Webinar Recording
It’s Time to Forget Your Password and Settle for Multi-Factor Authentication
The majority of security breaches and attacks can be traced back to stolen and compromised passwords. Mobile devices are often particularly vulnerable because many users tend to avoid long passwords and special characters.
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Good afternoon, ladies and gentlemen, welcome to our and cold webinar. It's time to forget your password and settle for multifactor authentication. How deploying MFA increases safety and convenience alike. This webinar is supported by Navis. The speakers today are Gregory Head of product management at Navis. Part of AVO inform me Martin I'm principle Analyst at a call before we dive into our topic, some quick information about a and some housekeeping information for the webinar. A call delivers a broad variety of services for executives in the area of identity access, cybersecurity, and digital intelligence. Part of that are reports such as the executive views and leadership compass. Our direct interaction with Analyst briefings and inquiries, our UNS such as webinars, conferences, e-learning and meetups, and our direct supporting advisory projects. Our reports include amongst other formats, the leadership compass, which our flagship format, where we compare vendors in certain defined market segments and their offerings, and rate them in a very detailed, very rough way.
It is an essential tool for making decisions about the tools you are choosing. We have our executive view reports, which focus on individual products and give a concise information about these, our advisory notes for more, more detailed background information on a variety of topics and our leadership brief documents with short condensed information, we publish roughly 150 reports a year. So there's always current information you can receive from just have a look at our website in advisory, we have our digital business complex, where we provide support for businesses in strategy development, portfolio management, decision, making such as product selection and guidance for projects. We don't do any implementation work because we are a neutral Analyst, but we support you in identifying your strategy and roadmap your product portfolio and selecting the right product. We also run a series of events. And this year we will have a couple of events in the autumn, such as our digital finance world, which is co-located as sub blockchain enterprise event, our cybersecurity ones in the us and in Europe and our consumer identity events.
We will run in both north America and Europe would be happy to meet you in person at one of these events, for the webinar itself, some background information. So for the audio control, you are usually centrally. We are controlling these features, so you don't need to manage anything yourself. We will do a recording of the webinar and you also will provide a slide text for download, and there will be a Q and a session by the end of the webinar. The more questions we get from you, the more lively this will be. So don't hesitate to enter questions right now. Let's have a look at the agenda for today in the first part, I'll talk about challenges that traditional authentication models face in a world where users have multiple digital identities on different devices. And the second part then Gregory of Navys at Novo will talk about wire transition to MFA services, not only security, but also user experience and why this can hub was reducing cost.
Finally, as I've already said, there will be the Q and a part of this webinar. So let's dive into the topic. And I think it's a good starting point to look at identity in the mind of the consumer. So when we talk about identity and there various types of users, employees, your business partners, your customers, your consumers, when we take the broadest, the consumer, I think it's important to understand what do these people expect today? What is it in the mind of the consumer? And this is something which then applies to a significant extent also to the employee, to the business partner, et cetera. So one thing is people more and more want to have few identities to use, not create an account for every single company they're working with. And they want specifically, consumers have also some freedom in deciding about which identity to use, and they want to have control. They want to have these identities working seamlessly from every device also when they switch to another device. And if there's another, a indicator on that device, they might want to use that. And all this would be easy and simple, but it must be secured privacy and control data become a must for some, and sometimes. So I think there's not a homogeneous thinking about privacy, but a lot of people are very privacy. I find others are less.
So that is something which should work. Then we have the payment and commerce. So for payment and commerce, it's more about that, that this one identity should work well and seamlessly with everything else. So that also should be one of the aspects to look at. There should be a seamless access. So no cumbersome registration, KYC process. It must be must work immediately. It must be work seamlessly. It must work simple. And finally there's more and more demand for, I would call it work life convergence. So there should be a seamless and, and well working way where you can use your own identity in various purposes. So this is the consumer, obviously for the employees, somewhat different, but anyway, it is, we have requirements that are, I would say that that send star contrast to the way we did identity before. And also when we look at how identity evolved over the past years, there a, a long journey from, from user management persistence, where you had accounts, persistence, manual administration, some username password also indication was sometimes rather weak and short passwords back in these days to identity management.
So where it's about. So in the initial days, initial days, synchronizing accounts, a lot of meta directory stuff back then focus on employee identities at some point, the first provisioning workflows, then there's the came the identity Federation to federate with business partners. Standard protocols also used by the cloud for singles and on towards consumer identity management, which is an important topic these days. So how do you manage the identities of your consumers? How do you enable your consumers moving from, from proprietary digital services to central consumer identity management? So the consumer comes more and more into mind. We, we are moving more and more towards something which we see as, as public shared universal identities that can be used in an seamless way in difference scenarios, which are so to speak bigfoots, providing, providing public universal identity providers, established standards for us, educational authorization, shared KYC and stuff like that.
So this, this world is, is continuing to change. And the where, where, where the single enterprise owned identity are about to change. And we are need to be flexible in supporting a broad variety of identities for different types of across different types of, and this becomes even more clear when we look at what is so to speak from an it perspective, the identity management has to solve. So from an it perspective, it is connect everyone to every service. It is having shared identities, shared services, and one thing in between which manages the success. And that means also we need to be more flexible in the way we authenticate move to new approaches here. And that also leads to automatically to the way, how do we authenticate? So what we have consumers, we have partners, we have employees using devices, things, whatever else. And on the other hand, we have the public cloud, we have federated services, we have legacy.
We have different types of identity of ways where these users come in. So from internal directory services to Federation with business partners or specific business partner services, building on identity API platform to bring your own identity, external ID, cetera, we federated to these service or use standard standard singles and on proper priority creation, whatever. And we need to provide services such as access management. So the authentication authorization piece, the administration governance. So administering the user and also constant privacy, more for the consumer. We need a set of services for that. And essential and essential element in that set of services is the way how we bring in the user. So how we either often indicate a user or how we accept something, another identity provider did before and to do that, right. We need a shift in our mindset, a very fundamental shift here, and that is, we need to stop thinking inside out, and we need to start thinking outside in.
So we need to take the customer's perspective. So the, the standard perspective, still what we see in many businesses that the organization thinks about what works best for us. So, so which information do we collect? How should the authentication run? What is the registration process? And so the expectation to the consumer is do what we want you to do. I personally believe that's not a good idea because we need to serve the consumer to so that he becomes a customer, that he leaves his money with our business. We need to change it to, we do what you want to do, what works best for the consumer. And one of the most essential elements in here is really authentication taking the perspective of the user and comes to authentication. And username. Password is one thing here, but it's not the best solution as we all know. So there are, there are masses of options for authentication.
