A presentation - followed by a discussion – focused on the ins and outs of digital identity and authentication. Security has shifted from transactional to identity centric. What do financial institutions need to consider to prevent account takeovers and keep clients protected?
Transcription:
Diego Szteinhendler: (
I guess we're gonna start. Always, fun to be on next session right after lunch. So hopefully it will be fun and entertaining for all of you. Today, we're gonna have a quick conversation on fraud and security, and we're gonna talk a lot about authentication and identity. First, we're gonna start with a couple of 10 minute presentations, just a little bit of background, and then we're gonna go into a panel and we will also open it up for questions from, from all of you today. My name is Diego Steiner. I work on the cyber intelligence team at MasterCard, which includes all of our AI fraud identity authentication solutions. I'm gonna be the moderator for today and I have with me, Jen Martin, director and enterprise fraud and services from KeyBank. Jen leads the enterprise fraud services organization for KeyBank responsible for fraud prevention, strategy, operations, investigation, and client experiences.
Diego Szteinhendler: (
For more than 20 years, Jen has led teams across operations, analytics and executed transformational change in criminal justice and financial services industries. Jen serves on several fraud, risk advisory reports, and as the chair of the consumer bankers association fraud management committee. Thank you for being with us Jen. Ranjitha Iyer, she's an SVP of cyber and intelligence solutions at MasterCard. Ranjita drives the go to market and commercialization for cyber intelligence solutions for north America. She has responsibility for launching and market and scaling capabilities and assets in identity, cyber and fraud, AI authentication and crypto. An engineer at heart, she's passionate about innovation and technology, especially in the context of the financial and payment services. Thank you, Ranjitha. And Christiaan Brand, he's with the identity and security team at Google where he works closely on identity and future path of passwordless authentication. He's a co-chair of the 5 to 2 technical working group and he co-founded financial services security firm intersect in 2009, which focuses on authentication. Thank you, Christiaan. So with that, I won't bore you anymore and I'll just give the stage to Christiaan. You gonna set first, right?
Ranjita Iyer: (
Thank you Diego. Hope everyone's been enjoying the conference. I think there were some really interesting presentations this morning that I really enjoyed. The crypto one was very interesting with the backdrop of everything that happened last week. So there's a lot going on and boy is it great to see everybody after two and a half years off the conference circuit we're all back. So it's very exciting to, to be in person and talking about all of these things that we're all very passionate about. So with that, I'm just gonna set a little bit of the context around the landscape, and it's kind of gonna form the backdrop of authentication identity, many of the topics that we're gonna be talking about today. So not too long ago, you see the three big bubbles as, our ecosystem has been evolving and growing in complexity back in the 2011.
Ranjita Iyer: (
So it's not really that long ago, 2010, 2011, 2012, that type of timeframe, the ecosystem was fairly well defined from a payments perspective, right? So we had the traditional model, we were protecting payments from a network perspective at MasterCard. We continue to do that today. And then around the 2012 to 2016 timeframe is when we started to see that massive growth. Remember everyone was talking about omnichannel and devices and that's when identity and authentication started to rear its head as a big problem. And then fast forward that to where we are today, we're dealing with 2.5 quintillion. I had to actually look up how many zeros that is last night, but 2.5 quintillion bytes of data that is produced by about 4.5 billion people on a daily basis and soon getting to about 27 billion devices by 2024. So you're now seeing this massive proliferation of people online, connecting, wanting to transact, wanting to interact on various different devices, various different channels, and all sorts of new use cases, right?
Ranjita Iyer: (
Like buy now pay later. That's a big topic here today, crypto another topic, but all these people need to be authenticated. They need to be identified and verified, right? And so that's where a lot of the challenge lies and at MasterCard, we are seeing that affecting the ecosystem at scale. So if we move to the next one here, despite that complexity and the number of connections that are growing in an exponential rate, we're still using passwords in the main for authentication and poor security practices continue to plague the ecosystem. So, we pulled this from a website very recently on the passwords. Can you believe it rank one password is still 123456. So that has been the case for many years. So people want to have instant gratification. They want to be able to interact from various devices. Everyone has about on average 25 devices in their house, right?
Ranjita Iyer: (
And they wanna be able to interact on different channels, different media, social media, buy now pay later and yet we're still using passwords and 123456 is the most commonly used password. Now on the OASP top 10 poor security practices, you'll see there at number seven, identity and authentication failures still persist as one of the top 10 reasons why our ecosystem fails and fraudsters are able to come in. So if you think about all the ways in which, you know, we're getting exploited, cyber is obviously a big one, which is not the topic today. So I won't focus on that, but we see that everywhere. If the cyber cyber ecosystem is weak, it leads to breaches. Breaches mean there are more identities out there and you know, those identities can then be used to perpetrate crimes further down the chain, but digital crimes.
