KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Well today we'll be on the, our digital world, which is growing every moment as we talk mainly we'll be focusing around identity verification and authentication. So begin with basics initially. And then we will move on to digital identity, which is a central figure to all this. We'll see at the emergence of digital identity system, from where it were previously and where they are now and where they're heading towards. We'll also look at the reference architecture of identity life cycles. We'll do a bit of deep dive into identity verification and authentication.
We'll also look at a use case to see how we are trying to get that holistic approach around this, this authentication and securing everything by simplifying the user experience. And we will just conclude with some new trends innovations happening in space.
Let's, let's dig in with some basics having that initial clarity. And as David also mentioned in as presentation that having that clarity of the terminology is quite important in the beginning. So verification, basically, when we talk about verification, it comes before identification and authentication, and often we overlook onto for verification. So verification is veracity of identity that this particular identity is true.
And before we register this, we can tell that the person who claiming this and receiving the credential is the right person, not some fraudulent iron entity, because if we will make mistake in the beginning, the authentication becomes kind of meaningless. You have, you can keep on doing all sort of iron identification authentication, but if you verify a wrong person who is claiming to be someone else, the purpose is already defeated.
And if, if we look at the definition also, it says that, I mean, when we are saying definition here in this context, it is merely the meaning of that word. And it says that process of gathering evidence for confirming accuracy or to the next thing which comes into the picture is identification. When someone or something claims an identity or someone might who in identity, I, I can claim that I'm an Ironman, but does that mean I'm an Ironman?
I, I don't think so. Your identity is something which is not entirely confidential. Someone other than you has that information.
So this, this lacks something and to supplement that part authentication comes into the picture here. You tell that, yes, I'm saying that I'm, I have this identity in my position and why I'm saying this because I, I will be authenticated with the credentials I have and I'll claim that it is true. And if we look at the identification, it is, it says the same thing, that it is a process of identifying someone or something or effect of being identified.
And we often call that identification as it is first step in the entire process, it is incomplete, but as we are moving on to have that better performance or the user acceptance, we kind of decouple identification from authentication. If we look at some national authentication center where we go, we do not give in our passwords or some pen or token. In the beginning, we give our social security number or personal number. If it does not exist, it'll stop you right there. So it is not one to many mapping you are doing there.
It is one to one, which of course is improving your, the performance and user experience. Users do not have to wait or fill the time they fill in their credentials and all those things. And then they see that, oh, this identity does not exist of separates itself out in the beginning and authentication. Of course, it establishes the confidence in the user identities presented to this system. And when we talk about authentication, we have our well known and established factors.
I mean, if you'll not talk about these authentication is not completed, right? So something, you know, something you have and something you are, these are the factors which we, which we talk about, which we have to mention when we are talking about authentic to show something, food for thought, right?
If, if we are, if we're talking where you are, do you think that is a factor in authentication? If it is, is it a self sufficient factor in itself? Because in my opinion, if we talk about machine authentication, it kind of becomes a fair amount importance that the Mac addresses and IP addresses, they become important somewhere.
You are, but does it apply for humans authentication? Also, I will let you think about that and talking about humans. Another thing which comes to my mind is photograph. What do you think about photograph is because for photographs, I think it is a biometric sector. And if we dig, if we will dig deeper into this, people will have conflicting opinions on that. Let no that cannot be a bio biometric thing, but we see it day in, day out at immigration counter. And at our, on our ID cards, we have photographs. We look at our ID cards, they are match against our face.
So in my opinion, they are biometrics. I will let you have those conflicting opinions and we can discuss more about it later.
So, sorry, anyhow, why we are doing all this things, why we are building all this infrastructure, the technologies, the process around all these things.
We are to full goal, the big picture which I have in front of me now, which I was supposed to come later, but the accountability, we are doing verification identification and authentication to achieve this accountability so that we can, we can tell who have access to which system when those systems have been accessed for what purpose those systems have been accessed and what has been done, we can establish that team of steps, that audit trail, where owners of their, those identities can be not held in responsible in, in every, in every scenario.
We'll not be holding people responsible for their actions to crucify them. But end of the day, it is important to have that accountability for all the actions which have been done. If we move on to max, we have digital identity because to all of this, they, we are having this seminar and I'm to talk just because of this thing is identity. Everybody's talking about this in one way or another. So where does it come from? Subject subject is an active entity. It can be a person service. So are emerging actors. They are emerging every day. Next thing is object.
Object is some passive, which is being acted upon. And of course it is some things and services interaction between the two gives rise to our digital identity. So when subject interacts with an object identity takes the central platform and around digital identity, we have of our personality experience, accountability and authentication, which previously the trust and relationship between subject, subject, and object, this entire of these six aspects is what makes the digital identity and these phases, which, which, which takes care of this process.
Identity verification is at the beginning, before we create an identity, we verify that we verify whom we are giving that identity to what sort of identity we are creating for this person with, with sort of rights and all those things. Once that is done, we move onto identity issuance and it's management. We make sure that we are issuing it to the right person. If I have a request for in identity, I can get it. Nobody else could get it. And then of course, we have to manage that once we have established that the use comes into the picture and, and we talk about emerging actors.
So I will touch a bit onto that with all the Google, a systems and apple series and all these virtual assistant coming into the picture. And you might have seen that groundbreaking internet breaking, actually internet breaking video of miss Smith, CEO, Google, where he made his Google assistant to book an appointment to barber shop. And that has been done live on TV, but what will happen if something goes wrong, who will be held accountable for that sort of mistake?
I mean, there was, if, if you did not get your appointment for not a big thing, but it's something more critical because we are going more towards that direction. So for such emerging actors, if we will have those sort of situations, if mistake has been made, who will be held accountable for those things.
