Event Recording

The Path To Going Passwordless


So, as I was starting to introduce there, the idea of the presentation is to frame the issue at hand, to define what passwordless is, which I think Martin has probably already done rather well anyway, but also to talk about what it isn't, because as with any new market there are going to be lots of vendors out there trying to adapt the message for the product they already have into being somehow a passwordless tool. Some of them will be telling the truth, some of them perhaps not. And it's important to understand what a true passwordless solution ought to look like. And of course, what are the pain points that we're seeking to address? What problems does it solve? What benefits does it bring, both to the organization and also to the user? We'll take a little look at what it's going to look like in our upcoming solution.
And then of course we'll talk about that very important part of what's coming next. So the problems with passwords are myriad. Up to 50% of help desk tickets, and therefore help desk expense, is essentially wasted on dealing with password-related issues. Average users have, depending on whose research you consult, anywhere from 30 to 190 passwords, and even the low end of that is really quite high when you think about it. And it's not surprising as a result that 81% of breaches involve weak or stolen credentials. That number's been slowly decreasing over time, for some reasons that we'll talk about during this presentation, but it's still staggeringly high. And of course, among those 190 passwords, we would love to tell ourselves that on all of the different cloud services that our users use, they definitely don't reuse their corporate password, and their corporate password is definitely really, really strong.
But of course the evidence would suggest that in reality, when we look at breaches like the Instagram breach, users are reusing their passwords all over the place, and they really like "12345". So we really need to address the fact that when it comes to the balance between security and usability, from the end user's point of view, usability often wins out. And of course, none of these folks who had a password of "12345", if you went up to them on the street, would say, "Hey, I'd really love to be hacked today." Of course they would say no. But how far they're willing to go to mitigate that risk is actually limited. And so the challenge is on us as IT security practitioners to try to make that gap as small as possible. And that's why we think passwordless is going to be such an important tool in our arsenal to do that.
So what is passwordless? How do we define that? For us, passwordless authentication is the idea of removing the shared secret, the "something you know" factor, from multi-factor authentication, and instead relying on something you have and something you are. There are a lot of benefits to that. The "something you know" implies you need to remember it, so that's a challenge. And as Martin showed in one of his slides, when you're using a password it's also a shared secret. So part of that "something you know" is stored somewhere else, on a remote server somewhere; not directly, usually a hash of it, but there's still a risk that if that remote service is compromised, there's a risk to you as a user. That's bad too. So for a bunch of reasons we want to get away from that, and instead start relying on something you are, which is immutable and hard to steal, and something that you have, i.e. a device, which can be relied upon to securely store cryptographic material.
So that's our definition of passwordless, and that's important because you're going to see vendors out there who do things like privileged access management, which is, by the way, a great thing to do in a lot of cases, especially where non-user-interactive stuff is going on, try to rebrand some of that as passwordless, because they can obfuscate the password from the user and just replay it in the background. That's a great story to tell from a usability point of view; the users are going to love it. But in terms of risks like pass-the-hash or other kinds of breaches, it actually doesn't really mitigate those. And so it's not quite truly passwordless from our perspective. So why are we doing this now? Fingerprint readers have been around for ages. Why didn't we do this five or ten years ago?
The problem is one that's really easily seen in the adoption of fingerprint readers on smartphones. They've been around forever, but if you wanted to do it in the past, you needed to buy a particular proprietary technology of some kind, you needed to deploy it across your estate, users certainly didn't have one in their own homes, you needed to provide it to them, and not everybody used the same standard. Now, on the other hand, Apple comes out with Touch ID, the first fingerprint reader to really gain traction in a smartphone, which most people now have. It uses secure key storage, it's based on an open standard, and now everybody has one in their pocket that we can take advantage of. So if you want to go biometric in your organization, now you don't need to buy everyone a fingerprint reader.
They probably have one, or a facial recognition scanner, in their pocket already. So they're used to using it, it's easy to use, the barrier to entry is low, and the security is much, much better. And so we achieve this balance of improved security and improved usability with a greatly reduced expense. That's why the arrival of these devices and the standards that allow interoperability is the "why now" moment. All of that's come together and we have the perfect storm of "we're ready".
But it's not all roses. There are some challenges. We talked already about the definitions and a lot of buzz in the market. It is undoubtedly true that there will need to be some education around the variants of what passwordless is, just as back in the early days of multi-factor authentication we used to have to have discussions, and sometimes we still do, about why, although SMS and push-based asymmetric cryptographic MFA are technically both forms of 2FA, one is way more secure than the other. Those kinds of conversations are still going to have to be had in the world of passwordless. Also, it's a journey. IT environments are complicated, and as we'll see in a second, there is some low-hanging fruit for passwordless, and then there are some things that are really on the top branches that are going to take a little bit longer to effectively solve. And because the technology is relatively new, user experiences are going to evolve over time as well. We're going to learn what users really respond well to and what they don't. And anyone who's done research on that side of things will discover that sometimes what users really respond well to is really counterintuitive. So we expect there to be some journey there as well.
