Zero Knowledge Attestations

Episode 262

State of Identity Podcast

02/23/2022

Episode 262

Zero Knowledge Attestations

What’s your favorite pizza topping? Knowledge based authentication is not really knowledge, and not really authentication. In this week’s State of Identity, host, Cameron D’Ambrosi is joined by Alex Shockley, President & Co-Founder of Journey, to discuss identity as the cornerstone of a better contact center. In this episode, you’ll learn how a zero knowledge identity network can solve for security, privacy, and customer experience simultaneously.

Host:

Cameron D'Ambrosi, Managing Director at Liminal

Guest:

Alex Shockley, President and co-founder at Journey

Links:

Share this episode:

Cameron [00:00:04] Welcome to state of identity, I’m your host, Cameron Ambrosi, joining me this week. Alex Shockley, president and co-founder of Journey. Alex, welcome to the podcast.

 

Alex [00:00:14] Thanks, Cameron. Really happy to be here.

 

Cameron [00:00:16] Lot to talk about today. I think you guys are right at the intersection of so many trends in the digital identity space. Zero knowledge remote customer interactions in the age of COVID, which I guess will now last for the rest of our waking lives. But super excited to have you on and thank you again for your time. But before we do all that. As our longtime listeners know, love to learn a little bit more about you, your background, what, what gets you spun up and excited about the challenges in the digital identity space? And I think the easiest way to understand that is to walk a mile in your shoes. You know, where did your digital identity journey start and what led you to co-found Journey?

 

Alex [00:00:58] Yeah, thanks. That’s a great question. And before I jump in, just want to say thank you again for having me here. I’ve been listening to your show for a long time, so it’s really exciting to get a chance to to jump in here and have the conversation with you. So my background, I would actually start outside of the professional realm in my more, my personal background sort of pre entering the workforce. I was pretty heavily focused on high altitude mountaineering, so always been kind of drawn to looking for your kind of off the beaten path, sort of bigger challenges and looking for, you know, kind of interesting ways to to to pursue what seems interesting, even if there is necessarily a straight line and how to get there. So I think that sort of mindset is something that plays a lot into the kind of the broader concept of entrepreneurship and helping to kind of rewrite how the the playbook works in a given industry here and kind of going forward from that, I guess, I would say, into professional background that kind of led me in this direction. I spent a good chunk of my career on the digital marketing space, so I founded a creative agency initially focused on sort of front end web design and development and broader user experience theory, and then evolved further into more sort of top of the funnel social media marketing activities and tying that all the way into web personalization and conversion optimization campaigns. And so that agency after a number of years there, but spent a big focus there on how do you really engage customers at the top of the funnel and how do you leverage all the different data points that you can collect and observe from how they interact with your content and use that to inform different decisions that you make on what to do with those users as they navigate through your your digital properties and domains? While I was doing that. So skipping forward a step here at my my co-founder and journey is actually my dad and my dad’s background. He had founded and sold a few different companies in the telecommunications space. He served as a VP GM of the Contact Center Business Unit at Cisco late 90s, early 2000s, watching the first voice over IP contact center. He more recently served as the CTO at Avaya, and so a big background in the communication space. And so while I was doing the digital marketing thing and he was sort of I at the time, we had a lot of conversations around my world largely revolved around top of the funnel digital marketing. And when you get somebody to pick up the phone and place a call into a business that’s just sort of functionally the finish line in that space. Whereas that’s the obviously more of the starting line in the context in our world. And so we’re looking at all of this innovation, all of this technology in the ad tech, in the tech world on helping to drive people to that point of placing the phone call. And as we talked about understanding how they’re navigating your properties and none of that information is really crossing the chasm into the contact center. So we first really started out in this space thinking about how do you better leverage that information as you sort of cross that chasm. But it became pretty apparent pretty early on that that what exists at that chasm is really the point of identity. How do you authenticate the user and how do you tie in all of these different digital attributes to better inform what you do in the context in our world? And as we started looking at that space, realized pretty quickly that there is a very natural choke point that takes place as soon as you go from digital to this contact center worlds where you’ve only really got access to the audio input. And so we started kind of poking and prodding at that and realizing that, you know, despite the fact that something like 90 percent of adults in headsets, they carry smartphones that have more computing power than an used to put somebody on the moon and power user experiences today do things like virtual reality. The contact center is still at large, really just looking at the audio input. So when it comes to authenticating a customer, they’re asking you standard knowledge based authentication questions. Maybe they’re layering in some voice biometrics, but there’s some pretty natural limitations to what that can perform, how accurate it can be and what the ramifications are from a privacy perspective. So we this back in 2017 sort of building some, some prototypes while we were sort of getting in forms and getting blasted with news from. The cryptocurrency space that was really exploding at that time and found a lot of the innovation happening in the self-sovereign identity space and ground zero knowledge cryptography to be really inspiring and really fascinating. It was actually at that time that I stumbled upon this podcast, so we actually went to the One World Identity Conference back in seven twenty eighteen. I guess it was in D.C. and learned a lot about show and got really inspired to sort of pivot from the original focus of more of a sort of attribute based routing solution to taking more of a holistic view at bringing identity and its sort of digital components into the contact center.

