Hello, hello and welcome to this webinar with KuppingerCole and, today, Secret Double Octopus, where we'll be talking about multifactor authentication, how it can help in the fight against phishing, and how that is introducing a new kind of authentication. I'm very happy to be joined today as well by Horacio Zambrano, who is the chief marketing officer and cyber strategist with Secret Double Octopus. Hi Horacio, how are you? Good, Paul, how are you? Fantastic. Okay, well I'm glad you're here with us. So you'll be speaking in a little while, but let's kick off with the little housekeeping stuff for you there, for you listening, wherever you are: you don't need to mute yourselves, because we've done it for you. We've got a couple of polls coming up during the webinar, and we'll look at the results during the Q&A, and there'll also be a chance at the end for you to answer questions, sorry, not for you to answer questions, for you to ask questions and for us to answer them.
And you can enter those questions in the panel that you'll see in your control panel on the screen. And finally, we're recording this webinar, so if any of your colleagues wish to see it, they can, and it will be available on our website very soon after today. And the slides will also be available for download. So that's that. Here's the quick agenda. As I said, I'm going to talk first a little bit about passwordless, some of the background issues. Then Horacio takes over with his piece, where he'll be focusing much more on some of the capabilities that you need for MFA and passwordless. And then, as I said, we have the Q&A and wrap-up at the end. So before we get started on my presentation, let's have a look at a poll. The first poll: which of these technologies will have the biggest impact on identity and access management in the next three years?
So your options are passwordless authentication, decentralized identity, consumer identity and access management, and identity fabrics. Which of those will have the biggest impact on IAM in the next three years? So you should be voting now on what you see, and once we have enough votes in, we can then carry on with the presentation. So: passwordless authentication, decentralized identity, consumer IAM, or identity fabrics. Okay, so I think we've probably got enough. You can still carry on voting, but let's carry on with my part of the presentation. So to begin with, this is pretty much how things are these days in IT networks and IT infrastructure: how identities flow, and how we try to manage the flow of those identities on their journey from the core business infrastructure to the other resources available on it. And we've identified probably six major types of identities now in usage.
So we have traditional administrators, who would have, and still do have, physical access to other machines, endpoints, et cetera, to do admin and upgrade tasks. But obviously these days identities also include people like developers doing code development, other end users, and machine identities, non-human identities, which are having an enormous impact on how we manage identities and access to resources, and of course customers as well. Third parties and customers are also starting to get access to what was once considered well within the sort of boundary walls of an organization. Now everything is much more open; everything is connected to everything else. And we use, generally speaking, two main tools for access: privileged access management, and of course identity and access management. And we've been using those for many years. But these have recently been joined by another tool specifically designed for the cloud, and that is cloud infrastructure entitlement management, which is a slight twist on PAM and IAM in as much as it focuses less on the authentication part and more on the entitlement, and how we manage that entitlement into cloud resources. So there's a lot of development going on in those areas, particularly within PAM and also in CIEM.
And what has driven CIEM in particular to emerge is things like platform as a service, software as a service, infrastructure as a service, and also private clouds where they exist. And finally, everything is looking to access, I think, files, servers, workloads, containers, you name it, everything you could possibly need to do a job. And the list of resources is likely to get longer as time goes on. And as a kind of foundation for all of that are the traditional areas of governance and computer management, IT management, and things like zero trust, integrated risk management, data governance, privacy and compliance. And then recently we've seen endpoint detection and XDR start to emerge as a way of holistically managing everything within the network, particularly at the edge. So that's a simplified, I must say a simplified, overview of networks.
And obviously the reality is probably more complicated, or less complicated. So let's see what traditionally we've used for all of these things to get our identity flow. We've tended to use passwords in one way or another to give identities access to the stuff that they need. And we still do; we still use passwords overwhelmingly in our corporations, in our enterprises, in our companies. We may have added things like extra authentication, but we still tend to use a password as the first step to get into anything. And so here is what I put as "some good advice", with a question mark. This is actually taken from the UK National Cyber Security Centre website, and it's based very much on the status quo that we use passwords. So it says things like: always make sure that passwords are unique and they're not shared; make sure you review the user accounts, and particularly the privileged and admin access; ensure that desktops are all patched, including third-party software, et cetera. Well, I mean obviously that's all great advice. It's simple advice. The funny one is "ensure privileged accounts are carefully managed and where possible use multifactor access". Well, that is good advice. The problem with it is that it's not actually done.
