What's Identity Authentication and How Does It Work? ft. Trusona's CTO John Summers

Jonathan: I hope you enjoyed our previous episode where we set up this series of podcasts on cybersecurity. If you haven't, I do recommend you go back and give it a listen. But here we are with episode two of our podcast series where we will be talking about identity. You have to know if that's a good person that you're going to let into your castle or your computer system. You got to make sure you're keeping the bad people out. John, please introduce yourself.

John Summers: John Summers. I'm CTO at Trusona. Trusona, as you know, is a company dedicated to authenticating people and not the words they type in. And so we're dedicated into finding the true persona and only giving access to an account to the true owner of that account.

Jonathan: Who am I? The real me. Good. Good. Now, it would be great if you could position Trusona as part of a broader space. It's called Identity And Access Management, IAM. How do you fit in with that?

John Summers: Correct. We partner with those platforms. We work with those platforms, but we do with the authentication bit, the key part of access management. But we're not the identity repository, something called an identity provider. People like Okta and Ping play that role.

Jonathan: And so therefore you're a critical point solution in that piece. So tell us a little more about what you mean by authentication, I guess is the word I want to use.

John Summers: So, I mean, when you think about sort of the modern digital business, you've got users and employees that need to get access to applications. Before you're going to grant them at access, you've got to make sure it's the right person getting in. And you'd really like to have that authentication, which is to say, that decision to let them in and grant them access to those backend applications, you'd like that to be really strong authentication, but you really need it to be not a whole lot of friction. Like, it can't be a huge pain in the net just to log in. That's true in both business- to- consumer, as well as business- to- workforce cases, but it's especially true in business- to- consumer. If you put some friction in front of a consumer trying to come into your business, they're just going to be like,"Forget about it. I'll go to one of your competitors that's easier to get into."

Jonathan: And I'm not happy when I have to go to, let's say, I log onto my bank and they text me a code. I'll get into the risk of even that being hacked. But I don't like texting in the code. And I'm not sure even love going to an authenticator app or my old RSA device that we used to have with codes on and things like that. So when you talk about reducing friction, you would consider both of those models high friction?

John Summers: I absolutely would. Yeah. You know? If I have watched you log into an account five, six times, shouldn't I be able to make that easier for you instead of making you go through the same high friction each and every time? We're really zoomed in on how do we help take the friction out, make the authentication strong, we're really sure it's you, but with very, very little friction. And not enough authentication companies are focused there. The company was founded with that proposition in mind.

Jonathan: And they think they're being nice by saying," Dear John, we're only going to bug you every 30 days."

John Summers: crosstalk.

Jonathan: So really we're only going to make it hard for you every 30 days. That's great.

John Summers: Exactly right.

Jonathan: So I'd like to go a little further down the path. You talk about making sure it's me and always within the elements of security with less friction in knowing that it is me. But nothing is perfect. So how do you think about that age old problem of ensuring no false negatives or limited false negatives in terms of not letting the good guy in or false positives where you let the bad person in?

John Summers: So that's a really great question and a key point to hit on. Most of the systems that are doing that today, there's some sort of measurement, some sort of probabilistic measurement that it really is you. And so that's exactly when you have false positives and false negatives. Yeah. You know? I think it really is you, but only to 90% confidence level. So there's a 10% chance I'm actually going to let a bad guy into your account. Ori Eisen, our founder, was in the risk business and wanted to, as he moved into this authentication space, get away from probabilistic measures. We want to be fully deterministic where I know that it really is you coming in. Most access control systems, they are probabilistic. Some percentage measurement that it's really you. What we are focused on is knowing that it really is the account owner that's getting access. And we do that by placing cryptographic keys down on the device that you use, and then having you authenticate to your device that it really is you with biometrics. So I've seen your face ID, your touch ID on the device. I know that's a device that I've authorized to access the service. So it's completely deterministic all the way through the process. And we're sure we're granting access to the true account owner.

Jonathan: So rather than bugging me every 30 days, it sounds like there's a tiny hurdle to get set up.

John Summers: Yeah. There's always a registration process. Like, when you're setting up an account and you're setting up a device to get access. That's right. And that's where those keys that I mentioned get planted down in the device.

Jonathan: I see. And it's fair to say that even more lay people are understanding the term two- factor authentication. They might see 2FA even on a screen and sort of get it, but we're going to this world of multifactor authentication. Can you explain what those multifactors might be today and what they might look like in the future?