Yes, passwords are there, there are ID cards, fingerprint, face recognition, Iris cans, external devices out of band authentication with pin codes or whatever else passwords are cumbersome. And we all know that passwords are not secure and never will be secure. To be honest, passwords are an element which is still here to stay for a while, but when we want to serve our use as well, we need to look at other options here. And that is where we need to, to move really to a more modern way for authentication. That is, we need also from a security perspective to support multifactor, we need to support different types of authentics. We need to support different types of combinations of authenticators. There are various business requirements to, for moving to modern authentication, which will allow us to balance the ease of use regulation, security policies and the risk.
So, so one is fraud minimization. Obviously, if we have a good, well working authentication, we can reduce fraud. We can understand it's just someone who, or a transaction, for instance, which is likely to be initiated by, by someone who's they're the correct person, or is it not, you know, that from certain online credit card transaction where this happens every quite regularly, it's also about regulatory compliance. So PSD two, for instance, requires strong customer authentication even while the, the, the supervisory authorities in certain countries, such as Germany are still a little lame in enforcing the PST two SCA strong customer, a syndication requirements. It will happen. It is happening and it makes sense.
It needs to be risk appropriate. So friction only even friction is needed. So modern a syndication is not to say, okay, because there might be a high risk. We always put a complex thing in front of that. It is about appropriate. It is about, and I have to say my online banking these days when I have a low volume transaction, I don't need to enter a pin anymore. It's only if the value is above a certain level, sorry, Euro, then I have to enter a pin. So when frictions needed, there's some more friction than no frictions needed. Makes sense.
Also makes sense. Not to always request the strongest, most complex combination of authentication factors, which is annoying to use. It's also about security policy compliance. So corporate policy may specify more than a regular compliance million months. We, we need to be careful with that. We need to be compliance with security policies, but I'm also big friend and saying, review you, we revisit your security policies. I still see a lot of security policies, which say, oh, for access to a certain type of information, you need definitely a two factor informa. You need, you need two factor authentication of that type. There are a couple of mistakes in such a sentence. That one is saying, it must be whatever RSA or whichever other vendor provides. ULE whatever else you can name, all of them. It's wrong to say it must be that one. The world is changing.
There are different devices, different types to indicate you need to be flexible. The second point is you need to be far more granular and you should relate it to the concrete risk, more granular than saying whatever internal information, only with strong authentication. A lot of that is not really sensitive. Some of that might require even more than the standard. Two factor of indication, ease of use better customer experience is generally more and frequent customers. And also users will less try to bypass security and the variety of tech in the field. That's probably the most important thing. There's so much change in that space. And you need to really reflect that. So what are the authentication trends it's getting away from just username password in a combination of mobile support, potentially social login, support, and risk adaptive authentication. So understanding the concrete risk of the current interaction, transaction, the current authentication, instead of doing everything and it's about continues so more frequently checking all that, what is happening here?
And that's also part of multifactor authentication. So the password is at least losing momentum. The mobile in that case becomes a very important element for MFA. So MFA commonly involves the mobile device for biometrics. So the device of dication on whatever your iPhone or your Android phone. So it is the, the something you are part of that it is something you have your device and something, you know, in which form, or which might depend, which might be a pass phrase, which might be something else. And this then leads to various combinations. Mobiles are highly relevant in there. So mobile plus pin mobile plus biometric, and there are variety of options for mobile authentication. If you look at that, so there is the mobile app. You, you can use also things like the secure laugh and at the iOS and other stuff, mobile push notifications. So wait, don't need to swipe to authorize different from the SMS ODP, which I have on the lower left edge, mobile biometrics, and in between there is five, two oh as a set of standards for mobile.
And second factor is an architecture, which allows you to rely on this device authentication as one of the elements in your entire authentication story. So what you really should do is you really should re rethink this and think about what is best. And the simple answer is there's not the best way. What you need to do is saying, okay, my customers and consumers and partners and employees, they want flexibility. Some might need that. Some might prefer that there's this new device. They want to use that. And my CEO comes in with that device and says, he wants to do it that way remain flexible. It's not about the best option. It's about something which works well for everyone. And that is what then enables you as a business to deliver your digital services. That if you take that picture ahead, before all these parties, employees, partners, consumers need to access all these types of services and they need to consume new AI services and whatever else.
And you need to create your services by orchestrating your legacy with AI services, with the cloud. So the consumers print the revenue and data, the partners, the channels, the employees, operations, the services are provided in different ways. They provide data. And then you create your digital services, which are UX and capabilities, but which are also customer identity. And only if you do it right, if you provide right experience, if you move to MFA, then you will be successful. And then it's about saying, this is better. It's more cost effective. It's delivering more revenue. It is more secure. And it is also if done right, significantly more convenient with that. I hand over to Gregory, who right now will talk about more in detail about how to shift, to MFA, how to do it, right. Craig reads your term.
Thank you very much, Martin, for the introduction, as you heard from, from Martin, the, we live in a world of passwords. That is the reality today. And so if you think about how people cope with that, clearly everybody has its own strategy. I am, for example, using a password manager, I have probably 100 or 120 services and, and I use long passwords, but most, most people do not. And for example, a study by Google showed that only one people in 10 use password managers with, with strong passwords. But the reality today is that the passwords are still at the center of today's digital experience. And to be honest, frankly, it's quite a terrible experience. And so in the next couple of slides, I would like you to show why the situation has become really unsustainable today. So we conducted a study in 2018, September, 2018 at a Novo.
The participant group was quite technical. So keep that in mind, for context, even this technical group, 85% said they are too lazy to change password often. So they create maybe a difficult password, but then they stick to it for years. So they prefer not to change it. And 33% said they reuse password for most accounts and honor, frankly, this is a, you know, these are people who should know better. 40% said they, they cannot log in for example, to the bank accounts when they are, you know, traveling because they only have maybe their mobile phone and they don't have their hardware token with them Thea token or the, you know, the, the cab. And, and we can say, therefore that even for experts, passport are, are real pain. And even they indulge in bad habits, even if they are aware of the consequences. And I think if, if you've been long enough in it, you know, that's been around 10 to 15 years where we are really trying to educate the people about, you know, using long passwords and, you know, using long passwords with words that you can remember entire phrases use special symbols.
You know, it's like there, there's always these trends about passwords. The reality is that, you know, situation hasn't improved. And if you look at the list of, you know, of all these password breaches and, and you know that you see the list of all passwords that are used, normally you can see that all of these education hasn't really bought us for what, unfortunately. Now, unfortunately the situation has gotten even worse today because of the rise of mobile usage in mobile authentication. So there is a study from already 2014 from a German university, which studied how the usage of mobile influenced the, the, the password choice. And they found out that users on mobile choose significantly, significantly shorter passwords than on pieces with fewer upper case letter, fewer symbols. And if you think about it, it's, it's clear because you on a mobile, it's more difficult to type, you know, searching for symbols.
