Good morning or good afternoon, welcome to our webinar today, which is titled "Facilitating Business with State-of-the-Art Identity Proofing Solutions". I'm John Tolbert from KuppingerCole, and today I'm joined by Vikram Subramanian, who's vice president of solutions at Simeio. So before we begin, a little bit about us. KuppingerCole is a global analyst firm; we specialize in identity and access management, cybersecurity and artificial intelligence. We write reports of various kinds. We put on events and webinars, and we do advisory projects for clients as well. Our research has four major formats.
We do reports called Leadership Compass, which are comparative analyses of all the different products and services in a given market. We do Executive View papers, which are more focused, four- or five-page overviews of specific products or services. We do Advisory Notes, which are like a longer-form research paper that covers a specific technology topic. It's not really about any particular product or service. And then Leadership Briefs are much more condensed versions of like an Advisory Note, where we try to keep recommendations down to just a couple of pages.
On the advisory side, we offer several different products. We have a Strategy Compass. This helps both end user organizations or vendor customers develop their strategies and roadmaps, product roadmaps and transition roadmaps. We do Portfolio Compass, which is scoping out what a client has in terms of technology, looking at their requirements and helping them decide on what kinds of technology they may need to implement and how to get there. The Tech Compass is, again, some requirements analysis and really helping with tools choice, building an RFP and executing it.
And then the project compass is assistance with project management on those kinds of projects.
We also recently launched KC PLUS, which is our new content platform. It's really easy to search, it's affordably priced, and one seat for around 800 euros will get you access to all the research for a year. On the event side, we've just completed our CyberNext Summit in Washington, DC last week.
Next week, we have the Consumer Identity World conference in Amsterdam. We have Cybersecurity Leadership Summit and Cyber Access Summit in Berlin in November, and then a couple other conferences, AI Impact, Cybernetics World. And then our flagship event is EIC, European Identity and Cloud Conference, which is in Munich in May.
So about the webinar. Everyone is muted. We can unmute as needed. We're recording the webinar and both the recording and the slides will be available by tomorrow. And we'll save time at the end for questions and answers.
If you look at the control panel for GoToMeeting, you'll see that there's a blank for questions. So feel free to enter your questions into that at any time. So I'll start off. I wanna give an overview of current fraud risks, fraud reduction techniques, and where identity proofing fits into that mix. And then I'll turn it over to Vik to dive a little deeper into the identity proofing part. And like I said, we'll take the Q&A at the end.
So we'll just start with an overview of the fraud as it is today.
And as you might expect, it's pretty significant. Estimates were in 2015 that it was a drain of about 3 trillion on the global economy, and by 2021 that's estimated to be almost 6 trillion. So cybercrime is a growth industry, unfortunately. Which industries are targets?
Well, of course banks, financial institutions and payment services are always gonna be highly targeted because of the nature of their business, but also retail. Gaming: gaming sites are not only being targeted for fraud in terms of, you know, monetary gain, but I've recently learned that a large segment of the DDoS traffic in the world is people attacking gaming servers. So there's a variety of ways in which gaming is under attack. Insurance: insurance can be a target for fraudsters as well.
Anytime somebody might be able to get money out of a site or a company illegally, they're gonna be targeted. Telecom, healthcare. Healthcare is particularly focused upon by those who want to do synthetic account fraud, and we'll talk about that a bit more in a minute. And that's because healthcare records, electronic healthcare records, often have much, much more detailed PII than, say, a retail site that you go to, because you don't need to enter your social security number and a lot of details in order to buy products online.
But as you know, when you go to the doctor or any medical clinic, there's tons of information that they take. So healthcare records are important targets for fraudsters.
And then, you know, over the last couple of years, the travel and hospitality industry's been increasingly hit because of things like your frequent flyer miles programs, any kind of reward program where you can take those benefits and then cash them out or use them for, you know, some monetary gain. The fraudsters have definitely figured out that that's a rich target.
And generally, you know, these kinds of sites are only protected with username and password, and people don't necessarily go check their account balances very often there.
