern for us, mostly because our customers want to service their customers, whether it's a sales process and support of an ongoing product support, service management, or even just marketing. So they give us a lot of requirements around what they'd like to do in the social. And that naturally leads over into the global setting as well.
Thank you.
Yes. Good afternoon.
I'm Don Schmidt from Microsoft Corporation. I'm a principal program manager, which is a design position. So things like cross across and services, things like this, our products that I've designed and led development over the years. And if you think about those, they had two things in common. They were about a user somewhere over there that enclave, and they're trying to authenticate these some things over there, but they were all pretty much on premises. So which meant that they were pretty much about employees or business partners.
So now what I work on, I work with team Cameron on business-to-consumer, government-to-citizen type services where we're trying again, the thing is AAD, our Azure Active Directory, is about, you know, the employees of our customers and the services that we're bit adding to extended are about the customers of our customers.
So making it easy for people to log on with something that they remember, but making it secure enough, such that the, you know, identities are not stolen or misused or appropriated any way, the possibilities of using social logons and phones and the various combinations are all part of what we're building. It's all very intriguing topic. And I think we should have, but
Yes. Hello. My name is Christian Patrascu. I do work for Oracle for management. I've been with Oracle since 2001, and I also agree that it's a very interesting topic. Actually.
I would like to share an anecdote with you all about the social login topic. It was 2011 when, when we presented that first end of the year. And when we showed this first two customers, the feedback that we got, and it's all about the risk that we, we, we spoke about earlier was okay, I don't need that. I won't trust Facebook. I don't need this social login.
So I think we, we, as a vendor back then also made a big mistake about how to position this thing, what what's the value about it, and especially what are the risks associated with it and how, how do I deal with the risk deal with the risk and was a good learning exercise for us. So, no, it's, it's, it's not about trusting Facebook. It's about making it easier for the user. And by the way, it's, it's mobile and social. So it's not social alone. So it's mobile and social and very expanding to artifacts. And through this week, we can deal somehow with the risk keyword strong.
So it's a pretty important topic. And also for us, a good learning exercise and the only thing which, which I feel it, it belongs to bigger pictures, not such social login. It is mobile and social, and it has multiple facets to it exactly to deal with those risks
Microphone protocol. That's right.
So I'm, I'm Daniel, I'm with ForgeRock. And ForgeRock's very much focused on customer-facing identity.
So, you know, when we talk about social and mobile, we're, we're thinking a lot of this in terms of relationship and use cases. And so to kind of echo the point that just mentioned, you know, we really have to think about this, the context of the enterprise in relation to the, you know, mobile device, mobile device, the social identity, all these different combinations of things. And in the end, it all fits into a broad business strategy, particularly when you're focused on the, the customer facing side. So it might be how you drive revenue.
It might be how you are more agile in delivering your service more effectively. And so, you know, we, we spend a lot of time talking about how to build platforms to do this in the context of those use cases, thinking about it from the context of how to drive that top-line revenue or help the CIO achieve more of what they're trying to do to serve their business.
And, you know, we look at the, the operational cost piece as well in terms of cost savings and things like that. But to us, this is a hugely critical topic. And we see it coming across, you know, companies trying to enable things across set-top boxes, cars using social login friction. And so context, context is the key.
I'm Mike Jones from Microsoft. I actually have a related but different role than Don, which is where I think we're both on the panel that I work on identity protocol standards primarily.
So I worked on OAuth 2.0, I've worked on OpenID Connect, which finished earlier this year and some of the cryptographic underpinnings underneath it. I also serve on the board of the OpenID Foundation. And I won't go into it now until Mike sets me loose, but I actually have a diatribe to give on why you want to use third party login.
And my, you you're actually reducing your risk by doing that well, very so if you're particularly a small business or an organization setting up a site, and you'd like to have users have a persistent relationship with you, you sort of have a choice and that there's a spectrum of what you've seen. You can either run your own username, password database, and I'm sure whatever development tool you're using will give you basic login capabilities by doing that.
But unless you are in the business of it, administration and security and all of that, you're doing something that's not in your realm of expertise. And there's some possibility that your accounts will be compromised and things will go horribly wrong later for some number of your, your users. And it will cost you money or cost you customers. Whereas there's a small number, but within each jurisdiction of the world, a few, usually very professionally run identity providers that are doing things like doing dynamic risk analysis.
