In this engaging panel session we will explore the critical topic of Identity Resilience in today's rapidly evolving threat landscape. As organizations face increasingly sophisticated cyber threats and regulatory challenges, the resilience of identity management systems and practices is paramount to safeguarding sensitive information and maintaining trust in digital interactions.
The panelists will share insights, best practices, and real-world experiences in building identity resilience to withstand and recover from security incidents, data breaches, and operational disruptions. From implementing robust identity and access management (IAM) frameworks to adopting advanced authentication methods and leveraging threat intelligence, our panelists will provide valuable perspectives on enhancing identity resilience across diverse industries and use cases.
Furthermore, the panel will explore the role of Zero Trust, AI and Decentralized Identity in bolstering identity resilience and mitigating emerging threats.
Okay, so welcome to our panel discussion. I guess we should start just letting everyone, every participant to quickly introduce themselves and maybe start with some kind of a, an, an eye opening statement on this whole subject of identity resilience. And let's start from the left to the right. So please.
Okay, well, so I got the short straw. I don't have to go first. Perfect.
So iop, so the eyeopening thing on identity is that, you know, part of my identity is actually is working for RSA, I've been at RSA for 22 years, right? So I'm the field CTO of RSA. My name is English Schubert. So part of my identity is the work, which is for many of you as well, I guess.
So yeah, if that's eyeopening for you. Congratulations. Otherwise you have to come up with a eyeopener. Now I'll try my best.
So yeah, currently, so working for IC consultant more than one and a half years now. And yeah, I thought about this topic and I say, okay, this is the old thing I did. So I was also doing mobile banking, mobile application development for, for private equity banks. And that's more of a topic that I had during this day. How to prevent users doing stupid things. And I really love ZA and mobile phones for accepting every fingerprint when you have to write a display protection foil on it, which they delivered at some point during my career.
And that was a lot of fun to deactivate in biometrics in the app and a lot of happy customers. Here we go. So Rita Bachman working since 20 years for One Identity, Quest Software, Dell Software, name it. So we changed the name many times. Still the same company, still the same contract, left 20 years. The internal IT because of being boring about not doing what we should do to make the company secure. My name is Lucas, I'm from Negro in Switzerland and behind the governmental identity hubs, we are the largest identity hub throughout Switzerland.
My name is Fabian Valle, I'm the co-founder and CEO of Keyless with the leaders in privacy-preserving biometric authentication. One fact is that face ID or local biometrics aren't really authenticating a user not tied to a real world identity, but just unlock the device that you're using. Well my name is George Pinto. I'm an incident response consultant working for St. Paris based in the Netherlands. And one of the eye openers is when people contact us for help is that we always try to understand what happened, maybe even why. And the answer is we don't know.
In other words, make sure you know what's going on in your Active Directory and also be prepared to do the thing when the worst occurs. My name is Beck. I'm a distinguished architect in of eBay in identity, also building up engineering teams here in Berlin.
Eyeopener, maybe it's interesting how we at this community talk about the most sophisticated authentication factors, the wallets, passkeys, all of that, but most of our users are still satisfied or, or just basically use passwords and don't even know what a passkey is. Okay, thank you very much. It was a real great opener. Just to remind you, this is a panel discussion. It's supposed to be interactive both for the onsite audience and the online one. So I need to show, be taking care of the questions. So let's see what we have from the question list.
Yeah, I, I would like to start with David, you mentioned about stopping people from making mistakes. So what steps can these people take to protect their personal identities in an increasingly interconnected world?
Yeah, so basically we're doing it right now pretty wrong. So protect a bit of your data. So we're running around with barcodes, barcodes right now and our names on it and also the company.
So yeah, try to minimize your attack surface, of course. Yeah. Try to not spread everything about your personality online to, to keep, keep the attack surface low, but also try to protect yourself by, yeah, using a device, by using biometrics. So even if you're using MFA, if, even if it's not the most sophisticated one or it's not really, doesn't really have binding and everything, it's still more secure than just using your password and, and being open for, for social engineering attack.
