Passwordless Authentication: What, Why, and How

Welcome to the webinar, passwordless Authentication. What, why, and How. My name is Alejandro Leal. I'm a research Analyst at Helping Coal, and today I will be joined by Jeff Carpenter, director of Product Marketing at Forge Rock.

Thank you, Jeff for joining me today. I look forward to this webinar and I'm sure we'll have a fruitful conversation. But before we begin, just some important information for the audience. All of you are muted centrally, so there's no need to mute or unmute yourself.

Also, we'll be conducting a few poll questions and we will discuss the results at the very end. And also at the end we'll have AQ and a session so you can enter questions at any time by using the C event control panel.

And yes, we are recording the webinar and the recording as well as the slides will be made available in the coming days. So moving on, here's the agenda for today. I will begin by introducing the topic of passwordless authentication and I will also talk about the leadership compass report on passwordless authentication that we published last year. I think it will be important to talk about how we did the report, what were some of the main questions and things we're looking at, and then I will give the floor to Jeff to continue with the with the webinar.

And at the end we'll have time for questions and answers. So here's the first poll question and it's asking, what is your organization's current stance on Passwordless authentication? Are you considering adoption? Are you in the process of implementing it or has it already been implemented or you are not considering it at all? I encourage you the audience to participate. And then at the end of the webinar we'll be able to discuss the results. So here's the question of all the questions. So what is Passwordless authentication? What's all this hype around passwordless?

Well, passwordless, as we know, is becoming the new normal and passwords are becoming less and less relevant. I'm not gonna spend time talking about why passwords are bad. I think we all know that they are insecure, inconvenient and annoying. So what's the solution out there?

Well, there's passwordless authentication and the way we define it at coping air call, the way it was defined in our leadership, compass was a set of identity verification solutions that essentially remove the password from all aspects of the authentication flow and from the recovery process as well. Of course, there are many different flavors of passwordless and many vendors and individuals have a different understanding of what is passwordless. But I think something important is to talk about what is not passwordless.

And I believe that Jeff might talk about this later on, but essentially PASSWORDLESS certification means strong MFA. It should provide a consistent logging experience across devices. It should cover all systems and applications, and it should ensure that all that passwords and password hashes are no longer traveling across the network. So Passwordless certification can be used on its own or as part of a two FA or MFA strategy, and it's becoming an essential component of zero trust.

On this slide, we have some of the main capabilities that we take a look at when it comes to doing research and evaluating some of these vendors. We believe that most passwordless solutions should cover most of these capabilities, at least a good basic level. And in the report that you can find on our website, the Leadership Compass on passwordless certification, we go more in depth and we provide more capabilities. So we only chose a few, which I believe are quite important when it comes to looking at Passwordless authentication solutions.

So why, why go Passwordless? We often hear about the need to improve security and improve the user experience. So of course, one of the main aspects of password certification is that it improves user experience. It can also potentially save money. You can also avoid fines and penalties due to non-compliance. Password solutions also reduce the number of data breaches and compromise credentials. You can find numerous studies out there that talk about how compromise credentials are usually the main thing that causes data breaches. And that leads me to the next point.

Passwordless authentication solutions increase security. It can also propel organizations to embrace and adopt a zero trust security model, and it also provides innovation. Something that you, you guys will look at later on when I start to talk about the leadership compass, you will see that there are many vendors offering passwordless solutions. And even though they all provide their unique approach to it in one way or another, they are all doing passwordless. And some of them come up with very innovative features. And I believe it's a very, very exciting market to to be in.

Here are some market observations based on our latest research. For example, our Analysts predict that the compound annual growth rate will go up to 31%, leaving the password release certification market to reach $6.6 billion by 2025. When it comes to the competitive landscape, as I mentioned, our research indicates that the market is growing rapidly. Many vendors are offering mature solutions that support millions of users in various industries. And this has yielded a very dynamic and competitive space.

When we talk about adoption, I think the development of standards such as 5 0 2 and web bot are instrumental in driving further adoption. Also, lately we've seen in the news that the integration of passwordless methods such as PAs, keys by companies like Microsoft, apple and Google, is also gonna play a crucial role in the adoption of passwordless solutions. And I believe that Jeff will also talk about past keys at some point.

When we look at the geographical focus, the strongest growth, we find that in North America and in Europe, but we see an increase of adoption also in the apac and to a lesser extent in Latin America. I, I have this section on messaging because when we talk about passwordless, we often hear about this security and convenience, how both increase when you adopt one. But I believe that to effectively communicate the practical benefits that your particular solution brings to the table, you need to find the unique selling points.