So I, I see those emerging actors emerging day by day, and the, the iron piece space is going to be extremely exciting, which is already exciting, and the heart will become hotter. So I will move on with this emergence of digital identity system was talking about those things in some sort of timelines, starting from 1970 and all those things. So I don't have those ears, but I have something which starts with directories long back.
We had directories and databases, not much of management and administration around it, but now when, when the number of users group larger, the iron entities account, all the terminologies being thrown into the mix, we have to do something and which, which gave rise to identity administration. And given that lot of passwords entities account, every user is having that. They were having that sort of problem of managing and remembering all set of passwords. Single sign on also came with that and we cannot our privileged and non-privileged accounts.
We cannot put them under the same lens and look at them. We have to separate them out to manage our privileged account. Pam came into the picture and as we are moving, our single authentication vectors proving to be weak, mostly is password.
And still, you might be seeing people having passwords 1, 2, 3, 4, 5, 6. You, you still see that. Or if from we coming from security world or IM, and we kind of face to users that use to rotate your passwords, put in a mix 10 or 12 characters, long each character tribe passwords separate do not use same passwords on everywhere. It is kind of becoming difficult, right? So to overcome that we help grow in another factor of authentication and multiple multi-factor authentication came onto the stage.
Then we of course have to make sure that our principal of police privilege, separation of duties stay intact as we are moving on. And every user having multiple accounts, we have to put some sort of governance around that. We have to make sure that privilege privileged free often account, which are often targeted by not lay around and can be exploited. So the business of certification boomed like yes, certification recertification, free reconciliation, all those things are going to happen. And they fall under identity government with cloud coming into the picture.
I mean, there's a pizza service thing. I, I have seen. So who thought that identity as a service will not be a thing identity as a service is coming, coming hot and vendors are making their product and like for on-prem for identity and service and organizations, enterprises, which are, even though they have been talks of security comes on around cloud organizations are moving because they do not have those capabilities in house, or they want to upload the responsibilities and services of things, which is going absolute great. And in all these things, there, there are some gaps.
We, unfortunately, we are not living in a perfect world. We are in real world where there are gaps, there will be gaps. And there is no such thing which is called zero risk. We manage down the risk to acceptable levels. So gaps are there. And to plug in those gaps, to automate some tasks where humans might do some sort of errors, we look towards some sort of automation and RPA came into the picture with ever increasing based again on the customer side, we, we have had quite a lot of talks on cm.
I, I will not talk a lot on this one, but we have cm just because we want to separate our internal. I am from a custom I am.
And with, with all these things, which we have talked about apart from that, the entire spectrum, which is around circle, it is booming with blockchain based identity they have in this custom about that, of our consortiums coming for password, less authentication or Federation for oof, keeping in mind, the fraud and privacy, everybody's going towards zero trust, bring your own identity is coming in because that users do not want to create more and more entities everywhere they go.
And for enterprises do not want to manage for iron P and to have our all sort of laws and compliances and GDPR coming in. If users will be using their identity, it is customer friendly. They have their data, everything has its own pro cons, right? But these things are coming in with AI, U B a. We are leveraging onto the analytics. How user are interesting with what sort of, we talked about subject and object, right? So how subjects are interacting with objects?
Those things are analyzed AI coming into the picture to do the behavioral biometric for continuous authentication for our document centric. It verification for all those things. We are leveraging these analysis, these behaviors, these AI.
So, and, and if we look at all these things, verification and authentication will be there. They go hand in hand with everything which we have been doing, which we are trying to do. We are trying to do these things to achieve efficiency, security, enabling the business and achieving that compliance. So with this, I will move onto RT lifecycle, sorry. So on onto RT lifecycle and reference architecture, I, I believe that security and reliability has direct inheritance with the life cycle reference architecture, and we have identity verification.
And in, in the beginning we registered the identity. We verify that, that this is the person who is claiming to be identity issue. And we issue the identity to the correct person and the usage. We often focus on the usage, but verification and issues have they come before that? If we fail at those stages, we are losing the purpose. Peter director mentioned that culture eats recipe for breakfast, but someone in cybersecurity mentioned that identity eat cybersecurity for that.
If we can deep dive into iron verification and kind of lost track off time subject Lauren, can you tell me my phone got off? Can you tell me how much time is it? 10? We have about one minute remaining.
Oh, so, okay. So identity verification. If we look at this, we have two verifications hardware verification, soft verification, where we look at the passports and do more physical verification on software. Look at their profiles on the social media and everywhere. And the key drivers for this is AML KCS and law enforcement come into the picture, which makes the physical identity and everything which we are doing is for risk driven businesses and security requirements. If you look at the authentication spreads, we have static dynamic credential.
If we are doing a passwords or OTPs, public, or deterministic, where we want a hundred percent or something can be there. If we are going on platforms, if we want to do it on mobile or browser, if we are doing it for older or younger demographics, because some old people do not like passwords while younger ones are like, okay, we don't like passwords. We want something else. And continuous, single point of authentication is of course, something with help of ouris and machine learnings.
So if we look at the UI for, for better UI, we want to have everything in one place where we have different channels with as a best vector and planned direction, which is active vector. In this one.
We, we want to bring the risk rating down for all these vectors and make sure that we have risk on the level, which is acceptable to the organization. If you look at the, and in the space we are, we have government centric, identity proofing. We are leveraging MLM, AI integration with service providers for K I C and AML compliance based recognition. In authentication. We have continuous authentication, Speedo MFA for passwordless authentication O O IDC to leverage onto Federation and P I Y for our user experience, better user experience. Thank.
