
Blockchain-powered Identity with Michael Engle

Steve interviews Michael Engle, Co-founder & Head of Strategy of 1Kosmos

In this week's episode, I speak with Michael Engle, Co-founder & Head of Strategy of 1Kosmos.

Mike is a proven IT executive, company builder, and entrepreneur. In the episode we uncover his professional journey from his time as head of information security at Lehman Brothers to co-founding 1Kosmos.

We discuss 1Kosmos’ BlockID product and the modern technological advancements that have enabled their vision of one day having one identity anywhere you go in the universe. We also touch on topics like the threats from deepfake technology and how workers, customers, and citizens are leveraging their solutions.

RESOURCES:

Connecting with Michael Engle

Michael Engle’s LinkedIn: https://www.linkedin.com/in/englemichael/

1Kosmos’ website: https://www.1kosmos.com/

Companies & Resources Discussed

1Kosmos enables remote identity verification and passwordless multi-factor authentication for workers, customers and residents to securely transact with digital services.

  • 1Kosmos has a comprehensive tutorial on MITRE ATT&CK, which was referenced in this episode.

Bastille Networks is a leading supplier of wireless threat intelligence technology to high-tech, banking, and the intelligence community.

Kantara Initiative offers certification services that assess conformance to the most rigorous of standards around privacy and the security of personal data. 

1414 Ventures is a venture capital fund backing pre-seed and seed stage founders focused on creating innovative digital identity solutions.

Hemen Vimadalal is a co-founder and CEO of 1Kosmos. He is the former CEO and founder of Simeio Solutions and is the current Board chairman.

Okta is an identity solution provider focused on workplace and customer identity.

Salesforce provides customer relationship management software and applications focused on sales, customer service, marketing automation, e-commerce, analytics, and application development.

Ping Identity and ForgeRock (acquired by Ping) provide a comprehensive IAM platform.

Microsoft Entra ID, formerly known as Azure Active Directory, is a cloud-based IAM solution helping its customers toward a zero trust environment.

Thor Technologies was acquired by Oracle in 2005.

Sora is an AI model that can create realistic and imaginative scenes from text instructions. It is developed by OpenAI.

CyberArk is a global identity security company centered on intelligent privilege controls. It provides comprehensive security offerings for human and machine identities.

Thycotic, which re-branded as Delinea, is a privileged access management (PAM) solution and platform provider.

SiteMinder is an IAM solution that is part of Broadcom.

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation.

Industry standards referenced in the episode:

Conferences referenced in this episode:

FULL EPISODE TRANSCRIPT

Steve: Welcome to the PEAK IDV EXECUTIVE SERIES video podcast, where I speak with executives, leaders, founders, and change makers in the digital identity space. I'm your host, Steve Craig, Founder and Chief Enablement Officer for PEAK IDV. For our audience, this is a video first series, so if you're enjoying the audio version, please check out the full video recording on executiveseries.peakidv.com, where you can watch the full episode, read the transcript, and access any of the resources or links brought up in today's conversation.

I'm thrilled to speak with this week's guest, Michael Engle, Co-Founder and Head of Strategy for 1Kosmos. 1Kosmos enables self-service identity verification and passwordless multi-factor authentication for workers, customers, and residents so they can securely transact with digital services.

The 1Kosmos BlockID product suite is a biometric-based identity verification and passwordless platform with privacy by design architecture centered around a private and permissioned distributed ledger.

Mike is a proven IT executive, company builder, and entrepreneur. Prior to 1Kosmos, he was head of information security at Lehman Brothers, co-founder of Bastille Networks and numerous startups and technology projects. He also serves on the board of directors for the Kantara Initiative and is managing director of digital identity venture firm, 1414 Ventures. Welcome, Mike. Thank you for making the time to be on the podcast. 

Michael: Thanks for having me here. That's quite a bit. It's going to be a fun talk. 

Steve: Did I say your venture firm right? Is it 1414 or one four one? [Mike: Yeah, you got it. You got it.] Excellent. Well let's get started, Mike. Thanks for coming on the podcast. I imagine you spent a lot of time out in the field meeting different customers. What's your typical elevator pitch when you're describing 1Kosmos for people that might not have heard of the company?

Michael: Yeah, when my mom, right, asks me what you do for a living, it can be hard to explain any technology, but I try to make it really simple. I say “I can prove who anybody is remotely.” So everything we do today is remote, you're sitting at home, you're on your phone. So I can prove who you are and then I can get you into any system without a password. And so those two things, the uncertainty of who's at the other end of the line and the fact that we all suffer from and hate passwords, resonates with a lot of people and it seems to connect some dots in their head. 

Steve: Well, this is the first time, Mike, I've had a chief strategy officer or head of strategic planning or head of strategy. I'd love to hear more about your specific role and what specific title you like to use for that, because I've seen it different in a few different places?