So let's look at our vision for what we think this is going to look like. The goals really were, again, as we talked about, ease of use and improved security. And for us, the really obvious low-hanging fruit is federated applications. It's another great example of achieving an improvement in usability and an improvement in security, so much so that most users, and even some IT administrators, view single sign-on federation as a convenience to make signing in easier and faster. But in fact its goal was completely different. Its objective was to stop having users send all of these reused passwords to all of these SaaS services that were popping up all over the internet, because then our security was only as good as the weakest of the websites I reused my corporate password on, even though I wasn't supposed to.
We wanted to centralize it. We wanted to bring it back to a central source where there was a single password. And then with all these SaaS applications, we wanted to establish cryptographic trust relationships using certificates and keys so that the user's password, as Martin said in his presentation, didn't travel. The password didn't travel; it was the key, or signatures based on the key, that traveled and established those trust relationships. And then we could centrally control that identity and the password associated with it. Well, we looked at that and went, that's fantastic. All we really want to do in the world of passwordless is take it one password further: eliminate that centralized password, establish a cryptographic relationship there, based on a biometric, and we're good. So that's going to be where we target things first, and we want to secure the entire journey, and we want to be identity agnostic.
One of the other great things about integrating with federated applications as a first step is that many of those solutions, in fact nearly all of those solutions now, be it ADFS, Duo, Ping, Okta, everybody, are all using standards like OAuth or SAML or OIDC. So the interoperability is great. It allows us to be really agnostic about the actual source of the identity information. It allows us to control how we roll out to different groups of users. And of course, in a worst-case scenario, it allows us to fall back on other methods when passwordless isn't a fit. Most of these solutions certainly support a password, many support smart cards; there are all sorts of other options there, so that for the odd exception we're not stuck in a solution that's purebred passwordless-only, where if you don't have the right device, we can't help you. It allows us to be really flexible.
And of course it's easy. Users already view single sign-on as a tool that makes their life easier, and the idea that they may not have to enter a password anymore either shouldn't be too hard to get buy-in from those users. So that's our vision for how we start off and what the low-hanging fruit is. Let's take a look at what it's going to look like. The first experience a user's going to have with passwordless is during enrollment. The assumption here is that we may have seen this user before for regular logons, but we may not have biometric information for them. We've probably never seen their face or fingerprint. We need to enroll that in a way that's secure and trustworthy. And so the transition, as we go to log into some particular application, is that we're of course going to enter our username.
We're going to enter our password, because that's how we know the user at this point, having never enrolled them for passwordless. We're also going to do multi-factor authentication, because we want to verify that we're really dealing with the person we expect to be dealing with. At that point, once we've verified that user, and we know that they're on a device that's trustworthy (and Duo has numerous ways of verifying the trustworthiness and posture of the device), we may then choose to offer them enrollment in passwordless. The beauty of that is it's really just a couple of clicks. Based on the device the user's using, they'll be given up to three or four options. The first will always be to use the Duo Mobile application as their passwordless authenticator, assuming that device is capable of doing Face ID, Touch ID or some other biometric authentication. If they're on a Windows device, they'll be offered Windows Hello.
If they're on a Mac device, they'll be offered Touch ID, and on basically all devices that are capable of doing so, they'll be offered the option of using a FIDO2-compliant security key, because again, we're doing this as a standards-based thing; we're using existing standards like WebAuthn, and of course everyone else, from Windows Hello to Touch ID, supports that as well. So the user in this case is on a Windows machine. They choose Windows Hello; Windows Hello pops up and verifies their identity. In the background, the magic that happened is of course that a private and public key get generated, and the public side of that key gets sent to Duo so that we can send challenges to them in the future. The user simply sees a tick box and they're done. So now it's time to log in, and they come back to the application, or they go to another application
that's integrated with Duo as well. We may or may not remember their username from the last time we saw them, but we certainly don't need to ask them for a password or MFA anymore. We simply trigger their enrolled passwordless method, in this case Windows Hello, verify their identity, and they're in. That's all there is to it. The end user experience is absolutely fantastic. And when tied with single sign-on, we may not even need to challenge them for the passwordless logon for other applications, depending on the policy you set. For a period of time, assuming they stay on the trustworthy device, in the location they were in when they logged in, on the network they logged in on (that's another thing we're going to be looking for, potentially), they're just going to get access.
It makes life really, really easy, but of course it's far, far more secure. But improving access security requires more than just passwordless. We're not quite done just saying, "Hey, I got rid of the password, I'm good to go." The current situation looks like this. The worst-case scenario would be that you're just using a password. If you're using MFA, so much the better, but if you're using different solutions for different applications, that's a real pain to manage. We could do this; it'd be better, it'd be more secure, but then the user would have to enroll multiple times for multiple applications. And so we've already said the ideal way to handle that is to go with single sign-on. But if we stop there, we've still got a problem. A lot of the passwordless methodology depends on the trustworthiness of the device.