Ranjita Iyer: (
So by 2024, digital transaction fraud will equate to about 50 billion globally, and then if you think about identity crimes, 38% of US consumers were victimized by account takeover attacks during the 2019-2020 timeframe and 85% of financial institutions, have experienced some sort of fraud in their account opening process over the same time period and the amounts of this fraud are staggering, right? So why are we struggling to identify good users? Right? I think one of the big key reasons is there's a lot of breach data out there. Credential stuffing is becoming very easy. You're able to do that with bots. You're able to do that with human farms, right? So bots look different to actual human farms, the way that the two operate are different and it's hard to realize that that's what's happening. And identity fraud is one of the largest challenges that we face in the ecosystem today.
Ranjita Iyer: (
So, we did a study earlier, this year with IT. And this is a little bit of a deep dive into application fraud and what we're kind of seeing in the market. Obviously application fraud is on the rise and as you'll see on the chart here, in the US card and DDA application losses this year is expected to be well over 3 billion dollars, right? So, it's a staggering number and with all of the government stimulus programs that happened over the last couple of years, we've noticed that people are creating accounts just to hold funds and then they move them. Right? So there's been a huge uptick also in the number of accounts that get created, because fraud shores are opening these accounts so they can hold money and then move them around. Right. So we're seeing a lot of that.
Ranjita Iyer: (
Of course I talked about synthetic IDs. I was at a presentation by Decoded a few weeks ago and if you go on to the dark web, you have to use a TOR browser to do that. If you go onto the dark web there's credentials available for sale for like 10 bucks or less, right. So full credentials. So a verified name, email, telephone, address, all of that is available for less than $10. So because of the amount of breached data, in 2020, there was over 5,000 breaches in the US alone. And with all of that data out there, it's very easy to go and get an ID that can be used to open an account and so those are all the reasons why application fraud has become such a big problem for financial institutions and other institutions as well.
Ranjita Iyer: (
What are some of the ways in which we can look at helping with that? So using data exchanges, consortiums of data. So if you have name, address, telephone, email IP, for example, is that triangulate to a person, or could that be elements taken from various places, but doesn't actually equate to an actual individual that's alive out there? And that's what a synthetic ID is. So using that, some kind of an exchange to check that those are all helpful, during your application process, device fingerprinting, email reputation. There are companies out there that are pretty good at this. They can look at an email and tell you whether that email looks risky and it will give you a score on that particular email. Now account takeovers is another one.
Ranjita Iyer: (
It has become one of the largest security issues, almost suppressing malware at this point. Login credential success rate has jumped to 9.9% up from just 1.9% in 2020. So, when once an account is created, so application fraud is already a problem, but once the account is created, account takeover then becomes a problem as well. So, especially in all of these new environments where people are trying to transact, and there are people creating accounts everywhere, the average number of accounts that somebody has is probably about 60. I think somebody mentioned this yesterday, between 60 and 80 accounts that are out there that you've created, maybe you haven't used, in like a year or two years. And so, you know, they're all out there, they're all available for fraudsters to kind of take over and as you can see, the numbers continue to be staggering.
Ranjita Iyer: (
So very quickly then, from a MasterCard perspective, how are we thinking about this? So, as I said, we have been protecting the payments ecosystem for decades, right? So we've invested in machine learning, AI technologies. We have that protecting well over 150 different types of attacks every day, on a daily basis globally across our network. We're also now facilitating authentication at scale. So what does that mean? So we have enabled EMV 3DS on the network available for merchants and issuers to use at the time of payment to authenticate a transaction. In the European market where PST 2, as you may have heard is a regulation where you have to do strong consumer authentication for eCommerce, over the last two years, PST 2 has really come into effect in Europe, and we have seen a massive improvement in approval rates and decrease in fraud.
Ranjita Iyer: (
So, for authenticated transactions now in Europe, the fraud basis points is about five basis points or lower. So that's, I think, a good success. We're still working on the experience, right? So that's always been the issue with authentication at the time of payment is the user experience. So we're still working on that and it's getting better and better, but there is a proof point of when authentication is applied at some level of scale, at some level of consistency, we are seeing good results in Europe. We've also invested in device technology. So we have all of the basic device capabilities, device, consortium, good devices, bad devices, behavioral biometrics. We've invested in that from a device perspective as well and we're also investing in identity protection. So being able to verify identities, what we noticed was we are protecting the payment network, but the fraud is moving to enrollment.
Ranjita Iyer: (
It's moving to onboarding, it's moving to provisioning. So when you provision a token or a credential on a device, for example, for our own business, we need to protect from IDs that are bad. So, we have also invested in identity technology as well to kind of help not just the payment network, but also beyond the payment network in other rails, other scenarios like crypto, buy now pay later, et cetera. And of course we love to partner with the standards bodies, W3C, we work very closely with them, EMV co obviously, and then the FIDO alliances is an industry body that we're very passionate about. We've been working very closely with them for years, and there's some really exciting developments that Christiaan is gonna walk us through today on FIDO and so without much further ado, I wanna hand it over to Christiaan to kind of talk about FIDO, what they're doing and some of the latest developments, which are super exciting.
