Webinar Recording
Modern Identity Management: Security Without Compromising Usability
In the digital age, effective customer, partner, and employee identity and access management (IAM) is essential to enable secure online transactions, collaboration, and other interactions. But finding the right balance between security and usability has traditionally been challenging and required compromise. However, this is changing.
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Welcome everyone to our call webinar, modern identity management security without compromising usability. This webinar is supported by Okta zero and the speakers today are public S and to be as one from Okta and me, Martin I'm principle Analyst Analyst, copy our call Analyst. Before we get started a quick hint on some upcoming events and then a little bit of housekeeping, and then we'll directly dive into the topic of today's webinar. First, I'd like to hint on the upcoming European identity and cloud conference, which will run next week in Berlin's fully high event. So you can try an online or onsite in Berlin, and I'm absolutely convinced this will be a very great event. So don't, don't miss to be there. We will have a Casey life event. So purely our online event around mentioning complexity in cybersecurity in early June. And then on, in November, we'll do our cybersecurity leadership summit.
Our cybersecurity conference. Again, building is a fully hybrid event. Housekeeping, first, you don't need to control audio. We are doing this, so that should work well. We will do two polls during the webinar. I always appreciate your sort of active participation. The more people answer the better, the, the results are the more valuable, and we will time allows shares in the Q and a session. Q a will be at the end of the webinar, but you can enter your questions at any time in the go to webinar control panel, the right answer screen, you'll find the option to enter your questions. And as I've said, more questions make a more likely Q and a session. Last least there we are doing a recording and the podcast will be made available short term. So usually by tomorrow, and we also will provide the slide deck for downloads so that you don't need to take sort of exhaustive notes or so with that, let's proceed to the first poll.
And this is all about topics. And clearly we could list more topics, but I've picked some five topics here and I'm interested in which are, which of these topics are most relevant to you today, or which is the most relevant topic for you today? Is it more blueprint to have generic perspective than I am? Is it multifactor authentication, password, less indication? Is it trust in time access and getting rid of all these standing privileges and standing entitlements? Is it looking beyond education to authorization or is it more the zero trust journey from concept talk to reality? So please enter your responses so that we have hopefully a lot of answers here. I'll give you another 10 seconds or so.
Okay. Then I think we can close the poll. We will do a second poll later on, but for now let's get started with the content of this webinar. As for most of our webinars, we have a, we have three parts of our trend. The first part is short term. I'll give about combining security and convenience. And so how does cam sort of improve what we do in authentication? The second part that will be a talk by who will talk about how modern identity management delivers post security, usability, and they will mainly look, or a large portion of their talk will be about also looking at some other surveys or have done look the results and what it means. And finally, there will be already a Q a session by the end of this webinar. So without further I do, let's look at the, I'll talk about, I, I wanna talk about, or start with this talk was look at zero trust.
Zero trust is this concept we, which is around for, for quite a long time. I think it's more than 12 years right now, but in the past two years, it became way more prominent than before. But what is from my perspective important is that when we look at identity authentication, then these are core elements, which are the forefront of everything we do around zero trust. It starts with identity. So with zero trust, being this guiding principle for modern security and modern identity and for doing things right, we also have learned that it's more than the trust networks or something like that. It starts with the identity. So someone Martin is using device. So Martin authenticates uses the device, and this is frequently something which is, is point already because the device very frequently is part of the authentication procedure. It's our second factor. Traffic goes over the network to system, to an application or to a sad service, theres access to data and data must be protected.
Data must be governed and all this, for instance, software, we also have learned, I think the hardware over the past two years or two and a half years, we just can't trust software. We must verify as much as we can. We also must include so in our zero trust concept. And so in this world of zero trust, it's still the point. It starts with identity and with devices. And the authentication of the user is the very first touchpoint to sort of it towards the essence of zero trust, not trust trusting, but always verifying. And we need to do this good, and we need to do it convenient. And I think also what we have learned over the past years is it's not really the password, which can be at the center, which can remain at the center of falsification, that there are under pressure. There are good reasons that they are depression.
It's really time to act, to become passwordless, to become more flexible in what we do. And what I believe is very, what's also very important is to do this everywhere. So we talk a lot about passwordless indication both for, for workforce and for consumers. But then I look at my own daily experience in the internet. This is anything, but passwordless, I have so many passwords to remember because websites trust don't support when they purchase something. Or so don't support another approach than username password. We need to get rid of this because it's a security issue. Passwords, we all know are a weak element, security. It's a convenience factor dealing with all the passwords every day is not convenient. I just recently raised the question about how many passwords people have to deal with it. Sometimes really huge numbers. Some report they have more than 50 passwords.
They, they are at least aware of in their business life, not to talk about all the websites. It's a costing. We all know that certain share and significant share of the help desk work goes into password resets, password manly, NVF regulations, the C in the us a while ago, defined single factor authentication, sort of standard username password, for instance, being insecure. And we have a lot of regulations which mandate take PSD two and others, which mandate stronger authentication. So we need to get rid of passwords. We need to move to something which is password less and everything where you don't see a password is password less. And every everything which every technology that has declared to be a password less is really password less. So we could clearly spend quite some time about discussing when is something pass, but less or not. I think I'll, I'll make a very important distinction here for the purposes of this webinar.
And one that I think is quite good as a, as a distinction to use in practice. And that is about don't let passwords travel. Don't use passwords as the standard mechanism. If it's a fallback, we can discuss, there are some technologies to say we not even needed, but the point is, once passwords are traveling, then it's not passwordless. That might be still a single sign on. It might be something where the passwords sitting from the user, but it's not passwordless. And as I said, passwords, they are a risk. We need to have multiple factors and good a education to my perspective is multifactor. It is risk based. So we understand the risk of the access to risk of, of the user, where it is, which also it's context, where, so it's Martin really stood disease now, now, or has it be in a five minutes ago, right now he's somewhere totally different, totally different place.
That is a context information, which adds to the risk. It must be convenient and it must fit to the different use cases that different uses the different usage, the different devices. So we need to make it way more flexible than we did in the past. And that trusts say, okay, instead of username has what we now support this one other single approach. We need to be more flexible. We need to get broader in what we support because people want to have this convenience and this flexibility. And so in the traditional scheme, we have to username on the password and that's already good scheme because maybe not so traditional because most that with a OTP or so, but a password travels together with another factor to an Aion system that integrates a service, even worse could be that trust, username and password travel to a service and passwords traveling are sort of at core of risk because then they end up somewhere.
