Passwordless Primer

Hello everyone. My name is Alejandro. I'm a research Analyst at Copier Call, and today's topic is Passwordless. I see some familiar faces, some new faces, so that's good. And I'm guessing all of you don't like passwords. So I also hope that some of you want to learn more about what Passwordless authentication is about. But before I begin with the presentation, I'd like to say that we often talk about Passwordless journey. And that's right, it's a journey.

It's not a destination, getting rid of passwords, it's just one step to improve and modernize authentication systems an important and crucial step. So going passwordless is necessary, but it's not necessarily the holy grail. That being said, I will begin with the next slide. So here's the agenda for today. I'll just talk about passwordless and then explore some technical capabilities. Then talk about a zero trust model, how you can use Passwordless on your zero trust journey. And then at the end I'll talk about how to select the right password solution.

But you know, I don't wanna spend too much time talking about how bad passwords are, but I can maybe tell a story that we all faced yesterday. If you look at, if you look here, there's the wifi password and yeah, I believe one of my one, one, someone from my team missed the last character. It was an exclamation mark. So this demonstrates how passwords are problematic. They're inconvenient and insecure.

Yeah, we, we actually, this, this is on purpose for the sake of the presentation. I'm kidding. So this is the general definition that we use at coping a call. Passwords identification is a set of identity verification solutions that remove the password from the authentication flow and from the recovery process as well. And the latter point is very important because here we have the two main components of passwordless, but these again, are very, they're common sense.

What it's not common sense is to require users to put passwords whenever they want to recover their account or whenever they want to reset their account. And during my research on passwordless, I've had conversations with some vendors and they offer passwords as a way to recover user accounts. So I think that's a bit contradictory. Here are some of the common factors involved in passwordless modern device, such as a computer or a smartphone.

Then the secure element that each of these devices have, and this is used to bind the user and the device where cryptographic information is then stored and placed in the secure element or other options, of course, 5 0 2 keys, which are very easy and fast to implement. So organ is they need to choose between adopting a single identity platform or maintaining fragmented identity systems as they move to the cloud. So passwords should work across everything.

And if we tell, if some of you work in some of the passwordless vendors, when you talk to your clients and you tell them about how passwordless will increase both security and convenience, then it should work across everything. We need to be very clear with the message we give to people, because as many of you know, many people don't really understand the technical aspects of passwordless. So the messaging must be very clear. Here's some use cases. The most common use cases, of course, there's some vendors that focus primarily on enterprise use cases.

Some of them focus on consumer use cases. Ideally, and this is just my opinion, I like to see some solutions in the future that cover all use cases. That'll be, I mean, it's easy for me to say, right? But that'll be, that'll be really cool to see in the future. So now we will look at some of the technical capabilities. Some of them are not new, some of them are more modern. Let's say like the first one, risk based adaptive authentication. That's something that has been in the market for a while. It's a process of finalizing various intelligent sources and static attributes on runtime.

And I don't have a slide for each capability, but I, I wanted to highlight the ones that I consider to be the most important ones. The next one is the vice trust. I think it is essential for any password solution out there. The ability to constantly evaluate the security posture of multiple devices in a seamless manner at the exact time of logging addresses many of the security challenges. The next capability has to do with 5 0 2. So most 5 0 2 applications rely on the U S P type device.

But what we are seeing is that as smartphone technology is getting so good, we predict that the smartphone will become perhaps the most important authenticator capability in the future. As Apple and Google and Android, they improve their hardware environment and the security of the device. We expect this to become more widespread. So that's quite cool for consumer use cases. But there's some questions that arise for enterprise use cases because it means are you gonna let all your employees to use their device to access your resources?

Or are you gonna bring all the devices in your, bring your own device environment, right? So there are questions that enterprise must ask when it comes to 5 0 2. There are some additional capabilities. I mean most of you probably know this. Password solutions most have a broad range of authenticators, strong authentication, adaptive and step authentication, support for legacy applications and systems support for major standards, comprehensive set of APIs, API security, bring your own device support and scalability and performance, right? And I will talk more about some of these capabilities.

