Hello everyone. Thanks for joining. This is our monthly identity and security meetup that happens every month. This is our July edition. We are streaming in YouTube live and I have some housekeeping tasks to do before I introduce, get into the business. So thank you, Okta, for sponsoring this meetup. The platform, the YouTube channels is all sponsored by Okta and today I'm something about me. So I'm Pradipa. If you have regularly seen the meetup, you would have seen me in my past meetups. If you have to reach out to me, you would reach out to me via Twitter and LinkedIn. And today I'm joined by our amazing developer advocate from Japan, Dyson. Would you like to introduce yourself?

Hi, thanks Pradipa. Hi everyone. It's good to be here. My name is Dyson. I'm a principal developer advocate at Okta, focusing on the Customer Identity Cloud powered by Auth0 and I'm based in Tokyo, Japan. I wanted to join last time but I got a flu so this is my first time to join. So I'm pretty excited.

Thanks, Dyson. I just pray to God so that you don't fall sick this time. So thank you. Thank you. So code of conduct. So if you are in subject of any violations of the code of conduct or please contact me or reach out to me via the meetup event. And we have updated this slide with privacy policy. So please go through this and then see how your database is being used and what is being done with your, what is Okta's privacy policy. And as always, we are actually looking for speakers. We usually run two speakers every month. Anybody who is willing to give a shared experience on identity and security, be it Firebase, anything and identity and security like if you're interested, if you want to give a full-on demo, just reach out to me, submit the CFP for this, reach out via this URL at the QR code and then we can schedule it for the subsequent meetups. I also wanted to introduce about an Auth0 ambassador program. This is like to empower developers to create a community. 
This is for the developers who are passionate about being contributing to the community. Like if you want to write a blog, if you are passionate about giving a talk or going to the conference, this is something that you do. And then this aligns with your identity and security. Do apply for the ambassador program and then share your passion and then you might get eligible for an ambassador. So ambassador has its own perks. You go to this website and then see what are the perks for it. You also have a developer newsletter. So what the DevRel team is doing every month and what are the conferences we are going. This gets published in our newsletter. So do subscribe to this newsletter to get the latest updates. Just housekeeping, please leave your comments in the YouTube live chat. We are monitoring the comments for any questions related to identity and security or regarding the talk. We will get to it at the end of the talk and at the end of the session. Without further ado, let's get into business. And this is our talk of first talk of the evening. Cyber security, protecting your business and protecting your code. This will be done by our amazing ambassador, Lax. He is a web developer and also an open social service guest. And he did a lot. So Lax, the floor is all yours.

Hello. Hi, everyone. Thank you, Pradeepa, for the introduction. Thank you, Dyson, for keeping us live on YouTube and everywhere. Vanakkam. Namaste. And I don't know how you say in Singapore or wherever you are. Good morning, good afternoon, and good evening based on your time zone. I am Lax. I'm a web developer currently working as a backend engineer at Web Dev Studios. I'm more interested in cybersecurity. You can say I'm a student. I'm learning cybersecurity and through ambassador program, Auth0 in Okta, I've got a chance to learn more. And I'd like to share some of my experiences and tips with other fellow developers. 
So for today's talk, I always feel like we have tools, we have experts around us, but there are certain details or certain topics are kind of overlooked. We don't have talk or we don't create awareness amongst cybersecurity. So that's why I always keep in my topics as just broad and simple instead of talking about maybe a specific tool or a specific software. I keep my talks around just giving an idea or interaction about things. In this talk, I'll be talking about how we can, I mean, we in the sense of business owners, or you are a key decision maker, or you want a business, or you are planning to start a business. And also, if you are a coder, a developer, senior developer manager, whoever you are, how we can protect our data and why it is important. So first, a quick intro is like cybersecurity and intellectual property. So we all know cybersecurity related issues like vulnerability, threats, we got security issues or attacks and you found a bug fixing it. So all that stuff that we hear and we experience or see around us. But let's see what are the important data that needs to be like protected and what's your role as a business owner or as a developer? And how, let's see what are the stuff that's to be protected and how we can protect it. So I would like to start with internal documents in the sense it you can consider this as your company's assets. So if you are a small business owner, solopreneur, or like you have a startup, or you have an idea, you have a co-founder, whatever it is, you can, you might be having your internal documents right from a proposal document or to anything up to your project template, your employee training documents. Any document that you are using for your business is an intellectual property and that should be protected and should be accessible only to you or at least it should be protected by law. 
