So good afternoon, early afternoon. No. Good morning, ladies and gentlemen, welcome to our track title authentication authorization. We have two sessions today, one big panel discussion, and then two, let's say normal presentations afterwards. My name is Alexei Balaganski and my colleague here is Matthias Reinwarth. We are both Analyst at, but of course, much more important are our distinguished gifts today. And we have a very Matthias
I'm just closing the door.
Okay.
So for our first panel discussion, we have four distinguish guests today, I guess no one in his room does not know who these people are, but let's just follow the protocol and say, we have next second Mo senior researcher at no research Institute, but also well known for his work for open ID Canara and other organizations. We have St. SVA, CEO and founder at Yubico. We have Anthony net, chief security ex architect at Microsoft, and of course, Ian Glazer, senior director of identity at Salesforce. So please welcome our guests to our improvised stage. This is going to be a panel discussion. So we are so,
So,
So before we begin, maybe we ask for again, totally unnecessary, but let's follow the protocol for a short introduction from each member of our panel. Just please tell us what you do and why you're here today.
All right. So I'm NAS senior researcher at normal research Institute. The chairman of the board of the open 90 foundation, one of the principal author of open 90 connect author of pixie and hold bunch of things. One of the founder of contrary initiative working the ISO for identity management privacy. So all sorts of I've been doing this thing, the standardization for over 15 years now. So looking forward to this panel.
Great,
Thank you. Hi, I'm St. CEO and founder of cubicle. Our company is a leading contributor to the fi U 12 specifications, open authentication standards.
Thanks.
You Glaser senior director of identity at
Salesforce. We have lots of users and wanna get rid of their passwords.
Tony, Tony Nalin Microsoft. So I work on standards at Microsoft and have done quite a few standards in the past.
Great. Thank you very much. Well, the topic for today, you can see it on the future. Authentication stopped tweeting the password. It's actually very interesting. I think just last week, I think I've seen a very interesting proative tweet saying like after 10 years of working in identity and talking about password being dead real soon, we finally had a password day, like last week, right? So passwords are probably here to stay or as they not, it's up to you to tell us your opinions. And then of course, to engage with our audience in a discussion. And the first one to present is net. Please welcome.
Okay. Given the
All thanks. So let's see. How does it work? This one? Yeah. Alright. So why S are unde or it's a little bit old for, but doesn't matter. Okay. We know shared passwords are screwed. We knew that for, I don't know how many years now, like 20 years and it's been declared dead for many times every year. It's been declared dead for the last 10 years or so, but share the passwords are still the fact standard for authentication. It's just like, you know, sorry, it's just like they're unde or something like that. We've killed them so many times, but it's still not dead. So, you know, when you think about reason, you might just go to the developers, right? Like him. And I've said, why do you use password system? Then he'll say, you know, it's cheap and easier, right. Then I'd ask. But us usability sucks on the cost of breaches. Then he would reply it going to be paid by them, not us. Right. That's negative. Externalities pass was a like air pollutions, right? And you know that these tools are all good, but factories didn't put filters till they were regulated. That means
Password is going to persist. There's a copy and pass here, I've passed twice. But like what password will pass persist unless some policy measures are put in place. So what kind of policy measures are there for this kind of externality in the market market failure problems? There are three typical types of controls, quantitative control tax and compulsive insurance. Each of them has its merit and de merits. Quantitative control is easy to implement apart from, we really don't know what quantity is actually right. Tax is somewhat better because it'll go through some kind of market mechanism, but still we don't know the tax what's the right tax rate is. And if we don't set the tax rate, correct, it will cause market distortion, complexly insurance is very similar to tax, but it's a little bit better in that sense that, that the rate is going to go through the market mechanism. So I think that, you know, we should be looking more at the insurance in these kind of things. And that's end of my presentation. That's, I'd like to throw, you know, these options as discussion items too,
Looking forward to the feedback of the other participants, because this is you're actually trying to make them leave them alone. So this work from say, if you just click once, then we see who we thought would be next intelligence test. Okay. Now, now it should. Okay. Should be sorry for that. It's okay.
Thank you.
I take a little bit different approach than that, right. Passwords are very expensive to use. And if I, if anybody's read the 2016 Verizon, you know, data breach investigation report, you'll see that, you know, 63% of the breaches happen because of passwords getting stolen. And so this, this winds up being a very expensive cost to both the, both the relying parties and the consumers themselves. So it's a cost of account that the cost of account average cost in, in 2014 was $154 per consumer, and about 30 to $60 per relying party, to be able to restore that particular stolen account from a password set. And today, you know, what we see is a life without passwords right today starts with platform support. So iOS has introduced touch ID, right? Windows 10 has introduced hello and Android has gone with a fi O U two F model.
