¶ Introduction and Episode 300 Milestones
This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Good, I made you laugh right before we hit record here. I know, I almost couldn't speak normally. Or as normally as you can speak, anyway. I was going to say, that's not that normal. I mean, you left that, that was a fastball right down the middle,
Jim, and I turned on that one. Episode 300, Jeff, what do you think? 300, crazy, man, what a year for milestones. I mean, five years. This is episode 300. We kind of saved this one for ourselves, which is the two of us. But yeah, I mean, crazy the amount of milestones we're celebrating this year. Totally crazy. Now, do you remember what our original plan was for episode 300?
¶ The Journey to YouTube
It was going to be when we started doing YouTube. Oh yeah, it was so exciting and too much of an opportunity. So we've been hitting the YouTube thing pretty hard this year. I think it's official, though. Now we do YouTube. So if you go to idacpodcast.tv, it brings you right to our YouTube page. Yeah, exactly. So yes, I thought about waiting for episode 300, and then we started recording
in video recently. Like in the last couple months, I was like, let me start practicing stuff because I don't know how to video edit. It's been a long time since I did anything in it. And I think it shows in the production of the videos. It's like, all right, it's kind of basic, but that's fine. You know, I'm learning it.
I'll get better at it over time. But I started just doing it, and it was just like, well, let me start uploading them just to kind of get a feel for it and sort of work out my process, because I do have to make this manageable, because the podcast is not our jobs, Jim. We have real jobs in the real world. Kind of is our job, but it's not our day job. Our day job is we're consultants at RSM. We've been doing identity strategy for over 20 years, and that's what puts food on the
table. But this is a passion of ours that we've been doing for five years, 300 episodes, and we're going to continue to do, who knows, maybe we'll make it to 500. Maybe, we'll see. But yeah, it's fun. We're going to keep on doing it. And yeah, episode 300. So congratulations to us, and I think that's it. That's it, that's it. That's it, right? As the great Bill Belichick said, we're on to Cincinnati. We could pop the champagne, but this might be the time we get to
twist-off champagne. Yeah, and I was at a bachelor party weekend for my youngest brother, and I'm good for right now. You drank your share. I did. I mean, I didn't have too much to drink, but I drank more than I normally would, that's for sure. And so did my brother, so he had a good time. Yeah. Back to dry, Jeff. Yeah. In more ways than one. My dry sense of humor, right? That kind of stuff. Yeah. Let's see. What else? Another milestone. Another milestone, right, with the 501.
Go ahead. I'm Yeah, I'm gonna let you take
¶ Becoming a 501c3 Nonprofit
that one. Yeah, this is something that I have been eagerly anticipating since November of last year, but I am proud to announce that we are now officially a 501(c)(3) recognized charitable organization or nonprofit. For those people who are not aware, I actually, with Jim's help, set up a nonprofit organization called IDAC Corp, and the whole intent is to basically help kind of fund the
podcast. So if you've been paying attention, basically since the start of the year, we've been starting to do sponsored episodes every so often. We don't do too many. We don't want to saturate it. And again, this isn't our job. We kind of have to make it easy for us to do. We'll do maybe like one or two a month and hope to kind of offset some of the expenses that we generate just, you know, through this, between, you know, software services. I mean, hard drive storage is
getting nuts with the video now. So you know, stuff like that. But yeah, we're officially, as of now, a recognized 501(c)(3). So if you sponsored with us in the past, hey, tax deductible now. So sponsor early and sponsor often. Absolutely, yeah, it's a big mouse. And then Jeff, you put a lot of work into that. Really appreciate all the
hard effort. I think that's the thing with the podcast, not just this thing, but all the work that happens in the background with scheduling, the awesome guests that we have, the sponsors that we have, all the post-production editing that goes into the LinkedIn posts, and now running it basically like an official charity slash business almost. I mean, it's the same level of effort, it's just there's no profit at the end of the day. Right.
And yeah, we have to track expenses and reimbursements and like all that stuff. It's like we're officially like a real company now. Yes. Well, the good thing is, though, I mean, a lot of money went into this over the past five years, the past 300 episodes. You know, we started out with like a Teams call and record it to an MP4 file or MP3 file and throw it up there on the podosphere.
But now, you know, we've upped our level, upped our game in terms of audio quality, you know, these kind of microphones, things like that. The Riverside platform that we record on. Yeah. That would be a good sponsor, Riverside. Products until they sponsor us, you know, whatever platform we use. You didn't hear what Jim just said? Yeah, yeah. But it wasn't cheap. And we've been doing it for a few years.
