Subscribe
Share
Share
Embed
AI-Powered Identity Verification: Beyond Passwords and into the Future
In this episode of Cyber Sentries, host John Richards sits down with Michael Engle, co-founder and CSO of 1Kosmos, to explore how AI is revolutionizing identity verification and authentication in cybersecurity. Mike brings decades of experience from Wall Street to modern startups, offering unique insights into the evolution of digital identity protection.
The Identity Crisis in Modern Security
Identity verification has become the new perimeter in cybersecurity, accounting for 80% of security problems. Mike explains how traditional methods like passwords and basic MFA are failing to meet current security challenges, especially as AI agents become more prevalent in our digital lives. 1Kosmos is tackling this through advanced biometric verification, behavioral analysis, and AI-powered authentication systems.
Questions We Answer in This Episode:
- How is AI changing the landscape of identity verification?
- What makes biometric authentication more secure than traditional methods?
- How can organizations transition from password-based to identity-based security?
- What role do digital wallets play in the future of identity verification?
Key Takeaways:
- Identity verification has replaced perimeter security as the primary security concern
- AI enables more sophisticated identity verification through behavioral analysis and pattern recognition
- Biometric authentication offers a more secure alternative to traditional passwords and MFA
- Digital wallets are emerging as the future of portable, verified identity
The Future of Digital Identity
Looking ahead, Mike discusses 1Kosmos's work on digital wallets and universal identity verification systems. These innovations aim to create reusable, trusted identities that can work across multiple platforms while maintaining security through biometric verification and AI-powered fraud detection.
Links & Notes
- Learn more about Cyberproof
- Learn more about 1Kosmos
- Got a question? Ask us here!
- (00:04) - Welcome to Cyber Sentries
- (01:03) - Meet Michael Engle
- (03:03) - Identity Threat
- (04:09) - With AI
- (05:50) - What 1Kosmos Does
- (12:48) - Adapting with AI
- (15:42) - Protecting Credentials
- (26:36) - Passkey Challenges
- (28:12) - AI-Driven Development
- (32:18) - What’s Next for 1Kosmos
- (34:40) - Learning More
- (35:42) - Wrap Up
Creators and Guests
What is Cyber Sentries: AI Insight to Cloud Security?
Dive deep into AI's accelerating role in securing cloud environments to protect applications and data. In each episode, we showcase its potential to transform our approach to security in the face of an increasingly complex threat landscape. Tune in as we illuminate the complexities at the intersection of AI and security, a space where innovation meets continuous vigilance.
John Richards:
Welcome to Cyber Sentries from CyberProof on TruStory FM. I'm your host, John Richards. Here we explore the transformative potential of AI for cloud security. This episode is brought to you by CyberProof, a leading managed security services provider. Learn more at Cyberproof.com. On this episode, I'm joined by Michael Engle, co-founder and chief security officer at 1Kosmos, a company tackling one of the hardest challenges in cybersecurity, verifying that users are who they say they are. We dig into today's top identity threat where traditional verification methods fall short and how 1Kosmos is using AI to go far beyond passports and driver's licenses validating identity across a wide range of document types and behaviors.
Hello, everyone. Thank you for joining Cyber Sentries today. I'm very excited to be talking to Mike Engle, co-founder and CSO at 1Kosmos. Mike, thanks so much for coming on the podcast.
Michael Engle:
It is great to be here. Looking forward to our chat.
John Richards:
Well, before we dig into a little bit of what you all are doing in the AI space around security, I'd love to hear a little bit about how you got to where you are today, co-founding a security startup. What led in your journey to get you to this spot?
Michael Engle:
Yeah, it's probably a bit of a unique journey. I got my first computer when I was 10, Tandy Radio Shack Color Computer 2. I started kind of hacking into things with modems back in the day, so online bulletin boards. There was illegal credit card theft and long distance stealing, all that stuff going on. I just took a lot of interest to the security side of it. Some of my friends got arrested for doing bad things, so I went into the white hat world pretty early.
John Richards:
Probably a good choice.
