Webinar Recording

Making Passwordless Authentication a Reality: The Hitchhiker’s Guide

In this webinar, Bojan Simic, founder and CEO at HYPR, and Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, share their insights and experience on what to consider when moving towards passwordless authentication, and making this a reality. They talk about solutions, but also cover the change management challenges involved when moving to a better (but different) authentication for thousands, hundreds of thousands, and even millions of users.

Topics they cover include:

  • How to implement passwordless authentication without ending in a service desk nightmare
  • Remaining flexible: Building your passwordless solutions for continuous growth and innovation (allowing tokens to be added or replaced, but also scaling)
  • Remaining strong: Flexibly adjusting to the ever-changing threat landscape
  • Integration: Passwordless authentication as a good citizen in the IAM ecosystem
  • What to do beyond: Fraud reduction, SOAR, and other approaches for identifying fraud and anomalies
  • Convincing without overpromising: The internal marketing needed for successful rollouts of passwordless authentication

Welcome to our KuppingerCole webinar, Making Passwordless Authentication a Reality: The Hitchhiker's Guide. The speakers today are Bojan Simic, CEO and CTO of HYPR, and me, Martin Kuppinger, Principal Analyst of KuppingerCole Analysts. This webinar is supported by HYPR. And before we dive into our detail or the details of this webinar, I quickly wanna bring up some housekeeping information. And I also want to start, and directly with the first poll, I hope everyone can hear me well. I just had a little bit of an audio issue, but my system shows that it seems to be working well again. So for audio, you are muted centrally, so you don't have to care about, we are managing these features. We do polls, as I already mentioned. So we will have two polls during the webinar and I'd love to, to have, see you participating in these polls.
The more people answer, the better it is. And there will be a Q&A session. Again, the more questions we have, the more lively the Q&A will be, and we will do this Q&A session by the end of the webinar. And then there will be recording and slides available for download. So you, you don't need to do anything yourself. We will provide this, the recording for download to you. You don't need to take exhaustive notes because the slides you're showing will be for download as well. What we don't have today, as in, in many of our other webinars, is a standard agenda because this webinar will be more, more a conversation between Bojan and me sharing our, our experience, sharing our perspectives on the market. So this will be basically what we are doing before we dive into the subjects of today's webinar, where we can look at how, how do we really make passwordless authentication a reality and, and the success.
I, I wanna raise first poll, which is a bit more high level, but looks at different areas of investment priorities around identity management and identity security. So the question is, which of these five topics is most important to you today? So is it really more sort of reinventing, modernizing the entire identity management? Is it multifactor and passwordless authentication? Is it just in time access, getting rid of standing privileges? Is it more policy based authorization runtime, or the, the main impact come from a zero trust perspective. So with that, I give you a couple of seconds to provide your priority here. Looking forward to see, as I've said, as many answers as we can gather to see where the trends in the market are going. So leave it open for another 15 seconds or so. As I've said, the more people answer, the better it is.
Don't be shy, pick one which is closest to what you, you see, and then we, I would say close it in a few seconds. Thank you. With that opening the microphone for, oops, for Bojan as well. Bojan, you should be able to speak to hear you. Yeah. Perfect. Wonderful. And with that, again, a warm welcome to you. It's a pleasure to have you here in this webinar with all of your experience around passwordless authentication. So we have a bit, two different perspectives. One, me as the analyst, you as the, the vendor, but I think we, we also have quite some similar insights on this market and sometimes those different perspectives on the market. And as, as I've said, we, we wanna walk through a couple of topics we, we feel are really important when thinking about passwordless authentication. And the first one, the first question to look at from, from our perspective, from from my specific perspective, from what what we hear from the market is how to implement passwordless authentication without ending in a service desk nightmare. So background of that is that one of our customers also said, you know, the point is that's all nice, but then this device binding thing comes and, and when you then do then need to do the device binding for multiple devices, et cetera, then things sometimes should be become a bit more, more cumbersome, at least for certain users. And so surely IT never likes to see the CEO complaining about that his new newest gadget needs to be configured again in a way he doesn't feel comfortable with. So, so Bojan, what's your experience on that?