So if somebody can hack in and get your frequent flyer miles, you may not look at that as regularly as you would, like, a bank balance. And then real estate: you know, real estate escrow misdirection's been a problem for years and it continues to be a problem, you know, where fraudsters will come in and, at the last minute, send an email getting the buyer to transfer money to the wrong account, and then it can't be recovered afterwards. So real estate is a fairly sizeable fraud target as well.
So in the market today, we're really seeing four major types of fraud.
There's new account fraud, also sometimes called synthetic fraud; account takeover fraud; insider fraud; and transaction skimming, whether it's ATMs or gas stations, but that's not really what I'm gonna focus on today. We'll talk about these three types in more detail as we go on.
So a little bit more about the techniques that are used. If you think about mobile devices, which, you know, more and more people rely upon for their daily interactions with all sorts of businesses, there are both banking overlays and travel site overlays that look like real mobile apps, but they're there to harvest credentials. You know, a mobile anti-malware solution would help with that.
Screen scraping: you know, unfortunately some businesses rely on screen scraping or, you know, pulling data out of entered forms and passing them on. This isn't really a good security practice, and it's kind of ripe for fraudsters to pick that information up, too.
Keyloggers: this is, you know, like getting a rootkit on your PC. It's gonna harvest credentials as you enter them. Cryptojackers: this was a really big problem. It's still a problem now, but it's decreased in frequency a little bit, I understand. This is grayware, pseudo-malicious code that you might pick up on your computer or your phone.
The idea is it's gonna mine cryptocurrency in the background, generally Monero, and eat up your battery, waste your power, and prevent you from getting the work done that you want. I mentioned the real estate escrow misdirection already, and then fraudulent insurance claims, you know, targeting insurance agents and brokers, getting their credentials so that they can sign off on fraudulent insurance claims.
So a little bit more on new account fraud.
This is where I was saying, you know, healthcare records, government agency records, anything that's got lots and lots of PII that would allow the bad guys to get your email address, phone numbers, physical address, social security number, all that stuff, to create accounts. Why do they wanna create accounts? It's usually for financial fraud, for, like, creating mule accounts. So maybe, let's say, the bad guys out there doing ransomware, they collect all the coin. They need some way to transfer that so that they could get money in the real world.
So new account fraud is big and getting bigger over the last couple of years. Mitigation for that: identity vetting, one of the focuses today. Identity vetting can definitely help mitigate this very pernicious form of fraud. A lot of it's also perpetrated by bots.
So bot intelligence and management is another technique, and I'll drill into that in a minute. So account takeover: how does that happen? Phishing is probably the most prevalent way.
You know, getting an email that looks like it's from perhaps somebody legitimate. I mean, you know, the phishing fraudsters have gotten quite a bit more sophisticated in recent years. The masking of email addresses, the content in the emails has gotten, you know, much better. It's more able to fool people. So phishing is still the method of choice. And that involves either sending a malicious payload or a link to a bad URL where malware can be downloaded, maybe drop a keylogger or rootkit, which is mentioned here, four, so they can harvest credentials.
Other ways of getting that malware on the device to grab the credentials is from drive by downloads or redirects to fake websites.
Sometimes there's information in globally readable cookies. Spyware can steal that and use that to build credentials. Then you may have heard this term, credential stuffing. It's kind of on the rise. This is related to eight there. If you've got compromised credentials from the dark web, let's say, you know, your username and password have been exposed from one site you use, the bad guys will go pick that up and try to run that password,
maybe that email and password combination, against lots of other sites, and they'll automate this and, you know, run these attacks over and over again. That's what we mean by credential stuffing. And unfortunately it's been pretty successful for lots of the fraudsters, because account takeover is a huge and growing problem. Brute force password guessing still happens out there in the wild too. All of which, you know, points to passwords as not being a very secure method for authentication.
So yeah, account takeover fraud is often perpetrated by, you know, getting the breached username and password combos. It's also used for financial fraud, but, you know, this type can be used for all those other areas I mentioned just a minute ago, around different kinds of financial accounts, like pension plans, 401ks, different kinds of insurance, medical, frequent flyer programs, any kind of reward programs where you might be able to cash out a benefit for money. Mitigations here: multifactor authentication, risk-adaptive authentication.
