So we have a panel with the title Digital Identity Best Practices. And I have two really strong experts here with me, which are Mike Engle of 1Kosmos and John Erik Setsaas of Signicat. And so, given that probably everyone has seen me before, I'd like to keep my own part short and directly move to Mike. Mike, maybe you quickly introduce yourself and come up with a very short, concise first statement on what you feel is super important to discuss today around identity best practices.
Yeah, no, it's great to meet everybody. As you said, I'm Mike Engle. I run strategy at 1Kosmos, long background in infosec on Wall Street and some other places, but happy to jump in and talk about this with you here today.
You know, 1Kosmos is very unique in its offering of combining strong identity onboarding with using that identity based on industry standards that I know we're gonna talk about here today. So looking forward to it.
Okay, John? Yes. Thank you, Martin, for inviting me on here. It's good to be here. My name is John Erik Setsaas. I work for Signicat and we provide digital trust. We establish trust between our customers and their customers, and work in the space of digital identity, onboarding, authentication, as well as electronic signatures. I've been with Signicat for about seven years now. And I've been in the industry for, yeah, I can't remember, very long, 25 years, I think. Okay. Yeah. I think we have all known each other for a long time, many, many years already.
So the point I'd like to start with is: when we say digital identity, this is probably diminishing a little the complexity of the topic we have. And so maybe also in this entire talk we look a little at what it means from my perspective. And something I do quite frequently with customers is a little bit of deconstructing the user journey for registration and for authentication, because it seems there are so many elements: I see authentication, I see the IdPs, I see the protocols in between.
I see more and more identity vetting beyond just the finance industry. So how would you split up this problem when we talk about digital identity best practices? Go ahead, Mike, briefly.
And this is really relevant for me, because I actually have not been in the purely identity space for my career. I started in infosec.
And so, you know, at the beginning of my career it was just, you know, perimeter protection, worrying about worms and hackers and viruses and all that. And we deployed one of the first identity and access management systems in the early 2000s at Lehman Brothers, where I was; there was no identity involved in it. It was really account management and role-based authorization.
Now, today, I feel like the word identity has taken on a different meaning, to your point, Martin. So how do you remotely prove? And that's key, is prove. And John, you mentioned the word trust, right? It's now something that we can do remotely that we couldn't do 5, 6, 7 years ago, because there's a whole bunch of standards and technologies that are enabling real identity remotely, like you could do in person with somebody. So hopefully that's something we'll be talking about here today in some detail. Yeah. Yeah. Okay. Yeah.
So, I mean, it's all about, I mean, I'm in the center of this. It's my person, right? And I sometimes like to look at my digital identity like an avatar.
I mean, it's the digital representation of me. Okay. And then I use this digital representation now and I go to somebody, and for one, I want to make sure that I'm the only one controlling it, so nobody else can take over my avatar and act on my behalf. And second, when I meet you, Martin, with my digital avatar, you must know that you can trust it and know it's really me controlling it. Yeah.
Are we already there? So I would dare to say that for most parts of my digital life, I'm not dealing with a digital identity, but with accounts, right? An account at whatever vendor, an account at that vendor, an account at that vendor.
And so on. I'm dealing with accounts rather than with identities. I mean, the challenge is you have too many of these, right? You have a lot of them.
And also, I think, an interesting observation: I mean, we're using the password as this link, and the password used to be, as you say, access to an account, while these days the password is used to prove that I am who I, you know, that it's really me and not somebody else. So the nature of the password as a mechanism has changed to something much more important than it used to be. Yeah. Which is not a smart idea.
Isn't it, Mike? Yeah.
No, the word identity is so misused. So in the US here, there are very few digital ways to verify your identity with any sort of portability, right? You're seeing these standards and country-level initiatives like, you know, eIDAS-type concepts in Europe, and not over here. So every day I come to a new website and they've just figured out 2FA, sending me an email code or a text message, and they say, verify your identity. And I just smack myself in the forehead.