So yeah, it's definitely. It cost more than I thought, yeah. And you know, going forward, I think we hope to make at least enough to cover the podcast expenses and, you know, hopefully maybe fund travel to fun conferences like Europe next year, maybe for EIC, stuff like that. So we'll see. But we do it primarily for the walls. And yeah, yeah, that's it. Yeah, so let's actually turn
¶ Understanding Identity at the Center
episode 300 into a real episode where we talk about identity. Nah, I'm good. I'm just going to hit stop here. Now let's talk about something. So do you want me to read the question? So we've got like a mailbag. We got two really high quality questions that have come in over the past week or so, instead of the usual crap we get from your listeners. And I'm just kind of...
You had to put it that way. No, I didn't mean it that way, but right, I thought like, OK, someone served us up a really good question for episode 300. I'll read it, but basically I'm going to summarize it first. The question was, you know, what is Identity at the Center all about? And not the podcast necessarily, but the theme, the idea that went behind the name Identity at the Center. And so I'm going to read this
off. And we did protect the identity of the person who submitted the question; they asked us to. We put them in a witness protection program. Exactly. So: I'm the director of IAM at XYZ organization, in phase zero, in the phase zero assessment to modernize our legacy identity system. Myself and engineers have been listening to your show for quite some time and so many topics resonate. Thank you very much. Cha-ching.
Thank you, cha-ching. Yeah, my problem is we don't have IDAC and we want IDAC. We have identities coming in from the business side, students, affiliate side and federated partner sides. This creates significant issues across enterprise systems. The question: what does the center actually look like? Are all identities created and
managed in one place? I would love to see a simple design for what right looks like, and understand that looks different everywhere from the consultant perspective, but still need the ability to explain the concept to executives. So what is identity at the
¶ Complexities of Identity in Education
center? So first of all, well, thanks for listening, and engineers, and clearly this is an education side of things. We're talking about students. So I think we've said this before, education tends to be one of the most complex identity and access management scenarios you can have, especially when you consider the number of roles and the dynamic context switching that people go through. You can be a student who is all of a sudden a part of the, you know, an employee who could
potentially also be a parent. They could be a teacher and everything in between, and sometimes all in the same day. So very complex, which I don't know if a lot of people recognize just how difficult sometimes managing all that can be on the education side. So kudos to you for thinking about that. What does the center look like? I mean, now we're starting to get a little bit into philosophy, I think, of how you want to manage this.
But I'm going to throw this idea out there because here's what I think. The center of the universe from an identity perspective, in my mind, is whatever your identity and access management system or identity governance, whatever that collection of technologies looks like, is. You're going to have the center of the universe somewhere that's tracking and
storing all that information. Maybe it's one system like an IGA, or maybe it's a couple systems, like you've got some people in IGA and maybe some other people in a, you know, IdP directory or something like that.
But it's really the philosophical construct of where am I centralizing as much of that data as possible to then do stuff with it. So if I have, you know, in the orbit around it, maybe there is a student system and maybe there is an employee, you know, like an HRIS type system, like a Workday maybe, right. All of a sudden you start to pull in some of that data and you're going into the middle. And then what do you do with that?
Well, let's create accounts and you spin off into other planets that are maybe systems, you know, or maybe other use cases and things like that. So I think it's the idea of you are trying to centralize as much of the identity controls as possible, not just provisioning; could be authentication, could be privileged access, it could be analytics, you know, audit,
like kind of all that stuff. That's what I think of when I think of like identity at the center: it's the identities are at the center of your organization. You are providing as many governance or risk controls as needed to make sure you're protecting the organization and the data you're collecting around that. That's true. No, that's really cool. All right. Next question.
No, no, I want to add a few things, but I think that's a big picture look at it. And I made some notes that I wanted to go through, and I think I kind of took it almost from the standpoint of like when we first started, what did Identity at the Center mean to me? And it was always that identity was at the center of information security.
¶ Identity as the New Perimeter
And I kind of took the idea that it's really when they talk about identity being the new perimeter, what does that mean? It's that, you know, we're having less of a focus on the perimeter and kind of keeping the bad guys out. And now we're saying that the individual resources, IT resources inside the network, we have to take kind of a zero trust approach that whether you're inside or outside that firewall you have, you know, you can't basically infer trust.
And so identity essentially becomes the key to the door to get to use that asset or not to use that asset. And I also think it's kind of like it's identity versus IP, or information protocol like TCP/IP. So I think IT security, prior to identity becoming so popular, TCP/IP became the way that you controlled security for much of your network.