You know, you have to switch to another keyboard. So it's, it's really unpractical. And so if, if you think about it, this completely invalidates years of efforts in establishing rules for more difficult passwords, on the other side, you see on the right side, that the, the amount of time spent on, on the mobile is really on the rise. So people spend more and more time accessing and using services on, on their mobile. And, and frankly, passwords are a terrible match for that. So the question is also what about other established multifactor authentication solution? We think that most of those solutions that we, we are using today, still in, for example, for banks, they, they are not really future proof and they have several issues. So how do solutions, if you think about it, most of them are tied to one service. So you have your card reader, but it only works with your bank.
You have maybe an RSA security token, but it only works with your VPN in the office. So it's, it's hardly a solution. If you are trying to access 120 services. The second thing is, is obvious people leave them at home. Nobody's traveling with those things. It's like everybody keeps them somewhere in a draw. Well, and in a mobile world that, that doesn't cut it. The other thing is they are quite expensive for the service provider. So the service provider has to, you know, buy each one of them, either for employees or for consumers. They are logistical difficulties. When you wanna change them, you have to send them, make sure that the right person gets them. They're quite a hassle. So even the service provider would like to find a better solution. One MFA solution has been very successful in the last 10 years, and this is the M 10.
So this is the SMS messages you get on your phone. But today this is absolutely considered insecure. And, you know, it's discouraged from, from, from being used. So I would like to, would I like you to take away as, as a takeaway, passwords are vulnerable, very vulnerable. They are vulnerable on the user side due to human nature, passwords habits are bad and they're becoming worse on mobile. On the provider side, we hear of security breaches every day, password vaults get compromised. They get stolen, you know, companies are exposed and they have, you know, each day in the newspapers. The other thing is this passwords today are inflexible for most of today's requirements. Mobile is the most used platform and passwords are just a bad match. The second thing is that in authentication, and I think Martin mentioned that is you want to, you know, to organize your customer journey around different authentication levels.
Maybe there are some activities you want your customer to do with a weak authentication. And some other with a strong authentication with passwords test becomes difficult. You would have to have a weak password and a hard password. And that would be very cumbersome for, for users to, to use something like that. And also vintage MFA solution suffer, unfortunately from unresolved financial and logistical issues. And so if this is a situation, how do we get out of this? There are many initiatives and ideas about reinventing multifactor authentication for a different world. And I too delivered here to steal for those that remembers a spot from airport from the, the nineties. I think I would like you to think of this new MFA as a sort of MFA for the rest of us. So how does this MFA for the rest of us look like it's first thing is, is very important to remember that this new multifactor authentication solution are trying to reach a much wider audience than the old MFA solution, which we're targeting high security scenarios, like for example, banks.
So this new MFA solution come in many forms. There is not only one. We personally call it intelligent authentication. And from our perspective, it's composed of three concepts. The first concept you can see at the center is what we call passwordless authentication based on smartphone capabilities. I will talk more about this in the next couple of slides. The second concept is what we call adaptive login authentication, where we try to remember if we saw you already coming from a certain device or from a certain location or the combination of both, and then steal the authentication mechanisms based on that, the third concept we call the continuous authentication. And it is about recognizing your user behavior beyond login, checking the health of your device is your device still okay? It's JBO and is there sum banking running on it? So making sure that, you know, your security posture is good and these three concept together from what we see as a sort of new wave of multifactor authentication, that when you mix and match these three concepts and capabilities, it opens up a lot of possibilities to which a much wider audience and cover many more use cases that the old MFA solutions.
So from simple eCommerce transactions to maybe high security crypto finance transactions. So let's start with passwordless authentication. What do we mean with that? As a caveat, there are several variants of passwordless authentication. I would like here to focus on one, which I think is quite widespreaded. Most people have already seen one form on and another, the idea is that you log in on a webpage with just a user idea or an email and no password anymore. And then you get maybe a push notification on your smartphone, and you approve that as a, for a second factor on, on the phone. So how is such a solution base is based on a smartphone, something you have the idea here is that your phone is registered as a second factor device with the service. And only that exact phone can be used as a second factor. It leverages smartphone, biometric capabilities.
That is something I am. And the idea here is that when you get that identification, you give a clear gesture or action from your side for intentionally approving the login. Sometimes you can see simpler scenarios. You can also see just a yes or no button. You don't need necessarily the biometric capabilities. What this solution strive for is simplicity of use for the end user and at the same time, a much higher security than passwords. And there's a last point. It's not to be underestimating above in consumer scenarios. When you have millions of consumers is significant reduction of costs and risks for the service providers. So why you might be willing to send out, you know, security keys like UBIs or Titan keys to your employees, maybe to thousands of people. This is hardly what a company with tens of millions of, you know, of consumer would like to do.
And so I would like to spend a couple of words on how biometrics fits into this passwordless approach in our study, which I mentioned in, in our first slide last year, we also asked the users about, you know, availability of biometric capabilities in the devices. And 92% of the people interviewed, said they have biometric in some form in their smartphone. We also asked them if they used biometric. And the last study that we did was in 2016, and it was two years before. And the use of biometric jumped just really doubled and jumped from 33 to 66%. And this is also confirmed in multiple studies. As more people possess smartphones with these biometric capabilities, and they also get more experience using them. They seem to grow really confidence in these techniques. And this really drives adoption of these techniques. Also, we ask which type of biometric capabilities they use.
And by wide by wide margin, the fingerprint reader is the most successful capabilities at the moment. So all others, including fashion recognition was, were really distant containers that might change with more usage of face ID on, on iPhones. But this is still to be, to be seen now biometrics above all in central Europe and in that region sometimes generates a certain suspicion in terms of privacy. So I would like to the next slide to give you an overview of how that is used in a typical passwordless authentication use case. And I would like here to take the Fido case like Fido is the first identity online Alliance standard. Our solution is based on this Fido standard, which Martin mentioned the key piece of information here that I would like you to, to keep is that new biomes never leaves the device. So the provider of the service you authenticating to never ever gets any biometrics information about you.
