Well thank you everyone for sticking with it. I, how many wants to go get coffee? How about the honest ones?
No, I'm just joking. I think we're all there. So I'm gonna spend a few minutes. I appreciate the time to tell a story and part of it is that, you know, I've been at Ping for about 13 years. We've been in our product group and it's interesting how we look at modern identity and what I call the evolution of trust. And so recently I read an article, it was in Forbes magazine and it had this statement and it said that, you know, all of our identities are under attack.
We're all, you know, kind of in a fearful state. And in the statement, the title of the document actually said there's, what did it actually say? Sorry. It was that, you know, you need to trust nothing and verify everything. How many believe that's to be true? So it's trust nothing, verify everything. Well you know, I got a little depressed after reading the articles 'cause I thought, you know, there is a case when you need to actually trust someone. And there was an actual online game and I'll ask, I encourage many of you to go look at it, but it was by a person named Nicky Case.
And Nicky Case had an online game that was really built around this concept that individuals, when they play other individuals, they're probably better off by, you know, cheating and doing whatever they can to take advantage of the situation. And I, you know, used the game. I went online and I actually started using it and I found, you know what, it's true. I actually, if I could cheat and if I could leverage the game, I was able to take an advantage. But as the game progressed and it started to identify a few things, it created characters.
And those characters were really more like us as humans. Consider we've got humans that are very agreeable and cooperative. We have humans that also cheat. They also try to take advantage. We've got those that are a little bit skeptical. Those that if you cheat them, they're probably gonna give up and just cheat you back. And then we've got others that if you give them a chance, you know you are a little bit skeptical, you trust and you kind of use the golden rule, you know, you do unto me as I do unto you, you start to get a better result.
So in my conversation and my talk, I'm gonna talk and refer back to this game 'cause the game has a set of principles. It's as individuals we may be better off cheating, but as a group and as a community, we're better off gaining cooperation and trust. Now one thing I thought was helpful is to just define what fraud is. And it's interesting if you translate it down to its very limit. It's really identity theft without our permission and knowledge.
Well, scammers are doing the same thing. Scammers are actually doing identity theft with our permission. And so you imagine this is somebody who's convinced us to actually give them the permission or give them some of our information to get it away from it. Now if you look at what this means, I think through the con the whole conference and in your conversation you see it's expensive. Everything from, you know, any of the, the predicted, you know, fraud risk.
I'll actually give you a case study later on that talks about how expensive it is to deal with fraud and how much it costs to be able to manage it. I even, you know, the last statistic here I wanted to call out is that there is an emerging type of fraud. They're finding that big transactions because that's where all the money is, ends up being one of the critical attack surfaces. So if you look at the fraudsters, you look at the scammers, you look at how we deal with this issue of a society that is made up of different people, it really requires us to do a few things.
So question for the group is to say what does it really require? What's required from us to establish trust with the users that we work with? And it really is just knowledge and insight. Knowledge being that, you know, experience from the past and insight is to be able to predict what's the future. Well when I was young my mother loved musicals. And so every Sunday night we had to get together. We all got popcorn and we had to listen to these musicals. And I'll be honest, I didn't really like them when I was younger, but I always thought that they had an interesting point.
And so when I looked at preparing for this talk, I thought what's something that resonated? And it was this song you consider Rodgers and Hammerstein, you know had King and I, you know, I won't talk about at least the premise of King and I but the concept was good is that you know, when you had Julie Andrews sing about getting to know you, she actually had an interesting phrase and I wanted to share this with you. So the song has a lyric and it says as a teacher I've been learning and you forgive me if I boast, I've now become an expert on the subject I like most.
And it's getting to know you. Then she further goes on to say, and because I get to know you, you can start to see that I am bright and breezy was the term she used because she was excited to learn about the beautiful things about that person day by day. And so you consider this, this really becomes a blueprint for how we should be engaging others. It isn't about I think trusting nothing, it's more about actually getting to know people to understand who they are.
Now to put this in context, I wanted to at least give you some, some information and this was done off of a study, a guy named Mark Max Roser. He deals deeply in data and he identified that our experiences actually lack a lot of information. Our experiences that we have on individual basis is really pretty slim. And so we don't really get to know someone. But he did reference a study that talked about the average person meets about 800 people in their life. You get to know a little bit about them.
And so consider statistically if there's 8 billion people on the earth, you get to know through your lifetime about 800 people. That suggests that you know, a 1000th, 100000th of a percentage of the user population. Now how many think that's a really good way to get to know your user population? Hopefully no one raised their hand. It's not really 'cause it's a human interaction that doesn't really have a way to touch.
Well if you take that even further, even if you tried to get to know more people and you try to actually engage a little more heartily being taking a bright and breezy approach just doesn't work. So what do we do? Like we're in this boat where we need to establish trust and we needed to do it at scale internet scale. And we need to start to go beyond just distrusting everyone to finding a way to trust them, be able to cooperate with them.