Otherwise, let's say you hire a vendor or you hire a freelancer and you share the document with them and they could easily make a copy of it and just replace their company name or their name and use it right. So that's where this kind of stuff comes into the intellectual property and also as a cybersecurity expert or as a business owner how you can take control over it. And another stuff is like your customer data or user data. Let's say five people are working for you. All of their details is your assets and then your customer data. You have a paying customer or somebody who's just giving it, taking the trials and someone who just signed up for the newsletter. So everything is your own data. You earned the data and you should keep it safe. And if you leak, if you have any like data got leaked or you know, there's any data being misused or something like you will be under trouble. And then another stuff is like a product. Whatever product or service you are doing like you might be having a further enhancements, features, even bug fixes or you might have some other services or planning to add or do something more in your business. Let's say you call that like a pipeline, you might have some plans down the road like in the next two years, we will be releasing this plan in the next five years, we'll be doing this one. All that stuff, you might be sharing this with your marketing guy or let's say a SEO expert or whoever you hire and work with, but they should not use your data. It's your business data, it's your asset. So let's see how we can prevent this from happening. So these are the data, some examples of data to be protected. Usually as in, I hope most of you who are watching this stream online now or who are going to watch the replay, I hope most of you are developers or business owners or persons who are interested in the cybersecurity. 
But we all understand or we all think like when we say data, we'll be like, oh maybe it's like my finance documents or I did a survey, I have a survey, the results of my surveys, I want to keep it protected, not just that, right? Even if you have email subscribers, that's still data that's bound for protection. And let's say you have your employees data and still it needs to be protected. So let's see how we can protect one by one. So let's say if you are just starting out or even you are a developer, like let's say you are a PHP developer or Python developer, whoever you are, whatever language of your preference. So you might be saying like, I understand all this, but I don't understand the compliance or I don't understand certain stuff in the cybersecurity. It's just a jargon to me or you are a business owner or you are an investor, you are investing in this company or you are planning to buy or buy a product or service. When you read their service document or how the product works and everything or their security level, you might find some tech jargon, right? But you should be able to understand it. Not like you don't have to be an expert, but you should be able to understand, oh, okay, this is a hash and this is an encryption method. Basic stuff, you don't have to explain it or you don't have to understand all the like five types of encryption or like how to decrypt this one, not like that. But at least you should understand what is encryption, what is a decryption, what is a SSL or like things like that. Some basic stuff related to security. Then at least you will know, let's say you get a notification from your software and you'll know, okay, this is in a problem. Or if you see somebody else like your competitor site or competitor's app has a problem, then you will understand, oh, this company doesn't have this in place. When I have my product, I want this to be my top priority. I want to fix this stuff. I don't want my software to have this problem. 
So how you can understand the jargon? Like let's say if you are trying to learn finance or taxes, whatever it is, even medical terms, anything that's a jargon is like you may not able to understand it in the beginning. Even if you read, you may feel like, I get this stuff, but after reading, you might get lost. That's where you can use AI now. Your favorite free or premium AI tools come up with the option like explain me, for example, let's say a phishing attack. So you can say, explain me phishing like how you do for a five-year-old. So it's going to explain what is phishing in a simpler term or like explain phishing to my grandma, something like that. You can give that prompt and it's going to give you more details. You can start like that. It's a very basic or a silly example, but you can use that for any stuff that you want to learn. So this is how you can get started. Once you learn or familiarize with the jargon, then you will feel like, oh, I know how this works or I know what type of, at least you know how to search or how to get more information out of it. You should know at first what category or what type of attack or what type of infrastructure that you need or software or tool to use. And then you can start from there. And then you should restrict user access. Let's say you have a software and there will be like a few types of users are accessing stuff. You should restrict access. You can have access levels or you can like roles, capabilities or whatever that defines your purpose and the business goals. You can restrict them either by accessing the entire section of the software or the program or you can just restrict certain pages or certain actions like some users cannot delete this data, some users can just view this data. Certain people only can edit the data or even if they edit, you can save the edit history and things like that. 