John Summers: Sure. I mean, let's start from what everyone knows. Username and password. Right? I have a username. I type that in. I have a password. I type that in. That's single- factor authentication. The username tells me what account. The password tells me," Should I let you in or not?" Problem, of course, with that, with all of the data breaches that have been taking place over the last several years, all those username and passwords are out there in the wild ready to be used by the bad guys to crack into your account and take over your accounts. So you really want to add something more to it. So a traditional something more is something you have like a device, a specific device, or something that you are like a fingerprint or a face ID. And so the combination of those multiple factors, that's how you get to multifactor authentication. And each additional factor increases my confidence level that I'm really letting in the right person.

Jonathan: Here we go again, it's friend or foe. You know it's a friend. You mentioned, you've seen me log on six or seven times. Would I expect in the future to some system, whether it's Trusona or somebody else, recognize, I don't know, how I type on the keyboard?

John Summers: So that is a technology that is in used today in some of the risk based authentication systems out there. They actually put a little bit of code down into your device, which executes there and reports back how you're typing keys, what the biometric, the biomechanics rather, of you typing, and whether that looks like what I've seen from you in biomechanics previously. That's a probabilistic measure as you can imagine. You're not sure you're getting access to the true persona, but it is part of typically a fraud system. Those are often used today most of the time. They're used sort of post the authentication phase. So I've made the decision to let you in. Sometimes it's used as part of the access control. Should I let you in or not? But often, it's applied once I've let you in to make sure that it still is you. As you may be aware, not everybody's machines are clean. So it's often that an bit of malware will make its way on to the device. And that's particularly true if you think about," Oh, like C- level of executives at a company, or a really wealthy guy trying to get into their bank account, those are the guys, the malware writers, they want to get onto their machines. And so, yes, there's the access control decision, but things like the typing that you mentioned or other biomechanical measures are often used post the access control decision, just to make sure nothing weird's going on as you're accessing the application and accessing your accounts.

Jonathan: Continuous monitoring kind of thing.

John Summers: Right.

Jonathan: So yeah, I do really like that. I do like that.

John Summers: It's actually called continuous authentication. That's the term that's used.

Jonathan: Now, when you're using face ID, I'm good with that because... Well, I would argue people are good with that because they have developed trust in Apple and face ID is an apple thing.

John Summers: Yes.

Jonathan: Now, if I'm told or someone else is told," We've put some stuff on your laptop and we're monitoring your keyboard, we're crossing into maybe a different zone of trust." And the person that's telling me that they're putting this zone of trust there is whom? Is it Trusona? Would it be my IAM provider? Would it be my company? This whole issue of trust gets quite challenging at this point.

John Summers: Oh it does indeed. It also has to do with the brands that you as a consumer are interacting with. So I know in my case, I give my bank, my financial services companies, I give them much more. I share much more with them. I trust them more. And look, they're taking care of my money, so obviously I trust them. And so I'm willing to give up a little bit more privacy so they can have stronger security that it's me. But if I'm going to sort of a brand site like an Amazon to go do some shopping or a Best Buy, I don't want them being quite so invasive in the way in which they deal with me. You know? You see it in a consumer area with sort of the people locking down their browsers so that the advertisers can't track them as they go across the worldwide web. So you're right. There are some very sensitive privacy issues that are involved in that stuff.

Jonathan: Well, we were setting up that MFA discussion. I mentioned that I could be getting a text message to my phone, but somebody could have my phone. And although that message might be hidden on some device, it's still hackable to some degree. That's the person in the middle attack. Right? Is it still real?

John Summers: Yeah, sure. You know? The first thing and the most important thing is really to change the paradigm for authentication on the world wide web. It can't just be username and passwords. That's a broken model. All of the data breaches just like... We shouldn't be doing that. Bad practice. So let's move away from passwords and let's get this no passwords revolution going. All right. So now we've gotten rid of username and passwords, but I still have to make sure that it's you. One of the key things about passwords is you go when you type it in, in your browser, and then that information is now sent to the site to try and decide whether to give you the website, just to try and give you access. So over that wire, that password is traversing. It opens up a vulnerability where if I'm a man in the middle and I can intercept your traffic; yes, I've got to crack SSL and do some things, but there's ways to do that stuff and I can get your passwords. So part of this evolution to password lists is to do authentication in a different way. That's one of the reasons we put keys down in your device. The way in which password list works, next generation password list works and the way Trusona does, is we send a message down to your phone, and then ask the software in your phone to sign that message with the key that lives only in the phone, and then send it back. This leverages public private key cryptography where there's a private key in your phone and we've got a public key in our backend. And so I can validate that your private key signed that message that you sent to me, but there's no password that traversed the wire. And so I can be sure it's you, but no man in the middle can intercept any message because they don't have access to your private key.

Jonathan: That's great. Now, we talked about the early identification and potentially continuous monitoring with may or may not be a biometric type thing, which is kind of a broader view of things. Does that change as we get beyond computers and phones into lots and lots of different devices like I don't know a thermostat that needs to be logged on somewhere? How do we evolve to this world of IOT?