So when you want to access a service, you register your smartphone with the service provider as a second factor, your smartphone then generates keeper, a private public keeper, and the provider only has the, the public key. So the secret key stays in your trusted end cloud on your phone and never leaves that trusted end cloud. So what happens when you authenticate now? So authentication becomes a two-step process. The first step is where you as a user are using your smartphone capabilities, biomeds capabilities to show to the phone that you are the rightful owner, and you are unlocking the trusted platform module on the trusted end cloud on that phone, where the secret key is stored. Then the SI the phone can use that secret key, that private key to authenticate and to show to the service provider that you are the legitimate owner, and this solution elegantly solves on one side, the password breach problem, because now as a company, if you get the service provider, if you get breached and hacker steals your, the public keys of your users, while he cannot do absolutely nothing with them. And also it also makes life difficult for an attacker, because it doesn't only have to steal your biometric characteristics like your fingerprint, or maybe a photo of you, because that is useless without the private key. So you really need to have both. And that eliminates a huge class of remote attacks, which are, you know, the main cause of breaches breaches today.
I would like to spend some words on adaptive login. This is the second concept of the new MFK wave. So how does this work? Normally you log on a page and the service Porwal would register or would detect if you from logging in, from Firefox or with Chrome on a windows device or on a Linux device, it would look another IP address and say, okay, his IP address is from burn and Switzerland. I've seen the guys from there several time, and then it would keep a sort of database of combination that have already been seen. And then depending on having you already seen in that combination, he would then decide, as Martin explained, would, would have like a, a risk evaluation and saying how sure I, I am based on those factors that this is the right person while maybe I'm not so sure. So I prefer to do a step up to a second factor, or maybe, you know, this activity, the user is going to do weak authentication is enough. And therefore adaptive login is enough to just let him, you know, perform the, the action. So putting something in a cart or seeing the list of things you have maybe or not, and then a step up would only happen when you want to, you know, pay that card. You want to, to do a checkout.
Another concept, the third concept is, is less known and we call it continuous authentication. This is sort of a passive authentication technique that applies after the initial login. And the idea is that while you interact with the service, each one of your interaction is analyzed for so-called indicators of attack. So the service provider would check constantly that for example, there is no banking ions that has activated itself after the login happened. There are banking to that, behave like that. They are very stealthy until you log in and then they become active. It would look for example, if you are trying to authenticate from an infected or compromise device. So some banking application do not allow to be used on, on jail block device because their risk insecurity, people decide that, you know, they don't wanna take this risk to run an application. We should be highly secure on a jail block device.
Another case could be, for example, we had several cases in banking in, in Europe of, you know, where you get your Q codes to register. Your second factor sent home. Also, when you ask for a visa maybe of your second, second factor device, and those Q codes maybe get stolen. And so someone could steal this square code and try to, you know, his phone as a second, second factor, but then there are techniques, like for example, behavioral biometrics, we would look at how you type how you use your phone, how you swipe your phone. And with those techniques, you would be able to detect that it's not the same person trying to, to use the service and maybe you would block a suspicious payment. And so the idea is that the authentication technologies would check every high value interaction continually. So this solution today are more adopted in, in banks and high security, but we expect those to expand to many more use cases in the near future.
So what are the takeaways today? You can really offer security and convenience to use customers by replacing passwords with modern MFA techniques. The second takeaway is leverage smartphones. Smartphones are the modern tokens. Users always have them on them. They are secure with their trusted end clouds, many second factor solution only work on smartphone with trusted end clouds. And that makes them very secure. Passive authentication factors can increase security without impacting user user experience, evaluate them for your business case. It's really a question of what is your business case and do they fit into what you are trying to achieve with your customers? And also start to think about authentication, not only at something you do at login, but more along the whole customer journey. So think about, you know, when the customer interacts with your services, where does he really need to be strongly authenticated and where maybe just the weak authentication is more than enough because maybe user experiences is to be higher to rate it much higher. So thank you very much for your time and attention. And that's all for my side, Martin.
Thank you, Gregory. So I'll hand the screen sharing back to me and let's directly go into the Q and a session. I already have a couple of questions here. So the first questions we want to target a large consumer group, some may have for smartphone, some may not, or some may prefer to use smartphone, some not are, are you also supporting secure passwordless solutions for non smartphone users?
So I think that, that, that's an interesting, an interesting case in the sense that it's, it's, it's interesting because it's, it happens in, in, in many businesses where you reach a wide audience. Like, for example, if you you're a bank and you need to reach everybody in the country, you have people also that don't have smartphones. The only thing there I think is that you need as an authentication service to have something which is, you know, like not only widely available, but also being able to cover many more cases. So in that case, for example, our, our solution can cover a classical MFA where you can send out tokens, you can send out great list, you can send out a lot of different, different possibilities. You can also think about continuous authentication, behavioral authentication to be used as a, as a replacement. I think there, the big question is what is the acceptance by the users? So if you have some, some people are suspicious of things they cannot feel in touch and see. And so maybe for those people, it's better to still have, for example, an authenticate or solution with an OTP, which is not really passwordless in that sense, but it could go a little bit in, into that direction. So I would say to go back to what Martin said at the beginning, you need a service that has a lot of flexibility and can cover all bases.
Okay. And that is actually what you provide.
Yes.
Okay. So the second question might be a little bit more complex. Did attendee is asking, so we looked into 5 0 2 and saw that there are certain use cases where it's not supported yet. So like safari on the iPhone. So, so do you have experience on, on where to rely on 5 0 2 and where, where you come to limits?
Yes. So, so that's why two years ago, when we started building our passwordless solution, we decided not to implement in a first phase 5 0 2, but rely on the five UAF standard, which is a couple of years older, which has been Ajo to I F 1.1, because we could see already that apple wasn't completely on board. And we as a solution, we, we really need, for example, in Switzerland, 50% of users have iOS. So our solution that doesn't support iOS is out of questions. So we were probably very careful in choosing our standard. And so our standard, which is based on PHY UF functions perfectly on safari. So if function perfectly on iOS devices and on Android devices. So we were a little bit lucky, but we were also a little bit cautious and that helped us in our decision.
So, so, and, and of today, do you support fighter tutor as well or
So we are planning to support it, but because we are, we are focused raise focused on consumer use cases like for, for big banks and for big insurances for us until apple supports it for us, it's on the back burner. So we are completely, we need a solution and this is UF that, that supports iOS completely.
Okay. Got it. What is the device fingerprint based on?
Okay. Very this, so device fingerprinting is like a black art, I think, but I would have to have to ask our, our specialist that is based on a library called fingerprint to JS for creating the fingerprinting and for, for the location instead is based on special databases of IP addresses. And in the future, we are looking into maybe using information that is available on the smartphone about location, because the smartphone says even better location information, then, you know, just IP addresses of locations.
Okay. Got it. Which device is in Nevis access app run. Is it an Android and iOS?
It's Android and iOS today? Yes.
Okay.