Yeah, you know, I think two of the words that IT teams fear the most out of all of them are change management. And I think that us, you know, practitioners in the identity access management industry have to understand that oftentimes the people that we are speaking to about implementing passwordless or a new better, stronger multifactor authentication technology, these individuals may have been at their job maybe 2, 3, 4 years, but the average business maybe changes their authentication technology every five to 10 years. So the individuals that we're speaking to that we're discussing this change management process with, it's a high likelihood that they have never rolled out MFA at that company that they're currently working at. So it's a very daunting thing. And, and, and you know, the fear of rolling something out and being a service desk nightmare is very real.
And it, it's, it's about pass or about authentication necessarily. Hopefully not about passwords, it's about authentication when you go passwordless, it's not about passwords, but I think this is the point. So if things go wrong, then they go wrong at the very beginning of the daily journey of the users.
Yeah, I think, I think what we have to do is every single capability that we roll out has to be communicated properly. So when I spoke to one of our larger customers recently and he said, you know, that that technological effort that we put in place to eliminate passwords was, you know, fairly significant. We needed to integrate it with our VPN and our single sign-on and our operating system, so on and so forth. But then he said, we put in place an even bigger marketing effort internally to drive passwordless because at the end of the day, people are naturally hesitant to change even when it's a positive change. Yeah, I remember, you know, for myself personally, you know, I, it took me a while to move away from a phone that had the physical keyboard to a purely touch screen and I work in technology, you know, I was hesitant to make that change myself, but once I did it, I realized, okay, this is certainly better.
Yeah, I just, for my, my, my new smartphone, for iPhone SE, to be frank on that, because it still has the fingerprint sensor, I also truly not the one who has always the, the newest gadgets to, to, to be honest. But, but I think there's a reason to do that, to do that shift. And in our case, in our topic, it's a, it's an something we must do because I think one of the, you you brought, brought with you is that one: hackers love passwords. So, so we need, we need to work on that. I think this is, this is, this is the reason regardless of how scared we are of the change process, at the end of the day, there's, from my perspective, no way not to do it.
We must get multifactor passwords and better and get rid of passwords because passwords cause problems.
Yeah. And, and on this concept of simplicity, right? When we think about MFA and every single innovation quote unquote in MFA for the last 15 years or so, we kind of understood a while ago that the password itself is fundamentally flawed and we can't rely on it for security. And what we've done over the last 15 years is we've just added layers and layers on top of the password. So we've built our house on a very weak foundation, you know, we've added OTP codes and push notifications and risk signals, you know, all these different capabilities like, oh, if it's 2:32 AM and you know, the person is in Singapore, they can't log in, you know, and, and what users really hate what is not simple for them is a disjointed user experience. You know, so they use a password for this service, but they use a push notification approval for this service, but they use an OTP for this one. You know, maybe they use the fingerprint reader on their Mac for this service and it becomes very complex and that's what actually results in a lot more help desk and service calls. So the simplicity has to exist and I think what open standards like FIDO and public key cryptography based systems allow us to do, which is shown in this diagram, is have a very simple authentication flow, but have it also be very secure that isn't just an additional layer on top of a password.
Yeah. And, and, and I think a couple, couple of things I I always tell here, So, so the, the one thing, and I think this is probably the most important one, is we have this notion of balancing security and convenience. Honestly, this is a sentence. If you, if you say that, then you better stop and think about does it make sense? No, because what it means is balancing means security goes up, convenience goes up, goes down, or convenience goes up, security goes down. Neither of that is a good thing. What we, we have, and I think this is the, the charming thing with, with many of the passwordless solutions today, or at least some of them, is we get both. We get an increase in convenience and an increase in security, and I'm fully with you. So we need that and we need that convenience aspect.
So, so one of, I trust, I think last week I had had a call with the customer and they said, Yeah, no, we have some really strong authentication in place there, but for our admin use cases it gets cumbersome because they would need to do two different of these devices then, and then some of the, they so to speak, really high security use cases end up being relatively weak in, in authentication done with that insecurity just because it's not convenient. And I think the simplicity thing is super important and what you, what you show here is, is this device binding thing where we have a device and everyone has it and it's one of these elements that what we have seeing lot bit of biometrics what we are. And it's still easy.