So whatever software that you use, like for example with Auth0 or Okta in your login, you can see, you can set up user metadata or user roles. So that way you can restrict and it comes with other software too like whatever that you are using you can set. Another simple example is like Google Docs or Google Sheets or any Google product or even Microsoft as well. So whatever product that you are going to share with others, you may be sharing with their email or within your company and you can give them access like whether they can view, whether they can comment or edit. So that same restricting the access and this will avoid any potential leakage of data as well. Another thing to do is like you need to rotate access keys and tokens in the sense. So for example, you have API keys or anything that you need to ask users to regenerate, make it automated. So let's say maybe every 30 days is a good duration. You can based on the data, you can set it as either like one month, two months or whatever that works and then have some legal policies or processes involved. This is coming from my personal experience. I do some consulting or I did more even web development like kind of a freelancer in the past. Sometimes I do also consulting like people come and ask what type of software to use or either can be SEO-related stuff or whatever it is. So people come and just ask me get help and they get paid, but they don't have a proper non-disclosure agreement or something. It's just verbal. I assure them that I'm not going to tell anybody that I worked on this project or I offered my services for them, but it should not be the case. It should be like you should have a paperwork done earlier when you start the project. So if one party goes in the wrong direction, you will have some control over it. Sometimes you might be outsourcing your work to some other agency or some other person, some other professional. So there might be a breach of code of conduct or like agreements. 
So you should have agreements so then only you know what is being violated or fix it and this applies to cybersecurity as well. Whatever data they should not be given to others, whatever data should be protected that you can own. Another thing to do is like you should monitor your stuff, whatever software that you are building, whatever business that you are running. You should have alerts. Alerts in the sense I'm saying notification can be either emails, SMS or a dashboard message or if you are using Slack or Microsoft Teams or kind of any other collaboration software, you should be able to get a notification there as well. So this way your team or you will be informed like oh okay somebody is trying to log in or some service is down so or some other package or software that you are using is outdated so you will know this is something that needs immediate attention. You can go and fix it. And this is kind of a biggie because a lot of people miss this one, mostly small and medium enterprises because for them they don't have multiple departments, they cannot offer that much and some business owners especially who are starting out and they are the superheroes, they like to do many things at once like they are their CEO, chief everything officers, they do everything right from recruiting to, they might be working as a virtual assistant, they do all that stuff for their business. So there's a great chance that they may not be properly off-boarding a person. So for example you hire a person to do something and maybe you may not restricted their access like you may not for example you hire a guy to fix a bug and their person might be able to still log into the website because you didn't delete or remove that user access right. So that includes past employees or contractors and also third party vendors or any other service that you are using. So have a proper off-boarding system, make sure that your business data is safe. 
And let's move on to the next part or the last part of my talk. So this is about more on the business side and this is now we are going to talk about how developers, engineers or CTOs kind of people, how we can protect our code or our software. So there are incidents that people log sensitive data like you see like maybe Next.js or other frameworks as well, other mini software as well. We collect some data for analysis like how whether we to understand the user experience we collect data, right? So but we should not collect any sensitive data. So you can collect the persons maybe a browser or what which version of the app they are using so that that's okay. Non-sensitive data is recommended but you don't have to collect any sensitive data and you may not have any malicious thing in your mind. For example, you may be collecting their user's name or password just for maybe your security audit or let's say you are trying to understand how secure the passwords are, something like that. So you might be doing it for some other purpose, a good purpose, but if some attack or somebody is accessing those logs and maybe if their intention is wrong and then your business name or your reputation is at risk. So I can show you one example that happened in the recent time. So why you WordPress first, because I'm sure some of you are who are watching you will be like, oh WordPress, I'm a Java developer or I'm a .NET developer. I'm not into WordPress, sorry, that's not for me, but it's like WordPress is being used by 40% of the internet and whether you like it or not it's like it's kind of a powerful content management system and it's open source. So with the size of the volume, let's say 40 percentage of the internet, so you can get you know more statistics or some other interesting stuff from the WordPress space. 