And this is why security experts will always tell you don't reuse passwords across sites. Lastly, here on this part, insider fraud: it's often financial transfers or theft of intellectual property or customer data from CRM. And we can guess who does that: unhappy employees, or sometimes contractors, somebody with a money problem perhaps, who might be able to make money out of insider fraud.
Mitigations here are privileged account management, segregation of duties, essentially making sure that employees don't have access to more information than they really need to get their jobs done, using risk-based authentication, you know, tying it in with user behavioral analysis, and having an insider threat program also.
So now let's take a look at fraud reduction techniques. So I've kinda categorized these techniques into six major areas.
And we'll kind of work backwards here from bot intel and management, behavioral and passive biometrics, which is different from user behavioral analysis, but then various forms of intelligence, such as intelligence about devices and credentials, and at the root of it all is identity proofing and vetting. So we'll talk a little bit about each one of these. So on the bot intelligence and management side, it starts with detection and, like anti-virus from years ago, vendors or service vendors in this space have learned to put these together into signatures.
So you can look for certain signatures of, of bot attacks. Other methods include maybe using an embedded pixel on a screen or dropping JavaScript on, on the browser. The JavaScript would invoke programs that would do keystroke swipe analysis, things like that, too. The idea behind it is to ensure that there's a real human being user behind it and not an automated program.
Then all of these vendors use variations of machine learning and deep learning analysis against huge sets of data so that they can better determine which is human behind it or a bot.
Because as we'll see, bots can be very like humans in the kinds of output that they create, because the bot developers are trying to fool the detectors. And then behavioral and passive biometrics kind of play into this as well. So I thought it would be interesting to take a look at this, from Seneca Institute of information science. The one on the left is produced by a human. This is mouse movements, you know, in a game, I believe. And the one on the right is a bot trying to do the same thing.
So, you know, at a real high level, they kinda look similar, and this is why it takes solutions that are enhanced with machine learning, to run huge amounts of data through this, to be able to determine which one is real and which one's a bot.
So besides detecting them, you've gotta learn how to manage them because, you know, a large percentage of legitimate web traffic is bots. So you have to distinguish between which are the good, which are the bad, and which are the gray, and then what you want to do with that.
So, you know, on the good side, you know, there are bots that, you know, do inventory management, maybe a, a supplier for many retail companies, you've got your partners or your resellers that are coming in and looking at your inventory every day. You don't wanna block that because, you know, they're helping you do business, but there's also cases where other vendors might do inventory hoarding. So they're going out and, and using bots to figure out how much inventory you've got and then trying to, to buy low and then turn around and, and sell high.
So you would want to, you know, block that, or at least limit that. So, you know, good bots, you can whitelist. Bad bots, you can blacklist. Gray bots, if you're not really sure, then that's where bot intelligence and management solutions come into play. You can have different ways of challenging them, you know, CAPTCHA, reCAPTCHA kinds of things. We probably all get annoyed with those, but the reason behind them is because it's trying to distinguish whether or not we're real people or bots.
And then there's also other things that you can do: throttling, sending them to cached content, or just redirecting bots, you know, based on policies that you put into place. Behavioral and passive biometrics: as I was alluding to, there's keystroke and Nelson analysis, there's swipe analysis for phones, touch screen, you know, literally how hard are you pressing on the screen? These biometric programs can kind of develop a profile of what's normal for you as a user. Same thing with gyroscopic analysis.
Apparently we all interact with our phones a little bit differently, and patterns can be built up from there. Gesture recognition: you know, maybe using a specific gesture to unlock a phone, and then how you do that. Network or Wi-Fi SSID: you know, most of us are within range of the same networks or Wi-Fi SSIDs on a regular basis.
So, you know, understanding what the, what the norms are there, same thing for mobile network and location analysis, you know, building up a baseline of where you normally work, and then being able to say, oh, well he or she's not in their normal location. Maybe we change the risk score, and there are other factors, but these are the most common for behavioral or sometimes called passive biometrics.