Christiaan Brand: (
Okay. Hello. As Ranjitha said, I'm Christiaan. I am responsible for, authentication security related topics of Google, specifically our foray into passwordless, which over the last week, week and a half, we've made a whole bunch of announcements on, also the last week at IO. So, I wanted to use this time today here to give a quick overview of where we are and also hopefully show a live demo if everything works out. But before we get started with that, who here has heard of FIDO before Ranjitha's presentation? Okay. Couple of folks. That's good. Let's talk a little bit about FIDO and why the work we're doing is so important to us. So this is a different data point which just substantiates what Ranjitha just talked about, right? Phishing, big problem, right? If you look at the data here, and it's a little bit hard to see there at the bottom there, but, you know, 10 years ago we were concerned about malware.
Christiaan Brand: (
We had malware, it was a big deal. We had to do something together as an industry to get rid of it. Operating systems have begun much, much, much better at rooting out malware. You know, you have the app store on iOS, which is curated. You have similar things on mobile phones, like Android windows, 10 windows, 11 protections are much better. Malware really isn't that much of a concern or that big of a concern as it used to be. However, phishing is a giant issue. Phishing is easy. I set up a webpage that looks just like your bank or a merchant, depending on what I want. Do I want banking credentials? Do I want credit card information? Do I want your Google account credentials? I'll set up a phishing page that looks just like Google and I'll send someone an email or a text and I'll get them to go there.
Christiaan Brand: (
Right, and I can tweak the URL bar a little bit. So it looks all good. It looks like the real Google or banking page and the user would inadvertently give me their user name and passwords. And we've collectively solved that as an industry by deploying things like multifactor authentication, two step verification, whatever you wanna call it. But the reality is none of those technologies really fully solved the phishing problem, because your view are sophisticated attacker. You can trick the user into also giving them your OTP, right? Or approving your login, or their login on your phone. It kind of like just depends on the sophistication of the attacker and we've been seeing phishing as like one of the predominant rising threats here and that's really why we got together as an industry about 10 years ago, to try and collectively do something about phishing.
Christiaan Brand: (
And that's where the FIDO Alliance was born. FIDO stands for Fast Identity Online. I think it was kind of like, we had the acronym and then we wanted to find something to fit it or something like that. But the point is like this Alliance is working together, Google's part of it, Apple's part of it, Microsoft part of it, Twitter, Dropbox, a bunch of other companies are all part of this lines, and have implement technologies based on FIDO over the last couple of years. But this is the year. We've said that a number of times, but this really is the year and I'll show you some of the, you know, technologies here in a second as to why I'm saying that. FIDO started out with physical security keys. Maybe you've heard about a security key. It's a physical fob.
Christiaan Brand: (
You log in somewhere, and you have to type your username and type your password and then you have to provide some other piece of information. The physical security key fob is where this started and I'll show you more of that in a second on what that is and how that works. We've additionally launched some technology which built some of the FIDO technology directly into phones and into platforms. Again, I'll talk about what that means in a second. We have even built purpose built payment flows on top of FIDO, secure payment confirmation. SPC is a very interesting 3D, secure, two compliant mechanism built on FIDO that allow 3D secure to be satisfied by using the local biometrics built into devices. What that means is, and I'll show more about that in a second. If I'm going to some payment website and I wanna buy something and 3D secure pops up, and I have to enter an OTP or grab my phone, I can touch the fingerprint sensor that's built into my MacBook.
Christiaan Brand: (
And that is 3DS compliant mechanism for authenticating that transaction. That's what FIDO enables. It enables us to use the built-in capabilities of our modern devices, biometrics on phones, on laptops, on desktops, and utilize that as part of payment, web or application flows. And what I really wanna talk about today a little bit and show demo as well is the next generation stuff that we really think will complete the journey to passwordless, which is the thing we call Pass keys. If you Google Pass keys right now, you'll probably see a bunch of announcements we've made together with Microsoft and Apple over the last two weeks. I'll show some of that technology here in action today. So the first thing we did with this fob, it looks like that USB thing that you plug into the side of your computer, it makes your login Phishing resistant.
Christiaan Brand: (
It means you can't be Phished. If you have a security key, you're not gonna be able to fall for phishing because the security key kind of like looks at the URL bar of your browser on your behalf and makes sure you're not being phishied. Great technology, but the application is limited, right? Because we're definitely not gonna get every user in the world to carry around a physical USB dongle. Right? So the technology was great, but the implementation of it was really limited in terms of scope, right? It was limited to enterprises at Google. Every employee uses one of these to log in every single day. Many other enterprises have done the same thing. If you're a high risk user, maybe you have one of these that you use to log into your Google account or your Dropbox account or your Twitter account, Facebook account.