And it's still that perimeter concept, but now it's we can't rely on just using TCP/IP as a method for whether or not we trust somebody to come through the door. So that was kind of point number one. I think that, you know, identity is also at the center of the architecture of those applications now, right? So it needs to be kind of like built into, whether it's infrastructure or applications, that there's an expectation that identity becomes a key way to secure them.
And that identity is usually external to the application or the device. So identity is, you know, potentially like coming from the IdP like you mentioned. So that was point number one. I'm actually going to be flipping pages. So identity at the center of information security, I think, is point number one. Identity at the center of business. So there's a couple concepts here. First is, I'm going to say identity is the person, right? Identity isn't the account.
So if you're doing... I don't always agree with that, but go ahead. I know you don't always agree with that, but to me this is an important thing. So if you are doing business with one person, but they have accounts over multiple applications. So a lot of this has to do with, especially on the business side, has to do with what is the use case that you're trying to
solve. But now let's say you're an association or university, you've got all these applications, you have all these accounts, and they each have metadata about the account, which from their perspective that is the identity. But now you want to take, as an organization, you have a bigger picture of that person across
all these applications. You need to have a way to recognize and correlate that they are one identity, one person owns all of these accounts, and that if there are deltas in the metadata, those need to be worked out. So I kind of see the ability to connect those accounts as kind of very powerful and very important to the business, to be able to recognize that identity across all these systems.
And that could be from a marketing perspective, you know, for example, being able to tell buying patterns and predict what that user might want to do next. Ultimately, you need to tie that back to an identity. A lot of that marketing data also is not identity data, like your buying patterns, I don't think, are part of your identity. I think the identity like ties back to who you are. But we can't just have an open book to say everything is identity. You know, your buying
patterns, all of your privacy and context information, like those need to be stored in separate systems, and the identity needs to tie all those things together. What are your thoughts? I mean, yeah, yes to everything. I feel like we're talking kind of the same language. We definitely started with this idea of, you know, identity is the new perimeter. OK, well, that was like five years ago at least, so it can't really be called the new perimeter anymore. I would say identity is the
current perimeter. So people need to update their, you know, their vernacular around that. But yeah, I mean, I hate to say it, but, you know, it also depends on the organization too. Like, what does center mean for them? Because center could be, yeah, we have a centralized team that's doing that, versus we're a very decentralized organization that doesn't have a central team do that.
So I like everything you said. I feel like it echoes a lot of stuff that I said, so good answer. I've got a couple more. OK, I'm going to keep going if I can. All right. Yeah, you're very clearly prepared. And very clearly prepared. So first thing was really like the internal security concept of like identities at the center of your security tooling and the way you should approach securing your infrastructure.
¶ Identity in Business and Government
The second thing is around building business models based on identity. So you know, I was talking about identity as kind of the center point of connecting accounts and connecting data that ties back to a person. I also think on that same business channel that identity is now creating new business models.
And so the first one that comes to mind is decentralized ID and organizations wanting to become the focal point for an identity and basically have that identity information and look at that as an asset and a way to differentiate themselves in the market and get ahead of their competition. But when you say decentralized identity, that leads me to believe like things like blockchain-based, right, or things like that, where there is no
center by design. It's a bunch of nodes that sync up somehow to each other, but you're still working off of the same platform or chain or whatever you want to call it. So how does that work from a centralization standpoint? So I'm not really thinking about that technology per se, but I am thinking of, even, let's imagine a scenario where, you know, say a credit card company becomes a decentralized identity
provider. And if you're to present that identity, you need to come back to that center to validate that that data is, you know, issued by them. Right. Yeah, I mean, so what's the difference between that scenario that you described, right, where you have, let's say you've got a bunch of decentralized platforms, right? One's finance, one's medical, another might be education,
another might be government. It really looks, feels and smells like to me, it's just another version of a social IDP, right? We, we had this process like, OK, well, I'll stop creating accounts and let's, you know, use your Google account to log in or your Facebook account or
your LinkedIn account or XYZ. I feel like we're headed down that same path again, where it's like, OK, use my, you know, finance account chain to log into financing, use my government account login to log into that chain, right? Things like that. Does it? Does it feel familiar at all? It totally does to me. There's kind of like the stickiness of the identity. I remember a bunch of years back when Facebook bought WhatsApp and it was like the amount of money they paid for it was like
stunning, shocking everybody. And it wasn't, I don't think because they were buying the technology, the ability to make phone calls and video calls, right, that that technology could have been had for a lot less money. It was all the identities that they had. And the more identities they could pull into the platform, the more it became central to their business that they could grow their business because basically their business is putting advertisers in front of eyeballs.