And that leads me to the, to the last section here, which is differentiator is key. Passwordless vendors should clearly communicate what sets them apart from other players in the market, whether it's security or user experience or some particular feature. These unique selling points can help you win customers. So the messaging must be clear now how to move forward. How can organizations take advantage of this? Sometimes it, it seems like we, we talk all about the benefits of passwordless, but many people ask, how can we start implementing one?

Well, we believe that the first step should be to identify the needs of your organization, specifically when it comes to security, the user experience that you're looking for, and also the technology stack of your organization. We recommend that following a zero trust security model will prove essential to then select the right password solution for your organization. And then it's all about choosing the appropriate deployment model based on the existing infrastructure of your organization.

Here on this slide, we have some of the prerequisites that from a technical point of view could be important when determining and selecting a passwordless solution. The first one is technical knowledge, which is I think a very important one because many people out there still don't know what passwordless authentication means. When I talk to some of the vendors, they tell me that sometimes they struggle to communicate the message and to, to tell them that these people sometimes struggle to, to convince their board to adopt some solutions like passwordless.

So knowledge and education are important. Also, legacy systems. Many organizations, no matter what size they are, smaller, medium or big, they often still depend on legacy systems. So passwordless vendors must ensure that the trans, the transition will be smooth and secure.

Also, the support of standards is important, as I mentioned earlier, and also selecting the right deployment. So if you're looking for something more agile or a hybrid deployment, it's all about knowing what your organization needs. And then the last thing here is scalability. So by carefully analyzing a password solution that you're interested in, you must know if this solution will be able to scale up and adapt to the business changes of your own organization. Now moving on, we will talk about the leadership compass on password certification.

I will explain the requirements and evaluation criteria that we did, and then I will, I will show the, the way we do at coping call this leadership compass. I will show you the procedure, how it goes more or less, and then I will show the results of last year's lc. But it's important to mention that we are gonna have an update on password certification starting in January or even starting in December of this year. So I expect many, many more vendors to participate in this lc.

I remember the EIC conference we had in May, I had a session on Passwordless and many of the attendees, they were telling me why we are not on that report. And I think many people are very interested in the topic of passwordless, and I believe that the next report is also gonna be very important. So moving on, these are the technical evaluation criteria that we used. So basically we gather hundreds of questions that we send the participants. So the vendors, they go through the questionnaire and then they answer the questions.

And the questions can be more or less, let's say, divided by these seven criteria or let's say seven sections. And based on the questionnaire, we start the evaluation. So for example, we have nine dimensions, we have five here on this slide, and then four on this slide. And by taking a look at these nine dimensions, then we assign ratings to each vendor on security, on functionality, on deployment slash integration, on interoperability, usability, innovation, market ecosystem and financial strength. So what we do is we assign ratings for each of these category.

And the ratings are strong, positive, positive, neutral, and weak. So depending on the questionnaire that we got and based on the briefing that we had with each vendor, then we use all of this information to determine the rating for each of these categories. So by the time we come up with results for the lc, we have four categories of leadership, product market, innovation, and the overall leadership. And this is a summary of, of the procedure. Like I said, we first identify vendors from this market segment, then we send out the questionnaires and we have briefings with them.

And then we evaluate based on the information that we got and we start writing the drafts. Then we have a fact check stage. So we can always have a second call with vendors in case anything was, let's say, not accurate or not, there were some minor Beatles. We can always have a second call with these vendors to adjust whatever we presented in the draft. And then we publish, and you can find our research on our website. So let's show the results of last year's lc. We rated 24 vendors where you can find them on the left side. And then we also have a section of vendors to watch.

So first we'll show the overall leadership in the password release certification market. The overall leadership is the combined view of product innovation and market leadership. And here we see a mix of established vendors, but we also see some small but very innovative companies. We also have product leadership category. And this one is mostly based on the seven criteria that I showed earlier, the account recovery, architecture and deployment, authenticator support, APIs, device trust, IMM support, and scalability. The next category is the one on innovation.

And here for example, we see that some of these small companies score quite high because they specialize in certain features or certain capabilities or use cases, for example. So something that I learned when I did my research was that many of these vendors, they, even though they provide similar solutions, they all have their unique approach and they have their own vision of what password should be. And I think that's quite fascinating. And then in the last category, we have the market one.