 

Cameron [00:05:42] That’s amazing. And you know, I think with COVID, so much of this identity lifecycle and steps that could be, I think, taken for granted in how, you know, customers interact with both enterprises, you know, vendors that they’re working with in their day to day life was was completely upended. And I think what’s exciting to me about journey is that you guys are really looking to solve two challenges at once, right? The first challenge being, if I’m a bank, I’m any sort of enterprise that needs to reach out to my customers via the phone. I’m extremely susceptible to fraud, specifically due to reliance on knowledge based authentication, right? It’s like every word in knowledge based authentication is kind of a trap. Like, it’s not really knowledge, it’s not really authentication. I guess it is based. And then on the other side, consumers, they don’t know where they stand, either, right? Like, I get very convincing, you know, scam calls that make it sound like, you know, my bank is calling me or whatever, and I know better than to to answer that. But I end up some of the times calling my bank back myself just to confirm, like, was this real? And then, you know, I had to deal with the IRS recently. And when you call their legitimate phone number the robot voice that they had, you deal with like sounds, I swear to God like a scammer, like like some two bit, you know, fraud website to the point where I hung up and redial because I thought I fat fingered in. And maybe someone was clever enough to to get all of the phone numbers around the IRS phone number and hope you missed island and then, you know, share information with them that helps them, you know, take over your account, steal your tax, refund, what have you. But because of that response rates to these calls from platforms like when your bank has actually identified someone trying to wire money out of your account and they do need to get in touch with you, people don’t pick up, they don’t respond. So this this identity layer is fundamentally broken for these interactions, and it seems like you guys are really focused on kind of solving both of those and in each direction, right? Like helping customers and consumers feel better that when they reach out to a call center, that they can authenticate themselves easily. And also, when there’s an inbound call that the bank needs to reach out to them, the bank can kind of set that customer up to feel a higher level of assurance by sending a push message, for example, to their app, letting them know like, Hey, we will be calling you. And when your phone rings and it says it’s okay to bank, you know, actually is going to be us.

 

Alex [00:08:19] Yeah, you hit on a lot of great points there. Yeah, no. I mean, there’s a lot of a lot of really interesting stats in the space. You know, they say that as of 2021, we crossed the threshold where north of 50 percent of all phone calls to mobile phones, at least in the United States, are attempted fraud. So, yeah, exactly as you talked about, there were all been conditioned not to answer those phone calls that come from unknown numbers. And if we do have an answer and somebody starts asking us for sensitive details, our natural tendency is, of course, to hang out and maybe we’ll call the number back or a number from the back of our credit card or something to get into that business. And on the the more the inbound call side, when you call into the contact center, the the standards right now are that it takes between 45 to 90 seconds to authenticate yourself. And that’s going through this marathon of keying and your 16 digit account number, followed by your pin number, then answering those quote unquote security questions about your mother’s maiden name and your favorite pizza topping. And so we know which we all know that cats pretty thoroughly out of the bag on those those static giveaway questions. And so it’s not working for the user experience perspective. It’s certainly not working from a security perspective, and it’s not working from the operational efficiency side in context of economics far and away. The most expensive thing is the time of the actual agent. And when you think about a large bank or health care company, for example, that handles north of a billion phone calls a year, they’re taking 45 to 90 seconds to bring customers through processes that aren’t really doing a good job at authenticating them and our annoying customers by the time they actually get to an agent. You know, there’s a lot of, you know, direct and indirect costs that stem from that.

