Event Recording

Panel | The Future of Authentication


Log in and watch the full video!

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Okay, I'll start. Thanks, John.
You know, there are many different kinds of use cases on both sides, but what I think is interesting to note in the last few years is what I would call, and you'll probably, if you come to one of my talks later, you might hear this again, the consumerization of IT. Everybody in the room's a consumer, we all know what consumer related technology is like. When we go to work, when you have to log in for work, we know that there are better ways or more, you know, friendly user experience ways of doing it than maybe we have done for the last 15 or 20 years. So I think that is a real driver. I think we see maybe more innovation on the consumer side for authentication these days. And that's finding its way into enterprise and workforce use cases.
And I largely agree. The consumerization of IT started before COVID, but without going into platitudes, COVID just made a number of things really urgent. And in the past consumerization occurred because consumers have less tolerance for complexity. And so these in the workforce translated into productivity gains. But now at this point, instead, what we have seen recently is that consumers normally live in an unmanaged environment. And so the access control needs to adapt to the fact that you don't have the luxury to manage the device of a user, and we've covered. And with all the remote access that suddenly was shoved on the desk of the IT people, now the consumerization took this other flavor in which we had to truly walk the walk, instead of just saying identity is the new perimeter, make it the new perimeter. And so I'd say that it's very hard to distinguish the two because they are converging both in internal infrastructure and in Tamo requirements. This was way more serious than a non Maria. I usually do jokes, but this one was serious.
Anyone else on the panel?
I, I would take a different approach. I think that we've seen in the press the last week only that probably the big, big companies, Microsoft, Google, Apple, will do a lot for us on the consumer side, we really hopefully. They have to motivate still the owners of the portals, of the websites we need to authenticate to, but I think on their devices, they will do a good job for every consumer to do authentication without passwords in the future. We believe that the workforce really needs more. Innovation is more the driver nowadays because they are really suffering a lot from phishing attacks. When we start from phishing attacks, credentials are being stolen. They are being used in ransomware attacks. If they suffer from ransomware attacks, they make it into the press. And when the companies are pressed, this drives innovation. So we literally believe that the workforce is the area that requires really some more activity on that.
I have one. So yeah, this is one of the panels where probably everybody agrees. Yeah. But I think what we see, it's not so much of a difference if you just look at the authentication methods themselves, it's almost the same. Yeah. Because we are all consumers as well, as well as employees. So it's natural that, you know, we use the same methods, whereas the difference between the consumers and the enterprises, what Tony hinted at already, is the management of this, because in many cases at the enterprise, you need much more rich controls around enrollment, exceptional access, as somebody loses their authenticator and so on, which you may not have as much in the consumer world.
Okay. So we've been talking about authenticators. I'd like to know, do you foresee any radically new authenticator on the horizon or, or, yeah. Okay. Victoria.
I, I did want it after all. Yeah. So just last week, the FIDO Alliance announced that they adopted this idea of a multi-device credential, which basically takes the classic platform authenticator, which normally was tied to one particular device, and makes it possible for that authenticator to run so that users of the particular ecosystem, Apple, Google, or Microsoft, will be able to have true cryptographic level authentication powers without the constraints that you have today. Today, if you want to do that, you can have your phone or your laptop that are capable of doing this kind of authentication. But then if you lose that laptop, or if you buy a new device, you have an almost insurmountable problem for a consumer of managing a lifecycle. And this innovation will make it possible to have basically the backup, obviously in the cloud, so that you'll be able to access it from multiple devices. And personally, you know, you have a classic: this is the year of Linux on the desktop, or this is the year of language. Passwords will die this year. The passwords will not die, but this innovation is the most promising innovation that I've seen in my two decades of career in this space. I'm truly convinced that it will really change the way in which consumers authenticate, and it will bring other problems, but at least I think it will raise the bar significantly in terms of security and in terms of usability.
Okay, great. John, I saw you nodding in agreement there. Do you wanna add anything?