And it only works on devices with the trusted and cloud and it's, we, we work together with a company called axon. So all of our solutions are hardened by this axon solution. And, and so, you know, we want to achieve very, very high standards. As I said, our typical industry is banking and insurance. So it's, it's hardened against attacks on the mobile, you know, external attacks being to, or, you know, compromised libraries and so on.
Okay. So it looks already like we don't have further questions. So if there are no questions popping in right now, then we are at the end of today's webinar. Thank you very much to you Gregory for your insights provided thank you to all the attendees for listening to this call webinar. Hope to have you soon again at one of our webinars or see you at one of our onsite events in the autumn of this year. Thank you very much.
Thank you, Martin.
It is an essential tool for making decisions about the tools you are choosing. We have our executive view reports, which focus on individual products and give a concise information about these, our advisory notes for more, more detailed background information on a variety of topics and our leadership brief documents with short condensed information, we publish roughly 150 reports a year. So there's always current information you can receive from just have a look at our website in advisory, we have our digital business complex, where we provide support for businesses in strategy development, portfolio management, decision, making such as product selection and guidance for projects. We don't do any implementation work because we are a neutral Analyst, but we support you in identifying your strategy and roadmap your product portfolio and selecting the right product. We also run a series of events. And this year we will have a couple of events in the autumn, such as our digital finance world, which is co-located as sub blockchain enterprise event, our cybersecurity ones in the us and in Europe and our consumer identity events.
We will run in both north America and Europe would be happy to meet you in person at one of these events, for the webinar itself, some background information. So for the audio control, you are usually centrally. We are controlling these features, so you don't need to manage anything yourself. We will do a recording of the webinar and you also will provide a slide text for download, and there will be a Q and a session by the end of the webinar. The more questions we get from you, the more lively this will be. So don't hesitate to enter questions right now. Let's have a look at the agenda for today in the first part, I'll talk about challenges that traditional authentication models face in a world where users have multiple digital identities on different devices. And the second part then Gregory of Navys at Novo will talk about wire transition to MFA services, not only security, but also user experience and why this can hub was reducing cost.
Finally, as I've already said, there will be the Q and a part of this webinar. So let's dive into the topic. And I think it's a good starting point to look at identity in the mind of the consumer. So when we talk about identity and there various types of users, employees, your business partners, your customers, your consumers, when we take the broadest, the consumer, I think it's important to understand what do these people expect today? What is it in the mind of the consumer? And this is something which then applies to a significant extent also to the employee, to the business partner, et cetera. So one thing is people more and more want to have few identities to use, not create an account for every single company they're working with. And they want specifically, consumers have also some freedom in deciding about which identity to use, and they want to have control. They want to have these identities working seamlessly from every device also when they switch to another device. And if there's another, a indicator on that device, they might want to use that. And all this would be easy and simple, but it must be secured privacy and control data become a must for some, and sometimes. So I think there's not a homogeneous thinking about privacy, but a lot of people are very privacy. I find others are less.
So that is something which should work. Then we have the payment and commerce. So for payment and commerce, it's more about that, that this one identity should work well and seamlessly with everything else. So that also should be one of the aspects to look at. There should be a seamless access. So no cumbersome registration, KYC process. It must be must work immediately. It must be work seamlessly. It must work simple. And finally there's more and more demand for, I would call it work life convergence. So there should be a seamless and, and well working way where you can use your own identity in various purposes. So this is the consumer, obviously for the employees, somewhat different, but anyway, it is, we have requirements that are, I would say that that send star contrast to the way we did identity before. And also when we look at how identity evolved over the past years, there a, a long journey from, from user management persistence, where you had accounts, persistence, manual administration, some username password also indication was sometimes rather weak and short passwords back in these days to identity management.
So where it's about. So in the initial days, initial days, synchronizing accounts, a lot of meta directory stuff back then focus on employee identities at some point, the first provisioning workflows, then there's the came the identity Federation to federate with business partners. Standard protocols also used by the cloud for singles and on towards consumer identity management, which is an important topic these days. So how do you manage the identities of your consumers? How do you enable your consumers moving from, from proprietary digital services to central consumer identity management? So the consumer comes more and more into mind. We, we are moving more and more towards something which we see as, as public shared universal identities that can be used in an seamless way in difference scenarios, which are so to speak bigfoots, providing, providing public universal identity providers, established standards for us, educational authorization, shared KYC and stuff like that.
So this, this world is, is continuing to change. And the where, where, where the single enterprise owned identity are about to change. And we are need to be flexible in supporting a broad variety of identities for different types of across different types of, and this becomes even more clear when we look at what is so to speak from an it perspective, the identity management has to solve. So from an it perspective, it is connect everyone to every service. It is having shared identities, shared services, and one thing in between which manages the success. And that means also we need to be more flexible in the way we authenticate move to new approaches here. And that also leads to automatically to the way, how do we authenticate? So what we have consumers, we have partners, we have employees using devices, things, whatever else. And on the other hand, we have the public cloud, we have federated services, we have legacy.
We have different types of identity of ways where these users come in. So from internal directory services to Federation with business partners or specific business partner services, building on identity API platform to bring your own identity, external ID, cetera, we federated to these service or use standard standard singles and on proper priority creation, whatever. And we need to provide services such as access management. So the authentication authorization piece, the administration governance. So administering the user and also constant privacy, more for the consumer. We need a set of services for that. And essential and essential element in that set of services is the way how we bring in the user. So how we either often indicate a user or how we accept something, another identity provider did before and to do that, right. We need a shift in our mindset, a very fundamental shift here, and that is, we need to stop thinking inside out, and we need to start thinking outside in.
So we need to take the customer's perspective. So the, the standard perspective, still what we see in many businesses that the organization thinks about what works best for us. So, so which information do we collect? How should the authentication run? What is the registration process? And so the expectation to the consumer is do what we want you to do. I personally believe that's not a good idea because we need to serve the consumer to so that he becomes a customer, that he leaves his money with our business. We need to change it to, we do what you want to do, what works best for the consumer. And one of the most essential elements in here is really authentication taking the perspective of the user and comes to authentication. And username. Password is one thing here, but it's not the best solution as we all know. So there are, there are masses of options for authentication.
Yes, passwords are there, there are ID cards, fingerprint, face recognition, Iris cans, external devices out of band authentication with pin codes or whatever else passwords are cumbersome. And we all know that passwords are not secure and never will be secure. To be honest, passwords are an element which is still here to stay for a while, but when we want to serve our use as well, we need to look at other options here. And that is where we need to, to move really to a more modern way for authentication. That is, we need also from a security perspective to support multifactor, we need to support different types of authentics. We need to support different types of combinations of authenticators. There are various business requirements to, for moving to modern authentication, which will allow us to balance the ease of use regulation, security policies and the risk.