Staff don't always ensure their passwords are unique. They do share them across other systems. They share them even with each other. Business systems are not reviewed as they should be. Privileged accounts, or privileged access, are not managed with a dedicated platform, and devices are not patched on the kind of regular basis that they should be. So it's kind of good advice in a perfect world. And it all comes down really to using passwords as an authentication system, which is increasingly flawed. And this is why passwords are under pressure. Traditionally we use passwords because they are reasonably convenient.
They are relatively cheap to implement; people, end users, understand the concept of entering a username and then a password. The problem is that using passwords like this has made them extremely vulnerable to phishing attacks more than anything else. More phishing attacks are now done through stolen passwords than anything else. And in particular, privileged accounts are targeted by criminals looking at those access points to give them access to other parts of the network, other secret parts of the network and important data, et cetera. So phishing, the rise of phishing, and ransomware, which is obviously even worse, is putting passwords under extreme pressure now to carry on being used as they are. And the cost is being outweighed also by things like breaches happening and the company being penalized. And the fines that are now being handed out by national privacy officers or information commissioner's offices are pretty high.
Even for the biggest organizations, we're talking about fines of millions of dollars or euros. So that kind of completely undermines any cost convenience that you may have had by using a traditional password system. So passwords are under pressure. So we need to look at perhaps some other ways of doing things. And you've probably heard of MFA, multifactor access, with passwords. In their purest form, although people are already adding more than one factor in different ways, a password on its own is very weak. It's easy to find, easy to steal and easy to copy.
And that in fact is the worst case, which I put in the middle there, where literally users are allowed access to networks, files, et cetera, with just a username and a password. All of that travels without any further authentication, in the clear as it were, to the service. And that bit in the middle is the plane of attack essentially, where any of that can be taken. As I said, we have now got identity and access management systems that use a second authentication system, where they might use another identity provider, a separate identity provider, which does give an extra layer of security for sure. The password is still vulnerable. And if the username and password is stolen, the authentication system doesn't necessarily know that it has been stolen, but it does give a better level of integration and trust. But what we're looking for in a more modern authentication system, or one that is more secure, is where we use a second device or another factor.
So the user uses the device to authenticate; the key travels, but a second factor also travels, and then it authenticates here and then just gives access to the service that they want. So the extra device here is doing the second layer of protection, authentication of the user. And that's really what we're talking about today: sophisticated multifactor authentication that usually uses some kind of encryption, encrypted authentication, or even something along the lines of FIDO, to make the process of authentication more secure. So good authentication becomes multifactor; it becomes based on risk. It should at its best be context-aware, so it does understand what the user or the identity is trying to do. That can also be called attribute level. It still remains convenient. The thing about MFA is that the best types of MFA only add one extra step normally for the end user, and if it's well designed and thought out, it shouldn't be any major inconvenience, but, as I said, it can be fitted to the user, the usage or the device. So that's still using passwords. So what we want to get to is no passwords at all, if we can.
It says here on this slide that passwordless authentication is becoming the new normal. And that's probably a little bit wide of the mark at the moment. It's certainly becoming considered the way to go, and it could perhaps become the new normal. And the way to do it is by using biometrics or device trust based on secure elements. It can be, you know, a Windows Hello type thing, or even fingerprints. But either way, the password bit is gone forever. So you're moving from the trade-off before, where the convenience outweighed the security, to where security is much improved but the convenience remains the same, if not slightly better even. And also there is a psychological layer to all this that people don't often talk about, but employees, users, actually sometimes feel better having some extra layer, something physical even, that they use to authenticate themselves to get into systems.
So it's not just about making it secure at the endpoint or within the networks, but also about making employees feel better about logging on. And they feel actually that the organization they work for cares about their security as well. So you could argue that convenience actually is even higher. Just for a slight bit of dark humor perhaps: not all MFA is going to work. Two layers of security, or two factors, is only good if, like I said, it's well designed and well thought out and cannot be stolen or misused. Now, a rather alarming example of a two-factor was used in the early days of the Cold War, when US nuclear missiles were protected in a silo and an extra PIN was needed to launch in case of attack.