I think the stickiness of the identity becomes central to a lot of business models. You know, Federated identity is a big driver that as well. So you know, if you're using your Google account or your Microsoft account to log in across multiple platforms, you know, that's that's feeding into that business model. It's more people on that platform. And that's why you can get so many free services from different providers like Microsoft, like Google paying for.
Yeah, it's not. If it's free, what do you always... You're the product if it's free. Exactly. So that was my next angle. You know, that I think identity's at the center of business for certain businesses. The last thing I think you touched on, which is it's becoming at the center for governments. So especially like government to citizen communication, more and more delivery of those services and management of those services is happening online.
If you're like a county government, for example, you're providing a number of services through different departments within your government. Now you don't want your citizens to have to have a different ID for each one of those services, right? You want to have one central ID, and then all of those services, their web delivery, leverage that common identity. So I think that's important.
And then also from the back end, now that you have that tie, even though you might not have different identities in the back end, you want to be able to pull that data and say, what is John Q. Public doing with X, Y and Z service? Now I know there's privacy implications, all that, but let's just put that aside for the moment. You have the ability to now report across different platforms all tied together with the identity.
Yeah. Well, I think the government side is definitely, it's coming along, doesn't move as quickly as I think people hope, right? Everybody has like X number of government accounts. I think at least in the US, you've got login.gov. You also got things like ID.me, which are kind of at the top level from a government, a federal government perspective. And then you've got your state
government. And then you might have, you know, your local governments, and wherever you're at, it'd be nice to have, you know, a single account, like, you know, my North Carolina ID, or for you, my Georgia ID, or something like that. Why not just use login.gov at that point? I mean, it's just, you know, you have that probably already for your taxes anyway.
Right, other computing services, right, and so, but I think what you're seeing happening, like we're going to be at Identity Week America in just a couple weeks now, maybe a month. And I was looking at the agenda today. There are several sessions about mobile driver's licenses. I think the state organizations are communicating with one another, and there's central organizations that are trying to drive the adoption of standards.
So even given the decentralized nature of our government, of the federated system, it's amazing to me to see how much progress they've actually made. Yeah, I feel like mobile driver's license sounds exciting. And then I was like, oh yeah, it's not in my state. And then I just forgot about it because I can't take advantage of it. Right. Well, it's one of those things that it's probably like AI. It's kind of like an idea, an idea, and then all of a sudden it hits.
Yeah. So in 5-10 years, whatever the cycle is, where OK, now more people are using it. It's kind of like the REAL ID switch here in the US, where everybody had to go and get their driver's license if they want to fly, basically. And I think the cutoff is, is it over already or is it in the next couple months? I don't know. They've shifted a bunch of times because it's taken a long time to roll out.
I never worried about it too much because it didn't affect me, because I was on one for a long time. Yeah, I've had mine for a while too. Just for how much, as you know, I fly. Wanted to get that taken care of right away. Yeah, exactly. But can you use a mobile driver's license at a TSA checkpoint, or do you still have to have the physical card with you? I don't know. I don't know. I have to look that up. Yeah, I have to research
that one. But there's a use case where it's like, if I still need it to fly, the value is extremely limited for me. Yeah, you'll be happy. How about when you get pulled over? I rarely... I can't remember the last time I was pulled over. I probably was like a teenager. Yeah, you know, I got pulled over maybe 10 years ago 'cause I rode right near my house. And the weird thing was the police officer asked me like, why were you speeding?
And I said, well, I've been having problems with my transmission, it wasn't shifting. And this is a true story, like, so I was like stepping on the gas to see what the shifting points were. Yeah, yeah. Doesn't sound very likely. They went back and wrote me a ticket. I was like, great, that's fine. Do that out on a country road somewhere versus... I guess so. Or something, I don't know. I was doing it where it was happening.
So, OK. So that is all I have for that question, Jeff. I hope we addressed it right. I don't know, I mean, maybe I feel like he gave us an out with understanding that looks different from a different consultant perspective.
¶ Centralizing Identity Data for Success
But I guess from an education standpoint, I still think trying to centralize as much of that identity data to do stuff with provisioning, deprovisioning, you know, single sign-on, adaptive MFA, right, all the bells and whistles. I think as much of that as you can pull into the middle somewhere, again, doesn't have to be one system. Maybe it's a collection of IAM systems that are doing this.
I think that maybe helps articulate it to some degree, because once you've got it there, then you know you can do whatever you want with it. Let's go off and provision those accounts. Let's make things that are self-service. Let's run into analytics and behavior analysis, right? And all kinds of stuff like that. Let's adopt single sign-on and provide options where you can switch your, you know, your context based on whatever your role is at the time.