They need to be compared to something. And that means we have somewhere database passwords and these databases of passwords, some, some share of these database of passwords and has, have ended up in the dark web because they got de leaked. And so, so you have these engines, which help you're looking up our passwords, you, you are using already somewhere in the dark web, which shows if we even have engines for that, how big the problem is. And so paths traveling and central repositories of passwords mean we are in trouble, the modern scheme, and they are differents. And I keep to the very high level here. But the modern scheme is about a, has a device binding. It's an authentication to the device. There's support for standards such as Fido. And what factually happens is that keys are kept in a secure element. So some piece of hardware, which secures secrets like keys on a device, like a trusted platform, module trip, and only that key or that key information and challenges they are traveling.
It's not that the password travels anymore, even if there's a pin, for instance, as a last for a second factor, that pin is not traveling, nothing which is held centrally ghost authentication system authentication system works with a risk engine. It looks at the risk. It looks at a context and then gives access or not for the service. It might ask for more, more verification to take the zero trust terminology here. And that is what's happening here. And this is a very different approach because it is avoiding this old challenge of passwords, traveling and passwords being held from where centrally,
We also need to make it flexible. And this is the slide right now to bring up, which is a little, maybe a little complicated, but what, what I wanna bring to your attention is we must that thing in authentication. As one thing, this is more, we have an authenticator, so we can use different types of devices, different types of a, some of you like me might have a notebook, which has a camera and a fingerprint reader. And so I can use both a biometric authenticators. It's the same device. So the authenticator, the device, the authentication system, where I work against the directory or records, the customer records, which are held in internal systems like line of business applications, like the CRM, etcetera. These are all different elements and we can do identity proving with different types of tools. We can do. The registration process should be issued really as a separate component.
And so what we have at the end, we have a user journey. We, at the end, we have two user journeys, registration and recurring authentication, and both consist of multiple steps involving multiple systems. And the more flexible we are in saying, okay, we can work with different authenticators with different IDPs. We can connect all the various business systems. The better we are. And what we to do is we need to understand that we need that we don't have just an registration or authentication, but this is something this journey consists of several steps. And we need to understand these steps. Cause we can have gather some flexibility in each and every of these steps. So we need to get rid of saying, okay, we shift. I mentioned this before from one authenticator to the next one or from one approach to the next, but to get more flexible because users have different requirements as old workforce for your business partners, for the consumers, we need to do it better and deconstructing the user journey and looking at the various elements really helps in getting better in this and getting more flexible and being better, able to change something when the world changes.
And what we also need is zero friction. Recurring Aion is the thing which happens again and again, and again, also take rate the drop rates during registrations are one of the things every retailer and e-commerce looks at and others as well. So how many of the people start doing it and drop off before they order how biggest our churn rates of people are not coming back. And I think everyone of us has experienced as saying, oh, ah, I'd like to buy something again there. And then you ask for the username and the password and you single God, what has this been? And then sometimes you say, okay, maybe then I go somewhere else where I'm know that it will work immediately where I'm not both by this. So zero friction is essential for everyone. And what we must get rid of is the thinking in balancing convenience, security, or sentences like that, this sentence is wrong.
It's a wrong concept. When someone comes up with, oh, we need to balance convenience and security, then we should step back and think about how can we combine it? How can we get both? Because balancing means if convenience goes up, then security goes down. If security goes up, convenience goes down. It's a trade off thing. What we can to do today. This modern authentication, I think this is the key message. We can combine convenience and security. We can make things more convenient and more secure. And that is where we should look for. Cause that is what our customers are expecting, what our employees are expecting, what everyone is expecting. They expect security and they expect convenience. And you can get both today. And this must be our strategy for modern security, getting rid of friction, getting rid of penalizing people for an increase in security with that. I'd like to look at the second poll for today. And that is a very simple question. Very easy to answer, which is trust, has your organization suffered an attack that was caused by breached passwords? Yes or no? So come on the more answer, the better I'll give you another 10 seconds. Please enter your, your response now. Okay. Thank you with that. I hand over to, to be as one and put against to be as your, okay.
Thank you very much also. I couldn't agree more. So also we, from a vendor side, absolutely having exactly that combination of security and convenience, making sure we have all the flexibility on system. This is exactly what we're seeing every day in our daily work, because what we did is we basically made a survey with our customers and we just asked our customers, how do you currently look at identity access management? We started this as a science survey. So focusing on the consumer side of things, but a lot of the learning that we made along the way are also applicable to workforce identity and any other case where users want to authenticate and authorize against the centralized system. So when we look at it, just a bit of a background on where we are coming from when we did the survey, we asked it decision makers to learn about where are they right now in their journey.
We just heard the perfect status quo. What we just learned is what we all have to get to, but what is it that companies are doing right now? And while we walk you through the key findings, just a few key takeaways we can already share is that a lot of companies currently are investing heavily in thinking about just security. And as we just learned, our consumers expect more and I wanna make an even bold thesis. We cannot secure a user who doesn't want to be secured. So by neglecting the user experience and the customer needs, we're actually making our system more insecure. And we're gonna get to that back later on where I provide a bit of insights on what we are seeing this that way. And yeah, basically to just dive right in, when we ask companies, what are your key criteria when you're thinking about an identity access manager strategy specifically for event users, what we can see is most of companies care about it, infrastructure and it security, which makes sense because in the end it is a security component of our tool securing our users, our users' data and our user access to the platform.
So coming from that, it makes sense that we care about the security aspect of things. Now, what we can see is that only 40 ish percent of users care about centralized data. That is something that will get in the way when we come back to the flexibility part that we've just seen. If we want to make context based decisions, if we wanna know that this user just sign in from shortcut and now five minutes later, he's signing in from London, then we need to have a central database of that user. We need to have central auditing central locks. Same when we come with consistent experience across brands, standardized access for customers using several services, you may also notice a single sign on, in some instances where even less companies are caring about, which is already a friction engineering wise and strategy wise, which will prohibit us because we forget about how will our system work for our end user.
And we're focusing too much on what can we secure from a back end? And it becomes even more striking when we look at functions like marketing, for example, product management, where we can clearly see companies still see the, let's say the responsibility and also the work of implementing identity access management system, purely in the it department or in the it developers department, maybe in a company, but very, very few companies are actually consider considering taking the input from the customer facing side of the house and building that in thinking about how can we not only use identity access management to mitigate our risk, but actively investigating, how can we use it as a business driver? How can we make our products better in order by using identity access management. And that is something where we see a huge gap and huge potential for our customers. And for that, I'd like to hand over to my colleague, Patrick, to walk you a bit more through why then it can also be an opportunity.