And so I carved out a few elements and I want to talk through the elements of trust and see if we can build a way to have better insight and to have intuitive knowledge of an individual. So first thing is you take wisdom well, you take the the elements of trust and first it's you know, gather data and then you analyze data to understand that data and its use to provide wisdom, which is really, you know, that experiential data what we learn as well as to provide insight.
So the first item here is just to try to understand the data and create information and understanding that information is really done through identifying the relationships that we have. Now, a really great source that we've seen a lot of examples here this week of just, you know, taking document authentication. Most documents have a lot of attributes that are verified, they become credentials that we can use this data. But it's not until you use machine learning to start to create the relationships that you start to get the information you need to make a decision.
So you consider in this example, this is really Jen, just a driver's license. Many of the identity verification technologies out there use that data as well as you know, machine learning to do about 150 analysis on that data and on the outcome of it is they have a fairly good understanding of the user and the credentials. Now the next is once you have the information, so you've taken data, you've done some initial analysis to create information, you start to know them a little better. We need to start then gaining knowledge and that knowledge comes by understanding patterns.
That's that notion. If I have a historical view of someone and I have a rich set of information and data, I can start to compare that to the future. That knowledge then gives us the insight to where we're gonna start make more additional patterns and we start to predict what the future might bring. Good examples of this is a lot of AI as well as advanced machine learning takes that information and it's able to establish patterns is as well as it's able to predict, it's able to do things like that's a bot because the characteristics, the behavior doesn't match the pattern of the past.
You also look at knowledge and I think this is key is that you know, we start to gain information that really becomes a source of data. But it's not until we translate it, not until we convert it to knowledge that information that we can start to do things with that. And you look at many of the risk predictors that are in a lot of risk engine, a lot of the identity fraud engines all are really that translation of how information associated to the pattern and knowledge and what the future might bring that bring that out.
And you see good examples of data about, you know, IP addresses and about location, about geofencing all translates into hey, you know, is this impossible travel or not is one of the predictors. Okay, the last, and this is where I would like to engage you a little bit on the concept. Now when we look at you know, data to information to knowledge, there's one more step and that step is to understand principle. And that understand principle is important because it allows us to start to get to know how someone ticks, what are the rules that guide them, how do they interact?
I have a neighbor, he's very conservative, very right wing, you know an older gentleman, he wears leisure suits. His name's Dave but I want to call him Larry if you know Leisure Suit Larry. And Dave quite often gets in conversations with me where we debate and we debate heartily about things that we disagree with. But one thing I know is I know his principles, I know his character and I know if I ever left the house, he would go and protect my house. If I ever left my door open he would go close it.
I even had a case where my garage door was open and he came the next morning and said, Hey, I turned it, I closed it before you left. And that was because I know Dave's principles.
So again, we may not agree on everything, but we share the same principles. Well in a digital world to understand someone's principles, to establish that next level of trust, we have to find things that start to become a little more intuitive to us. And that intuition comes from multiple sources. But you look at this spectrum, if digital credentials, which I think has been a common topic here, really centered around those credentialized identities, those things that somebody else vouches for us, then we have our natural identity things that are associated to our voice or our name.
And then we have those that are device related or machine related. We start to get a pretty good picture of somebody's credentialed identities and something that's naturally who they are or something that that represents them. Now if you look at then today's world, what are some good examples of what I would say more, you know, principle based identification and principle based ways of developing trust. Now I'm gonna say we're far away from being able to do principle based trust, but a few things help. And so take live same, we take selfie liveness matching.
And what that does for us is it gives us a chance to interact. And when you can interact against data, information, and knowledge that you have, you start to be able to create an intuition. You start to be able to say, I know the user, I've seen the user and I'm now interacting. And oddly enough, this is where those fraudsters and scammers drop. Once you have to engage them, interact with them, they leave. And even more so you consider voice. Now I'm doing a multi-level verification. It's something that requires interaction, it requires me to know.
And it's interesting, I saw some technology last week that you can even determine age and someone's height by simply the tonal resonance in their nasal cavity and their voice and the level that it comes from, from a microphone. So consider two different examples. They're fairly early and emerging. But I would challenge all of you as you're in the industry to consider what are other principled ways we can start to identify and establish trust. A few things then is as we move away from the elements of trust to start to look at what's required.
First off, most often you can't just trust somebody before you know them. And once you know them you're never going to interact. I think this ability to go from unknown to known and be able to, once you know them, protect them, ensure that you're, you know, respecting their privacy, you're respecting the, the resources that you want to hold most valuable. You make sure that the entire user journey is being managed. You also need to ensure that you have an adaptive trust framework.
And this is key 'cause quite often we spend a lot of time getting someone to an authenticated session and once we are in that session, authentication systems usually leave. We need something that sits in the middle to help establish trust. And that trust can no longer be about just allow, deny 'cause that user experience doesn't really create the trust or the intuition that we need. We need to also mitigate. And that mitigation can be, you know, asking them to reverify, asking them to prove with additional information or you can simply go educate someone.
