Vendor Assessment: 1Kosmos
How To Kill The Password
A Buyer’s Guide To Passwordless Authentication Technology
Last Updated: 11 October 2021
Document Id: tch-vendor-assess-1kosmos
Company Key Facts
Web | https://www.1kosmos.com/ |
LinkedIn | https://www.linkedin.com/company/1kosmos/ |
Twitter | https://twitter.com/1KosmosBlockID |
YouTube | https://www.youtube.com/1Kosmos |
Founded Date | June 2018 |
Founders | Hemen Vimadalal, Mike Engle, Rohan Pinto |
No. of Employees | ~60 |
Total Funding | $15m (Series A Feb 2021) |
Locations | New Jersey HQ, plus numerous across US, Singapore and India |
In Their Own Words | Mission – At 1Kosmos, our mission is to establish BlockID as the preeminent identity platform globally – to provide “individuals” with secure digital identity controls, and “service providers” with powerful tools to defend against identity fraud while simplifying the user experience. Our Story – After having conversations with industry leading CISOs, former members of the National Security Agency and the Department of Homeland Security, 1Kosmos’ founders realized the notion of knowing who is on the other side of a digital connection was disjointed and weak. Leveraging decades of experience and coming from successful cybersecurity ventures, the team sought to fill a hole in the market by creating a one-of-a-kind solution that ensures a user is who they say they are, at all times. BlockID is the only solution that combines indisputable digital identity proofing with advanced biometrics and passwordless authentication. |
Funding
1Kosmos have received one round of funding – a Series A in February 2021 – at a total of $15 million. This was led by ForgePoint Capital.
Customer Case Studies
Customer | Region / Sector | Details |
Hitachi Systems Micro Clinic | India / Digital Services Integrator | As a services integrator, Hitachi were looking for modern passwordless technologies for their wide client base to provide secure and seamless integration across a range of enterprise applications. Upon successful evaluation, Hitachi deployed the technology internally for all staff (over 2000). All Hitachi employees are now able to authenticate using passwordless authentication bound to a secure, biometrically proven identity. This required top down stakeholder buy-in and the ability to cover all applications and all user types. Key points: India presence for support and consultancy; rapid application integration; full application and user coverage. |
Technology Key Facts
Go To Market Message | Strong Authentication backed by Strong Identification – by leveraging advanced biometrics and blockchain technology |
Solutions | Workforce: Passwordless Enterprise / Remote Workforce / Physical Access Control / Single Sign On / Employee Verification / 2FA & MFA / Universal Web Login Consumer: Covid-19 Vaccination / eCommerce / Education / Financial Services / Healthcare / KYC / Universal Web Login |
Products / Platform | BlockID Verify / BlockID Workforce / BlockID Consumer / Advanced Biometrics / Private Blockchain Ecosystem |
Useful Links | Product Documentation / Release Notes / Free Trial Signup |
Technology Review
1Kosmos are a US based startup. Although they have had a relatively short runway for development (founded in 2018), they have secured a $15 million Series A round of funding and their founders have a strong history within the identity and access management industry – having been involved in organisations such as Vaau (acquired by Sun Microsystems) and Simeio Solutions (acquired by private equity firm ZMC).
Advisory Board
They have a strong advisory board containing former members of the US intelligence and security communities, including Mike McConnell (retired director of the NSA), Art Money (former assistant secretary of defence for command, control, communications and intelligence) and Kirstjen Nielsen (former US Secretary of Homeland Security).
1Kosmos are tackling the two main sectors that rely on identity management technology, namely workforce and consumer. An interesting aspect is the end to end approach they take to authentication: a lifecycle model that runs from secure onboarding and proofing, through biometric authentication, to the distributed storage and sharing of personal information via a blockchain ecosystem. They label this “Identity based Authentication”.
They seem heavily invested in standards and in being certified for integrations against the likes of the NIST 800-63 series of digital identity guidelines, WebAuthn/FIDO2 authentication and secure biometry components.