Yeah, I think the FIDO development is significant and certainly can assist with usability in those cases. You know, account recovery has always been a problem, just like authentication itself has been. So this, you know, has some promise for making that much easier for either consumer or enterprise use cases.
Okay.
Yeah. I was just gonna add to that. I think it comes down to choice. I think that's as much as anything else. The idea that passwords will go, it's kind of a fallacy; there's a generation alone that's never gonna adopt anything other than passwords. Right. So when we kind of look at the evolution, the trends as we go, it's about consumer choice. So it's a multitude of options that are available, very much dependent upon the user journey and that balance between risk and friction.
But now, a couple of years ago, when we were looking forward to things, we were talking about retina scanning and voice recognition and all these kinds of things. And, John, I mean, Richard alluded to them in his presentation. What happened to those? Like, why haven't we got voice recognition everywhere? Why aren't we scanning our irises? Like James V
I have a very personal view for that because I like to sit in restaurants and coffee shops. And I think just the voice as a recognition is a horrible user experience. You don't wanna sit in a coffee shop and use your voice to be recognized; it just doesn't work. And I think actually fingerprint and face have been the winning methods to authenticate and are probably going to be. You see it from many movies, you don't wanna use your eye for readiness. These are just things that aren't so natural. To put my finger on some fingerprint reader, to use my face as recognition, it's just very natural, very, yeah, very natural.
Yeah. I think I'd add to that. I think the idea of it, it feels like someone's almost going into your brain. It feels wrong. And I think I'd add also that a lot of the devices just don't have that capability and it hasn't been rolled out, which is why we've not seen that adoption. So voice obviously is appropriate on any device. And that's the key thing, is having the capability to do it across devices in whichever manner you're gonna authenticate.
Okay. So let's look at the next question is what do you think about the future of risk based authentication? Are there new factors that need to be evaluated?
So risk based will be used more in the future because it's a natural addition to whatever else you do as an authentication step. It doesn't necessarily have to be the only strong form; authentication can be in addition to anything that we just talked about, and it will include more and more of the user behavior and user context. Nowadays, you know, many risk based authentications do take a lot of the user context into account, but there's more. So things like geolocation, device fingerprint, that's like, you know, standard now, but we can do so much more around this one. Yeah. Device posture, for example, is getting more and more popular as well, as well as the behavior of the user across, in general, the usage of the applications and inside the applications will play a bigger role as well.
Okay.
I want to disagree actually. Sorry. I have a different view. I think that risk-based authentication is quite popular today because we still rely on the password being the main factor of a multifactor authentication, of the authentication itself. So in the future, relying more on public key cryptography and hardware backed authentication, I see that diminishing more and more, actually, to no longer have the risk base as a big issue.
No, no, no. So, I mean, again, thinking as a consumer, how many times have you sat down at your computer or on your phone and you think, you know, nothing has changed in this context? Why am I being asked to log in again? I mean, I think that a dozen times a day, you know. So I think there are signals that we give off or that can be collected and used for risk based authentication. It should be much more pervasive than it is now. MFA is great when you need it, but, you know, there are lots of times when you could simply make a risk based decision and not have to bother the user.
Finally. Ha, sorry. Okay. So I agree mostly with you and disagree with you guys. And the main reason is I believe that risk based authentication is not ible with strong authentication, because authentication is a moment in time. And then there is your behavior in what is allegedly your session. So there is all this talk about Musk and Twitter, and people saying Musk wants to authenticate all humans because it wants to weed out bots. It won't work. Let's say that you have seen people in click farms playing Pokémon Go on behalf of rich Westerners. You can have exactly the same model of people authenticating as humans, and then just handing back the access tokens to a bot. And so if you want to weed out things, you do need risk based authentication or in general behavioral things that check things out so that you realize that at least the person that did the vet authentication, which I agree will more and more go to stronger methods, public is and similar, but that doesn't absolve us from the need to do behavioral checks.