Thank you, device. Yes. Why? Oh, I can see. Perfect. Thank you device. Yeah. Why can yeah, taking users into account, be an opportunity for you and not a security risk? So what studies have shown in the PVC study from 2018 is that users actually look for applications that are intuitive. So what I saw also in discussions with my customers for example, is that they prefer to really a build up an authentication process, which is natural, which is made for not just users it's made for humans. It's something we saw also with the customer of us, it's called flow health who made, who made it to increases sign upright by 12.5 times by make, by creating an authentication authorization process, which is just more natural to humans than aesthetic user approach they had in, in the first base. So it's really this balance between convenience and security, where they pushed up both sides instead of just making up security and really lowering the, the user convenience.
And the same goes with the trust part. So users want to, to trust a platform if they don't trust you, they don't provide you as many information as you might need to. So for example, we have also, one of our customers is a big trading company acting on a, on a global space. And the biggest advantage they have is creating trust with the help of our solutions to really convince the users to yeah, provide all the information. Doesn't matter if it's a seller or a buyer, they need to trust each other and they need to build the trust to make it a really yeah. Collaboration platform for all of the participants acting in it. And yeah, last point is also the alternative. So if you're one of the vendors who alone I'm gonna market and yeah, for sure, you're lucky, but most of of us have some kind of competitors and users are likely to just change when they experience any kind of risks, any kind of negative experience. And that's what has study also shown that one out of three will leave the application. Doesn't matter if it's a B2C company or application or a B2B application.
Perfect. Thank you device. So now coming to, to the, to the next study, which is from, from last year, actually it was to command study from, from, and what we wanted to, to understand where the market is right now and what the users actually want. So this is a mix of, of B2B and B2C approach. And we saw that yeah, almost 50%. So 47% of, of the users preferred to really yeah. Use multifactor authentication, especially when, before signing up to an application and they want single sign on. So that's something we experienced quite often, especially when speaking with sales vendors who also experienced that companies are more and more requiring single sign on for, for their applications. And yeah, 42% of, of the users require biometrics. So they don't want to lock in again and again with a username and password, they just want to use their fingerprint as their way of an authentication, like we've mentioned before, they want just simple and easy to use authentication process.
Same goes with a social login followed with 34%. And yeah, last one is the password. Last option followed with 32% where people just want to yeah. Easily lock in into the application to don't really care too much about the authentication itself. They want to use your services or your, your applications, but whereas the market right now, so we see just 28% on of the applications are actually using multifactor authentication. So what we see or what I personally experienced is that most of the vendors still think that the data is not sensitive enough there maybe not in the right space as there are no fin company, cetera, cetera, but people actually require that amount of security as we saw in, in the studies, 45% of all the vendors already offer single sign on, which is pretty good, pretty common, especially on, on a German market. We see it quite often.
Yeah. People prefer it as option. Biometric is still growing, but there's still a gap. We are halfway there. Let's call like this. And yeah, only 26% of the companies believe in, in fingerprints and 52% of them believe as password. Yeah. As a, as a factor in there as well in the future, 31% of, of the companies are already providing social lock in. And just 20% of, of the companies are, are already offering passwordless authentication options, but we still have 11% offering none of the above. They still go just with username and password and don't see the points of, of using any other yeah. Login options so far. Thank you to be
Absolutely. And just to quickly chime in here, going back to my slides as directing up, let's put all of that back together with what we just learned about trust about the security needs to go password less. What this really shows is that oftentimes companies underestimate their users. And while it may seem intimidating to just throw password less, to throw biometrics, just throw we thin and all the cool tools that we would have at our users, what we can see is a lot of them actually would value that. And just wrapping that back together, just putting what customers want against the trust. That means that it's not only for your online banking, that it's not only for your healthcare records where we need strong security, but it's in everyday situations. And by the way, if you may be thinking right now, well, that's very retail heavy, or I'm thinking about it's my online shop, where I'm using MFA for my credit card change, something like that.
You're right. That certainly applies there. But what we're also seeing is in a B2B interaction. So when we're working with other businesses and providing services to other businesses, they have the same challenges because not being able to provide frictionless signal sign on is a literal say, it's blocker. There will be companies who are prohibited from using your service or at least where their security will make it significantly harder to sell into those services into those companies when you tell them, well, yeah, all your users would have to create a password in order to use our service. That is something that most modern companies don't want. And that probably you wouldn't want as well for your workforce, because then some the, you use control over all of your users and they're having their own passwords and their own things going on. So in B2B, even more, it became a standard to provide those services. And in B2C users are learning to adopt that as well.
But that's just the numbers and facts. Now, one thing we also want to talk about is how can you make it better? Because we've seen the perfect state we've seen where we are right now. How do we get there? And this slide maybe seems counterintuitive for two, what we heard before around not balancing, but combining user experience and security. But what this slide is really saying is that in every situation in our app, we want to make a decision about how sure do we have to be be that the user is really who they're claiming they are and how much friction do we want to introduce to proof who that user is. And this is not a one time decision. This is exactly where zero trust comes in. This is exactly where this authorization comes in. Whenever a user clicks on a button in our application, we want to think, are we providing the right security?
Are we sure enough about who that user is? And is it worth for the user to go through that friction in order to prove it is the data really that sensitive. And that's basically just a curve. You can keep in mind whenever you're designing new features to think about what's the sweet spot on the minimal assurance that a user will also support me securing them. And what's the friction absolutely necessary to introduce that, which the more we move to our ideal state, the better this ball will go, but we have less friction with more assurance, but for now, just keep that in mind. And when we look at current identity landscapes and the current ways we authentic can use this, there are lots and lots of tools on our toolbox. This is by far on everything we have. This is just, let's say the top five that we're seeing with two factor being kind of an odd one in here, but the idea behind it is that a lot of companies out there are currently here, they are maybe using email and password.
They are using social login C space, maybe single sign on when they're an enterprise place. And that can be a good start if you're then thinking about the risk that you have in your system. And we personally call these charts. So to say risk profiles, to think about when a user just wants to see my product store and in a workforce, when a user just wants to access the menu in the team, then letting them sign in with an email password, or even with a SMS password list code, which has its drawback as well would be enough because it's relatively unsensitive data. If this data got out, if the user isn't who they claim to be, that wouldn't be deal breaking. But then on the other hand, if a user travels through our application, if they maybe want to pay something and they change or even want to just see credit card information on a workforce scenario, if we maybe accessing the user directory in our company where we're seeing phone contacts, address and everything of our users, this is the case for multifactor.
And this is something you can do right now, thinking about NFA as something, we have something we are and something we know those three factors checking any two of those factors already gives you a boost in security, no matter what authentication method you're using. And these are the quick ones that you can have. This is where you can easily make your system more secure with just a few tweaks. And once you are there, this is stem where we can think to modernize this. So we've chosen biometrics as an example for modern passiveness, there are a lot more, they can be device bound. They can be maybe even database bound. We've seen biometrics that actually can travel ish still with a device context, but that are applicable of multiple devices. This is then where you can think about how can I have a better risk assurance with less user friction, which then means I can have more use cases which are easily accessible for my users without always having to fall back to multifactor, or for example, think about a push notification avenue on your phone.