It is, and it has to be easy because people will circumvent security controls and they're extremely good at it. You know, I remember back when, you know, before HYPR I worked in finance and you know, there, there was a quad of, of desks and there was a table in the middle, a round table in the middle and in the middle of that table taped to the center of it was an RSA token just taped to the table so that now the four people working in this quad, whenever they need to access this account, you know, they would just roll back in their chairs, look at the code and go back to their desk and punch it in. And that stayed there permanently. You know, and so users find very creative ways to circumvent security control. So we have to keep it simple for them. I think the, I think the, you know, any security executive or any security team that's like, oh, you know, we'll just, we'll just make it more friction because we absolutely need the security needs to think of a different approach.
And I'm fully with you. I think we not only need to make it simple, my perspective is also we need to keep it flexible because we see new technology appearing again and again and again. So scrolling back 15 years or so, did we have smartphones? Well, maybe just, just arriving or, so I would really have to, to look back when the first one was introduced and I'm long enough in the industry to, to have seen so many, so many technical innovations. And the one thing we can share about is that it's res for now, there will be something different being hyped than today. So, so how can we, how can we build something that's, that avoids constant change management, but it's still ready to adapt to what the people want to use. And in addition, we rarely can use one approach for everyone. If you take the admin and the CEO or the OT environment and the office workers, etc. They are not all the same.
Yeah. One of the things that, you know, I I found really fascinating over the last decade or so of this industry is we have had an explosion in the popularity and growth of identity as a service products. You know, a couple of decades ago, most organizations just had a single directory and everybody authenticated and accessed, you know, a single directory, typically Active Directory or some LDAP store or something. But in the last 10 years now we have all these identity as a service products that every single business has, you know, gone out and purchased, whether it's a Ping or an Okta or a ForgeRock or something else. And many businesses actually have multiple, because one line of business likes to use Okta, another line of business likes to, likes to use Ping. You know, internally they may be using Azure Active Directory and then eventually they realize, hey, you know, we have a lot of users who access all of these sources of identity and their authentication experience into all these sources of identity is completely different. And so this is where the flexibility needs to come into play and, and really where what we see happening in the industry is the authentication piece itself because it is so user-centric, it is so critical to have flexibility there is being separated out from the core identity services layer. So there's companies like HYPR for example, where most of our customers have multiple sources of identity, but their authentication experience is HYPR and it's consistent across all those sources. And
So you bring in another angle of flexibility and, and so to speak adaptiveness. The one is more, more the authentication factor and device you're using and stuff like that where I started. And the other is, if you have many, many services, it's wonderful if you have a passwordless authentication for whatever your, your daily productivity apps. But if the other areas you need to work with don't support it, or if you first have to log into a, so, so my wife is working at German government agency and she has to go through a, I would say a quite cumbersome experience every morning with multiple passwords and OTP tokens and stuff like that for the VPN and for BitLocker and for that and that. So it's not fun, it doesn't make sense and yes, we need to do it better. And and that world also is always sort of under change. We see the shift from traditional VPN to zero trust, network access solutions, et cetera. And yeah, I'm fully with that is a very important aspect because the, the individual solution might be super convenient, but the sum of solutions might be cumbersome to use.
Yeah. And, and on our last topic of help desk, right? Where let's say, let's say my single sign-on provider or one of them that I'm using as an employee every single day has passwordless capabilities. That's great. It makes it easy as you said, but now that's one less place I'm using a password, but I'm still using it in in these other areas. And what sometimes happens is when people use a password less, they forget it more. So if they use it less frequently
Password more. Exactly. Because
They are used, Oh, I don't need a password anymore and then when I need it then Oh,
And they call a help desk. Yeah. Right. And then that ends up, so, so this concept of coverage use case coverage is critical for any passwordless deployment. It has to, it has to work for your VPN, your single sign-on, your operating system, virtual desktop infrastructure, you know, your BitLocker access, all this stuff. It has to work everywhere.
Maybe let's raise the second poll then, then continue our conversation. So the second poll is one, and we will not track who answered what I have to say for that question. We're just curious what happened. So has your organization suffered a cyber attack that was already, already, that was caused by or related to breach passwords? A yes or a no. So come on, maybe next time I add the option, hopefully not or I don't know to that, but yeah, another five seconds or so. So if you haven't responded yet, please, please enter your response here.