So let's say you can see a million of sites logged plain text passwords in their log and that's through a security plugin so that's you know it's like I think I have used to this plugin or at least hear it or watch the demo or something it's it's not a that kind of a poorly coded or something but somehow they had a log and that log stores plain text passwords that's kind of ridiculous or that should not happen right especially for a security plugin. So things like that so if we avoid this kind of sensitive data being logged or captured or you know being shared unnecessarily then we can avoid one kind of a security or data breach. And then we need to follow coding standards and protocols every framework every language every programming language comes with its own you know coding standards and recommendations. So if you follow that it gives you some idea like for example if you want to add a new feature or if you are fixing bugs bugs or anything that gives you like you know let's say you have a version 1.0 and you want to upgrade to like a newer version or you are using let's say 10 15 different dependencies and you want to upgrade it and if you don't follow any coding standards or if you don't follow the set of protocols you will be in trouble like your app cannot scale right it's not just for scaling or not just for adding new features it also applies to security stuff. 
For example, let's say you are using Auth0's old or legacy code and then if they release a new SDK or a new version of the SDK and if your code base is totally like, I don't want to call it like a spaghetti code, but like or cowboy stuff, that's that's more a common term, right? If you are doing the cowboy coding, like you do whatever you want in just, if you don't follow any standards at all, not only you, even your teammates or even your senior or engineering manager or a CTO cannot go and fix it because it's like it takes time to read and understand what your code does. But if you have follow the standards, it will be up to the standards, everyone can go and easily read and help you. And regularly update your credentials. This is like API keys, access tokens, like you might be installing packages, that packages might have its own access tokens as well, or whatever repo, like either GitHub, GitLab or any other Git software that you use, it might have their own access tokens, right? Things like that. So you should keep rotating it, so just to avoid, that way it's like your code base is secure. And as a beginner, sometimes I used to even just add my access tokens or something in the repo itself. Like it sounds silly or you know, still it happens because beginners don't know, like they learn through mistakes and that's how it works. So you don't have to share your credentials anywhere on the internet. It's like that's just for you and it should be like a server variable, like you don't have to store it or add it to your repo like in the Git or anywhere. And with AI and with the more power tools that we have, we should automate more. So what you can automate? You can automate your scan your code and then, like how GitHub Dependabot does, you can check if your dependencies are up to date, if anything has a vulnerability issues or if anything is out of date or any other stuff as well, like you can go and automate it. And now with the tools like AI tools like Codium or other any other free tools available as 
well. So you can write, you know, automated testing, you can write unit tests and you can automate deployments, testing and all any other stuff and it will save you more time and as well like it will help you to be more productive. And this is something that I always say in most of my talks, it's like you get help and help others. So Auth0 has a community forum and it's related to Auth0 and it's and their products and it's also like you can ask questions about security. And like whatever package or anything that you use, you can go to their repo, like if they have a GitHub or any public repo or a support forum, feel free to go and ask question, even in Stack Overflow or anywhere. Ask questions so others will know, okay, this is not just me. Like, you know, somebody might be already struggling that they experience the same bug or same issue they are running into and they will be like, okay, it's not me alone. So you ask questions, that's how everyone people will know, okay, this is a bug or this is an issue or you might be doing it wrong. That's how you get help. And once you get help, please share it with others. It can be a YouTube video, YouTube Shorts, it can be like Instagram stories, you can share it in LinkedIn or if you are just don't want to write more you can answer the questions in Stack Overflow or in your blog or anything, whatever is easier for you, or at least help your co-employees, sorry, colleagues, help your colleagues and stuff. So the more you get help and the more you help others, so you will be you will be becoming an expert in that topic, in that software on the framework. So that's how everyone learns and grows. And also go with a more open source approach. Like you can have always have your premium or paid version of your software, have a separate package or a plan, but as much as possible you can, if you have time in the bandwidth, try to be open source. Like you write a package for a software, let's say you have an SDK or you come up with some other cool simple script, it can be a 
very simple script or a package or anything, just share it with others. Going open source will help you, like more people will take a look at the code and they can see like, hey, this is this could be a security issue, and that's how we can learn and improve. And this experience will help you with your day job or you know whatever project that you are doing. And I know it's like today you might be a developer, I'm sure in future you're going to be a senior developer or manager or CTO or you know you can be starting your own business or your own company. So all that stuff, that's how start with you know getting help in helping others. So these are some resources. I think Pradeep is going to is going to share these documents along with the slides. So these are some resources and that you can get some help about cyber security. It's like an introduction or start and that should be good for both business owners and also how to protect your stuff, how to protect your code or anything. And thanks, thanks for joining today and if you have any questions please add in the comments and I'll try to answer or I'll at least find you all within the you know in the right direction. You can reach me at lax at laxmaryopen.com or on social media I am laxmaryopen everywhere like Facebook, Instagram, LinkedIn and Twitter and everything. See you, thanks.