And so what this gives us is a chance to actually separate, separate the authentication from the identity, right? Totally separate those things. Authentication is just a fact that it happens. You can attach identity at any given time. And today we have over a hundred million users using windows tens without passwords, without them even knowing about it. So this is something that, you know, can happen behind the scenes, without anybody being involved. No user, you know, has to go through a, a major reconfiguration of anything. You know, when they get windows 10, they have the option to go ahead and just use, you know, cryptographic keys instead of passwords. And so also this gives a chance for a big change in the industry, right? It gives us a chance to remove IDPs from the, from the ecosystem, right? Because now we have the keys getting generated on the client side and the keys wind up becoming the authentication mechanism for all the RPS. And so, you know, puts the user in control of Federation, who they want to federate with the relying part, relying parties can now set the policy of which clients or which users that it can accept into the system with the attestations that come from the various devices. You know, if it, if it's a Yubico key or if it's a TPM chip, it will understand where that authentication mechanism is actually coming from. And, you know, we'll have various trust frameworks in various governments to help mitigate some of this stuff.
Thanks, Tina.
So now the click thing
I have to say, click
Is that no, no, you have to say, yeah, actually you do have just have to find out full screen mode. This one.
Okay. Since I started my journey as a hardware authentication innovator, some people have said that software is the future and my bank believed that too. They gave me a software authentication app. I, I happen to know a hacker who told me that it would take him about a day to write the code that would hack into my bank account and steal my money to inform the bank about this risk. I called him up and I got a very clear response on the other side of the line, please tell your friend to not do that.
So there's been a lot of buzz around biometrics the last few years. And I was very curious to try it out on my new nexus five, but when I was gonna set it up a little text message popped up saying, using a fingerprint to unlock your device may be less secure than a strong password pin or pattern. So we can't rely on static data. If you get a job at one of the big internet companies in Silicon valley, you are likely to get a computer, a laptop. And inside the USB port, you get a small authentication key, but you may not know that it's there. And I learned that from a guy that I met at the local train on my way to San Francisco, I noticed the small golden edge on the side of his computer. When I thanked him for being a customer, he looked very surprised and said, oh, I didn't know. I thought that was the new apple touch feature. Yes. I mean, being mistaken for an apple product is probably the highest achievement, a strong two factor authentication token can ever get.
So what is the challenge? The challenge is how do I get these keys to work everywhere on every service on every application, just seamlessly with a simple touch, no more hassle with great security and great privacy. And I mean, I know a guy in New York and he told me that he can identify the bankers working at wall street by the size of their pockets because they have this huge key chains with tokens and that cannot be the future. So what is the future? Just like our friend Tony told us it's standards, open standards built, built in directly into platforms and browsers three really important building blocks of those standards are five 12 work that is now being done in w three C and openly connect, combining something, you know, or R like a pin or a password or biometrics or location or something that is not very secure, but additional factor to hardware authentication that is natively supported in computing devices that you buy in phones, in computers, but also into small keys, like the YubiKey. And I'm very optimistic about the future. Thank you.
I got one of these I
All right. I have no idea. What's this. Oh, right.
Okay. So speaking from an enterprise of 17, some odd thousand people with a whole bunch of stuff, rolling out authentication services internally becomes a really interesting experiment for a lot of different things. And so one of the things we observe is both internally and, and out killing the password. Isn't a technical problem anymore in that we have all of the plumbing pieces that I think we need as an industry to achieve this right, that we have not only a variety of different, whether it's hardware factors or even if it's software, we have all of the, the technical integration capabilities that any in enterprise could go on and start to kill their passwords. The problem is at least from a technical perspective, the problem is this is a cultural problem. Passwords are a cultural and problem of habit, cuz we've had umpteen decades of two boxes.
Username goes here, password goes here and we've been habituated to doing this. And we have trained our users to do this. So when Google, for example, changes their login screen for Google apps. So that just as username, you would have thought the sky was falling. People freaked out because they were expecting to see username password. And all I got was username. So you talk to the folks at Google and they'll tell you their support lines lit up. Like you're broken. There's what happened to the other field. And the change even though is actually a much more secure change. What happened culturally broke things broke people's habits. So when we talk about how we move onto something else to me, it's not so much about the technology involved. It's actually about the cultural shift that occurs.