Christiaan Brand: (
They've all deployed various implementations based on the FIDO security key standard, It is great, no successful credentialing since launch, but the application was limited. Then, we went one step further and we said, well, what if we use something the user already carries mobile phone? What if we could turn the mobile phone into a phishing resistant authenticator on the user's behalf? Mobile phones are great. They have biometrics built in. So we've launched some technologies built on this today. If you go to certain Google websites like passwords.google.com, it happens to be Google's password manager. We wanna make sure it's really you looking at your passwords that you've saved. So we're gonna make you authenticate in the olden days, you would've typed the password. Now we make you touch your fingerprint on the sensor and what's novel about that, you're gonna look at that and say, well, ever since the iPhone 5S we've had the ability to touch our fingerprints, new sensors and make an application do something.
Christiaan Brand: (
The novel thing here was, this is not an application. This is the Google website, right? So it's allowing websites and web applications running in the browser to make use of these native biometric components built into devices. That's what Fido enables. However, like the iPhone 5s has a sensor and everything that came after that, this was mainly a convenience thing. If you move to another phone, you're gonna be back to typing your password again. Today, if I download my favorite banks app onto my phone, I can sign in with my user and my password and enable my biometrics and I can use my biometrics every time I come back to the same app on the same phone. Tomorrow, if I buy a new iPhone, I'm gonna be back to entering my username and my password before I can enable my biometrics again, that's what we wanna get rid of.
Christiaan Brand: (
We're gonna get rid of that fallback to user user Amazon passwords, because that's the weakest link in the system. And that's what we're gonna be talking about in demoing here in a couple of minutes. So FIDO for payments, as I've said, we've built some capabilities on top of that. If you look at the previous example, I just showed that was purely me logging in, or me authenticating to some website. How can we deploy that for payments? So we built this thing in Chrome called SPC (secure payment confirmation). It's in Chrome right now, we have a couple of organizations that worked with us payment providers that built some of these capabilities into their products. This is also part of the new 3DSV 2.2 specification, as far as I can recall, which allow 3DS as I said, to be satisfied, 3D challenges, to be satisfied using local biometrics built into the system user goes and tries to buy something online with their credit card, no ping to the phone or anything else.
Christiaan Brand: (
That's weird. Really just touch your finger up, print on is answered. And your transaction is authenticated using these FIDO rails that we've built in at the bottom. Now, as I said earlier, the biggest problem we had so far is, it's great to have a biometric on a local system, because as you remember, and I'm sure you folks know that, but every biometric template that we have on a phone or a laptop always stays local to that phone or a laptop. In none of the consumer implementations, does any of the biometric data actually live server side. That's for privacy reasons, but the problem is that means if I lose my phone, I lose all my biometric templates and if I wanna sign into that same service again, on a new device, I'm back to having to enter a user and a password.
Christiaan Brand: (
So then the question is, how do we solve that problem? How do we up step a user into the world of biometrics and then leave them and keep them there, right? So that they never have to fall back to user and passwords to the point that we can get rid of the user user and passwords for accounts and have users live completely in this ecosystem of being passwordless. And that really is where this concept of passkey is coming. Passkey is a FIDO credential as we just established. It's something that lives on your device, but it doesn't only live on your device, it actually gets back up to the cloud and it can move around with you. So the flows look something like this, and I see my thing, yours chase ignore that. Not actually UI right up top there, if there's anyone from chase here, it's just something we mocked up. On the left hand side.
Christiaan Brand: (
And that's actually the demo I'll show you in a second. The thinking is, that users don't have to type user and passwords to log in anymore. They hit the button that says, sign me in with a passkey. And then because they have a credential on their device, they have an authentication token on their device, they pick which one they want to use. We'll look at that in a second and how that got created. They touch their fingerprint and they are magically signed in. So no complicated usernames and passwords or anything to remember. No second factors needed, no additional OTPs or apps or pings to the phone needed because essentially we're already authenticating the user with two factors here. We're authenticating them with their biometric, their fingerprint, their face, whatever they know about the unlock mechanism of the phone and the fact that they have their phone in their possession as the second factor that we're using, which really just allows the user to make, or the experience to be made much simpler for the user, but also at the same time, much more secure.
Christiaan Brand: (
And as I said briefly, this all is based on the fact that the credentials I create on my device gets backed up somewhere. Google will be backing up these credentials for you in Google's cloud somewhere, end to end encrypted fashion. Apple already spoke about some of these things. Looks like they will end up doing the same thing for users. So as long as you have an Android phone or you have an iPhone, you're gonna have credentials available that moves with you. If you buy a new iPhone, your credentials will be there. If you buy a new Android phone, your credentials will be there. Now, one of the questions are still, that's all good for me wanting to like, use my credentials on my phone, signing to my bank on my phone, but whatever I wanna sign into my bank on my laptop. And that's where part of Fidos standardization process comes in.
