The paradox of simplicity is that making things simpler is hard work. - Bill Jensen
Building strong passwordless authentication from scratch can be very time-consuming. Integrating the necessary infrastructure into a typical password-centric identity code base increases code complexity exponentially. Well-known user flows also have to be changed and extended with new authentication options, which poses significant challenges for developers: they have to get it right, and make it as simple as possible for the end user.
In this talk, we highlight possible pitfalls and necessary considerations when implementing the passwordless FIDO and WebAuthn protocols. You will see how a cloud-native approach can simplify the integration of passwordless authentication and ease the requirements for developers and product owners of any online service. You’ll also learn how to gradually migrate existing users to the new authentication methods in a frictionless manner.
Join us to explore three possible abstraction layers we’ve identified to take the complexity away when dealing with FIDO and passwordless multi-factor authentication. These range from a managed FIDO API and SDKs up to a fully-fledged passwordless-native identity provider that can be integrated via OpenID Connect. We will also share some useful extensions of the FIDO standards we’ve identified when building our passwordless user experiences.
Felix Magedanz, founder and CEO, Hanko.io
All right. This session will be about FIDO, FIDO authentication, FIDO for developers. So a bit of a developer perspective, without going into the technical details too much.
Today, a few words about myself. I already said it: I'm the founder and CEO of Hanko. I'm active in the FIDO Europe working group, where we are driving the marketing efforts mostly, but also creating white papers about FIDO and its applications in banking, for example on the PSD2 requirements. And I also recently joined the FIDO2 technical working group. So there's no talk about FIDO without the P word, passwords. Bill Gates predicted their death in 2004, so 17 years ago. Let's see where we stand. 2 billion credentials are stolen each year from servers.
So credentials, meaning passwords, mostly. In 81% of the cases the data breaches themselves are caused by weak or stolen passwords, and the cost for a company impacted by a breach like this is around 5 million. So I ask you a question: why is every login today still looking like this, 17 years later, and many technology steps later, with WebAuthn and FIDO2? These screenshots are from last week, so it's pretty much the latest we can get, and all of them have a password in it. So it's not passwordless. We can have an experience like this.
You enter your email address. There are instances where you don't even have to do that, but I skip that for today. The next would be a Touch ID or a Windows Hello or a biometric authentication on your Android device, and you're in. This is the experience that is possible today. So this quote here, I found it and I like it. Making things simpler is actually hard work. And we came across this, and of course everyone involved in the FIDO efforts will agree to that.
Creating an experience for the user as I showed is very, very much work to do. And I go through some steps that have to be taken care of when implementing FIDO.
And yeah, I just guide you through it. Andrew mentioned this in the last session as well about FIDO: how to log in on a new device. This is one of the key questions you have to ask yourself. So with FIDO, the credentials are bound to the device you are actually using in that moment. So you go from your laptop to your phone; what do you do? There needs to be some form of fallback authentication mechanism today. There's no way around it. Next, WebAuthn platform authenticators.
So the technology that drives the experience I showed, they are available to around 35 to 80% of all users, but not a hundred percent of our users. You have to make sure that you also create an experience that caters to the other 20 or whatever percent of users that are not able to enroll their platform authenticator.
Next, I get that a lot: registering a 2FA platform authenticator does not make your account 2FA protected. If the fallback authentication is still a password, your account is protected with that password. Make sure you know that. And the next thing is, and this is maybe an answer to the first question, you can switch to passwordless alternatives.
And one hot topic today is what we call passlinks. Some companies are calling them magic links. So this allows an account to be created and to be used on a new device, without a password.
But to make your account 2FA protected, you also need additional steps aside from the passlink. And this could be, for example, a FIDO security key. When you integrate the platform authenticator, you almost have everything to also support security keys, and a security key would be a perfect second step after a passlink, if your audience is suitable for that. Next, you have to integrate a FIDO application stack. There are solutions available on the market.
We offer one of them that has SDKs and integration plugins for all major platforms, but you always should start with UI/UX planning. How is the user experience impacted by rolling out FIDO to your users? This is what we always propose to start with. Next, most users have, unfortunately, never heard of FIDO or WebAuthn. So you have to be careful how you tell this new feature, how you announce it to your users.
And as I said already, don't build your own FIDO stack. There are solutions already available, open source projects that are well maintained.
And also, like I said, we offer for example a WebAuthn API backend that does everything that needs to be done, and you can just go ahead and build your application logic around that. And of course, I think the highest, the best, and the least code involved will be when you use an OpenID Connect identity provider that has native support for WebAuthn already integrated. So migrating is my third point I want to dig into. For migrating existing users, we propose an intercept like this.
I don't know if you can read it, but it is on the legacy login and you tell your users: you can enable, for example, Touch ID, if that would be on a newer MacBook. You can enable Touch ID. Do you want to use that to sign in faster next time?
And yeah, this is what we do with our implementation and we see good results with that. It is also in line with the latest user experience studies that have been done by the FIDO Alliance.
And yeah, the first point I already talked about. The next thing that is very important, and there have been some studies by a German fellow on this, is that you should tell the user that the biometrics are stored only on the device and never leave the device. So this helps with building trust for WebAuthn and FIDO, and of course, yeah, will give trust to your application as well. And as I said already, consider support for security keys, if you can, if your user base allows for it, to have really strong 2FA for platform authenticators, but also for the fallback authentication mechanism.
And I close with something I said is a PSA. We will offer Hanko Identity. That's our new product. It will be the world's first passwordless-native identity provider. So we built an OpenID Connect identity provider that is not based on passwords, but it is based on FIDO and WebAuthn.
And yeah, I mentioned it: passlinks for fallback authentication. We build that on top of our open source authentication API that consists of a certified FIDO server. Yeah. And I think it's perfect, in the first step at least, for greenfield projects, startups, everyone who wants to go passwordless and doesn't want to deal with passwords at all. That's it from my side. Thank you.
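The fallback point made in the talk (a platform authenticator does not make an account 2FA protected while a password path remains, and a passlink alone stays single-factor until a security key is added behind it) can be made concrete with a weakest-path model: an account is only as strong as the easiest sign-in path an attacker can choose. The following is an added example written for this page; it is not code from the talk or from Hanko, and the method catalogue, factor labels and ranking order are constructed assumptions.

```python
"""Weakest-path model of account assurance.

Added illustration (not Hanko code): an account is only as strong as the
weakest sign-in path an attacker can choose. The methods, factor labels
and ranking below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Sequence, Tuple


@dataclass(frozen=True)
class Method:
    name: str
    factors: FrozenSet[str]      # independent factors this method proves
    phishing_resistant: bool     # origin-bound (FIDO) vs. relayable (password, link)


# Constructed catalogue of sign-in methods.
PASSWORD = Method("password", frozenset({"knowledge"}), False)
# One-time link e-mailed to the user ("passlink" / "magic link").
PASSLINK = Method("passlink", frozenset({"email-possession"}), False)
# FIDO2/WebAuthn platform authenticator with user verification (Touch ID,
# Windows Hello, Android biometrics): device possession plus local UV.
PLATFORM_AUTH = Method(
    "platform-authenticator",
    frozenset({"device-possession", "user-verification"}),
    True,
)
# Roaming FIDO security key used with user presence only.
SECURITY_KEY = Method("security-key", frozenset({"key-possession"}), True)

# A login path is the sequence of methods a user must complete to sign in.
LoginPath = Tuple[Method, ...]
Rank = Tuple[int, bool]


def path_rank(path: LoginPath) -> Rank:
    """Rank one path as (distinct factors proven, every step phishing-resistant).

    Tuples compare lexicographically, so a path proving fewer factors always
    ranks lower than one proving more, regardless of phishing resistance.
    """
    factors = set().union(*(m.factors for m in path))
    return (len(factors), all(m.phishing_resistant for m in path))


def weakest_path(paths: Sequence[LoginPath]) -> LoginPath:
    """The path an attacker would pick: the lowest-ranked enabled path."""
    if not paths:
        raise ValueError("an account needs at least one login path")
    return min(paths, key=path_rank)


def account_rank(paths: Sequence[LoginPath]) -> Rank:
    """Effective assurance of the whole account = rank of its weakest path."""
    return path_rank(weakest_path(paths))


def describe(rank: Rank) -> str:
    """Human-readable label for a rank."""
    n_factors, resistant = rank
    strength = "multi-factor" if n_factors >= 2 else "single-factor"
    return f"{strength}, {'phishing-resistant' if resistant else 'phishable'}"


if __name__ == "__main__":
    scenarios = {
        "legacy: password only": [(PASSWORD,)],
        "password kept as fallback + platform authenticator": [(PASSWORD,), (PLATFORM_AUTH,)],
        "passwordless: passlink fallback + platform authenticator": [(PASSLINK,), (PLATFORM_AUTH,)],
        "passwordless: passlink + security key fallback + platform authenticator": [
            (PASSLINK, SECURITY_KEY),
            (PLATFORM_AUTH,),
        ],
    }
    for label, paths in scenarios.items():
        weak = " -> ".join(m.name for m in weakest_path(paths))
        print(f"{label}: {describe(account_rank(paths))} (weakest path: {weak})")
```

Running the scenarios shows the progression the talk describes: adding a platform authenticator next to an existing password leaves the account single-factor and phishable, because the password path is still enabled; replacing the password with a passlink removes the knowledge factor but the account is still single-factor until the fallback path itself becomes passlink plus security key.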