Now, strategic defense commanders, perhaps not surprisingly, thought: what if people forget the extra PIN? Then we won't be able to launch. So they set the launch codes to six zeros, which is kind of scary, because whilst that would've been okay in the event of a live order, perhaps not so good in case of an error. So be careful when you think about multifactor authentication, and indeed passwordless: don't think that all types of MFA are going to be equal. So MFA is something that you really need to think carefully about, and Horacio will undoubtedly go into that a bit more. Some other things about MFA that are worth considering: although I just said that I personally think that users quite like to have an extra layer of authentication, something physical, some may not, and they may not have their phone with them, for example, for the extra authentication bit, or they don't want to use their phone.
You know, they consider their phone their personal device; they don't want anything to do with work on it. MFA can be more expensive. I did mention the cost factor earlier. It can work out more expensive than a traditional password system, and using tokens or biometric devices in some way is also likely to be more expensive. But you have to balance that against the reduced risk and the total cost of ownership, et cetera. It can again be complicated to set up and maintain, particularly maybe for some smaller users. But then there's plenty of MFA out there which is designed for smaller businesses and is designed to be easy to use. There is MFA that is available as a service, et cetera. There are again some MFA methods, such as SMS, which actually are vulnerable to particular types of cellular attacks, such as SIM swapping. So you have to think about that. There are also mobile push bombing, or fatigue, attacks, which also can be used against MFA that is based around a cellular device. However, that's still not a reason not to think about it, because the level of threat, the level of risk, with passwords is much greater than that. And if you're still using passwords as part of an MFA, then don't forget they could still be used and stolen.
So finally, access management and MFA must evolve. So we need to just think about all these areas here. I'm not going to go into every one, because we have time constraints, but MFA is probably more essential than ever before, and passwordless too. Well, because of what has happened in the last two or three years, we are now working anywhere. There's more and more cloud; there are more machine identities, which operate autonomously. We don't always know what they're doing, where they're going, et cetera, and customer identities. And then in the future we may see things like the metaverse or Web3, whatever it's called, though the hype for that seems to have settled down a little ever since ChatGPT came along. Everyone's been talking about AI rather than the metaverse. So who knows, but decentralized technologies as well. Decentralized meaning stuff moving away from the central control of IT, et cetera, into perhaps more departmental control.
So that then really is my overview of MFA and the move, perhaps, to passwordless. But before we hand over to Horacio, let's just ask another quick poll. What are the benefits of IAM to your organization? Is it, one, to improve security? Is it, two, to increase compliance? Three, to save money? Four, to streamline user access management? So the main benefits you see of identity and access management of any sort. And don't forget IAM covers a lot of things, but what are the main benefits? Are they improved security, increased compliance, cost savings, or streamlined user access? So I'll just leave that on the screen while you vote, and hopefully Horacio is waiting to give us his presentation.
Thank you. Well, it's a pleasure to be here with you, and I'm glad that I can share some of our thoughts here. I'm the CMO and cyber market strategist at Secret Double Octopus. If you don't know who we are, we've been in the market since 2015, 2016, helping companies, enterprises specifically, modernize their authentication for their workforces. So we are one of the leaders in that space, and we have a lot to say about passwordless, traditional MFA, as well as what we think is the next evolution in strong authentication, which is phishing resistance. And so let me start by just bringing up some slides. I'm going to go pretty brisk here, because I want to show you a broad spectrum of things. First of all, we do believe that passwordless authentication will be the new normal. We've done lots of surveys, and we see that transition is going to happen over the next, at this point, four years.
But we see a very high percentage of folks that are defining the move in their authentication strategy to passwordless. The first thing to realize is that passwordless is MFA. Many times people think that it's not, because the word "less" is in there, so it's actually less secure. It's actually the opposite. Many of the solutions in the market today, I say we're in passwordless 2.0 mode, have really gotten to a level of completeness. But what they all come with is sort of a modern mobile architecture that they take advantage of, which includes things like using the mobile secure enclave, the biometrics on the device, and the cloud notification services that Apple and Google make available. They're FIDO2 certified. We have a FIDO2 server in our backend. We can support things like YubiKey and many other types of FIDO2 certified keys.