You know, when I went to log into one of my sites, when I got to Germany, they started asking me questions because I hadn't logged in from Germany for quite some time. Your out of the box user name, password package is just gonna ask you the same question, whether you're in Belarus or your home country, if that's Belarus, and there's all these behavioral analyses looking at blacklists and whatnot, that if you're using a Microsoft or a Google, or yes, even a Facebook, they're actually doing a lot to defend the accounts.
And you can leverage that by choosing to use third party login, or you can take all the risks yourself. Well, that, that's an interesting point. And so really you are putting forward the idea that that for a lot of organizations, money entities is not called the business. So you really just want external identity. So if you're Belgium government, if you, it could be bank. So to give their opinion, though, I think it's also about the beauty about it. It's also giving the user a choice, right? The user has a choice.
You can log in, you have the normal way, or you can log in via Facebook, Google, or the other identity. I think also the user needs that choice. Right? Nowadays I it's really funny also on a mobile device on some apps, if I don't have the option, right. I simply de install the app immediately. Right. I won't use the app because it's my choice. It's easier for me this to social login. I think you made also a good point with, with okay, how to deal with the risk, right? So the user has a choice, but also the business then has also a choice to make, right.
If I'm coming through Facebook, the authentication Analyst is pretty low and I need some perhaps forms of strong authentication. So from, from the company perspective, then it's the choice of, okay, what damage can the user do? And after that, can the, is the real damage, okay. Then I perhaps need the strong form of authentication exactly. To protect that risk. So first authentic. Yes. There's at least two, probably more we can go from here.
You know, we could go on further about how to use mobile than to improve the identification of the user. That's one. I would like to jump to a slightly different one, the privacy of the user for a minute, because good case has been made and I support it.
You know, social ID reuse is a, is a nice way of bootstrapping things for the end user and providers, all of them are doing a lot of work to protect the account, but now let's be honest. They're not doing it out of the goodness of their heart. They may be doing it free only because we are not paying a whole bunch of people with advertising. Budgets are kingdom. And so they're selling our behavior, our information, our attributes. And that's the part of the equation that I think deserves some special attention.
This is, and by so one way, a way we're working on it. And I know others by intervening a cloud provider with certain capabilities between the eventual relying party and that social IDP, you can block the tracking. So you said something, I think it's within the space of less than an hour. I've heard two people say I was doing something and suddenly I got this advertisement for something I might like to, I didn't really want that.
And then the last gentleman said, and perhaps if it was less than nice, I would really like my wife, not suddenly see that advertisement, your mind can run, whether it was fair or not. Things come back.
Your, you know, the default information that comes from most of the social IDPs is pretty rich in describing. And maybe all you need is the fact that you can authenticate is the same user, the same dog or the same anonymous person every time. So one of the things that we need to add onto social is a way to restrict them from seeing every place you're going with those logins. Otherwise it just increases the, do they have of our behavior and the ability to sell targeted advertising too. So that the privacy aspect is a big piece of the thing.
I, I won't go into a lot more. I'll just say that there are, we could do simple things like simply being an intervener and saying, I will take that authentication and I will present it over here. And I won't tell you where I went. It could be that simple or all the way. If you look at companies like IBM and Microsoft, there, others, those to the main ones who have privacy for technology, they can take things like explicit claims about date of birth and produce an anonymous claim, a range claim. This person is over 18 or over 21 or over 65.
So there's quite a range of privacy things that can and should be done on top of social. And that, that really raises question of, of what you, what you started talking, which is who's, cause it becomes the lobby. Can't get advertising revenue
At the same time. Now you see Facebook anonymous login, right? So now you have Facebook saying, well, we can connect, enable apps to connect and use essentially an anonymous assert credential. Okay.
So, so that's interesting, right? So they're actively throwing intermediary in ible, but you know, there's, we have to think about the threat model and for whom are thinking about, so the individual, they worry about the identity provider and they worry about the evil service provider. So we've got sort of two foes to think about. The enterprise is say, well, I'm kind of in cahoots, somewhat in bed with the IDP to some extent, because I'm maybe a only selected view of them and what the IDP does to their identities isn't my business. And I'm gonna do whatever my business is.
And then you have government and other intermediaries, they're saying, well, we'd like to impose constraint about how service providers can behave as well. So I think there's a couple of different touch points about how we want to think about what things we want to attacked. But I think we all agree about putting up one consent screen that says, I consent to use this, you know, the consent screen with a really wide scope, essentially like, yep, I can use social connection. Did you literally everything my API stack can enable. That's not sufficient, right?