Michael: Yeah. I mean, my roots go back to information security. It's what I've done before it really had a term, but having started a couple of companies, you do everything. So I've done a product and I've even written programs that are still in use by my first startup from 2008. I've done marketing, I've done sales. So chief strategy officer means you do whatever it takes to create strategic vision for our company. And I could get involved in marketing for a while, but really it's the direction of the company and positioning us properly for what the buyers are looking for. That's really what it comes down to.

Steve: It's almost like a chief everything officer, if you're handling product and strategy.

Michael: That's right. Trash needs to go out, you call Engle, let’s go. That's whatever it is; you’ve got to get it done.

Steve: Well, I've been following 1Kosmos for many years now, and I've seen some of your live talks. There's one I saw at Identiverse last year, and then maybe one at FIDO Authenticate. Can you share a little bit more about the origin of the company, and then, you know, what is the significance of 1Kosmos, as you said. 

Michael: It actually has a great origin story. So cosmos means universe in Greek, right?

Cosmic, cosmos, and the idea is that one day you will have one identity anywhere you go in the universe, which isn't the case today. Today, you have one way to prove who you are at the airport and a hundred ways to prove who you are online and we're aiming to solve that problem. And there's lots of ways to do that.

In the mid 2010s, when we started this company, that was the goal. It was to say, let's create a way for you to prove who you are and make it easy to use for everybody. And so that was really the origin story. And you couldn't do this even say 10 years ago, because the technology wasn't ready for it.

So you could say, “well, why didn't we do this in the nineties or the two thousands,” right? It just wasn't possible and I'll explain a little bit more about that. So that's really the genesis of the story. It's-- we just want to be able to prove who we are and stop bad guys from taking over our identities.

Steve: It's interesting, you mentioned, why didn't we do this in the nineties? I recall Microsoft, they had a passport program that they were trying to put out in the late nineties, early two thousands and the technology just wasn't there. So timing's everything. I'm curious how you met your co-founders.

You're-- specifically maybe the CEO, is it Hemen Vimadalal? Is that how the CEO says his name?

Michael: You got it close. It's Hemen Vimadalal. I think I say it better than he does. But yeah, so, it's funny. I-- you know, in the information security world you know a lot of infosec people. Because a lot of the people that worked either with or for me in the past are now heads of security all over the world, but I didn't know Hemen until a common CISO or head of security at a bank said, “you got to meet this guy.” And so I'm like, “yeah, not now I'm busy,” whatever. So it took a while, but a year later we got together and he was just finishing up building his last company. His last company was called Simeio. He grew that to like a thousand employees, just really successful.

And he's a sharp dude. So I said, “you know what? Let me dive in and see what he's thinking about next.” And we started putting the ideas for this together. So it was really just a mutual friend that brought us together and a turn of events.

Steve: And when you got started, what was the first target market or beachhead market use case that you were starting out with the company?

Michael: Well, it was-- yeah, it's funny. And I… almost every startup and then a scale up as they get bigger has pivots, right? If you think about it, Okta started off as some way to get into Salesforce, right? Just like there's these turns in the road, we started with creating that identity you could use anywhere. It was called self-sovereign identity. So imagine if you could hold your identity 100 percent in your possession, protected with a private blockchain, and you could use it anywhere. Great, sounds great. But there's a chicken and an egg problem. It's like the first day that Apple Pay hit the market, you couldn't use it anywhere, right? You need the network effect. 

So early on, we said, you know what, let's focus on that, but let's really figure out how to solve the day one identity problems, which is getting into your corporate systems, right? How many times have you had to use a password today? Probably pretty many, right? Already just today. 

And so we focused on that and that worked out really well because companies were struggling with two factor authentication or a lack of it and looking for better ways to do it. So we went from this, I have my own identity, I can use anywhere to let's solve the authentication problems and figure out how to introduce identity over time. And that's really how we evolved.  

Steve: And what markets and industries are you focused on today with 1Kosmos? 

Michael: Any, because identity is ubiquitous. You need it everywhere, right? You need it if you're shopping at the holidays, logging into your corporate system, logging into government systems, it doesn't matter. So I think we've touched just about every vertical out there already. The early adopters are typically financial services. They have more money. They have all the bad guys going after them. So we started there and we were very successful early on. Same thing with like telco operators and other tech companies that service lots of clients. So that's kind of where we started, federal government as well.

Steve: On the financial services topic, before we go too deep into 1Kosmos, I'd love to hear about your time at Lehman Brothers, where you were lead for information and corporate security. And looking at the time frame, just from your LinkedIn profile, 1996 up to 2008 when they collapsed effectively.

It's pretty transformative for banking. The way people started going online to bank for the first time, opening accounts, et cetera. How did you see both the IT world of online and then this physical security side of it? How was that evolving during that time period when the internet was…?