There's another little problem here. This one may actually be technical, which is, we know you want to have at least two factors or at least we sort of think that's the right thing. There's, there's two things that have to be presented, but not every factor is equal. The problem is we also don't know how they're not equal. We don't really have good science on. If I add this kind of modality for authentication to what I already have, how much more secure am I? The whole conversation gets really weird cuz we don't actually have much science around it. So you start getting into these scenarios where, well, yes, we collected a biometric, but the biometric unlocked a short entropy, a small entropy pin and that key material didn't necessarily. And all of a sudden you're in this really tough conversation about how much am I loading up on the user because we think it's more secure and yet we don't have any data to prove that we're doing. So there's this interesting problem about factors and how we select them both from a usability perspective, security perspective and changing people's habits. Let's start the conversation.
Okay. Great. Well, thanks for your introductions. I guess I'll ask the first question. Cause I have the microphone, as Ian just mentioned, passwords are definitely not a technical problem. Cause really for years have all the components for a solution. How do I have software standards? And even worse people actually hate passwords. I mean, if it's habit, it's very unhealthy habit like smoking. So how do we actually fight this habit? Do we have to introduce like anti password laws? Do we have to run some public awareness campaigns? Or
Let me get, since I got the Michael go first, but you, you mentioned smoke it like there's the answer, right? If you want get people off of passwords, charge them for using passwords, it goes to Matt's point about externalities. We charge people to use passwords. Like we charge people to use longer extended support on windows XP, let's say right, you want to do a behavior that is extraordinary. We use economic factors to move off of it. And we use the money from that to mitigate the risk to both ourselves as a service provider and our neighbors.
So you'll notice that this is the first time that, you know, the w three C has actually taken on a new web authentication besides basic authentication. So this is a big movement for w three C to endorse, you know, not moving to password. So we burned into all the, all the browsers and all the platforms. And this is, you know, the start of how this is going to happen. You know, it may not necessarily be a full tax on people, but you know, when somebody see when somebody logs onto windows, you know, they can use a pin, you know, and that's going back to your, your usability factor. They're still entering something. But that pin only is a gesture to unlock the TPM chip, which then generates the keys and, and authenticates you. So no passwords are actually flowing anywhere. And so you don't get into the account theft issue of breaking, hacking into a server and stealing the passwords
Outs. Is there a generic distinction between using an passwords, username and passwords in an enterprise environment and as a user on the internet, as a public user, as a consumer, as a customer, do you see a dividing line or should enterprises actually really be fined with taxes with insurances, which is much more difficult for us as the end user of users of services of subscribers to Netflix? I don't know.
I mean, you don't want, or at least I don't think you would want, you know, two different ways to do things. You finally, you know, just like when you use a credit card, you don't wanna have something different for your corporate credit credit card versus your personal credit card. Right. So, you know, I think this all applies to, you know, both consumer and enterprise users solution for both. Yeah. They're, they're looking for strong authentication. They have hackers at their doors all the time too, so it's no different.
So I think that now when the building blocks are starting to be in place, the first thing will happen is that a lot of the big online services will start marketing security. As you know, we have good security come to us. It's gonna be a market feature, just like Volvo, who invented that seatbelt. You know, they got brand recognition and we got good security and they drove the open standard. And you know, when you think about Volvo, you think about security, the next thing will happen. Just like the seatbelt. There will be regulations and laws putting on, but that's gonna come later. So I think, you know, it will take some years before it comes, but it's not gonna be too long because the problem is so big. So I think that every started saying it's been broken now for 20 years and we've been talking about it, but I can see that things are gonna happen really quick this year and the coming couple of years.
Yeah. So the, I think the industry leaders like Volvo in your example will lead. I mean the windows, hello thing is the first authentication system that my wife actually can use. Right. Just going in front of it. And it works, right. She had even problems with the four digit pins because she's using, she's having different pins everywhere. And she doesn't remember which one. Right? So I'm full confidence. I've got full confidence. That industry leaders are going to be shifting to that. The problem is that people who's gonna be decide on the applications who's gonna be lagging behind. And many of them don't have too much incentives to secure other things. So, you know, some kind of regulatory or, you know, majors non-technical majors, which could push them towards having some, something like that. You know, just like in the car you had the regulation to put the seat both right. Would actually help us a lot.
Correct. I, I got the point that, that you mentioned that that security is marketed as a pro for a company for, to really say, this is a good thing. This, you, we are securing your data. And this is something that really speaks to me as a user, as a consumer. But I don't think that I see enough companies actually doing this. I see it with my phone, which is much more secure than most of the enterprise accounts that I use. So this is, what's the question behind the, of the, the reason for the question, is there a dividing line between business and, and outside? Because I assume that some systems in the internet are much more secure than, than we are used to it from our, our corporate environments. And are there other incentives apart from making them do it?