And it's not sufficient because the end user doesn't know what they're getting themselves into. I think end user's actually pretty smart, but they don't realize that everything means everything. And as an enterprise, it's not particularly great either because I like to do things a little more fine-grained. I want to tailor my service. So as you spend more with me, the experience changes, which may be different aspects of my mobile portal and other things. So we do need to think a little bit about if the authentication event is your proxy or authorization, you're doing this role.
You need to think a lot more about where decisions made about what access happens regardless of that social login.
I think the, the other piece I'd add maybe a little bit different from the privacy piece is I think this is a board level topic as well for the CEO. So when you're talking about this in the context of extending reach, I don't think there's any question that to be competitive today, to, to differentiate yourself from your competitors and to, to stay relevant, that you have to leverage all these different types of socials devices, things, et cetera.
And there's kind of a contradiction there. So on the one hand boards are saying to their CEOs, get that reach, drive revenue, get more engagement out there yet. If there's a breach, they're at risk losing their jobs. And so I think some of the points that were hit about how you leveraged the technology in a smart way to protect yourself, leveraging the adaptive capability is a great the O two and oof two and connected rate. But it's all just a beginning, right?
If you think about where we are from a standards perspective, it gives you the ability to the authentication and have an OAuth token that you, you still need all of these other capabilities that we traditionally needed in the identity world. How do you do policy tied to these things? How do you actually do attribute sharing and profile? What about password sync or, you know, other areas there, you know, there are other pieces of, well, of the stuff that Ian and folks at Salesforce are doing Salesforce connect.
We create a really interesting way to kind of simplify and make it easy for people to manage the identity from the, the enterprise directory that still, you know, have the provision and password synchronization authentication to the clouds that it eases that ability to get out to the cloud. So there's a lot of ways to skin the cat, but I, I also think from the technology standpoint, there's still a long way to go and beyond the standards where they're today and the discussion on boom, what's the next place we're going to actually take this to a deeper level.
And it's that next level for me, that I think really is what shapes, how you actually drive value through relationships. So I think we're just at the surface level we're providing access, but now we need to start doing more interesting things with identity until your point earlier. I think identity is critical to the business, not something that they want to outsource for certain use cases for areas where it's core to the services that they're offering to as their differentiated business offers, you know, identity on the employee side.
I think maybe you'll see more of the S and the one logins and folks like that, stepping up and outsourcing, but you're not gonna see Toyota outsource how they handle identity between authentic car to my Toyota. Yeah. So you were raise the point there about standards. You raise a claim two, perhaps.
Could you just say, I mean, why is maybe everybody, if you could give a two minute say why look at
OAuth 2 is designed to authorize access to resources in a controlled way, in particular, in a way that doesn't involve handing your password to the resource off to the third party, that's trying to access that resource. It used to be, if you were going to use, say a photo sharing site and you wanted the photos to be displayed on another site, the way that would work is you would give your password to the photo sharing site, to the other site. That's bad. OAuth solved that. That's good.
OAuth does not provide identity for the end user. And there have been some ad hoc mechanisms that have been built where they assume, oh, if you have an access token, which is an OAuth construct to a resource, you must be that user. This has resulted in a lot of identity fiascos, shall we say, every time. OpenID Connect is an extension to OAuth that adds an actual cryptographic assertion about the identity of the party that authenticated, in addition to having resource access.
So you both know who in a principled way, and you can get access to what and they're distinct, and that's the main thing that OpenID Connect adds to OAuth. So if all you're doing is giving some piece of code access to something without caring who it is, OAuth is okay. And there's use cases. That's fine. If you actually want identity, you want to use Connect.
Thank you. Thank you.
The, the big question that, that everybody get to say something. Well, I'm trying to figure out one thing that my colleague said, I agree that Toyota probably doesn't want to outsource the authentication of its car airplane.
You know, when is the authenticating, device's probably something going keep in their network. But I will guarantee that I have, I am actively working within one or more representative of every market segments, you bank automotive cash and oil banking, healthcare, wholesale retail, you know, insurance. They definitely want to outsource the, at least the password reset pain of identity management of their consumers. They want that out monkey off their back. So just no two ways about that. We should understand that they don't want to do it anymore, but they want to do it.
They may want know, some of them may be very considerate of you and not be trying to glean everything out of your social space. Some may want everything they can suck.