Okay, thank you. So, so one third yes, two thirds no. I, I would have expected from, from what I see happening around cyber attacks that it's a bit more on the yes side maybe, but we, on the other hand, it still means there are so many organizations out there which have suffered from password related breaches attacks. And that is a problem. And that means we need to also ensure that this remains strong. So because I, I think that's the other side of the coin. So a lot of things we perceived as being very good have shown up as being maybe not as good in general or might have suffered from a certain attack. So I think many of us, at least the ones who are in the industry for more than decade, remember the RSA SecurID attack back then. We, we have, we are still and and have seen a wide product of, of SMS based authenticators, which, when I look at what CISA is telling in the US, are not perceived as a really secure method anymore. So how, how do we, how do we ensure that organizations can stay strong? What is, what is what we need to do to sort of continuously evolve and improve our, our environment?
Yeah, I think, I think there's a few things that, you know, any business can do. And this is very much aligned to the CISA guidance that came out recently, which is passwordless in particular can be done many different ways. It can be done correctly and it can be done incorrectly. And we have seen implementations previously where, you know, they will implement passwordless by doing password camouflage, right? Which is, there's still a password being used behind the scenes, but the user is just approving a push notification or something else, right? So any sort of passwordless initiative has to be combined with technology that inherently builds phishing resistance into place. And so for us, you know, when we look at the user experience and the security controls, you know, any sort of password initiative has to eliminate phishable factors. So if it's reliant on push notification, doesn't matter if it's passwordless, it's going to be less secure, right?
And, and any sort of authentication control that can be abused to annoy users into authenticating or make them easily fall victim to social engineering has to not be a part of that technology implementation. And so this is where we really focus on this concept of user initiated login. For me as the user, I should be able to, I should be the one initiating the login into my login into my services. You know, when I go to unlock my car, for example, I am the one pushing the button on my car, on my, on my key fob to unlock the car. The car is not sending me a push
When I, when I go close to my car, the car starts opening the, the, the, the rear mirrors. So, so the car awaiting me, isn't it in some, but, but I get your point. So I don't want to play devil's advocate here. I get your point. I think it is a couple of important things. I think this this push fatigue or, or in general this, oh, you need to click here so that you can do that, that you can continue, if you do it too frequent, you don't take care of it anymore. I think this is a total, totally normal behavior is it's just psychology. Oh, oh yeah, I have to click here, I have to click here, then something comes in which you shouldn't click, but you, you're just so used that you don't look at details anymore and then then you, you, you, you allow something to happen which you don't want to to happen. The other thing is yes, I, I think it's a good point that you say, okay, I want to use that and then something should happen. So you trigger it and I think it's definitely a fair point. Yes.
Yeah. And I think the car itself is inherently a single factor device, right? Because you have to have physical access to it. You know, if I could log into your car from here and drive it, right? There were probably additional factors involved for authenticating it, it couldn't, it would not rely on just the key fob.
Yeah. That will happen the more we go to move tos driving, won't it.
Well that's, that's part of what you said earlier, which is, you know, how technology has evolved in the last 10, 15 years, you know, 10, 15 years from now. Like it is very feasible that, you know, like you could drive your car from your desk if you needed to, you know, do something with it.
Yeah. You, you, you whatever outlook or to your car, okay, Martin has to leave, come out of the garage.
Exactly. You know, or, or if you work from, or if you work in an office and you want to have a single car, no longer double car, right? You get to the office and the car drives itself back to your house for your spouse to use it or somebody else.
Yeah. Okay. That, that's an area we already touched a bit. Integration, it has to do with what we discussed before, flexibility because password has, so we have so much technology and we have so much technology to authenticate and there are things which will not go away, which are there to be used. You talked about these companies which have Ping here and Okta there and whatever somewhere else. I also believe that when we bring in something new, specifically when it needs to be convenient and, and work across a lot of use cases, ideally all it needs to be sort of a good citizen in that space. And so this is also one of your slides around where to integrate. And I think this is something which, which maybe is sometimes a bit bit underestimated when, when looking at the, this entire space. So that the main point is, okay, how can an office worker access the main applications, the productivity apps, but it's more than that. And I think this is something, and also also the, the, the tricky use cases. Maybe you can elaborate a bit on some of the more, more advanced use cases where we don't talk that much about a standard office worker, but, but different types of users.