I mean, there's a simple risk mitigation calculation, right? Holding a bag of passwords is holding a bag of toxic waste. Now there's some of us who have to do that, right? But we invest enormous resource in doing it as safely as possible, but you don't all, not every service provider is going to make that investment or is capable of making the investment. And so then they're left with risk. So they're investors, they're board they're executives. You should be thinking about this as a risk calculation. I'm saying if we get away from passwords now that there are great alternatives that are both usable and more secure, if we can actually get away from passwords, we actually reduce overall risk to us as a provider. And that's a very straightforward calculation. However, it takes, it takes courage to break the, the culture that we've already established, breaking a norm. So that's why Google was frankly, quite courageous to change the way their login screen works. Cuz we're breaking a norm, but they knew, wow, we're reducing our risk. Any company can be in this position. You've just got to, you've gotta commit to look. I'm gonna reduce this risk by changing and breaking a norm.
But you know, just getting rid of passwords is a very difficult problem, right? Because you have protocols such as pop S NTP that require passwords, those protocols have to get changed. You also have the issue of bear tokens right? Today you can have a very strong authentication that happens that cookie gets dropped on that server and good say goodbye, no matter what authentication you've done, that Cookie's gone at this point, somebody's stole, somebody's hijacked it and gone. So it is a multi-tiered problem that we have to solve. It's not just moving to our cryptographic operation for authentication. We have to look at the different pieces involved in, in this that we've done, you know, not much good.
Yeah. You know, and just as I was imagining a great solution, like you have a third field into your login form, username, password, credit card number. But unfortunately the problem seems to be a little bit more complicated. So yeah.
I just wanna add a comment on sort of the investment cuz we talk about is this a big investment? If you're not one of the major cloud companies who can make your own investment, I, I see the future will be just like we do today with Facebook connect, you know, those who doesn't, you know, wanna store passwords, they can offload it to someone else. And I think that's a model that will happen. The big identity providers who have built in good strong security will be identity providers for those who can take the investment. Also the community that are building these standards, we are trying to make them as affordable and simple as possible. So there's already open source servers out there that you can implement to implement F it takes less than a day from one intern. We heard that from one company who made support for it. And, and then it rest is free. I mean, it's not like you have to go to an IBM and get, you know, a hundred thousand dollars investment to make it done. And, and I think those are the core pieces, you know, make it open and simple for anyone to implement.
But it's, if it's easy to implement, if it's just a bad habit habit for, from, from users, shouldn't we just educate, make people understand what security means, what a password is that it is bad that they should not use it, that they should select the right services. Yes,
Yes. We definitely need to educate users. Is this enough? Just like you go to India, you don't, you know, eat the salad and drink the water cuz you know, you may get a deceased, you know, that's the kind of, you know, education you need to
Learn.
Okay.
You know, going on the internet without security, you know, cautions and learning about the options is, is I think there needs to be a lot investments in, in education the coming years. Right.
Okay.
Thank you. It's more, it's like public hygiene education thing, but I'll have to point out that one thing which the most difficult is to change the people.
That was my question. Educate is educated enough. Education is if I, if I tell my daughters two daughters, 16, 20, if I tell them don't use this service because it's just use name password, and it's going through your iPhone and you don't know if it's encrypted, even they don't care. And they're my daughters,
Right? Yeah.
Right. And also the, about the risk calculations. So in one startups, you know, I happen to talk to a bunch of startups. As I was sitting, one of the committees for ministry colon back in Japan, one, you are talking with those startups, then we don't care the security property or privacy property at all. Right. You know, I tell them that the risk of breach is going to be huge that you might disappear if you don't do it right. But then they said, well, you know, we need a speed. We need speed. Unless we do it like this with a speed, we'll be disappearing before we finished implementing things. Also, you know, if something like the, the higher security staff requires consumers to ch their customers to change their habit, they are really afraid of it. It's gonna be huge risk for them,
But still, you know, the scare tactics do not work. We know that from an anti-smoking campaign, you know, even if you put a huge picture of cancerous lungs on the cigarette box, it
Just doesn't work. It
Doesn't help. And
How do you depict fraud? Right. So we went through this user experience. We went through what we, what we call UBI, which is out outta the box experience with windows 10, right? To get people by default to use the cryptographic operations for generating the authentication mechanisms. And, you know, we, so we had to think about how to present that to the user so that they would select that option. Cuz passwords are still an option on, on windows 10. And, and so, you know, we've gone through some of that and take some of the results back, you know, it is possible. And you know, so a hundred million users have now switched over without any issue. So that's, you know, a start on getting people to move away from passwords without even knowing it.