So, so one is fraud minimization. Obviously, if we have a good, well working authentication, we can reduce fraud. We can understand it's just someone who, or a transaction, for instance, which is likely to be initiated by, by someone who's they're the correct person, or is it not, you know, that from certain online credit card transaction where this happens every quite regularly, it's also about regulatory compliance. So PSD two, for instance, requires strong customer authentication even while the, the, the supervisory authorities in certain countries, such as Germany are still a little lame in enforcing the PST two SCA strong customer, a syndication requirements. It will happen. It is happening and it makes sense.
It needs to be risk appropriate. So friction only even friction is needed. So modern a syndication is not to say, okay, because there might be a high risk. We always put a complex thing in front of that. It is about appropriate. It is about, and I have to say my online banking these days when I have a low volume transaction, I don't need to enter a pin anymore. It's only if the value is above a certain level, sorry, Euro, then I have to enter a pin. So when frictions needed, there's some more friction than no frictions needed. Makes sense.
Also makes sense. Not to always request the strongest, most complex combination of authentication factors, which is annoying to use. It's also about security policy compliance. So corporate policy may specify more than a regular compliance million months. We, we need to be careful with that. We need to be compliance with security policies, but I'm also big friend and saying, review you, we revisit your security policies. I still see a lot of security policies, which say, oh, for access to a certain type of information, you need definitely a two factor informa. You need, you need two factor authentication of that type. There are a couple of mistakes in such a sentence. That one is saying, it must be whatever RSA or whichever other vendor provides. ULE whatever else you can name, all of them. It's wrong to say it must be that one. The world is changing.
There are different devices, different types to indicate you need to be flexible. The second point is you need to be far more granular and you should relate it to the concrete risk, more granular than saying whatever internal information, only with strong authentication. A lot of that is not really sensitive. Some of that might require even more than the standard. Two factor of indication, ease of use better customer experience is generally more and frequent customers. And also users will less try to bypass security and the variety of tech in the field. That's probably the most important thing. There's so much change in that space. And you need to really reflect that. So what are the authentication trends it's getting away from just username password in a combination of mobile support, potentially social login, support, and risk adaptive authentication. So understanding the concrete risk of the current interaction, transaction, the current authentication, instead of doing everything and it's about continues so more frequently checking all that, what is happening here?
And that's also part of multifactor authentication. So the password is at least losing momentum. The mobile in that case becomes a very important element for MFA. So MFA commonly involves the mobile device for biometrics. So the device of dication on whatever your iPhone or your Android phone. So it is the, the something you are part of that it is something you have your device and something, you know, in which form, or which might depend, which might be a pass phrase, which might be something else. And this then leads to various combinations. Mobiles are highly relevant in there. So mobile plus pin mobile plus biometric, and there are variety of options for mobile authentication. If you look at that, so there is the mobile app. You, you can use also things like the secure laugh and at the iOS and other stuff, mobile push notifications. So wait, don't need to swipe to authorize different from the SMS ODP, which I have on the lower left edge, mobile biometrics, and in between there is five, two oh as a set of standards for mobile.
And second factor is an architecture, which allows you to rely on this device authentication as one of the elements in your entire authentication story. So what you really should do is you really should re rethink this and think about what is best. And the simple answer is there's not the best way. What you need to do is saying, okay, my customers and consumers and partners and employees, they want flexibility. Some might need that. Some might prefer that there's this new device. They want to use that. And my CEO comes in with that device and says, he wants to do it that way remain flexible. It's not about the best option. It's about something which works well for everyone. And that is what then enables you as a business to deliver your digital services. That if you take that picture ahead, before all these parties, employees, partners, consumers need to access all these types of services and they need to consume new AI services and whatever else.
And you need to create your services by orchestrating your legacy with AI services, with the cloud. So the consumers print the revenue and data, the partners, the channels, the employees, operations, the services are provided in different ways. They provide data. And then you create your digital services, which are UX and capabilities, but which are also customer identity. And only if you do it right, if you provide right experience, if you move to MFA, then you will be successful. And then it's about saying, this is better. It's more cost effective. It's delivering more revenue. It is more secure. And it is also if done right, significantly more convenient with that. I hand over to Gregory, who right now will talk about more in detail about how to shift, to MFA, how to do it, right. Craig reads your term.
Thank you very much, Martin, for the introduction, as you heard from, from Martin, the, we live in a world of passwords. That is the reality today. And so if you think about how people cope with that, clearly everybody has its own strategy. I am, for example, using a password manager, I have probably 100 or 120 services and, and I use long passwords, but most, most people do not. And for example, a study by Google showed that only one people in 10 use password managers with, with strong passwords. But the reality today is that the passwords are still at the center of today's digital experience. And to be honest, frankly, it's quite a terrible experience. And so in the next couple of slides, I would like you to show why the situation has become really unsustainable today. So we conducted a study in 2018, September, 2018 at a Novo.
The participant group was quite technical. So keep that in mind, for context, even this technical group, 85% said they are too lazy to change password often. So they create maybe a difficult password, but then they stick to it for years. So they prefer not to change it. And 33% said they reuse password for most accounts and honor, frankly, this is a, you know, these are people who should know better. 40% said they, they cannot log in for example, to the bank accounts when they are, you know, traveling because they only have maybe their mobile phone and they don't have their hardware token with them Thea token or the, you know, the, the cab. And, and we can say, therefore that even for experts, passport are, are real pain. And even they indulge in bad habits, even if they are aware of the consequences. And I think if, if you've been long enough in it, you know, that's been around 10 to 15 years where we are really trying to educate the people about, you know, using long passwords and, you know, using long passwords with words that you can remember entire phrases use special symbols.
You know, it's like there, there's always these trends about passwords. The reality is that, you know, situation hasn't improved. And if you look at the list of, you know, of all these password breaches and, and you know that you see the list of all passwords that are used, normally you can see that all of these education hasn't really bought us for what, unfortunately. Now, unfortunately the situation has gotten even worse today because of the rise of mobile usage in mobile authentication. So there is a study from already 2014 from a German university, which studied how the usage of mobile influenced the, the, the password choice. And they found out that users on mobile choose significantly, significantly shorter passwords than on pieces with fewer upper case letter, fewer symbols. And if you think about it, it's, it's clear because you on a mobile, it's more difficult to type, you know, searching for symbols.
You know, you have to switch to another keyboard. So it's, it's really unpractical. And so if, if you think about it, this completely invalidates years of efforts in establishing rules for more difficult passwords, on the other side, you see on the right side, that the, the amount of time spent on, on the mobile is really on the rise. So people spend more and more time accessing and using services on, on their mobile. And, and frankly, passwords are a terrible match for that. So the question is also what about other established multifactor authentication solution? We think that most of those solutions that we, we are using today, still in, for example, for banks, they, they are not really future proof and they have several issues. So how do solutions, if you think about it, most of them are tied to one service. So you have your card reader, but it only works with your bank.
