Passwordless by Design ("~pbD"?) - Real-Life Experiences, Constraints, and Implications

Fantastic. So I anticipate I, I'm excited by this previous presentation, so thank you. I think you'll find that this next one is gonna rhyme with it very well based on the question. So, oh, next, next. What am I doing wrong? Can you advance the slide please? There we go. Yeah. So what do we mean by passwordless? There's a lot of folks who I would say, kind of throw the word around without being very precise. And in my conversations with CISOs, I find that it doesn't go down very well. They tend to be, well, we rely on them to be a cynical and savvy bunch. And they're skeptical. They're skeptical of passwordless because static shared secrets are everywhere.
And so, well, we, we don't need to establish why passwords are bad or why people hate them. I thought I would throw a statistic at you. I do find it useful when maybe when you're talking with your colleagues just to prove how bad it is in numbers for DR. Produces an identity breach report. And last year's report showed that just in the US alone, 4.7 billion records were compromised and that was up 37% from the year prior. So, you know, things are not getting better. So it behooves us to be precise if we're gonna have a path to passwordless. So let's get crystal clear. And I think that this very much is consonant with what you just presented. We develop some definitions in order to have these conversations and to be very precise. So we have sort of three buckets into which we put what might be called passwordless. The first is a passwordless factor. We all know about the three factors, and it's easy to define passwordless as not the thing where it's something, you know, it's the other two kinds of things. However, if in any one particular authentication journey that somebody is going through involves that plus a password, what you have is basically plain old mfa. And it's not like a bad thing necessarily. You can improve security for sure. You may be subject to all the frailties of having that password be part of the experience.
So maybe this is kind of the holy grail that people keep talking about or keep hinting at, which we call complete passwordless. Sometimes in my unguarded moments, I think of this as born passwordless. You don't have to worry about forgetting or losing or having stolen or typing a password because there never was one. And it's pretty easy to see where you could apply the word passwordless to that as, as you know, as a category. And what you're achieving in that case is, is truly improving security along with the user experience. However, it's really easy to say complete passwordless and it's really hard to do in certain circumstances. And I'll go into some details.
So we don't wanna let the perfect be the enemy of the good. And so I think this phrase, passwordless experience was just used in the q and a and we see Passwordless experience as any one journey that a user goes through where they don't have to touch sea taste, smell here, a static shared secret, there is one, but it's protected in particular ways. And so you are still improving security, you can improve experience. It's on the way to something greater. So keeping this kind of framework in mind, which we found, I, I've personally found it very helpful in conversations, particularly with CISOs, but I think with everybody. So what is required to increase maturity and kind of move to the right, if you will. So we see that there's three things that you really need to do a good job. The first one is the specific authentication methods that do a right job. And in that category I include the standards most particularly 5 0 2, there's, there's others for different technology backends.
It's important that these be implemented correctly, robustly, that you have the choice that you need. What do you do with all those choices? That's where it's incredibly important to orchestrate those specific journeys. And so that the runtime experience that somebody has, chooses the right path for them, gives them choice, gives you choice. And understanding what levels of assurance you need, that that design is really, it's a creative act and it can be different for lots of different contexts. Finally, you need integrations with all the applications that need the results of authentication. And there's just so many different ones in the world and they have different ages. Some of them are very new and fresh and you might have done a technology refresh and they have everything available to them, including, for example, built in 5 0 2. And some of them may be decades old and you've lost the code to the application and you need to now worry about how it's going to absorb what you have to offer it.
Just to go into a little bit of specifics, the way we sort of see this universe of the, these three categories, I happen to have stolen away the engineer who did our web implementation. And it's really, it's really good. It isn't the end of the story. A lot of different methods come into play. So, and our approach when it comes to ensuring that the latest and greatest and best among those who specialize in specific methods, those come from what we call our trust network, which is our technology partnerships in access orchestration. Our particular version of it is the trees capability, which is no code, low code drag and drop. And we pair that with ai. It's, it's kind of nice wine and cheese pairing I find to have those silent checks along with all of the overt checks. Application integrations get really int interesting, and this is where standards based integration really helps.
Sometimes you don't have that available of course from the OSS of the world and the devices and the browsers of the world. We got a leg up with Fido, but then it comes to that back office where it gets really messy and that affects different populations. So in terms of how this maturity curve can look, if you're talking about web apps and mobile apps, you're not talking exclusively consumers or customers, but this is where we do see complete passwordless authentication really shining because for example, retailers, particularly if they have embedded finance, which is just so exciting these days, if you allow somebody to make a purchase and you get to learn something about them and they're able to in interact with you on the basis of never having to, to, to assign a password, to use a password, to store a password, to care about, to hate a password, you've lost your moment forever.
You'll never be able to actually ask them to do that again, because now you're relationship building with them. So that's quite exciting. There are places where web and mobile app complete passwordless start to become possible at the edges for workforce members, for partners and so on. But in the main, when it comes to all of these other contexts, it is more challenging. And there you're looking at Passwordless experience. You can have a really optimized passwordless experience in the modern era for these. And this is where you are able to tackle what I would say we can now call classic challenges. I mean, honestly, 10 years ago I was at Forrester and I was writing skeptical things about Passwordless and I didn't believe it was gonna happen. And I've changed my mind. You know, I did a demonstration at RSA where, you know, two of us on stage onboarded to this was the connected car thing, if you saw it yesterday, where we just onboarded to a connected car retailer and a digital sales model, complete passwordless.
