Welcome, I'm Martin Kuppinger, I'm founder and principal analyst at KuppingerCole, and I'm sitting here during the lunch break of our European Identity Conference, day number three, together with Felix from Hanko. Welcome, Felix.
Thank you, Martin. Happy to be here.
Yeah. A pleasure, and I think it's also great to be back on a hybrid event, meeting with people face to face, talking with people face to face. Felix, tell me a little bit about Hanko. What is Hanko doing? I think many might not have heard the name of your company before. So what is your business? What are you doing?
Yeah, sure. Let me start with a quick story behind the name, why we call ourselves Hanko. "Hanko" is in Japan and Korea, it's a stamp and you sign documents with it instead of the manual signature. And the domain was available three years ago when I started the company. So we called it a Hanko because we do digital signatures to replace passwords.
OK.
Well, that's the idea behind our company.
And how do you do that? So, replacing passwords, first, is a good idea. So when we look at what the US CISA announced just a few days ago, the other week, they said: single-factor authentication - and a lot of what we do with passwords is that - it's formally declared being a bad practice. So that part is very clear beyond passwords. But what do you mean by using signatures?
Yeah. So as you said, the password is inherently bad today to use as a factor. Everyone does it still, it is a common practice. Today, there are standards available on the internet to replace the password by digital signatures and combine the signature, this proof-of-possession factor, combine it with that biometric factor or the form of local authentication for your device. And these standards are called FIDO and WebAuthn. And this is what we specialize in.
Yeah. And when you just say when you have this, this stamp analogy. So is it that you're more on the "I sign a document like I do with a handwritten signature"? Or is it more the authentication side, or both?
No, no. We get that a lot. But in the end it is. It is just for authentication, so re-authenticating users. The signature part, we have to go into the technical details to make that clear. But in the end, with FIDO, with WebAuthn, you have a private key on your device and you use that for digital signatures that prove the possession of this key without the key needing to leave your device. So this is the signature in the end, and that's.
So in the end it's passwordless authentication, which is based on having two types of factors, one is the device and one is your biometric.
Exactly.
Both strong factors.
Yeah.
And I think that that is something which might deserve a little bit more explanation because in a separate talk, I heard about passwordless authentication, I think it's still not 100% clear what is happening, and I think this is what you say with the signature. It's not a password traveling or something like that. It is just cryptographic information wrestling.
And the beauty of it is it happens completely behind the scenes. So the user is not aware of anything happening of this rather complex stuff behind the scenes. The user only sees Touch ID, Face ID, Windows Hello or Android biometrics, whatever is available on the platform. And that's it. So it's as simple as it can get and as strong as it can get today as well. So that's really the beauty.
And what are the business use cases you come in? What are the scenarios you come in, where you serve your customers?
Great question. So, um, we see a lot of potential. Obviously, it is. In the end, we see it on every login. So not only on the 5% of logins that are two-factor secured today, but also on the other 95% of all logins. This is what we aim for and that is the market we build our product for. But today, of course, you have to cater to the market that is available today and we speak with banks. We do POCs with banks. We did a POC with SAP. So securing the central identity stack of SAP and we also see very, very good use cases in e-commerce, for example.
That's what I would dare to say. You know, when I look at what happens today, when I'm doing some purchasing in the internet and over the past couple of months, I really evolved, so for a certain period I had a 100% sort of online supply chain for everything, food, etcetera, etcetera, etcetera. So I really found upon the, whatever online supermarkets etc, that it got everything here and it always was: Username, Password. Oh, back to that practice. And I think that that is really one of the big areas, so, how easy is it or how complex is it for, let's say, an online retailer, maybe not a super big one or even, to make this big step away from the bad to the good practice?
Yeah. So this is basically a product. Enabling, for example, an e-commerce merchant to plug in this technology into their e-commerce system, whatever they use. Because we cater mostly to developers, we have an API for that and SDKs for all major platforms, some plug-ins. So we make it as easy as it can be for someone to implement that. And as you said, e-commerce had a huge uptake over the last twelve months. At the same time, the latest stage of the PSD2 regulation kicked in and made, especially for credit card payments, made the strong customer authentication a requirement for payments. There are some exceptions, but in the end it's not only the password that is involved. This is also the second step that typically redirects the user to the bank, so the issuing bank of the credit card. And this is a huge downer. This is a 10 to 20% of all purchases are dropped at that moment. And with all the technology you can enable, basically Touch ID login for the e-commerce merchant and also the Touch ID checkout, and that's it. So the merchant can control the flow from start to end without having to redirect anywhere. And this is something we get very good feedback from merchants.
So it's about solving the payment challenges, having a more convenient way for the user to log in by just using what he has on the device, and increasing the level of security, and I think this is a big thing in passwordless authentication if done right. It's about improving both security and convenience. So definitely very interesting. Thank you, Felix, for taking the time. It was Felix from Hanko here at European Identity Conference 2021. Thank you for listening in.
Thank you very much.