I go fetch my six-digit code, and this is what my insurance company calls verify your identity. And it's, hey, hey, why do you complain? They at least work with 2FA. Yeah, no, it's, hey, right. I deployed my first SecurID system in, you know, the mid nineties or early nineties. And now here we are, just getting there in the commercial world here in the US.
But yeah, you're right. At least there's that.
So, yeah, but I think that's an important point you bring up. It is still, so even if they move to a little bit of a more modern approach, and you could argue that a lot of 2FA is not that modern, it's still, you need to prove that you're Mike, that you're Martin, again and again.
And I would also actually say it's not only that we need to prove it again and again, it's usually a very weak proof we have. Yeah.
I mean, in many cases, as in the example, Mike, it doesn't prove it's you; it proves that it's someone with access to your email. And even, you know, text messages, we tend to think, well, that's a secure mechanism, but I think back at the EIC conference three, or was it four, years ago I talked about SMS OTP being broken. But then again, it's still better than not having the second factor, but it, you know, doesn't really prove anything about my identity. Yeah, no, we have to move away from legacy 2FA, it's clear.
And, you know, there are really just two concepts that will allow this digitally in a reliable way, right? One is cryptography. So we've been using PKI in a corporate setting for many, many years, and that, you know, is trusted by the US government, for example, with what they call the CAC and PIV card, where you actually have something with a certificate on it. So today now we can issue certificates that have some root of trust in them.
And that's one of the emerging standards that's, you know, materializing all over the world. And then the other half of that is your biometrics, obviously, right? So proving who you are remotely.
Well, we have, you know, how many cameras are in everybody's pockets today, right, with smartphones and built into our computers. So these things are heading in the right direction because of the commercialization of these consumer technologies. But you're still back to, you know, one, how strong is the process for user identification when you're using the certificate?
I mean, there could be a weak link in there, and also, are you sure nobody, can I be sure that it's really you using that certificate? I mean, there's some access mechanism to that as well. And I think that's an important point which I also wanted to raise, because when we talk about all the new ideas around wallets for identities, where we have all these proofs in, we then shift the problem to how secure, how trusted is that wallet.
I think that is the next challenge there, because if we all put all the eggs into this basket, so to speak, then we need to ensure that they're not smashed by an attacker, so to speak. Exactly. And I think that's one of the biggest challenges we have right now. To go back to my introduction, I mentioned the avatar: how to set up a strong link between the individual and the avatar. And I mean, password is operational, not good enough.
And, you know, yeah, there are a lot of mechanisms, but none of them are really strong. Are you John, or someone using the John avatar? Exactly. And there are a lot of things which can happen. I think you, being from the Nordics, are aware of this new ABBA thing, where they don't appear on the stage but use avatars as a music group. Yeah.
So a lot of things can happen these days, and clearly faking an avatar, taking over the wallet, simply without any avatar thinking, it is a risk. So Mike, your take on this.
Yeah, no. So that root of trust is what's missing in a lot of areas.
So, you know, I know John has experience in the Nordics with what's been done with the national-level identity systems there, schemes as they're called. And, you know, we're seeing these materialize, where we see there are kind of four ways you can anchor your identity digitally online. One is, if, you know, in a great world, your government issues you a certificate that you can put in a safe place, to your point, Martin, and you trust it, right? You gotta trust the wallets and trust the enclaves and have some verification processes.
Recovery is, you know, a nightmare, but you gotta handle all those things. Estonia has been doing it forever, right? They're kind of the benchmark and have been doing that. So your government could issue a certificate. Your bank has a really good idea of who you are as well online. And we've seen a lot of that, where if you have a bank identity, they spend, you know, I've seen the industry stat, $450 proving your identity for Patriot Act KYC/AML-type purposes. So prove you have a bank account. And that's another source of truth about me. I have a Bank of America account.
I don't actually, so don't try hacking it, but I have a Bank of America account. So that proves something about me that the bank trusts, and now you can inherit that trust. The other is your telco identity, which is a really strong source of truth about you, right?
The SIM, the validity, the SIM account tenure. And then I think there's a bit around your healthcare identity.
