Hi, welcome to the webinar, Unlock the Potential of Passwordless Authentication. Today's speakers are Christie Pugh. She's a digital product manager at KuppingerCole and Alejandro L, that's me. I'm a research channel Analyst at KuppingerCole. And today's topic is passwordless authentication. It's a big and exciting topic and we hope that you learn something new by the end of the webinar. So let's get into the topic, but first some important information. All of you are muted, but at the end we will have a Q&A session. You can enter your questions at any time during the webinar and you can do that by using the GoToWebinar control panel. We will also run a few polls during the webinar, so I encourage all of you to participate. And yes, we will be recording the webinar and it will be available together with the slides for download in the coming days. So the agenda for today, I will begin the webinar by talking about the problems of passwords and then exploring the concept of passwordless authentication. And hopefully by the end of the presentation you will understand that by adopting a passwordless authentication solution, your organization can increase both security and convenience. And then Christie will go on and then we'll have time for Q&A.
Before we start, here's a poll question. I'm gonna give you guys maybe 30 to 40 seconds to answer. And the question is, what is the biggest challenge your customers face in adopting passwordless authentication solutions? Is it old-school mentality? Some people have no knowledge of what passwordless authentication means. Some people also don't really know about the risks associated with passwords. Perhaps it could be migrating from legacy systems. Some organizations, both small and large, often struggle to modernize their systems, or perhaps it could be having trouble selecting a product. And that's something Christie will talk about later. So I'll give you a few more seconds and then we can move on.
Okay, we can carry on then. So before we deep dive into passwordless authentication, let's do some contextual analysis first by asking the following questions: what is our actuality? What is happening in our present and where are we going? I know these sound like vague and even philosophical questions, but if we apply them to our industry, we can find some exciting developments. The acceleration of cloud adoption, the explosion of the internet of things market, the shift to remote and hybrid work and the steady growth of e-commerce are clear signs that digital transformation continues to gain momentum. So what is digital transformation? Digital transformation can be understood as a process that organizations go through to deliver digital services to consumers and customers in the digital age. Essentially, delivering digital services requires the management of digital identities of workers, customers, consumers, and partners in a secure and seamless manner.
As a result, in recent years, businesses and organizations are starting to modernize their systems by adopting new authentication mechanisms that go beyond the traditional username and password. While the elimination of passwords has been a goal for a long time, many, many people have been talking about it for years, if not decades. It seems like it's finally starting to gain traction in both workforce and consumer use cases. As we all know here, passwords are inconvenient and insecure. Passwords can easily be guessed, stolen and compromised, and relying on passwords has become increasingly risky for organizations and businesses. Numerous studies have shown that most data breaches often involve the use of stolen credentials and compromised passwords, making passwords one of the weakest links in cybersecurity. For example, in 2021, IBM showed the Cost of a Data Breach report and they found that the average cost of a data breach in an organization was about 4.2 million.
While organizations that have 80 to 100% of their workers working remotely, the average cost of a data breach was 5.5 million. It's worth noticing once again that passwords play a crucial role in data breaches. Social engineering attacks and phishing attacks are targeted at our users to obtain their passwords, account details and credentials so attackers can gain possession of them and use them for other purposes. If we go to the next slide, we can see some of the most common types of attacks and I think it's important to recognize why passwords are failing as an authentication system. In most cases, users use and reuse the same password or similar passwords across platforms, services and applications, increasing not only the risk of having a vulnerability or of a password-based attack, such as mobile SMS code, voice calls, push notifications, or one-time passcodes. When it comes to enterprise use cases, managing and resetting passwords can be very time consuming and very costly as well.
It is also important for employees to understand how cyber attacks can impact their businesses and how to protect themselves from day one. We believe that it's important for new employees to get cybersecurity awareness training during the recruitment and onboarding process. Fostering a cybersecurity culture is imperative in today's age. In our KuppingerCole research, we often talk about how legacy MFA solutions, multifactor authentication solutions, they were once held as the ultimate solution to manage the identities. But the problem is that legacy MFA systems still rely on a password as a backup or as a first factor of authentication. Traditional MFA requires users to provide two or more factors to authenticate: something they are, something they have and something they know. Unfortunately, some of these factors are prone to phishing attacks such as the ones on this slide. So by the risk associated with passwords and by adopting a passwordless authentication solution, organizations could drastically prevent password-based attacks and increase their security posture at the same time.