So we have some smaller vendors that are targeting mobile operators or they just focus on small and medium enterprises. Other for other vendors focus on highly regulated industries like aerospace or government or finance. So you find a very diverse group of companies. And that leads me to the second poll question, which is, what is the primary driver for your interest in password authentication? Is it about improving security or about user experience or more with regulations and compliance? Or it could also be about cost reduction.

So if you could participate on this poll, that would be awesome. And that leads me to the end of my part of the presentation. So I will give the floor to Jeff and I will be back for q and a. Hello Everyone, Jeff Carpenter here. I've got a bit of a split identity today because ForgeRock and pinging identity are currently in the process of emerging. So I represent both of these organizations today and very good to be here with you. Very gratified to talk about Passwordless because it's always a good day to talk about passwordless.

Now, Alejandro mentioned the KuppingerCole leadership Compass for Passwordless authentication. That's kind of a mouth, a big long mouthful. He mentioned you can go to the KuppingerCole website and look at that. That's true. You can also get that report for free from for drop 'cause we have actually purchased that report from kc. So if you wanted to go to forgerock.com, you can actually download that report, look at how those 24 vendors performed. And pinging and ForgeRock are both gratified to be listed in there as leaders, as overall leaders in that report.

Now, Alejandro covered a lot of ground, thank you for that. We are gonna focus now on the, not the, not necessarily the what and the why 'cause that was covered very well. We are gonna focus on the how, because passwordless authentication perhaps is the hottest topic outside of ai.

You know, everyone wants to talk about ai, everybody wants to talk about password lists. Alejandro, I bet at EIC when you were talking about the password lists, you know your session, I bet it was standing room only because I know everywhere I go, every time I talk about it, people are full of questions and everybody wants to engage on this topic. So what are we talking about here?

And, and you know, what's, what's the ultimate goal of passwordless? And it's really kind of the twin towers of delivering that ultimate seamless and frictionless user experience, whether that user is a customer of yours or whether they're an internal employee. And the other part of this is making sure that it's secure as well. So that all of the things that we've experienced, the, you know, the last 70 years, yes, 70 years, that's whole.

The password is with, with phishing and, and the usability things and users sharing 'em in lockouts, you know that those are supplanted with great security and a, a pathway for users just to get to their applications and get on the network or perform that transaction as quickly as possible. So that's the ultimate goal, the user experience and strong security. And fortunately with the passwordless solutions we have today, we can accomplish that.

So as I mentioned, we're gonna focus on the how of everything here and give you guys some really meaty takeaways that you can use to make the case in your organization to advance the cause in your organization, to create that return on investment that those KPIs, you know, that you can use to advance this project along. I was really heartened, you know, when I saw some of the research there on the, the 31% CAGR growth of passwordless and the way it just hockey sticks next year.

And that dovetails with what we are seeing at ForgeRock and Ping because we see every organization we talk to has now committed IT projects and funding towards passwordless authentication. And what that means, we'll talk about that because, you know, what does a a PASSWORDLESS project look like? And it all starts with this slide right here, because at Fort DRock and pinging, we talk to a broadest, you know, probably the broadest cross section of customers in every industry across the globe. And they say, you know, look, we're, we're looking to get started on this passwordless thing.

Where do we, you know, plant our, our foot on this? And we say the use cases, look at your use cases, and are you trying to do enterprise authentication? In other words, looking at your Intel internal users, the, your contractors, your employees, you know, the people you generally have kind of the most control over from an IT perspective. Are you trying to make their life easier to access their applications and the network remotely to get access to the applications that they use to, to do their job on a daily basis? That's enterprise authentication.

Are you looking to make it easier for your customers or your consumers or your citizens to get access to your solutions? And this is kind of the external facing solutions to your company. In a identity parlance, we call that Siam, CIAM, customer identity and access management.

In this, in this space, what you're looking at is how do you make it very easy for those users to enroll and to get access to what they need from virtually any device so that you don't have things like abandoned shopping carts, lost transactions, user lockouts, things that would negatively and inversely impact your revenue. And then there's also, you know, your mobile applications. And let's not forget, IOT devices have outnumbered users in most organizations by a magnitude of five x for a long time now.

So don't forget those devices as well, because they can be part of that passwordless journey. Most iot devices use either a very simple password or X 5 0 9 certificates, and you can actually, with a lot of iot devices, substitute that with a, a truly passwordless approach that makes it easier to, you know, for those devices to get access. So start here and ask yourself, what are we trying to do? Usually it's those scenarios on the left.