Thank you Lax, thanks for the awesome talk on the cyber security. Yeah, I whenever I see this cyber security we feel like you know it's a very small thing, it's like oh I know all this stuff, but like you mentioned like the developer committing the credentials like AWS access keys and they are going to the GitHub, those are all very basic things to take care. So yeah, yeah, anybody who is like starting to think about your own code, not like you know this is not just for the business owners, like be the developer, be responsible and then make sure to rotate your credentials, not share plain text passwords or store the password, put don't put this password in a sticky note 
share it with your colleagues. I'm sure you have done it or at least heard of it. So that's that's also all the things that comes to my mind. Dyson, what do you remember when you say cyber security, what's the first instance that you remember?

Well actually you know my wife can't remember the password or cannot use the password manager, so she has a long notebook with the whole idea and password. So it reminds me you know that it's not best practice but uh some people do that, you know, don't start to have like IT skillset, so the system needs to yeah need to enforce the security things, you know. And I do agree that you know that not many companies have the automation stuff, so while the employees are off-boarding there's some sometimes we forget that those people you know still have access. So it's one thing that we need to keep in mind, you know, on-boarding and off-boarding stuff. So it's pretty much yeah.

Yeah, you have to use an IT provider that just like makes it very easy breeze in and breeze out of doing the on-boarding and off-boarding or just really invest on the tools or build your own tools. Uh security is not something that you have to compromise, uh you have to pay a large price at the end. Thanks, thanks for the enlightening talk, uh yeah see you soon. Thanks, thank you, thank you, thank you, thanks for joining me, thank you. Nice, and it's time to introduce our next speaker. Uh so how to use Singpass and uh digital ID to authenticate. I came across this talk in API Day Singapore, I'm so excited, so I invited Sachin to present this talk in our meetup. Uh so I'm going to introduce Sachin. Uh so he's our I'm so excited to have him as an Auth0 ambassador, he's just joined as an ambassador this month. Uh he has around 17 plus years of experience in the IT industry, currently is working on platform engineering. So if you have any questions on platform engineering and uh Singapore's digital ID or use any other government's ID, uh not just uh the Singpass, it's going to be the same, so you can ask the 
questions right away. And without further ado I'll just pass on to Sachin. Oh Sachin, I think you are muted, so please unmute yourself.