Michael Engle:
I got my first... Yeah, yeah. Otherwise, you end up in bad places. Not allowed to even use a calculator. So, I got my first gig in Wall Street in the mid-90s and transitioned into Lehman Brothers in 1996 and built the security program there. I spent 12 years doing really nothing but security, built a great program, a great team, and I'm not sure if any younger viewers here or listeners would know about Lehman Brothers, but it's the largest bankruptcy, I think the largest one in history. It's either them or WorldCom. So, after their sad demise, I decided to change tracks and get into the venture-backed startup world. So, I've started a couple of companies, a couple of very successful ones, including 1Kosmos and decided to stay in the security space, but with a twist on identity that we'll talk about here today.
John Richards:
Awesome. Well, I'm excited to hear more about that. Now, since you've been in this industry for a while, top threats kind of morphs over time and what people are worried about. So, what are the top threats that you're seeing out there today? What should people be focused on?
Michael Engle:
Identity. It is 80% of our problems. So, when I first started doing security, it was all about perimeter and firewalls and keeping bad guys out. But now the internet is everywhere. You log in everywhere, you do things everywhere, so there is no more perimeter. And the term that we use is that identity is the new perimeter. If you can identify accurately who's doing something, that solves most of the problems, right? Bad actors, if you knew who they were, you wouldn't let them in. Some of the stats floating around, there's a phenomenal annual report from Verizon called the Data Breach Investigations Report, and just check the trends on that over the past couple of years in identity and what they call the human side, either making a mistake or giving away your credentials or letting your passwords get stolen, et cetera. Is the number one problem.
John Richards:
Do you see AI exacerbating that issue or are starting to make it less of an issue as we use agents or is identity just as critical for how you roll those out and what permissions they have?
Michael Engle:
Yes. Are you using AI yourself?
John Richards:
Yes.
Michael Engle:
All the time, right?
John Richards:
Yeah.
Michael Engle:
So, this term agentic AI, you have agents that do things for you. Imagine having 20 agents now working on your behalf to do your shopping or organizing your things, just being your online agents, whatever they are, each one of them is going to need an identity. How do I know they really is John's agent? So, there's that whole side of it, but that's just kind of the mechanics of how we trusted. Same way, like you didn't know who was logging in back in the Netscape world, who's logging in? So, we created usernames and passwords. Those didn't last very long to being safe and secure.
So, there's that side of it, which the industry has not figured out yet. How do you give ChatGPT the agency for you to go do things? But on the attacking side, of course now there's deepfakes and I can clone your voice literally in seconds, and right now you don't even know if it's me, right? Do you know that this is me or is this somebody else who pressed a button in the deepfake software of the day and have cloned my likeness? So, there's a lot to deal with.
John Richards:
Yeah, I don't even think about it. Maybe I'm happy being oblivious, but that just means you're vulnerable if you're not staying aware what the attackers have access to.
Michael Engle:
That's right. That's right. And you're seeing the attackers take advantage of this everywhere in the personal side, on corporate side, that we can talk a bit about that.
John Richards:
So, with this identity kind of piece being so important, what is it that 1Kosmos is doing that's different? How are you tackling this challenge in a way that's different from what other folks are doing out there?
Michael Engle:
Yeah, a couple of things. So, let's say you and I wanted to have a trusted conversation now. Right now it's not, I really don't even know if you're John.
John Richards:
That's true.
Michael Engle:
Are you seriously?
John Richards:
I hope so.
Michael Engle:
[inaudible 00:06:19] nice. I feel like a little foolish because I didn't check this out ahead of time, but it doesn't matter. We're just having a chat. I'm not sending you my bank account yet, but could you give me yours please? So, there's a couple of things I could do that are actually not that much friction. I could right now press a button or paste a link into chat here and have you just proof who you are in about 30 to 60 seconds. And how would I do that? Well, you have proof in your possession that you are you. You have a driver's license, a passport, a state ID, et cetera. So, our tech would let you just take out your camera or use your desktop, scan the front, back and look into the camera and do a live selfie. We call that identity verification or identity proofing. And so, that's getting more and more common because you can't trust. How else could I prove it's you remotely? You could hold up your library card or whatever credential you have, but I couldn't trust that.
So, our tech will check 100 overt security features on your credentials, could even look you up in sources of truth. Like is that a valid New York driver's license? And do you live at 123 Main Street? There's a whole kind of art and science that goes into that that I can prove who you are very quickly, and we're bringing that to market in a whole bunch of key scenarios that businesses and consumers need.
John Richards:
How do you handle though that? So, that's all data to have on hand. Do you need that every time or is there a way once you're authenticated, you can use something to more rapidly authenticate the balance between the privacy concerns and ease of use and handling this sensitive data?