Christiaan Brand: (
We created the brand new protocol, the proximity protocol between device to device. So between the phone and the laptop that allows me to seamlessly and securely use credentials that reside on my phone, on my laptop, and that's where I want to get to my demo. So I hope the demo Gods will be with us today because that's always a little tricky to do these, but I will try. And I just did a fresh install of the OS on this phone this morning, so we'll see. Okay. Just preface it with all of that. So, first thing I wanna do is I wanna make sure that this is connected. All right. That looks good. Let me just make sure I've got everything here. So what I want to do is I want to just show the phone screen up here on the big screen, because that's kind of like important. Hold on a quick sec for me. Have to restart this. Sorry. I promise I did this this before I came here and it did work again. Let's try this again. Okay. Let's try that one start second one. Let's try the first one. Sorry.
Christiaan Brand: (
Okay. That makes me a little sad. So I want to make sure that I get this up on here and what I'll do in the meantime, why don't we start with maybe a first question on the panel. I'll make sure I get disconnected and then we'll get to the demo. Awesome. Yeah, let's do that. Sure.
Diego Szteinhendler: (
First of all, if any of you have questions, I know Christiaan not only has an accent because he is South African, but he was fast. I don't know if anyone else caught that, but we'll get some time for questions, but let's just start with Jen first. Why don't you tell us a little bit of how does all of this fit within a financial institution? What are the things that you're looking at as pain points and as solutions to some of the things that we discussed?
Jen Martin: (
Yeah. I mean really resonate with a lot of data that was presented. Our clients can be their own worst enemies in this space. Right? And we saw that in the slides and with either not having good passwords, reusing passwords, right? We always counsel people make sure you've got unique username and passwords across, all of your sites that you work with, but they don't and so, having technologies that help bridge that gap, I wrote down a comment on the fact that it has to be scalable and consistent. This is where our clients, I think across all financial institutions struggle, right? That for identity verification tools, they kind of have maybe one complex password, one place and not in another. Right? But the more that we can use that scale in consistency and just make it available, not have options, right? We wanna have passwordless experiences because after we see the demo, it's really streamlined, it's a great user experience, but then also it provides that consistency, right? That you are getting away from that human interaction and requirement to create passwords. So we see it as both a security opportunity for our clients, who are our top priority as well as a client experience benefit as well.
Diego Szteinhendler: (
And just as a follow up, we talked about a few standards on the presentations. Are you participating in any of them and how are you participating on them ?
Jen Martin: (
Yes, FIDO, and really looking at how we can incorporate those standards and the tools and the recommendations and as part of our solutions, right? We wanna come out of the gate with a consistent application that can be applied universally.
Diego Szteinhendler: (
And I know you have a deployment now it's a final on USB as of now.
Jen Martin: (
Yes. But soon, we have a partnership with BindID, and transmit and we'll be on our online banking going, having a passwordless opportunity in the coming months. Yeah. That's awesome.
Diego Szteinhendler: (
How are we doing on this side? I can keep going
Christiaan Brand: (
Do one more. Once I get my phone to connect to the wifi, we are good to go.
Diego Szteinhendler: (
Great. Okay. So, Ranjitha, we talked about standards, but we talk about scaling solutions, right? Because a lot of the things that even us as users think about is where this is great, it works with Google or it works with this website, but how do I use it for everything else? What is the role of the network in helping scale some of those solutions when it comes to identity and authentication?
Ranjita Iyer: (
That's a great question and I think Jen hit on the word consistency and standards based, right? So from a network perspective, we're obviously connected to thousands of issuers and millions of merchants. So if there is a technology that works, whether it's FIDO, identity verification, if we can create a program around it for the benefit of the ecosystem, so that, that security measure is applied consistently across the network when needed either for payments or even for other scenarios. You know, that's where I see the role of the network in being able to create those programs and make sure that those technologies and those standards like FIDO and other standards can get out there in a consistent manner because I think consumers will use it if they understand it and they understand the experience and they understand that, that's the consistent experience that they should expect and these are the results that they can expect coming out of that experience. Right? So I think that comfort level for consumers is really, really important and I see the network playing a huge role in ensuring that these standards are able to be used by consumers in a consistent way.
Christiaan Brand: (
Think I am good to go.
Ranjita Iyer: (
We have a winner
Christiaan Brand: (
Yeah. We'll see at least one part is working. So you can see this is a real demo because things are already going kind of like lopsided, but anyway, we'll start. So here's a user. User wants to go to their bank. Right? Traditional user, when I sign into my bank, my bank is called Tri bank. I'm gonna enter my user and my password just as I have done a million times. Right? Difference is when I hit sign in here, I'm gonna be signed in, hopefully to the website, takes a little while the first time, so let's give it that. if I enter my credentials correctly, of course and then what'll happen once I hit sign in is, let's try that again. Sorry. I think I'm mistyping the creds here because I'm typing too quickly. There we go. Once I sign in, what should happen is I will be logged into this particular banking website, but in the background, the bank will check and see that there is capabilities on this phone available to create a new passkey for a user.