Speaker 10 00:30:34 Do you publish a result?
Speaker 11 00:30:36 No. Yes. You should
Get us a long way.
Yeah. Well, and, and that's the thing. If presenting someone a choice to change their behavior versus having no choice in the sense of, it's not a conscious thing I have to do, it just is so much easier to go this other route. Just so that's why, you know, touch on a phone is a great example of this thing. Like I don't necessarily think about anything other than the expedience at which I can get to the thing I want to get to. So as opposed to talking about it as user, if you don't choose this or horrible things will happen to you versus it's just an experience, it's part of my experience to use the thing I want to use. And it's very natural. That's how you make that change. So for a startup, you can start doing the right thing, right? You can drop you to Ethan in a day and go do that. But if you have a non-green field environment where you have 10 gazillion users where it's like, okay, and now tomorrow we're gonna change the login screen. Like cities will burn, right. People freak out. So it's how do you make that experiential aspect of it? So simple that it isn't a choice per se,
George, what
Really two questions. One of 'em have we solved the delegation problem across all software? Because half the time you have people sharing passwords is because they want their admin to be able to get into their email and their calendar and the whatever else. Right. So it seems like we have, from a cultural perspective, to your point, Ian, that's something that I would like to hear some thoughts about in regards to people sharing IDPs, like not doing identity themselves, from my experience, we solved a federated authentication. We haven't solved federated, federated, life, life, cycle management. Right? So there's a whole bunch of other problems. So either of those are interested in your thoughts,
So on the, on the delegation issue, right? So what we're, what we're attempting to do here is to separate out, you know, authentication from, from identity itself. Right? And so the authentication is just a fact that happens and you verify that it, that happens. It's up to the relying party to associate whatever attributes at once, without including any authorization attributes for back end delegation in, you know, using some of the ol stuff, that's that we're all working on as far as, you know, work for whatever we wanna call it. And so I do believe that that's, you know, a progression that we're gonna see, you know, coming down the line, Tony,
Speaker 10 00:33:22 You might want to define what is identity
Cause identity is whatever the relying party, whatever the relying party wants to do. Right. So it's gonna vary. And that's why we wanted to separate out the authentication piece
Speaker 10 00:33:35 Attributes sets of
Claims, right? Yes. Set of claim set of attributes. And we also wanted to make sure that we carried along the metadata from the authentication. So the relying party has enough information that it came from this U B key with this firmware rev. And you know, it was a push button, U B key, not a normal UBI, you know, not a finger swipe, UV key and stuff like this. So RPS will have a much richer way to do yes.
Well, we have to solve the delegation problem. We have to solve the delegation problem for UHT, right? So you think it's bad with like your secretary wants access to your calendar? Well, when it's a variety of other non sentient beings that want access to different resources, we have to solve that, that, that delegation problem. But to your point around Federation, federated provisioning, we tried, we tried to do this once Tony and it didn't, it didn't work out so well, no, your point is very valid, which is there's a cadence that each provider has for the life cycle of its individuals or its things. There's the plumbing problem, which I think we can get to solving. And I think ski V two actually is a pretty good way to do that. The problem is there's that cadence difference so that you have a business process, impedance mismatch essentially. And that's where things get messy. And I think actually we probably won't use skim for that. We're gonna use just in time provisioning and then have short lived delegated authorization so that we don't have to deprovision essentially, we just let the token age out. Just a guess.
Speaker 11 00:35:22 You're loud. Come on. Just sorry. I dunno. Being
It is okay. So then I should use the mic. I guess I, I also think about use cases like, you know, something happens to my federated IDP that I'm using and how do users get into my service or how do you know, how do we train users to, you know, create three identity providers that they all link to a single account at the RP. There's a whole bunch of those kinds of use cases that from an industry we have not addressed from a best practice perspective, which makes it very difficult for a relying party, a startup to say, I'm not gonna do identity at all, and I'm gonna outsource it.
Do you want to respond to that?