OK, I'm logging in as a teacher or faculty. I'm logging in as a student. I'm logging in as a parent, right? Whatever that looks like. I think you're in a better position for success if you can centralize as much of that data as possible. The higher ed space is very difficult, even if things kind
¶ Challenges in Higher Education IT Systems
of just operated like, all right, there's these various personas and, you know, we cut the politics. You just said we got these various personas and we have to make them work. That would be hard enough. But layer on top of it, someone at a higher ed client once told me, he's like, what gets confused in the university system is people confuse academic freedom for administrative freedom.
And so you had people who were responsible for managing IT systems saying we have to have our own directory, we can't leverage a common directory. I've worked with some higher ed clients who put the kibosh on that and insisted that they do centralize certain things, and they've been decades ahead in
terms of their approach. I've seen other clients where it's like nobody ever put the kibosh on, and they're still dealing with those issues, where it's like it's hard to do anything from a centralized perspective. It's hard to do a centralized e-mail domain even, or an Active Directory, because there's so much administrative freedom that is allotted to the colleges that they're just going off and doing their own thing.
I mean, it's true for, you know, any organization where you allow splitting of IAM functionality and resources and, you know, different services. You're going to run into that issue at some point. So we had another question.
¶ Listener Question: Confirming Identity Over the Phone
We have time for another question. Yeah, let's roll. All right, so this question was from our listener, Scott. Jim, it might be interesting to have a discussion on the Identity at the Center podcast about how you confirm identity when you have a user on the phone. We have historically used the last four of a person's SSN, but with all the recent releases of SSN data, we're no longer sure that's secure as a method to confirm identity.
¶ Weaknesses in Caller Authentication
I think this is such a good question that highlights something that I find in almost every client that I work with is weakness in how do you authenticate callers to the help desk? Jim, is that you? Yep. OK, here's your password. Yeah, that's basically what a lot of organizations do. I mean, it sounds silly, but it's basically the same thing.
You're asking for public pieces of information that are already out there, whether it's an SSN or tell me who your manager is, that I can find out on LinkedIn, right? All kinds of stuff like that. It's a good question because I think it highlights a scenario that is maybe not addressed very well either by the identity market. I can think of one or two products maybe that kind of fit
in this space. And I think this is a real challenge for a lot of organizations, because they do fall back on SSN or they fall back on, well, what's your phone extension, right? Little pieces of information that are really not, you know, difficult to try and find. Yeah, I know. You painted the example perfectly, so I again wrote down a bunch of
notes. I wanted to give these questions a fair shake, so I went out to the IDPro Body of Knowledge, and by the way, plug for IDPro: fantastic organization, very reasonable fee to join, and the Slack channel is worth the money. Just seeing the conversation or being able to drop your questions on that Slack channel and get responses, fantastic. The Body of Knowledge is also very, very good. And so Dean Saxe. I hope I get that. Yep, that's Dean.
We're going to have Dean on the show, by the way, because, we'll segue, at Identiverse he had a talk about what happens to identities after people pass on. And we have to, like, talk about that. It's not a subject to talk about, but you know what happens in that scenario. So I know that we got to get him on. So Dean, if you're listening, we haven't forgotten. We're going to get you on. Oh, go ahead, Dean. Reach out, because I'm giving you major props here.
So I read your Body of Knowledge article on account recovery, and you had a statement in there that went something like the account recovery process needs to be stronger than that which it is recovering. So in other words, if you're trying to recover a password, it's stronger than a password; if you're trying to recover a second factor, it's got to be stronger than the second factor that you're trying
to recover. So I thought that was pretty genius, and I found that kind of like after I wrote some of these notes. So hopefully I don't, you know, negate anything that I just said, but I thought that was great. I'd get out there, everybody, and read that article. It's in like version three or something. Which is great, because I was going to point that out. It's the Account Recovery V3. If you go to idpro.org, click the link for Body of Knowledge.
You'll see one of the articles there is Account Recovery V3, which is great, because a lot of times people write articles and they just let it sit and then the information comes out of date. So kudos for updating. Yeah, and I'll put a link in our show notes too. Yeah, put a link, that would be great. So, OK, so common faulty practice, I think, is what Jeff just said: any kind of KBA. So what's your mother's middle name? Or what's your favorite
podcast? Of course, everyone's going to put Identity at the Center. Of course, it's like, what color is grass? You know, got to get that right. So then I came up with kind of good practices.
¶ Best Practices for Identity Verification
So first things first, I think the best starting point is to minimize the number of calls that people are going to have to make and have to identify themselves in the first place. So this whole space is around identity verification. If you're getting hundreds of calls, it's going to overwhelm your help desk and they're going to be more under the gun to close tickets, etcetera.