Christiaan Brand: (
So I'll be prompted to create a passkey as in this case. So the website says, Hey, I recognize you're on a device that supports this new concept of passkeys. Do you want one? User is like, sure, give me one. So I click create a passkey, at that point, Android UI kicks in and it says hey, passkey, they're great. Don't have to do passwords again. And the user says, yeah, sure, give me one of those. At that point in time, it'll create me a passkey for this particular account, which is showed there. It's a little bit small, but it basically tells me for this user called Eliza, I'm gonna create you a passkey and I'm gonna store it safely in your Google account, down at the bottom. It says which Google account, this Pasky will be stored in and kept safely. So I'm saying, yep, sure.
Christiaan Brand: (
Give me one. I touch my fingerprint. Oops. And I picked up the phone without doing that. And at that point in time, I create the passkey and I'm signed into my banking account. Next time I come back to this account, I don't have to use my username and password ever again. I can simply hit the sign with a passkey button. It says, oh, you have a passkey available, which one do you wanna use? I wanna use the one I just created touch my fingerprint on the sensor. And let me do that again. Sorry. And I should be signed into this banking website and really is a real demo. Right? Let's try that again. Sorry. Create a passkey, do that, do that. Touch fingerprint, log out, come back, click the passkey, touch the fingerprint and I should be signed into the website. There we go.
Christiaan Brand: (
Right. So the user is signed in without ever having to enter a particular password. That's all good and fine. But what if this particular user wants to go to their laptop and sign in from the laptop? Well, I can go to the exact same website here, on my laptop and I can say signing with a passkey. At this point in time, I've never had this phone connect to this laptop yet. So something is being shown in this particular case, like a QR code that helps me to connect the phone and the laptop together. So I'm just gonna move the phone out of the way so you can see it properly. I'm gonna point my camera here at my screen. I'm going to click it and hopefully you'll be able to see it. I know that screen is frozen. This is not the greatest demo.
Christiaan Brand: (
Let me try that again. We'll see. And what I really want you to see at that point is I want you to see that the user has the option on the phone. I'll show it this way because it's kind of a little bit hard, but on the phone side, the user has the option here to allow this particular phone to connect to the laptop. I'm gonna say, okay, allow the connection. I get to choose the exact same passkey that I've just created on the phone screen, and I'm gonna pick it. I'm gonna touch my fingerprint. And once I do all of that, the user will magically be signed in on the laptop side. And again, not quite sure where that didn't work. I'm sorry. We did try this before. So the thinking here is, and again, I'll do my Bill Gates windows 95 demo at this point.
Christiaan Brand: (
That's why we're not shipping this quite yet. But the idea is that the user gets to take the phone connected over Bluetooth to the laptop. The Bluetooth proximity protocol is what helps the protocol be resistant against phishing. That means if anyone in a different country or a different part of the world somewhere is trying to trick this user into allowing the sign in. If the laptop and the phone, isn't in completely, in exactly the same location, then the login wouldn't continue. So there is a physical proximity test that's being performed when the laptop and the phone connects to one another, the same credential that I have on the phone is then sent directly to the laptop and allows that signing to continue further and more because the laptop has a built in fingerprint sensor of its own. I can also go and make a passkey on this local laptop.
Christiaan Brand: (
So, quickly since we have that, I'll show that if the user were to sign in on the laptop over here, because there is a local fingerprint sensor built into this laptop. I can even create a passkey on the local device here. At that point, I touch my fingerprint on the sensor and it'll make me a passkey on this particular laptop, which means if I come back on this laptop to this website ever, I don't need to have my phone available every single time. I can simply say, sign in with a passkey, touch my fingerprint on the local sensor here, select the credential I wanna sign in with and magically I'm signed into the website without having to recreate and rego to my phone every time. And as I said earlier, this single transaction and the single touch solves two factors, right? Firstly, I'm proving it's me because it's my biometric in the system. And secondly, I'm proving possession that I own the device, which holds the key. Thanks.
Diego Szteinhendler: (
Thank you Christiaan. Before you leave I'll shoot one quick question and then I'll open it up. To the naked eye, this could look like something that we already do, right? For, some people say, well, I already have biometrics on my phone. Sometimes they ask me to do the biometrics on my computer on the cryptographic side of FIDO, what's different that makes it more secure?
Christiaan Brand: (
That's a great question. And I think there's really two things here. I mean, to the naked eye you say, this might look a lot like me using my biometrics to access an application or even maybe me using a password manager that already stores all these credentials for me. So I think the two things are firstly, this is a technology that transcends just an application on a single phone, whether you're doing this in a website on the phone, whether you're doing it in an app on the phone or whether you're doing it from a completely different device on the web and talking via Bluetooth to the phone, the same credential gets used. So first we standardize on one single identity for the user and you don't have to have multiple identities and multiple upsteps from passwords. One time you go and you create the credential.