Yeah, it's fascinating to me because right now there's so many point solutions implemented within every single enterprise for specific things. And so this concept of coverage for passwordless is critical. So you have to be able to access all of your typical applications or productivity tools or whatever else using a passwordless capabilities. Sure. But then there are, you know, activities that every single employee at a company typically will perform that require a higher level of assurance and oftentimes they'll have a separate point solution for that. An example of this is if I'm a technical administrator at a company, I may have to carry on a separate, you know, hardware dongle to access AWS infrastructure or cloud infrastructure that that has, that requires privileged access or something similar. If I'm a, if I work in finance at my company and I'm making money movement of significant value, it requires, you know, a maybe a completely separate application or a separate tool to do the approval of that money movement. So these are now point solutions that people have to be trained how to use and ultimately those point solutions can be abused. So when we look at the passwordless capability for any organization, the authentication control that they have to log into their computer or into their single sign-on or their VPN should be able to translate into those other use cases.
So so you're talking also about using that for instance, for transaction control?
Okay. That's, that's a cool thing because, and, and, and I think we all know these things become more, we frequently sometimes yeah, use it because we do it day by day by day, but sometimes it doesn't have, I remember the first time I, I was sitting I think in St Pancras International trying to connect to that at that point of time, still not free wifi using the corporate credit card and being asked for the bank account number or for the final num final numbers of the bank digits of the bank account number of my company. Do I know when I'm sitting alone in the St Pancras International rail station? Do I, do I know the bank account number out of my, my mind? No, surely not. And so in that case, for instance, saying, okay, transaction proof would have been very, very convenient that way. It wasn't
Exactly. And oftentimes what I've seen at organizations is, you know, the line of business or the individuals responsible within a company that work on, you know, the transaction approval capabilities and the high, you know, high login that's typically a completely separate part of the organization from the people implementing the multifactor authentication controls. Yeah. It, that's bizarre to me. I think these two, two worlds are colliding more and more every single day. I think that businesses will start to come around to the fact that, hey, if we have a strong authentication capability within our organization, we can actually use that for transaction verification or for higher level capabilities.
Well, I like, I like that concept. Before we move to our final talking point, maybe the, I'd like to remind the audience, you can ask questions, we have another Q&A session. So use the opportunity to ask your questions to Bojan and me so that we have a lot of questions here. So final thing rollout. So how do we make the rollout a success? What do we need to do so that this thing works? We started with this at the beginning to a certain extent talking about change management right now. Maybe let's look at a few use cases from your, your company about how this could look like.
Yeah, we, we selected one of our customer deployments to, to talk for this. And, and this is a really fascinating business. So this business is in the manufacturing space and, and they have about 77,000 employees around the world in about 200 countries and 1400 offices. So as you can imagine, a global large business, you know, and more than half of their employees actually never come into an office. You know, they're out there in the field repairing equipment or distributing equipment. And one of the most interesting parts here is that they, these are not very technical people, you know, they work with their hands every single day. They're not, you know, they're not knowledge workers who sit in an office. So for them using passwords and having to do things like change a password every 90 days was a major undertaking. And what what ended up happening was 40, 41,000 people who never come into an office, they just never even used corporate services.
They never logged into their email because it was just too much trouble. If they wanted something as simple as their paycheck stub, they would pick up the phone and call their manager who is in an office and say, Hey, can you please text me that, you know, or send it to my personal email. It's too hard to access my company stuff. And that's, that should never be the case for any business. And, and so for us, you know, what they ended up doing was they rolled out Passwordless first to all of those people and they said, Okay, you know what, just download this app on your phone, you'll never have to type in a password again. And it became particularly useful for them in the onboarding process. And this was of course during the pandemic and, and even for their knowledge workers who do usually come into an office now, all these people work working from home and they were hiring hundreds of people every single month.