BlockID Verify
BlockID Verify is very much focused on the initial identity onboarding. Many passwordless vendors leverage mobile device integration that relies on cryptographic challenge response technology. What 1Kosmos has focused upon is binding the device not only to an identity, but to a verified and validated identity.
The verification process will involve taking a picture via the mobile device of existing physical identity papers – such as a US issued driving license or passport. The BlockID Verify platform will leverage AI technology to validate the identity record.
The process is certified (by the Kantara Initiative) to NIST Identity Assurance Levels 2 and 3, as per the NIST 800-63 digital identity guidelines.
The US driver license validation process relies on integration with the AAMVA (American Association of Motor Vehicle Administrators), whilst US passport validation relies on integration with the US Department of State.
Additionally, enrollment can include credit card onboarding and voice biometrics, which can be used for later identification.
The more attributes the end user chooses to enrol, the higher the level of assurance that can be assigned and, in turn, the higher the level of confidence any relying party has regarding the presented identity.
During the enrollment process, a real time picture of the end user is taken, with liveness verification.
The real time photo is compared to the photo within the validated government credentials. This can provide assurance that the current user of the mobile device is indeed mapped to the verified claims within the government issued documents.
Once the validation has taken place, an Elliptic Curve asymmetric key pair is generated and securely stored within the trusted execution environment or secure enclave on the mobile, for subsequent authentication responses.
BlockID Workforce
The BlockID Workforce solution is based upon the verification components but with specific capabilities for authentication of employees and contractors within the confines of the workplace.
1Kosmos looks at the entire authentication journey – from the verification and enrollment process through to a range of application integration options.
Some interesting use cases arise from this model. One pertains to the validation of staff. By integrating the BlockID Verify process into standard HR employee onboarding, a higher degree of end user assurance can be achieved. This seems most useful for sectors with outsourced projects, or where data security is critical, such as healthcare, retail or financial services.
By binding the end user to verified claims, real time biometric data and in turn their trusted mobile, daily authentication and step up authentication events can be tied back to real humans.
Authentication is often triggered by QR code generation, for example via a client for Windows desktop login. The BlockID Workforce solution provides a range of enterprise integration options.
Physical Access
As the mobile device essentially becomes an extension of the user’s person, real time, human verified liveness checks can be integrated into physical access use cases. Scenarios that would typically require contactless smart card authentication can be replaced with the mobile device and NFC (near field communication). The mobile app leverages the securely stored private keys to respond to cryptographic challenges generated by the physical gate or barrier. Not only does this remove the reliance on smart card technologies, it also improves functionality by providing liveness verification and resolution to a real identity, which a smart card cannot do.
Windows Login
1Kosmos provides a Windows GINA (graphical identification and authentication) client that transforms traditional workstation login to be QR enabled. The end user scans a QR code on their 1Kosmos application and performs a face based authentication ceremony.
Subsequent logins to an existing session can be completed via a push notification and fingerprint login.
SSO & IDP Integration
Whilst many systems rely on Microsoft Active Directory, 1Kosmos provides integrations to a range of external identity providers such as Okta, ForgeRock and Ping Identity. This can allow existing identity platforms with their far reaching application integrations and single sign on functionality, to leverage QR code triggering and advanced biometric authentication.
Privileged Access Management
1Kosmos provides integration to the CyberArk suite of PAM solutions as well as ARCON. Again, client configuration allows a QR code based login to these systems via the mobile application. During the process, the end user can select a persona or profile to log in with, which is especially useful if the end user is both an “admin” and a “normal” user.
Unix
Unix system access via SSH (secure shell) can again be QR enabled. This requires the user to enter their Unix username and password into the mobile application. Subsequent logins via SSH are handled via the scanning of the QR code.
Offline Access
If a Windows workstation has been configured to use the 1Kosmos integration, yet the device is offline and has no access to Wi-Fi, the workstation can communicate with the mobile application over Bluetooth and follow the same QR code scanning process as if it were online.
Universal Web Login
Universal Web Login (UWL) is a concept 1Kosmos promotes to allow integration of “legacy” and “classic” applications into the landscape of secure biometric authentication. Many applications that have long life spans cannot be easily replaced or updated to use more modern or agile security techniques. UWL leverages an identity gateway and SDK model to abstract an asymmetric cryptography based challenge response authentication process that originates on the user’s mobile device. QR code triggered authentication events can be started via a JavaScript SDK embedded within the web application.