 

Cameron [00:09:57] In terms of how you built the platform and and how you are solving these challenges without creating another honeypot, establishing this, this linkage between right, the legal identity I have as an individual, this kind of set in stone deterministic attributes like my name, my address, my social, for example, and then some of those other pieces, which is OK, maybe a more temporal linkage with something like my specific device or a particular account. You know, what was the strategy you took towards solving some of those fundamental challenges we’ve seen vendors have in the space with how you kind of square that circle and managed to provide these higher levels of assurance without setting up corresponding pitfalls in terms of data breaches, account takeover and other challenges?

 

Alex [00:10:46] Sure. Yeah, I’ll kind of outline maybe the what? First and then kind of get into the how in the why with it, that kind of reversing, I guess, the the Simon Sinek start with the why piece. But so on the what side, you’re the easiest way to describe it as you know, functionally, we’re giving enterprises the ability to tap into just about any any input or sensor or functionality that you can conceive of from the user’s phone at the edge of the network. And so as you outlined there, the idea that for you as an example, a customer calling into the bank rather than being limited to just that audio channel for asking questions and checking to see if that answer matches what’s on record, we can detect through our integrations at the contact center side whether or not that user has the business’s mobile app registered their device, for example, and as much of other forensics things we do in the background. But for the surface level here of this conversation, if we detect there’s a mobile app registered to that phone number and tied to that account, we can go ahead and forecast the IVR. The integrated voice response to encourage the user to log in via the mobile app to authenticate themselves, as well as push a push notification to their mobile app. So the user looks at their phone. They see a notification that says, Tap here to authenticate yourself and the agent. On this call, you tap that you log into the mobile app using whatever method you currently use to log into the mobile app. So another challenge in this industry is, of course, adoption of new forms of biometrics or authentication. So in this case, we’re saying, Hey, this user already has a mobile app that they already have a method of logging into that their experience with using and the business already has security procedures that are approved for letting this person be authorized to take certain activities. They log into the mobile app. Let’s extend that into the contact center rather than forcing them to do something new. So once they log into the mobile app, we now have this this private digital channel that we established between the enterprise and that session on that mobile app. So now when the agent needs to request something, whether it’s a cloud based biometric function, whether it’s scanning a credit card or signing a document that can be said to be an API, call it directly to the the interface on the user’s mobile app, where they can respond to it there, rather than speaking that information out loud to the agent. And so that’s where the the sort of the how piece comes to this that is particularly interesting, and this is where we’ve then issued a few patents on in quite a few more pending rounds where we have also trademarked as our zero knowledge identity network. And what that means at the end of the day is that what we’re doing is changing the way the data flow is through this ecosystem, if you will. So rather than an example of a credit card payment agent asking you to speak out loud your credit card number or typing in that information, where in today’s world that either is then seen and heard by the agent? Or maybe they pass it off to a quote unquote secure IVR? They’re sort of passing the buck to some other entity that needs to be secured and is subject to PCI audits. Instead, what we’re doing is we’re taking the public key of the payment processor and bringing that directly to the form fields on the user’s device. So when they scan their credit card or type that information, then that information gets individually encrypted locally on their device and that individually encrypted package. Cipher text, if you will, is brought from the user’s device, not through the contact center, but directly to the payment processor themselves, so they can decrypt behind their firewalls processes as usual for them to process the payment and then return the results back to the enterprise. And then the enterprise can choose how much of that information they want to surface back to the agent so the agent doesn’t ever need to see your credit card number you have. An agent actually wants to know your credit card number or Social Security number. We’ve got a whole different set of problems on our hands. But instead, what they’re receiving back is the thumbs up, thumbs down, or whether or not that payment passed or failed and maybe any other transactional data they need to have access to to support the conversation. But the idea is that it’s taking more of a zero knowledge proof sort of philosophical approach to saying, let’s focus on the output of the data rather than the input, because the output is what actually matters for powering this conversation. So rather than giving the input and then redacting it later from the call logs and trying to mask out sections of the screen and screen recordings, let’s just take that out of the equation entirely and give the agent access to what truly matters which. Is that that output, whether you’re so scared, no matter what was on file or credit card past or what have you?

