Webinar Recording

Eliminate Passwords With Invisible Multi-Factor Authentication


A high proportion of data breaches and ransomware attacks exploit stolen credentials. Eliminating passwords with multifactor authentication is an effective way to reduce the risk of unauthorized access to company networks, systems, SaaS applications, cloud infrastructure, and data. But not all MFA systems are created equal.

Welcome to our KuppingerCole Analysts webinar, Eliminate Passwords With Invisible Multi-Factor Authentication. This webinar is supported by Beyond Identity, and the speakers today are Patrick McBride, who is the Chief Marketing Officer at Beyond Identity, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts. Before we dive into our agenda and the topics of today's webinar, just a quick hint on some upcoming events. On March 23rd we will have our virtual event, Zero in on Zero Trust, where we discuss how to make zero trust a reality and how to bring it into practice. And then in mid-May we will run our European Identity and Cloud Conference 2022, which is the most relevant identity management event, I would say even globally, and which will be held in Berlin. You can attend on site or you can attend remotely; it's fully hybrid. Don't miss being there.
Housekeeping: we are controlling audio, so there is nothing to do for you on that. We will do two polls during the webinar. We do a Q&A session at the end of the webinar, and the more questions we receive from you, the better; the more lively and interactive the webinar will be. The slides will be available, as well as the recording, shortly after the webinar. So that's, in a nutshell, housekeeping. Before we look at the agenda, I want to start with a poll, and I'd really ask you to provide your perspectives on it. This poll is about what the most important topics are for you. Is it modernizing your legacy identity management? Is it MFA and passwordless? Is it replacing standing privileges and moving to just-in-time access? Is it more policy-based authorization beyond authentication? Or is it really more about making zero trust a reality? I'm looking forward to your answers now, so please enter the poll. We will look at the results, if time allows, during the Q&A session.
I'll leave it open for another 15 to 20 seconds. Please click one of these options; select the one which fits best to your organization's case. Thank you. And without further ado, let's go to our agenda for today. In the first part I will talk about why we need passwordless authentication. That will be a very short talk, a very few minutes. The second part is a little different from most of the other webinars we are doing: Patrick and I will talk about some aspects of the future of authentication and what we see as very relevant here, and exchange our views. Following that, Patrick will bring up some slides and look at how you implement invisible passwordless authentication, and after that we will do our Q&A session. So it'll be a little bit of a mixed-mode webinar today.
Some presentations, some interaction, and the opportunity for you, as I've said, to enter your questions and get insights from Patrick and me on the topics you have in mind where you'd like to get our insights and advice. When we look at the topic of passwords, I'd like to look at it from two angles in the next few minutes. One is how the entire world of organizations and digital businesses is evolving, and where identity, authentication, passwords, et cetera come in and why they are so relevant. The other is what is putting pressure on passwords. The one thing is: when we want to be successful deploying digital services, when we want to be successful as an organization, we must get away from this notion of balancing security and convenience. Balancing security and convenience is always about a trade-off.
We must get to a world where we have security and convenience, because at the end all organizations today are on a digital journey. It's about changing business models, being able to compete in a changing landscape, which means we are creating digital services where the intellectual property is, where really the differentiation in the competition comes from. This needs to be developed, delivered and operated fast, but also be very available, because if it's not there, we can't do business anymore. So delivery is important, but lastly it is also about identity and security. Attack resilience is one part, and that also has to do with secure authentication, but it's also about the customer journey. It is about the ability of organizations and of services to be very comfortable, very convenient for the user while yet being secure. This is what we need to do, because when you look at the drop-off rates during the onboarding process, when we look at the churn rates of people not coming back, also because it's way too annoying to remember the last password, then I think it becomes very clear that this is part of the digital experience.
If we want to deliver a good digital experience and have a competitive differentiation, if we want to succeed, we must look at how these journeys run. And we must think about it not only for our consumers and customers, but also for our partners and our workforce; we must get better at this in the digital age. So all this is about how we can get better and what the technology is that helps us to be secure, convenient and fast. There are many elements playing into that, but it's very clear to me that the way we authenticate users, the way we deal with users, is an essential element in that journey. So when we look at passwords, everyone knows that there are challenges with passwords; that is very clear. Since I co-founded KuppingerCole Analysts more than 15 years ago, there has been this "passwords are dead" statement around.
They are still here, and I'm quite sure when I retire they will still be here, and probably way after that. But we also see that we have more interactions where we don't see passwords anymore. In the last two or three years we really had a shift, from passwords being the normal way to there being other normal ways. Sometimes the bigger part of what we do in our daily work is increasingly passwordless. We still have a lot of passwords, and you also see that around e-commerce and so on, where you still frequently need to register, create an account, create a password, et cetera. This is hopefully also changing. But when you look at passwords, what are the challenges? One is security. Passwords, and we all know it, are insecure; they can be more or less insecure, but they are a challenge from a security perspective.
And every now and then, when this list of the most commonly used passwords is published, we all see: okay, it is maybe not very good to always use 1, 2, 3, 4, 5. Passwords are not convenient: remembering all the passwords you need to use is a pain. And the problem is that if you write them down, then it's a problem for security, right? It's not very convenient if you don't write them down. Yes, you can use password managers and other things, but it is a matter of convenience. It's a matter of cost: resetting passwords is expensive, dealing with those passwords. If you look within organizations, handling passwords and handling things like that is really an expensive thing. And last but not least, we have regulations. We have more and more regulations and more and more guidance from governmental agencies, such as CISA in the US, that say: okay, this is not a good practice anymore.
So there's pressure on that, because if it's declared as not being a good practice, it also means that, when you look at regulations which say you need to follow good security practices, then you have a challenge. So we need to act, we need to move forward and think about how we can get better, and how we can get better without adding an additional burden, but rather by making it more convenient and more secure. And with that, we are already approaching our second part. This is where Patrick and I will talk a little bit about the future of authentication. Welcome, Patrick, how are you today?
I'm very good, thank you. I'm dialing in from my New York apartment. My usual home is Washington DC, but the Beyond Identity headquarters are up here, so this is where I work most often. And it's a nice, cool day in the city.
Okay, great. So maybe, Patrick, you introduce yourself first, and then we get started.
Sure. So yeah, Patrick McBride, I'm the Chief Marketing Officer at Beyond Identity, which means, as I like to joke, that I'm title-challenged, but I have had a chance to sit in most of our viewers' seats. I started off as an engineer writing code, and then was actually with an analyst firm many years ago, a company called META Group, and went on and spent the last 25 years of my career almost entirely in cybersecurity. So everything from being a CIO and a CSO at some points to spending a lot of time at lots of different vendors, in threat intelligence, in industrial cybersecurity, and in a couple of scenarios I was involved in the identity management space. By the way, I would put in a plug for the May conference in Berlin. We'll certainly be there. It was a great conference last time; I've been trying to get over to Germany for years to be involved in it. It was a very good conference last time, and we expect the same this time. So looking forward to that.
Okay, great. So let's get started. Patrick, we've decided to talk about five topics, a few minutes each. The first one I'd like to pick is simple onboarding. What we see, both from a user experience sometimes and what we also see with the advisory customers we have, is that this matching of, for instance, devices, and many people have many devices, with the authentication system can be quite challenging. So what I'd like to get from you is your experience on how we can better deal with this. How can we potentially simplify the onboarding process, and what is your perspective on that? Not that setting up a password is an easy or convenient thing, honestly.
Right. So yeah, there are a couple of aspects to it. I think about it in two pieces. One is the experience for the end user, whether that end user happens to be an employee of a company that we're trying to onboard, or somebody that's maybe a customer, an end customer or consumer, for an e-commerce app or a banking application, for example. In both of those situations, the initial onboarding for them should be absolutely seamless. Right now, when we go in and register a user ID and a password, we often get a bunch of extra challenges; often we'll have to go to an email inbox or something like that to validate our email. So that flow is not terrible, but it's also not good. As Martin said, there are too many organizations who see big drop-off rates, whether on the consumer side or the customer side. People would like to make sure that if you're buying something, you do it with a registered account so that they can continue to send you information and market to you, or they get you to download the application so that they can continue to work with you and you can get the value out of the application.
And, as we like to say, in that environment the back button is your worst enemy. If I want to go buy something and it's particularly hard, and you make me go through lots of steps to register, then I might just go back and choose some other service.
And I think for the workforce there's also that challenge, because when you end up with a registration process which causes a certain percentage of your workforce to call the help desk, then something is wrong. I think it is very important to keep this in mind when we move to passwordless: we must make it very easy, very seamless for everyone to use it,
Including the administrative staff. A lot of the initial identity management infrastructure was built to make sure it was easy for the HR team to provide access to all the applications that you needed. And over time we evolved that, so we now have things like standards. We put people in directories, so we know that they're an employee or a contractor, et cetera. And for the administrators, leveraging things like SCIM, an interface so that if you add somebody to a directory or take somebody out of the directory, that automatically takes effect; it's not something that they have to go and adjust all the time. So in general, for the administrative staff, using the standards that are available to us today, that we've evolved over time, makes it easier for them, and similarly for the employee.
It's got to be as simple as clicking the link in an email so that I can get registered into a service. And you mentioned there are multiple devices, Martin. If I have to call the help desk every time I want to use a second device or a third device, if I want to register something, that can be trouble. Now, this is also a challenge, right? Some of our customers absolutely want to leverage only, or allow only, work-issued, company-issued devices that have a lot of controls in place into their environment. Some of our customers are fine with BYOD devices in a lot of places. Most of them are somewhere in the center; they'd like to enable that.
And I think the reality is, there are two aspects to it. One is, sometimes it is that way: we have a bring-your-own-device reality in many areas. We also have this reality of a sprawl of device types. If there's something new, most likely your CEO will be the first to say, I'd like to have this because I've seen it somewhere else. The other part of that is multiple devices; most people have multiple devices. When I just look at the number of devices I'm using regularly, I would say I end up at five, because I have a desktop computer in my home office and a desktop computer in my office, I have more than one notebook and tablet, and I have a phone. So there are quite a number of devices.
And so I think we also need to work on how we can make it very convenient to deal with multiple devices. And that's the point where onboarding becomes very important. If it's a little bit cumbersome to onboard one device, you might live with that. But you do it at least twice, because of phone and computer, maybe on average three times, and for some you do it even more frequently. So I'm probably above the average in use, but it means that the challenges multiply.
Yeah. And there are two challenges. The ease-of-use piece is interesting, and it's not only ease, but especially for the second device. For the initial device, somebody from the IT department is going to be involved, allowing you to register your work device, for example, but extending that experience to another device should be self-service as well. It should be something that users can easily do themselves. So we use things like QR codes and other things to be able to extend that experience, and there are other people that have tried things. One of the key pieces is the ability to support the end user self-serving, so that it doesn't result in help desk calls to the support team all the time. The other aspect is a policy decision. Martin, should we let you log in from all five of your devices? In your case, knowing you've taken all the precautions from a security perspective that you need to, but that may not be the scenario. So some of our clients make it by policy which devices can be registered and which can't, and whether those devices meet some level of security posture check.
Yes. So I think there are two more aspects on the policy. One might be that you say some devices I treat differently than other devices. So you might say, I allow access from your private phone for certain use cases, for certain things, but not for everything. That might be, for instance, one of the scenarios where I differentiate between policies. Or you come up and say, okay, it's quite logical that someone has the phone and the computer on at the same time, but having the phone and several computers on at the same time might be a different thing. On the other hand, when I look at what I do, for instance in workshops, I quite frequently have one computer where I run my Teams session or Zoom session, and I have my tablet, or my notebook flipped around, and I'm using the whiteboard.
So I have two systems in the same session, for instance. So we need to be very careful with policies, because sometimes there are these exceptions you need, and it's challenging. And also, when talking about policies and security, I think there's another theme which is very much worth looking at, which is: what does passwordless really mean? I think there are quite a few levels of what you could define as passwordless. Is it that you are passwordless when no passwords are traveling anymore? That could be one concept. Or you could say, if I only use a password or a PIN, a PIN in some ways is something like a password, only for resetting, and it's only local to the device, that is a different thing. Or you say, only if I have no PINs or passwords am I really passwordless. I think the minimum requirement, at least from my perspective, is no passwords traveling, which also means no password hashes, which also means you don't have a central place where you store whatever, 1 million or 70,000 passwords, because at the end, when you look at big incidents, it's always about, oh, 3 billion passwords leaked, or stuff like that. And this is what you clearly can avoid when there's no such thing as a central password store anymore.
We look at the definition fairly strictly, and it mirrors what yours is, Martin. The way I like to think about it is there's no shared secret that travels over the network, in either the authentication flow or any of the recovery flows. That's an important piece, because a lot of what attackers are going after, they'll go after, like, stealing the password in flight, or stealing it at a database and using it, as you pointed out. But the other way that they'll go after trying to get passwords, other than buying some of these billions of passwords on the dark web that are just available now because they've already been stolen, is they'll do phishing, but they don't necessarily always go after the primary authentication factor.
They'll kick off some sort of a recovery flow and try to grab it there. So it's an important position. There are a lot of things out there that call themselves passwordless, and we call those passwordless for convenience, but not for security. What we mean by that, some examples are, you know, one-time codes. There are a lot of e-commerce players now that, instead of making you log in with the password, send you a code every time. Well, by your definition, it traverses the network. It's easy to steal and use. So it made it more convenient for the user: I didn't have to remember a password, didn't have to write it down or put it in my password safe or change it. However, it doesn't change the risk profile at all, so an account takeover is still an easy thing. So the way we think about it is a very strict definition: if there's any kind of a shared secret that traverses the network, that's not only in my head or written down but is in a database somewhere and I've got to match it up in the middle, then that doesn't meet the definition of whether it's actually passwordless.
And what we see, and we are always closely watching what is happening in the cybersecurity space and in the attack space, is more and more targeted attacks on MFA. And I think that's totally normal: once there's something new in protection, there's also something new in attack. These attackers are smart, figuring out new ways to attack this, sometimes very sophisticated depending on the targets they have. So we need to be, so to speak, good at this. And that's what I said at the beginning, I think the important thing: if you do passwordless right, and I think this is the big value proposition, then we are combining security and convenience. We are not balancing. I always say, when you start saying "balancing security and convenience", just step back and say, oh, there's something wrong.
We're conditioned, right? We're so conditioned, as users in a workforce or customers of a bank, that it has to be inconvenient to be secure. And that's just not the reality anymore. We like to say you can have your cake and eat it too, a famous expression. You can do both things now. But there are solutions and techniques out there that will raise one high but have the other low, and there are lots of ways you can make lots of things really secure. I mean, back in the old days we used to joke about unplugging yourself from the internet as the way to make yourself secure. And I've found it interesting, and I would assume you're seeing the same thing, Martin, in the last two years. I've been doing cybersecurity for 25 years now, and the last two years is the first time that I've heard chief information security officers actually talk about user experience as an important element. It used to be kind of "do it my way", and you have to do it whatever way. So that balance you're talking about, it isn't just us, the analysts in the community.
That's also part of where cybersecurity has evolved within the organization. Cybersecurity is not just some department somewhere in the basement where, like you said, the people are who always make life hard. I think every CEO, every CFO, every leader has understood how important it is to be good in cybersecurity, to be attack-resilient and so on. That means the way we look at cybersecurity has changed, and you also understand, as I started my talk, that this is part of the customer experience, because yes, people want a convenient experience in onboarding, but they also want trust, and trust is about security. And that leads automatically to our next theme, which is phishing resistance. I think this is what you already brought up: that there are attacks on stuff that traverses the web, man-in-the-middle types of attacks in the broader sense, where really someone intercepts a conversation, and phishing. At the end, phishing is still problem number one, because phishing is where most attacks start. Basically, either we abuse a known vulnerability, or an unknown vulnerability in the zero-day context, or we are going for phishing. These are the most common ways, and phishing is probably the biggest one here. So, from your perspective, what makes passwordless authentication phishing-resistant?
Yeah. By the way, if you look at the Verizon Data Breach Report, which is a really illustrative report in many ways, because it looks at actual attacks that have happened and tries to trace them back to the root cause: in their estimation, 80% of attacks emanate from some sort of a credential compromise type of thing. So it is exactly as you say; it is the big issue. It's not the only way that attackers choose. The one thing I've learned in my career in cybersecurity, by the way, is that attackers, even state-sponsored attackers, since that's a big issue right now, will use the easiest method first. They don't want to burn their zero days and stuff like that.
It is also a matter of economics. I think what we see in cyber attacks is that this is a very economical domain, because it is about what you invest for which outcome. And the easiest way, at the end, is sending out a number of mails and hoping that someone clicks the wrong link or opens the wrong attachment, and usually a few fall into that trap.
Yep. So what makes something phishing-resistant? In a simplified way, there are a couple of things, but mostly it is that a token or a credential isn't traversing the network. So, as we said for just a password, and unfortunately, and I'm going to dig into this a little bit in my section, there are lots of methods that we call convenience methods that are not phishing-resistant. Sending something over anything that goes over the public telephony network can be compromised fairly easily; there are lots of different methods by which that can happen, and I'll splash some up on the screen. So a one-time code, or a magic link, that traverses either SMS or email, things that can otherwise be compromised, just makes it really difficult.
Some people think, well, if I just add enough factors to the equation, then I solve the problem. But if it's a set of factors, it can be man-in-the-middled. It's kind of like, if you think about your own home, it's like putting a screen door in front of another screen door: I've got something that's easy to get through, and then the next thing that's easy to get through. And it's interesting: this concept of phishing-resistant is kind of a new thing in the industry, even for deep cybersecurity professionals. They're standing back and saying, well, wait a minute, hold on, I thought if I just did multiple factors, then I was okay.
Let's wait for the details in your presentation in, whatever, three or five minutes. And a final topic in our conversation: let's pick up integration, because at the end of the day we have all this stuff out there. So many of us are working with Microsoft 365, or Google Cloud Platform. We have a lot of business applications out there, so many different services. Clearly we need to ensure that things work seamlessly and that we don't end up with the need to re-register for every service for a new passwordless approach, because again, something would go wrong. So integration is key from my perspective. What is your take on that?
Oh, totally. And I think it starts with the identity stack. Companies have spent a lot of time, whether you're in the Microsoft ecosystem and use AD and ADFS to extend to the cloud, or you're now using, like you said, Office 365, and you're using Azure AD, which, if you're an Office 365 company, whether you know it or not, you've got an Azure AD implementation that kind of fronts that. But there are single sign-on products, there are lots of other pieces, and making people rip and replace that stuff is just a non-starter. So any authentication thing that's going to add value has to not only be phishing-resistant and all the other things that we've talked about; it also has to integrate with the technology that's in place. And the good news,
And I think, Martin, you've talked about this for years: the good news in the identity space is that we've really come up with some good standards, from SAML, which is the way to extend our authentication out to lots of different SaaS applications, to OIDC and OAuth, being able to let these tools integrate with each other. There are things I mentioned earlier, like the standards that allow you to integrate directories and things like that. So we've made a lot of progress here. Any vendor that would come along and say, oh, you have to throw all that stuff away and use something else, it's just a non-starter for most organizations. We would say that, yeah, you do need strong authentication, it's critical as you pointed out, but it shouldn't be that you have to throw all of the old stuff away; leverage the best pieces of that and extend it with a stronger authentication method.
Okay. So Patrick, thank you for your insights so far. I'll quickly launch one poll, and then I hand over to you for your part, your presentation. The second poll is a very simple question, which is just about how your identity management or identity security budget changes in 2022 compared to last year: significant growth, slight growth, more or less stable, or is it decreasing? So I'm looking forward to your answers. Okay, I'll give another 15 seconds. Perfect. Thank you very much for participating in this poll. With that, I hand over to Patrick for your part of the presentation.
Yeah. I wanted to put a couple of things in context as we went into this. We've started already; Martin, you started a great discussion. I think we've all discussed passwords and the issues of passwords, and that they are very compromised. So the logical next step: okay, if I've got a password problem, the logical next step was to put in multi-factor authentication. I've been a big advocate for years of multi-factor authentication. I've implemented it. I've actually been the guy that walked into the CEO's office and said, hey, we need to implement this, it's a big risk. I'm not spending all this time and effort building up a great brand for a cybersecurity company just for us to get hacked; that's a really, really bad thing.
So we've got to do all the right things too. And I literally have, at two different times in two different jobs, been the guy who walked in and made the IT department do this just to improve our security. But the traditional MFA that we've implemented is unfortunately, to state it plainly, just not good enough. It was okay. It was a good solution; it improved the situation for a while, but as Martin pointed out, the adversaries adjust as you put new controls in place; they figure out how to break through. So we'll talk a little bit about the insecurity of some of the modern MFA, but also, let's face it, the current MFA that's in place, where I have to fish out a code or do a push notification, isn't exactly easy for end users.
And as Martin said, having to balance high security versus good usability is the other problem that we see, and we'll dig into that a little bit. And the last one is not even really a problem. It's funny, I've had discussions and even arguments with some of the analysts in this space, and I say, hey, MFA doesn't do anything for device access control. And the answer is, well, it wasn't designed to do that. It's like, yeah, but it should be, because if we think about the way users are using our resources now, they're accessing cloud-based resources or on-prem resources from anywhere, from lots of different devices, as we've talked about. And some of those resources that they would access need to be highly secured.
Do you want to let Martin in from his secondary device, or maybe his wife's or his sibling's device, to a really important application? Maybe not; I certainly don't want to let it in unless I've checked a level of security. So the way we think about this is there are three issues: it's insecure, it's not convenient enough, and it doesn't do a job that we think is really important. Also, as we progress, we talked about this phishing resistance. You'll get the slides; I won't make you read all of this, there are too many words on the screen, but this was a really interesting thing. Our federal government, the US government, is obviously, like many governments internationally, very much a target of attack, both for financially motivated attackers but more often from sophisticated state sponsors.
And this is the advice that our agency just gave on January 6th: you need to discontinue support for authentication methods that fail to resist phishing, and they go on to call some of the specific ones out, things that use SMS or voice calls or one-time codes or push notifications, which we'll talk about later. This is literally language that I copied and pasted right out of that report. If you want to find it, it's easy: if you Google federal zero trust strategy, January 26 or something, it'll take you right into it. And then they go on to make an important point: it's not that these are theoretical attacks. These attacks now aren't something that we think could happen; our government is actually seeing them, and they're seeing that attackers can do this at scale and in a fully automated way. I won't spend a lot of time here, but on the left-hand side are some of the different multi-factor authentication techniques. The password is usually the first factor,
and then one of these things is a second or third factor, and there are multiple different hacking techniques that can be applied here. We'll send this over to you so you can take a look, but the conventional wisdom for a long time was, well, this was in the realm of really difficult stuff to do. It wasn't easy; it took a very sophisticated attacker, and that's probably the thing that has changed most markedly recently. And that's why our federal government, the US central government and others, are very worried about it. In fact, if you go back and look at that zero trust strategy, not only are they worried about it and said the agencies had to stop using that, they said they had to do all this stuff within two years, which in a federal agency is usually five or six years; they give them a long time.
They're really worried about it. You have to do it right now, in federal time. But the point is, stealing one-time codes, stealing session cookies and credentials is patently easy with man-in-the-middle types of attacks. And there are actually kits widely and freely available. It's not even that you have to go buy them from a hacking group on the dark web. I left the web address for this particular one; it's in a public GitHub repository, Evilginx. And it is almost like, as they say, painting by numbers to create a phishing kit that will allow you to, for example, masquerade as a bank and have somebody think that they were resetting their credentials; it just provides all the pieces to do this.
It's basically got little widgets, and you just fill in the little widgets and it looks like a bank or financial or e-commerce site, for example. So again, this is not left up to sophisticated adversaries anymore. This is in the realm of what even I, with my rusty old coding skills and network knowledge, could pull off fairly easily. I'll also let the people that are on this know that there's a really interesting Hacking MFA set of webinars we did. I'll make sure that we send those out in advance, so you can just see some of the techniques that are used. All right. So that's the backdrop: we've got work from anywhere, access anything, want to be able to support multiple devices, want to have unphishable factors. So how do we think about doing it?
And I like to start with what we think an ideal solution looks like. So first, it has to confidently authenticate users. Anything using a password and phishable factors clearly doesn't meet that. And Martin asked a great question: we think you have to eliminate the passwords not only from the authentication flow, but also from the recovery flow and the directory itself, so they can't be stolen and reused in any one of those flows, and you have to eliminate all the phishable factors. And there's a technology out there that we all use every day: public-private key cryptography. You know it in the form of TLS, the little lock in your browser. So we leverage TLS and X.509 certificates to do this, and with a public and private key model you're exchanging something over the network, but the only thing you're sending over the network is something that wouldn't matter if everybody saw it: it's a certificate signed by a private key, and I'll go into more depth on that.
So anybody could see it; they just can't do anything with it. And we send it over the network to our cloud. So the first step is you've got to be able to confidently authenticate the users. We also think you need to positively identify the device, whether by policy you're only allowing a user or a consumer to register one device, or you're allowing them to register lots of different devices, as Martin said, depending on the risk. Being able to cryptographically bind that user to that device gives you a very high-trust way of establishing that, yep, it's Patrick trying to log in, and Patrick's trying to log in from a device that we know we've authorized for him to use. But then we can't be satisfied with that: is the device secure enough to let in? And this is where, during the authentication transaction, or even in the enrollment transaction, you want to check the device and make sure that the appropriate security controls are turned on.
So I might want to let Martin use his personal phone to log in, but before I allow him to register it, or every time he tries to log in with the phone, maybe I want to check some things. Is the firewall turned on? Is it encrypted? Does he have his biometric or his PIN code enabled or not? If he loses it in a cab, will somebody else be able to get into his stuff and then get into the resources? But there are other things: would we want to let him in if he's got a phone that's jailbroken? Well, maybe we would, but maybe we wouldn't. So the idea is not only checking whether it is an authorized device, but also whether it is secured. And we've shown the model here; it's a bit like going through the airport check. You've got to use your passport, which is a good way to authenticate the user, but they don't trust you to go out to the plane.
They're going to send you through the magnetometer or the scanner, you put your hands up, and they're going to put your bag through too. So they check everything. Now, nobody would call that convenient or easy to use, but in a digital environment, we can. So these are the ingredients that we've used for it. We've got an advanced authenticator that lives on the device itself, so you don't have to go find a second device. We store a private key in something called the trusted platform module that's available on all modern hardware. It's where the PIN codes and biometrics that allow you to get into the device are stored. Again, they don't traverse the network. They stay locked in the device, in the TPM. And with the TPM, if you store a private key in there, it can't be moved, it can't be accessed, et cetera.
So it's actually dedicated hardware, part of the device, and you see it on laptops and, candidly, ever since the iPhone 4 came out and we had the fingerprint code. So what we do as a first factor is leverage this possession: I do either a biometric or a strong PIN code login to the device, which proves that I'm allowed to get into the device. And on the back end, we then send an X.509 certificate signed with the private key that's locked in the device. We send that to our cloud environment. Our cloud environment checks that and makes sure that the X.509 certificate that comes across was actually signed with the corresponding private key. And we know that because with public-private key cryptography, we use math to figure that out. And so we're sending something over the network, but we're sending something that, even if it's stolen, doesn't matter.
In addition to sending the certificate, we also package up all that device posture context information, the security checks, and we process that with a policy engine to make sure that the device meets whatever security standard you require for the application or resource that somebody's trying to get to. So, as Martin pointed out, in some cases, if I'm getting to an application that doesn't require a lot of trust, maybe I only run a couple of policies, or maybe none at all and let anything in. But if the application or resource that you're trying to get to is much more critical, then maybe we check a lot of things. I'm not going to go all the way through this flow, but we like to call our MFA invisible because most of the stuff happens behind the scenes.
So what the user sees is that they log into their device and they select an application, the two things in green here on the screen. They log into the device either with the biometric or the PIN code. We have to support both, as all of you know; sometimes, when you reboot your machine or turn your phone on and off, you log back in with the PIN code. Again, that's not the same as a password, because it's stored locally in the device and doesn't traverse the network. And then the user chooses the application. Behind the scenes, and this is a workforce scenario, if the application is federated using single sign-on and SAML, it invokes, for example in our environment, where we're an Okta shop,
so it invokes Okta, and Okta says, hey, wait a minute, Patrick's enrolled in the Beyond Identity thing. I'm not going to make sure it's Patrick; I'm going to send that to Beyond Identity, delegate that to Beyond Identity. They'll look at that and make sure that it's actually an authorized user and device. So our cloud talks back to our authenticator running on the device. We sign that X.509 certificate, the challenge we talked about, we collect that device posture, send it to our cloud, and our cloud checks that and makes sure everything is good. And if it is, it tells the single sign-on system he's okay and lets you log in. We've got scenarios that we can support, not only the workforce scenarios we talked about; I'm just going to go past that slide. We can also support CIAM, or customer identity management, where we would take all of that same technology and typically embed it either into a web application or into a native mobile application. So you can get that same frictionless and unphishable MFA in either the flavor that will work and integrate with your workforce identity environment, or the flavor that will work and integrate with your application and the identity stack that you might have supporting your app. So that's all I had prepared.
Back to our agenda. So we've done three out of four parts of this webinar. Now it's time for our Q&A. We already have a couple of questions that came in, and if you have questions for Patrick or me, I think it's very important to get these questions. I already have one here which I'd like to pick, and this is targeted at Patrick: Patrick, how would onboarding look in a consumer identity scenario for the customer or consumer?
Oh, that's a great question. So there are a couple of things; how to answer this simply. Companies are making a couple of different choices. Very often, when you go to fill out the form, some companies will want to use social logins or social media to try to help fill out some of the forms. Some organizations were actually deferring the login to the social media provider, and a lot of folks are backing away from that; they don't want to entrust the social media guys. But one of the steps in onboarding can be, hey, when filling out the form, I can talk out to the social media provider. But typically the registration is as simple as: I'll give you a web application or a native application example. I download the pizza delivery application or my food delivery application,
and then I also get an email in the inbox. I click the link, and what that activity does is bind that application on the device and send the public key back to our cloud. So that's the registration process. We have to do a binding somehow, and the idea is, if you already have something in place, somebody might log in with their user ID and a password and your existing multi-factor authentication and then select, I want to use the passwordless feature. The application already has the passwordless capability. They get an email that would do the binding, and then subsequent logins are as easy as logging into the device and choosing the application. So it's making both the sign-up for and then the sign-in to the service really simple. There are derivations on that. If it's a web-based application, that's pretty easy as well. You could use that from anywhere; we've just embedded that into the server side.
Okay, great. Maybe before we move to the next question, let's have a look at the results of the first poll we have been running. When we look at these poll results, I think it's not very surprising, in a webinar which is focused on passwordless authentication, that quite a number of attendees say, okay, MFA and passwordless is really one of our most important topics. But it's also, and I think this is the point, zero trust is also something where a lot of people are interested in how to make it really work, how to make it a reality. And I think there's also a decent share of people who are saying, okay, we really need to get beyond what we had in identity management and make it more modern, which also has to do with the type of authentication, with the way we authenticate. So that's just to show you where this poll ended, and then maybe go back from the poll and have a quick look at another question. So maybe one of the other questions is: can you repeat what some of the device security checks you do are?
Oh yeah, that's a great question. So the answer is, we have dozens of them available out of the box, and I'll list a couple, but we worked really hard not to limit that. So any check that you want to do, if you want to check that something's installed or there's a running process, that sort of thing; can you check registry settings, can you check processes running? So it's kind of whatever our customers can conceive of. But right out of the box, the kinds of things that we've got turned on are: is the firewall enabled, for example; if it's a mobile device, is it jailbroken or rooted; is encryption turned on; is the PIN or biometric turned on? It wouldn't be good if I gave everybody easy access to everything
if it was also easy for somebody to get into the device, like if you turned your biometric or PIN off, which happens; people will do that. You do that, leave it in the cab or leave it in a restaurant, somebody picks it up and gets into your stuff. That's no good. So it's just a range of those kinds of things: the operating system version numbers, is it patched, et cetera. And then again, we've done a lot of direct integrations with things like MDM tools. So if one is installed, is the MDM running at the time, are the MDM policies turned on? We can interrogate that. We've also done integrations with EDR tools like CrowdStrike. We can check their zero trust score, or a number of other things. So we don't think we've solved all of it. We think there are other technologies that are out on the endpoint, but on BYOD devices, people don't want to buy an MDM and sometimes are not going to be able to install things on a BYOD device. So whether you've got that stuff installed or not, we can still get all kinds of settings out of that.
Okay. So before we come to an end, we don't have much time left. Maybe we quickly look at poll number two and the results. And I think it's very much in line with other polls we did around this. It's very rare that security budgets and identity budgets decrease these days. We see quite a number of organizations where we have a very significant increase, but also a lot with a lower increase, but five to 20% is not that low, and the rest remains stable. So this is, I think, also very much in sync with what we have observed out of surveys, not polls, on that. So thank you very much for sharing this. And I think in the interest of time, we have quite a couple of other questions open, but I think we're very close to the end of the time.
What I would propose is, Patrick, we hand over these questions to you. Sure. And you can follow up directly and provide a response on these questions to the audience. So thank you very much to everyone for listening to this webinar. Thank you very much, Patrick, for your insights and the discussion, and also to Beyond Identity for supporting this KuppingerCole webinar. Hopefully we see you soon again in one of our webinars, or at the European Identity Conference in Berlin. I hope to have a lot of people there on site, because it's really way more fun to do events on site, and it's a different kind of exchange. So let's meet in Berlin. Thank you.
Absolutely. Take care. Thank you.
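The device-bound, phishing-resistant flow Patrick describes (a key that stays in the device's TPM signs a challenge and ships a posture report; the cloud verifies against the public key bound at enrollment, then applies a per-application policy), as an added Go example written for this page, not Beyond Identity's code. It models the signed X.509 step as a plain ECDSA signature over challenge plus posture, and the type names, the three posture fields and the two-tier policy are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Posture is the device security context sent with the signed challenge (a constructed subset of the talk's checks).
type Posture struct{ ScreenLock, FirewallOn, Jailbroken bool }

// Cloud keeps the public keys bound at enrollment and the outstanding challenges.
type Cloud struct {
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewCloud() *Cloud {
	return &Cloud{keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll is the binding step. The returned key models a TPM-resident private key:
// it stays on the device, and only the public half reaches the cloud.
func (c *Cloud) Enroll(userID string) (*ecdsa.PrivateKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	c.keys[userID] = &k.PublicKey
	return k, nil
}

// NewChallenge issues a fresh nonce that only the bound private key can answer.
func (c *Cloud) NewChallenge(userID string) []byte {
	n := make([]byte, 32)
	rand.Read(n)
	c.pending[userID] = n
	return n
}

// digest ties the posture report to the challenge so neither can be altered in transit.
func digest(challenge []byte, p Posture) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%x|%+v", challenge, p)))
	return sum[:]
}

// Respond runs on the device and signs challenge+posture; the signature can be seen
// on the wire but does not let an observer answer the next challenge.
func Respond(key *ecdsa.PrivateKey, challenge []byte, p Posture) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, digest(challenge, p))
}

// Authenticate consumes the challenge (so a replay fails), verifies the signature
// against the enrolled key, then applies an assumed two-tier posture policy.
func (c *Cloud) Authenticate(userID string, challenge []byte, p Posture, sig []byte, highTrust bool) error {
	pub, want := c.keys[userID], c.pending[userID]
	delete(c.pending, userID)
	if pub == nil || want == nil || !bytes.Equal(want, challenge) {
		return errors.New("unknown user or stale challenge (possible replay)")
	}
	if !ecdsa.VerifyASN1(pub, digest(challenge, p), sig) {
		return errors.New("signature does not match the enrolled device key")
	}
	if !p.ScreenLock || p.Jailbroken {
		return errors.New("baseline posture failed: no PIN/biometric lock, or jailbroken")
	}
	if highTrust && !p.FirewallOn {
		return errors.New("high-trust posture failed: firewall must be enabled")
	}
	return nil
}
```

A replayed signature, a posture report altered in transit, and a signature from a key other than the enrolled one all fail, which is the property the talk calls unphishable.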