Introducing Journey’s Zero Knowledge Identity Network
In this Executive Insights podcast, BCStrategies' Jim Burton welcomes the father-and-son CEO and President of Journey, Brett Shockley and Alex Shockley. Journey is a security business with the mission of making it simple for businesses to build trusted digital relationships with their customers. According to Journey, verified identity needs to be the root of trust in the relationship between business and their customers. "One way of looking at this broader problem holistically is we're helping to answer the question of 'who is this?'" said Alex. "What we've done is help to facilitate tying in all of the different tools that you have available on your smartphones today to be able to prove biometrically that you are who you say you are, and then use our Zero Knowledge Network to extend that proof into different mediums."
Jim Burton: Welcome to BCStrategies Executive Insights. This is Jim Burton and I’m joined today by a couple of executives from Journey: Brett Shockley and Alex Shockley. And they have an exciting, new startup that I think is important for our audience to understand and to work with. So, let's start with Brett.
Brett, I've known you for – longer than either one of us are ever going to admit to anybody because it would start aging ourselves a little bit. And you've had an incredible career. I’ve always noticed that you were on the front of technologies and very, very innovative, and clearly, Journey is one of those. Give us a little bit of background about the company, and why you started it, and the problems you’re trying to solve.
Brett Shockley: Thanks, Jim. I'd be happy to do that. Yeah, we've had a lot of fun over the years definitely, as we've applied all this technology to the contact center, customer service industries. After I left Avaya a couple years ago and Alex had sold his digital marketing agency and we were both kind of looking at what to do next in the marketplace, one of the things that jumped out at us was if you take a look at the customer journey “problem” and opportunity, one of the big issues that our industry has struggled with for years is the question of who the individual is that you’re doing business with.
It occurred to us that verified identity really ought to be at the root of trust and the relationship between the consumer and the business. And so, we started digging into that and we recognized several fundamental issues. From a security perspective, the internet had never had a security layer that was focused on identity, and as a result, if you take a look at enterprise security, we've sort of seen an evolution that's gone from securing the network to extending the network with VPNs and SDNs to some of the latest things being done around Zero Trust to secure the application and the devices.
And securing all those things is great, but we're still not focused on securing the human being. Shared secrets and trusted devices can get stolen; your brother-in-law can look over your shoulder today when you’re working from home. None of those things are really addressed with the current approaches to security.
And then, privacy of customer data within the enterprise has sort of always been treated like any other data within the enterprise and it's only sort of been recently with all the external customer issues with data breaches and the regulatory compliance issues that have started to come up where people really realize that customer data, customer identity information needs to be treated in a completely different way.
Then finally from a customer experience perspective, going back to sort of the whole customer journey concept in the first place, security and privacy directly affect customer experience and normally there's a big tradeoff between the fraud issues that you’re trying to solve with security and privacy, and the friction issues associated with customer experience.
As we dug into the best way to address these issues, we ended up coming up with a new technology that we call the Zero Knowledge Identity Network. And it's really a fundamentally new approach and it's focused on some concepts that we've pulled in from other places in the world. For example, the concept that the intelligence community uses regularly which is “need to know.”
Today, we're pretty promiscuous about all the customer data that floats around an enterprise, as opposed to being very thoughtful about what information should be available or needs to be available by an individual or an application. In many cases, you just need to know that a piece of information is true or valid, or that someone's over the age of 21, or something like that. You don’t actually need to know their birth date.
Another concept is high veracity of the individual as opposed to as I said before, the device. And so, an approach that can identify somebody with a veracity of one in a million or up to one in a billion or greater, as opposed to most of the techniques today are sort of in the 90-something percent area. That makes a big difference in being able to treat people.
As I mentioned earlier, the issue with shared secrets and identifying devices. Those can be stolen. That really doesn’t protect you the way you need to. And I think the other thing with the current concepts that are out there is they tend to create large honey pots of data. So if we store all the data in a big, centralized database, a data lake, we distribute it into a bunch of individual data ponds, that attracts hackers. With enough time and enough value in those data lakes, those hackers are going to get in.
So, we really took a look at all this and with the Zero Knowledge Identity Network underneath what we're doing, we're solving simultaneously for security, privacy, and customer experience.
Jim: Sounds great. Alex, let me turn it over to you then and learn a little bit more about what the solutions and the benefits are of this solution. And I also want to let people know that we do have a couple of videos that show examples of it, which we'll put on so you can refer to those if you'd like, during your presentation.
Alex Shockley: Sure, absolutely. Well also, thank you for having us here. It's great to get a chance to chat.
One way of looking at this broader problem holistically is we're helping to answer the question of “who is this?” So, in just about any customer-to-business interaction, as well as the business-to-business and customer-to-customer, you've got this consistent need to answer the question of, “who is this?” at the start of any interaction and transaction.
And so, as Brett laid out there, there are a lot of different nuances to the techniques used to answer that question, and those techniques have some pretty big impacts on security, on privacy, on user experience. And so, we first spent a significant amount of time and effort building out this underlying architecture that we felt could address this problem more holistically. And on top of that architecture, we've now brought to market a suite of solutions that really help to solve this problem, predominantly in the contact center as well as in digital environments.