Christiaan Brand: (
And once the credential is there, then forever and ever, you can use that same credential from different devices and on the same device. And because it gets backed up like with a password manager, even if you move to a brand new phone, you'll still have all your credentials available so you can go use it. So that's kind of like the first thing that I'll just quickly mention. The second thing around the passwords is and why this is more secure, a typical password is a symmetric secret, right? It's something, you know, and it's something the website on the other end knows. If that website gets breached, as what happens at some point, websites get breached, credentials gets published and your authentication tokens are out there in the wild because this is based on public private key cryptography, the website never actually has your secret. They have something that they can validate that you knew your secret, but they don't actually have the thing that makes you unique. So even if for some reason there is a bridge on the server side, the stuff that gets breached cannot actually allow an attacker to get access to your account. So it's kind of like both reasons. So asymmetric cryptography, and the fact that the user doesn't need to keep falling back to passwords, which makes this better than a typical password manager.
Diego Szteinhendler: (
Right. So let's open it up for questions. Otherwise we're gonna run out of time, but I do have one more question for all of you afterwards. Any questions from the audience? Yeah. There's one over there.
Audience 1: (
So that's correct. (inaudible)
Christiaan Brand: (
That's exactly right. So, actually if you look at latest nest recommendations in 863, I think, Nistel states that if you have multifactoral indication deployed, it's probably not necessary to keep refreshing passwords every 90 days. Although, PCI, DSS still talks about like the 90 day password refresh, but with this technology, definitely because there is enough entropy in the actual private key. It's like having a password that consists of like, you know, 3000 characters. Like it's something that will not be breakable in a finite amount of time. So the thinking is that once you have these types of credentials, they can essentially live forever and you don't have to keep changing the password. Exactly.
Audience 1: (
Right. So just to be sure you brought up the thing I was gonna ask next. So we are a FinTech and we have PCI compliant. So we will continue to be PCI, and PCI compliance forces us to change the password. So our users hate that. Right. So they will not need to do it anymore while we will still continue to be PCI compliant. Correct ?
Christiaan Brand: (
Absolutely, correct. The idea is that if there is no password, there is nothing to keep updating. Yes. A hundred percent.
Audience 2: (
Hi, excuse me. Obviously very, very impressive. And sort of to add on to the question there, where there are now no more passwords, right? That's correct. What happens then when it doesn't work? How does the customer then get logged into their accounts?
Christiaan Brand: (
That's a great question and we kind of saw that from my demo here, as well as like what happened there? So the thinking here is that, we'll build the technology to a point where it's pretty robust, right? The credentials will live on your devices, it'll live in the cloud. So you'll have a way to get hold of these credentials and use them. If they're not available, for some reason, maybe you lose access to your Google account that houses all these credentials or something catastrophic were to happen, then we would fall back to some form of account recovery. Account recovery today, like when a user forgets their password systems already or I guess like entities already have password recovery mechanisms in place today. If I forget my password with my bank that I bank with, I call them up and there is a process that they would follow that process today gets followed.
Christiaan Brand: (
Like, I mean, how many. Let's say there is a thousand of these happening a day about users forgetting their passwords. That process can't be super robust because there's a thousand users phoning in our thinking with this mechanism is that we will get that thousand down to maybe 10, if we only have a small number of these attempts happening per day, because we've solved the issue of forgetting passwords and everything else, we've basically narrowed it down to only user, the technology stops working because the user cannot sign into their Google account anymore, or whatever that is. We can actually move from a thousand of these attempts, which is happening on a pretty regular basis, to something that happens pretty rarely only maybe 10 out of a day, which means we can treat them with more rigor. So that's kind of the thinking there would still be the need for an account recovery process, but we won't have a thousand. We might have 10.
Audience 3: (
This is super exciting. I just have one question, which is, if this is all stored in the cloud, now, if I can take over your Google account, I'm taking over all of your passkeys. Is that like a good understanding or how do we protect? It feels like we're increasing the exposure somehow.
Christiaan Brand: (
That is a great question. Today I think industry already accepts that risk to a certain perspective because of password managers. And we all know when password managers started out 15 years ago, like, you know, services did a lot of work to try and not make password managers work because it was like, Hey, we are putting all of our eggs in this one basket. What if that account gets compromised? I think there is more acceptance over the last couple of years for password managers in general. We're also thinking from the Google perspective, like, we have a lot of processes and a lot of things in place to try and weed out bad guys from accessing Google accounts and I mean I can do a whole presentation on exactly what goes into some of that. We don't necessarily think that, Hey, we do much better than everyone else out there, but we do spend a significant amount of effort on that particular problem. That said, just getting into the Google account will probably not be enough to get your passkeys back.
