Prediction #1 - Passwordless Authentication: Killing the Undead will become Mainstream in 2022

The increased importance of a frictionless user experience as a digital business success factor on the one side, and a big wave of ransomware and similar attacks with user credentials as a main entry point are forcing us to rethink authentication and finally get rid of the password. Interview guests of this session will be KC Analyst Martin Kuppinger, Paul Fisher and Jochen Koehler from HYPR.

I think we all know where this undead term comes from. So I think for no other technology, or for nothing else, I've heard so much "passwords are dead", so this "are dead", than it was for passwords. So I think since I'm in the identity management space, or at least for the last two decades, passwords were declared dead. So why are we finally killing them?
Hello, Martin, first of all, thank you very much for the opportunity and also hello to everybody from my side. Why are we killing passwords? Because passwords are disturbing. If you ask anybody what you hate most on your daily way to work, then it's probably no longer the traffic jam, because nobody drives to any office. It's the password, or actually the passwords, that you have to type in before you're able to access any application and can properly start your work. So passwords are pretty much just the handicap, something in between me and my productivity. And for many years now, we've got used to no longer using passwords, to just use our smart... we look at the smartphone. So many, many things in our daily life are already getting toward getting rid of passwords.
Could argue that that's true for my smartphone. Yes, I use the fingerprint or Salvas use the face recognition. I think these days fingerprint is sometimes more convenient because face recognition doesn't work well when wearing masks. But anyway, the point is, when I look at the other part of my daily life, which is whatever eCommerce or stuff like that, I always have the impression I'm light years behind. Not sure, Paul, how your experiences are here, but every other day, I'm asked to create a new user account with a username and password. So are we really there yet, or will there be so many undead still in 2022?
Well, Martin, I think as usual, the consumer applications, or what consumers experience, is ahead of what we experience in the workplace. I've noticed now, when I want to log onto online banking or my mortgage account or something like that, it increasingly doesn't need a username and password. What it does is send a two factor of some sort. So I wait for a text message that proves out here I am, and that to me feels safer and much more satisfying. And I think that's what we're not having in the corporate workplace. We're still wedded to passwords and usernames.
Yeah, but what I talked about is also, for instance, if I go to a standard, whatever, I go shopping for wine or for other stuff, then most of these sites are still in the username password problem. And I've been there to say that enterprise, we made some progress last year and maybe the last two years or so, but what gives me the hope, Jochen, what gives me the hope that it all gets better and that you're finally there?
Yeah. I mean, first of all, I second what Paul said, and you're also right with your assumption that it's really a long, long journey. So when we say it will become, how did you say, mainstream in 2022, I might even disagree that it's going to become mainstream already. It's going to make a big, big jump in 2022, partly due to the fact that consumers are going to force their employers, due to the reasons that Paul said, that you are more and more getting passwordless access. The other hope, I think, that's just the products that are in the market. There haven't been many products in the market a couple of years ago. And I think there's a very fine line. Also, you need to pay attention between what's really passwordless, and what's just the passwordless user experience. And when you talk about banking or insurances, for example, you're both right. Martin, you said every day you're asked to create a new account with the username and password.
I've recently got an invi..., an insurance asking me to create an account. And they said, yeah, yeah, but it's password free. You can log on without a password. And when I went to their site, I did have to create a password again. Afterwards I could activate, again, my mobile as a kind of a get-around for typing in a password, but that's not what I would call passwordless. That's just making it a bit more comfy for the users. Passwordless really means eliminate the password, not just hide the password. And this is where solution providers only really came up in the last two, three years. Probably the first one to really come up in a broad way was Yubico, the YubiKey that everybody knows, that many users, at least many IT pros, IT security fanatics are using. And I think more and more people like you and I might be using these kind of tools that don't require any password anymore for login situations more and more.