Michael Engle:
No, exactly right. So, the user experience is our focus, and one of our superpowers is turning that experience that I just explained, your identity verification into a reusable credential. So, imagine now you log into your bank or your trading site today or whatever it is, and you do username, password, MFA, right? You have to go fetch a code or get a push on your mobile app that's old, stale, tired, pain in the butt, and the hackers know how to course that or get it or steal it or bypass it, right? So, what we do is we'll give you a couple ways where you can have a single touch passwordless experience that still proves that you're John. So, for example, you will go through that proofing exercise because I just pasted you a link where you called into my help desk and I need you to proof who you are.
I can say, "Listen, great. Now with the 1Kosmos authenticator app, you have already established that identity in that device, and you can just push a button and prove that you have that going forward." Right? So, it's like an authenticator. You have Google Authenticator or Microsoft Authenticator and all these things, but they don't have an identity link to them. We've actually put that verification process into the authenticator so that when you press the button, like you use your authenticator in a traditional way, what comes along with it is really cryptographic proof that you're still John tomorrow, the day after, a year later, and that's a real game changer. It's that reusable verified identity that gets you into any system.
John Richards:
Yeah. So, you've moved beyond just codes, now you're using real human data that you've validated.
Michael Engle:
That's right. That's right.
John Richards:
My mind's just spinning trying to think through the ramifications of the next level of what that enables, beyond trusting that, "Oh, hey, this code alone, you're getting actual data about this." Because I see this now on, if you think about applying for a job somewhere or something, you're like, "Oh, you've got to add in all of your data to prove who you are when you start somewhere new or you get a new account, but it's this one time thing, and then you're just kind of trusting going forward." But here you've kind of got that continual chain of verification that adds a new level of security to it.
Michael Engle:
Exactly, exactly. And so, there's another thing we should talk about a little later in our chat, but it's how do you make that work for anybody, right? Because what I just said is that the proofing works for 80%, 90% of people. There's some challenges with maybe usability or the phone's not working or I just don't get it. I'm too old to hold a phone. I'm not far from that. But what if you don't have an app and you don't have the ability to link that authenticator? That's kind of heavy, right? So, the other thing we've done that makes this really usable is I can turn your biometric into an authenticator, which means it's just you. So, no app needed, which again is a statement that I don't think anybody else can make. So, you go through that proofing exercise and I'm basically going to link your live selfie to a reusable authenticator that has deepfake mitigation and liveness built in and all those things that help stop the bad guys as well.
John Richards:
Wow. So, when you say a live authenticator, so this is kind of stored then in 1Kosmos ecosystem so they don't have to have it, and that can be re-referenced each time they go to use this again versus having their own app. Am I understanding that right, or am I completely missing where-
Michael Engle:
Yeah, it's kind of like, "We'll be a custodian for you." Now, the beauty of it is we don't actually store your image. So, we've created something called Live ID, which is a one-way hash, security experts will know about hashing. It's when you take a string, a password and turn it into math and a whole bunch of characters that can't be reversed. And so we can do that with your liveness as well. So, imagine you look into the camera and here comes this one-way block of numbers that even if you got those numbers, they're useless, they can't be reversed. And so if somebody were to get into our system and steal all of these things, it's just math that they've stolen a bunch of floating point numbers that they wouldn't know what to do with. So, that's a real game changer as well, because you have systems today like the experiences you get at the airport, they're storing your photo in a central database, and that's where the privacy laws and other challenges when you get hacked can really bite you in the butt.
John Richards:
Wow, okay. Yeah, no, that makes a lot of sense. It's coming together. So, how are you using AI in this space? I mean, you have to be knowing some level for the facial recognition, but I'm sure there's a lot of other spaces. How are you using this to expand what you can do this with identity?
Michael Engle:
The old way of doing verification is to look for all of the things that you know. So, I know that somebody logs in this way or verifies this way and you check all those things. So, it's kind of programmatic. You have to program the rules in. But what we can do now is let's say we've seen a million driver's licenses or passports as you can start to ask our AI engine what's common across them and start to look for outliers. So, it's that self-modeling that it can do that applies to not only scanning documents or scanning your live selfie, but the behavior of people as they engage with your system as they authenticate. So, bots have a certain behavior, you have a certain behavior. So, have you ever seen systems that... A away to tell that you're you just by the way you walk?