So what what ended up happening was when they would hire a new person, they would ship them a company laptop, but in order for that person to change their default password on their computer, they had to be on the corporate network. Well, to get on the corporate network, you gotta type in your password. So chicken egg scenario. So what they ended up doing was when they brought on people, they would first enroll them into passwordless for their VPN access that then enabled them to get on the corporate network and then they could do everything downstream. So that was their first foray
To do it the right way.
At the end. So, so maybe, maybe one more case study from your end before we we shift to the q and a.
Yeah, so for this one it was really fascinating cuz this is a customer facing use case. The previous one was for their employees, this is for their customers. This is a Fortune 50 insurance company based here in the United States. But you know, as an insurance company, the way that things work here is when you, you have an opportunity once a year to enroll into your healthcare benefits, it's typically October, November timeframe. And so what would happen is October, November would come around and millions of people would call into the service desk saying, I forgot my password. Cause guess what? They haven't logged into their health insurance since the last time they had to enroll a year ago. And so they would actually, this company would actually hire teams of people before October just to answer phone calls and reset passwords and then they would let them go afterwards. I kind of like, you know, shopping centers hire for the holidays. And so what they would do this and, and when they deployed passwordless authentication capabilities for their customers, they realized that the cost went down significantly and it also had an added benefit because they reduced account takeover fraud, which is a major concern for them for password.
Yeah. And I, I think that that's an interesting point because when I take the example of my, my utility company, maybe not a super critical use case, way lower risk than, than that, then they are sending me a mail once a year with link embedded where they say, Okay, please enter whatever the current state of the gas or, or the, the power counter the meter and, and, and that's it. And because they, they, they exactly know that it, it'll not work with the password based authentication. But on the other hand, it always leaves a bit of a bad impression here saying okay, the right way, the way to secure it or not. And and here you're, you're talking about a use case where, where you can do it in a very simple manner without that complexity of dealing with passwords, which you surely don't know anymore if you don't, haven't noted them down, you don't anymore one year later. Okay. Yeah, go ahead.
One of the, one of the other interesting things here is everybody talks about this job shortage in cybersecurity. And what this company found out is that a lot of their incident response, people who are on their security team spent hours every single day investigating phishing incidents. So one of their customers would get phished, incident would get investigated closed, but when they rolled out passwordless, the number of phish incidents they had to investigate reduced so much that they were actually able to repurpose those individuals to do much more important tasks, which was just another side benefit of deploying passwordless that we frankly didn't envision when we started this deployment with them.
That's, it's a fair point. Okay. Q&A, William, it was already very interesting conversation and as I've said, I'm, I'm looking forward to receive more questions from the audience. So we already have a couple of them here. So sort of the one one I like to start is, is a very interesting one and that is about what if you have applications that know anything, don't know anything else than usernames, passwords. So, so in many legacy environments we have this, this situation that there are many, many of these applications. So how do we deal with that?
Yeah, this is, you know, mainframe applications or legacy applications that have direct LDAP connections, things like that. And these are applications that for whatever reason have not been converted to a single sign on capability, right? So what we see our customers doing is they will actually take those applications and they will, instead of, instead of having a username and password that a user remembers for accessing them, they will put the, they will move the access for those applications into a privileged access management capability.
Could be probably a bit the same when we go to some of the
Yeah, typically, typically companies at this point have already moved the applications that they can to their enterprise single sign on. But if they haven't, they'll use their privileged access management tool and then they will protect the access to the privileged access management tool with a passwordless phishing-resistant method. And this is really interesting because many of our customers that we work with, they think they maybe have 10, 20 applications that are using this legacy method that, you know, have not been converted. And afterwards they actually uncover many more that are just kind of sitting there and nobody's even aware of them. So it's much better for the security team to then have visibility into these applications,
Which again goes back to you need to be able to integrate, you need to be a sort of a good citizen of flexible solution in these environments. Another question is about, so, so when, when you compare what we talked about, we use FIDO2 device binding as part of that after the physical device use a biometric authentication. How, how does this relate to this cloud managed sort of credentials? We, we are using, starting with a browser to specialized solutions. So, so why, why should we go? I'm sure you have a very good answer that why should we go for the passwordless approach?