I remember one of our customers actually their main purpose if I found that someone was struggling accessing into the app, they sent them to go get trained, get certified and then back in. So that mitigation and how you mitigate that I think can really help establish greater trust among people. Now a few examples then if we look at mitigations, you know if I have a dis you know a detect, decide and direct some of the direction you can is if you're seeing authentication attacks you can always step them up.
You can always then establish additional password policies that are helping you know, if you, again it's a new user, do we don't quite know them, they're outside the firewall under an unmanaged device, I can certainly have password policies that support that. I can also establish passwordless journeys. I can't tell you how many customers I've talked to that said Passwordless actually ends up being the most secure because I'm giving them a delightful experience and they're not going out of bounds, they're not doing other things to cheat the system.
And then last is just I think we all know risk signal policy is very important. The more you can fine tune your risk policies to get to know and to establish trust is important. And then the same is on authorization. That ability to you know, provide fine-grained access control get you to a least privileged approach really makes a difference. These show up when you're in session and you're making an access request to a service. Make sure that you check that that session hasn't been hijacked. You make sure that you have the ability to be able to time out this session if necessary.
And so make sure that as you're authorizing someone managing access to request important data that you can support that. Alright, to finish up, I had two examples. I just wanted to have some case studies to have you connect. You know Ping has customer large European retailer, they're, they do clothing as well as cosmetics and they were challenged with a lot of attacks they were having. They were essentially, you know, credential stuffing attacks, leveraging bots.
They were using some, you know, credentials that they had found and they started to go after the system while by implementing a very simple identity fraud solution within their environment, they were able to reduce about 83% of the current attacks, which gave them about a 10 x return. 'cause they were able to, you know, eliminate the bots as well as they were able to provide a much better user experience. Now another one that I find interesting is this is a trucking management platform company and they were seeing all kinds of attacks.
There were devices that had been tampered, they were getting a lot of bots that were attacking them and they were trying to just manage account onboarding as they went through. And what they were able to do was implement risk as well as verification technology. They're going to over time start to include even decentralized identity and wallets. But their world was, they were just getting attacked. They were just trying to get accounts created so they can bring 'em onto the platform. By implementing a lot of this risk, they were able to deploy very quickly.
It was in a matter of a few months they were able to get up and running and they were able to detect 83% of the attacks and with some precision tuning there, well over about 90% of detection. So definitely a good cost savings there.
Alright, so in summary, I just wanted to highlight a few things and go back to that analogy that if we can all become more cooperative as we can all become more interactive, as we all start to understand our users, and again, be skeptical, but again, trust we can start to get to form well-known identities and those known identities come from just a person's identity. Who you are, the credentials you have.
Also, we can get to know people by knowing their affiliations, knowing what company they work for May, knowing what memberships they have, even being able to say, Hey, I know this person has a very active loyalty program in United that tells me they're a person and they are who they are. You have a person's eligibility.
You know, there's a use case where you have contractors wanting to, you know, go in and fix windmills in America. And being able to be accredited to be able to work on that platform is very important. A great way to get to know the person. And then a person's experience. And I think this is one area that we have a lot of opportunity ahead of us, is to truly understand someone's journey. Understand that all humans are not infallible. We all make mistakes.
And so be able to know when someone's just making mistake and when they're doing something wrong will allow us to establish greater trust than always just assume no trust and always verify. So I'm gonna leave you in a summary and go back to this musical that I saw when I was younger. But in closing I just wanted to leave you with a quote out of the song and it says, it's a very ancient saying, but a true and honest thought that if you become a teacher by your pupils, you will be taught.
And so understand that too often we spend our time trying to protect, trying to block, trying to be scared of fraudsters. And I would encourage you to do just the opposite. Let's get to know our users better, let's get to interact with them, let's get to be good stewards of their data and ensure that we understand what's important to them. And with that, I'll leave you that thought and be done, but thank you. It's a musical reference. I know.
No, I was gonna say your mother and I have a lot in common. I love musical references, Oscar Hammerstein, lots of wisdom in, you know, especially in the South Pacific. Be careful what you say and things like that.
Yeah, really, really good. We have two quick questions. How crucial is the initial data quality at identity establishment?
How I, I think it is critical. I mean it is just a data point and so I found that even if you have partial truth, partial faults, that will be part of your analysis. We've seen in a lot of the data we capture that once we go in to do some machine learning on it to find the relationship we find it just doesn't fit. It's actually anomalistic. So it doesn't have to be perfect 'cause I think there's means or tools to determine its quality. Okay. And the question is how do you handle deepfakes? How do you handle deepfakes? That was that, that promotion there that we had on front.
It's really the way we've seen it and we are seeing patterns today is that you identify that sometimes AI and deepfakes are too perfect. Most of the detection we've seen is that because they are too perfect because they've lost that intuition, the intuitiveness of it. We can start to detect that their pattern is again, too real, too good versus what I think normal people have. So we've been able to determine when it's fake and when it's not. Great. Thank you very much Lauren. Thank you everyone. Appreciate it.