Are we doing enterprise authentication for our employees, making it easier for them to get their applications and making them more productive, lowering our IT costs, things like that. Or are we doing something on the consumer side and, you know, really figure out, you know, we, we like at at four drop and ping, we like to talk to our customers about four different dimensions on KPIs. And those are, you know, things around security, cost savings, productivity and user improvements or user experience and figuring out what those are because they're, they're different for each of these audiences.

So for example, for enterprise authentication, you say, well, what's the cost of our password reset tools and our password synchronization tools? And if we launched on a passwordless project, could we at some point down the road, you know, look at sunset, those solutions for a savings of, you know, 200,000 euros a year.

You know, those are the, the KPIs that you'll want to come to if it's consumer. You wanna look at things like, you know, revenue, abandoned shopping carts, you know, when do users drop out of a a potential transaction? How easy is it for users to enroll?

You know, if I'm at point of sale, you know, maybe I'm, I'm at a store, a restaurant, or you know, out in the world and I want to download your app, your company's app and get access to something, you know, what does that journey look like? Can a user do that in 60 to 120 seconds or less? The passwordless journey is key to answering all that. So in the how category, this is number one, you know, assess those use cases, outcomes and requirements.

Now, shortly behind that is developing an organizational migration strategy because when we talk to organizations about passwordless, there tends to be an all or nothing mentality that goes on there. In other words, all right, we want to go to Passwordless next year. What do we need to do to have all of our users, all of our applications, consumers, enterprise, iot, everything on passwordless?

You know, we say, well, you know, we can get there, but let's, let's take it in, in, you know, in some smaller chunks here. And those smaller steps are represented on the screen here. The first thing we advise is that you not change the user experience very radically.

And this is a, a great message that your application owners, the people that are in charge of, you know, especially on the consumer side, on the revenue side of things, will be very receptive to, because, you know, if, if you have users already enrolled with passwords, why not just add a passwordless factor onto that user experience? And then you don't change what the user sees at login.

So today, if a user is logging in with username and password, you just add, you know, through a, an enrollment, you add the a passwordless factor. So you have username, password, and then the passwordless factor. So that's that first step is add that factor in there. Now you may say, but wait a minute, you said passwordless, there's still passwords there. And that is correct. You know, that's why, you know, Alejandro covered the definition in the what phase of our, our session today, what Passwordless is.

And you know, unlike other terms, maybe like zero trust that had kind of landed and people got that concept very quickly. Passwordless is is one of those things that, you know, doesn't have a, it's a term we're working with, you know, we didn't invent it. It's there, it's in the wild right now and we're just all dealing with it. It's a bit of a misnomer because at least in that first phase, you still have a password there.

But now we move into that second phase into the passwordless experience, and this is where you are setting up your applications or your network access, your logins to your desktops, your mobile applications with the, the initial enrollment doesn't even ask for a password. You know, you can just now take what you're doing in that step one, in that passwordless factor and now just remove that password field.

You know, again, the password is still there, it's in a database now, but you're not passing those hashes back and forth over the network. You're not relying on the shared secret. You have a now a passwordless experience. And when we say passwordless experience, we'll get to what those authentication methods are, but know there that there still is, you know, an improved experience, but a password somewhere there that is oftentimes used in a scenario where a user may be locked out and you need another factor to get back in. That password may be presented there.

And then thirdly, you know, the nirvana state, the complete password list. This is where from beginning to end in that whole workflow, there is no password ever enrolled, ever asked for, ever generated, ever stored. And you are truly going passwordless. And I would say, you know, if you had a little slider, you know, think about where your organization is. Most of the organizations that pinging and ForgeRock deal with are in that passwordless factor very quickly in the next 12 to 18 months.

Moving to that passwordless experience, you know, very few organizations, unless you're very small and you, you know, you're kind of born in the cloud kind of thing, really have that complete passwordless solution because look, you know, we're all in the cybersecurity IT space here. Look at our organizations, they're very complex.

You know, enterprises have hundreds of applications running lots of APIs, lots of different types of users and devices. It's a complex situation, but one that, you know, you can start down that pathway, but just remember the all or nothing thinking doesn't benefit us, doesn't benefit, you know, your organization. Take it in these bite-sized chunks and figure out where you are and how best to move to that next step. Now when we look at the integration requirements, this is really key here. I really like this.