This already has both, it has something, or it already checks two factors. It checks something we have or phone and something we are, for example, through our fingerprint through biometric factors. So this is really what you can then start modernizing piece by piece and start replacing your existing system wherever you are on the journey with more modern technologies in the right pace and with the right level assurance that your business needs. That being said, this was just a, let's say introduction to where we are in industry, how we can do it now, what we'd love to do. And I'm just handing back the work for Martin copy in a second is if you have any questions for this, please feel free to prompt to us. We're more than happy to answer anything you're interested in around that whole topic. And with that being said back to you,
Okay, you already said, this brings us to Q and a thank you very much for your insight for the presentation, all the data you've provided here. I think this was really very helpful. And as I've said, right now, we do the Q and a, we have already a couple of questions here. And again, my demand to the audience. If you have any questions, please enter your questions. No, so that to be as Patrick and me can provide the answers. The first question I'd like to look at is about how can those consumer management practices be applied to workforce identity measurement? I think this is an important point because we have more experience in good authentication state like this in the consumer space. Not enough if you look at many websites, but still some good examples. So how can we transfer this to the, to the workforce to be as in Patrick?
Yeah. So I can just quickly start on that. What we're seeing is the challenges are similar in this space. We have one let's call it advantage in our workforce safety management. We have a much better leverage in our users to force them doing things. So the threshold of a user leaving our service is a lot higher because a worker probably won't quit because they have to set a second password, but still we have to make exactly the same decisions which applications do need. What kind of assurance, where do I have to make it easy for my users to access services? And where can I afford more friction also what you mentioned before on zero trust, right? From what context can a user sign in, we need the centralized database, just the same way we need in the consumer identity and access management space. So what we're seeing is that most of the things that we're presented right now easily apply the same way to workforce access management. And in there can then be enriched with concepts that we already know, like IGA provisioning, et cetera, to enter even deeper level of security infuse by those authentication best practices we just looked at.
Okay. Thank you. Another question we have here is how would zero trust work with business partners? How can I secure users when my customers authentic themselves or them themselves?
Okay.
So more business partner side of things. So, so if your business partners responsible or indicating the B first, how can you trust the business partner? Whether it's a supplier or a customer in whichever end of supply chain? It is
Correct. So these questions are more into doing so I'll just, I'll just keep on talking and feel free to chime in. If I miss anything for us, this is a question we get a lot because the problem we're seeing is of course the user already has been authenticated. Now I don't wanna just by default reauthenticate them again. And this is really then about shared responsibility for the login journey. So of course there are technologies which can make it easier where basically identity systems talk to each other, tell each other, what have you already done? What do I still have to do? But usually companies are not that far ahead in that journey. So what we're seeing more often is that you, as a provider, just have to provide the right interfaces and the right capabilities for your customers to connect their own systems in a way that your business partners can control access because they have all their users, they know exactly again, your application, how sensitive is it? How much do I want my user to be secured before they can access your system? And this is something you can actually offload, or at least partially involve your business customers so they can manage that. And they just hand over users when they are fully authenticated. So you just have to worry about the authorization part, where again, then your business partners can support you by giving you the right information about what groups, the users, in what roles they have. So it's more about collaboration than handover in essay to fix this.
Okay, thank you. Maybe at that time, we, we have a look at the first of the two polls and the results of this Poland. I think it's not surprising that quite a significant chair of the audience of today is defining, implementing FFA and application as their sort of most important identity security topic or identity management topic. But you also see that authorization becomes more and more relevant. So that's something we see in the market. That's Analyst. There's more talk about authorization, not just saying, how do I let someone in, but how do I control what the person's allowed to do your trust closely following while they more conceptual conceptual things like creating a blueprint are somewhat lower down there and dealing with trust and time access, which is probably more future thing is still a little thank you for displaying the poll. And let's move to the next question. So we have one more question here. Maybe we'll get one or 1, 2, 1 or two more in from the audience. The third question is, is there innovation in the authentication space you see, and which are the new technologies emerging. This is probably a question where you can provide an answer and that I can bring in some of my perspectives as an Analyst.
Absolutely. I think you are the expert on this. What we are seeing a lot of demand on is twofold. One is authentication methods that make the user journey easier. So I mentioned before companies, which are, for example, building better biometrics where a biometrical factor doesn't have to be device bump means we only enroll biometrics once and can still with a lot of security and cryptography magic securely switch our right without having to re-enroll on that device. And there are lot of technologies dealing around that. And the other part that we're seeing is authentication factors, which raise the assurance. So the, yeah, the security of this is the user they claim to be. And once striking example, we are seeing a lot in the European Nordics, but also slowly shivering into the dark markets. And other parts of Europe is E IDs. For example, the capability to sign in with your government ID or with your bank ID, maybe. So some official yeah. Authority, which provides that proof that you are really who you claim to be because that opens a whole new set of personal opportunities. And we can be actually really sure this is to bias speaking right now in a legal way. Not only in a okay, we're pretty sure we perceived to bias as being the real person. So these are two.
Yeah, I think that's something I confirm. So what we see a lot is a trend around on one hand, getting better in identity, approving our identity wedding. So also making it simpler. So I think some of you, some of us might, and, and some of the audience might have gotten through video event approaches. They can be quite cumbersome sometimes. So we need to make it very convenient again here. And we also need to look at reusable identity. So how can we use reuses strong proof from different purposes and how can we integrate things like EITs or other strong identity proofs into what we are doing? How can we make it reusable? And for me, this is just one more approach to authenticate. It is nothing which says then the clearly totally changes. It is just sort of another idea, another proof we should bring in.
And this is definitely one of the things I would also agree with the need for a lot of innovation around it. Let's call it device roaming or using multiple devices, replacing devices, et cetera, in, in many areas without compromising security, because the bigger challenge here at the end of the day, but clearly one of the errors. And then I think that came up in the poll. We also see this going beyond trust the authentication to authorization. So using that, that level of assurance as an information that is provided further to, to for instance, line of business applications, to digital services, cetera, to consume that information and to make decisions within an application, so to relate your authorization. So what is someone allowed to do based on that risk and context is something we see in a broader use case. And I think one of the things is we need to keep in mind, some industry specifically finance when it comes to online banking, et cetera, is relatively mature in many of these things. But what we really see is we see this happening in more and more other industries these days. So it's something which goes well beyond retail and banking, and it's something we see also well beyond the consumer into the workforce. So we see this becoming more and Moret.