I mean, they can vary. I think that you will find that there are enough of them who are willing to say, I want to make the pain go away. I want to make it easy for my users to log on. And I'm willing to behave in a professional enough way that I get your business and he doesn't get your business. Now he can be the, the data mine monger, and I'll be the nicer kinder, you know, sorry, you know, is that I think we're gonna have a certain shakeout in the marketplace between, so, and it goes, and I'll just to finish and say, who's going to pay for this.
Well, I know who's proposing to pay us. And it's the relying parties. It's the service provider, because so far, our entire industry has been built around providers. They may not get paid, but they have all the coins of the realm. They have everything, they know everything. They see everything and a new day is here and it's got, got to benefit the end users and the relying parties. And it's the relying parties are gonna pay for.
And, and let me say one thing quick, in terms of the auto industry, Daimler has gone on record saying that all their customer facing logs are going to be based on open ID connect. That's not authenticating systems within the motor vehicle, and it's not employee identities, but the customer facing stuff, they're just moving people to the simple open protocol Wants To share one, one good experience of the customer of powers.
I, I agree that perhaps too, I might not look into that, but the state in the us, they have a Porwal 6 million users and actually 6 million users is a big reliability. So they would be happy perhaps to outsource that. And guess what the single sign process is the process that people try to pack most, right? So it's also something which those guys are willing to perhaps think about outsourcing. So while Toyota's not there other companies might be There, I guess, just to respond to that question. So that's actually a couple of good points there.
One, we need to look at the use case. So when you move to Mr. Facing internal, and you're talking about we're architecting systems for 80 users, users, the system has to be optimized to support those types of transactions. I can speak from experience, I guess, in terms of, for drop as a vendor, we see Oracle often and some other editors often I've never seen an I, a vendor actually bidding on the same time customer facing deployments that we're doing. I shouldn't take a hard line.
You'll never see outsourcing the vast majority, if it comes to in insurance portal and how they actually provide access. That's, you know, we're talking to the CEO and themselves, we talk about government portal or Canada doing Belgium.
Portal, you know, those are the types of scenarios. And it's just, just, I think the other piece is the level of capability that's needed and customization that's often needed is quite critical. So when you look at the traditional architectures that were primarily built through for that employee-centric scenario, and often put together through acquisition architectures, you start looking at different perspective. How do you do the, do you can't have a different API? I can't have a different set of documentation. I can't have different UIs to implement a mobile offering for my, my service.
And so it's kind of this interesting dynamic we sit between. Cause on the one hand, I'd say on the SA side of things, things are still pretty simple in terms of what they offer from an identity standpoint. I think there's a lot of innovation happening there to get more complex around the policy and things like that. But on the other side, you have the extreme on the, the vendor side for traditional identity providers, you have these really complex portfolios, positive product.
And so when you start thinking about rolling up your services and agility, and you need to support what devices we need to do, social login, you need to actually start thinking about policy and sharing attributes. It's quite a complex piece of One of the things we talk about tensions.
You know, another one is especially around social use, maybe not so much normal. We could the conversation that, but on the social use on one hand, you have retail studies that show social login reduces shopping cart abandonment on online stores, some phenomenal amount, 1925, something like percent. So it's a real, wow, this is lost because people are abandoning the sales process online because the checkout process is miserable. Okay. On the other side. So someone says reaction is, well, great.
Let let's use social log, but there's, there's a risk here that iden that we as identity professionals, don't see, but, and here it's interesting. The other kind of identity professionals sort of create this of people that manage brand.
They see, they say, well, hang on, you know, I'm this online retailer, why do I want to put an advertisement for someone else at the very point where I want euros from, why do I wanna put login with Amazon on my retail site? Why do I wanna put Facebook on my site, my brand in order to work with our customers? And so we've heard from more than one that I've said of our customers said, we love the concept of third party credentials. And thank you for making it easier for us to do.
However, we struggle with brand consistency. We don't want to be an advertiser for a potential competitor. And so we have this interesting tension where we, as the protocol along select yep. Gotta cover no problem. And then we step up into the board level back to Daniel's point. And it's like, well, hang on a minute. We're advertising who at the moment we want their money.
Oh, that's a bit of an awkward moment. So we have this other kind of tension, which is we want to facilitate ease of use and a variety of ways. And yet we want to have brand consistency when we're actually servicing our customers.
Now yes, they're Facebook's identities. They are our customers and that's their intention. So there's, there's a couple of points that have come up, which first of all, in a way that's a group of identity provides growing of around mobile phones. Cause the mobile is the second you've got your, so is, is in any phone providers, they really are all trying to think of how they could get these revenue. And then the second thing, draw the question.