Now, who wants to go next? Anyone to add anything to that In terms of disclosing information? In this world today, everybody publishes all kinds of everything on the internet without even understanding how it can be misused and it can be misused in many ways. And like this gentleman said, many of their users, his users are still using passwords. Everybody has passwords. I hate passwords, but it's a fact of life. They're still there and they, for many companies won't go away anytime soon. So even from a sense, you could also say visibility could also be a sense of vulnerability.
'cause the more you publish, the more the other guy, the bad guy has to attack you. So if I think we all agree, keep publishing information as low as possible, an eye-opener made like saying that water is wet.
But again, it is true. The more you publish online your users, it's going to be a bad thing.
And yeah, it's Important. I totally agree with you.
I mean, one, one thing to add to this, we at eBay we had an, a internal talk from a social hacker that we invited. And I'm sure if you google for their, for social hacker, you will find them on YouTube is really interesting. So it's a woman who tried to hack someone's account without their, they they were basically sitting next to them. The reporter was sitting next to her and she called their telephone operator company and she had a recording of a crying baby in the background. And it's like, oh my god, my baby's a crying.
Sorry, sorry, I, you know, could you help me? I forgot my password, can you just reset me? And oh my god.
And, and she also used information that the reporter published on on his LinkedIn and Instagram and Facebook and all of that, like where he was born and other information that the, the security questions were asked to the social hacker. And she was then able, I think she changed his, his flight ticket, it was Las Vegas to the middle seat and took all his miles from his flight account. So he was not quite amused about it.
Maybe one, one thing I can add, so with the work with several European banks, we're finding most of the account takeover fraud issues or many of the account takeover fraud is happening through the call center, especially with crying babies or things in the background, putting some pressure and just trying to to social engineer and get the, the PIN code or the password. SMS OTPs another big challenge.
And yeah, what we are finding is that approaches that exist today, be it the SMS OTP or aki, they don't assure the genuine identity of the person when it comes to biometric information. Another thing, no, especially not in Europe, we are seeing the same in the US happening.
No entity wants to store and hold personal identifiable information, especially sensitive category PII on their service or with a third party and those, yeah, new device binding journeys, account recovery journeys where your bank may mandate you to physically show up in a branch or you get an activation code sent via letter to your home address. So these are all journeys that are so complex today because it might be the best solution aside obviously a private biometric yet to truly authenticate the actual user.
So yeah, For us it's quite challenging to convince our customers and users to make use of any kind of second authentication factor. It doesn't matter what what it is, it doesn't matter whether we motivate them by any incentive. So we cannot get them to use anything what is above or stronger than the password.
And, and this is for me a cultural problem because people just believe that whatever they do with it, with the internet remains safe. And this awareness problem needs to be tackled in a much broader sense. I think there is also something other like ChatGPT because people started writing their CVs whatever in ChatGPT to get nice letters for new jobs. So they put a lot of information in the end in the internet, which can be hacked or get by everyone. The same about flight tickets. There were some cases where people put picture of the ticket in Facebook with the code of the ticket.
So there are a lot of possibilities where people put things in the internet, not just personal information like pictures, everything. It's the same. Yesterday when I went out here in Berlin, a lot of people, tourists, they film during the walk through the street. So they never asked me, for example, if they allowed me to be in their film with all their communities behind and watching that I walk or pass by. So that's Just a, a few hours ago passed by how Many of those Exactly.
Yeah, that's why I took my off when I leave the event. And a lot of people, they keep it, you see a lot of people running around the airport by the way, after an event having the badge on. So there is a lot of possibilities to get your information in the end. And I think we need a bit more awareness on all these things in the end.
Sorry, but what is it in the end that kind of drives people to all these stupid activities? You, you just said earlier that everyone hates passwords, but everyone uses password. Like everyone wants to be private and yet everyone's run is running around with their badges. So what do we have to address? What do we have to raise awareness of, human stupidity or No lazy, nothing else. It's easy. So I think most, most of the people, it's just, they're lazy. It's easy. It's the same with password.
How, since how many years we try to teach people to have different accounts, different passwords. There are tools around like password manager, whatever, but especially older people, they have the same easy password for everything. How many people change the pin of their credit card by the way? No one. So by the way, myself as well.