You know, just kind of dovetailing on, on what I was talking about on that last, you know, slide there, the, you know, people ask where are we with passwordless authentication? And I, I like to say that we are at the end of the beginning with passwordless. In other words, you know, two years ago, three years ago, passwordless was a complete fog EV vendors, customers, everybody was just kind of walking through it and, you know, relying a lot on the platform vendors on Apple, Microsoft, Google, you know, and standards like Fido two and web offend optimizing around web and mobile first.

You know, and now we have, I won't say we've matured on that, but we are getting, like I said, to the end of the beginning, standards have been laid down, use cases have been put forward, and organizations are having a lot of success on that. First thing that you see there on the, the very left on this, this slide here where you see manage unmanaged applications, web and mobile.

In fact, apple estimates that the typical user, you know, unlocks their phone in a passwordless fashion 75 times a day. And that's not a surprise to anyone. So we're already u doing passwordless, we're already using it.

You can very likely utilize a lot of the applications, mobile apps you have on your phone using Passwordless to, you know, from start to finish to engage, to, to unlock your phone, to open up and authenticate yourself to the application, to perform a transaction, to do a payment and do it all, you know, using the security of the device, but doing it all in a passwordless manner. But now here's where things get a little more complex.

Look at what happens now when you start moving to the right and Alejandro, you know, he, he brought up the, the KC Carpenter, Cole Leadership Compass for passwordless authentication report. It's a, it's a mouthful, but it's very juicy and there's a lot in there. And one of the things that he mentioned was that vendors have different approaches here and that you should ask your vendor how they differentiate in the passwordless space.

'cause there is a temptation to think that, well, you know, passwordless is just Fido two, you know, Fido is the fast identity online, which is a consortium of vendors who came up with some standards like web auth end to, to basically do passwordless or it's just pass keys, which is, you know, the platform vendors being able to generate, you know, through the, you know, private public key pairs, those private keys, store 'em securely on the device, put 'em in the cloud, push 'em down to other devices on that platform. That's what pass keys are.

But in reality, there's, there are different approaches and differentiations here. And one of 'em is what happens when you start moving to the right and you start getting into all of the hundreds of applications that organizations are, use the devices such as different desktops. So you might say, well, you know, you can go with Microsoft Windows, hello for business, and that works very well for Microsoft desktops. And then once you start getting into Linux desktops, Linux machines, max, you know, does your organization have Max?

Well, 92% of us do. So, you know, once you start getting into those or you start getting into non windows, you know, domain join machines, workstations, servers, you know, those green screen applications that a lot of our organizations still have and mainframes, what about VDI, you know, if you're doing virtual desktop interface, yeah, once you start getting into those password list starts getting really gnarly because a lot of those applications, legacy applications that are, are very old, but still very essential to running.

Our businesses still rely on that pass password field and vendors like Ping and ForgeRock are able to essentially take that password field, secure it, so securely replay a password to that. That's, you know, we can get into the, the details of it, but basically make it like that Fido two experience that you would get if you're logging into your Windows, or sorry, your, your mobile or your web apps and a good passwordless approach will take into account all of this.

Because what we know is, you know, when you start seeing success on that left hand side of the screen with your mobile and your web applications, you'll very soon start to see users saying, why can't I use it for this application? Or I'm rolling out this new application. You'll have your app and your business owners come to you and say, let's put Passwordless on this. And then you're gonna start to see that you need a full approach that encompasses all of these different things.

And what do you need in your organization to start to have passwordless, you know, and we bucket it down to these three different items here. There's authentication methods, access orchestration and app integration. First bucket, there is authentication methods. Your organization is not one set of users. It is very likely dozens and dozens if not hundreds of different types of users, groups of users, different users doing different things, different users that need different security levels.

So for example, CIS admin might need greater passwordless security, then somebody who's just kind of a run of the mill employee. So you're going to need different authentication methods to support different users. And we'll talk about that on the next slide. What those authentication methods are. Access orchestration. So ForgeRock has a, an orchestration tool called Intelligent Authentication, intelligent I access, and there's also pinging Da Vinci.

Now what orchestration is, is it's the ability to design and quickly put into place no code, low code user journeys, and with a click of a button, test those journeys out, another click of a button, put 'em into play. And that's important because in your passwordless journeys, you are going to need to design what hap what if scenarios.

You know, what if a user has lost their phone or they temporarily don't have their phone in front of them, how do we support that user getting access to their applications? What if a user is outside of their cell phone reception, they can't, you know, complete that transaction, you know, on a mobile device, but they're on their desktop, their laptop on a hardware connection.