Michael: Yeah, I thought that physical and security would come together more than it has.

It's happened at some organizations where they're-- you take a holistic view at protecting assets and information together. But it hasn't gotten as much traction as I thought. I was trying to do that back in the late 2000s. So I built the infosec program and then took on the physical security technology and that's your cameras and doors and access control, biometrics in the data center, right? So that was really, really powerful because what do you do in physical security? You try to know who it is that's getting into your data center or coming into your building. And it may sound familiar as to what we've been talking about for the past 10 minutes. If you know who it is, your job gets a lot easier. So, I've learned how to solve logical and physical problems with identity and actually create a lot of ROI on both of those fronts. So, it was a good time, but I'm really focused more on the identity and infosec side at this time.

Steve: Well, with Lehman Brothers and just looking at the time frame, it looked like you were there right up to the end. They collapsed as part of the financial crisis and over-leverage and all the other banks that had issues there. What was it like to have to wind down a company that probably amassed a ton of personal information, especially for employees and customers? Could you take us back to that process for yourself?

Michael: Yeah, it was surreal. You know, I was in the executive gym with the president a couple months before it went bankrupt and we're shaving after we worked out. I'm like, “hey, Joe,” -- his name is Joe Gregory -- “Joe, we're going to be alright, right?” And he's like, “yeah, don't worry. I saw this in ‘94 and the great crash of ‘87.” It's like, it’ll be fine. And then, you know, he was the first one to go and then the whole company went not too much longer after that. So it was-- it sucked because every employee lost so much equity, they paid you equity back then-- equity is now zero. But that's okay, you know, there's worse problems to have in life, right?

Like whatever you make more money, you figure it out. What it was like, well, just seeing people carry the boxes on their shoulders going out 745 Seventh Avenue in New York City. You know that thought, it’ll never leave my mind. You know, it's like, where were you when the Challenger space shuttle exploded and where were you when Lehman Brothers went bankrupt? It's like, they're right up there with… I wasn't involved in the unwinding because Barclays came in and bought the building for pennies on the dollar. My wife was heavily involved. She was CIO at the time, so she had massive responsibility. So I got to do a little bit vicariously through watching her work. But yeah, there's not much, you know, it's just Enron, Lehman, not much to report there after that. 

Steve: Yeah. Are there any lessons that you learned during that time that you carried into the future, perhaps with 1Kosmos, how you think about risk and financial services? 

Michael: From a security perspective yeah, I mean-- well, first of all, don't put all your money in one stock, alright? So I worked there for 12 years. I had a lot of stock, right? But no, on the infosec side, Lehman was a great company because it was the right size and culture to get things done. So, I was the first shop on Wall Street to really deploy IP video. I-- you know, internet video across, yeah, like I had like 2,000 cameras that were IP enabled. And so now we can stream video anywhere, in the old days, it was hardwired. 

We built the first account management system on Wall Street. It was called Total Access Control. A product called Thor Technologies was behind it that got bought by Oracle down the road. So got to do some really neat things.

And the culture there was just get it done. Stop the bad guys. Very early adopters of intrusion detection and, you know, the first stateful firewalls that came out. So really you got to do a lot of leading edge stuff. And I see identity now, it's still the way we're doing it as leading edge, right? How many times have you had to really prove who you are online? Have you had to scan a driver's license with your phone recently?

Steve: For myself? Not recently. Not recently, but I'm a little bit more advanced in how I've got my system set up. I know a lot of people go through that on a pretty frequent basis, they're opening accounts and whatnot.

Michael: Right, so just the way you open bank accounts today, it's still antiquated. You're still asking secret questions, right? What was your mother's shoe size when you were seven, that type of stuff that the hackers all know. And so I'm still in that a little bit of an evangelistic space where I have to show people the good news and then convince them to adopt it.

And that's really what it was at Lehman too, you know, you can get too far ahead on the curve. And you're deploying technologies, you know, what do they say? Creating a solution for a problem or you create, is there a problem? You're trying to find a problem for a solution, right? But no, I think it really did set the stage for me being able to bring this to the market in the masses.

Steve: With your financial services background and some of the other industries that you mentioned earlier that are, the identity problems are so universal; you've got healthcare; you've got government; you've got a private sector marketplace; all of these different industries share that common thread, which is knowing who that individual is. But they have nuances, they have differences in maybe they’re regulated or not regulated. How do you think about, as a strategy officer, those nuances and how you can serve as much as you can across those, but at the same time, support those in your strategic planning?

Michael: Yeah, so I mentioned that you couldn't do this 10 years ago, right? And so what we're trying to do is figure out how 90 percent of the population can use these identity concepts now. And there's, you know, two key enablers for that. One is your smartphone, a safe place to keep things. It's got a little trusted platform module in there where you can keep a secret key. And it also has a high res camera in it that can take a picture of your face or even your fingerprints remotely or your driver's license. So this has become a really powerful gateway to the online world, as we all know, and now we can extend that to the identity world using those tools.