So, So, So I think it's, it's it's conservation of of energy. You don't like to change course, you know, change the, your behavior, how we do things and, and that prevents many from, you know, it worked before, it works now. Like what's the problem? And this is what the attackers actually then, you know, use to gain access, do fraud. But I like to just to, for the individual security, I like to just point out that there are many, many really non-technical users, right? We are all experts, we are all techies, right?
To a certain extent, but there are so many which have no idea how things work, right. And they often get forgotten also by us. Yeah. Like we talk about, you know, Fido and all this and and MFA and for them it's like, you know, I have my password written down here. Yeah. And then they get scammed. Yeah.
And, and then I, I see like, you know, in in, in like tips from like police like ah, you know, you have to, with your, with your grandchildren, you know, have a code word, you know, so it's like bullshit. That would never work because they, the attackers create those high stress scenarios. Yeah. So I think we need to also take into consideration that, you know, for certain groups of people, you know, things are still too complex. Yeah. And then for example to, you know, avoid fraud.
Like, you know, somebody like, you know, send me money because your, your grandchildren is in the jail or whatever, should I say, nobody will ever ask you for money. Full stop. Yeah. So just have practical things and easy way to, to secure them. Yeah.
Again, we, I think we as an industry often forget that they're, I wouldn't say stupid, but very non-technical users out there, right? And this is one of the reasons why those new fancy things don't get picked up the way we would like them to. Right. Based on what that gentleman at the end said, I don't think it's all about stupidity. It's about not realizing what can occur.
And like that gentleman said regarding the request for money through WhatsApp or selling side or I don't care, something, hey, I'm your daughter and I forgot my phone, I have a new phone number, can you please make transfer money? All that stuff. It happens continuously in the Netherlands with young people, older people. And it's a huge amount of money what people lose. And every single time it's surprises me that if for example, I would approach a person on the street asking for money, nobody would give me a cent.
But if I'm one of the attackers behind a computer asking people for money in a conning way and a smart way because I know I have some information, then there's a chance of getting money. And after the fact we can all say it's stupidity. Sometimes it is, but it's people not realizing what's going on. And I agree also, there are too many, well not too many because you can't really do thing. Something about it. Many people not they are non-technical. My mother-in-law, which is se 76, her passwords were really, really bad. Everything was reused all over the place.
But I taught her to use a password vault, how to use that password vault to generate passwords really, really long. And if there's anything that is out of normal, just hang up. She has been called a few times by a guy being so-called being from Microsoft. Well on the other hand I manage her computer so she can't install anything but okay, she has to call me. But I taught her look for the weird things that are just not common. And as soon as you don't trust it, just hang up. Don't do it.
If it's, if you made a mistake, we'll fix it later. Yeah.
Just one, one last word and maybe for me before we maybe have a next question, so, so let's replace stupidity with complacency. So that's what it is. Yeah. People just don't care. It's not comp stupidity, it's complacency. But like you said for for eBay for example, how to get people into two factor, make it more secure. We have to make it fancy, it has to be easier than a password before. And this is now coming up. So with passkeys, there's a huge chance to make things a bit more easier to log into eBay.
So for me, I'm lazy. I don't want to put in my password for eBay. I don't want to put put in my password anywhere. So no matter matter if it's consumer or if it's work. Yeah. And then this makes it more easier for people and if I just go to my parents as a good example, but also to other people and say, okay look it's easier with passkeys now you just do this once and then you just smile into your mobile and you're logged in and it's more secure than it was before. It's not the securest. Okay?
We are never gonna get it 100% secure, but it's more secure and that's how we are gonna get people using those things. So we now have to wait for Google, for Microsoft, for Apple with the standard. And I hope this will help to get people finally away from passwords because I'm luckily away from passwords, at least with some certain mobile consumer markets. Yeah. There we go. Thank you.
Moving on, I would like to now tap into identity resilience. So what impact does the convergence of physical and digital identities have on identity resilience and how can it be managed effectively? Maybe I start quickly. I think it is very important to tie a physical identity to a digital identity in order to assure the genuine identity of the person, which a passkey or a local biometric doesn't do.