Yeah. And I think that there are two elements we need to look at. The one is what do we use? And the other is what is traveling. And to my definition, passwordless, first of all, means no passwords traveling anymore. So it really means we don't have a username or password being transmitted. We don't have this, whatever, 70 million passwords database that can be hacked and end up in the dark, dark, darknet. It is that we don't have this anymore. And, you know, I always say we never heard about 70 million records of whatever fingerprint data getting hacked, because they are not in a central database. They are not traveling. But what is traveling, I think this is important to understand, is cryptographic information and not the credential itself.
Absolutely. I, Paul,
Go ahead. Y'all can,
I was just gonna say, in PAM, we are seeing moves towards passwordless and certification and just in time, but there is actually still, for some reason, resistance among customers who somehow feel safer with a password, and they like having passwords and they like having a vault. It's a strange thing. Somehow they don't want to let go of that sort of umbilical cord, which seems to them a username and a password is more secure.
I believe it has been well explained, you know, I have to admit, I, at some point that, yeah, but I'm always using the same code onto different device. And they said, yes, then they, to me, yes, because you're entering the same code. And I said, yes, I do it for convenience. But I think the concept that the really important thing of passwordless doesn't have at the front end. Oh yes, it's important because it makes life more convenient. But the really important thing is the things are changing in the back end. It's not this working against the central set of hashes of passwords or stuff like that anymore. It is really that there's no password anymore traveling. And I think when people understand this, also security people, and if we educate them right, then this will lead to a big update, because it also makes it easier to understand why is, and that's what I like with dication, why is passwordless authentication more secure and more convenient? So we are not balancing security and convenience. We are combining security and convenience.
That is absolutely. That is an absolutely strong argument that you're just putting down, that when, I mean, I've been in security for all my life, all my working life, at least. And we are always talking about balancing: the more secure, the less comfortable for a user, always the same thing. And here we are really, we are not balancing anymore. We're combining that. And we can talk a lot about passwords, but I like the term shared secrets as well. If we get rid of the shared secret, so like you said, Martin, there's no central storage, central database storage for lots of passwords anymore. If we take that away, we are simply shifting the economies of an attack. It can't happen anymore. You will still be able to compromise an account, but you have to go after each and every account individually by probably stealing these devices or the crypto keys, kind of doing as if you were me with my face, with my fingerprint.
You can still do that. Nothing's hackable. We all know that for many, for many years now, but it's so much harder for attackers. It was so much easier for them and comfortable to just take a huge database and gaining millions, thousands, whatever passwords. And I think that's an important point, is that when you ask me in the last question, why is the next year or the next years going to be the years for passwordless? It's definitely because of the ever ongoing rise of attacks that are caused by leaked passwords, by stolen passwords, by guessed passwords, even. I mean, it's ridiculous that the most prominent password is still 1, 2, 3, 4, 5, 6. It's, it's can't. And yeah, there are password policies in place, but it's, yeah, it's a war in favor to the, and what the likes of HYPR and other vendors are trying to do with passwordless authentication is to shift these economies of the attack towards, to the favor of the enterprise.
Okay. One final path to you, Jochen: what is your main advice to the users? So to speak, the user sites, when it comes to portray towards passwordless authentication, what do you look at in 2022? What to do in 2022?
It's actually an advice which consists sort of of two advices. The first advice is start your passwordless journey right at the entrance door. If you have a way to do passwordless authentication, not only for a single sign-on provider or for anything in the backend to an application, but if you can do that right at the desktop level, your first step into the network, your first step into the work, actually that is key, because this is where most attacks start as well, on the desktop. So if you are able to get rid of a password there, then it's a very, very strong thing. And the second advice combined with that: don't try to secure passwords with another password. Especially in central Europe, most companies really only introduced multifactor authentication to access cloud applications or VPNs or whatsoever in the last couple of years. And they are mostly password based, shared secret based. So in fact, you're also a PAM system. You access a PAM system from an administrator's access point with maybe a multifactor authentication, but it's normally just another password. So you protect passwords with passwords. That's most important, probably: don't try to protect your passwords just with another password. It's not going to solve the problem. Okay.
Thank you. Thank you. Thank you for taking the time. And I sum up, we believe in passwordless authentication and at least reducing the number of undead significantly in 2022.