The challenge is, what do you do when people can't or won't use an app or use a phone for some reason? Well, nearly every device at least has just the camera. So you and I are looking into this camera today. I can prove that you are Steve based on your face, the geometry of your face, your eyes, and all that stuff.

And I'm sure you're thinking in the back of your head. “Well, aren't you afraid of deep fakes?” And I'm sure we'll get to that. So it's those two things. Let's let anybody use a phone to prove who they are. And even if they don't have a phone, I can help them out. That allows me to serve literally billions of end users with identity verification services.

Steve: Your point about deepfakes-- and definitely we'll get to that in a moment-- this beard is anti-deepfake, so if you try to deepfake it, the AI can't reproduce it; it's just too challenging. But, no, that's a great point.

Getting in a little bit deeper into the 1Kosmos product stack. I was browsing your website and you have, in your ‘What We Do’ section, you talk about workforce, customer, citizen, sometimes it's referred to as resident. It's all powered by your BlockID platform. I'd love to learn more specifically about BlockID and if it's connected to blockchain as an example, because you-- there's a distributed ledger language at your site too. So can you go a little bit deeper on BlockID?

Michael: Yeah, it is a platform. It's not just a tool or a single concept. There's three basic tenets to the platform. You mentioned Verify, that's how you can prove that you're Steve Craig. So I can do that a number of different ways. I can have you scan your government credentials, or I can tap into third-party systems.

And then there's the, how do I use that across any application, right? Everything we do is online period, isn't it? Through an application, you're logging into something, whatever, and so the platform then gives you over a dozen ways to reach out and ask Steve, “prove who you are.” So if you combine those two together, that's where the platform play comes in.

So example, you're joining a new company today. You're going to go work for a Goldman Sachs or Walmart. You have to prove who you are before you can start. It's called the I-9 process in the US, right? Well, just reach out to the platform and ask the user to prove it. Boom, HR gets a green check mark and they're on their way.

But maybe you have a hundred-thousand employees that are already working there. Alright, well, they're about to log into your secret systems and you don't have proof of identity. Well, we can just route it over to them. Ask the platform to prove it’s Steve, and then let them into CyberArk or Thycotic or whatever it is.

So it's really a-- you can call it and use it any way you want. You can holistically embrace it across your entire stack and say, “we're going to put this everywhere” and organizations have chosen to do that. So with these little microservices, I just want to implement 2FA. We've got a great way to just do 2FA, right? I-- but then for certain populations, I want to share the identity with a third party, a trusted partner. That's the third piece that I didn't mention. It's something called Verifiable Credentials. So I can allow you to prove who you are, package it up, and then through distributed ledger and public private key technology, let you share it with anybody without them having to see your identity data, and that's the key thing.

So the concept of verifiable credentials is something we were talking about in like 2018. But the world wasn't ready for it, but it's getting ready for it now. And I'm seeing it being adopted in various pockets around the world. So those are kind of the three things that are built into the platform.

Steve: Across those three things, earlier, you mentioned Okta. And when I think of Okta, I think of identity and access management. Where does BlockID fit into those ecosystems? Is it an enabling layer or does it replace them? How should I think about these services? 

Michael: It is. Yeah, it's an enabler. So Okta or Microsoft, right-- Active Directory or ForgeRock or Ping and some legacy plays like SiteMinder. Those are single sign-on systems. I don't like to call them identity providers because they don't really verify the identity. They have a username, a password, a 2FA, right? We will provide the verified identity into Okta, Ping, ForgeRock, Microsoft.

And so we do partner with them when we let them do all of the single sign-on that they need to do. And they have very complex rules, right? Microsoft Active Directory has been around for like, I want to say 30 years, right? And it's entrenched; it's not going anywhere. But what Microsoft can do is reach out and say, you know, allow the customer to say, again, let's prove this to Steve Craig, route it over to us, we'll do our thing and give it back to them.

The other thing we do is-- those platforms that I mentioned only cover 20, 30, 40 percent of your environment. For example, Microsoft won't let you log into Unix. Neither will Okta, right? So then what do you do? Call 1Kosmos, right? It's like-- so we can augment and bootstrap what they do and then make what they do better and cover all of the areas where they don't with verified identity and authentication. So that's how we round it all out.

Steve: Makes a lot of sense, Mike. I'd love to double click a little bit on the identity verification part of it. My business, what I call this company is PEAK IDV, but I do talk a lot about biometrics and digital identity and the adjacent categories. I'd love to hear how 1Kosmos is building those verified identities.

Maybe if you could share the process or the signals you use to help companies do that.