And ultimately it just unlocks the device, especially in regulated industries or financial services for use cases where you secure high value transactions, changing your address information, making high value payments, strong customer authentication under open banking. PSD2 requires that anyways, especially account recoveries and device bindings requires a binding of the digital identity to the real world identity because after Christmas everyone gets their new phone. If that happens, the old phone is just lost or the the app is deleted, device binding is gone.
So banks are sending activation letters, pay their KYC providers. Yeah, yeah. Some money to, to redo the KYC or you have to physically show up in the branch. It actually happens to me a German citizen. I bank with a community used to bank with a community bank, a local bank in Germany. I'm not resident in Germany. The activation letter never got to my home address. That was during Covid and I couldn't fly. I had to wait six months in order to fly back physically show up in the branch, show them my new iPhone to tie that device to my account.
I could log into the main banking app, but especially in the DACH region, many banks still use a second token app for payment authorizations. And I couldn't bind that new device to that second token app. So in that context, binding my real world identity to my digital identity that it could reuse across devices and not just bind that to one device is very important. So you brought up one good point regarding the local biometrics versus the end-to-end biometrics and and the connection to re legislation regulation, which is something that we also spent quite a bit of time.
And you may, the question is like why are people hesitant with, why are certain people hesitant using biometrics? And I have a good anecdote. We were discussing with, I was discussing with my lawyer, well the eBay's lawyer for SCA, so someone who's not technical but who is really familiar with this space. And I asked her, well do you use passkeys?
And she's, no. And I'm like, why not? Well I don't want to hand my biometrics to Google or Apple. And it's a fundamental misunderstanding that they are not uploaded to to Google's or Apple's or our servers ever. We don't see them.
We, we see a challenge response. We, we don't, we don't see the biometrics never ne never leave the secure enclave of the phone. But it shows if she a person who's super smart and familiar with the general area of SCA thinks this I'm I'm sure a lot of people still think it. So I've Oh sorry.
No, no, no, go ahead. Just one thing I'd like to mention around especially FIDO and, and binding that to a person, those synced passkeys circumvent that to a huge degree. Right. And synced passkeys if you don't know Yeah. In in your Google account or Apple account, you know, it's synced across all your devices. Yeah. Which is a bit of a problem, especially when like with Apple, you can actually share the passkeys as well. Yeah. Which is like, yeah. That just blows all over the water. Yeah. And I think especially in enterprise use cases, yeah.
That is not on the radar of many that if you lousy passkeys Yeah. You are completely relying now on on those third parties.
Love em, hate them. Yeah. But the fact is that, you know, you basically hand over the keys to some other process and yes they are, you know, secure, they encrypted and all that, that's fine. But the fact is for account recovery and all that, you're suddenly relying on somebody else. Right. And with the whole sharing of passkeys, which I think is horrible, that actually just enables like all different kinds of attacks as well. Yeah. And that's something that, you know, the FIDO Alliance frankly rushed out and never really implemented or like designed controls around that from the start.
And I think that actually is a problem and that will actually become a bigger problem the more passkeys are used. Well I totally agree with all what my colleagues told so far in an idealistic future world where technology is sound and everyone is using this future technology reality is completely different. Wherever we see multifactor authentication, most of the people make use of an SMS or something like this. And this is basically the binding of the SIM card to your physical identity.
And recently we have experienced quite a lot of these SIM swapping attacks where we have problems in the processes and procedures before that people do not do the real authentication, for example, in the store and the targeted attacks that take place, they, they are quite common nowadays 'cause we have so many different telco providers or SIM card providers, basically that issue with very lazy controls and, and this destroys the whole chain of trust. And so I totally agree in the future world, 20 years from now, we will be safe, but up to that point we will have a really harsh way. Yeah.
And it's, it's really hard to, to keep those, like you said with I, I actually, I know this scenario. So also when we had issues with some mobile devices, so patches, you get a new Android version, they do, they change the binding, they do a new algorithm and then suddenly all your customers have a, a key, a secure key that's not working for the device anymore. And then you have to roll out like a bazillion thousand letters to the customers and they're cut off from their bank accounts for one week at least. So this is really something also we have to, to keep in mind.