BlockID Consumer
The second main user area for 1Kosmos is external identities for consumers and customers. Again the BlockID Verify solution is the building block with some specific features for consumer use cases. External identity is often obsessed with usability and experience, looking to make the enrollment and device recovery processes as seamless as possible.
Credit Card & Voice
During enrollment additional data can be overlaid against the government issued credentials as seen during the standard workforce onboarding process. This includes credit card data and voice biometry.
1Kosmos are looking holistically at what passwordless authentication can allow the consumer to achieve, and retail payment processing is a classic example. Enrolling credit card data into the application and storing it securely in the TPM/Secure Enclave essentially provides a mobile wallet experience backed by biometric authentication. Capturing voice biometric information during enrollment also provides more options for consumer authentication.
SDK
The 1Kosmos SDK can be embedded into existing customer facing applications and leverage existing authentication modalities – typically push notification and a biometric. Depending on transaction event details – for example high value payments – the level of user interaction can be increased or decreased.
Physical Payment
Payments for goods and services can be integrated using either point of sale QR code scanning or potentially NFC tap and go. Credit cards that were enrolled during onboarding are used, without card details ever leaving the device.
Live ID Advanced Biometrics
The 1Kosmos suite of solutions is based on advanced biometric scanning, enrolment, storage and authentication, known as “Live ID”. Their use of liveness detection delivers Identity Assurance Levels 2 and 3, as defined in the NIST 800-63 series of identity guidelines.
KYC (Know Your Customer) is becoming a vital component of many digital initiatives in the financial services, retail and ecommerce spaces in order to reduce the total cost of fraud (TCOF). Certified biometric solutions help deliver this capability.
1Kosmos provide a range of biometric services, in addition to being able to overlay existing attribute data. This triangulation of verification allows not only the mapping of a real person to entity authentication but also provides the necessary real time levels of assurance to relying parties and applications.
Private Blockchain Ecosystem
1Kosmos leverages Ethereum based distributed ledger technology to store the end user’s personally identifiable information (PII) and their biometric template. Two separate blockchains are used to provide data separation. The Elliptic Curve asymmetric key pair on the mobile device is a derived key pair, created from a 12 word mnemonic passphrase. This derivation process allows keys to be recreated in the event of device loss or migration, assuming the end user remembers their 12 word phrase.
An Elliptic Curve Diffie-Hellman key agreement process takes place to generate another key, this time an AES 256 bit symmetric key that is used to encrypt the PII and biometric template data.
A smart contract is then created and stored on a third blockchain; it contains the W3C Decentralized Identifier (DID) and links back to the actual PII and biometric data.
A distributed ledger provides several features that aid security and privacy preservation. The blockchain prevents tampering with data once it is stored, as all transactions are hashed for integrity, and it records all requests (and responses) for PII and personal data for audit purposes.
User data is linked back to what is known as a DID, a decentralized identifier as defined by the W3C DID standard. The benefit of a DID is that it is not tied to a single organization or identity provider, and it places consent and control with the end user.
Relying party requests for user interaction (be it for network access authentication or the sharing of PII) are embedded into the blockchain ecosystem in the form of “smart contracts”.
These contracts contain the request details including what data is needed and why, providing the end user with full GDPR-esque transparency regarding data exchange.
The result of the consent action and the affirmative authentication event are stored immutably on the blockchain for future audit.
Once complete, data can be sent to the relying party. This data is encrypted, again with an AES 256 bit key, this one agreed between the end user device and the relying party. Each relying party leverages its own key, limiting the blast radius of any data exposure to unauthorized parties.