You can do that with the way you type, with the way you move a mouse, with the way your face and hands move. So, these all become part of what makes it harder to then spoof or fake as well. So, it's multiple signals that the AI engines cannot put together to paint a real good picture that this is John and not a bad actor or a bot or somebody using deepfake software.
John Richards:
Wow, that's incredible. It reminds me of, I heard when they're training like bank tellers, I guess this is more even back in the day, we moved to so much of a cashless society, but to detect fake bills, they didn't show them a bunch of fake 100 dollars bills. Instead, they just touched a lot of real money so often that then when they felt the fake bill, they could tell immediately it was different than everything else they'd had. And in a way, this idea of you've seen so many different driver's licenses that are valid across your system, that the moment when one stands out as an anomaly amongst that, it's like, "Oh, well why is this different? I've seen millions or billions, whatever it's been, of these type of documents." And the value in AI as we kind of grow there is how much context do you have to give it because that's what's unique about a person, what's unique about an organization? And so, how you're leveraging that to find these new attack methods is fascinating.
Michael Engle:
Yeah, exactly. It applies to anything that we do en masse, self-driving cars, right? The way Tesla has modeled its driving intelligence is by watching millions of hours of real drivers, hopefully good ones. That's not road ragers and people drunk, but no, it is pretty amazing. And we've applied that to both identity verification and the authentication side.
John Richards:
Now there's a growing worry maybe is the term for it, but of folks that maybe have credentials and there's these third-party folks that may be contractors or something that may be selling credentials, is there anything you can do to help in that space where you've got... It's not like, "Oh, I thought my stuff was secure, but I'm going through this chain of command." How do you kind of address that level of identity?
Michael Engle:
Yeah. So, your credentials have been stolen hundreds of times and it's getting worse. Now they're getting copies of your driver's license from banks and all these things. So, you can't trust the inferential forms of identity anymore. And let me explain. When you open up a new bank account here in the US, many banks still just use your data to prove you're you. "Hey, John, what's your social? Give me your date of birth, your home address." And then they may send you a text message hoping that they have the phone number right for you and that's how they open the account. They're not even doing the driver's license scanning. And of course, bad actors have all that data. All they got to do is get one code from your phone and it's game over. And they can do that by stealing your SIM. All right, just go down to T-Mobile and swap it out.
So, the only way is to prove it's you. And we do that with the biometrics that I mentioned before. So, you'll find that there's some organizations that are more forward-looking and they do real identity verification, and it's not just driver's license and passport, but there's other sources of truth about you as well, including your bank account, right? Banks have pretty good security. They've got a lot more to protect. So, if you can prove you have a valid bank account and you can log into it, it's another really great signal that we can apply. So, it's a combination of things, but we need every, what we call relying party. All those people that are using identity to provide services, we need them to up their game. They can't just take data anymore and say, "Oh, that's John."
John Richards:
Yeah. So, folks that do, is there a way to handle weak points in that system? And maybe that's where the anomalies or things like that might pop up. But if you've got folks that have taken in bad data and like, "Oh, can I use this to then poison the whole chain?"
Michael Engle:
There's different levels of identity verification, which I think is where you're going. So, if you're just scanning a driver's license, give me the front, give me the back and do a selfie. You are in an arms race with the bad guys because they're going to get really good at making the fakes to the point where the hologram is perfect, the fonts, the size, the shape, all that, and your system may get bypassed. So, there's standards in the industry that help measure whether a company has gone through the paces to do this right. One of the top standards is from NIST, right? The NIST standards body, it's NIST 800-63-3. So, this came out in 2017 and it says, "Here's how you do remote identity verification. We need multiple sources of truth. We need to look it up in the database. We need to reach out to you at a known address of record. We need to do the selfie match."
So, it's not just this one thing. It's not just scanning a license, but it's six or seven things all tied together doing triangulation. Now there's more friction in that. There's more times where it's going to fail. But if you are a government agency or a healthcare agency, those are the two bodies that have mandated the use of that standard. You have to go through quite a bit of testing to be able to provide and serve those governments and we're one of a handful of players that have been certified to work with the government at that level.
