The Path to Passwordless is Paved with Orchestration

What an impassion presentation by Andrew about biometrics takes me back to me about 20 years ago when I worked in biometrics. And I just love to see that it's still there. I always love the guys from, I proof one of the best things about their technology is, and I don't know if you saw it, but if you're ever in a dark club at night and you need a disco ball, just turn on their verification. The different lights come on and it's really great, but they have really, really good technology.

I'm not, I'm not joking about that. It's just really good stuff there.

So here, I'm here to talk to you about Passwordless and biometrics is a part of getting to passwordless. There's a few other things as well, but why is it so important? It's so important that we have a trusted identity, whether it's for our, our shopping, whether it's for healthcare, whether it's for anything that we want to do. You know, the digital identity has become essential to everything we do. When you think about just five years ago, having a digital identity was nice. It was great.

I could get access to shopping, I could get access to my bank account, I could do all these different things from the comfort of my house. That was a cool thing. But if somebody stole it, it wasn't the end of the world. I'd go reset it.

Now, if you wanna do anything, whether it's from your utilities, your health, shopping, interacting with the government, as you just saw from Andrew, it, you need a digital identity. So digital identities are becoming hugely valuable. I think everybody knows that. And so what does that mean? That means bad actors are upping their game over and over and over again to try to get access to people's digital identities, right? And so there's a problem. And the big problem, the big scary stat of this presentation, because every presentation has a scary stat.

The big scary stat of this presentation, there's 24.6 billion username and password combinations available on the dark web. Just, you know, you get bored tonight, you don't wanna go to the award ceremony, look it up. You can buy 24.6 billion password combinations. So another interesting part about this. Who here we're all security people in this room? I would imagine who here reuses the same username and password for multiple websites? Raise your hand. And those that don't, I think you're lying.

But because of those 24.6 billion user and passwords that are available on the dark web, only 5 billion of 'em are unique. So obviously people are reusing them. So you buy 'em, you start firing and forgetting. You start doing stuffing attacks, you're gonna see where you can leverage those credentials to get access. So it's a big problem. Another problem, anti fishing malware group has said quarter after quarter after quarter, it's the highest amount of phishing attacks ever recorded. Q3 of 20 22, 1 0.2 billion. I imagine if I looked up Q1 of 2023, we're probably at 1.3 billion.

So the long story short is there are a lot of credentials. There are a lot of username and passwords out there that are available to fraudsters to take access on and to try to take over people's accounts.

So, you know, so what does that mean? It means we're all talking about your password. We've all been trying to get rid of the password password's bad. Five days ago we had National Password Day.

I'm like, who the hell has National Password Day? Why are we celebrating this archaic, insecure piece of technology? It should have been national. Kill your Password Day.

But, but I got ahead of myself 20 years ago when I was in biometrics, as I mentioned, I had said a lot of the same things Andrew did about biometrics. You can't share it, you can't give it away, you can't do all this stuff. And I ran around trade shows like this one with my company's shirt on or on the back of it.

It said, forget your password. We were gonna make it so everybody could forget your password. Used to be considered a bad thing. We're out encouraging people to forget their password. That was 20 years ago. More recently, people have gotten a little bit more upset with biometrics and now we're gonna kill the password, right? So now the angst, the anger, it's no longer forget, it's no longer, Hey, you don't need these things anymore. It's let's get rid of these things. Let's go kill them. And so I think that's a little bit too aggressive.

And so where I'm at is this whole concept of never log in again. And that's where Four Rock is, is how do we make it so that people never have to log in again? And that could be, hey, you don't have to log in again. Or it could be you just don't realize you're logging in because you're not typing in a username and password.

It's, I like to kind of think about it as the, the face ID on an iPhone. Like Apple actually had to put in a mechanism to slow the face ID down after Covid so that people realized they were being authenticated. Because before covid, it just instantly authenticated you.

So for me, the first time I used Apple Pay, I just pulled my phone up, clicked my credit card, and was like, cool. I just, it just worked. And then I'm sitting there going, where's the security in that? And then all of a sudden I put a face mask on and I, I couldn't get to Apple Pay, right? So Apple had to go in and put this little thing in there to slow it down because people need that friction to know that you're being authenticated, but you really want to have this feeling of never log in again. So the Passwordless promise, everybody wants to get here, so why aren't we here yet?