 

Cameron [00:15:04] As I understand it, one of the key challenges that has hamstrung, I guess, for lack of a better word developments in this space is the somewhat patchwork I.T. environment that many of these call centers are operating out of in terms of a mix of different vendor platforms, proprietary systems that have filled this gap for this missing identity layer. How have you gone about tackling that side of the equation? Obviously, consumers, you know, slam dunk to to integrate with the app that they already have are already using. How have you tackled the challenge of penetrating these kind of opaque back office call center software market and getting integrated with that end of the equation?

 

Alex [00:15:47] Yeah. So our team is made up of a lot of strong industry background types from the contact center space. So we certainly have a pretty unique level of domain expertize and knowledge on that side. I’m not one of them on our team. I know the one guy who comes from the marketing side. But, you know, we’ve taken a different approach than you typically see in the space in that the focus really is on this, this platform where again, we have the ability to API call, send these requests out to the device at the edge of the network. And you know that again, that device could be either the customer or an employee device or also driving products on that side of the world as well on more traditional AM. But the place that we sit is is an exciting one where our functions, if you will, are invoke able bodied agents there and bookable by the the IVR. The API calls through that interactive voice response on that side and invoked by bots for working on chat bot side. But it can also be invoked by other workflow engines that the context in which we have in place today. So we really provided flexibility on the enterprise side as to whether somebody is manually clicking a button to request one of these things, or whether that is triggered by some other enterprise function that exists today. And then on the consumer side, providing flexibility as to both where this information is popping up so it could be within an app, could be within a web browser that requests can be delivered via a push notification, could be a text message, could be an email, could be scanning a QR code. But then the other piece of where we get to operate here is that again, we’re really focused on this, this orchestration layer of being able to send these encrypted requests to users. But at the time, that request pops on the user’s device. What it is you’re actually requesting has quite a bit of flexibility. So we’re not in the business of trying to reinvent or come up with new forms of biometrics or a variety of other solutions in that space. And that’s where I love listening to this podcast and other resources in this industry. There’s there’s so much innovation happening around to behavioral biometrics and passive biometrics and the more enriched document signing and other other elements like that that we get to be a standardized platform to invoke these other third party functions, some of which we struck OEM relationships with others are more of a risk opportunity and others we give the enterprise the opportunity to just plug in their own APIs and can figure out, well, whatever they’d like to ask the user to perform on their device. And so that allows us to to really get to have some fun with what we unlock for new use cases the contact centers haven’t had access to in the past, and also to work with some of the latest and greatest technology that exists today and help these enterprises embrace new technologies as they come to the table.

 

Cameron [00:18:29] Is it true that you guys are also looking to solve some of these identity challenges on the call center side as well? You know, we’re in an era of remote work in general as well as an ever evolving threat environment regarding, you know, how folks inside enterprises are accessing personally identifiable information and and sensitive proprietary information. Can you talk a little bit about how you’re engaged on that? And in terms of making sure at the call center perspective, the employee at the call center is who they’re claiming to be as well?

 