So, you know, those types of things. Access orchestration is able to support those things. And then finally, app integration. Now back to, you know, access orchestration, that's important because, you know, Alejandro talked about vendors needing to differentiate in this space, and perhaps there's no greater differentiation than the access orchestration. Not all passwords list solutions are web offend FI oh two, you know, a lot of them are like we talked about those, those enterprise applications, those Windows machines and Linux and, and those things.

And you need a comprehensive approach where you can design those user journeys for all those applications and all those users who need access to those applications. For example, one of the ways that like pinging and ForgeRock differentiate there in access orchestration is being able to take those attestation signals that are generated between client and host. So user who wants to get access to an application, you know, we'll send back using that PHY oh two protocol, various signals. It can be like user location and what, you know, browser type you're using, et cetera.

We can actually feed those into our orchestration engine. And then based on that plot out that user journey in different ways to make sure that user gets access very quickly. Or make sure that if there is a another authentication factor required, that we're able to then present that and make sure that user can get access or be potentially be challenged if they need to. We don't like to do that, but security is important here. And then make sure that user, if they need to use another authentication method that they're already enrolled in, make sure that we can utilize that as well.

Let's explore these three things a little more deeply here, because we talk about the capabilities that your organization needs to have to be able to facilitate passwordless. These are really the three things that, that you need to have in place. Authentication methods, as Alejandro said, passwordless as a terminology, as a term really means just, you know, you don't have a shared secret, that's what it means. And you replace that shared secret, you know, increasingly with things that are pass keys, which are, you know, PKI or private, you know, public key pairs.

And in fact, a lot of our organizations, a lot of customers that ForgeRock and pinging talk to, they're actually referring to their projects that they're doing next year in terms of, not passwordless, but we have a pass keys project that we're doing. And I, I think that's interesting and I think it, it, you know, maybe we'll talk about this at the end of today's session, whether we think the term pass keys will eventually replace passwords. I think that's some food for thought.

But when it comes to authentication methods, that's just a sampling that you see across there, you know, from, you know, web auth to onetime passwords, OTP to push notifications, which are probably one of the more popular authentication passwordless, MFA and multifactor authentications that we see out there. But it could be QR code, it could be magic links, you know, and there's varying strengths of these authentication methods as well. And we've known that for a while.

NIST 863, you know, has laid out strength of authentication for a long time. So those are all authentication methods that need to be considered. But it's important to know that, you know, interrogate your users because we, we find healthcare workers or factory line workers, there's a whole different set of authentication methods that those users will have access to or they'll be comfortable using. So you wanna make sure that you have those authentication methods available that you can easily enroll those users and, and use those in their passwordless journeys.

We talk about access orchestration, you know, pinging da Vinci and, and ForgeRock trees or, you know, in intelligent access. And this is the ability, again, this is very specific to those two vendors that we're able to take these signals, put 'em into our orchestration engines, and then shape that user journey in very positive ways. So you can say, Hey, you know, that user has been strongly bound to that device because they authenticated using a pass key. So no further authentication is necessary.

You know, all the signals line up, the risk score is very, very low. You know, it's within acceptable range and have that user sale through on a frictionless experience. And that there's no reason why that frictionless experience can't apply also to the enterprise. You know, with single sign-on and federation, you can give your users access to the vast majority of applications that they need with a simple passwordless authentication applied at the start of their workday.

And finally, on the bottom there, application integrations, like we talked about, that there's a kind of a myopic view of PASSWORDLESS that says, well, it's web and it's mobile applications. That's what we can do passwordless on. But very quickly you will see that this is moving deep into the enterprise because of the benefits that are there.

You know, I mentioned being able to, you know, potentially down the road, disable those very expensive IT tools, you know, the IT help desk that is involved in these daily password resets, you know, password synchronization tools and, and things like that. The, the it, you know, overhead in being able to maintain those things and just providing that simple, elegant, super productive work environment for your users that is also more secure. And that is in that the, the application integrations.

Now, when we talk about supporting passwordless, there's really kind of two different approaches here. You know, the first is that, you know, we talked about this a lot. The Fido web often pass keys approach. This is standards based. It's well known, it's been out there, you know, the Fido web often standard has been around since 2018. Passkey has been around for a while, but it's now been adopted by all of the platform vendors. And the integration efforts on those are, are, you know, very closely reaching maturity stage.