In recent years, we see this new trend of passwordless authentication solutions. It became a very popular and catchy term. Essentially it is used to describe a set of identity verification solutions that remove the password from all aspects of the authentication flow and from the recovery process as well. Passwordless authentication solutions should eliminate the reliance on password as an authentication method by ensuring that no password or password hashes travel over the network. In the next slide, we will provide some of the main capabilities that we believe are important to have. We understand that there are different flavors of authentication, but these are perhaps some of the most important capabilities that we believe are essential. That's the support for a broad range of authenticators, strong authentication, risk-, context-based and continuous authentication, adaptive step-up authentication, support for legacy systems, strong cryptographic approaches, integration with third parties, frictionless and convenient user experience, device trust on multiple devices, support for all major identity federation standards and a comprehensive set of APIs. We expect solutions to cover a majority of these capabilities, at least at a good baseline level.
In recent months, we published a Leadership Compass on passwordless authentication. There were more than 20 vendors participating and I'd say that the majority of them have these capabilities in this slide. And during the course of the research on this Leadership Compass, we realized that the passwordless market is very dynamic, very exciting. Many of the vendors are very passionate about their own solutions and in a way they're all doing passwordless in one way or another, but they have their own unique way of doing it and that's what makes this a very, very attractive market.
Usually the common factors involved in passwordless authentication are the smartphone and the user's biometric. In the setup, a binding between the device and the user takes place where cryptographic information that is used to authenticate is placed in a secure element. Modern devices such as computers and smartphones have these secure elements in place which can hold encrypted information. This binds the user to the device, and with biometric authentication enabled on the device, such as fingerprint reading or facial recognition, the user can authenticate without the use of a password, while the device binding provides a second factor. Only if it is the specific user with a device associated with him or her, only then the authentication will be valid. Whether fingerprints or facial recognition is better depends entirely on your organization and the needs of your organization. For example, if we look at the healthcare industry, perhaps it may be more convenient to have facial recognition technology because workers usually have their hands full, they don't have time to put their fingerprints and authenticate. The COVID-19 pandemic also accelerated innovation in this space. Biometric solutions started to adopt new algorithms and technologies to properly identify users wearing masks. There are other options such as FIDO2 tokens or smart cards that can be used for passwordless authentication. We also observe an uptake in the market for wearables such as wristbands and smart watches where biometric authentication even becomes continuous by, for instance, tracking the heartbeat.
In the next slide, we would like to emphasize that passwordless authentication should work across everything, all attack surfaces and identity sources, applications and devices, VPNs, single sign-ons, AD, the operating systems, workspaces, servers, and whatever your organization has in place. Some solutions in the market are using passwordless at a device and then federating it to other access management services or directly into the applications. Therefore, I think it's important that organizations must choose between adopting a single identity platform or maintaining multiple fragmented identity systems as they move to the cloud. Thankfully, the passwordless authentication market is thriving and it's growing rapidly with vendors offering mature solutions that support millions of users across different industries such as finance, healthcare, government, manufacturing, insurance, retail, and the defense industry. Essentially, there are two types of vendors in the passwordless market. There are vendors that are integrating to access management solutions and there are other vendors that are more specialized, provided by small but highly innovative companies, specialized passwordless vendors.
They are more focused on innovative approaches like, for example, the use of blockchain technology, or they're also more specialized in specific use cases, whereas integrated solutions serve every authentication to the access management solution and all the services around. We understand that picking a solution requires a lot of thought, a lot of analysis because you need to understand what are the specific requirements that your organization needs, and a comparison of different products and features is essential. So it's important that organizations choose the right passwordless solution that meets their unique requirements around their needs for security, user experience and technology stack.
So how to move forward, how to start this passwordless journey? Well, deciding on the right deployment model is perhaps the right approach. The capacity to support hybrid deployment across on-premises and cloud is fundamental. When considering cloud solutions, it's important to see if the vendor that you will select will also support on-premises and legacy systems. That's especially important for those organizations that continue to rely on legacy systems. Of course, costs are also an important factor. The vendor's licensing and pricing policies should be carefully analyzed, especially when aligning to your current and future needs. And perhaps another important element here is interoperability, and the ability of the product to work with other vendors' products, standards and technology should be seriously considered. Ultimately, embarking on a passwordless journey depends on your business model and your own specific requirements. Therefore, it's important that you look for trusted advisors and vendors that will support you along the way. It's important that you define your goals in measurable terms and understand them completely. I believe that this is my last slide and I will hand it over to Christie. She will introduce our new product that is good for helping you select the right product that your organization needs. Thank you.