Hi everyone, sorry for this, I was speaking but I believe nobody was able to use. Okay, hi, my name is Sachin. I've been working in IT industry for 17 years and today we will go through how Singpass uh you can use to authenticate and work out there. Singpass uh before we get into it, first disclaimer: all this content is my personal learning while working on Singpass and my company and their business have no linkage to it. That's something which I always like to share. Okay, Singpass uh is a digital ID which every Singapore citizen and residents gets it. Uh Singpass have one more consultancy that is uh Corppass, that is for if you want to have B2B where government manage your complete uh if you want to authenticate from one business to another where you want to do a digital process and you want a digital ID out there, so Corppass is used. When you're going for individual, Singpass is a service which you can do. Singpass is managed and governed by a government technology agency or GovTech, which is one of the eight statutory national project driven by the Singapore Smart Nation vision, okay, which have more than 200 organization, government and private, which basically where uh you are providing a service to citizen or resident of Singapore and you want to have a digital identity or digital way of interacting in there, Singpass is uh used extensively out there. So knowing Singpass will definitely help you a lot. So this is a fact sheet about Singpass uh and this is a QR code, you can scan this QR code and know about that. Uh still I will go through each of them. So they are majorly four uh fact sheet about it. It's Myinfo, it's an individual user info. Whenever any user logs in it will be prompt to him to uh whether you want to share his information, if he allowed that so you can avail Myinfo, and at the end we will have a demo where we will cover this part of Myinfo, how 
exactly it will happen out there. Second will be Myinfo business. As I told in the previous session that Singpass do have B2B options we call as Corppass, so if you want to know a business information and who is the entity which will be working on that, that is done with Myinfo business. Third is SG uh SG Verify, which is a way of doing authentications. There are multiple way by which you can do the authentications. You can use face verification where uh if you have a face reader, uh mostly it is used uh where you want to authenticate uh if you have a secure environment where you only want certain type of people to be allowed, and so you can use uh face recognition and only after that you want to allow that, okay, so you can do that. Second is QR code base where uh you will be shown a QR code and uh from mobile phone we have a Singpass when you can scan and once you uh uh approved you can do the login out there. So even in QR code there are two types of QR code, static and dynamic. Static QR code does not change and it is not advisable to do that, however dynamic QR code is used most of the cases in the business cases right now at least, okay. And if you don't want to go ahead and you want to go to the old way of having a username password way of that, we call as password login, you can use that as well and to work on it. The fourth service which is provided by Singpass is digital signature. If you have a business case where you want to have a digital signature or signing of contract or you want to authorize that this specific person have done that specific activity, you can use Sign, which is one of the features provided by Singpass. So Singpass is mostly used for two cases, we call a Singpass process flow: one is onboarding process and second is uh SG login. What is onboarding process? For example, if you go to any bank when you want to open a bank account, so what really bank means is it's need your identity, but if you are doing digitally or if you are doing online then in this case 
you go to Singpass and authorize that specific bank or any other digital service that okay, take this informations of might to be shared with that specific business and you can do the processing out there. Second is just for the login purpose, where you just give your credentials and login and after that you don't want to use that, you want to have your own role base process where if that specific user is there and on the time of onboarding you decide okay which role you want to do and want to move ahead. So that's a second process which you can do for it. So if you want to do Singpass, the information which will be provided by Singpass organizations versus the information which client have to provide: Singpass will give you the client ID and TLS server authentication certificate, which you can see out here, the client ID and the TLS certificate. As a customer you have to provide what will be the origin, what will be the redirect URL and what mode of communications you want to perform out there. When you're working on SG verification in UAT and production, or we call a staging or production, we have to provide authorization detail in the header, okay, in the request header. While we will show the demo it will be we'll be using the environment and or it's also called a sandbox, so in case of sandbox it is not required, you don't need to provide this information out there. So how exactly the onboarding happens? So on the browser you go to the any partner applications, okay, it will you will be prompt to it, you say it's okay, you will be shown you want to verify it, so you be redirected to the authorization server, where authorization servers push you to the Singpass, where it will be prompting you which mode you want to authorize yourself, whether you want to go with QR code or you want to enter your username password or if there is a place where there is a face recognition is possible so you can go with that. So after you do the authorizations it will you give your consent saying that okay yes this 