Christiaan Brand: (
You will need to get into the Google account. We might force you to also have a second factor in place, whatever that might be a physical SIM card that we've seen before, some piece piece of physical data. And then there is an additional element that we're bringing in lately, which is, if you happen to know the lock screen, the way that you unlocked your previous device, that's a good signal that isn't really used anywhere else that will give us. So the thinking right now is you have to have like some knowledge, which is maybe the lock screen. You have to have some possession, which is maybe the same phone number or the same physical SIM. And putting that all together will give you your passkeys back. Now, there is still a chance that a bad guy would be able to go to all of that trouble and get the data back.
Christiaan Brand: (
So there is a signal in all of this that I didn't speak about, which will allow an institution to detect when this transition has happened. So you will be able to detect, oh, I'm getting the same credentials, but it's actually from a new device. If you want to apply more rigor in that case, it's something that you can then do, but we're thinking that we already wanna provide best in class experience for a user moving from device to device. Very similar to how iCloud key chain works today, where you both need access to the account, but you also need to know some additional information that isn't typically shared in order to get you your data back. But it really is kind of like a chicken and egg problem that we're struggling with.
Diego Szteinhendler: (
That's another question to Jen. Wwe talked today a lot about authentication in the password sense. So an entry way or a key to enter a platform, but we also discussed, and Christiaan was just talking about alternative data, right? So how do you unlock your device or which device is connected? So beyond just password, when it comes to authentication, what type of alternative data is the bank using? Whereas, looking at using to be able to truly authenticate a person beyond just the password or the entrance to the platform, but in other instances where there might be risk and you still need to authenticate that.
Jen Martin: (
Yeah. I mean behavioral biometrics has become really interesting and better like the technologies around that. So how you're holding your device, if you're left handed, if you open or I open my phone with my left thumb, that makes it unique to me how I hold the phone, how I'm interacting with the device, especially in like new account origination, like really ties a real user experience to that event and can be a predictor of whether it's automated or a real person. And then if we can capture that data, being lefthanded, how you hold, hold the device, right. That, that informs that's really, truly you versus, versus not. And that, that's where as the head of fraud for a bank, all I wanna know is at that point of transaction, are you who you say you are and should you be doing that transaction? I think the network does a great job on the transaction. I think we all have more to do, and this is such a great leap forward and are you who you say you are and you're not being spoofed. I mean, the spoofing situation has been so bad for all the banks and to close that gap and eliminate that as a threat to our clients is really key.
Diego Szteinhendler: (
We see a lot of alternative data. We bought a few companies as well, but how do you, and this is for the three of you. And I think there were a lot of crypto conversations today as well. What's the evolution of authenticated someone using alternative data to a proper digital identity that's reusable and is that blockchain based? Is it not blockchain based? What are your thoughts? I know this is a wild card that I didn't have when we talked initially.
Ranjita Iyer: (
Great. Thank you.
Ranjita Iyer: (
Ranjita Iyer: (
I can start. With the work that Google and Apple and others are doing in terms of making this ubiquitous across platforms across browsers, there might be a world out there whereby identity becomes, and we've talked about this for a while. Identity is the new currency or the next currency, and there might be a way, maybe 5-10 years from now that we can have an identity and that's our access to various services. And so that's the kind of vision that, you know, we have that I think would be great to see happen. And I think the work that you guys are doing in Fido is a great step forward in that.
Christiaan Brand: (
Thanks. Yeah. I'll just add a brief piece. I don't think that the chips have completely fallen on this yet. There's a lot of initiatives here. You know, the digital identity foundation did, like there is a lot of work being done in this space. There is a bunch of startups. I know, many Lingham is civic that, is kind of like doing something in this space, trying to figure out if there is, if there is some, I guess, useful to blockchain in all of this, self-sovereign identity, has a tie in here? I think there is a lot of unanswered questions also just simply around the energy usage of these blockchain based solutions. That's the thing that we're thinking about, purely from an energy and kind of like from sustainability like question, is that the right technical solution to this problem? So a lot of thought is going in here right now. I think there might be things there, but we haven't completely found the winner in this space quite yet.
Diego Szteinhendler: (
Jen, any last Final comments?
Jen Martin: (
Yeah, I think that's exactly right. I think what it is yet to know is where all the passkeys are, like how many Passkeys proliferate. It has to be ubiquitous. Like, I think that how you interact and where those exist and the usability, is it at the device? Is it at the web? I think those are some of the things that still need to be worked out. Yeah. Around usability, but it is, the demo was awesome, but, because we're piloting it at KeyBank, you just hit the code and it connects, right? It is really seamless. And to be able to have a biometric login on an online banking, especially if you have an older client base that still uses predominantly online banking, it just eliminates that opportunity for credential abuse.
Diego Szteinhendler: (
Well, thank you. Thank you for all three of you. If I were to get something on a summarized versions, it's frictionless, it's standardized and it's scalable, right? The three other things that you all talked about and uses data that really makes the ecosystem more secure and easier to use. So those are things that I think all of you are very focused on. Thank you everyone else.
Diego Szteinhendler: (
And thank you for the questions.