Sample Technology Integration Coverage
Identity Proofing:
- US driver’s license
- US passport
- Mitek
- Zenkey
Biometrics:
- Proprietary LiveID
- NIST IAL 2 (Kantara Certified)
- NIST IAL 3 (Supported)
- NIST AAL 2 (Kantara Certified)
Hardware Tokens:
- Yubico Yubikey
Operating Systems:
- Mac OS
- Windows
- Linux
Privileged Access Management:
- CyberArk
- BeyondTrust
Remote Access:
- App Gage
- Check Point
- Cisco
- Citrix
- OpenVPN
- RSA
- ZScaler
Single Sign On Identity Providers:
- Auth0
- ForgeRock
- Okta
- Broadcom (CA)
- IBM
- Idaptive
- Ping Identity
SDK:
- Android
- iOS
Cloud Applications:
- Adobe Creative Cloud
- Bamboo HR
- Basecamp
- Box
- Webex
- Docusign
- Dropbox
- Evernote
- Go To Meeting
- Marketo
- Salesforce
- ServiceNow
The Cyber Hut Comment
1Kosmos provides a rounded and holistic view of the passwordless authentication ecosystem. By providing a range of capabilities, from enrolment and mobile based biometric authentication to secure storage of PII via blockchain technology and the release of PII via smart contracts and verifiable credentials, they deliver seamless authentication journeys that create end user value.
The nuances between workforce and consumer identity are numerous, but it seems 1Kosmos have delivered a strong array of functionality in both camps. Workforce enablement requires a broad array of integrations and authentication options to cover Windows, SSH, Linux, PAM and physical interactions.
Consumer identity requires strong identity proofing coupled with usable experiences which 1Kosmos delivers. As passwordless technologies become more pervasive, the end goals that authentication serves will become more important – and the use of smart contracts and secure PII handling may well become the standard design pattern.
Strengths
- Strong biometric assurance of identity data
- Advanced “LiveID” biometric authentication
- Standards first integration
- QR code based authentication
- Mechanisms for secure sharing of PII to third parties post authentication
- Secure private blockchain architecture for storage and sharing of data
- Workforce application integration for a range of applications including SSH, PAM, physical access, a range of IDPs, AWS and VPN
Methodology
The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship. We follow a 5 step process to create a body of knowledge that provides buyside decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.
1 – OSINT
The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.
We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.
This process takes between 2 and 4 weeks to complete and uses sources such as the following:
- Crunchbase / Glassdoor
- YouTube / Twitter / LinkedIn
- Vendor Website
- Vendor Webinars & Events
- Vendor Whitepapers & Datasheets
- Vendor Case Studies
- Patent Search
- Blogs
- Documentation & Release Notes
- APIs and SDKs
- Downloads and Trials
2 – Vendor Briefings
After a basic dossier has been created, a reach out to a vendor is performed to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.
The briefings usually last about 60 mins and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer. This process typically results in some further more technical questions that can be easily answered via email and existing documentation.
At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.
This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages. Existing public case studies will also be analysed.
3 – Vendor Fact Check
Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented. The vendor typically responds within 14 days with any corrections and edits.
4 – Vendor Assessment Completion
After the vendor has been given the opportunity to fact check the assessment any corrections are incorporated into the final document.
At this stage, the document can be made available to buy side practitioners as a standalone artifact. This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.
Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.
Methodology Benefits
The benefits of this approach are twofold: firstly, the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates. The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.
The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.
Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.
The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.
Vendor Assessments are typically re-evaluated every 12 months.
About The Author
Simon Moffatt is Founder and Analyst at The Cyber Hut. Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF. He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.
Education
B.Sc (hons) Economics (York, 2001)
M.Sc Information Security (Royal Holloway, University of London, 2022)
Professional Memberships
MBCS – Member of the British Computer Society
F.CIIS – Fellow of the Chartered Institute of Information Security
Professional Qualifications
CISSP (Certified Information Systems Security Professional) – 2007 to present
CCSP (Certified Cloud Security Professional) – 2020 to present
CEH (Certified Ethical Hacker) – 2018 to present
CISA (Certified Information Systems Auditor) – 2010 to 2014
Research Interests
Distributed Authorization; Cyber Strategy; Security Economics; Identity Counter Measures; Nation State Cyber Strategy
Disclaimer
© 2021 TCH Research Ltd. All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.
This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information.
The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy.
The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.