information is, I want to go. It will go to the server, it will generate the code, the authentication code, and the callback URL, which will be given to the application, and the application can use that token and the PKCE code verifier and that information to get the token information and pass this token information; with that it can go to Myinfo, collect the user's information which has been authorized by the business, and give the information back out there. So let's go to the demo part. For example, take the example of Elizabeth first. She is the user who came to the portal and she will log in, so she will get a QR code out here and she will open her mobile phone, you can consider this is there, and scan this QR code on the mobile phone. I think I have to refresh. So again, as you know, right, whenever you have to give a demo you will be getting some of the issues. Let's try again. Let's take the case of Elizabeth and we move ahead. Let's scan the code this time. Yep, we pass the scanning and ask the application. So what is happening at the back end? Let's also go through that before we say yes. So this is our base URL, this is our callback URL. I believe if I don't approve, it will go back, so let's say yes. In the meantime, let's go into detail out there. Okay, so what we have done is, this is the base URL which we have been there, and this is our redirect URL, this is the encoded format. This is the client ID which we have discussed initially. This is a nonce which was there. You remember that when we talked about QR code there are two types, static and dynamic, so we have used dynamic. The signature method we use is RS256. The state is one of the values which is used, it is demo kos 3. So these are the timestamps for the start and the end out there. Okay, so how exactly the URL will go when you are making the call. Okay, as we discussed in one of the demo, that we go for the header; as it is a demo we don't add it there, otherwise we have to provide the header at the same time. So we provide this
information, it calls for signatures, and after that the callback URL, and after the callback URL this is the information which we got: the status with the access code. Okay, with the access code we make the call again; with the access token we make the call again and get the user information out here about the user, and this is the information which we are displaying out here. So that's the verification part. Let's go for, okay, SG login. SG login is where we just want to use Singpass only for authentication purposes; we don't want the user information out there. Here what we want is just to get the token, and after the token is done we want our activity to get into it. Okay, so how exactly this part will work is, we'll go to the authorization part and it will redirect to the user's browser, that you have to go to this specific site and get the token out there. Once we do the authorization out there, we come to the Singpass application and we will be provided with options. We perform that, and once we pass the authentication it will go to the application and the user can work out of that. Here we are not taking Myinfo about the users, we are not taking their details out there, we are just proceeding further. In a normal business application scenario, what we really do is, once we take onboarding, we don't want the user's information next time; we just take the authentication, we have our key, and we proceed further out there. So for this let's go to various applications. So what we do is, let's take a login example out here, where we're just logging in out there, where you will see a login prompt out there, where we enter the Singpass pop-up of dynamic, and I will connect, I will scan this QR code from my mobile. After I scan, it will ask whether you want to authenticate this user. I will say approve. Once I approve from my mobile phone, it will just redirect out there; it will not ask the business detail out there. What happened? Okay, let's try again. So it
brought to the side, and as it is containing confidential information, I do that, and back to the screen. So all the references which I have taken out there are from these two sources, which you can refer to out there. Thank you for all the sessions. Thank you. Thank you, Sachin. That was an awesome talk. I was curious how to use Singpass, because that is mostly used in Singapore in most of the government sites, like in IRAS and stuff. So Singpass acts as an authorization server here, is it? Yes, it acts as authorization. Okay, looks cool. The demo looks cool, and as always, the demo never works the first time unless you offer prayers to the demo goddess. There's what I really, sometimes things go fast, sometimes it takes time. Yeah, so we always pray to the demo goddess and then say okay. That was fun, that was good, that was a good session. Yeah. Is it possible to integrate on an upstream to another identity server with Singpass, or is it? That is, yes, you can do that, but that is where onboarding comes out there. What people normally do when they are doing the onboarding is, they take the user information and go to a separate authentication where they are used. If you go to the bank, they don't use Singpass after you do onboarding out there. So what they do in onboarding: take, say, previously what we used to do, we used to go to the bank, we used to give our identity proof, you have to give your address proof, we used to give our earning proof. So with Singpass you don't have to provide all this information; this is already available in the government. So when you go for onboarding, you do onboarding out there, give all this information, because it is shared by the government out there, it is already verified and it is genuine. So once you have done that, you can use Auth0 or any other custom authentication in your application and move ahead. That's the reason we have two sections, where it's onboarding