You have maybe an RSA security token, but it only works with your VPN in the office. So it's, it's hardly a solution. If you are trying to access 120 services. The second thing is, is obvious people leave them at home. Nobody's traveling with those things. It's like everybody keeps them somewhere in a draw. Well, and in a mobile world that, that doesn't cut it. The other thing is they are quite expensive for the service provider. So the service provider has to, you know, buy each one of them, either for employees or for consumers. They are logistical difficulties. When you wanna change them, you have to send them, make sure that the right person gets them. They're quite a hassle. So even the service provider would like to find a better solution. One MFA solution has been very successful in the last 10 years, and this is the M 10.
So this is the SMS messages you get on your phone. But today this is absolutely considered insecure. And, you know, it's discouraged from, from, from being used. So I would like to, would I like you to take away as, as a takeaway, passwords are vulnerable, very vulnerable. They are vulnerable on the user side due to human nature, passwords habits are bad and they're becoming worse on mobile. On the provider side, we hear of security breaches every day, password vaults get compromised. They get stolen, you know, companies are exposed and they have, you know, each day in the newspapers. The other thing is this passwords today are inflexible for most of today's requirements. Mobile is the most used platform and passwords are just a bad match. The second thing is that in authentication, and I think Martin mentioned that is you want to, you know, to organize your customer journey around different authentication levels.
Maybe there are some activities you want your customer to do with a weak authentication. And some other with a strong authentication with passwords test becomes difficult. You would have to have a weak password and a hard password. And that would be very cumbersome for, for users to, to use something like that. And also vintage MFA solution suffer, unfortunately from unresolved financial and logistical issues. And so if this is a situation, how do we get out of this? There are many initiatives and ideas about reinventing multifactor authentication for a different world. And I too delivered here to steal for those that remembers a spot from airport from the, the nineties. I think I would like you to think of this new MFA as a sort of MFA for the rest of us. So how does this MFA for the rest of us look like it's first thing is, is very important to remember that this new multifactor authentication solution are trying to reach a much wider audience than the old MFA solution, which we're targeting high security scenarios, like for example, banks.
So this new MFA solution come in many forms. There is not only one. We personally call it intelligent authentication. And from our perspective, it's composed of three concepts. The first concept you can see at the center is what we call passwordless authentication based on smartphone capabilities. I will talk more about this in the next couple of slides. The second concept is what we call adaptive login authentication, where we try to remember if we saw you already coming from a certain device or from a certain location or the combination of both, and then steal the authentication mechanisms based on that, the third concept we call the continuous authentication. And it is about recognizing your user behavior beyond login, checking the health of your device is your device still okay? It's JBO and is there sum banking running on it? So making sure that, you know, your security posture is good and these three concept together from what we see as a sort of new wave of multifactor authentication, that when you mix and match these three concepts and capabilities, it opens up a lot of possibilities to which a much wider audience and cover many more use cases that the old MFA solutions.
So from simple eCommerce transactions to maybe high security crypto finance transactions. So let's start with passwordless authentication. What do we mean with that? As a caveat, there are several variants of passwordless authentication. I would like here to focus on one, which I think is quite widespreaded. Most people have already seen one form on and another, the idea is that you log in on a webpage with just a user idea or an email and no password anymore. And then you get maybe a push notification on your smartphone, and you approve that as a, for a second factor on, on the phone. So how is such a solution base is based on a smartphone, something you have the idea here is that your phone is registered as a second factor device with the service. And only that exact phone can be used as a second factor. It leverages smartphone, biometric capabilities.
That is something I am. And the idea here is that when you get that identification, you give a clear gesture or action from your side for intentionally approving the login. Sometimes you can see simpler scenarios. You can also see just a yes or no button. You don't need necessarily the biometric capabilities. What this solution strive for is simplicity of use for the end user and at the same time, a much higher security than passwords. And there's a last point. It's not to be underestimating above in consumer scenarios. When you have millions of consumers is significant reduction of costs and risks for the service providers. So why you might be willing to send out, you know, security keys like UBIs or Titan keys to your employees, maybe to thousands of people. This is hardly what a company with tens of millions of, you know, of consumer would like to do.
And so I would like to spend a couple of words on how biometrics fits into this passwordless approach in our study, which I mentioned in, in our first slide last year, we also asked the users about, you know, availability of biometric capabilities in the devices. And 92% of the people interviewed, said they have biometric in some form in their smartphone. We also asked them if they used biometric. And the last study that we did was in 2016, and it was two years before. And the use of biometric jumped just really doubled and jumped from 33 to 66%. And this is also confirmed in multiple studies. As more people possess smartphones with these biometric capabilities, and they also get more experience using them. They seem to grow really confidence in these techniques. And this really drives adoption of these techniques. Also, we ask which type of biometric capabilities they use.
And by wide by wide margin, the fingerprint reader is the most successful capabilities at the moment. So all others, including fashion recognition was, were really distant containers that might change with more usage of face ID on, on iPhones. But this is still to be, to be seen now biometrics above all in central Europe and in that region sometimes generates a certain suspicion in terms of privacy. So I would like to the next slide to give you an overview of how that is used in a typical passwordless authentication use case. And I would like here to take the Fido case like Fido is the first identity online Alliance standard. Our solution is based on this Fido standard, which Martin mentioned the key piece of information here that I would like you to, to keep is that new biomes never leaves the device. So the provider of the service you authenticating to never ever gets any biometrics information about you.
So when you want to access a service, you register your smartphone with the service provider as a second factor, your smartphone then generates keeper, a private public keeper, and the provider only has the, the public key. So the secret key stays in your trusted end cloud on your phone and never leaves that trusted end cloud. So what happens when you authenticate now? So authentication becomes a two-step process. The first step is where you as a user are using your smartphone capabilities, biomeds capabilities to show to the phone that you are the rightful owner, and you are unlocking the trusted platform module on the trusted end cloud on that phone, where the secret key is stored. Then the SI the phone can use that secret key, that private key to authenticate and to show to the service provider that you are the legitimate owner, and this solution elegantly solves on one side, the password breach problem, because now as a company, if you get the service provider, if you get breached and hacker steals your, the public keys of your users, while he cannot do absolutely nothing with them. And also it also makes life difficult for an attacker, because it doesn't only have to steal your biometric characteristics like your fingerprint, or maybe a photo of you, because that is useless without the private key. So you really need to have both. And that eliminates a huge class of remote attacks, which are, you know, the main cause of breaches breaches today.