Alex [00:19:04] Yeah, absolutely. And that’s a really critical one and one that we’ve had a lot of traction and excitement with over that. The last is coming on two years now with COVID, so contact centers are an interesting space. The as I mentioned, a large bank or health care company will often place upwards of a billion phone calls a year or handle, I guess rather for a combination of both inbound and outbound phone calls. And so they’re usually made up of some subset of agents that are direct employees of the business and then others that are handled through DPOs or business process outsourcers where you’ve got banks of agents working as contractors either domestically or overseas and in contact centers today, particularly when they’re servicing regulated industries, banking or health care. Where you’ve got the hyper regulations, for example, there’s a long set of rules on how they need to operate in a quote unquote clean desk environment. So you have things like they need to go through a metal detector when they enter the contact center facility. They need to make sure they don’t have a cell phone available to check in the locker. When they get there, they’re not allowed to have a pen and paper at their desk. Or if they do, a lot of these contact centers will have classes and audits on making sure people know how to and our following procedures with shredding any notes they take during the day. And then, of course, you’ve got supervisors overseeing all of this, you know, floor managers walking around, you know, making sure everyone’s following the rules and then COVID happened and everybody went to work from home. And now all those same people are working from their kitchen table. So all of those rules, of course, go right out the window when you have absolutely no control over what’s taking place there. And so these these agents who are now working from the kitchen table are now exposed to all of these sensitive details that were once controlled to a certain extent by making sure people didn’t have the capacity to take notes or take pictures of it. Now they’re seeing the kitchen table and there’s no controls around that. What we’ve done is taken. The same set of tool sets are similar to tools that we’ve been using on the consumer side to handle things like identity verification at the time of enrollments and biometric authentication and turning that around to the agent. So most critically, at the onset there we can use the facial biometrics from the the agents webcam on their computer to actually authenticate them into their session. And we have Samuel and SSL integrations to tie that into whatever other tool sets the need to use for the day. And then we continually in passively reconfirm throughout the day that only the right person is present in front of their screen, so you can set conditional rules on the maximum window of time that somebody can go without successfully passively authenticating. Be that five minutes, be that an hour doesn’t doesn’t matter to us. And in that window, we’ll continuously reconfirm that the right person is present to their computer. And if we’re unable to passively authenticate them successfully in that window, then it sends an alert or trigger event that can either send it over to a supervisor or can automatically log in out of their systems. And then in real time, we’re continually checking to make sure there isn’t a second person presence in front of the screen. So if that happens, of course, you can send the same kind of thing, send alert up to a supervisor or disconnect them from our systems. They’re looking at the approach they’re taking to. This is is philosophically aligns with the same zero knowledge approach they’re taking on the consumer side in that the emphasis is really on capturing that event data that events that they successfully actively authenticated with facial biometrics, where they successfully passively authenticated or they their session timed out, or there was a second face detected or some other anomalous behavior. So it’s that event data that we’re delivering back to the enterprise and that can all be handled without ever capturing or saving any of the actual images from this. So trying to do this in a way where it’s not as pervasive from a privacy perspective as you might think with having the webcam permanently turned on during the work session? And the ultimate goal with this is that rather than focusing on a clean desk policy, whether it’s in a controlled contact center or somebody working from home, what we’re pursuing is more of a clean screen policy here. So when you combine this, this passive continuous authentication, you’re able to deliver that proof of agent authentication back to the customer on their mobile app with their mobile browser, so they can see proof that the person they’re talking to is a real representative of the business. The you’re shielding sensitive details from ever making it to the screen in the first place. And then from a compliance and security perspective, you’re making sure that only the right agents are ever. Present at the screen and engaged in these, these different toolsets they’re working with throughout the day.

 

Cameron [00:23:36] What’s next for the platform? Obviously, we’d love to get your your crystal ball predictions, but before we dove into that, it seems like you have a really strong anchor in the customer identity lifecycle. Are you guys hoping to continue expanding that into the onboarding and other moments of this customer journey?

 

Alex [00:23:54] Yeah. So so we do have onboarding solutions as well where we we can do document centric identity proofing and then tie into other KYC providers for the AML sides of that equation. But from where the platform is heading, our focus again is really on establishing that data tunnel, if you will, between the enterprise and the user’s device and always looking to expand what those capabilities are and expanding that use cases that we can help solve for. So your crystal ball predictions in the space, you’re seeing a lot of really exciting innovation and technologies around passive biometrics, for example. And so always looking for ways to to tie in to the latest and greatest technologies and capabilities so we can service our clients as effectively as possible. And ultimately, the hope is that we continue to push our customers and these enterprises in the direction of realizing that that static PII in particular is is really increasingly antiquated. And as I said earlier, the cat sort of out of the bag on, you know, all of our data being at the fingertips of the fraudsters, if you will. And so focusing on proof of ownership of the credentials or broader password list techniques as opposed to relying on that static information.

 

Cameron [00:25:07] On that crystal ball front, I did hear from you when we kicked the call that you did have your Magic Crystal ball with you. So would you know, love to hear some of those predictions where you see the space headed over the next one to three years?