It's also like the practices of what do you mean that my fail safe phone number is not supposed to be the phone number that I use for my SMS authentication. Like, you know, it's all of those overloading issues as well. We have to address,
Speaker 13 00:36:19 I want to change the aspects NASA direction because when you speak to any it responsibility in a company, everybody knows that to factor our certification would be the best to have something and to know something, but why there are not changing such problem is the rollout of sketches you need for alternation because for a smaller company, like hundred people, it's no problem. But you personally personalize these GATS for 200,000 people is really a problem. And you also had bright processes, but you do. And people had forgotten the, sketch it for certification and must have something guys, as you had some sent back home, when you had for company sketches, it's impossible normally. So for me, it's the cost costs for rollout and, and not think that it can change it so easily. And I think it's also necessary for do set for all people. It's a company when a worker, for example, the BMW applied for a holiday, I think he needs no get no, no two factor certification. So that passport is still okay for me. Do you have any experience with this or any proposal? There's a problem.
Yeah. I mean, there's lots of ed, there's lots of edge cases in error cases, right. That we had to look at when we're trying to roll out this in windows 10, that, you know, people forget their devices, they lose their devices, you know, how do you bootstrap a new device and how do you authorize a new device? You know, since I'm switch, I may want to use a personal phone versus a, a work phone. And I want to be able to authorize, you know, I want to be able to generate the keys on either of these devices to be able to use for authentication purposes. And, you know, I'm sure we haven't covered all the cases, but you know, we went through quite a few of these error cases trying to make sure that recovery is no harder than I hate to say this, but you know, no harder than password recovery, right. Costs a lot less, but it's not gonna be, you know, we're not gonna put people through a much tougher process than, than forgetting your password. And so this it's gonna be a learning curve on how to take care of the error cases. And, you know, we're just getting a start of it. And I believe that, you know, most of the people on the panel have said, you know, it's gonna take a a little while, but it's definitely, you know, on the way. And you know, maybe we'll take a checkpoint next year. This time to,
We will be killing the passport next year. Yeah,
Sure. In the next year and the next year.
Sure. In terms of rollout, we, a couple years ago, we rolled out second factor to the entire company in three days, 17,000 people, three days, we 17,000. We over-communicated like you. We had practically daily warnings coming to people like this is coming. Here's the education. So for us, the effort was about 60 days of communication from it, from management to everyone saying, this is what's coming. This is the experience. This is what you're going to do. And then a lot of pizza and well-staffed help desks. And in three days effectively, we had somewhere on the order of 90% registration and use, there were some people that were on long term leave vacation. We didn't get in. But for the most part, I think the number is less than 500 people out of 17,000. We got on second factor in about a week's effort, so it can be done. But the hard part is not getting the token, seating them and distributing them. It is making sure that the culture is ready for the change and that you overcommunicate that as a rollout and would say would be well, actually, when we deploy UBI key, right? We have a lot of comms around, this is your ALO hockey, and this is what you use it for. And everyone gets them when they, when they come to the company. But it's about the communication of the cultural change more than so you, this is the technical aspect of it.
Somebody else was a question in the audience.
Speaker 14 00:40:30 I'm accepting that, that desktop based browser environment, it's pretty easy to roll out a second factor or multifactor, whatever. But in my company, for example, I'm addressed by users telling me, okay, I would like to have a specific wifi password on my, on my mobile device. I don't trust it to store the company password, but I have to store one because logging into wifi, using multifactor authentication on a mobile device, which is expected to lock in without user interactions. So exchange can perform active sync, update medical lender, remind me of upcoming events. Oh. And accessing exchange using multifactor from mobile device. Whoa it's didn't you say technical issues and plumbing are done. Doesn't feel to me like that. So do we wait for legacy systems like active soon to disappear or
Whatever? And so, yeah, so the technical issues are not all solved. There's some basic ones solved, but as I said, you still have, you know, all the various protocols that depend on passwords, SMTP, pop, you know, wifi radius radius. Yes. So you, we still have those issues to solve. So we do have some basic technology that most of the industry leaders have agreed upon. As far as the Crip, cryptography is concerned and how that payload looks, it's going to be now getting in, into, you know, working on the other protocols to get them, to be able to use this cryptographic protocol. And it's gonna take, as I said, it's gonna take a while to get everything, but you know, if we can get at least, you know, all the users that use their primary website to get off using passwords, I think we've made a, you know, a, a large accomplishment. And what we'll have is these edge cases left to, to wind up, to be solved. This
Isn't binary, right. Actually the realization, it, it really isn't about killing a password. It's we jokingly talk about it as just not really bury him very far down the ground. What we wanna do is diminish the frequency of use of passwords as a first step, we would like to diminish the importance of the password as a first step, but going from zero to yep. No one uses that and everything is second factor and there's no password anymore is, is completely unrealistic. But we can, in our own ways, in our own enterprises diminish the frequency, if nothing else start there. And that leads to more things that you can start to do, but we set unreasonable goals. I think otherwise
I actually think that a simple pin is a very good second factor to something more secure. I don't see the necessary of necessity of killing it, but it is that simple, extra factor. And it's not gonna be stored in big databases that can be hacked. It's gonna be taken care. It's local.