I would like to spend some words on adaptive login. This is the second concept of the new MFK wave. So how does this work? Normally you log on a page and the service Porwal would register or would detect if you from logging in, from Firefox or with Chrome on a windows device or on a Linux device, it would look another IP address and say, okay, his IP address is from burn and Switzerland. I've seen the guys from there several time, and then it would keep a sort of database of combination that have already been seen. And then depending on having you already seen in that combination, he would then decide, as Martin explained, would, would have like a, a risk evaluation and saying how sure I, I am based on those factors that this is the right person while maybe I'm not so sure. So I prefer to do a step up to a second factor, or maybe, you know, this activity, the user is going to do weak authentication is enough. And therefore adaptive login is enough to just let him, you know, perform the, the action. So putting something in a cart or seeing the list of things you have maybe or not, and then a step up would only happen when you want to, you know, pay that card. You want to, to do a checkout.
Another concept, the third concept is, is less known and we call it continuous authentication. This is sort of a passive authentication technique that applies after the initial login. And the idea is that while you interact with the service, each one of your interaction is analyzed for so-called indicators of attack. So the service provider would check constantly that for example, there is no banking ions that has activated itself after the login happened. There are banking to that, behave like that. They are very stealthy until you log in and then they become active. It would look for example, if you are trying to authenticate from an infected or compromise device. So some banking application do not allow to be used on, on jail block device because their risk insecurity, people decide that, you know, they don't wanna take this risk to run an application. We should be highly secure on a jail block device.
Another case could be, for example, we had several cases in banking in, in Europe of, you know, where you get your Q codes to register. Your second factor sent home. Also, when you ask for a visa maybe of your second, second factor device, and those Q codes maybe get stolen. And so someone could steal this square code and try to, you know, his phone as a second, second factor, but then there are techniques, like for example, behavioral biometrics, we would look at how you type how you use your phone, how you swipe your phone. And with those techniques, you would be able to detect that it's not the same person trying to, to use the service and maybe you would block a suspicious payment. And so the idea is that the authentication technologies would check every high value interaction continually. So this solution today are more adopted in, in banks and high security, but we expect those to expand to many more use cases in the near future.
So what are the takeaways today? You can really offer security and convenience to use customers by replacing passwords with modern MFA techniques. The second takeaway is leverage smartphones. Smartphones are the modern tokens. Users always have them on them. They are secure with their trusted end clouds, many second factor solution only work on smartphone with trusted end clouds. And that makes them very secure. Passive authentication factors can increase security without impacting user user experience, evaluate them for your business case. It's really a question of what is your business case and do they fit into what you are trying to achieve with your customers? And also start to think about authentication, not only at something you do at login, but more along the whole customer journey. So think about, you know, when the customer interacts with your services, where does he really need to be strongly authenticated and where maybe just the weak authentication is more than enough because maybe user experiences is to be higher to rate it much higher. So thank you very much for your time and attention. And that's all for my side, Martin.
Thank you, Gregory. So I'll hand the screen sharing back to me and let's directly go into the Q and a session. I already have a couple of questions here. So the first questions we want to target a large consumer group, some may have for smartphone, some may not, or some may prefer to use smartphone, some not are, are you also supporting secure passwordless solutions for non smartphone users?
So I think that, that, that's an interesting, an interesting case in the sense that it's, it's, it's interesting because it's, it happens in, in, in many businesses where you reach a wide audience. Like, for example, if you you're a bank and you need to reach everybody in the country, you have people also that don't have smartphones. The only thing there I think is that you need as an authentication service to have something which is, you know, like not only widely available, but also being able to cover many more cases. So in that case, for example, our, our solution can cover a classical MFA where you can send out tokens, you can send out great list, you can send out a lot of different, different possibilities. You can also think about continuous authentication, behavioral authentication to be used as a, as a replacement. I think there, the big question is what is the acceptance by the users? So if you have some, some people are suspicious of things they cannot feel in touch and see. And so maybe for those people, it's better to still have, for example, an authenticate or solution with an OTP, which is not really passwordless in that sense, but it could go a little bit in, into that direction. So I would say to go back to what Martin said at the beginning, you need a service that has a lot of flexibility and can cover all bases.
Okay. And that is actually what you provide.
Yes.
Okay. So the second question might be a little bit more complex. Did attendee is asking, so we looked into 5 0 2 and saw that there are certain use cases where it's not supported yet. So like safari on the iPhone. So, so do you have experience on, on where to rely on 5 0 2 and where, where you come to limits?
Yes. So, so that's why two years ago, when we started building our passwordless solution, we decided not to implement in a first phase 5 0 2, but rely on the five UAF standard, which is a couple of years older, which has been Ajo to I F 1.1, because we could see already that apple wasn't completely on board. And we as a solution, we, we really need, for example, in Switzerland, 50% of users have iOS. So our solution that doesn't support iOS is out of questions. So we were probably very careful in choosing our standard. And so our standard, which is based on PHY UF functions perfectly on safari. So if function perfectly on iOS devices and on Android devices. So we were a little bit lucky, but we were also a little bit cautious and that helped us in our decision.
So, so, and, and of today, do you support fighter tutor as well or
So we are planning to support it, but because we are, we are focused raise focused on consumer use cases like for, for big banks and for big insurances for us until apple supports it for us, it's on the back burner. So we are completely, we need a solution and this is UF that, that supports iOS completely.
Okay. Got it. What is the device fingerprint based on?
Okay. Very this, so device fingerprinting is like a black art, I think, but I would have to have to ask our, our specialist that is based on a library called fingerprint to JS for creating the fingerprinting and for, for the location instead is based on special databases of IP addresses. And in the future, we are looking into maybe using information that is available on the smartphone about location, because the smartphone says even better location information, then, you know, just IP addresses of locations.
Okay. Got it. Which device is in Nevis access app run. Is it an Android and iOS?
It's Android and iOS today? Yes.
Okay.
And it only works on devices with the trusted and cloud and it's, we, we work together with a company called axon. So all of our solutions are hardened by this axon solution. And, and so, you know, we want to achieve very, very high standards. As I said, our typical industry is banking and insurance. So it's, it's hardened against attacks on the mobile, you know, external attacks being to, or, you know, compromised libraries and so on.
Okay. So it looks already like we don't have further questions. So if there are no questions popping in right now, then we are at the end of today's webinar. Thank you very much to you Gregory for your insights provided thank you to all the attendees for listening to this call webinar. Hope to have you soon again at one of our webinars or see you at one of our onsite events in the autumn of this year. Thank you very much.
Thank you, Martin.
Stay Connected
Related Videos
How can we help you