So, I think commercial entities should follow that similar standard. And you're seeing more companies, just your banks or Fortune 500 likes reference that standard for things they're looking for, even though it was made just for government agencies and healthcare so far. So, that's really helpful. And then in that liveness, you see talking about deepfakes and AI and the bad guys, there's several certifications from the Department of Homeland Security and testings that were done. There's something called PAD, presentation attack detection, and there's a couple independent labs that test products, and we just got our PAD level two certification. We put out a press release about this a few months ago. That's a really rigorous test. You've seen Mission Impossible.
John Richards:
Yes.
Michael Engle:
You've seen Tom Cruise do the rubber mask?
John Richards:
Right.
Michael Engle:
Right. Where he can become anybody. Well, our stack has been tested against that actual attack. So, rubber masks, injection attacks, software that manipulates, they spend hours and hours on one attack and up to like $300 in materials for one attack, and they do hundreds of attacks, and we pass that with 100 percent. So, if you look for these kind of five standards and testing criteria and apply them to your suppliers, your vendors, whatever, you'll have a much better success rate in stopping bad actors.
John Richards:
So, for organizations out there that say, "Hey, I'm still using a username and password, I want to up this." Looking at these standard bodies and saying, "What level..." And even shooting high and saying, "How do I mature up to this spot?" Is that the way to go to say, "Hey, I need to get off of this system. I need to move to something that is more robust, has biometric and is verifiable identities." How do you recommend a company that really is at the very beginning of that journey and says, "I want to really adopt this." What's the path to get there? Is it as easy as, "Hey, grab 1Kosmos vendor and be done?" Or is there a lot of internal where you're like, "Hey, we've got to update our systems in coordinate with involving the right tools and processes."
Michael Engle:
Yeah. It really is a journey. When we start with an organization, we'll look at holistically how they think about identity. Say we're working with consumers, customers logging into their platform to do things. How bad would it be if a bad actor has created an account? Well, if you're a toy company selling toys online, you're not going to ask for identity verification because as long as they provide good payment, you're kind of good. But if you're extending a million dollars line of credit, now you need to implement strong identity and verification controls or bank-level controls, et cetera. So, it really depends on the risk of what you're trying to do, and that's really for new accounts. But that also applies to who you're hiring. The problems that we mentioned when we first got on this call, who is this, John, applies so much to going all the way back to the first interview that somebody does at a company.
Talent acquisition. Are you interviewing the person who you think you're interviewing? Why don't you do a quick identity verification right there on day one and let them use that proof then for interview two, three, four and five? Very few organizations are doing that. We're working with quite a few that have either high turnover or a high risk of, if they let somebody bad in, it really would be detrimental. And then you make them an offer. Who are you giving the credential to on the day you do their I-9 or their onboarding? So, the North Koreans have figured this out. I heard a stat that a billion dollars a year is going to North Korea because they've gotten jobs at companies globally and they work really hard. They probably work better than a bunch of schmo Americans, right? Because they have to or they'll get shot. So, if you don't put identity controls all the way back at the beginning of your high-value customer sign up, your high valued employee sign up, or even the low valued ones because there's a lot of risk in somebody getting access to your internal systems.
So, those are the identity use cases. Now, the other thing you said is how do I... Today I'm using usernames and passwords. Well, that's like game over. You already have a long way to go to lock those down. So, now you need... 20, 30 years ago we started putting out MFA. Well, MFA has been bypassed and it's cumbersome. And I have six apps on my phone called Authenticator, right? It's such a pain. Seriously, I type AUTH and I see six apps, Authy, Google Auth, Microsoft Auth. So, there's two really good consumer ways, or they work for employees as well. And one is FIDO Passkeys. So, FIDO is the passwordless standards body. They're a little more than that, but that's kind of the lowest common denominator that they're known as. And FIDO stands for Fast Identity Online. They're a non-profit, and what they created is a way to authenticate without usernames and passwords and without needing to do out-of-band MFA like we've gotten so used to.
So, it puts a certificate locally with you, like a safe credential, and it can't be copied. It's not at risk in transit, it's not stored centrally in any databases. So, that's starting to evolve. So, what you're seeing if you log into Home Depot or Target or there's a lot of early innovators on the passkey side. Some of my banks are using it now, is you'll get a pop-up, you just logged in as John Richards and a pop-up and say, "Hey, would you like to set up a passkey?" What are you going to say, right? Most of the time, yeah, the second time you log in, it just says, "Press here to use your passkey," and you're done. So, it's similar to that reusable concept that you and I mentioned that how do I know it's you?