Yeah. It's just like data minimization possible minimization. Right. That's what we at.
Right. There's another question in the audience.
Speaker 14 00:43:46 Yes. I think Anthony said something very interesting. He said it's a multi-tier problem. Let's assume that everybody is using UBI key for authentication and that's very secure. But at the end of the day, or, or we have a, a cookie session cookie, we have an access token and we have iOS. We have browser, which try to protect this credentials. And the question is, how much should we invest on the authentication to keep the same level as actually the current operating systems? The current browser settings are capable to protect the credentials.
Yeah. So, you know, when we've been working on this issue for a while and we realized this, you know, you can increase authentication to, you know, very high levels, but the cookie or whatever you have gets dropped. And so we've looked at this and as part of, you know, our effort and the standards bodies, you know, we're pushing for token binding in I ETF. And so this is going to bind all the cookies or any cookie that you want or token or whatever blob that you have, it's gonna bind it to the HTTP session, HTPs session. And so, you know, you get that bang for the buck there. Somebody try, if somebody picks up that cookie and tries to use it on a different session, it's not gonna be able to the keys. Aren't correct. And so we're trying to make this seamless, right. To get Android windows iOS to pick this up so that you don't even notice that it's happening behind the scenes. It's all in the SSL stack. You don't do anything for this extra binding to happen
Speaker 15 00:45:39 Network,
Too. Yes.
Yeah. Cookie, another bearer tokens are another password, right? Yeah. We are trying to kill it.
Right. So, okay. To wrap it, at least this, this part of the discussion up is we are trying to kill the password by starving it, by making it less important by making it it's use less frequent. And you mentioned in, in the beginning, and I love the statement to, to, to apply regulatory measures towards, towards the use of passwords. And I'm still trying to find out what is a good way to actually achieve this because we all said, it's a better habit. It's, it's, it's, it's still there. It's cheap. It's others, others are relying for the, for the breach costs. And really what, what can, can we actually take away for all of us here for, to, to understand what we can do to make this more secure, to avoid the password as far as possible.
So from the regulatory point of view, think of password as personal data, right? Breach of it will have consequences for GDPR, right. And you probably want to get to buy insurance policy for something like that. But the price of the insurance is going to depend on what you implement. Okay. Right. So that's one way of doing this.
I can see service providers actually giving their users an incentive by saying, this is the cost of our service. If you have good security, if you choose the good security option that we have, we will charge less.
Okay.
We charge less. And I think that's gonna very good, you know, because money talks, if I go in and if I'm using Salesforce, instead of having to pay, you know, just an example, you know, a lot of money and then a little less money, you know, then, you know, I I'll probably take that option and I'll tell my, my team, my company say, you know, we, everyone, we need to save money. We're gonna go for that option. That's and everyone is a winner in that.
Yeah. But that's actually a change in paradigm currently when, when I want to be more secure, I have to go to Amazon, spend five bucks and, and have a UBI key $5 or more.
Yeah. But that's a little money compared to the, over the number of times prostate Institute.
That's true. Absolutely. But, but to convince, yeah, it's easy. We are special kind of people in this
Room be free software eventually. And it will be things in built in computers. You know, you go, go and buy, you know, chips directly integrated in your phone, your next phone or computer. So it's not only everyone is not gonna come to me and buy my product, even if that would be cool, you know? Okay.
So, you know, it's gonna come down to the, you know, how this gets used. You gotta make it dirt simple for people to use this. You know, I've seen some numbers on, you know, iPhones and how many people are using touch ID and things like that. And it's remarkably high compared to using the pin or anything else that you have on your iPhone, because it's built in, it's simple. They swipe their finger. It's gonna be the same way with, you know, devices. Some devices will have built in chips, TPM chips. So you're not gonna go out and buy one. But if you want to have it mobile you'll, depending on your use case, you're gonna get a, you know, you're gonna get an external authenticator and be able to move that around. So, you know, as everybody here said, it's gonna be the, the usability of these new log on screens or these new ways to authenticate.
That's good.