So user behavioral analysis: this is another place where AI or machine learning enhanced detection techniques are really a necessity today because, in order to be really effective, you've got to do user behavioral analysis over a pretty long period of time. Many of the third party solutions here will integrate with social media.
You know, that can be a bit more of a challenge in Europe now with GDPR, all that has to be consented to, but some of those solutions can pull social media interactions into the user behavioral analysis for, you know, let's say, especially consumer-facing, retail-facing kinds of sites and services. Then there are also some basic identity analytics that are involved, you know, frequency and time of logins,
number of failed login attempts, whether or not the user's making changes to their profiles. Specifically on the finance side, or if it is a retail site as well, UBA will look at, you know, is this a normal type of transaction for this person?
Does it fall within the, the normal amount range that they would do? Is it about the same pattern?
You know, there are many things that we set up on auto pay, or maybe we buy things at a certain pattern. So understanding the baseline over a long period of time makes user behavioral analysis much more effective, especially on alerting for anomalies.
From the device side, yes, of course, they're gonna look at things like the IP address the request originates from. What network is it from?
Is it a known problem area? If so, you know, it might bump up a risk score. IP reputation: you know, again, this is like looking at a pretty sizable history for IP addresses.
You know, maybe bots are using the same networks, so you'd want to be aware that that might increase the risk. Geolocation delivered from the device. Geo-velocity:
sometimes that's called impossible journey. That would be like trying to log in from Japan and then log in from the US an hour later; that shouldn't work. Device ID, device type, you know, whether it be, you know, Android or iOS. Device fingerprint: you know, that's a little more problematic. That's why I put the asterisk there.
Some of the later mobile OSes are making it more difficult to actually extract a fingerprint from the device, and by fingerprint, I don't mean, you know, biometric fingerprint. I mean looking at the device and developing a profile about the device based on characteristics. This has been a pretty important method that many fraud reduction solutions use, and changes in those OSes have made it a little bit more problematic of late, but the vendors are working with the hardware manufacturers and SDKs are available now.
So I would imagine that long-term solutions will be in place here. Device reputation, device health assessment:
this is looking for malware, or device reputation is looking for, you know, who does the device belong to?
You know, does it conform with known patterns of usage? Health assessment and malware detection: EU PSD2 actually requires that no financial transaction governed by PSD2 should be influenced by malware. So being able to get that intel was important. Tracking the IMEI number, SIM, protecting against SIM swaps. Then things like knowing which colors, fonts and languages are installed on a device. Is this a known user, or is it on a new device?
Is it a jailbroken device or rooted? That doesn't necessarily mean you would wanna deny a transaction, 'cause some users root their own devices, but it's a flag that could be raised. And again, AI and machine learning really have a place here. Credential intel: this is about, you know, let's say large IDPs have many, many customers, many tenants.
So they know about failed or suspicious logins across their entire network. And they can use that to benefit.
Let's say, you've got your own retail facing site or, or retail site on the network or you're using their identity services. You can benefit from the information that they have in their network. There are also quite a few third party credential intelligence feeds that, that you can integrate with generally using APIs to, to get more information on compromised credentials.
And then, in the end, you've gotta decide, based on all that, are you going to let each specific transaction through? Is the compromised credential intel recent enough? Is it corroborated from multiple sources?
Again, these are things that have to be considered in a risk engine.
So lastly here we'll talk about identity proofing. This is kind of the foundation for fraud reduction. This is really looking at, you know, at registration time, when somebody's gonna sign up for a new account, what can you do to ensure that that person is who they say they are so that you can give them an account? And the examples I'll use will be around banks and finance.
So often, as you know, if you wanna go to a bank, you know, you'll have to take some authoritative documents with you, whether that be like a driver's license, in many cases in the US, something with a photo ID, or, you know, a passport also works pretty well too. And really this is about complying with anti-money laundering and know your customer regulations. And these are in place in many locations around the world, and there are variations in how they're implemented. So that's something to be aware of.
And the goal of identity proofing is to increase identity assurance again, to reduce the different kinds of fraud that we're talking about here today.