We have it secure but it's not convenient again. So there are ways now around it. Now we get in Germany finally the AWE app. So you can use your, your ID card. Some other states are way ahead of us from the German region to also authenticate yourself with your local id. So that can be used again to show the bank. It's really you of course it can also be insecure to some point, but that will help in future to re-enroll the people if they do these stuff, if they, they start to de-install their, their application or just lo lose their mobile, the, the mobile is damaged.
But until then it's always the weakest point. So you have to wait for your letter or you have the service desk again, which can be used for, for big frauds again. So we're back at 0.0 again if we want to make it more convenient. Thank you. I want to take this opportunity to see if anyone in the audience has any question right now. Okay. So maybe moving on now we talked about individuals, but what about enterprises, especially the small and medium enterprises who have limited resources? How can they tackle this situation?
Well For me the, the crucial thing there is that they do not know what is the real problem. And, and whether you go to some painter company or so one person companies, they have no idea what it really means. They have no idea about regulations and whatever is provided to them, they consider helpful and useful. And many of those people are not aware of what are the problems with passwords, et cetera. And they do not even understand the basics of, of technology like firewall.
There of course it's just about awareness, how you create awareness, how you come into the, into the situation that in Switzerland for example, we have no, no 99% of all legal entities we have, they are one or two person companies. And these are the real targets that need to be protected. So it's about awareness about spreading the word and helping them. The main focus about the discussion is, is continuously identities and looking at the question that was asked, what can people do these days to secure their environments?
Smaller companies or mid-size companies for example, let's take Active Directory. My belief is that the default install installed Active Directory is by default insecure. You have to secure it and there are many things you can do without buying third part, a third party tools. Third party tools are definitely worth having them because they provide lots and lots of functionality that are by default are not available. But what can you do yourself, I'm gonna talk about it tomorrow during my session, but to, to already give a few things is for example a tiering model.
If it on the internet, there's a lot of information about creating a tiering model out of a very high level tiering model is nothing else than segregating your administration to different levels. Tier zero for the highest tier, one little bit lower tier two even lower, and then you have your users. That's about separation of administration. I was just talking to a gentleman when I suddenly realized I was talking about tiering and then I realized, wait, in my belief when I'm talking about tiering, it is also about hiding information.
A few minutes ago I made the comment that visibility is also a certain vulnerability. So when you create your tiering model, you also should also think about hiding the identities and also the groups that are part of that identities so that an attacker cannot see. Why is that important? In Active Directory, every single user can see anything and because they can see anything, they can obviously look for the crown jewels and then try to attack you in one way or the other.
If you hide the information, it's not visible, they're not not easy accessible and then they have to do more effort to get it. Another one is, for example, LAPS a solution from Microsoft that is for free and that prevents lateral movement because by default, if you don't do anything, every single adminis, sorry, system might have, has the same account but also the same password if you don't do anything about it, which is tricky and because it's from images and then it has the same password.
If you use LAPS solution from Microsoft, you can make sure that every system has its individual account and password. Therefore you cannot move from one system to the other. There are many things out there that can help you. So make sure to use them. So one thing, especially for small and medium but also for larger companies is I see unfortunately many times they didn't even do the basics, right? Right. So it's proper risk management, risk assessment, classification of data, classification of users, you know, is your help desk secure, do you have a service catalog? All those things.
I mean they are like, you know, simple in a sense when you are small or medium sized, I mean they get really complex when you're large, but you need that, that's the foundation. How you make a decision, how to protect a certain thing, data user doesn't matter to which extent which level. Yeah. If you don't do all that, that's your homework. You need to do that.
I know we, we all did this. Yeah, we all do this. Yeah. But many of maybe your customers or other companies I, so I go in there and I go like, I wonder how did you work? How did you get so far?
Yeah, we're not doing this. I mean there are all these great solutions out there talking about risk and like you know, the proper levels and different Yeah. That you cannot apply that because you don't know, you know what you have, what you protect in which way. So those basic things which are super boring sometimes, but they're so important because they're the foundation where you can build all the other stuff on top on. Yeah. Yeah. So first of all, I don't think it's boring ino. Yeah. So I think you're completely right.