Absolutely.
Okay. I think with that, we already done with our questions to be Patrick, thank you for giving your insights, providing your insights today. Thank you very much to Dr. And our zero for supporting this coping call webinar. Thank you to the entire audience for listening to our call webinar. Hope to see you next week in Berlin. It's the place to be, and you've learn a lot about your future there. So thank you. And hopefully have you soon back in one of our upcoming events. Thank you.
Thank you very much.
Our cybersecurity conference. Again, building is a fully hybrid event. Housekeeping, first, you don't need to control audio. We are doing this, so that should work well. We will do two polls during the webinar. I always appreciate your sort of active participation. The more people answer the better, the, the results are the more valuable, and we will time allows shares in the Q and a session. Q a will be at the end of the webinar, but you can enter your questions at any time in the go to webinar control panel, the right answer screen, you'll find the option to enter your questions. And as I've said, more questions make a more likely Q and a session. Last least there we are doing a recording and the podcast will be made available short term. So usually by tomorrow, and we also will provide the slide deck for downloads so that you don't need to take sort of exhaustive notes or so with that, let's proceed to the first poll.
And this is all about topics. And clearly we could list more topics, but I've picked some five topics here and I'm interested in which are, which of these topics are most relevant to you today, or which is the most relevant topic for you today? Is it more blueprint to have generic perspective than I am? Is it multifactor authentication, password, less indication? Is it trust in time access and getting rid of all these standing privileges and standing entitlements? Is it looking beyond education to authorization or is it more the zero trust journey from concept talk to reality? So please enter your responses so that we have hopefully a lot of answers here. I'll give you another 10 seconds or so.
Okay. Then I think we can close the poll. We will do a second poll later on, but for now let's get started with the content of this webinar. As for most of our webinars, we have a, we have three parts of our trend. The first part is short term. I'll give about combining security and convenience. And so how does cam sort of improve what we do in authentication? The second part that will be a talk by who will talk about how modern identity management delivers post security, usability, and they will mainly look, or a large portion of their talk will be about also looking at some other surveys or have done look the results and what it means. And finally, there will be already a Q a session by the end of this webinar. So without further I do, let's look at the, I'll talk about, I, I wanna talk about, or start with this talk was look at zero trust.
Zero trust is this concept we, which is around for, for quite a long time. I think it's more than 12 years right now, but in the past two years, it became way more prominent than before. But what is from my perspective important is that when we look at identity authentication, then these are core elements, which are the forefront of everything we do around zero trust. It starts with identity. So with zero trust, being this guiding principle for modern security and modern identity and for doing things right, we also have learned that it's more than the trust networks or something like that. It starts with the identity. So someone Martin is using device. So Martin authenticates uses the device, and this is frequently something which is, is point already because the device very frequently is part of the authentication procedure. It's our second factor. Traffic goes over the network to system, to an application or to a sad service, theres access to data and data must be protected.
Data must be governed and all this, for instance, software, we also have learned, I think the hardware over the past two years or two and a half years, we just can't trust software. We must verify as much as we can. We also must include so in our zero trust concept. And so in this world of zero trust, it's still the point. It starts with identity and with devices. And the authentication of the user is the very first touchpoint to sort of it towards the essence of zero trust, not trust trusting, but always verifying. And we need to do this good, and we need to do it convenient. And I think also what we have learned over the past years is it's not really the password, which can be at the center, which can remain at the center of falsification, that there are under pressure. There are good reasons that they are depression.
It's really time to act, to become passwordless, to become more flexible in what we do. And what I believe is very, what's also very important is to do this everywhere. So we talk a lot about passwordless indication both for, for workforce and for consumers. But then I look at my own daily experience in the internet. This is anything, but passwordless, I have so many passwords to remember because websites trust don't support when they purchase something. Or so don't support another approach than username password. We need to get rid of this because it's a security issue. Passwords, we all know are a weak element, security. It's a convenience factor dealing with all the passwords every day is not convenient. I just recently raised the question about how many passwords people have to deal with it. Sometimes really huge numbers. Some report they have more than 50 passwords.
They, they are at least aware of in their business life, not to talk about all the websites. It's a costing. We all know that certain share and significant share of the help desk work goes into password resets, password manly, NVF regulations, the C in the us a while ago, defined single factor authentication, sort of standard username password, for instance, being insecure. And we have a lot of regulations which mandate take PSD two and others, which mandate stronger authentication. So we need to get rid of passwords. We need to move to something which is password less and everything where you don't see a password is password less. And every everything which every technology that has declared to be a password less is really password less. So we could clearly spend quite some time about discussing when is something pass, but less or not. I think I'll, I'll make a very important distinction here for the purposes of this webinar.
And one that I think is quite good as a, as a distinction to use in practice. And that is about don't let passwords travel. Don't use passwords as the standard mechanism. If it's a fallback, we can discuss, there are some technologies to say we not even needed, but the point is, once passwords are traveling, then it's not passwordless. That might be still a single sign on. It might be something where the passwords sitting from the user, but it's not passwordless. And as I said, passwords, they are a risk. We need to have multiple factors and good a education to my perspective is multifactor. It is risk based. So we understand the risk of the access to risk of, of the user, where it is, which also it's context, where, so it's Martin really stood disease now, now, or has it be in a five minutes ago, right now he's somewhere totally different, totally different place.
That is a context information, which adds to the risk. It must be convenient and it must fit to the different use cases that different uses the different usage, the different devices. So we need to make it way more flexible than we did in the past. And that trusts say, okay, instead of username has what we now support this one other single approach. We need to be more flexible. We need to get broader in what we support because people want to have this convenience and this flexibility. And so in the traditional scheme, we have to username on the password and that's already good scheme because maybe not so traditional because most that with a OTP or so, but a password travels together with another factor to an Aion system that integrates a service, even worse could be that trust, username and password travel to a service and passwords traveling are sort of at core of risk because then they end up somewhere.
They need to be compared to something. And that means we have somewhere database passwords and these databases of passwords, some, some share of these database of passwords and has, have ended up in the dark web because they got de leaked. And so, so you have these engines, which help you're looking up our passwords, you, you are using already somewhere in the dark web, which shows if we even have engines for that, how big the problem is. And so paths traveling and central repositories of passwords mean we are in trouble, the modern scheme, and they are differents. And I keep to the very high level here. But the modern scheme is about a, has a device binding. It's an authentication to the device. There's support for standards such as Fido. And what factually happens is that keys are kept in a secure element. So some piece of hardware, which secures secrets like keys on a device, like a trusted platform, module trip, and only that key or that key information and challenges they are traveling.