So humans will human. So if you can use self-service password reset, for example, you're going to cut those calls, you're going to have fewer people calling into the help desk in the first place. I think the next thing, kind of around this subject, is training the help desk, to the extent that you can, on social engineering.
So social engineering was behind, and I hate naming breaches or companies that have been breached, but MGM, and there was a big YouTube one. We'll swap out any company name. Chances are that the reason they got breached was probably through social engineering. Yeah, social engineering, it's not just your one-off teenager hacker. There are whole organizations built around this and they're experts at social engineering. So train your help desk on what to look out for.
If you don't know, then get on AI and start asking it questions so that you can train your help desk, and hopefully they recognize it the same as phishing, right? For e-mail you get all these phishing emails, and you get pretty good at spotting them after a while. But that's getting harder now with AI writing these a lot better and people putting more information out there.
It's becoming difficult to spot. You used to be able to say, OK, well, this clearly, you know, doesn't make sense in whatever language you're, you know, fluent in. This doesn't make sense. Now it's almost indistinguishable. So I don't think you can count on that anymore. But you're absolutely right, like what to look for. You know, I would also say call your help desk and test them.
Do a little bit of pen testing on your own, right, and see what you can get away with, and start to realize where some of the issues might be and where you want to focus training, or other processes to help with that too.
Yeah, some of these things I'm going to mention are like short-term things you can do, like call the person back on the known number, use caller ID. Hopefully you're not getting spoofed on the caller ID, which is something that an advanced hacker would probably have in place. Third-party verification tools like Experian, I think, is one where you can start asking questions like, you know, which of the following cars did you ever own?
Those ones, you know, you're not going to ask everybody those ones. But if you start to get somebody who can't answer some of the basic questions, but just really needs to be unlocked. This is actually one thing that this triggered for me: there's a difference.
If somebody is calling and they need to identify themselves to change the password to kind of a low-risk thing, versus if it's somebody who needs access to an employee account, for example, that's going to put them into the trusted network and let them start a data breach. So, yeah, let alone admin accounts, right? If I'm an ACT to admin calling in for a password reset, that should immediately set off a different process to verify that person. Right.
But your help desk has to identify these are, you know, kind of a level one type of account or whatever. And everybody's going to assign their own risk to some of these things. But I guess what I'm saying is not all these processes are appropriate for all levels of unlock. I think things that are in here, until I got to that last one, are things that potentially you could employ regardless. Now best practices, I think, for identity verification are some biometric-based system.
So starting to think about that selfie thing where you hold up your ID, like your driver's license or a passport, and you do a live selfie test. Those things, if you can get those in place, long term that's going to put you in a much better position to do unlocks. But it's relatively advanced and kind of expensive for what it does, especially when you try to think about different identity assurance levels, 1, 2, 3, whatever it might look like. Yes, it's the best.
Is it realistic though? For a lot of companies, probably not. Maybe finance, maybe. I could definitely see the medical, but medical, or health generally, typically don't have as much money to spend on stuff like that until there's a problem. Government for sure. I mean, they're kind of doing that now for a lot of stuff. Yeah. So, dialing back to good, I think even multi-factor authentication, being able to
send a code to somebody. Look, I mean, you and I fly Delta a lot; if you use their chat application, within their chat application they require you to go out and re-authenticate. So anything like that. Where chat works for you? Usually it's just me trying to get help on a flight and the in-flight Wi-Fi stinks and so it doesn't. No, where were you going? There you go.
So I think some of those solutions are certainly things that you can get value from at a low cost, especially if you're talking about a large customer base, when you're talking about employee access. I think one thing you said there, it's unfortunate, it's like people aren't going to take this seriously until they get hacked. Yeah, OK. Well, if that's the case, then we might as well just shut up. Stop doing this podcast. Let's get rid of it, that's it.
Identity is no longer at the center. It's just a free-for-all and, you know, have fun with all the data. Yeah. But I think the last point I'm going to make on the identity verification stuff is you said, well, it's very expensive. It might be too expensive for you, but I think it's worthy of doing the research and going back and seeing if you can build the business case. You know, it certainly could reduce the risk profile. Yeah, maybe it makes sense for a
certain population too, right? Executives, admins. This does not have to be a binary, all-or-nothing type of approach. I think you need to figure out where the risk is and how much money you want to apply to reduce that risk. Amen. How do you feel about sending an SMS to an employee? Maybe you already know what their cell number is. Hey, I'm going to text you a code to make sure it's you. I think that's
better than nothing, right? I mean, we know the issues with SMS, right? Not the strongest, but better than an SSN, I would say, right? It's definitely better than KBA because it requires that you either somehow hijack the SMS routing or that you have the person's phone, which is a very real scenario. I'm sure there are also applications you can use to log into the person's account to intercept their SMSes if you know their cell phone
credentials. They're using WhatsApp. If you're using WhatsApp. Or Facebook account. Yeah, yeah. So, but I think if you combine it maybe with some other options, so maybe it's just as simple as hey, we're going to send you a text message and ask you a couple of questions that kind of validate it. Better than nothing, and probably better than what most companies, I would argue, are probably doing today.
