Event Recording

A Blueprint for Achieving a Passwordless Reality

Password-related attacks increased by a staggering 450% in 2020, with over 1.48 billion records breached worldwide. Meanwhile, the average cost of a password reset exceeds $50 USD. We all know that passwords fail to deliver adequate Zero-Trust security and cause unnecessary friction for both customers and the workforce. So why have passwords not receded into the background? What are the key challenges facing enterprise passwordless agendas? And how can modern identity and access management help us realise a blueprint for a passwordless reality? 
Hello, guten Tag, good afternoon. My name is Adam Price. As I was introduced earlier, I'm the senior product and solution marketing manager for the EMEA region. I've been with ForgeRock for just under two years, but I've been in the tech space for over 10 years, occupying a wide variety of roles ranging from product management and presales to, most recently, marketing. Now, I'm really excited to be here, but I've got to be honest: when I was asked to talk about passwordless, I was in two minds. We've talked about passwordless for so many years, and it seems at times that the debate has been hashed over and over again, but there are two sides to the story. So I started looking at the social hashtags last week; as you know, it was World Password Day on May 5th.
I hope you celebrated, or not, as the case may be. And I can really see that momentum around passwordless is picking up, and again, listening to the conversation in this room today after lunch, you can really see that that's the case. So I think we are at the dawn of a new passwordless era, and I can see that many of you are thinking about how to adopt this and move it forward. Okay, so as a show of hands, who actually thinks that passwordless is going to be a reality in the next two years? Oh, okay, split crowd. Interesting. Right, well, let's get into it, shall we? I thought it would be good to start off this presentation with a quote from our team leader, Fran Rosch, our CEO. Fran talks about how creating a smarter, better identity system can give you the access to eliminate passwords.
And that's pretty much wired into our DNA at ForgeRock and into our product roadmap, so it's a really compelling thought that I wanted to start off with. Now, before I dive into solutions, I'm a big fan of the 80/20 rule, so I'll spend some time looking at the problem space. As we know, passwords and usernames create an extensive attack surface. In fact, the 2021 ForgeRock Consumer Identity Breach Report shows that password-related attacks increased by a staggering 450%. Now, this is really concerning, and as we know, since the onset of the pandemic things are only getting worse.
Passwords are also expensive to maintain. They require resources, workflows and extensive support mechanisms to be in place, and as you can see from this particular statistic, maintaining passwords is very expensive. Most importantly, we know that passwords create user friction. It's staggering to learn that the average person owns over 90 accounts during their lifetime, whether work-based or personal. So you can imagine all the things we have to go through to remember and manage those passwords. This is a significant problem, but that's not all: passwords create bad password security hygiene, and they're also at odds with Zero Trust security. After all, it's very difficult to enforce borderless security when you have a mobile workforce and your consumer touchpoints are proliferating on a daily basis.
We are also seeing that organizations have a real problem with trying to manage these password-related problems through orchestration. So how do you actually manage this problem and use interfaces that allow you to move rapidly to the passwordless future? All in all, passwords, as we know, create customer attrition issues, workforce productivity issues, poor ROI on digital investments, and an extensive attack surface. Now, in addressing this passwordless dilemma, many organizations have tried to increase and improve password complexity, but as you can see from this particular visual, this has been a huge failure.
And I, for one, use password managers; I use Apple Keychain extensively across all of my Apple devices. Does it really give me greater assurance and confidence that my personal data is being protected, that I'm being prevented from being compromised? Not really. So again, this is not really a viable solution. Now, when we talk about passwordless, we tend to dive straight into technology. And as we know, change of any sort is very difficult. We as human beings are not really that keen on change, and implementing change is difficult and frustrating. So when we're thinking about creating a passwordless reality, in our view this is about creating a passwordless vision and a strategy that can incorporate and align people, process and technology to best effect. And I've certainly seen this in my career.
In certain organizational contexts, we just tend to focus on technology. I've seen this in particular in the financial services industry, where you've got good technology, you have the funding, you have legions of people thinking about this change, you're kind of hoping to press this into place, and you're hoping that your end users will come to the proverbial party and adopt. And that frequently just doesn't happen. So before I dive into this blueprint, I just wanted to take a step back. As we've heard earlier today, we all know that passwordless is inherently intertwined with identity, and I've taken this pretty amazing slide from our VP of CIAM at ForgeRock, Mary Writz. I think this tells a really powerful story.
We saw identity evolve over time. During the early 2000s, in the first wave, we were in the era of "get me access", as it's called here on the slide. We were just concerned about getting access to our services as quickly as we could, and as users and as workers we were prepared to tolerate usernames and passwords. We didn't really care; we just wanted access as soon as possible. It was around eight to ten years ago that we entered the second wave of low-friction identity. Progressively, as the number of accounts started to proliferate, we started losing patience. We wanted to minimize the friction and we wanted to ensure that we were being protected. We currently find ourselves in this wave; I would say we are at an advanced stage of it, and modern IAM solutions have really tried to address this by rolling out a wide range of capabilities, ranging from progressive profiling, which gives you the capability to reduce how much information you have to enter at specific stages of the registration journey, to privacy controls and third-party delegation controls.
So we are now at the stage where, effectively, we're trying to ensure that we can access our services with passwords annoying us as little as possible, but we are at the dawn of a new era of invisible identity. As we heard earlier today, we are very close to a reality where passwords might still exist, and will still exist, but will be consigned to the back, and in some cases removed altogether. In this reality, you won't ever have to touch a password, or only very infrequently, when accessing services. Okay, so let's get into this blueprint, as I called it, for a passwordless reality. I think the first step in thinking about passwordless is really about identifying the use cases.
I think the panel we had earlier made some very interesting points about whether you should prioritize workforce or consumer identity use cases and how to mix them to best effect. Classically speaking, passwordless started really in workforce use cases, and as we know, this is not just about thinking about authentication but frequently also about authorization. We believe that starting with the workforce and the right user group gives organizations the ability to create the critical mass required to create buy-in. That buy-in is very important, because we don't necessarily want to be diving into consumer use cases to start off. As we know, the moment we start rolling out passwordless technologies across consumer use cases, we significantly increase the short-term risk of customer attrition and defection when things go wrong. So starting off with internal workforce use cases, creating the internal critical mass required to sustain the investment, is always ideal. That then creates a great opportunity to move on to consumer use cases, building on learning and experience.
The next step is really to think about how one phases the implementation process for a passwordless future. Now, as we know, many organizations get really excited about going to FIDO2, moving into behavioral authentication and access journeys, but it's really important to take a step back. Again, I've seen this in my career when rolling out healthcare offerings in the UK: there is always a temptation to introduce great new tech, but if the process is not managed correctly, it creates significant risks of defection and resistance. So many organizations that have traditionally used static two-factor authentication workflows move on to creating static multi-factor authentication workflows, and also authorization workflows. Now, the next natural step in this journey is to move from static MFA to what I call dynamic MFA. Dynamic MFA uses contextual signals such as browser type, IP and others.
I'll come onto that in just one second, but it uses context to make the authentication journey much more seamless and much more secure. That then creates the opportunity for organizations to think about what they want to do with the passwordless agenda. We heard quite a lot of conversation in the panel today about continuous risk assessment; I think it's fair to say that the audience is split on the future of that particular option. We've also heard a lot about FIDO2. You probably heard last week's announcement from Apple, Microsoft and Google about their commitment to eliminating passwords with FIDO passkeys. That's a huge development that enables organizations to deploy FIDO standards across any mobile device, any web browser, any platform. So again, that's one way of going forward as well, but there's also an entire avenue of behavioral authentication and authorization to think about. That's really the future, where we are not touching passwords in any way, shape or form, but actually our behaviors, our keystrokes, our particular engagement with our service providers determine whether we gain access or not, and then present the appropriate level of friction relevant to that context.
As I mentioned, the FIDO passkey development is a really exciting time in the FIDO standards space. This is the roadmap for Google's passwordless journey, and as you can see it naturally culminates over here on the right-hand side in the passkey passwordless future. I'd be very interested to see how this plays out over the next year or two, but you can see these big tech organizations are investing in this heavily. And actually, when speaking to our former chief evangelist about this earlier today, he believes strongly that this is a means of increasing the assurance and trust that organizations and consumers can vest in these big providers to help manage the passwordless reality in the future. So again, a future passwordless reality and a blueprint need to take account of this and bake it in appropriately.
The other important thing to think about is the choice of factors. Again, another interesting topic that came up earlier today: consumers want choice. They want choice because they feel they're in control, and also, when things go wrong, they have something to fall back on. So it's really important when thinking about passwordless to bake in appropriate fallbacks and alternative authentication methods to give consumers, and also workers, the choice. For example, if you're authenticating into a work-based account using a biometric, and that biometric is reliant on the light conditions in the room where you're authenticating, as when trying to authenticate via Face ID, there needs to be a fallback. This is not just important from a user perspective but also from an organizational perspective, because if there isn't a sufficient fallback built into the journey, then, as we know, users will pick up the phone or start engaging with the support services.
And every time there is contact with a support service agent, that creates additional cost and friction, which we're trying to avoid. So again, giving a choice of factors, possession, knowledge and inherence factors, is really important. I talked about context before. When we think about context, we have historically thought about it as the browser type, the IP, the device type you might be using, but actually context is much more pervasive than that. Context really shapes, determines or reflects your consumption patterns, your relationships, whether that's in your household, at work or in your leisure time. And so, as was mentioned earlier, this creates a wide variety of contextual signals, and it creates an opportunity for organizations to think about how they can bake those contextual signals into their passwordless journeys, whether for authentication or authorization use cases.
Now, that also presents organizations with another challenge: having such a myriad of contextual factors can lead organizations to ask, okay, how do we then utilize those? How do we make our overstretched teams utilize that data to best effect? And as we know, the answer to that is AI and ML. We are really at the dawn of a new era with this technology, and it will enable these particular signals to be automated and, where there is a higher degree of risk, present an appropriate authentication or authorization challenge to the user, or flag it up with the internal enterprise team. So context is really important in this journey, as is self-service. As I mentioned, users should be able to preconfigure their authentication journeys, and in some cases authorization journeys, using portals where possible. Again, that removes the reliance on organizations having to pick up the call and speak to the service agent.
I think I'm running out of time here, so I'll wrap up in a second, but just to say, it's really important within that change mentality to manage expectations. When thinking about the route towards passwordless adoption, one ought to be thinking about the psychology of how users behave, and then making sure that we're not introducing undue change where users might push back. The other thing I would say, very quickly, is that third-party integration is very important. We want organizations to have interoperability with a wide range of biometric and identity-proofing providers, to be able to give that big choice of credential factors. Again, we want to give people the opportunity to do that out of the box. The last two points I want to make are about orchestration: orchestrating passwordless journeys via low-code, no-code authentication journeys really helps to reduce time to value.
It helps to reduce costs, and we are certainly seeing from our engagement with our customers and partners that that's really the way forward. As you know, the key IAM vendors in the space are providing these capabilities. The final thought I'll leave you with is that passwordless is also about integrating multiple identity stores. You don't want to be rolling out passwordless across one range of siloed systems; eventually you want to go across the piece. So again, IAM modernization and integration of those identity stores is really important to that agenda. So I'll stop there. If you want to continue the conversation with us, please come to stand 25. I look forward to talking.
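As an added illustration of the "dynamic MFA" and "choice of factors with a fallback" ideas from the talk (this is example code written for this page, not ForgeRock's product and not anything shown in the session): a small policy engine scores a sign-in from contextual signals (device, network, hour, user agent), maps the score to a minimum authentication strength, and then prompts for the user's most preferred enrolled factor that meets that strength and is usable right now, so Face ID in a dark room falls back to a passkey instead of a helpdesk call, and a user without a phishing-resistant factor is stepped up to two weaker ones. The signal weights, strength ranking, thresholds, user profiles, networks and sign-in contexts are all assumptions constructed for the example; a password is never accepted on its own.

```python
"""Context-driven step-up authentication policy (illustrative example, not ForgeRock code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed authenticator catalogue and assurance ranking (3 = phishing-resistant).
PASSKEY, FACE_ID, OTP_APP, PASSWORD = "passkey", "face_id", "otp_app", "password"
STRENGTH = {PASSKEY: 3, FACE_ID: 3, OTP_APP: 2, PASSWORD: 1}


@dataclass
class Profile:
    user: str
    enrolled: list        # authenticators in the user's own preferred order
    known_devices: set    # device ids seen on earlier successful logins
    known_networks: list  # ip_network objects the user normally signs in from


@dataclass
class Context:
    device_id: str
    ip: str
    user_agent: str
    hour_utc: int
    biometric_usable: bool = True  # False when light/camera conditions block Face ID


@dataclass
class Decision:
    action: str   # "allow" (prompt for `factors`) or "deny"
    factors: list
    score: int
    reasons: list = field(default_factory=list)


def risk_score(profile, ctx):
    """Additive score from contextual signals; the weights are assumptions."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if not any(ip_address(ctx.ip) in net for net in profile.known_networks):
        score += 30
        reasons.append("address outside known networks")
    if not 6 <= ctx.hour_utc <= 22:
        score += 10
        reasons.append("unusual hour")
    if "mozilla" not in ctx.user_agent.lower():
        score += 50
        reasons.append("non-browser user agent")
    return score, reasons


def required_strength(score):
    """Score -> minimum strength of the authentication; None means deny outright."""
    if score >= 80:
        return None
    return 3 if score >= 30 else 2  # step up to phishing-resistant when risky


def choose_factors(profile, ctx, min_strength):
    """Most preferred usable factor that is strong enough, else a pair of weaker ones."""
    usable = [f for f in profile.enrolled if not (f == FACE_ID and not ctx.biometric_usable)]
    for f in usable:
        if STRENGTH[f] >= min_strength:
            return [f]
    for i, a in enumerate(usable):  # e.g. otp_app + password when no passkey is enrolled
        for b in usable[i + 1:]:
            if STRENGTH[a] + STRENGTH[b] >= min_strength:
                return [a, b]
    return []


def decide(profile, ctx):
    score, reasons = risk_score(profile, ctx)
    need = required_strength(score)
    if need is None:
        return Decision("deny", [], score, reasons + ["risk above deny threshold"])
    factors = choose_factors(profile, ctx, need)
    if not factors:
        return Decision("deny", [], score, reasons + ["no acceptable authenticator enrolled"])
    return Decision("allow", factors, score, reasons)


# Constructed sample data: two users and a handful of sign-in contexts.
ALICE = Profile("alice", [FACE_ID, PASSKEY, OTP_APP, PASSWORD], {"laptop-7f3a"},
                [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")])
BOB = Profile("bob", [OTP_APP, PASSWORD], {"bob-pc"}, [ip_network("10.20.0.0/16")])
UA = "Mozilla/5.0 (Macintosh) AppleWebKit/537.36"


def demo():
    cases = {
        "alice_office": (ALICE, Context("laptop-7f3a", "10.20.4.17", UA, 10)),
        "alice_dark_room": (ALICE, Context("laptop-7f3a", "10.20.4.17", UA, 10, biometric_usable=False)),
        "alice_new_phone_abroad": (ALICE, Context("phone-new", "198.51.100.9", UA, 21)),
        "bob_new_device": (BOB, Context("bob-laptop", "10.20.9.2", UA, 14)),
        "script_at_3am": (BOB, Context("unknown", "198.51.100.9", "curl/8.0", 3)),
    }
    return {name: decide(p, c) for name, (p, c) in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:24} {d.action:5} score={d.score:3} factors={d.factors} {d.reasons}")
```

Running it shows the three behaviours the talk argues for: a known device on a known network gets straight to a single biometric, the same sign-in with an unusable camera silently falls back to the passkey, and a risky context either steps up to a phishing-resistant factor or, for a user who only has an OTP app, combines it with a second factor rather than denying outright. In a real deployment the weights would come from a risk engine and the device and network history from the identity store, which is why the talk ties passwordless to integrating those stores.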