Well, so where do we fit? These interests, the standards for, you know, identification, you know, for this kinda thing.
So, you know, you know, would it like to look at those two questions, some comments on, So just quickly we, our time going flow kickoff, just a couple of thoughts. So, you know, we're all familiar with yes, a variety of these, you know, the press pound to continue as simple as because of a phone number. And so there's the simple thing of this as just as authentication device.
And then there's on the other details of maybe specific things about it, whether there's in crypto cryptographic, keys, download or specific Mac device, etcetera, but there there's something else I just want to throw out. And then I want to pass the microphone along is when you think about the standard protocols today. So whether it's SAML or JWT or whatever, you know, at the end of the day, what do they produce well to the geeks that produce what's called the Barto. This is Barto buy. So on the floor, the first one, you picks it up and spin it. Okay.
Doesn't, it's officially signed, it's authoritative, but it's not mine as soon as you grab it out of my hand. So one of the fun things we've been looking at with these devices is being able to issue a signed token, which has value and can be proven authority, but bind it to this device in a way that I can't give it to you unless it's released from this device. And then the next thing is, and, you know, NFP, if I, if we're offline, whether it's a sales or it's a first responder thing, I can tap the device, the whole network's down.
And meanwhile, I can still transfer to two things to you, something that has this value to you and you can prove the authority it came from. And I proved I released it. So there are a lot of things I wish we had another hour and a half to go into. Yeah. Yeah. I think it's a really interesting question because it really leads to where is all value. And I think the, the huge opportunity and the scary part is that it's just gonna get more complex, right?
And so, you know, you start to think about all the things that are happening with liability and you to internet things and more machines, machine communication. And you have scenarios where insurance companies now want to consume the data from, you know, the automobile provider that make, you know, decisions about policies and certain regions, all kinds of policy issues, privacy issues that come up.
And so, you know, we need a repeatable scalable way to do all this stuff, but again, it comes back to, you know, having a holistic view of all the different identity services that provide in the traditional world across all these devices, not only doing in online, but also for platform scenarios. So it's interesting. The world's gonna be quite different avoid fragmentation, right? Yeah. Actually put two questions, right? Yeah. The first level was about the identity Provider provider and the telco. Yeah. We as also working with telcos, I think we won with BT, the cooking a co identity award.
And for me personally, why holding this is interesting, why it's only telco trying to go into that business. I was expecting perhaps financial industry, well, public industries also have that business. Financial industry knows a lot about their customers. I think it's telco because they need new business models. So the competition is pretty high and being identity provided there is a new business model for that. And of course they have a lot of identities, but I'm kind of puzzled by other verticals. Don't go in that market as fast as telco.
All I, all I will say is I know a number of banks that have tried. They tried. Okay. And they just haven't been successful. Maybe other people speak to why, but I know they have definitely tried, Well, what I was thinking of solutions, that's like it's concierge. Yeah.
So, so, so effectively there's an inter the cloud is that will allow effectively to confirm the identity of a Canadian citizen who registered this in order to obtain or access some kind government service you want say. So where we have interesting federations, like is an interesting example. We have to be mindful of complexity because in concierge case, by law, there is only five identity providers and that's all there will ever be. So it's artificially constrained.
And the reason why I bring this up is that if we, as an enterprise, just thinking internally, today, struggle with mobility. Then the UN complexity, when we start to look external to our customers will struggle more. And when we look beyond that, because let's face it, mobile is a warmup for IoT, right? So everything we're not doing well today in the mobile setting, we'll do fabulously horribly when we get to the internet of things. And this is only maybe simply only cause of complexity.
So where we can have a success in consuming third party credentials in a constrained environment, emulating that deployment model in an unconstrained environment is not necessarily risking for success. So the telcos have an artificially constrained environment in some regards, there's six in your country or three, your country or two in your, and that actually could be recipe for success, where if we sort of unfettered that for a certain vertical or certain use case, the complexity gets too great for us. I believe to.
I think the other thing is telcos are just, they've been doing this for so long and to the sun acquisition, the identity, primarily working a lots, you know, back types of transactions. And it just so happens with the CIO, the enterprise setting to their, their, their groups. We're now gonna shift to focusing on top line revenue and external facing deployments, just so happens that, that problems. So I think just further ahead, yeah. How to build and they know how to build, and they have lots of technology that they built. Yeah. I actually wanted to respond to something.