So what I'm calling identity proofing classic: let's say a user wants to create a bank account. Again, in the olden days or even today, you know, you can go to your bank, you can take those authoritative documents, and a person at the bank will validate those.
And if you check out, then, you know, you can wind up with a bank account, but increasingly we're starting to see, you know, in the last couple years, there's some very interesting mobile options here that are actually quite useful for reducing the labor intensity on the bank side. So here in this case, we've got same user wants to create a bank account instead of going to the bank, they can use their phone to do, you know, maybe a selfie photo verification or read the data in a, in a passport. If that checks out, then they can be granted access to a bank account.
Now this does have its own different set of risks. But, you know, this is something that's a possibility that banks or other kinds of financial institutions or other sites are, you know, more often than not looking at today as a way to reduce those costs associated with creating new accounts. And with that, I'll turn it over to Vikram.
Thanks John, and welcome everyone. My name is Vikram Subramanian. I'm the vice president of solution advisory at Simeio. I've been in the industry for about 13 years now.
And today, as John was talking about, we're gonna be talking about identity proofing and how it would help facilitate your business. So just a little background about Simeio: we've been in the industry for about 11 years and we manage about 150 million identities across the world today. They're distributed across 60 countries, and we are SOC 2 Type 2 certified as well as ISO 27001 certified. We cater to use cases across B B2B, B2, and name it, anything in identity. We are able to do it our over five professionals who are dedicated to identity and management across I and access management.
Of course, we cater to all the different services and we're able to provide it in different delivery methods, either through the cloud or on premise.
Now, in order to talk about identity proofing, we have to realize that we are in the age of digital transformation. And what does that mean? Users or consumer expectations have become extremely high as they are interacting with us in the digital world. They have learned to expect the same behavior or the same experience that they have in the physical world to translate into something in the digital world.
Let's say, for example, I'm going and buying a gallon of milk at my corner store. If I go there regularly, I have a relationship with the shopkeeper. So anytime that I actually step into the store, he has a gallon of milk waiting for me. And he has the know me experience with me. And essentially I'm able to perform the transaction very quickly. This is the same experience that consumers are demanding in the digital world. Be it their, be it customers, employees, or partners.
They want a secure way to interact with you in the digital way, from anywhere, anytime, and from any device.
However, because of the growth of digital transactions, there has been a paradigm shift from trust but verify to never trust and always verify. And this has exacerbated the consumer experience. In order to help you understand this a little more, let's see how it all started. John already mentioned everything about passwords.
Well, why did they come up in the first place for a digital asset or for your digital properties? It was the easiest way to verify a user. All they had to do was create a username and password, and immediately it got the user in the door.
However, passwords got more and more complex. And as security professionals, we obviously advised the users that the more complex the password, the better it is. And of course we already know what discussions are going on in boardrooms in, in terms of password strength that is evident in the cartoon.
So what did that lead to? Exactly what we are seeing here in terms of statistics. What happened was, obviously, because the password strength started getting more and more complex, we can see that over 73% of online accounts were protected using the same or duplicated passwords.
What that led to is that over two people or two in five people have had their identities compromised just in the past year. With passwords, we have to realize that the human mind is simply not scalable to remembering the passwords across all of the digital accounts that each user has access to. Phishers have become more and more intelligent in socially engineering your information and gleaning all of their information, and also fooling companies, or the frontline people of the companies, into divulging your information or helping do transactions that are really not meant to be performed.
So what did we do to solve the password issue? Along came MFA. However, users don't like MFA either. Why is it? They still have to remember a username and password, and now they're having to carry around another device so that they receive an OTP or a pin code or do a push notification, but this has just exacerbated the user experience. Another thing is that MFA for your websites is typically very difficult to set up for end users, and users don't actually know if they have set it up properly or actually have MFA truly on the websites. There was a study that was conducted by Dr. Joshua Reynolds from the IEEE, specifically trying to understand this problem. What he found was that across the tested users, only 20% of the users were able to successfully set up MFA. What he had asked them to do was to set up MFA on some leading social websites.