I think, you know, cost is the big one. Passwords just in general cost a lot of money and, and I think there's a lot of hidden costs associated with passwords. I think it is very difficult to exactly quantify the productivity loss when it comes to a password based authentication. You know, everybody at your company has a salary, any amount of time that they're sitting there remembering their password or having to change it or anything else has a cost associated with it. And it's difficult to quantify, but it's very easy to quantify the costs when it, when it comes to a security perspective, from a security perspective, you know, an individual gets breached, it has this, you know, ransomware attacks cost this much, you know, and, and, and paying ransoms is, is obviously a different thing. And then also when we think about cyber insurance in particular, if you're able to prove to your cyber insurance provider that you have a strong phishing-resistant authentication control, you can argue a much lower cyber insurance premium. And we were talking to one of the big banks here in the United States and they said if we go from level of assurance two when it comes to NIST to level assurance three for our authentication, we can save more than 10 million a year on our cyber insurance costs alone.
Yeah. If you still, which is, is so you passwordless multifactor authentication for some time. So what have been, so to speak the, the most significant changes you've been seeing materialized over the past year or so?
The most interest, the, the biggest changes that we've seen is the shift, the shift and the focus towards this concept of phishing resistance. It is, you know, it's a massive change that has been, that has been happening and it is because the hackers have always been able to bypass MFA controls, you know, using social engineering and things like that. They've been able to do this for over a decade now, but in the last year in particular, the bypass of those traditional multifactor authentication controls like OTP and push and SMS has become fully automated. And we saw this with the Lapsus$ attack against Okta and all that type of stuff where they were able to compromise over a hundred companies, you know, within a very short period of time. So the hackers have innovated where we, you know, the industry generally hasn't. And so it's driving a much bigger percentage of organizations towards a passwordless future.
Okay. Yeah. So one more question, which I also feel is an interesting one, maybe one you started and I I have my perspective on that, which is any words of wisdom for how organizations should approach evaluating passwordless vendors?
I think that in today's economy, in a macro environment where we have every single business, every single security team has to be very, you know, very good with how they spend their resources. I think that when you look at a passwordless technology and a passwordless vendor, you have to look at their successful deployments and their references more so than ever and really prosecute those references. Say, how many users have you rolled this out to? How did the rollout go? How long did it take you? What was the feedback from the leadership team and from the general population? Like getting answers to those questions is going to be critical because in today's economic environment you maybe don't have time or the resources to do POCs of three products. Maybe you have time and resources to do one POC and you have to use this other
Data. I think it's also still important to, to understand, for me one of the biggest challenges is requirements. So in many cases I see that the requirements are, are only partially defined, not fully understood. And this is what I believe is one of the most important things when, when looking for a new technology. So what, what are your specific requirements? And I think our talk brought up some, some very interesting areas like does it work with all the different technologies you have in your organization? Does it work for transactions, etc. And talking with the, with a couple of vendors and, and maybe other types of experts like analysts about what could be requirements, what, what will be future things you see on the horizon on, I believe it's very important. And then to prioritize this and to, to look at what is the right approach of solutions.
What I always recommend is also taking a bit of a sort of a diverse lender subset of vendor subset, a subset of vendors. So, so not just saying, okay, I have the three biggest ones, which are all a bit similar. So look at alternatives, because that always gives you, gives you at least some, some ideas about what, what might be missing for the, the biggest ones or what Innovatives bring and all these things are important. And then I think a bit of RFI makes sense if we do it writing it can be done fast. There are tools to support like our leadership, et cetera. And these are things I think you should do. Finding a good mix at the end of the day of different sources and understanding experiences, understanding requirements, bringing all these things together to make it a success. Because at the end of the day it's, it's, that goes back to the beginning of our conversation. If your change project fails around authentication, then you're in trouble.
Yeah. Make trouble. And, and I think that the passwordless technology, that the passwordless industry overall is in a much more mature state than it was 3, 4, 5 years ago. And I think today there's, you know, really good capabilities and we have proof of businesses deploying this at scale around the entire world and, you know, five, six years ago that didn't exist.
Yeah. So, well thank you very much for, for all that information and thank you very much to all participants of this KuppingerCole webinar. Thank you very much to HYPR for supporting this webinar. I think this was a very interesting and insightful conversation. I hope you after one, rather take away from listening to us. Hope you this you soon back in one of our other upcoming webinars. Thank you.
Thank you all.