But here there's the part where I disagree on the premises. I don't know if it's gonna be all that easy, because sensors are getting better and AI is getting better, but privacy, that pesky thing, is actually starting to have an impact. So I'm biased because I spent the last two years fighting with browser people that are trying to block trackers for good reasons, because we don't want people to be tracked without them giving consent. But at the same time, the measures that they are applying are breaking our identity flows. And so in order to be able to do effective collection and effective behavioral checks and similar, you have to be able to collate some of this information, and both from a technological perspective and from the normative perspective, laws and similar, more and more there will be an attempt to prevent this from happening. We'll keep trying, it's gonna be an arms race. But the thing is that we are both on the good side, because, like, we want good authentication, but we also don't want privacy violation. So, like, predictions are particularly difficult, especially about the future. So who knows what we have.
Actually just one final remark from my side. I think we're not that far away from each other. Yeah. I think risk based authentication as a strong factor, in addition to a password, that will not be used as much, but in addition to MFA. MFA will be compromised at one point in time. Yeah. Not MFA itself, not the, you know, they won't hack your FIDO token, and not the individual one, because that's not where they will attack. They will attack registration flows, exception flows like lost authenticators and all this. And this is where then the risk based part is another layer that may catch the attacker. Yeah. So it's not going away. It will be used, but it will be used differently than it is today. So you are right and you are right as well. Oh,
No boring. That's so acceptable.
Oh, no agreement. How awful. I've got some questions here. To what extent is FIDO2 supported for workforce enablement? Do you have an opinion on that?
I actually gave one entire presentation about it at Authenticate, the FIDO conference. And it was months ago, so I promptly forgot, but I can provide the link at the end. And the thing is, the main high level observation was that when platform authenticators are available, administrators will flock to it. And we go there. And if you do a bit of usability studies and you help the user, like for example, you detect that the machine is capable of doing platform authenticator and you offer it as an enrollment option, people will go for it, but it's something that doesn't necessarily happen organically. You need to create incentives for people to do so.
Great. And at the risk of running over time, I've got a really long question. How do you currently rate the maturity of FIDO2 for enterprises, especially when focusing on the workforce, coming from a heavily managed PKI world and the plan to use PIV on FIDO2 tokens as well? It looks like for vendors, at least, it takes one or two years to develop all the necessary lifecycle processes; standard FIDO support, even when certified, usually does not cover this.
Yes.
I mean, I'll try to give an answer. First of all, it's there already. The first question was, is it there? It's there already. FIDO2 for enterprises, for workforce authentication, is there already. When it comes to web authentication, there's nothing to do. Even there sometimes, when it comes to Azure AD only joined systems authentication. So it's nothing which is particularly new, but it's still early stage. Is it suitable for enterprises? I would say clearly yes. The whole FIDO principles are very similar to PKI principles, the whole idea behind the public key crypto. The mechanisms are very similar. It's kind of getting more difficult now with what's been announced last week, that keys can be exported, can be backed up. This is something which obviously is putting some risk to the FIDO2, to the FIDO general approach that we've seen up until a week ago. It's great for usability, but as always a balancing act. I mentioned in my presentation, security goes a little bit down while usability goes up big time. And I think most people, especially consumers outside of the workforce, again, especially consumers, would probably opt in for a solution where they can transport their key material to a new device, to another device, whereas workforce probably better not. So I think there will always remain differences between the needs of workforce and consumers, especially in terms of high level security.
Okay. Unfortunately, we've kind of run out of time. Just by way of a closing statement or a comment, the last question was: what does the panel think of continuous authentication? So just two words on that, or a closing statement from each of you. Go.
Well, I look at continuous authentication as just continuously doing the risk adaptive and deciding, you know, has anything changed? Do you need to have an explicit authentication event? I think it's a good next logical step for risk based.
Continuous authentication is inevitable if we want to have a decent level of security and usability, which means the acceptance of our user base.
I agree.
Thank you. That gives me a little bit more time. I would always vote for building a root of trust with the initial authentication, but certainly I'm in agreement. Continuous authentication is part of the whole story, but start with the root of trust with the very first authentication every day you do. I would agree.
Okay. Thank you very much.