That, you know, has some source of truth to it as well. So I'm optimistic that those anchors will manifest themselves in ways that we can kind of take that already built-up trust and extend it digitally.
And in our recent Cybersecurity Leadership Summit we also had some talks about the EU and partly nationally issued eID concepts, which come up again and again. I personally believe, yes, this is helpful to have as another type of ID, but the reality, my perspective for best practice, would be: first, we need to understand the level of assurance. We need to be able to work with multiple proofs, multiple types of identity. If we understand the level of assurance, that is what helps us to say, understand, okay, this is maybe better, this is sufficient for this use case, et cetera.
And we need to construct our solutions not for a single type of identity or authenticator or everything, but to remain flexible, to allow different ways to come in, where we understand how good or bad these ways are. That would be my perspective: to be flexible on that. You want to comment or add or contradict? I definitely, I mean, from a personal perspective, I would like to have one identifier I use for everything, right? And I would reuse that.
And then, like you mentioned, in the Nordics of course we are far ahead. I have my Norwegian BankID and I use that for a lot of different purposes, but I mean, there are more sites that do not accept it than accept it. I mean, I'm, you know, I have all these accounts. I still need to have, you know, a password manager to have that.
And even, I mean, back to the binding: even the new financial regulation in Norway that came out last year recognizes that using the BankID doesn't really prove your identity, because it could be your spouse or your child or somebody in your vicinity using it. So they've changed the law on that, putting liability on the bank. Yeah. By the way, I would love to have more than one identity.
Very few, but more than one. Yeah. True.
I mean, there are cases where you want to do that, but at least you want it simpler than to have, you know, 2, 3, 4, 5, you know, entries in your password world. Yeah. So you mentioned the bank identity, and yeah, you're right. If I just put in a username and password for my hypothetical Bank of America account, my wife could do that as well. She could fetch my 2FA or get the push message.
But if that bank were to take a live selfie of me as I'm authenticating and issue cryptographic proof that I was the person that did that, it's a little bit of a different game changer. It's still a little bit James Bond-ish, you know, in practice, but our clients are doing that in their own environments. And hopefully that can, you know, become part of the standards that things like FIDO and Kantara help companies achieve. Right. And I mean, what you're explaining is fine for the onboarding process.
But if you had to do that every time you log in, or every time you do a monetary transaction, I mean, people would be really frustrated, and they would actually go and miss the password, I think. Right. But just do it when they go to make a wire transfer, right? Yeah. I'd like to see your face, please. That would be awesome. Yeah. Yeah. Yeah.
And in these days it is even more complicated, because when I go to my notebook and it does face recognition, that works perfectly when I'm at home. But when I'm traveling and wearing a mask, it doesn't work anymore. But it's hopefully more of a temporary issue.
We are facing, anyway, we are close to the end of time for our panel. So John and Mike, I'd like to ask you for sort of one main recommendation, one main takeaway you'd like to give to the audience. John, you wanna start, then Mike. Right.
So, I mean, look at what's in place. I mean, if you are in the Nordics, I mean, if you have the possibility to use one of the Nordic bank IDs, I mean, use it, because don't try to be yet another identity provider; use what's out there. But then also keep your eyes open for what's coming.
I mean, the new European Union initiatives are very exciting. Mike. Yeah. I would add that. Just get started, right? There are two things that any organization can do for employees or customers.
One is the principles around identity onboarding. So let's change the way we bring new hires in, the way we bring new accounts in, and you do it digitally, right? Stop doing it the way we did it in the nineties. Same thing for the authentication. If you're not using, you know, passwordless technologies yet, start in a very simple area and work your way into that journey, 'cause it's gonna take years to get it done. So it's one step at a time. So start somewhere right now. Yeah. Yeah. Thank you.
One thing I'd like to add is: understand that we are not talking about one big thing, but onboarding and authentication are different. And all of these things have multiple steps and elements. If you deconstruct, you will get way more flexible and better understand what helps you where and what is missing. John
and Mike, thank you very much for taking the time for this panel. And with that, I hand back to Christopher.