I have an a next session, I think it's in like an hour where I'm gonna talk about the market overview of passwordless authentication. We recently published a leadership compass last year where we evaluated around 25 vendors. So I'm gonna present that to you, the findings in that session. So here's some of the functionalities that we look at during our rating and assessment, right? We look at account recovery, like I said earlier, that's an important step. Then we look at architecture and deployment, authentication, support, APIs, the base trust and support and scalability.

Of course there are more categories that we can use, right? But these are the ones that in our research, we pay attention when we evaluate all the different vendors in the market. So how does passwordless help if you wanna go on a zero trust journey? So zero Trusts is not only about networks, but it's also about identities, devices, systems, and applications. Zero trust starts with a clear vision with targets. And once these components are in place, then one can implement processes and policies.

So zero trust begins with a long-term business strategy and a step-by-step implementation of existing technologies or new technologies such as password authentication. So you can improve the security, the user experience and business practices, but it's important to avoid adding more complexity into your architecture. So of course the question is how to choose a passwordless solution. And like I said earlier, I'm gonna talk more about the market later on. So you can see all the different vendors that we evaluated.

But the right pathway solution must meet the unique requirements and needs of organizations regarding security, user experience, and technology stack. Here are some prerequisites that if any of you are not in a company, but you are maybe wondering how to adopt a Paso solution, think this some important information that you could consider yourself.

You, you need to ask what's the level of technical knowledge of the people in my company, right? How many legacy systems and applications do I have in my infrastructure, right? Do I support industry standards? What kind of deployment is better for my organization? And how scalable, right? So how to move forward. First you need to know your organization, you need to know your business needs and requirements. Then you need to have a zero trust model in place, like I said earlier, once you have the main components in place, then you can start adding new technology to leverage what you have.

And then it's about selecting the right password solution There remain in the market. They specialize on different aspects, there are different flavors of passwordless, right? So it's about finding the right one, and in the end it's about choosing an appropriate deployment model. So when migrating to Passwordless, you should consider talking to your IT vendors and understand their vision for passwordless because like I said, everyone has a different way of doing passwordless. So it's important to know what their vision is.

And here's some marketing, I'm not really a salesperson, but here's Casey Open Select. It's one of our newest products. And the first one we did was on password list. So we have the vendors that we rated on the Leadership Compass. And you can use these products to know which solution is best for your own organization. So I encourage you to check it out. I know we have a candy bar upstairs where you can get some passwordless popcorn and you can also get more information about Casey Open Select. So that's all. I think I'm almost on time, maybe. Yep. We have two minutes left. Okay.

I wonder if you have any questions if we can fit into those two minutes? Yeah, I know. If there's no one here, then I can ask one question. Sorry. Alright. Sorry we prioritized the questions from the attendee here first.

Yeah, Yeah. Thank you for the presentation. It was a nice introduction to password list 1 0 1, just one topic that I'm missing is the definition or maybe the differentiation between passwords, password list, and first, most people are selling as password list, but it's rather just a passwordless experience. You didn't go into that topic, Right. I touched on, on that point when I talked about the account recovery, how some vendors out there, they claim to be passwordless, but in reality they still offer passwords or pins when you want to recover your account.

And I think there's a a difference there. And I think that's why we need to be very clear about what we are, really, what we really mean by passwordless. Is it only about a passwordless experience or is it really passwordless when you look at the backend and the technical aspects of it. So that's a really good point that you bring. And I think we need to educate users and also the passwordless vendors, like I said, I see some familiar faces here.

So people who work in the industry, that's a good thing to, to do, to educate more of the users and to really make it clear what you mean by passwordless. Alright. Any question?

No, I think, I think, yeah, it's, it's okay. Yeah. Yeah. We are right on time. Yeah. All Right. So thank you.