Because the Passwordless Promise says it's easier for end users. You know, there's a study out there that says longer isn't always stronger when it comes to passwords as longer Sures sure isn't easier when you're trying to type in a long complicated password on a, on a smartphone, you have to shift between three different keyboards to do it.

I mean, that's just really annoying. And we all know the password list is gonna increase security because we know that password is the number one way that people gain access to people's accounts. So why are they still here? Why?

Well, first reason is alternative authentication devices are expensive. You know, some of us have been in identity management for a long time. We all remember RSA tokens.

Well, those were five to $10 a piece, right? So you lose one of those or users lose one of those, that's an expensive proposition. You can't really send them to your customers. So that didn't really work. So you have all the, you have some expensive authentication devices out there. Other thing you have is you have administrators and and users that aren't comfortable with the technology.

You know, because Andrew's here, I'll go back since he was here, I'll go back to another biometrics story. You know, with biometrics doing fingerprint biometrics. 15 years ago they came out with this gummy bear attack. So if you put your fingerprint in a mold and you made a mold, then you took a gummy bear and you stuck the gummy bear on that and you stuck it on the sensor you could get in. So people said, biometrics and fingerprints aren't secure. I'm like really? Really? I'm gonna help you do it. I might as well just give you my password. It's like the other one with biometrics.

What happens if someone sticks a gun to your head? I'm like, I don't know. You're gonna type in your password if someone sticks a gun to your head. But people didn't believe it. They don't know what people are gonna do with the technology. Another thing that's really interesting here is that you always used to have to be forced into one service, one solution. So you had people selling tokens, you had people selling smart cards, you had people trying to do otp, you have people trying to do biometrics, but you didn't really have an option. And you know, it's like not one type of authentication.

Technology is gonna fit everybody at every time. Like you can't do voice recognition on the back of a bus when you're going through the city, you're just not gonna be able to work. But on other things, you, you can't do OTP when you don't have a wireless connection. So there's a lot of different things that are out there. So all these things are why password is still here. So why do I, who used to be a password cynic say we're gonna be able to do it now?

Well, there's two reasons. Number one is all the signals that we have, and we have so much more context about a user today and about what they have available to them and about their personal choices, that we can actually use that context to figure out how to authenticate that user in a better way.

So, you know, are they on a smartphone? Well, if they're on a smartphone, I know they have a camera. So I can do facial biometrics or I can do a push, a push otp, I can do all these different types of things cuz they're on a smartphone. If they're on a laptop, I know they have different things available to 'em, right? So I know what they're doing, I also know what their preference is. I also know where they are. I also know it's gonna work. So have all these things on, on this side to be able to build a really good user experience. The other thing is, is we now have the technology.

We have a lot of different types of technology. We have otp, we have QR codes, we have biometrics as we just heard about. We have push sms, we have Fido, we're gonna talk a lot about Fido. And of course we have digital wallets that are coming up. And if you've listened to Eve Mailer today or yesterday, you know one of the things that that she says she's works at my company is that digital wallets may be the last thing we ever log into. That might be the last thing that we ever log into is with a digital wallet. So you have to have a way to incorporate all those in the system.

So the first thing that we mentioned is taking all these signals and doing what's called orchestration. So you do identity journey orchestration at Four Rock. We call it intelligent trees. I saw a presentation last night by one of our partners. It said orchestration is at the top of the hype cycle right now. We've been doing orchestration for five years at four drop. So I don't know where it was when we did it, but it's at the top of the hype cycle and it says it's doing too much. I guess if you listen to the hype cycle over inflated expectations, but we just keep making it better.

But what that orchestration is, it's all about doing choose your own adventure journeys, right? So whether some of that is done for you based on risk, based on device, based on location, based on what we know is gonna be best or given user choice of how do they wanna log in, what technology works best for 'em, what is gonna work for 'em in this environment? You can do a choose your own adventure story so that one size doesn't fit everybody when you're trying to do authentication. We know this, there's people who have disabilities that can't use things.