So only 20% of them with clear cut instructions that were found online were able to set it up even in the first place. Well that it didn't stop there. What they had to do was make sure that they were able to be prompted for MFA during log on.
However, not all users realized that they had to enable it at the point of log on. This meant that they had a false sense of security and truly what the experience was and was not a frictionless experience to setting up MFA and doing log on. So what should we do to really apply the principles of zero trust to consumers so that they have a frictionless experience? There are some key principles to follow. We have to realize that zero trust and privacy go hand in hand.
Yes, we need a lot of information about the users to make sure that we are trusting and verifying them.
But consumers also need to feel safe that you are indeed securing and securing their information. Along with the transaction, there has to be a right balance between the amount of information and the assurance needed for a particular transaction. So you do not need to know all about all the information about an end user to perform a simple login.
However, when you're doing a financial transaction with them, there is the understanding that more information might be required. A focus needs to be done for increasing the assurance levels as the, as the user is moving through your digital assets so that the user is comfortable divulging all of the information that is required by the digital entity.
So this begs the question: what is the real question that we are trying to answer, or what is the real question that we are posing to the user who is trying to interact with us?
It is exactly what the slide says, which is, who are you and what are you trying to do with me in order to do that? We feel that the key to this transformation is going to be the digital identity. As long as a user is able to establish a trusted identity and present some digital credentials, they should be able to perform the same transaction that they had in the physical world have the same experience that they had in the physical world and translate that into the digital world.
Well, in order to do that, a simple identity would not be enough. We also have to understand that different transactions would require different levels of assurance.
Let's say, for example, I am actually logging into a website into a retail website. All I would need is a username password to log in. And I want that experience to be extremely simple.
However, when I am going to a bank, say I'm transferring more than $10,000 to another account, then the level of assurance that is required for that particular transaction is higher. At that point in time, if the bank were to send me another notification, ask for an MFA, then I'm comfortable having that particular experience and then interacting with the bank in such a way. This way, with the combination of trusted identity and different levels of assurance, we can help improve the experience for the user and also preserve the integrity of the transaction.
So let's take the physical world.
Now someone is actually going into a bar and asking for a drink. No matter how cute or how nice McLovin looks, the bartender is not going to hand him a drink unless she has verified his age. So remember the question: all that the bartender needs to know is the age of the person. Is he over 21 to receive a particular drink?
So in this scenario, this person hands the bartender his driver's license, the bartender has a quick look and is able to verify his age, and then hands the driver's license back along with the drink that this person required. So it was an extremely simple transaction, extremely quick. And essentially now McLovin is able to enjoy his drink. So what does this transaction, or what does this experience, get right? It is asynchronous as well as extremely scalable.
The bartender was able to very quickly verify without having the need to have connectivity to another interface or another, another person and quickly hand over the drink.
The other thing is that there is implicit trust in the driver's license that has been issued by an authoritative source, which is the government. The bartender did not have to call the DMV to verify the driver's license and then issue the drink.
Also, there is confidence in the information that has been put within the driver's license. And therefore the level of assurance in that date of birth or the age is extremely high, so that now the bartender's able to issue the drink.
However, this transaction gets some things wrong. When the person handed over the driver's license, there are pieces of information that this person is divulging which are absolutely not necessary for the transaction to be provoked. The person has handed over all of his information to the bartender, and the bartender is able to glean the first name, last name, date of birth, address, weight, height, everything that is available within the driver's license, when there was absolutely no need to have that being divulged.
There is absolutely no federation in terms of sharing of claims. And there is only one document that this person is able to issue for this particular transaction. So how do we solve this? The key to this is going to be identity proofing. It is absolutely necessary that all the information gets verified, but only a certain amount of information gets divulged for the particular transaction.
However, a person should have the ability to combine all of the information that is known about him and establish a digital identity so that they're able to perform transactions seamlessly. This can be done through verification of a lot of information, such as first name, last name and education, email, phone number, and all of this information through authoritative sources. Now this verification to authoritative sources can be done in a progressive manner and does not need to be done all at the same time.