John Summers: Yeah. IOT's a real challenge right now. And it's a huge concern for the US government and other government's critical infrastructure. We're proliferating these devices. They're all communicating over the internet. And if they are as vulnerable as other devices, that's a really bad thing. Think of Colonial Pipeline, which shut down the oil and gas pipelines on most of the East Coast. That hack happened because a username and password was left exposed and the hackers came in, and there was no multifactor authentication on it, got in and they were able to load up the ransomware and do what they did. That problem when you multiply it times millions of IOT devices gets even worse. The real underlying problem there... I mean, the way that's done today is through shared secrets. You give a secret to the device, you know the secret at the service, and now you can communicate from that device to that service. But anybody who can snoop that shared secret, and it does get passed over the wire, now can impersonate that device. And so that's problematic. And if they know the secret, they can get into the device and do things, nefarious things with the device. So we really do need to evolve the way that we communicate with the internet of things to adopt this more key based capabilities. It's actually a standard that is emerging to help facilitate that called the FIDO standard. F- I- D- O. It means fast identity online. And it's been in development for about 10 years and is really coming to the fore right now. I think we're going to see a strong adoption of that technology over the course of the next couple of years, which will really help us deliver on this.

Jonathan: And the route to it. You mentioned keys again. Is this PKI, this public and private key infrastructure.

John Summers: crosstalk. That's exactly right. Yes, it is.

Jonathan: I'd like to dig down just a bit more to sure it is me, I mean, really me, before you set up that MFA process. And I don't want to give you anything more than I have to. So how is it that you do that?

John Summers: So I want to be able to know that it's you, but I don't want to have to know a ton of information about you. And the public private keys are a way to do that. I can send a message down to you. You can sign it. You can send the signed message back to me. I can know that it was you, and I don't have any other knowledge about you, but I know that it's you because of the registration process that we went through. So it is a proof that it is in fact, Jonathan, that's trying to get into the account, but with no other knowledge than what you and I set up during the registration process.

Jonathan: It's interesting. So it keeps it a little more narrow and focused, which again, we're back to... Which I think makes sense. Some secure... You probably look at people's driver's license. If I remember some of the Trusona log ons. This-

John Summers: Well, that's a great-

Jonathan: ...getting through this validation's important. So help me understand the validation part of it because we always have to start with that.

John Summers: Yeah. So you go through this registration process. You've done it, I'm sure, a million times whenever you set up a new account. You put in sort of a name and a password, if you're using old username and password. Or in the Trusona case, you simply give us your email address and we'll send a magic link email to validate your email address. We'll set up the keys on your device so that we know that it's you and we store your public key in the cloud. So now we have set up a process whereby I can make sure that it's you as you authenticate into the service. Regardless of which customer you're using, we know that that device you and owned by you. And you are proving to the device that it's you by using the native biometric that lives on that device.

Jonathan: I think magic keys are very cool. And by the way, talking about removing friction, they really do remove friction. So you get the magic key. It comes to an email.

John Summers: So the email is used to bind the device to the service. I need to know what username, what user you are. Whose account should I set this up for? And so that magic link coming to your email and you're responding to it allows us to link your device to the account and the service.

Jonathan: Email. So there is still user ID and passwords.

John Summers: But the magic link, when you bring it up and click on it, now you're on your device and you're connecting to our service, and that's how we combine the two.

Jonathan: Because it's the device. So even if somebody hacked me, it would be not my device. So that's the magic here.

John Summers: Absolutely right.

Jonathan: Got it. So another cool example. I want to get to an ATM now. Give me the future of going to an ATM where I can have my phone and how my face ID might get me onto the ATM machine.

John Summers: You know? An easy way... And we haven't talked about QR codes that we use. Everyone, especially with COVID, we have gotten very used to scanning QR codes to look at restaurant menus in a non touch manner. Right?

Jonathan: So true. So true.

John Summers: But one of the things that Trusona did was pioneer the use of a QR code as a way to begin the authentication process. So you simply take your phone, open up the camera, you point it at the QR code that sets up the initiation of the authentication process, connects you, you'll get a little message on your phone that is," Oh. This QR code contains a link," click on that link. Now, that sets up the communication to the back end. And that's when we start to do that key based magic that authenticates you as we really know it's you. So now imagine you walk up to an ATM in the future. Then, you see a little QR code on the screen. You just simply take out your phone and open the camera, point it at the ATM machine. That begins the initiation process. You touch ID or face ID. Say," Yep, I want to log into this ATM." Boom. It just happens. Now you're in the ATM and you didn't have to touch anything. There's no pin codes or anything like that. You're just using the phone that you carry with you all day long.