Do the basics, but also in my mind, so what I like to tell people is it's all the always the human thing. So what will happen if you will get, get hack. So where will they start? What will is the worst thing that can happen? Imagine you will have a really, really bad day. How will this bad day look? And that always helps people to realize, oh shi, if they, if they get inside this system or this is really insecure, this is something you have to have a look at. So do the basics but also maybe play a lot around with their heads a bit and and try to engage them in the conversation.
See, okay, this is really something that will really make a really, really bad day for a company and that's where we should start first. And then also they start already thinking about what will we do if really something hits the fan. Yeah. Will not swear.
But yeah, what will I do if I then finally get breached? I act so I have a plan ready? How do we prepare for day zero? But what's the most important thing? And what's even the basis of basis thing is to then also for the co consumers, it's hard to teach them, but at least for if you have employees, then do some trainings. Yeah.
Try to, to phish them, try to scam them and try to make them really, really paranoid and try to be, make them aware of what can happen when they click an email and then just be glad that's an email that came from you to just trick them a bit. There You go. Thank you. Just a follow up on that one because I love what you said. Yeah. It's like ask those questions which are like really uncomfortable.
Yeah, you have, especially when you use cloud providers, you have to ask yourself the question or your customer, I'm not sure you know what type of users are in here, but what happens if your cloud provider gets compromised because they will get compromised. Yeah. Guaranteed. So what do you do then? What's your plan?
Yeah, I mean yes you would need to plan like for an outage, but what is hap happens when they get compromised. Yeah. And that could be anything. It could be a basic, you know, is service provider could be a security service provider, MFA service provider doesn't really matter. Yeah. You need to have a plan for that or your customer. Yeah.
So one of those uncomfortable questions to ask, Maybe one, one last comment on back to the basics doesn't only apply on the consumer side also in the, in the corporate side, I'm sure many of you have heard about the, the deepfake talked about gen AI or gen fraud, that tricked a finance worker in Hong Kong to wire 25 million into a fraudsters account. But then you may also ask yourself how is it poss what's the business process for sending $25 million upon the CFO showing up on a zoom call? I'm sure there should be checks and balances for a wire transfer of 25 million in any organization.
So that's back to the basics as well. Yep. Okay. So if you still don't have any further questions from the audience or We do,
Speaker 10 00:32:07 Yeah, just something that kind of listings where you guys, I'm fully with you, I fully get everything that's that that you're saying here. But one thing that's crossing my mind, and we haven't really spoken much about AI here this afternoon and all the other sessions have been, I'm just wondering if you take the theoretical part of what's happening now with AI and LLM that an assistant is gonna be available to sort of everybody.
So would an assistant to your grandmother, an AI assistant be something that would help her be more compliant and less stupid? Also for, for businesses that don't understand this, would an AI assistant help them set that up? Or is the risk of putting your information into the AI outweighing the advantages of the AI being your guide in, in this journey?
Well, your proper risk management could probably have an answer for that. Yeah. So I think AI can definitely help, but if you don't use it properly or like, you know, have a look at it and see what can go wrong, it can actually make things worse. So I think, you know, your risk management should actually say, hey, you know, maybe we start in these low risk areas to use some AI and then build from there. Yeah. But going all in for everything into AI and to say we have like a co-pilot that does everything. I would be rather uncomfortable right now. Right. But ask me again in five years. Yeah.
So yeah, we just said it like you said, with eBay then with people thinking passkeys, my face will be stored in the internet and everything. So the same goes for then the AI, especially in the dark market.
Yeah, very. The people are very security aware, very data aware while everybody's still having a Facebook account at Instagram, but when it comes then to business, all of a sudden they are very strict on the data and I think that's something where you first have to convince them that AI is a good thing and will help you and not will grab all the data and make you a slave at the end. Yeah. I come back to my previous statement because majority of people do not know what they are able to use and what technology does exist.
And if we would just install any kind of a corona like thing on all the laptops of our grandmothers or so, they don't know how to use it and if it doesn't pop up, they will never click on it and will never ask the question and they will never be aware that they could ask a question if they were in such a situation. Maybe one comment on the AI topic or gen AI from a fraudster's perspective. I think the phishing attacks and overall impersonation, deepfake type attacks will become a lot more powerful, a lot more personal.