Now, what needs to go along with the passkey is a verified identity, otherwise you just have another thing that you're transmitting that hasn't been verified. And there's usability challenges with passkeys. Like if I use it on Safari here, it doesn't work on Chrome there, and the industry's working on that. But that's the first step is to start to get your IT staff wrapped around the idea of passkeys and how they're going to change the concept of not needing usernames and passwords in the future.
John Richards:
One nice benefit over the MFA for that step is I always wanted to avoid MFA because it's an extra hassle, whereas a lot of the passkey stuff is like, "Oh, this saves me time," when it works by not even entering a password. I'm using something else to authenticate here that's more secure, but less of a hassle. So, I like when that user experience starts to work together with also the enhanced security. You get that, as you said, people are more likely to hit yes.
Michael Engle:
Right. You just reminded me to dive into just a couple of challenges on passkeys like you just said. So, if the bad actor has your password, they can set up a passkey. Now they've got the easiest way in the world to keep doing that over and over again. And passkeys can be shared, so not exported, not stolen. It's hard to get it off the endpoint, but using password managers, I can share a passkey with my family members, which is cool, but also can be scary. Imagine if I could export all the passkeys out of my password manager. Now you're kind of back to square one.
John Richards:
Good point.
Michael Engle:
Right. So, now I have all my passkeys in my one password vault here. If that gets lost, really not any better off than if they had all my passwords. Getting back to the biometrics, the passkey doesn't prove it's you, but your face does. So, imagine if you got some signals and you said, "Oh, John, does he usually log in from Pakistan?" No. "You know what? Let's ask him to glance into the camera." That would stop the passkey theft right away, right? So, that real biometric, that airport experience where you walk in, they glance in, they know it's you, I think that's going to be the future. Passkeys will be like quicks, just boom, press a button you're in, back it up or set up your passkeys with that biometric and a verified identity and you've got everything you need to really have an amazing experience and really high security.
John Richards:
Wow. Yeah, no, it sounds like a holistic approach. That really gets back to, as you said, to verifying who the human is with some kind of non-replicable feature, like their physical characteristics here. How are you all using AI to drive some of this? I'm interested in what's the cutting edge right now for where you guys are investing time in AI-driven development?
Michael Engle:
Well, of course it's being interwoven into all of our business units. So, we have sales and marketing and AI is now changing how you engage with people and market and create content, all that stuff. I think that's almost table stakes already, right? Create a white paper, oh, there it is. That looks terrible because it uses those same words. So, we're doing that. We're doing it in customer success to engage with our customers in product, in engineering and all these different areas. So, that's a real game changer, but I think everybody's doing that. Some of the things we're doing that are unique are in that identity verification. So, imagine you have trouble holding the phone or scanning your license, the lighting's bad. We have 24/7 call center agents to help guide you through that. That area is something where we're also innovating with AI to be able to have an agent engage with the user in their language, in their dialect.
And so, now you've probably done this with Whisper OpenAI type stuff where you're having voice conversations with these agents. You've probably played around with it. That can be real helpful for somebody because it's probably better than the agents we're hiring in some things. So, then we'll have a layer between somebody having a problem that does 5% or 10% that they just having trouble, the agent picking up the phone or doing a video chat somewhere in the middle, we have these agents that can engage with you and solve the problem really quick and it's actually customers like it if it's done right. So, that's an area. And then, I don't know if you have any questions on that, but you're seeing a lot of this in customer service and customer support, right?
John Richards:
Yeah, no, and I think the language capabilities there for folks who want to work in their first language and it's not one that you normally have in a call center staff is huge benefit. And just being able to... It feels easier when I'm talking to one that works well, but is, I know I'm not harassing somebody and we're not going through the what mood are you in today? Where're like, "Okay, let's just solve this problem."
Michael Engle:
That's right. That's right. Yeah, and the dialect thing. The language thing, right? It's so hard to learn 140 languages, but the agents do it a lot better. So, yeah, that's a game changer. But just the stuff we talked about in the beginning, it's the behavioral side of it where the AI can really see things that others wouldn't. I've never seen this driver's license before, for example. Well, it could be because Hawaii just released a new driver's license template yesterday and they didn't tell anybody, or it's fraudulent. And so, we're using AI to generate millions of fake driver's licenses internally and put them through the engine to see if any of them get through and get by. So, we can have the AI feeding the AI to see which one is doing better at any point in time. And that's all done with local models. We don't send any data out to public cloud providers or the commonly known GPTs of the world. So, that's the other thing is as you embrace AI, you have to be able to tell your customers that you're doing AI responsibly, right?