If I can't evaluate that, so that I have to provide the user with a corporate device in order to have any visibility into its existence at all, there's a huge cost associated with that, and it's going to make rolling out passwordless really difficult. So we want to add a couple of extra things in here, most of which, thankfully, Duo already has. We want to roll out device trust. We want to be able to look at even the personal devices accessing our environment, which became even more prevalent in the world of COVID, with everyone working from home, and we want to be able to do some checks on those devices and get some picture of their compliance. We also want to have a net around the applications we're accessing so that we can do continuous risk detection and say, just because I let you into application one doesn't mean I'm going to let you into application two.
I can have different policies, different granular factors I assess. And the goal is to say that if I see something I don't like, or something changes, for example, as I mentioned before, you change networks, you were at home and now suddenly you're in Starbucks, I want to be able to cut that session off, or step up authentication, or do something like that. And when we put all that together, we end up with this model of continuous trusted access. That is really the goal for Duo with the passwordless solution. From there, of course, we want to expand it, and the first two places we're going to expand it are thick clients with embedded browsers, think most of the common VPN clients, and we also of course want to do passwordless authentication from the desktop logon.
So the moment you're logged into your device, you're just logged into everything. Obviously it's a bit more challenging the more you get towards the client applications, because some of them are just hard-coded to expect a password. And so we want to be able to wrap those in protection and potentially use other methods to get you into them, such that if they support something older, like Kerberos, we'd be able to do that as well. And of course add the risk-based authentication to that as well, so that not only can we block you if we see something that's wrong, but also the flip side: if everything stays the same, and you're at home, and you're on a trustworthy device, why are we going to bother you? There's no need. We can just leave you alone, which makes everyone's life easier.
All of this is a waystation on a journey that is going to go a lot farther. And where we think that's going to go is true digital identities. The reason for that is it solves a lot of problems that passwordless starts to address but doesn't get us all the way there. Right now, as we saw in the enrollment, one of the things we need to do is fall back on username and password to enroll you, because of course, when you put your fingerprint on your phone, if we've never seen it before, we don't know it's you. How do we know that it's you? Wouldn't it be great if, in fact, based on that same kind of cryptographic technology, we could establish an identity for you as an individual that you carry and store, that can then be used to enroll and issue credentials like passwordless credentials to you in an interoperable way across other systems?
It's not a revolutionary step, it's an evolutionary step. And the three things that we really need for that are strong cryptography, biometric authentication, and auditability: the ability to see where our data is being used and how it's being used, and to have, as an end user, some control over that, and at least a record of how it was used. And all the lessons that we've learned in modern MFA can be applied to digital identity. All we need to do is take that one step further and say, the user who controls their password right now, and controls their multi-factor credentials right now, should also control their identity. And we should simply have ways of validating that and then using it. And so the model is not all that different from what we do today.
Today you might have a credit card that's issued by a bank. It's given to you, you go to a merchant, you try to buy something, they verify it via a trust relationship they have with the issuer; they'll connect to the issuer and check it. There might be a governance authority that establishes the policy for that. And as a result, you get to use your credit card. In this new world, we simply make all of that digital. We have a governance authority that sets the rules for what your digital identity is. We have an issuer who would issue you that digital identity. And you can then use that to provide proof to a verifier like Duo, or like any other service on the internet, who can validate you without having to ask you for a username and password.
Instead, you establish that cryptographic relationship and you're good to go. It's not a major change, but small evolutionary changes can make a massive, massive difference. And so there are a number of foundations that have popped up over the last few years to try to develop, just like FIDO, an open standard that everyone can use. Trust over IP is one of the bigger ones that's coming together, and a lot of major players have gotten involved with it. The goal is to handle individual identities, but also how that's going to deal with legal entities and all that kind of stuff. There are a lot of major players involved, from Microsoft, IBM and Mastercard; Apple's bringing it to iOS 15, for example. They've done a deal in the US that you'll be able to digitize drivers' licenses across,
I believe, all 50 states. Over here in Europe, Deutsche Bank, Commerzbank and ING have created a thing called Lissi, which is a tech demo of their version of this. And so it's actually really moving ahead at a pretty quick pace. And the first step on this journey, from any perspective, is passwordless. That's why we think it's not only important for today, but it's the foundation of where everything is going in the near future. It allows us to solve a lot of problems out there in the market, from a security point of view, from a user point of view, but also from a privacy point of view and a portability point of view. So there's a lot to it. And the ideas behind passwordless are really the foundation for this. And I think it's really quite exciting, because it's the first time that identity is starting to take into account the fact that we live in a digital world, and the plastic cards in our wallet are really not the most secure way to do things anymore.
And it's not speculative; it's coming. For me, if you had asked me a few years ago when it was coming, I would have said probably in five to ten years, and now it's looking like one to three years is probably the actual timeframe, and I think that's pretty exciting. And that's it; that's an overview of where we think things are, where we think they're going, and why we think passwordless is really the important next step. Thank you very much.