Michael: Yeah, there's actually a government standard for identity verification, it's called-- if you're familiar with NIST, right? NIST makes all kinds of standards for the US. They have one for how much gas goes into your car, right, The Bureau of Weights and Measures or something. But they made one called NIST 800-63-3, which says, here's how you prove who somebody is remotely. And so what they'll say is you need two strong sources of identity and a couple fair and some, you know, some kind of low, mediums and highs, put them together and check them all out. And now you can say they're verified. 

And so some of the things that go into that would be your existing driver's license or passport. Simply hold it up to a camera and scan it. Or soon you'll be able to use your mobile driver's license, right? A couple of states have issued what are called mDLs, mobile driver's license. So imagine you could just tap it to your-- what state are you in? [Steve: I'm in California.] Yeah, California. So your California mDL could just push a button and then transmit the fact that you're you or you could just scan your California driver's license. And then we take the data and verify it with the DMV and check that your address is valid with the other information bureaus. And then we'll make sure that the addresses match that you own your phone number. That's a very important source of truth about you, right? How long have you had your existing cell number? Probably 10, 20 years, right? So that's a powerful trust anchor for you as well. 

And I can even have you verify that you have a US bank account. Another strong source of truth about you, right? I've had the same Wells Fargo bank account for 10 years, and I can prove that I can log into it. So there's all these different, we call them sources of truth. And there's about 15 of them that we can tap into depending on what the risk of the underlying system is that you're trying to secure.

Steve: Do you provide flexibility to your customers on which signals they use, or do you have recommended paths that they have to use to achieve certain NIST levels?

Michael: Yeah, completely flexible and API-based. So if you just want to verify somebody's phone number, we've got a service for that. If you want to do just passports or just verify driver's license numbers, we can do that. Or I can just do a face matching algorithm. Say you have faces in your database and you want me to work with the user to verify them as an example.

So it's very flexible. But we do have a fully baked-- it's called a credential service provider-- it's what the government uses. They'll say, “Hey, 1Kosmos, I need you to go verify Steve. Let me know when you're done and give me the data.” And so I would walk you through a, like an eight step process.

I'll do all that heavy lifting. And then you hand a package over to the government after you give consent. So we have both models piecemeal or the ‘big kahuna.’

Steve: I've been in this space about 10 years, and I've seen practitioners of these technologies often start with replacing, as you mentioned, the security questions like the KBA, they put IDV in place, and then they say they're done, they're good, they have that. But then they don't think about that ongoing verification process of how to continually make sure that person is who he or she is claiming to be beyond that entry point. I liked on your site, you have this concept of identity assurance and authentication assurance. How do those pieces connect in the 1Kosmos world from that initial IDV to making sure on an ongoing basis that that person is still that person?

Michael: Yeah, that's where the blockchain really can be a powerful tool. So-- and it's a private blockchain, right? We're not publishing something out on some public Ethereum ledger, unless you want to, right? So once you prove who you are, I'll give you that proof and I'll let you keep it.

And then every time you use or enhance your identity or authenticate, there's one entry written to the ledger. So, on June 22, 2023, you proved who you are, ledger entry, and you used it a hundred times, and then you added a driver's license, whatever. Well, the nature of blockchain says, here's how I can get back to the original block, right? That's how the whole cryptocurrency world works. You can prove possession all along the way, right? That's what keeps the whole thing stable.

So imagine if we could do that with your identity. Well of course, now we can, because we're here. So, that's the idea is, I'm authenticating right now and I just did my face ID, but that face ID can be linked back to a proofing exercise that I did 18 months ago. That's a real game changer because without that, you just have a 2FA code, a password and a 2FA code, right? It's not rooted in any form of trust. So that's one of the big differentiators between us and just an authenticator that's out there.

Steve: And is that-- is there interoperability between, let's just say, Goldman and Walmart, we use those as examples. Do those two companies share access to that ledger or are the verified identities just within the ecosystem of that one enterprise? 

Michael: There's a couple of ways to do it. So, when wallets become more pervasive-- today, you have your Apple wallet with-- you can put things in it, right, like your Ticketmaster, I think you can get into the TSA. So wallets will be a common, standardized way to be able to get to share data between parties. And that's through that verifiable credential standard that I mentioned, W3C verifiable credentials. So W3C, right, they make the HTTP standard as well, okay? They have a standard on here's how you share credentials between parties. So what it would take for Walmart and Goldman or Boeing and Delta is simply to trust the certificate that's issued by the other party. And so it's a very straightforward process. The other standards-- actually I just want to expand on that-- that allow you to leverage any identity-based technology. There's SAML, the security assertion markup language. There's OIDC. Those allow you to trust another entity for proof of identity as well. So, when you put them together, you get a lot of options.

Steve: When you're working with the large enterprise companies in this space, from identity proofing to identity assurance, what are some of the most recent threat vectors? What's keeping the CISOs up at night from your perspective on the things they're worried about? 