Not only celebrities, it will be your mother, your sister, et cetera, calling you. It would feel very real. I personally think that is a danger in the short term. I think in the medium to long term, there will be the good AI fighting the bad AI. A bit like when the email technology came out, there was a lot of, I mean bad emails, a lot of phishing, and now email security is more or less solved and then it will become an awareness topic. Just like don't click on a link that you're not sure who sent it to you or call the person back who asked you to wire some money before doing so.
So in the short term, I think the danger is very real and the medium to long term, I think we'll have AI to fight the bad AI. Sorry, can I skip you a tangent because you mentioned phishing, has nothing to do with your question, but I just remembered an interesting anecdote. As we all know, I mean, passkeys have a benefit of being phishing resistant, contrary to many of the other two-factor authentications like SMS OTP, and SMS OTP is one of our, of eBay's most used two-factor authentications; people are familiar with it, they know it, so they use it.
And so I read a blog article about phishing resistance and phishing, how easy it is to set it up. And this blogger, he created a Docker image of a configured nginx forward proxy. They called it evil nginx.
And it basically, it connects, you configure it, it's super easy. It takes five minutes to set up. Every one of you could easily do it. It would forward, for example, to eBay's sign in page. So you see the eBay sign in page, you enter the credentials, it would forward it to our page, but it would of course catch the password and everything. And they even had set up like they used eBay as an example in this blog, which is why I thought it was interesting. And they faked the domain name.
They used ebay.com, but the a was like a Unicode character that was Cyrillic, it looked like an A so it looked like a proper ebay.com. They used Let's Encrypt for creating certificate. So it even had the lock in the browser. It was quite amazing how easy it is to set it up. Not that I advise you to replicate this on our page. Okay. Well I think it's just about the right time to finalize our panel discussion. It was really interesting and engaging. I appreciate all of your inputs and thoughts.
So can you maybe close up with just one short final takeaway from each of our participants? So I would say as a takeaway, let's educate, let's go out there. We are the experts in this area of multifactor authentication, authentication in general, privacy. Let's put more effort on educating everyone on how to use passkeys, what a passkey is and all the other methods. In terms of identity providers like Active Directory and Azure or sorry, Entra ID, Microsoft Entra ID, don't assume nothing will happen for sure.
Stuff, bad stuff will happen. Make sure to be prepared, think about scenarios, create the plans, execute those plans on a regular basis, for example, once a year to make sure that everything works when you actually need it. Being prepared is the way to also make sure things can or will work. I would say give your consumers choice to authenticate themselves in a way they want to, in a way that is strong and secure.
There's no one silver bullet that solves every challenge, but there are very good solutions, especially for certain use cases that can be used today that many users can use in a simple and convenient way. For me, convenience of use is crucial. If people have an easy to use solution that we as an expert are going to provide, which is then reliable and can be used in many different circumstances, we can get people to a more secured identity. I think we should not forget the people who have no idea about it.
And especially there is still a huge majority of people who are not working anymore, did not grow up with it and they don't know about all this. And we have all these fancy buzzwords and even IT people don't know what all these buzzwords mean. So we should not forget all the huge amount of people who have no clue about this. And I think this is in the end, the people, which I wanna say they are the risk, but they are the risky people get compromised or in the end working in a company and can be the phase of attack. Yeah.
So while we're then still out there educating people and hopefully coming up with fine solution, which may be AI thinks the human being, we should also then secure customers in the backend. So use behavioral analytics, check things that don't make sense and try to secure the customer from their own mistakes and try to catch this upfront and try to prevent further fraud when the customer is scammed because that will always happen and we don't find a solution anytime soon. So always also think about your backend, what makes sense, what doesn't make sense also in the company environment.
So if somebody is asking me again or your, your IP changed again from this country to this country was that you please also assume that teams was hacked because that's stupid as well. And there we go. So resilience, so resilient systems, they bounce back, right? If something bad is happening, and I think you should ask yourself for every workflow, for every point where things go wrong, how can I recover from that? If something happens to that. And that's everything in your private life.
You know, if your mother-in-law gets called by a fraudster or in your business life, like, you know, what if something goes wrong, how can I recover? At least to a certain extent you might not bounce back to a hundred, but to an acceptable level. So ask yourself that question. Thank you.
Okay, that was awesome. Thanks.