Yeah. I think that if you came up with a framework that includes a few of these different things, like questions, the KBA, some kind of hardware verification, and then a framework for, like, certain accounts, you've got to be 10 for 10 before we're going to unlock you; other accounts, you know, maybe if you get 9 out of 10. On the other hand, if you say, I don't have my cell, I lost my cell phone, I don't have access to my e-mail. You know, there are very real scenarios where that actually
could happen. And I think you have to look at the risk associated with somebody who says, I need all that, and you have their account flagged in your database that they're an administrator. It's like, I'm sorry, you're going to have to call your boss and get him to do something. Or her. How do you feel about that, having, you know, the person's manager get involved in the password reset? I think for standard resets it's not a great idea, but I think when you're talking about
an administrator account. I'm thinking of scenarios where a lot of companies will maybe have their process where, you know, they recognize maybe that they don't have a good way to validate the caller. And so they say, I need you to, you know, call your manager, or we've sent the new password to your manager, call them for the password, or something like that, right? Some sort of secondary step that kind of goes through the process.
Right. I mean, I can see that scenario getting socially engineered. Anything can be socially engineered, but yeah, it's better than just asking for a Social Security number and then just sending you over the password. So, stop using SSN, it's not secret anymore and it's not secure. And don't use employee number either. I see a lot of organizations like, oh, employee number, and then they print it on their badge. Like, OK, well, that's not secret anymore either. Right.
Yeah. I mean, I think that, you know, the primary factor is the risk that you are being socially engineered. And I think there are certain accounts, and there are quite a few accounts within the organization, that just can't afford to have that happen, and inconveniencing somebody is a big deal. But let's say the scenario is somebody called you and they said, I work for IBM and I need
to, I'm not picking on IBM, it's just the first thing that came to mind, and I manage your servers and I need to unlock this person's account, or I need to unlock my account because I can't fix this production system that's down right now. And then they can answer some basic information about themselves and who they report to and things like that. All things that maybe they got off of the company's Yammer site
or something like that. Now the person potentially could be socially engineered into unlocking that account. In other words, there's a production system down, and if I don't get this thing fixed, I'm going to be fired. Yeah. Well, what are the odds of, well, I won't say odds, but I mean, that's how attacks work in the real world: they move up and over and laterally until they find it. They could have breached a regular person's account. They had access to the Yammer.
They had access to the corporate directory. They've done, you know, enough recon to find the information on who they want to target and get information around it. And that's how it works. And so they work up and over, right, until they get to what they want. Right. OK, so do we ask a question? Imagine this: they even have the person's password, and what they're asking you to do is reset the MFA. I just got a new iPhone today. Yeah. And they want to re-enroll the device or whatever it may
be, I don't know. There's a lot of ways to do that. Hopefully that adds some color. I don't think there's a black and white answer. It depends on your situation, and it's about hardening the process to the appropriate level. But I think we can agree that SSN is no longer. It hasn't been for a long time, but if you're using knowledge-based authentication, and especially knowledge that is leaked or easily obtained, right?
Whether it's an SSN that's part of a massive leak, or something where I can go on LinkedIn and do a little recon and say, OK, well, now I know who that person's manager is, right? Or things like that. It's to move away from stuff like that and maybe shift to looking at different risk-based models based on the type of user or who's calling in, right? Or some of those different kinds of options. Right. But not SSN. Don't use this. I'm going to draw a line right there in the sand. Agreed.
All right. Well, thanks to Scott for that awesome question. Yeah, that was a good question. And to our anonymous listener, hopefully we helped them out with the Identity at the Center one. If not, let us know, send us another e-mail. We'll take another crack at it, or we'll hop on a phone and just talk about it. We could do that too. And Jeff, I'm just sitting here thinking, like, anonymous e-mail kind of sounds like we made it up. I swear we did not make.
No, they asked to be anonymous. And you know, we're identity and access management professionals. So of course we're going to honor that. Of course, if they feel like sharing, they can post on LinkedIn after they hear this and they can do their own thing. How about that? That sounds good. OK, we should end this thing on a lighter note, since we do that every week.