My AI is not going to have your company data put into some type of trained model out there that can be consumed by others. So, that's a really important part of it as well.
John Richards:
No, that makes a ton of sense, and I like how you're using it back to at the beginning you're talking about not storing some of this data, it's hashed value. So, it's not even like there's the risk of the image being out there, being learned on, the data being stored in a whole different format that still preserves the privacy of how they're using this. Let's see. Before we wrap up, I mean this has been super fascinating. Thank you, Mike. I'd love to hear a little bit what's next for 1Kosmos? How could folks find out more about that and how can they connect with you?
Michael Engle:
What's next for 1Kosmos is digital wallets. So, it's the future of identity. You have your own physical wallet or purse depending on what you carry, and you pull out your credential and provide it to somebody to prove who you are. And the world needs reusable, trusted wallets. So, we've been working on wallets before they were... Well, they're not quite fashionable yet, but you have the states are popping up with mobile driver's licenses, but that's not the end state because now you're basically turning your DMV username and password into something that you can give to an officer. So we're creating public wallets and employer wallets that stay within the container of where they need to be used, so you could with us set up your federal government wallet or your Acme Bank wallet and then use that to get into the systems that they trust, and then sharing that between entities.
So, one agency, you're over here, you got the wallet, use it over there. That's all something we've been working on really hard. There's industry standards around that. We think it's the future of that reusable, trusted identity. And then I can also link that with my wallet, link it to those AI agents that are doing things for me. So, it'll have a little token with it that says, "Yep, I know that this agent is working on behalf of John because it's linked back with a cryptographic signature back to that trusted wallet." Right? You're not just giving it a username and password to go do things as you. So, that's something we're working really hard on. We're going to see a lot more of it coming in 2025 and 202.
John Richards:
And I'm assuming since that's then also tied back to the biometric piece and the real validation of who they are, it's not like somebody can just grab a wallet. You still got the extra authentic... Because some of the wallets I've seen folks putting out, it's like again, just another version of a password where somebody else can easily get it. But if you're really backing that up with real user verification along those steps, then you can trust a lot more that it's my agent and not somebody else's.
Michael Engle:
Exactly. Exactly.
John Richards:
I mean, that's super fascinating and I'm sure people will want to check that out. What's the best way for them to learn more about what's going on or to connect with you?
Michael Engle:
1Kosmos.com. It's the number 1K, Kosmos. So, word Kosmos. K-O-S-M-O-S means universe in Greek and 1Kosmos, one universe, it's our philosophy that one day you'll have one identity anywhere you go in the universe, right? So, that's kind of where we got the genesis name for the company back many moons ago.
John Richards:
You're already planning for Mars and on with the universe, same identity, not just here on earth, but wherever I go.
Michael Engle:
Yeah, yeah. We already have a partnership with SpaceX, so when we all go to Mars, we'll just whip out our digital identity and we'll be set to go to live there with Arnold Schwarzenegger. So, that's the best place is 1Kosmos.com, and we've got a great LinkedIn presence, and I can be reached at michael@1kosmos.com as well. So, would love to hear from anybody who wants to know more.
John Richards:
Awesome. Well, I'll make sure we include a link in the show notes. Thank you so much, Mike, for coming on here. I learned a ton and best of luck on solving this universal identity problem. It sounds like you guys have a great start on.
Michael Engle:
Well, thanks for having me. It was a fun chat.
John Richards:
This podcast is made possible by CyberProof, a leading managed security services provider, helping organizations manage cyber risk through advanced threat intelligent, exposure management, and cloud security. From proactive threat hunting to managed detection and response, CyberProof helps enterprises reduce risk, improve resilience, and stay ahead of emerging threats. Learn more at CyberProof.com.
Thank you for tuning in to Cyber Sentries. I'm your host, John Richards. This has been a production of TruStory FM. Audio Engineering by Andy Nelson. Music by Amit Sagie. You can find all the links in the show note. We appreciate you downloading and listening to this show. Take a moment and leave a like and review. It helps us to get the word out. We'll be back August 13th, right here on Cyber Sentries.