And so, you think about what happens today for example, when you call into say, your bank to ask a question about a potentially fraudulent charge, for example. If you call the 1-800 number printed on the back of your credit card, you’re going to be taken through the standard routine of keying in a 16-digit account number, followed by your mother's maiden name, followed by the last four of your Social, followed by different pizza toppings in some cases. You get connected to an agent and they start to ask you some of those real-time credit bureau questions – what address were you associated with in 1992, or what color car did you drive in this decade.
These processes are clumsy, they're expensive, it's a pain in the butt for both the user and the business. At the end of the day, this doesn’t really buy you all that much security. That information is broadly available not just on the dark web but now anybody can go crawl your social media profiles to kind of have a fighting chance to be able to guess a lot of this information.
And so what we've done instead is help to facilitate tying in all of the different tools that you have available on your smartphones today to be able to prove biometrically that you are who you say you are, and then use our Zero Knowledge Network to extend that proof into different mediums. So be that using the business's mobile application to prove identity into the contact center or to tie the phone, the camera, the different sensors in here to be able to capture other documents and information, and be able to facilitate capturing that information locally at the device, sending it to the different third parties that need it to be able to verify certain aspects of it.
Then as Brett mentioned before, rather than revealing that information to any requesting party, we're making it a lot easier to consume in a more privacy-preserving method by being able to give proof that things have been attested to or things have been verified. Which is what they really need at the end of the day rather than sharing the actual raw underlying credentials themselves.
Jim: Well, that sounds fabulous. Have you got any examples of how this can help say, a contact center to make sure that they're getting the right information and what benefits that would have to them? I mean, it's got to save an enormous amount of money if this can be tightly secured and you know exactly who you’re talking to.
Alex: Sure. So on the authentication question and the contact center specifically, the industry statistics will tell you that knowledge-based authentication takes 45 to 90 seconds. And in a financial services-oriented contact center, that could be at the cost of a dollar per minute. Real users fail that process on average, about a third of the time. So those are false negatives. And the rate of false positives, so fraudsters being able to pass that test in targeted attacks can be as high as about 60%. So the bar is pretty low right now for us to go in and surpass that.
When you start to layer in carrier forensics or you start to layer in voice-based biometrics, those providers will often tell you that their accuracy is in kind of, the 92 to 94% range. By being able to deploy device-based biometrics – so, with something like face ID, you can now get to about a one in a million proof that this is in fact who they claim to be. And by being able to then with Journey, tie in a third party, so second-factor biometric providers to do say, a second facial check – both facial matching as well as liveness – you can now eliminate the threat of phone porting or SIM swap, as well as reduce that attack factor to about one in a billion chance that someone else could pass for me by leveraging the biometrics on my device here to prove my identity into the contact center agent.
All that can be done without the contact center agent needing to ask a single security question or being exposed to any of my sensitive details.
Jim: Wow. That’s pretty amazing.
Alex: Okay. So, in our scenario here for an inbound call for example, let's say that I need to call to ask a question about a charge on my credit card. A user would be able to take out their phone, call the generic 1-800 number printed on the back of the credit card.
Now when that call is placed, Journey's technology integrated at the contact center, sees the incoming ANI and can do a database check to see if there's a mobile app associated with that ANI. And if there is, is it tied to a device that has the sufficient characteristics and capabilities needed to perform biometric proofs, for example.
And so, assuming all of that's in place, we can then route the IVR to prompt the user to login to their mobile app to verify themselves. So the IVR can verbally tell the user for better and faster service, please login to your mobile app. And if the user now looks at their device and says, you know what, what's going on here, we can push from the mobile app, a notification prompting the user to tap here to login. That one tap is what will then invoke the mobile app to open up and spin facial recognition. And that could be both the face ID or the touch ID that's local to the device, as well as a third-party biometric provider, should the business choose. So we can again check the facial matching and the liveness detection against what's saved locally on the device, as well as a cloud-based template.
When that passes, the agent on the other end then sees proof that this user has authenticated as well as, can pull the account details from that user's mobile app without actually being exposed to the user's sensitive PII or PFI, in this case, and without need to ask the user those sensitive security questions.
Jim: That's a great feature because I think about whenever I have to go on. They always ask me a question… I don’t remember it for sure… And then I’m sitting here talking to someone who has all the access to all this information about me, what my bank account looks like, everything. So, sounds like you've solved those problems. Boy, that's fabulous.
What about in a place where someone's trying to call me? Let's just say I had credit card fraud. How would something like that work so that the bank can get ahold of me and I’m not just looking at this as one more call coming to me that's been hijacked and someone's trying to spam me a little bit?
Alex: Yeah, that's a great question. Right now, the outbound connect rates statistically are about 15%. That means about 15 out of every 100 outbound phone calls from the bank are actually answered. And of those 15 that are answered, only about a third of them are the end users actually willing to answer the security questions to authenticate.
Unfortunately, with the crazy increase we've seen in spam calls of people spoofing different numbers to make it look like your hometown area code, we're being conditioned to trust those unknown numbers less and less. So, it's becoming increasingly difficult for legitimate contact centers to be able to get those phone calls out and connect with their customers for various purposes.