We'll talk about that in a second. They're standards based; they build on standards. There's not a rip and replace. You can use SAML, OAuth, LDAP to basically plug these types of solutions in. So it's a very important value prop. And generally most of us have some form of adaptive MFA built in. If you've never seen passwordless authentication, I'm just going to give you a quick overview here. This is a demo of a Windows machine that's being run over VMware. You can see that the GINA has been changed, and you can use your mobile device and the authenticator that's on the device. Here you see a geolocation; we're going to prove it. This is a mobile push, and then a biometric is done on top of that. So you have two factors there. So it is multifactor, and then you're into your desktop.
And this is an area that MFA traditionally has not come down to cover, and an area where many mandates today require admins to have support for their endpoint. Another important differentiation is that we also support Mac, which means heterogeneous environments. We support Linux; we support Windows servers, which are very different from a Microsoft Windows desktop. Below here you have a Mac with a FIDO key, the biometric, that is logging in to the endpoint. So you begin to get MFA brought all the way down. And then we're coming into a single sign-on portal where our applications are, and then there's a continued sort of passwordless experience, an easy passwordless experience, for the user. So this is that better security and better user experience that passwordless authentication, passwordless MFA, can bring to the table. So we in particular, Secret Double Octopus, have been in the market for a long time, sort of known as the guys who can do it all.
For us, the value of passwordless is that the user never has to remember the password, but to make that work, it's got to happen across all of the touchpoints that that user has during the day when they're logging into things. And so we support, I think, the broadest range of use cases in the enterprise because of the choices we made in our architecture. We are the only vendor that has a patented rotation-based approach. And what you can see with that is that we're able to handle what's in the middle section there: a lot of the remote access to VPN, VDI, RDP, SSH, a lot of the admin use cases. And then, most importantly, the custom legacy apps, which many people believe is not doable with passwordless. Because of this architectural approach, where we're passwordless with your password directories, which many of those legacy apps are tied into, you automatically get that unified experience for the end user when they're going across all of their different resources.
And this is different from Windows Hello for Business, which is a device-bound biometric; it's not going to get you that heterogeneity. It's different from an Azure-based passwordless approach, which is also very secure but has its limitations in terms of being able to support some of these legacy apps, or something like a VPN over RADIUS. A lot of difficulty in particular doing that kind of stuff. And then FIDO2, which is really what we all live up to as part of a standard and a vision for the future of passwordless. With a YubiKey, you know, that's going to depend on the platform that you use and how that's enabled. So I just wanted to give you that background if you are not aware of passwordless. But let's really talk about what we're here to talk about, which is phishing resistance.
How does MFA come into the picture for phishing? Because that's always been the domain of email security gateways and other types of investments that have come about in the last five years to stop this, what I think is the number one problem in security. You know, it's amazing that today the number of sites that have popped up from just before the pandemic to now is off the charts. This is a stat from Google. And there's a reason why this is happening now. It's important to note that, you know, a few years ago even a script kiddie could do a DDoS attack; they could just buy a kit on the dark web. Well, phishing has become sort of like that. Somebody with not too much sophistication can run a more automated approach to phish.
And it's very powerful when you combine it with other types of attacks, like business email compromise, which many attackers are doing, and they combine that with phishing. 90% of ransomware started with phishing, and there are some very interesting stats around the fact that 90% of breaches are coming with phishing involved at some point in the process. And so this is a big sort of trend in the last few years. And I think we used to worry about zero-days, but actually hackers don't need a lot of zero-days today to get into your enterprise. What they try to do is just log themselves in by finding one of these credentials that's on the dark web, among the billions of credentials. So why is this problem getting worse?
So let's talk about the evolution. This cat-and-mouse game that happens in all cybersecurity has happened here too. You know, the attackers knew when we were using usernames and passwords that they could phish passwords; they could find leaked passwords on the dark web. There used to be even dumpster diving at one point, but this was one of the early ways that attackers tried to get into the account. Of course, over time there were vendors like RSA, if you remember the moving OTP token. This was expensive and, in many cases, inflexible. Actually one of the knocks on YubiKeys today is that they're a little bit more expensive, and you have the provisioning problem. Okay? But we did that, and then we wanted to make that a little bit easier to use for the user experience.