It's not that the password travels anymore, even if there's a pin, for instance, as a last for a second factor, that pin is not traveling, nothing which is held centrally ghost authentication system authentication system works with a risk engine. It looks at the risk. It looks at a context and then gives access or not for the service. It might ask for more, more verification to take the zero trust terminology here. And that is what's happening here. And this is a very different approach because it is avoiding this old challenge of passwords, traveling and passwords being held from where centrally,
We also need to make it flexible. And this is the slide right now to bring up, which is a little, maybe a little complicated, but what, what I wanna bring to your attention is we must that thing in authentication. As one thing, this is more, we have an authenticator, so we can use different types of devices, different types of a, some of you like me might have a notebook, which has a camera and a fingerprint reader. And so I can use both a biometric authenticators. It's the same device. So the authenticator, the device, the authentication system, where I work against the directory or records, the customer records, which are held in internal systems like line of business applications, like the CRM, etcetera. These are all different elements and we can do identity proving with different types of tools. We can do. The registration process should be issued really as a separate component.
And so what we have at the end, we have a user journey. We, at the end, we have two user journeys, registration and recurring authentication, and both consist of multiple steps involving multiple systems. And the more flexible we are in saying, okay, we can work with different authenticators with different IDPs. We can connect all the various business systems. The better we are. And what we to do is we need to understand that we need that we don't have just an registration or authentication, but this is something this journey consists of several steps. And we need to understand these steps. Cause we can have gather some flexibility in each and every of these steps. So we need to get rid of saying, okay, we shift. I mentioned this before from one authenticator to the next one or from one approach to the next, but to get more flexible because users have different requirements as old workforce for your business partners, for the consumers, we need to do it better and deconstructing the user journey and looking at the various elements really helps in getting better in this and getting more flexible and being better, able to change something when the world changes.
And what we also need is zero friction. Recurring Aion is the thing which happens again and again, and again, also take rate the drop rates during registrations are one of the things every retailer and e-commerce looks at and others as well. So how many of the people start doing it and drop off before they order how biggest our churn rates of people are not coming back. And I think everyone of us has experienced as saying, oh, ah, I'd like to buy something again there. And then you ask for the username and the password and you single God, what has this been? And then sometimes you say, okay, maybe then I go somewhere else where I'm know that it will work immediately where I'm not both by this. So zero friction is essential for everyone. And what we must get rid of is the thinking in balancing convenience, security, or sentences like that, this sentence is wrong.
It's a wrong concept. When someone comes up with, oh, we need to balance convenience and security, then we should step back and think about how can we combine it? How can we get both? Because balancing means if convenience goes up, then security goes down. If security goes up, convenience goes down. It's a trade off thing. What we can to do today. This modern authentication, I think this is the key message. We can combine convenience and security. We can make things more convenient and more secure. And that is where we should look for. Cause that is what our customers are expecting, what our employees are expecting, what everyone is expecting. They expect security and they expect convenience. And you can get both today. And this must be our strategy for modern security, getting rid of friction, getting rid of penalizing people for an increase in security with that. I'd like to look at the second poll for today. And that is a very simple question. Very easy to answer, which is trust, has your organization suffered an attack that was caused by breached passwords? Yes or no? So come on the more answer, the better I'll give you another 10 seconds. Please enter your, your response now. Okay. Thank you with that. I hand over to, to be as one and put against to be as your, okay.
Thank you very much also. I couldn't agree more. So also we, from a vendor side, absolutely having exactly that combination of security and convenience, making sure we have all the flexibility on system. This is exactly what we're seeing every day in our daily work, because what we did is we basically made a survey with our customers and we just asked our customers, how do you currently look at identity access management? We started this as a science survey. So focusing on the consumer side of things, but a lot of the learning that we made along the way are also applicable to workforce identity and any other case where users want to authenticate and authorize against the centralized system. So when we look at it, just a bit of a background on where we are coming from when we did the survey, we asked it decision makers to learn about where are they right now in their journey.
We just heard the perfect status quo. What we just learned is what we all have to get to, but what is it that companies are doing right now? And while we walk you through the key findings, just a few key takeaways we can already share is that a lot of companies currently are investing heavily in thinking about just security. And as we just learned, our consumers expect more and I wanna make an even bold thesis. We cannot secure a user who doesn't want to be secured. So by neglecting the user experience and the customer needs, we're actually making our system more insecure. And we're gonna get to that back later on where I provide a bit of insights on what we are seeing this that way. And yeah, basically to just dive right in, when we ask companies, what are your key criteria when you're thinking about an identity access manager strategy specifically for event users, what we can see is most of companies care about it, infrastructure and it security, which makes sense because in the end it is a security component of our tool securing our users, our users' data and our user access to the platform.
So coming from that, it makes sense that we care about the security aspect of things. Now, what we can see is that only 40 ish percent of users care about centralized data. That is something that will get in the way when we come back to the flexibility part that we've just seen. If we want to make context based decisions, if we wanna know that this user just sign in from shortcut and now five minutes later, he's signing in from London, then we need to have a central database of that user. We need to have central auditing central locks. Same when we come with consistent experience across brands, standardized access for customers using several services, you may also notice a single sign on, in some instances where even less companies are caring about, which is already a friction engineering wise and strategy wise, which will prohibit us because we forget about how will our system work for our end user.
And we're focusing too much on what can we secure from a back end? And it becomes even more striking when we look at functions like marketing, for example, product management, where we can clearly see companies still see the, let's say the responsibility and also the work of implementing identity access management system, purely in the it department or in the it developers department, maybe in a company, but very, very few companies are actually consider considering taking the input from the customer facing side of the house and building that in thinking about how can we not only use identity access management to mitigate our risk, but actively investigating, how can we use it as a business driver? How can we make our products better in order by using identity access management. And that is something where we see a huge gap and huge potential for our customers. And for that, I'd like to hand over to my colleague, Patrick, to walk you a bit more through why then it can also be an opportunity.
Thank you, device. Yes. Why? Oh, I can see. Perfect. Thank you device. Yeah. Why can yeah, taking users into account, be an opportunity for you and not a security risk? So what studies have shown in the PVC study from 2018 is that users actually look for applications that are intuitive. So what I saw also in discussions with my customers for example, is that they prefer to really a build up an authentication process, which is natural, which is made for not just users it's made for humans. It's something we saw also with the customer of us, it's called flow health who made, who made it to increases sign upright by 12.5 times by make, by creating an authentication authorization process, which is just more natural to humans than aesthetic user approach they had in, in the first base. So it's really this balance between convenience and security, where they pushed up both sides instead of just making up security and really lowering the, the user convenience.