There's environmental factors that mean something's not available. So you gotta have that flexibility. So that's number one. Orchestration is really important to being able to enable passwordless. The second thing is Fido. Fido solution is really changing the game. Fido's solution is making passwordless something that the general consumer wants, not just security people. All of a sudden the general consumer wants it because of Fido. And we'll talk a little bit about that. But you know, one of the things about Fido is it's unfishable.

So an fishing, fishing attacks set credential never leaves the device, right? It's really fast at runtime. The credentials are kept on the device. Users have choice of how they wanna unlock that. Do they wanna do it with a pin? Do they wanna do it with biometrics? Do you need to fail over to a pin if your biometric isn't working?

Yes, yes you do. You have untraced trackable keys. And then as Eve said in my favorite reason why everybody choose Fidos, it is really cool. Passwords not so cool. Fido really cool, but Fido's been around. So why now? Why now with Fido? Because Fido's been here for 5, 6, 7 years. Well it's pass keys. And so the most amazing thing about PAs keys and the most amazing thing to me as to why I believe passwords are going to be a thing of the past soon, is that the Fido Alliance did something that I don't think any major government could have actually made happen.

They made Google, Microsoft, and Apple all work together and all say we are going to abide by the same standard when it comes to security and we're gonna have all the same kind of controls in our devices so that we can use pass keys. And so one of the things that was great about Fido, if I go back to the last slide is that credentials were kept on a device. That's great, that's really good for security, that's really good for making sure that they're, they're not exposed. But that's bad for is how many people in here have more than one device?

So what do you do when you get to your next device? Right now you have a problem and if you lose that device, how do you recover that account? How do you get access? This was the problem with Fido and pass keys solved that. So before pass keys, one device, one account, second device, second account, two accounts, same application access creates a whole lot of problems, creates issues for people, being able to move from devices, creates issues for account. Re account recovery creates issues.

If somebody wants to leave and and get rid of their service, you still have back doors that are out there. So that's before PAs keys. Now you have PAs keys. And so PA keys allow you to put a key in the password manager. And so when you go to the next machine, I mentioned QR codes built into the Fido spec. If you just implement Fido just straight out of the box, when you go to the next one and you wanna authenticate, type in your username, it'll pop up a QR code.

You take your device that you, you take your camera and you authenticate through that and now your pass key and your is all bought down to your other system. So now from your phone, from your laptop, from your iPad, from whatever device you can have, use one credential to get access to that application. And what's really, really great about this and what's happening now that hasn't happened before is that Google and Apple and Microsoft are advertising on TV about pass keys and passwordless. So before it was this great thing that we all wanted to push on our customers.

We all wanted to push on our employees. Now they're hearing about it on TV saying, hey, I want that, I want a secure way to access my bank account. I don't like passwords.

This is, this is ridiculous. Give it to me. So now you got that going on. So how do you implement Passwordless? First? Let's not do the wrong thing. So the first thing is, what do you wanna do? You wanna use standards, not just authentication standards. You want to use SSO standards like Sam Mall, like O os like Open Id connect because you wanna be able to use one authentication to govern access to all your applications. So that's number one. Second watch out for the transparency are those disused channels.

Like if you're thinking about an enterprise, you're thinking about employees, think about database access, think about VPN access, think about those things. You need to be able to have password list for those. I've already talked about Design your journeys to be responsive and and allow for different methods and different needs and then fold that fraud management into the identity experience, right? Cuz at the end of the day, that's where you're gonna catch the fraudsters as they try to authenticate. How do you do it?

First of all, you identify the apps that need to support Fido need to support Passwordless. If you're a bank, you look at your top, your, your top investors, your top customers. If you're a company, you look at influential, technical savvy people. That's what you want to do. When you think about our initial users, you want to communicate to people that this is coming.

Don't, no one likes a surprise. So tell 'em, tell 'em, tell 'em again and then even tell 'em one more time before you actually do it. And then implement by groups and by users. Don't do it all at once and collect those metrics. Cuz you know, one of the things I, I was in a, in a talk last night with a partner and they said, you know, we do all this and we, we do a lot of workshops and we figure out how to implement things, then what we have to do is we have to go watch and observe and see did we get it right and we never get it right the first time.