This will help simplify the user experience and enable these users to prove their identity and carry it in an extremely simple form factor and provide it for particular transactions that they need to do in the digital world. We at has taken a at this and have created the identity vault. Identity vault is a simple application wherein the user is able to take all of their information and have that verified across authoritative sources.
They could very well take their driver's license or passport or health card and verify all of that information across the different entities that have actually issued them, or have the capability of verifying all of that information. They're also able to use the identity vault and carry it around within their Apple wallet or Android wallet, and are able to pull it up very easily and proceed with a particular transaction.
The identity vault also provides an easy method of sharing of claims across the user, as well as the merchant.
This functionality provides the capability for the end user to go ahead and create the digital identity about themselves and really give the same experience that they have in the physical world. And in the part, in their example, they're able to provide this digital identity and very easily get the same experience. Another part of the identity vault is the fact that we have created a gamification aspect of this and created the true ID score for the end user. The true ID score improves for the end user, even after verification of the basic information through an authoritative source.
Well, how does that happen? Well, we are providing the user the ability to re-verify the same information across multiple sources. So if you were to verify the first name and last name through your driver's license, passport, as well as a health card, the score and the trust of the information and the level of assurance within that information is extremely high. And therefore the trust score is also high for the end user.
So let's take a quick look at the experience for an end user and as to how they would be able to prove themselves.
As soon as the app is brought up, they're able to simply register using social accounts or create a username and create an unverified identity for themselves. Thereon they're able to take government-issued documents, take a picture and have that verified with the authoritative sources on the backend. So in this case, William was able to take his driver's license and then verify his first name, last name, the age, as well as the address through the authoritative source or the DMV. Thereon, his true ID score has increased to a score of 61.
Next, another thing that we are able to provide the end user is the ability to manage the claims. So in case William actually did a particular transaction and supplied a bunch of information to a retail enterprise, then he also has the power to revoke those claims from being sent across anymore. This provides William the ability to securely manage what is being shared about him with different enterprises.
So let's take the example of Alice doing the same transaction that we had in the physical world.
So if Alice were to go ahead and look to purchase alcohol, what she can do is pull up the Samuel app and then show the digital identity, which generates a QR code. The merchant is able to scan this QR code and immediately verify the face that Alice has. This is the first level of verification that happens. Thereon, subsequent information is required for Alice to complete the transaction, such as verifying her age; that is a request that is sent from the app to Alice.
And Alice is able to answer the simple English language question, whether she's over 21 years of age. Alice is able to approve the sharing of claims through the Face ID or Touch ID and do multifactor authentication, and then share the answer to the merchant that, yes, she's over 21 years of age.
There is not a sharing of date of birth that happens, but rather the answer to the question that she's over 21 years of age. This way, it prevents the merchant from gaining much more information, but also enables the merchant to provide the transactions because the age has been verified in a secure manner.
So how does the identity vault work? Let's take a look at a short video. Now let's take William again. And once William is able to register, he takes a selfie.
And now this selfie is getting matched with the picture within the driver's license. With this, all of the information, the driver's license, is matched, and now William has a trust score. William is able to utilize all of this information of his home address and his age to perform a particular transaction. He goes to a merchant, shows the barcode, and once the merchant is able to verify his age, where now William is able to get a verification request, he approves this, and then he's transferring the information back to the retail merchant.
With this, now William is going in and has been able to go ahead and perform the transaction. Also, what you saw is the fact that now William was also able to revoke the claims that he had given to the retail merchant.
This way, now William was able to do identity proofing, easy sharing of claims, have a digital identity card, which is secured, and have the same experience that he had in the physical world translate into the digital world.
This way we can simplify the consumer experience and have that translate into the digital world and make it very easy for users to interact with us with also increasing levels of assurance that are required to perform a particular transaction. So what do we gain with all of this?
We gain the ability to give the consumers a seamless and frictionless user experience, prevent fraud in a way that because the user comes to us with a digital identity and a verified identity, secondly, we are able to take the principles of increasing levels of assurance and demand different levels of claims and different levels of authentication for different transactions, and subsequently provide the user an increasingly easy experience to interact with digital enterprises. With that I'd like to thank you for attending this webinar. And I think we'll open it up for questions.