I appreciate it, Alejandro. Thank you. As he mentioned before, my name is Christie Pugh. I am the digital product marketing manager or digital product manager at KuppingerCole and I'm very happy and excited to announce that we are releasing a new service for everyone. It's free and interactive, called KC Open Select. Alejandro mentioned that many of you may be going through some migrations and modernization at the moment, and so is KC, KuppingerCole. Our goal as far as digital product is concerned is to meet you where you're at. We are also trying to figure out our way in providing you information that's consumable and meets your needs. So I will provide you a little short demo video and then give you an introduction of KC Open Select, who KC Open Select is for and how you can leverage it in the future.
So what is KC Open Select? With KuppingerCole's intelligence, we really want to provide you, our clients, our end users, as much information, non-biased intelligence backed by our KC Analyst methodology in the Leadership Compass that Alejandro had mentioned previously, in a way that helps you meet your cybersecurity and identity and access management goals. So when we were speaking to a lot of you, we wanted to get an understanding about how you consume this information, your interactions with the analysts, the Leadership Compass, Buyer's Compass, all the great content that our analysts provide and how you can leverage that in order to meet your goals, your business goals. So in talking to clients, we're getting an understanding of what that process looks like. No matter where you are in your passwordless journey, how mature your organization is, whether or not you're greenfield, just starting out, trying to figure out what your requirements are, or you're a very mature organization with a robust program, you may be following, finding yourself in the midst of tool sprawl, or just wanting to modernize and revamp and meet your client's needs where they're at, meet your new business goals.
And so it all starts with a research process. How do you find and discover this information? And I know that KuppingerCole produces a lot of great content and there's a lot of other great research market analysts out there that also provide content. So how do you take all of this information and translate it into actual business items? Right. So with KC Open Select, you're enabled to not only discover what your project requirements are based on our intel on industry market trends, best practices or specific use cases. No matter if your project is B2C, B2B, your main focus is user friendliness because you don't want to interrupt any kind of user interaction. Our intel will allow you to aggregate all of that data into our signature KC KuppingerCole Spider Graph, provide a very good snapshot of all those requirements, and generate a short list of leading vendors that match your requirements.
You'll be able to see the ratings of every vendor as well as against those different use cases, as well as the ratings towards the specific capabilities within that category. You'll also have a lot more consumable content, so videos from different vendors, product demos, interviews with analysts. So provide you a very easy way to find and discover information that might have taken you a lot longer in previous practices. Because this process of discovering which tool, which solution is right for your organization is more often than not very time intensive, resource intensive and costly. So how can KC Open Select help you realize that value a lot quicker? Who is KC Open Select for? KC Open Select is for you. For IT professionals who are trying to make smart business decisions, this is a really good launching point for beginning a project. I've had many conversations with vendors, enterprise users who really just don't know what they don't know, and that's a very hard place to find yourself.
So with KC Open Select, it'll help guide you through your journey and provide you with information that will either spark more questions within your process, answer some questions, guide you in the right direction. You'll have the ability to reach out to our advisors and speak with analysts to answer any questions that might pop up. You'll also have the ability to reach out directly to those vendors, shortening that sale cycle as well. And all of this, again, is backed by KuppingerCole's unbiased intel. So utilizing KC Open Select will help you translate data into deliverables, and a lot of times you as IT professionals might start off with the best of intentions and you know exactly what you need to get done to reach your goals, but it's difficult to translate that into a business case. So with KC Open Select, you'll be able to display your business case in a way that makes sense and adds value to many different departments within your organization. So I am very proud to be a part of this launch, to be a part of KuppingerCole and their forward thinking mobility within the market intel arena. So I would like to hand it back over to Alejandro to speak a little bit about some of the research he's conducted with passwordless.