And I'm here to tell you, I love it so hard. It really works. So the expense of specialty authenticators is a barrier. And that's where you can in the modern era start to just prioritize as you increase your maturity. All of those passwordless ready ones. And that's something that, you know, we have that built in. So that's why we're able to sort of just throw it together for a fun demo. Complexity of integration with legacy systems, it's true, it's tough. And this is where it's possible to leverage professionally pre-integrated solutions. Our particular one is called Enterprise Connect passwordless through a partnership with Secret double Octopus. And that's where the Passwordless experience can get really better than you might possibly know. Because if somebody is not seeing, touching, tasting, smelling, hearing a password, there is one on the back end, but it's rotated out of sight, it's injected out of sight every time.
You have done a lot to mitigate risk and you can do a lot to mitigate experience risk, if I can call it that. Finally, complexity of recovery from compromised credentials. And this is where journey orchestration really is a creative act and I really like giving people choice within the confines of the level of assurance that you know, you need to hit. One of the big benefits of NIST 800 dash 63, even though it doesn't apply to private sector technically doesn't apply to non-US technically. It's such a good idea because it gives us the vocabulary for quality.
And this is my last slide. I wanna have a few moments towards the end here. How can you maximize success? And these were, you know, some hard worn lessons. If you're gonna be able to prioritize the things that are sort of ready, passwordless ready, then identify those apps that need to support web. And obviously single sign-on pairs very nicely with strong auth, particularly strong passwordless auth versus just passwords where it's kind of, I'm not gonna say it's a disaster, I've been in the business for too long. Pick your initial users and there's lots of different ways to cut this and you'll know for your own environment what makes sense. A communication campaign, I can't stress enough how important that is as as we've put MFA and as we're putting passwordless in place internally, it becomes really critical to do a good job and be very, very transparent with your users every step of the way. Deploy incrementally and don't disable your existing methods until you've finished, nearly finished your rollout. Because if something goes wrong and you just have to bust everything back down to pure passwordless, you'll be really sorry, like what was the point? And really add enough telemetry to collect those metrics so that you know when it's safe to move on.
So we do have a poll question for you in the app if you'd like to indulge us and take a look at that. Yeah,
I just opened the, on the app you can find, maybe I can also say it out loud. Which type of passwords are you focused on the most? A passwordless factor B, passwordless experience, C, complete passwordless. You can take your time to transfer. And meanwhile I can take a couple of questions and at the end maybe you want to discuss the poll results we are gonna share with you guys. Any questions for a moment?
One question there. All right.
Yeah. This time it's maybe not a question, but more of a remark. In the beginning you said that Caesars are scared of passwordless. I'm from the IT security point of view, this, that's why I've got a different opinion to that. They shall accept that passwordless is coming and because passwords are not then the most attractive for the attackers anymore, they should focus on securing sessions because the attackers will then look into session hijacking, the passwords are secure, now they're gonna look for the next attack vector, which will then be the sessions.
Yeah, I, I support what you have to say. I mean I what? I don't think they were scared. I think they just didn't believe it. They were skeptical because if you're talking about, let's say the consumer population, well it seems easier in that case, but they know the entire stack of secrets that are there in the back office for the employees and they may be, you know, despairing of actually excising them from the environment. And so I'm here to say it is possible, right? Like, you know, I was a skeptic. I, you know, last year I went to, boy, I hope this we can all pull this thing off. And now I'm like, let's go. It's, it's ready today. And that's the exciting thing. So maybe we can help spread the word together
For, for consumer there will be passwordless and password side by side for a very long time. And including the pass say, passwordless recovery process will be very complicated. How will will it be handled from the customer point of view when two complex processes are side by side and the customized to choose the right process?
It, it's a great question. One of the futures that I'm excited about is, I guess I'm gonna bring up the wallet topic. You know, wallet based credentials have a paradigm where we can imagine strongly assured passwordless born that way. And one of the things that we have been investigating right now, we've developed a POC, is simply a journey. So in my case it's the trees sort of journey just designed with trees and nodes and trees dragged and dropped to achieve a conversion from password based to retiring passwords and going to passwordless. And you can do that with today's passwordless. And if tomorrow's passwordless is wallet based, then you need to orchestrate that journey and you need to do testing with your users. But you know, the sooner we can make it possible to just go delete that stuff, the better. And, and I believe it's possible to design great experiences on the way to that.
All right. Yeah, maybe we can see the pull results. If you wish to say a few words about it, can we have the poll results please? Thank you for your participation by the way.
Ah-huh. Yeah, that's interesting. I think, you know, some people have called for the death of mfa, you know, there has to be the death declared of something and you know, maybe plain old MFA is on its way out. Really interesting. I think we can get a lot outta the passwordless experience started over 40
Attendees, by the way.
What's that?
Have 39 people attend.
Wow. Thank you. Thank you everybody for, for weighing in. Thank you for your time. I don't wanna stay overstay my welcome. Thanks.