What do you think? Yeah, so episode 300, this is it. What does episode 500 look like?
¶ Future of Identity and Access Management
What are we talking about 200 episodes from now, which is probably, let's call it somewhere between three and four years from now? So when you say we, do you mean me and you, or AI? Or AI counterparts. Yeah, whatever. Episode 500 of the Identity at the Center Podcast. Sounds like blank will be the topic that we're addressing, the main topic. I mean, we talked about the whole thing with mobile driver's licenses, and I think that's going to be very much our
reality. And we'll probably be having discussions about whether or not they should be used by more things, if we should be using mobile driver's licenses as kind of a federated identity capability to authenticate to more things. So I do think that's a real one. And I think AI, it's like, what are all the possibilities that AI can bring to the things we do today? I don't think AI is going to be at the point where it's managing large pools of identity implementations.
But I do think that some of the, like, what we discussed with Merrill, where you can go into your system and just use human language to say what you want it to do. And we're starting to see the fruition of that come forth. What do you think? I hate to say it, but we're probably going to talk about the same stupid things. People aren't using MFA, or what are the basic theories of the time. How do I sell IAM to my organization?
People just haven't gotten buy-in yet. Or maybe they sold it once and they need funding again to catch up because they didn't sustain the investment to stay current. I hate to say it, but I have a feeling we'll still be talking about stuff like that. But AI for sure, I think. I don't think it's going away. Trying to think what else? Episode 500. I mean, three to four years from now, hadn't we been like three to four years away from, like, blockchain identity?
Now you're like, is this the next three to four years? Oh sure, it's coming along, right? Or the end of the password? Will we still be talking about the death of the password at that point? I think so. Yeah. Yeah, I do. Yeah, I, and I don't mean it to be pessimistic, right. These are conversations that take place in every organization. It's, you know, yeah, we continue to have to sell the value of identity and access management. And how do we do that?
Because there's always going to be competition for dollars and resources to get things done. And no organization is unlimited. Well, maybe a couple, but they are the exceptions. So there's always going to be that conversation of, okay, well, what's new? How are we staying current or ahead of the curve, right? What are the new threats that we're talking about? AI, I'm sure, is going to introduce things we haven't
thought about. I'm sure somebody's going to get creative, and quantum is going to become a thing we're going to be talking about. Well, how do we make sure that quantum is not wrecking all of our security algorithms, right? Things like that. So there will be things, but fundamentally, we're still going to be talking about the same thing. Do the right people have the right access to the right thing at the right time? And is that access appropriate? There we go. That's good.
That's good. Hey, I just thought of something else. We never mentioned that we got
¶ Upcoming Conferences and Final Thoughts
accepted to present a use case at the Gartner IAM Summit in December of this year. It's been a couple weeks, man. It has been, man. It's like you can barely keep up with the good things happening. But on that front, I'm working the angle to try to get us a discount code. And of course, we won't have a discount code unless it's the best one. So keep your ears on the podcast.
Hopefully we'll have a discount code for the Gartner IAM Summit here coming up. Yeah, that's going to be exciting. I think we had such a good time at the last one doing the on-stage, sort of, a mini Identity at the Center with Becky and Henrique on stage. And we may try to do something similar to that again. But yeah, it's an honor to be nominated, and looking forward to doing whatever it is we're going to do there.
Yeah, and shout out to Becky because she really shepherded us through the process here. So very grateful for that. Becky's good IAM people, about that. That's a good, good point. All right, let's see. Anything else? I know we're gonna be at a bunch of conferences. I'll just put all of our discount codes in the show notes. It's also on our homepage at idcpodcast.com, so I try to keep
that updated. Now, if you just scroll down just a little bit, you'll see the different discount codes for Identity Week, the Authenticate conference, the Sempress conference, hip conf, basically. And then if we end up with something for Gartner, it'll be there too. But we'll have all that in our show notes.
And hopefully people come out and either, you know, say hello or support us. Using the codes is the best way to support the show, to show that we can, you know, bring a party to these types of things and have some fun at these conferences. Heck yeah. Yep, all right. idcpodcast.com, @idcpodcast on X or whatever it's called at this point, idcpodcast.tv. Please give us a like and subscribe. We are trying to grow that channel as much as we can.
And if you haven't, if you're listening to this while you're walking around, which I know some people do, just click over to the YouTube real quick and just hit like and subscribe. It means a lot to us. Let's see what else. And yeah, connect with us on LinkedIn, you know, definitely get questions like we got today and we'll keep bringing it, and hopefully you guys keep listening. So with that, we'll leave it there for this week.
Thanks everyone for watching or listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