Michael: Yeah, the biggest one would be your help desk. So it's really hard for an organization to know who's calling into the help desk. And you've probably heard of Scattered Spider. Scattered Spider is one of the most famous hacking groups of the past year or two. They were the ones that took down MGM and Caesars and a whole bunch of other entities. So what they-- one of their common attack vectors is call the help desk and say, “I'm Steve Craig. I've got my employee number,” probably because they stole it or bought it, right, and they worked their way into the help desk.

Well, what we're doing is we can drop in a tool that's literally ready to use in a day that'll say, “that's great, Steve, but I don't need your mother's shoe size anymore. I want you to prove your identity. We'll send you a link. You click it; it takes about 90 seconds.” The help desk operator's screen turns green and you're in or not. And that use case has had our phones ringing off the hook because of the threat.

The other one is knowing who you're hiring. So the North Koreans have figured out how to inject themselves into a couple, I'm going to say dozen companies at a minimum here in the US with fake identities. And so imagine if you hire somebody in Eastern Europe or North Korea or whatever, and it's not who you thought it was, that's a common use case for identity verification as well that's keeping a lot of people up at night.  

Steve: Those insider threats, I've heard about those scenarios, but they are becoming more and more common just because of the remote work and the need for talent globally. 

In preparing for this episode, I spent quite a bit of time on the 1Kosmos site. And I, for most of these episodes do quite a bit of research. And I saw something on your site that I hadn't seen really in any other website. You had a whole section around digital identity 101. And then you had a whole sub-part of the website on MITRE ATT&CK. Can you talk us through the MITRE ATT&CK and how 1Kosmos thinks about those threats? 

Michael: Yeah, the MITRE ATT&CK-- so for those that don't know what MITRE is, they're-- I want to say they're a nonprofit that offers all kinds of resources to the public. R&D projects, they're all about information security and threat. And they made this framework-- and MITRE is spelled M I T R E if you're looking it up-- but it's the ATT, A T T ampersand C K. And it stands for-- I'm going to mess it up a little bit, but it's-- adversarial tactics, techniques, I want to say, and common knowledge, ATT, ampersand CK. And it's incredibly comprehensive. So they've broken it down to say, here's how bad guys will attack your web services. Here's how they'll attack your mobile apps. Here's how they'll attack your industrial controls. So, if you know how the attackers are going to attack you, you know how to mitigate them. And so it's almost like an encyclopedia of bad guys, what they're doing these days. And there's a lot of them that talk about authentication, which is where we come into play. 

Steve: Yeah. I'll be sure to link to that part of your site. I found your content there to be really strong in terms of educating customers on the attacks and the different-- just the glossary and all the things you put into there. So bravo to you and the team on that Mike. 

Well, while we're on the topic of authentication, I want to touch a little bit also on the fact that BlockID is FIDO certified. I'm curious if you could, for the podcast audience, describe what it means to do a FIDO certified authentication, what passwordless means, maybe, you know, to use the reference you made earlier, explaining it to your mom, how do you explain being passwordless to your mother?

Michael: Yeah, I think the best way to explain it is when you look into your phone and unlock it without having to do anything. That's really a passwordless experience, right? You didn't type a password into your phone. The problem is, it only works on your phone. So imagine if you could do that at any website that you go to? “That would be great, Mike, tell me how.” And the answer is FIDO.

So what FIDO's done-- FIDO stands for Fast Identity Online, FIDO-- and they've been working on this since 2013. 1Kosmos is a FIDO member. We've been working with them to help shape the standards for quite a few years. They got together with the major tech providers, so Google, Apple, Microsoft, right, those are the big three. And said, “Guys, would you build-- let's build this into all of our browsers and our mobile phones”-- and that's done. Your browser and your mobile phone are ready for FIDO.

So I'd say we're about 60 percent there for it to become a very common way to log into any website. And the experience is very simple. You go to-- let's say you're going to Macy's.com, you hit enter, probably just need your email address and hit enter, and your phone will pop up and you do Face ID and you're in. Or, your browser pops up and you tap your thumb or look at your face and you're done.

So, that's it. It's really extending that phone experience that we have, or your Mac, you know, or Windows Hello, to any application anywhere.

Steve: If an organization is trying to improve their security posture, maybe moving from a world where all they had was a username and password into something better, they've got biometrics; they've got FIDO auth; they've got tokens; they've got SMS. How should organizations think about all these different choices, and any recommendations? What recommendations would you have for them?

Michael: Yeah, I think it's two things. So FIDO is great and it's making things a lot easier, but it's also putting-- it's, you know, your Face ID doesn't actually prove that you're Steve Craig. It proves that you have your six-digit PIN or your Apple ID, right? What's missing is the verified identity part. If you put a verified identity together with FIDO, it becomes very strong. So what I'd recommend is, look at the FIDO experience and combine it with verified identity. And you've really got a game-changing experience. That's-- it's that simple, and you know, we help organizations do that with kind of a one-stop shop.