Well, great. Really good information there. So, questions, let's see. So first question we've got is, could you please provide some examples of third parties that provide credential intelligence? So probably most commonly you would think of something like haveibeenpwned.com, that's, you know, where I was talking about, you wanna make sure that the information is current and useful.
I think, you know, that one's okay, but, you know, there are others. VeriClouds is a service that essentially pulls that information together and makes it available via API. I think they have appliances that do that.
Then, you know, a lot of the IDPs, you know, Microsoft for example, will do that. A lot of the large CIAM providers will integrate that third-party credential intelligence for you. I just published last month a leadership compass on consumer authentication, and there's a list of 21 vendors in that report. And I specifically called out every vendor that either provided that natively or integrated with third-party sources.
So I'd recommend taking a look at that. That'd be a good place to start with trying to figure out which vendors have third-party compromised credential intelligence.
Let's see, next question.
Is, would enterprises have to adopt a different strategy for employee users or would it be the same? And I assume this means difference between employees and consumer facing. You know, I'll just start with that. And then Vicram, you can chime in. You know, we see at least three different approaches there. Some companies will extend their enterprise IAM to include consumer-facing identities and cover those web properties the consumers interact with. Others will, you know, build a separate infrastructure for that.
And then others will, you know, essentially hire a CIAM service to sort of keep that totally separate. But, you know, identity proofing between the employee and consumer side is very different.
I mean, you know, if you hire an employee, you can go in and you can collect a lot of that authoritative information that you need. They're hired, HR does that, they populate your internal, usually LDAP or AD, database with that kind of information. But it's a, you know, totally different way of interacting with consumers, as opposed to employees. You've got to sort of do the progressive profiling, only ask what you need of consumers.
And then if you've got to validate some of it for use cases that require, you know, high identity assurance, then, then solutions that we've been talking about that have built in identity proofing would be something to look at. What are your thoughts on that?
Yeah, I mean, I think John, I would agree with you, right? I mean, the principles of proofing and principles of really trusting and verifying would hold good, even for enterprises, right? But obviously we have to first understand the business problem that people are solving. For example, I mean, a regular employee could have the same experience as a consumer, or I would say employees are demanding the same experience that they have with the consumer.
But absolutely for example, if you have privileged administrators, you would want a higher level of assurance and potentially perform MFA or additional vetting and verification for any privileged activities to happen, right. This way.
I mean, I think, though the platforms might be different or there might be another instance that you would want across the different sets of users, the principle could remain the same. And I think the emphasis would be on the assurance that is required for the level of transaction that is being performed.
Right.
Last question here is what else can be done with identity proofing?
I, you know, I guess that depends on the use case. I mean, if, if it's an employee, you know, there's a certain amount of information employers can collect unless, you know, it's a, it's a government then, you know, they may do really, really thorough identity proofing so that they could issue somebody a clearance.
But, you know, that's certainly not the norm in, in general employee use cases. And then it's gotta be much, much more reduced set of information that you would want to get about a consumer, you know, and there are other third party services that will like tie into credit agency reports and things like that. It just depends on, you know, what a given use case requires. And then also what are the regulations that govern the kinds of information that can be collected and what can you do with that as a business that, that has to collect and process that data.
Right.
And I mean, absolutely right, John, right? I mean, another, I mean, another use case that tends to get ignored, or I think one thing that we've also had success doing is in, in a first responder or a disaster scenario, right?
In fact, through the use of identity proofing, we were able to help a province actually send the first responders at the right time with the right amount of information because their citizens proved themselves. And the government was able to have their identity and was able to determine how many people were there in a certain location during a flood. They were able to arm the first responders with the right amount of information, how many people are there, how many people are affected, and they were able to provide the right amount of help at the right time.
I mean, essentially proofing has helped save lives.
Yeah, that's a great illustration.
Well, we're at the top of the hour. I wanted to thank everyone for attending today. And as a reminder, the webcast and slides will be available by tomorrow and, and thank Vicram and Simio for your participation. And with that we'll adjourn and have a good day, everyone.