And the same goes with the trust part. So users want to, to trust a platform if they don't trust you, they don't provide you as many information as you might need to. So for example, we have also, one of our customers is a big trading company acting on a, on a global space. And the biggest advantage they have is creating trust with the help of our solutions to really convince the users to yeah, provide all the information. Doesn't matter if it's a seller or a buyer, they need to trust each other and they need to build the trust to make it a really yeah. Collaboration platform for all of the participants acting in it. And yeah, last point is also the alternative. So if you're one of the vendors who alone I'm gonna market and yeah, for sure, you're lucky, but most of of us have some kind of competitors and users are likely to just change when they experience any kind of risks, any kind of negative experience. And that's what has study also shown that one out of three will leave the application. Doesn't matter if it's a B2C company or application or a B2B application.
Perfect. Thank you device. So now coming to, to the, to the next study, which is from, from last year, actually it was to command study from, from, and what we wanted to, to understand where the market is right now and what the users actually want. So this is a mix of, of B2B and B2C approach. And we saw that yeah, almost 50%. So 47% of, of the users preferred to really yeah. Use multifactor authentication, especially when, before signing up to an application and they want single sign on. So that's something we experienced quite often, especially when speaking with sales vendors who also experienced that companies are more and more requiring single sign on for, for their applications. And yeah, 42% of, of the users require biometrics. So they don't want to lock in again and again with a username and password, they just want to use their fingerprint as their way of an authentication, like we've mentioned before, they want just simple and easy to use authentication process.
Same goes with a social login followed with 34%. And yeah, last one is the password. Last option followed with 32% where people just want to yeah. Easily lock in into the application to don't really care too much about the authentication itself. They want to use your services or your, your applications, but whereas the market right now, so we see just 28% on of the applications are actually using multifactor authentication. So what we see or what I personally experienced is that most of the vendors still think that the data is not sensitive enough there maybe not in the right space as there are no fin company, cetera, cetera, but people actually require that amount of security as we saw in, in the studies, 45% of all the vendors already offer single sign on, which is pretty good, pretty common, especially on, on a German market. We see it quite often.
Yeah. People prefer it as option. Biometric is still growing, but there's still a gap. We are halfway there. Let's call like this. And yeah, only 26% of the companies believe in, in fingerprints and 52% of them believe as password. Yeah. As a, as a factor in there as well in the future, 31% of, of the companies are already providing social lock in. And just 20% of, of the companies are, are already offering passwordless authentication options, but we still have 11% offering none of the above. They still go just with username and password and don't see the points of, of using any other yeah. Login options so far. Thank you to be
Absolutely. And just to quickly chime in here, going back to my slides as directing up, let's put all of that back together with what we just learned about trust about the security needs to go password less. What this really shows is that oftentimes companies underestimate their users. And while it may seem intimidating to just throw password less, to throw biometrics, just throw we thin and all the cool tools that we would have at our users, what we can see is a lot of them actually would value that. And just wrapping that back together, just putting what customers want against the trust. That means that it's not only for your online banking, that it's not only for your healthcare records where we need strong security, but it's in everyday situations. And by the way, if you may be thinking right now, well, that's very retail heavy, or I'm thinking about it's my online shop, where I'm using MFA for my credit card change, something like that.
You're right. That certainly applies there. But what we're also seeing is in a B2B interaction. So when we're working with other businesses and providing services to other businesses, they have the same challenges because not being able to provide frictionless signal sign on is a literal say, it's blocker. There will be companies who are prohibited from using your service or at least where their security will make it significantly harder to sell into those services into those companies when you tell them, well, yeah, all your users would have to create a password in order to use our service. That is something that most modern companies don't want. And that probably you wouldn't want as well for your workforce, because then some the, you use control over all of your users and they're having their own passwords and their own things going on. So in B2B, even more, it became a standard to provide those services. And in B2C users are learning to adopt that as well.
But that's just the numbers and facts. Now, one thing we also want to talk about is how can you make it better? Because we've seen the perfect state we've seen where we are right now. How do we get there? And this slide maybe seems counterintuitive for two, what we heard before around not balancing, but combining user experience and security. But what this slide is really saying is that in every situation in our app, we want to make a decision about how sure do we have to be be that the user is really who they're claiming they are and how much friction do we want to introduce to proof who that user is. And this is not a one time decision. This is exactly where zero trust comes in. This is exactly where this authorization comes in. Whenever a user clicks on a button in our application, we want to think, are we providing the right security?
Are we sure enough about who that user is? And is it worth for the user to go through that friction in order to prove it is the data really that sensitive. And that's basically just a curve. You can keep in mind whenever you're designing new features to think about what's the sweet spot on the minimal assurance that a user will also support me securing them. And what's the friction absolutely necessary to introduce that, which the more we move to our ideal state, the better this ball will go, but we have less friction with more assurance, but for now, just keep that in mind. And when we look at current identity landscapes and the current ways we authentic can use this, there are lots and lots of tools on our toolbox. This is by far on everything we have. This is just, let's say the top five that we're seeing with two factor being kind of an odd one in here, but the idea behind it is that a lot of companies out there are currently here, they are maybe using email and password.
They are using social login C space, maybe single sign on when they're an enterprise place. And that can be a good start if you're then thinking about the risk that you have in your system. And we personally call these charts. So to say risk profiles, to think about when a user just wants to see my product store and in a workforce, when a user just wants to access the menu in the team, then letting them sign in with an email password, or even with a SMS password list code, which has its drawback as well would be enough because it's relatively unsensitive data. If this data got out, if the user isn't who they claim to be, that wouldn't be deal breaking. But then on the other hand, if a user travels through our application, if they maybe want to pay something and they change or even want to just see credit card information on a workforce scenario, if we maybe accessing the user directory in our company where we're seeing phone contacts, address and everything of our users, this is the case for multifactor.
And this is something you can do right now, thinking about NFA as something, we have something we are and something we know those three factors checking any two of those factors already gives you a boost in security, no matter what authentication method you're using. And these are the quick ones that you can have. This is where you can easily make your system more secure with just a few tweaks. And once you are there, this is stem where we can think to modernize this. So we've chosen biometrics as an example for modern passiveness, there are a lot more, they can be device bound. They can be maybe even database bound. We've seen biometrics that actually can travel ish still with a device context, but that are applicable of multiple devices. This is then where you can think about how can I have a better risk assurance with less user friction, which then means I can have more use cases which are easily accessible for my users without always having to fall back to multifactor, or for example, think about a push notification avenue on your phone.