where you don't take Singpass for authentication purposes; you just use Singpass one time, gather users for eKYC purposes, and once your eKYC is done you go for your own authentication and work out there. There are certain applications, just like IRAS is using SG login to authenticate, and they don't go for onboarding because on the back end of the system they manage internally out there, so they take it from the back end system. I think maybe because IRAS is still linked to the government on the back. Yeah, it's already, so they take it from the governments of his bus and they move ahead, so they don't use onboarding. So it differs case to case, where your business case is more suitable out there. Okay, yeah, that was a very good session. Thank you so much, Sachin. Please keep sharing with us more exciting things on Singpass whenever you, yeah. I again, I thought I have much more time, I have still 10 more minutes, I could have added more content to it. No, the onboarding would be a very, what you said is right, we could have included a, yeah. No, we can have our session only for the onboarding and then see. Definitely something which is a mistake itself, it's, yeah, it starts with the client, it becomes a four-hour session for us. It's actually difficult when we have to integrate with the Singpass stuff, because that data is protected, right? Yes, protected, but see, there is one major thing: lots of times what we get is that when we go for Myinfo to get the user information and the customer feels that this is confidential information, they deny. The moment they deny, the process is all closed. Yeah, okay. So then the customer comes back saying, "My onboarding failed, you are asking these details." So there are times when we are doing onboarding, we go for custom forms, where after onboarding we have our own custom modules where we take certain information where consents are required. We know the client will deny certain
information, where lots of people are very reserved about sharing their annual earning out there. But if you're going for a credit card, they require this information, right? Yeah, to give you a credit score and do on top of that. So this part they don't take in Myinfo; they take it separately. Oh, okay, so we can actually filter the information. There are almost around 32 fields out there which Singpass provides you, or we call them attributes. So there are 32 attributes which you can get from Myinfo, in the case of both Myinfo and Corppass as well, or Myinfo business. So you can take that information and you can put it when you are asking for what information you are giving the consent. So when you're asking for the consent, you define what are the attributes which you want to give to the business to be allowed. Okay, that makes sense, because you have the power of denying it. Yeah, that's what I was saying, so once you deny it, then we have to go through the overriding process, right? Yeah, so it will be off, currently what most of the businesses are doing is, they are going for offline mode, where they're sending a separate form, where we build a separate form for the same customer, because at times the customer really feels hesitant to provide this information. So we have an offline module where we send them that: okay, we'll fill this form, upload it, and we will take it from there. Okay, nice. Yeah, this is exciting. Yeah, thank you so much. It's nice to go ahead with that. Yeah, thank you so much. Yeah, thank you. Dyson, do you have anything else to share before we wrap this up? Okay, yeah, so a couple of things I want to share with you guys. So we're gonna have Oktane in October and we are going to have the developer days at Oktane, so we're gonna have the developer-focused event alongside Oktane. So if you're planning to come to San Francisco or go to San Francisco, yeah, which I'm planning to, please visit the day at Oktane, because we're
gonna have a lot of activities, talks and special things. Also, we're gonna have the event page, so I'm gonna be sharing some info, so Developer Day is coming to the Oktane thing. Let me share the link in the comments. Also, our developer advocates are going to a lot of events, so if you want to see them, you can find the events where they are going to next. Yeah, so I think those two things on my part, but you also have some announcements there, right? So let's go ahead. Yeah, so CityJS Singapore is happening, so if you are in Singapore and you want to meet me or, you know, say hi, I'll be running a free workshop on Auth0, on how to implement passwordless, how to do the MFA, and also I'm giving a talk. So you can go to the CityJS conference website and then find the schedule and the venue, or just ping me on Twitter and then I can give you the details. So I'll be there next week, 26 and 27 and 28. Yeah, just come say hi if you're in Singapore, and hope to meet you all. Yeah, I will meet you at that CityJS. Thank you. Thanks for taking a photo and then show it to everybody. Yeah, that's all I have for the announcement. Okay, so I think this is a wrap of the identity and security meetup in July, and thank you, and thanks, Sachin, for joining our events, and thanks, Pradeepa, for posting this event, and thanks to everybody who's watching the, you know, amazing meetup. So please close the round. See you all next month. Bye.