Steve: You mentioned the help desk earlier and someone impersonating an employee, or maybe trying to take over a consumer account, I think password reuse, when that's combined with data breaches or even basic phishing, it just keeps creating these scenarios where the bad guys can take over accounts. The talk I saw that you had at Identiverse, I think it was with Kevin Shanley from AWS, and you talked about bringing verified identity and passwordless to the masses, and there were some really good summary points at the end of that. How would you recommend, specifically on passwordless, that a large enterprise move forward with that? Like, how do they get started? Because it seems like it'd be a major undertaking for them to get going. 

Michael: Yeah, it's getting easier and easier because your Apple Keychain and your password managers, like LastPass or 1Password, they're getting really good at enabling it. So I'd say it's going to happen no matter what. And inherently all of your customers are ready for it. You just have to give it to them. So for example, you may go to Home Depot and they will pop up and say, “Would you like to go passwordless?” Of course you say “yes.” And that'll work most of the time; it's handling those exceptions that will make or break your program.

And the FIDO Alliance has a whole framework on best practices of how to ask the user and work with them and how to handle those exceptions. So maybe for some crazy reason, they're on a really old computer that just doesn't support FIDO yet; we have to be able to handle them as well. And so there's so many resources now, and we have like a 10-step guide that we offer our customers on the best way to get started with FIDO authentication as well.

Steve: Well, related to AWS, AWS has their marketplace. I know 1Kosmos is in there, what are some of the key partnerships or integrations or paths that they could get to your technology beyond the AWS marketplace?

Michael: Yeah. So from a protocol standard, I mentioned SAML and OIDC, OAuth. Those are-- you can just use these protocols. From a marketplace perspective, we have partnered with the SSO providers. So we're in the Auth0 marketplace, which got bought by Okta, of course. We're in Microsoft's marketplace; we operate as a ForgeRock node. We're in the Ping DaVinci Marketplace as well. So there, and AWS, as you mentioned. So it's really as simple as just going to your marketplace and enabling our connector, and you can use our services to strengthen the identity for really any downstream system.

Steve: It sounds like the technology path is pretty streamlined. For the business side, the business case, the business cost that comes with moving from one system to the other, that feels like it only-- there's only change when a breach event happens. And then, of course, it makes the news and then there's now SEC filing requirements for companies and whatnot. What do you think are-- what's the counter argument on being proactive? And what is the business return on investment that say a CISO or IT leader could see in moving this direction versus a status quo?

Michael: Yeah, there's a couple of levers to pull on. There's three that we focus on. There's your employee or customer user experience, right? It sucks logging in; you can fix that. Make your employees enjoy coming to work and staring at that screen on Monday morning, rather than having to jump through hoops. Don't change their password every 90 days, it's stupid. That practice is so old, right? And even Microsoft is suggesting to not do that anymore because when you try to make changes like that, it'll cause problems unless you think about it, right? So user experience is one. 

The second is the ROI of authentication. If you have a hundred thousand people at your company and you save two minutes a day per employee, two minutes, that's it, right? How many times do you press Ctrl-Alt-Delete and log in? There's 200 workdays in a year. The math gets into tens of millions in lost productivity. People don't even bother counting it because they don't know they can do anything. So one of our very friendly customers is Vodafone and they deployed our tech to 40,000 employees in less than a month. They demonstrated savings of multi-millions of dollars in the first year, just by measuring the time that they weren't wasting anymore. So there's money just sitting there that any CIO or CFO can go get.

And then the other one is how much money do you spend resetting passwords and for help desk operations and things like that? Of course, there's all the security problems that you're fixing as well. I think those kind of go without saying today, and they're hard to measure unless you know how much your cyber insurance costs and you've had a big breach, and then watch how much it goes up, if you can even get it.

So yeah, plenty of levers to pull on from an efficiency and cost savings perspective. 

Steve: Are there tools that you offer during a discovery process with an enterprise to help them make these calculations and…?

Michael: Yeah, they're industry-standard tools. So we'll measure the net promoter score or customer satisfaction surveys. So before we start a deployment we'll say, “Listen, please go ask your employees or customers how much they like logging in today. On a scale of one to 10, they'll probably get a one or a two.” And they'll be like, well, “Why do you want to do that?” “Because we're going to ask them in six months and you're going to get an eight or a nine, maybe even a 10.” And then you'll have this high-five moment from your users making security better.

So they're standard tools. People forget to use them, or, you know, we'll give them best practices on that. And then we have ROI calculators that you can just punch in some simple numbers. Scrub some log files to see, “All right, it takes me 15 seconds to log in today: username, password, go fetch a code. I'm going to get that down to three.” And so then simple math. So keeping the tool simple is a great enabler.