This already has both, it has something, or it already checks two factors. It checks something we have or phone and something we are, for example, through our fingerprint through biometric factors. So this is really what you can then start modernizing piece by piece and start replacing your existing system wherever you are on the journey with more modern technologies in the right pace and with the right level assurance that your business needs. That being said, this was just a, let's say introduction to where we are in industry, how we can do it now, what we'd love to do. And I'm just handing back the work for Martin copy in a second is if you have any questions for this, please feel free to prompt to us. We're more than happy to answer anything you're interested in around that whole topic. And with that being said back to you,
Okay, you already said, this brings us to Q and a thank you very much for your insight for the presentation, all the data you've provided here. I think this was really very helpful. And as I've said, right now, we do the Q and a, we have already a couple of questions here. And again, my demand to the audience. If you have any questions, please enter your questions. No, so that to be as Patrick and me can provide the answers. The first question I'd like to look at is about how can those consumer management practices be applied to workforce identity measurement? I think this is an important point because we have more experience in good authentication state like this in the consumer space. Not enough if you look at many websites, but still some good examples. So how can we transfer this to the, to the workforce to be as in Patrick?
Yeah. So I can just quickly start on that. What we're seeing is the challenges are similar in this space. We have one let's call it advantage in our workforce safety management. We have a much better leverage in our users to force them doing things. So the threshold of a user leaving our service is a lot higher because a worker probably won't quit because they have to set a second password, but still we have to make exactly the same decisions which applications do need. What kind of assurance, where do I have to make it easy for my users to access services? And where can I afford more friction also what you mentioned before on zero trust, right? From what context can a user sign in, we need the centralized database, just the same way we need in the consumer identity and access management space. So what we're seeing is that most of the things that we're presented right now easily apply the same way to workforce access management. And in there can then be enriched with concepts that we already know, like IGA provisioning, et cetera, to enter even deeper level of security infuse by those authentication best practices we just looked at.
Okay. Thank you. Another question we have here is how would zero trust work with business partners? How can I secure users when my customers authentic themselves or them themselves?
Okay.
So more business partner side of things. So, so if your business partners responsible or indicating the B first, how can you trust the business partner? Whether it's a supplier or a customer in whichever end of supply chain? It is
Correct. So these questions are more into doing so I'll just, I'll just keep on talking and feel free to chime in. If I miss anything for us, this is a question we get a lot because the problem we're seeing is of course the user already has been authenticated. Now I don't wanna just by default reauthenticate them again. And this is really then about shared responsibility for the login journey. So of course there are technologies which can make it easier where basically identity systems talk to each other, tell each other, what have you already done? What do I still have to do? But usually companies are not that far ahead in that journey. So what we're seeing more often is that you, as a provider, just have to provide the right interfaces and the right capabilities for your customers to connect their own systems in a way that your business partners can control access because they have all their users, they know exactly again, your application, how sensitive is it? How much do I want my user to be secured before they can access your system? And this is something you can actually offload, or at least partially involve your business customers so they can manage that. And they just hand over users when they are fully authenticated. So you just have to worry about the authorization part, where again, then your business partners can support you by giving you the right information about what groups, the users, in what roles they have. So it's more about collaboration than handover in essay to fix this.
Okay, thank you. Maybe at that time, we, we have a look at the first of the two polls and the results of this Poland. I think it's not surprising that quite a significant chair of the audience of today is defining, implementing FFA and application as their sort of most important identity security topic or identity management topic. But you also see that authorization becomes more and more relevant. So that's something we see in the market. That's Analyst. There's more talk about authorization, not just saying, how do I let someone in, but how do I control what the person's allowed to do your trust closely following while they more conceptual conceptual things like creating a blueprint are somewhat lower down there and dealing with trust and time access, which is probably more future thing is still a little thank you for displaying the poll. And let's move to the next question. So we have one more question here. Maybe we'll get one or 1, 2, 1 or two more in from the audience. The third question is, is there innovation in the authentication space you see, and which are the new technologies emerging. This is probably a question where you can provide an answer and that I can bring in some of my perspectives as an Analyst.
Absolutely. I think you are the expert on this. What we are seeing a lot of demand on is twofold. One is authentication methods that make the user journey easier. So I mentioned before companies, which are, for example, building better biometrics where a biometrical factor doesn't have to be device bump means we only enroll biometrics once and can still with a lot of security and cryptography magic securely switch our right without having to re-enroll on that device. And there are lot of technologies dealing around that. And the other part that we're seeing is authentication factors, which raise the assurance. So the, yeah, the security of this is the user they claim to be. And once striking example, we are seeing a lot in the European Nordics, but also slowly shivering into the dark markets. And other parts of Europe is E IDs. For example, the capability to sign in with your government ID or with your bank ID, maybe. So some official yeah. Authority, which provides that proof that you are really who you claim to be because that opens a whole new set of personal opportunities. And we can be actually really sure this is to bias speaking right now in a legal way. Not only in a okay, we're pretty sure we perceived to bias as being the real person. So these are two.
Yeah, I think that's something I confirm. So what we see a lot is a trend around on one hand, getting better in identity, approving our identity wedding. So also making it simpler. So I think some of you, some of us might, and, and some of the audience might have gotten through video event approaches. They can be quite cumbersome sometimes. So we need to make it very convenient again here. And we also need to look at reusable identity. So how can we use reuses strong proof from different purposes and how can we integrate things like EITs or other strong identity proofs into what we are doing? How can we make it reusable? And for me, this is just one more approach to authenticate. It is nothing which says then the clearly totally changes. It is just sort of another idea, another proof we should bring in.
And this is definitely one of the things I would also agree with the need for a lot of innovation around it. Let's call it device roaming or using multiple devices, replacing devices, et cetera, in, in many areas without compromising security, because the bigger challenge here at the end of the day, but clearly one of the errors. And then I think that came up in the poll. We also see this going beyond trust the authentication to authorization. So using that, that level of assurance as an information that is provided further to, to for instance, line of business applications, to digital services, cetera, to consume that information and to make decisions within an application, so to relate your authorization. So what is someone allowed to do based on that risk and context is something we see in a broader use case. And I think one of the things is we need to keep in mind, some industry specifically finance when it comes to online banking, et cetera, is relatively mature in many of these things. But what we really see is we see this happening in more and more other industries these days. So it's something which goes well beyond retail and banking, and it's something we see also well beyond the consumer into the workforce. So we see this becoming more and Moret.
Absolutely.
Okay. I think with that, we already done with our questions to be Patrick, thank you for giving your insights, providing your insights today. Thank you very much to Dr. And our zero for supporting this coping call webinar. Thank you to the entire audience for listening to our call webinar. Hope to see you next week in Berlin. It's the place to be, and you've learn a lot about your future there. So thank you. And hopefully have you soon back in one of our upcoming events. Thank you.
Thank you very much.
Stay Connected
Related Videos
How can we help you