Thank you, Christie. So here we have some related research we've done. As I mentioned before, we have the Leadership Compass that was published last year and we had many vendors that, you know, focus on different use cases. There was one vendor that focused on small and medium enterprises in North America, another vendor that has a background in research and cooperation with universities. So they were all very interesting cases and it's a very dynamic market and I expect them to continue growing. Then we have a blog post that Principal Analyst Martin Kuppinger wrote recently and then more blog posts as well. We also have podcast recordings and other material that you can find on our website and of course you can always reach out to us in case of any question or comment. Yes, we have events and webinars. We will have the European Identity Conference in May, 2023 and we expect to see you there. And we also offer advisory services and I believe it's time for Q&A.
So, oh, here was the slide on the EIC. So here's information is from May 9th to May 12th, hybrid event in Berlin. We have plenty of topics and we will have lots of topics on passwordless that thankfully I'll be there to participate and looking forward to that. Yeah, perhaps we can take a look at some of the questions. So there's one question that says, for consumer IAM, is it cost, security or increased sale conversion that is the main driver? That's a good question. I'd say that in my opinion, security continues to be the main driver because if you have a secure organization, not only you prevent any password or data breach attack, but you can also maintain the reputation of your organization, which can always lead to increased and conversions in the long term. Of course if there was no scandal or your reputation was damaged because of a password compromised. But of course I'm sure other people have different opinions on that. Sure. Another, there's another question, is passwordless authentication safe? I think that's a good question. Of course, done right, passwordless authentication can drastically increase security in your organization, especially compared to the traditional methods of username and password. But saying that it's 100% safe, that it can be problematic but it does increase security on a very high level.
I'm seeing a question to Alejandro, and this could probably be answered with the use of KC Open Select as well, but we'll go ahead and throw it out there. What should be considered when choosing passwordless authentication solutions?
Okay, yeah, so I'd say that the scope and the breadth of authenticators are important things to consider. The more flexible that is addressed, the more use cases the organization can serve. Also it's important to take into consideration the account recovery options. For example, there were some vendors in the Leadership Compass that they require the, you know, changing the device in case a user loses a device. And so that was a bit problematic because it wasn't very convenient for user, so I can recover it. That's very important thing to think as well. I think there's another question here. When will passwords finally die? Well, I think that's the ultimate question, the question of all questions. Well, many people have argued that passwords are gonna be dead I think since the mid-2000s, but I think passwords will still, are still common. Many people still use passwords to authenticate in applications and services, but I think in this decade we're gonna see an increase in adoption with passwordless solutions. I think it's likely that passwordless solutions are going to replace passwords, but that might take, it might take years if not decades. And I'm sure that passwords are still gonna be used in some place or another. Lemme see if there are any questions. Maybe Christie, you'll see some.
I do. Let's see. Okay, so how can organizations migrate from a legacy system to a Passwordless solution?
Yeah, I think that's, it was one of the questions in the poll and I think that many vendors often find this as a challenge when they wanna talk to their customers. Think migrating from legacy systems to a more modern authentication system. It requires organizations to have more flexibility, to have fast solutions, to have comprehensive set of APIs and if they're container based and based on microservices. So of course many organizations are small and they cannot do all of these things, but that's why passwordless authentication solutions out there need to address this challenge and try to support organizations of all sizes to successfully migrate from traditional systems to a more modern authentication platform. Let's see if anyone has any last questions. So I think this is a simple question: for which use cases are passwordless authentication solutions targeted? Usually workforce and consumer use cases, also partners and, and then there's one I'm trying to, yeah, for some reason I cannot check the other questions. Oh, okay. Here's one. What is your view on passwordless demarcation? That's something actually I haven't really done much research, so I think that's a very interesting question. I will for sure take a look at that. And you know, I cannot see who asked the question, but I would like to talk to you about it. Maybe we can go back to that at some point.
Alejandro, if anyone of the viewers wants to have a continued conversation with you, how might they reach out to schedule that?
Sure. Well, they can find me on the KuppingerCole website. They can reach me via my email, al coppinger call.com or they can just find me on LinkedIn and send me a message and I'll be very happy to talk to them.
And I think the same for you, Christie. Yeah,
The same for me. 100%. Whenever anyone is using the website and there might be some sort of feature that you would like to see in the future, please let me know. I would love to have a conversation with you.
Great. Well I think there are no further questions. We can close the session.
Thank you everyone.
Yeah, I hope to see everyone on KC Open Select February 14th.
Thank you everyone
Inviting me. Have a nice day.