Steve: Excellent. Excellent. Well, Mike, we're almost out of time. I have just a few questions I want to run by you. One thing we talked about earlier was deepfakes. And I have got a question for you around that. We saw about six months ago, there was a lot of news around this Hong Kong-- a deepfake where-- it was a CFO or someone in finance-- moved 25 million and that was lost. And it was all because of a deepfake video call. And then there's other companies that quote like X thousands percent of deepfake attacks, but then others say, actually it's because we had very few. And of course it looks like a thousand percent increase. What's your opinion? Is it-- are these outliers-- is it hype, or are you seeing these attacks at scale for your customers? I'd love to get your industry opinion on it.

Michael: Yeah, the Hong Kong one-- it's a legit problem. You know, my friends in the industry are seeing real attacks from, you know, against their system. So I think we're going to see more and more of that. The political front is also inundated with fake political campaign messages, either a voice call or even they're doing-- there's tons of video calls. I saw some amazing articles on this. So it is a real problem. 

There's a couple of compensating controls. There's-- the bad guys are using AI and the Soras of the world to generate the fake video. I have five tools on this computer that could have me become you pretty quickly. Although the beard does make it a little harder, so keep rocking that beard, all right? So now the-- there's also AI tools to detect the AI, because your head will be moving a certain way. Right now you're blinking a certain amount of times. You have certain micro-expressions, the way you smile or whatever. So we can detect those and we can also detect when a stream is injected into another stream. So there's a lot of compensating controls.

But, going back to how we started this conversation, don't rely just on the video. If I reach out to you and send you a text message, I can have you press a button and my screen can turn green. I don't even need to see the camera. I know it's you. Why? Because you have a digital credential that's verified on your device. So it's a combination of compensating controls that I think will be-- when you have that real verified identity and I can do the equivalent of holding up a driver's license and saying, “Yeah, it's really me,” right? So it's, you know, relying on one technology can get you into trouble.

Steve: We're getting to the end of the podcast episode. I'm curious what you have planned at 1Kosmos for the balance of 2024. Are there any big roadmap items or major releases you have coming this year?

Michael: Yeah, there's a couple. So, we are pushing into the federal government quite heavily. So we-- because we're government certified to NIST 800-63-3, we're able to serve any public-facing agency. So you'll see a lot of us out there in DC and around. So we're putting a lot of effort into that.

And then we have some really bleeding-edge-- just glance into a camera and I can prove it's you. So it's a combination of your face combined with liveness detection and deepfake mitigation technologies, where it will be as easy as just unlocking your phone on Face ID to get into any website. Because the-- one of the big problems with wallets is when you lose it, you have to go start from scratch. So we have a wallet recovery that is a game changer. So we're pretty excited about some of the technologies we have coming down the pike.

Steve: Great. Well, I'll be sure to track your announcements from your LinkedIn and from your website. It sounds amazing. 

Well, we're at time, Mike, if you've seen any of these episodes of EXECUTIVE SERIES, I like to go a little bit beyond the professional profile, see the person behind the press release, so to speak. And I spend time doing research, but I couldn't find much about the personal side of Mike Engle, which might be by design, perhaps you're limiting what's out there. Can you share with us on the podcast, passions, hobbies, activities that you like to do outside of the business and technology world? 

Michael: Yeah, we stay off the TikToks and stuff like that, just because of our background in infosec. So you won't find me on Facebook, maybe a little bit of old stuff, but yeah, we're-- we have a pretty big family. We spend a lot of time doing family stuff, hanging out with family and friends, and we spend a lot of time on the water. So sailing-- my son had a lifeguarding tournament today, so we spent three hours paddling and swimming. Not me, I'm a little old for that, but my wife's always been a fan of the water. So we're-- anytime we can, we're there, and we'll take one trip a year to a warm destination to keep that theme going in the winter. So it's pretty simple.

Steve: Well, great. Thank you so much, Mike, for being on the podcast. For those that are listening or watching or reading the transcript, what type of conversations would you invite to have? Like what would you like to hear from the market? 

Michael: Yeah, let's have a talk about how we can make your customers and their employees' lives better and easier. So, the bad guys are getting really good at this stuff and we have the right tools to kind of fight back. So let's do that. Let's have a conversation. 

Steve: Very cool. And do you have any shows planned for the fall where you are going to speak at again? Any repeat? 

Michael: Yeah, we do Identiverse, the Gartner IAM conference, Identity Week in DC is coming up in, I want to say, September, October. We go to Oktane, and anything with an identity focus is definitely one. We go to RSA every year as well.

Steve: Very cool. Very cool. Well, thank you, Mike, so much for speaking with me. I look forward to watching your continued success with 1Kosmos and I'll keep an eye on these future releases you have around deepfake, liveness, and matching, that sounds pretty cool. 

Michael: Please do. Thank you so much for having me on. I appreciate it.