Ian was saying quite a bit ago now, which is about the perceived brand risk. And I understand at a visceral level, that's very real. I know of a number of companies though, that have taken a much more data driven approach where if your site is intended to produce a particular outcome or set of outcomes, you can actually do a live experiment and segment.
So a certain fraction of your user population gets one experience and another fraction gets another, and you can measure the outcomes from things like what happens if you introduce social login or whatnot. On my identity journey some time ago, I was even talking with a major bank in the United States, Bank of America. And they were saying, well, one of the interesting things is there's not such a thing as a beta bank. All of them have to be live and do real transactions.
But in fact, they do, if they want to roll out a new feature and they're not sure it's gonna work all that well, they have a test population and it's the state of Tennessee. It turns out that it's big enough to be representative of many population samples against the United States, but not so big that if it fails in Tennessee, they can't just roll it back.
And so, you know, they're using this data driven approach and that's what I recommended. So what we say that was be, Yeah, you could, you could fill it out in Berg if you were more Tim. Right. Okay. So Just, I just want to jump back real quick to the, the statement.
So I will, now I will apply my phone as to why the tell are more successful. How many people have a phone, their pocket, their person or something. Yeah. Almost all the hands, except for people that just don't bother answer question. How many of you have a bank key fob? Yeah. So I think that's one of the reasons why the telco, because the device that you need for device based authentication is, you know, is on the present and, and, and we carry and we cherish it because you know, our social life depends on it. Okay.
So we're coming to the, so whatever each of you to just give a final statement of what your summary of your position is as a result of this. So making things easy for customers matters a tremendous amount and where there's risks having those risks professionally managed, is it benefit everyone participating sometimes that leads to federated login.
In other cases, per Daniel's point is it really matters what the scenario is, but let people whose job it is or who want the job of managing things like preventing account takeover from doing so, I guess where I would focus is kind of on the foundation. What's your identity foundation today, and is it prepared for all use cases that you wanna go after? And the use cases of today are just really different from the use cases of tomorrow. So you have to be thinking about, scale's a major piece. You have to be thinking about agility.
If you're worried about driving a service for the business, maybe three to four month frame instead of 12 month timeframe. And so, you know, there's a lot of different requirements that come from these use cases that you need to think about. If you don't have the right foundation to do it, you're gonna struggle and feel that pain that Ian's been talking about.
So, you know, I think having a unified identity platform that you know, is able to integrate with all these types of devices, very flexible, very quick leverages the standards is really important piece, or Should I sum it up best? So I think one key point is it's, it's not, not a silo solution. It's extending something you already have. This is a big point not creating a silo.
And, and I think the second, second major topic, I think we discussed that it's, it's simply a balance right? Between user experience and the avoiding risk, the topic about avoiding risk, technically it's possible. My summary point would come from the fact that we've already acknowledged that this problem has the size and scope of the internet. And it's beyond the number of people it's multiplied by the number of devices.
Therefore, I'm going to suggest that the only solution that could possibly even think of scaling to that is something based on the internet itself as well. So you need cloud based identity management service to handle a problem this big, just say, oh, but put it in the cloud.
Oh, I'll be happy. This not that's, that's the, that's the little, come on, little naive, a lot naive. So the next thing is, once you've got a cloud service, you need to do the thing we've all spoken to. You really need to make it easy. So you start using things in exist, you provide value, the right type of value to the relying party.
And you, you, you do protect the privacy of the user. So that comes back what something we've all known for a long time and never done a good job with this policy. But if one could build a system that could have a policy, which was based on standards, we comply with go regulations and then be tuned to whatever that environment is. Then we would have something to sync.
And so, you know, some of us are trying to build things like that. So I would say this behind every mobile device, behind every device is a customer. And we have to think about the holistic experience of how we service those customers so that I would lawyer you to say that we don't think about an identity service for its own sake in the situation. We think about this in the context of servicing our customers, whether those are partner organizations or individual citizens, and that what we should be looking for is the way to service those, those customers.
Realistically, convenience is part of it, providing security and protecting that customer is just as more part of it, because at the end, what happens next from a social mobile and internet perspective is really going to be a measure of trust, how much the people that we service trust now our brand. And so we view it in this way. I think it gives a lens to look at the risks and the opportunities as we service all of our customers and all. So I'd like to thank the panel and leave you with some calls, you know, are we going to be engaging in cruel things in my fridge?
If you're interested in the internet things, then I'm running a workshop on that on Friday. And you still sign. If you are interested in, we didn't really get time. There is workshop on and there's.