So, what we're doing is a few different things here to help address that. First and foremost, because we have integrations both with the outbound dialer as well as the customer's mobile app, we can predict when somebody's phone number is nearing the top of the call queue and programmatically push out a branded app-based notification to the user to give them a heads up that there's going to be a call coming. So, we push out a notification to say, hey this is your bank, we've got suspicious activity that we've noticed on your account, we're going to be giving you a call in the next 5 to 10 minutes, or you can login and request a call at your convenience.
So, the user, if they see that notification, is already much more likely to answer a phone call in the next 5 to 10 minutes even if they don’t take any other action. Now alternatively, they can tap that notification, authenticate into the app, and then choose to either self-serve or to request that call. If they choose to request that call, that then triggers the outbound dialer to push that phone number right to the top of the call queue. And when that call comes in, again because we've got the integration points of both the mobile app and the outbound dialer, we can have the outbound dialer tell the mobile app what number to expect a call from.
So, moments before that call arrives, we can push that information to the device so we can actually now populate two lines of caller ID on the user's device to tell the business as well as the department, a reason for calling. So again, now the user has received that notification and now they're seeing the caller ID. So, much more likely to answer it here.
But let's assume that they didn’t see the notification and for some reason they're ignoring the caller ID and they didn’t see that piece here. The last line here of our opportunity is now that the user answers this phone call, again you think about right now, only about a third of those actually authenticate once you answer it. In our case, rather than the business asking the user for the last four of their Social or for other sensitive information, now they're asking the user to login to their mobile app.
The promise is that when you do login to your mobile app, we're going to be able to show you mutual authentication. So if you login to the mobile app, you'll see that you’re on a verified phone call with me. My agent ID is 1234 and my name is Alex. And so, once you’re authenticated into the app, we introduce this concept of mutual authentication. So, there's no need to go through the standard routine of keying in this information, asking the sensitive questions. Instead, we’re flipping it on its head and offering the customer a way of seeing the agent's information. So, we're kind of changing that paradigm of who's got the burden of proof to handle on their end.
Jim: I assume that you have a lot of this information online. So if I’m someone listening to this podcast and I went, wow that sounds really special, why don’t I figure out how I can use that with my company, they'll be able to find enough information on your website to be able to follow up and get into contact with you?
Alex: Absolutely. We've got video demonstrations of these solutions and more on our website. We are continuing to add more information here as we are preparing for broader, more general public launch events here. But always happy to schedule demonstrations and take deeper dives as well.
Jim: That's great. One of the things that I know when you’re dealing with a startup, startups go through these challenging times of finding the people. So often the entrepreneur is a guy that's got a great, bright idea, never run a company before. Brings in his good buddies who have never run a company before and they go through a learning cycle, and it's always a challenge. Some companies just don’t make it because they don’t have the talent there.
I’m looking actually on my screen here at the people that you've brought into your company, Brett and Alex. And it's pretty mindboggling the talent that you've got. I mean, these are industry-known quantities. Maybe you can talk a little bit about how you were able to go about and put together such an incredible team.
Brett: Sure. It's absolutely the case. I am very proud and frankly, humbled by the people we've been able to pull together as part of this team. And they're people that have been in the industry for a long time, known as the innovators, known as the good and the fun people to work with, and I think we all know what we mean in that world of restructuring and everything else that goes on today.
Our CTO is Michael Frendo, and Michael was one of the original creators of the voiceover IP business at Cisco originally. He's had a number of other stops along the way including, he ran Juniper's secure networking business. The guy that hacked the ATMs on stage at the Black Hat Conference worked for Michael. More recently, he ran global engineering for Polycom.
So, Michael brings a lot to the table from an engineering perspective. We have people like Mark Bakies, who ran product management for voice over IP at Cisco. And in fact, he had the notoriety that he did more EBCs than anyone else at Cisco one year. Over 250 EBCs in a single year. Andy Miller, former CEO of Polycom, Tandberg, IPC, and sales leader at Cisco is part of the team. Todd Parenteau, my co-founder at Spanlink is joining us from an operations perspective. Julie Runda's running the marketing for us. She used to do services marketing at Avaya.
Nick Adams is running salesforce. Nick was the CRO at CafeX and prior to that, a number of different sales leadership roles at Avaya. John Proctor recently joined us to run channels. John is covering building up that channel organization and he previously ran all the channels for BroadSoft and had a channel role at Cisco after BroadSoft was acquired by Cisco. Who am I missing, Alex? Did I catch them all?
Alex: No, I think you covered the list pretty well.
Jim: Well, great. You certainly fill a void in the marketplace. We've got some serious, serious problems out there. We all know with identity, identity theft, and it sounds like you've got a solution for the problem. So, thank you and I look forward to following your company. Maybe we'll have another podcast in a few months after you've had a couple of big wins under your belt and we can talk about the next phases of your business.
Brett: And maybe we can even do a podcast face-to-face, in person with a nice glass of wine alongside.
Alex: Wouldn't that be nice.
Jim: All right, guys, thank you.
Brett: Thank you.