It's well known if you have a mobile app, you know, that you can utilize those platform vendors to help with the, you know, the already, you know, enrolled user, they already have their device, they're already known to that platform vendor. You have an application user can enroll, generate those private keys, which are stored there. Public key can be shared out anywhere. So that approach is, is good, but remember that the, you know, vendors like ForgeRock and pinging, we build on top of that Phyto standard as well.

So it's standard based approach, but it's one that says, Hey, you can take those signals and you can do a lot of different things with them, you know, and then similarly on the right side is now users are coming forward and saying, I want password lists, but not just for mobile and web applications. I want them to be able to log onto my desktop in the morning.

You know, I have a Mac for example. I wanna use Passwordless.

You know, I want that same experience that I have when I'm using mobile apps or I'm on my, my web browser and, you know, providing those as a little more complex. Because what we do here is, you know, here's the, the use case here for supporting enterprises is being able to do that same thing, provide that Fido two experience to users using virtually any type of, of application legacy application.

So what we do is we, you know, the quick summary of it is we take that password field, we intercept that password, we put it into a, a situation where we will lengthen and strengthen that out to almost like a password manager out to, you know, 40 to 70 different characters and shred that password and replay it securely every time that user logs in. So that's nothing that is seen by the user that's behind the scenes, what the user is.

What happens there is that kicks off a Fido two like sequence of events where the user can use their mobile phone and through an app authenticate using their, you know, touch ID face ID to then get access to that application or to do a single sign-on to get access to multiple different applications. So it's a very innovative approach that we're using here and invite you to check it out because enterprise password list is more than just your web and your mobile applications.

It can be virtually anything that you have today and the benefits of it, keeping your users productive, keeping your users happy, and most importantly, lowering the cost on your IT help desk and the tools that you're currently supporting today. And y ForgeRock, and I would extend this also to pinging identity as well, is we talked about today going at your own pace.

Passwordless is a bit of a misnomer in that those passwords are still gonna be there for a while, but they will be, your organization will increasingly use and rely on them less new applications that are rolled out won't even ask users to enroll in a password any longer. It'll be a pass keys world that we're entering there.

You know, I like to use a, a funny analogy, I thought of this one. So if somebody steals it out there, you may have to attribute it to me, but, you know, I let, I, I looked at, you know, the, you know, you, you have people who study the human anatomy, and there is an organ that humans are born with called the appendix. And virtually the only time you hear about the appendix is when somebody needs to have their appendix out, right?

But the, the appendix is an organ that at one point in our evolutionary cycle was important to us, but today, people who study anatomy aren't sure what the appendix was ever used for. They, they really aren't, they really don't know what the appendix was. It was some organ, it did some function at sometime, but we're just, we're just born with it now. And I look forward to, you know, the, the time when a junior IT person starts in an organization and they, they're, you know, they're looking around and you know, they, what's this storage over here for?

And then, and some senior person says, well, that's a, you know, a more, you know, that's our password database. It's encrypted, we have it around, we're not sure what it's used for, we're we just haven't gotten rid of it yet.

You know, so think of it, it's like the, like the appendix, you know, it's there, don't know what it's used for. It's increasingly less important and, you know, eventually we'll be able to get rid of it.

So, but passwordless at your own pace is really important because that, yes, the passwords are gonna be around for a while, but they will become increasingly less important, less used and less of a target for those attackers. Secondly, y ForgeRock is the broad passwordless coverage. We talked about virtually anything that you have today, not just the web and mobile, which is, is kind of what everybody knows Passwordless has right now, but creating that passwordless like experience in those other applications that you have is now possible today. And not every vendor has that.

And also the orchestration, you know, that, that third thing on, on, on the slide here, the no co no code orchestration, being able to quickly design those journeys and you're not hiring developers, you're not having spend, you know, months testing those user journeys. You can create those, put 'em into play and, and change them when the security situation evolves. So that is that. And you know what, we've got some stuff for you. So in addition to the, the KC Leadership Compass for Passwordless authentication, which Alejandro and I both mentioned, it's available on for Rock's website.

Got a couple other resources for you here. The how, we talked a lot about the, the why, the what and the how, the how. Seven steps to Passwordless authentication. If you zap your QR code there, you can get that similarly on the, the FA ForgeRock Pass Experience center. Very cool web app that we have going on there. You can also zap that here or just go out to forgerock.com and take a look at that.