Jonathan: How soon can I see that? I should ask you this head of sales, but tell me.

John Summers: Exactly. The technology's there today. We can roll that out. And when you look at ATM machines, they're just sort of sophisticated PCs connected to a large network. It's a thing that is doable in the very near term if one of the major bank chains decides they really want to do it.

Jonathan: We just installed a new laundry system here at my building in New York City. And there is an app and there's a QR code to turn on the washing machine.

John Summers: There you go.

Jonathan: That's a start. It's not giving me a hundred dollars in cash, but it's a start.$2. 45 cents later is not bad.

John Summers: Yeah. And I'll tell you. That's one of the things that COVID has done for the past with this revolution is just sort of make it much more comfortable with using QR codes to be able to access services. It's been a big deal in Asia for years now, but it's really taken off here in the US. I think it's going to get much more comfortable. So I think you're going you see it more and more.

Jonathan: That's great. So to summarize this and I'm going to misquote you or so please correct me.

John Summers: Sure.

Jonathan: It's to prove who I am coupled with what I have.

John Summers: Exactly. So there's one missing piece that we didn't talk about. What that allows me to do is to know that it's you and it's that device, and I've now established your access into the systems you're trying to get to. Well, if it's a really high security system, I'd like to know, not just that it's you having the device and going through the registration, setting up the keys and setting up the fingerprint stuff, I'd like to know that you map to a real person in the real world. How do I do that? I've set up this digital identity, but this digital identity of Jonathan, does that map to a real Jonathan in the real world? So for high security applications, you want to be able to validate that this entity that's setting up this new account, that maps to a real person. And so we will use driver's licenses to be able to do that. Ever looked at a US driver's license and you flip it over on the back? There's a little code, a machine readable code on the back that has your name. And all of the information that's on the license is embedded in that code. So for very strong authentication use cases, we can scan that code. We can then validate all of the information that's pulled off that license with the DMVs out there, and make sure that not only is this Jonathan's license, but it's not a fake because we go and do a database dip, look up the data in the DMV, it comes back and says," Yep, that's Jonathan's driver's license. All of that data matches." And now we're really sure that not only are you, Jonathan, the digital identity to get access, but that that's backed up by the real person, Jonathan, in the real world. Connection of a digital identity to a real world identity. We talked about being able to a digital identity to a real world identity. And we've got that all set up and now you can log into your accounts without a passwordless very low friction, very secure. And then, you go and lose your phone. What do we do now? How do I get you back into the system? Well, one of the things that is proof that you really are you is that driver's license that we scanned. So I can have you come in and say," Oh, I completely lost my phone. I need to reestablish service." We can go," Great. No problem. Pick up your new phone and scan your driver's license. We'll match that to what we saw during the registration process. That'll prove to us that it's really you." And then, boom. We'll get you right back up and running in the service quickly and easily. And that can be self- service. Nothing special needed to be done. You can go to a website, you can use your phone, you can do all of that in a completely self serviceable manner. And so I think that's a real missing part of a lot of the solutions out there in the market today.

Jonathan: And it's so much better than three security questions. What was the name of your first pet?

John Summers: Exactly. And I was talking to one of my customers about those kinds of knowledge- based questions. He said their internal audit demonstrated that the bad guys were better at answering those questions than the good guys were. So not very effective as well as being painful to go through.

Jonathan: So then, let's talk more about what it means to be really tied to a real person and what that might get us.

John Summers: Some of the challenges there, of course, that that's a fairly high friction process making you scan your driver's license.

Jonathan: Once. Once.

John Summers: Once. Exactly right.

Jonathan: I'm okay. Like, this is a lot to be gained for this once.

John Summers: It's true.

Jonathan: Wow. John Summers. Trusona. What a fantastic complex subject made so easily. Thank you so much for taking the time to be with us.

John Summers: Jonathan, my pleasure.

Jonathan: Let me bring Alex Manea back and talk about what's next in our podcast series.

Alex Manea: So another type of cybersecurity solution that I'm very excited about is solutions that can take massive amounts of log data and find the needle in the haystack. And we have an amazing podcast coming up with the CEO of a company called Devo that specializes in this. And I have to say, personally, I love this company and I love the CEO because I was actually the investment leader or the technical lead on the deal. And I remember I had a crazy aha moment where I saw in real time how much data they were able to process. And I immediately realized," Wow, this solution is game changing," because ultimately if you look at botnets and if you look at real time attacks against products that are released in real time, think of it like PlayStation 5s or new Nike shoes, those are incredibly powerful attacks and Devo has the ability to help companies stop those types of attacks. So I'm really excited about that podcast as well.

Jonathan: Thanks again. And I'll see you soon on the next Georgian Impact podcast.