So make sure that we're cap capturing that usage and making sure we're adjusting and tweaking what we did to provide those best user experiences and that high security. So last thing I want to talk about when it comes to Pastor list and why are we here?

We, we hear a lot about credentials. We hear a lot about credentials can be shared and this, that and everything else. And we hear a lot that maybe Passwordless isn't strong enough, people still believe in the password, although there's so many out there. Well how do we solve this problem of account takeover? How do we solve the authentication issue? And a lot of it comes down to context. And so if we stop and think about where we were 20, you know, 10 years ago, we had very little context on a user. And this is like when Zero Trust came out, right?

And zero Trust is this principle that I don't trust somebody. I inherently don't trust the end user. So I'm gonna authenticate 'em every time they want to do something, I need to make sure that's them. And so Zero Trust is kind of a friction model. And 10 years ago, the only context we really had was how valuable the asset was. So that was what Zero Trust was based on. It was step up, it was reauthenticate before you hit a valuable asset. Then we got up more context. And now today we have this 40 to 50% idea of who you are before you authenticate. And we know the risk that's involved.

We know if the phone's been hijacked, we know you know where you're located. We know if this is where you normally are, we know a lot of things about you. So we can do different things. We can challenge for different authentication levels. But if you really think about where we're going, we have this much data on people in identity management systems. We know where they travel to, we know where they access from, we know who they talk to.

And you really, you know, one of the things you think of when it comes to account reset, it's not only just a help desk saying can you answer these five questions. What you can really do is you can do peer and trusted network reset, right? You can say, hey, especially think about it in an office situation. I lost my laptop, I lost my phone or whatever. You go to your boss, your boss sends an email to somebody and says, Hey Matt just lost his phone. And then that help desk person can contact me and I can say, yeah, I lost my phone. And then they can actually do a reset.

And they know it's true because my boss knows who I am. The person on the other end of a customer support line, they don't know who I am. And you think about generative AI is real easy to figure out how to answer my reset questions because you go scan, you know, scan my social media, you can do all that. So there's a different way to think about things, but think about where we're going and I'm just gonna leave you, leave you on this.

And one last thing is, as we have all this context and as we add AI to it, we're getting to the point where we almost know 80 to 90% who somebody is before they actually authenticate. So we know who they are and also with all those credentials out there, whether they're passwordless or whether they're passwords, and before we, but until we get to standard passwordless, we can't trust somebody right after they authenticate cuz they could have actually taken over an account.

So what I really think about is once somebody authenticates and they have all this context and we know the applications they use, we know where they come from, they know where they're going. We know all this about 'em. As soon as that session started, I can keep monitoring them and as long as they're doing all the same things they normally do, my confidence level goes up that I have the right person and my risk level goes down.

And so instead of having your standard account timeouts, I'm bored, I've been, I've been inactive for too long or I've just been authenticated for too long, I can take those away and I can just say that risk level is still there, that session is still confident and I can start removing authentication events and this is how I can get to never log in again.

So as you think about identity management, and we're all here to talk about that and cloud computing, think about combining AI with your identity management and taking all of your intelligence and including into your identity management system. And basically bring your fraud, your security and even your customer intelligence to identity. Because your identity is not only the exterior but it's the interior. It goes from the exterior of your organization to the interior. Cuz it's your customers coming in, it's your employees on the inside and you can go from one to the other.

And that's where I say just bring all that identity, all that intelligence into identity management. And with that guys, I think I'm, I don't know if I'm over or not, but thank you guys ever very much. Enjoy your day. Any questions for me?

All right, what do you do when you represent clients, which that, that have compliance requirements and they're enforcing passwords and they, they still want you to have a password policy in place. What do you do in that situation and when your clients are military or the government?

So I, great, great question. So what do you do? I I think you just have to give people choice, right?

And I, I think that's the whole point when it comes to authentication is if there are organizations that really believe passwords are the way to go, they're gonna want other ways to authenticate for different, different various reasons. But if they're still based on that, you create the password policy they want, hopefully it's about 25 letters and you know how many different characters and it's really long and you say, Hey, you could do that, or you could do Fido and you give them the option.

But you, you, that's the great thing about orchestration is that you give people choice and that's how you handle those types of things. So, all right, thanks Matthew.

Yeah, thanks. Thank you.