I just wanna emphasize it's all about usability. And I think that this, you know, the effort that we doing will eventually get into payments too. So you don't have to retype stupid, you know, passwords, I mean, credit card numbers, you know, the same, you know, cryptographic protocols could be used for payment in the browser. It could be used for OT. It could be used for a lot of things that will just seamlessly be there. It's a bright new future.
Okay. The audience from, from, from your point of view, do you think that, or who is of the opinion that the, the making the user experience better is a good way to start? Or what would be a good start from your point of view? First of all, who thinks user experience and improving it is, is, is, is a good option to, to improve security. I will ask afterwards how to do that. Okay. And, and actually, are there, are there suggestions, what, what, what you are seeing in your practice? I know there are people, people from very large corporations in that room, and there are people from smaller corporations in the room. What do you do to improve on the one hand security? And on the other hand user experience for your customer or for your employees, customers to make things better. Is there somebody who dares to answer, oh, sorry, I come back to you. Sorry for that. I come
Speaker 17 00:50:55 Back. I, I missed some part of this session. So maybe this is discussed before. So forgive if I repeat that again here. So we have our environment. What I think is user is we are calling a staff only, or external collaborators also, because this experience we are talking about here is for staff internal users. But are we considering other collaborators who are exchanging information with us, our systems they log into as extranet intranet part? Are we considering that? Because that won't help much if we go with this type of
Absolutely. Because those collaborators tend to have some of the most sensitive access in the enterprise. So if you are not issuing second and third and possibly just hard dedicated hardware to those people, that's an unnecessary risk.
So part of this is making sure that, you know, if you've gotta manage device that you're getting the attestations from the devices back so that you can make that decision, that you know, what type of device it is, and if you issued it or what the firmware level is, etcetera, you can have now have rich, rich authentication policy on your, on your relying party, which you couldn't do before
The comments. Okay, go ahead.
Speaker 18 00:52:16 I had a very general question or comment. One of the issues about killing passwords or not killing passwords is that passwords can be reset. You can't reset a fingerprint information of biometrics. If it's the information is stolen from my device, right?
So what's issue
Speaker 18 00:52:37 For that.
So the approach that that we've taken is that we have things that we call gestures. Gestures could be a pin. Gestures, could be your fingerprint, cetera. They are just there to unlock the actual cryptographic operation. So they unlock the TPM chip. The TPM chip is the actually generates the cryptographic keys and stores. The cryptographic keys, since, you know, TPMS are supposed to be tamper proof, they go through their own certification process. Cetera. So yes, you're, you know, if you can have multiple gestures on a windows device, you can set it to a pin, you can set it to a fingerprint. So if you forget your pin, you can swipe your finger. If you forget your finger in the morning, you can use your pin, et cetera. So I don't see any. Yeah. And so, you know, there's gonna be no difference from, from passwords.
Yeah.
But what if someone has stolen your finger in the morning?
You know,
You're watching the wrong films.
You can, you can remove test
For liveness,
Right? So you can remove, you know, you can, you can test for liveness. I think, you know, what we have is we just demonstrated was we have Microsoft produces a, a called a device called a band, and it's their, you know, it's like a Fitbit, but better. And we demonstrated that if, and we did the authentication to windows, hello. And if you have a band and you have it on your wrist, we can test for liveness. And you know, if you, if you take the band off and set it right next to the computer, it's not gonna, it's not gonna log you on, you have to have it on a wearable thing, you know, and this will increase as technology increases that you'll be able to do all sorts of things.
It's
Really working.
I mean, we demonstrated, I can't, it's not, no, my manager's here so he can,
Okay. So one more question then I will wrap it up.
So Tony, guess it seems to me, the point you made earlier about separating authentication from identity would answer the question that we had before, which is I can revoke that set of keys against that particular identity and, you know, force the user through a new process. So I think there is a revocation mechanism, even in what you've done.
Okay, great. So before we convene next year and still kill the password, maybe to, to wrap this session up, what would all of the four of you recommend actually actionable real results that people could take away to make sure that there are less passwords available. Next time we meet, what would be your suggestions for once to start,
Move to windows 10 and use and use hello? And our phones actually have infrared cameras on 'em also. So, you know, you get the whole package here.
Okay. Thank you
Federate with all of your service providers start there, right? Let's get SSO involved and start federating with your service providers, then roll out two factor mobile out of band to everyone in your enterprise. That's the next step?
Make support for PHF
More or less the same with the, yeah. You know, Federation is now cheap. Just do it now. Great. It's a first step.
Thank you very much. Thank you for your contributions. Thank you.