If you're interested in what that passwordless experience looks like, both for your consumers, your, you know, customers or for your internal employees, that experience center is for you in four minutes or less. You can go through the steps and look at what an enrollment, look at what a logon looks like, look at what different authentication methods are, and you can experience what your users could potentially be experiencing at some time in the future. So we have those two things available.

And you know, Alejandro, I gotta tell you, looking forward to our poll results, maybe we have something like that going on. Yeah, that's right.

Well, thank you, Jeff, for sharing your experience and your insights on this topic. Yeah. How about we take a look at the poll results, Look at that. What is your organization's stance on passwordless? That's a good sign, don't you think? I think so.

You know, and I, I think the most interesting thing here is the d you know, the 14% not considering adoption, but since they're on the call today, probably passwordless curious, wouldn't you think That's right? And that was at the beginning of the webinar, so maybe they changed their mind. Let's see. Right. How do we go to the second question? All right, I like this one here.

Yeah, look, look at that. You know, when I see this, first of all, I'm not surprised. Are you surprised Alejandro? I'm not. But I think it depends on the context. Don't you think some might be looking for improve user experience based on the use cases they have?

Yeah, right. Yeah. But you know, here, here's an interesting thing that we found out at ForgeRock, which I don't know, kind of blew our mind a little bit, blew mind, but I, I have a simple mind.

So for passwordless, the, the key driver in the consumer space, in other words, I'm a company, I want to provide that passwordless experience to my customers when they get access to, you know, their accounts or through their mobile app, obviously that one, we expected to be enhanced user experience and that was true, but when we started going to the enterprise, we thought it would be about improving security. And guess what, you know, what we found, we found it was still enhanced user experience.

Okay, For, for the enterprise, which blew our mind because we thought it would be about, you know, first improving security. Secondly, you know, regulatory compliance, which is starting to have a little bit of impact on passwordless. But then thirdly, we thought it'd be about, you know, the user experience and no user experience is, is absolutely paramount even in the enterprise. Absolutely.

Good, good. Now I'll quickly share my screen now and we'll go to the q and a just before that few marketing from my side, we have a new product called KC Open Select and we have Passwordless one, so you can take a look at that and it will facilitate your selection for the right vendor. We'll also have a cyber revolution event coming up next month in Frankfurt. We'll be covering lots of these topics that appear on the screen and yes, the things that we do at kc and you can find more research on the following links. You can take a look at it when, when you get the slides in the coming days.

But how about we take a look at some of the questions, there's a question from the audience and they wanted to ask you, Jeff, the question is, is MP part of Forge Rock's authentication methods? Can you repeat that question? The is what part of, for MP Ming, Like, like the pin codes, the, the audience, are you saying I am interested in M pin authentication? Can we have an explanation regarding forge drugs support?

Yeah, I, I'm not sure about that. I, I would, I would wanna say yes because we can support, you know, almost any authentication method, whether it's our own native, whether it's through, you know, your platform vendor or whether it's, you know, like YubiKey tokens, those Fido, you know, devices. That particular one. I don't wanna say yes because I'm not that familiar with it, but come talk to us is what I would say about that because I, I'm sure there's, there's something or some use case you have for it that, that we could probably support that for. Okay. We have couple more minutes.

So maybe one more, more question someone from the audience is asking, neither of you talk much about managing user experience, communicating change to them. Yes, I think it's critical. Am I overstimulating its importance? You are not. That is very important and thank you for bringing that up. We talked a lot about the technology today, Alejandro, and I think that that, that participant brought up a really good question.

You know, it, it's about people, process and technology and the people element of that is very important. What we're finding out with Passwordless is the user experience. Users are generally receptive to it because they're using it in their personal lives, but you have to look at use cases because somebody on a factory line is not gonna want to pull out their mobile phone or use that in a work environment. I mentioned healthcare workers, their different use cases and what they can and cannot use in different healthcare scenarios and theaters.

So user acceptance testing is very important for Passwordless. And we did talk about, I had that one slide of the authentication methods and we said that, you know, one size doesn't fit all that. You have to look at not just the methods, but how users are getting access today and then change that in different steps.

So today, username and password, can you add a passwordless factor on there as the first thing so you're not disrupting that user, you know, workflow very radically yet, and then move, you know, over to the right to a more complete passwordless solution over a period of, you know, months or years. Good.

Jeff, I think we finished right on time. Awesome.

Yeah, so thank you so much for your time today for sharing all your insights and I look forward to catching up soon. Fantastic, thank you. And thanks to our audience. Goodbye everybody. Goodbye.