 

Alex [00:25:21] Yes. On the contact center side of the world, it’s really interesting when we get engaged early in these conversations with with the enterprises we’re working with in that oftentimes we hear that the the contact center has no connection with or no overlap for. These employees had never met the people on the digital side of the house that are driving that, the digital side, the user experience. And so coming from my background and my dad’s background, our collective mindset here. Those are two halves to the same coin. It’s the same user journey, whether it’s taking place digitally or over the voice channel. And so I think the writing is on the wall that businesses are ultimately interested in driving a unified user experience, driving more self-service, more IVR containment and providing a better holistic experience in an omni channel capacity for their customers that those two worlds need to unite and work on the same team. And I think we’re seeing a lot of that emerge then on the digital identity side with respect to what tool sets are bringing to bear here. I think we’re continuing to see advancements in just what sorts of use cases can be handled with, with minimal, minimal friction with the user across identity verification for enrollment and passively detecting anomalous behavior throughout that engagement in a really creative array of methods. Be it your location based behavioral sorts of things, we’re seeing some interesting things being done on that side, as well as a broader passive biometrics for other behaviors and invoice.

 

Cameron [00:26:55] Amazing. Well, Alex, this was super, super informative. I think this is an area of identity that in some ways has, I don’t want to say, languish, but to some degree fallen by the wayside in the sense that people, I think, discount the amount of these phone calls that are that are taking place every day and the the threats to their businesses through this channel. So really, really exciting to see a tremendous application of these technologies towards solving this use case. Always great to connect with you, and we’d love to have you on again soon to continue the conversation. Please be well and shameless plug opportunity for folks who liked what they heard. Want to get in touch with you or members of the Journey team to learn more. Get engaged. What’s the best place for them to go?

 

Alex [00:27:41] Yeah, I appreciate it. The the website is W W W Dot Journey Indeed.com. My email address is Alex, a journey ID dot com and info. Out, of course, is a way to reach broader group here as well. So thank you so much for having me. It’s been a pleasure speaking with you and looking forward to to stay engaged and next to conferences and other opportunities here.

 

Cameron [00:28:02] Thanks so much.

 

Episode 331

Onfido CEO Mike Tuchen shares his insights on the digital identity space, and the challenges businesses and consumers face. Tuchen discusses the need for a privacy-first approach, the growing demand for reusable digital identities, and the shift towards user control of personal information.

Episode 330

Secfense Chief Technology Officer, Marcin Szary, joins host Cameron D’Ambrosi to explore the current authentication landscape. They discuss why FIDO Alliance has been a truly transformative moment for the death of the password, how Secfense sets itself apart in a crowded and competitive landscape, and Marcin’s predictions for the future.

Episode 329

Measuring the reach of digital advertising and smartphone app performance is a difficult task made more challenging by tightening data privacy regulations. Edik Mitelman, SVP & GM of Privacy Cloud at AppsFlyer joins host Cameron D’Ambrosi to discuss the current state of the consumer data landscape, how platforms must balance first- and third-party data usage, and why the death of cookies is a tremendous opportunity.

Episode 328

John Bambenek, Principal Threat Hunter at Netenrich, joins host Cameron D’Ambrosi for a deep dive into the current trends across the cybersecurity landscape, from ChatGPT and deepfake offensive threats to leveraging data analytics across your XDR, SIEM and SOAR technology stacks for improved defenses.

Episode 327

Vyacheslav Zholudev, Chief Technology Officer of Sumsub, discusses the current state of the identity verification market with podcast host Cameron D’Ambrosi. They explore the factors driving platforms to move beyond basic identity verification and into other aspects of the digital identity lifecycle. They also discuss the challenges of implementing artificial intelligence in regulated use cases such as anti-money laundering (AML) transaction monitoring.

Episode 326

Host Cameron D’Ambrosi is joined by guest Marcus Bartram, General Partner and founding team member at Telstra Ventures, to dive into his company’s digital identity investment thesis, its transition from corporate VC to an independent fund, Strata Identity’s right to win, and the expanding role of identity in the cybersecurity landscape.

Filter by Content Type
Select all
Research
Podcasts
Articles
Case Study
Videos
Filter by Category
Select all
Customer Onboarding
Cybersecurity
Fraud and Risk
Go-to-Market
Growth Strategy
Identity Management
Landscape
Market Intelligence
Transaction Services