So we had soft tokens and mobile authenticators, which then introduced voice, SMS and email OTP codes. Of course, then the attackers got smart to that as well. And they have been able to come up with things like SIM swapping, where they actually call the carrier and are able to swap the SIM on your telephone number and use that as a man in the middle. This is, I'm not talking automated here, I'm talking about sort of a fake website, which in its worst incarnation is a very clearly clumsy website that looks like something else but has a URL that's similar. This was more of a manual process of a man-in-the-middle attack. But some people get taken by that.
And then phishing the OTP code as well. Now the industry has moved since the days of Duo and two-factor authentication to using our mobile devices for mobile push. And the attackers realized, well, we can just keep pushing a lot of notifications and exhaust the end user, maybe at one in the morning even, and they only have to miss one time and accept the notification that's not them. Of course, we've adapted our solutions to have things like verified push when we notice certain things. For example, if we notice that two, or three, notifications happen in 10 minutes, we can start to do the mobile push with a code, and of course the attacker would not have the code, or we can lock out the account if we see certain suspicious activity.
So the vendors have moved in that direction, but now attackers have this new thing that has emerged in the last two to three years, which is this ability to do automated man-in-the-middle attacks. And this is a numbers game; you know, this is how Lapsus$ got into Uber and, I forget, the other two or three high-tech companies, big unicorns that are in the public software market. If they can get into those companies, then they can get into anybody. And this is really a numbers game. So just to dissect it, it's still a man-in-the-middle attack where they're able to create a website that visually looks like the site that the user wants to go to, but they're in the middle of it, and they can steal a password and a username as well as a session token.
I'm going to show, we're actually going to show you what that is. This product, Evilginx, has come out recently, and there's a couple of other kits like this. It's really quite remarkable. They can get this up and running very quickly. So what we're going to show here is Evilginx reproducing GitHub. So here it's actually screen scraping. The attacker is screen scraping a real GitHub website that is then presented to the user, and they're going to get a URL here. You're going to see at the bottom of the screen that's the URL that looks sort of like GitHub, but it's actually different, and they're going to phish the user. So now the phished victim, this is what they're seeing. If you see the URL, I'm going to stop this for a second: this looks like GitHub, but it's actually the Evilginx scraped site that they're logging into, and behind this is the attacker.
And so now they're putting in their password. This is the phished victim thinking they're logging in. We didn't show the code coming to the mobile device, but there is MFA being used here. And so now they're putting in the code, and this is all being captured by the attacker. Now we're going to move on. So now even the login looks authentic to the end user, but now the attacker over here is actually able to show that he's got the username and the password, and he's actually going to show the session cookie as well, here. And now at this point, the attacker just copies the session cookie, and now on their own endpoint they're going to go to the real GitHub, which is here, which looks just like the one that they scraped. And now they're not even going to put in a username and password.
They're going to inject the cookie onto their endpoint. And the browser itself is going to believe that this is the original user into GitHub. And then they're going to be able to log in to GitHub. Now they refresh the screen, and now they're in as the user they've phished. So this is a big development in the phishing world, and the reality is that traditional MFA cannot stop an automated man-in-the-middle attack. So this is the big change that's happened in the last two or three years. And, you know, government organizations and standards bodies have realized this. And in early 2022, you know, President Biden's executive order mandate to all of the government agencies in the US and the critical infrastructure was that they need to move to a zero trust architecture, and phishing-resistant MFA was called out explicitly.
NIST has not necessarily called out phishing-resistant MFA as much. They have 800-63 as a sort of guidance rule, and in that they talk about a form of resistance for impersonation, for replay attacks and man-in-the-middle attacks. CISA, which I will show in a second, has definitely talked about phishing-resistant MFA, and ENISA itself in Europe has also put out some MFA mandates and discussion about this. CISA in particular has put out this table of what is the most lax type of MFA, which is SMS and voice, which, at least in the US, the government has said is not a good way to do MFA because of SIM swapping and other types of attacks, through to an application-based mobile soft token. Then you go up to the next level, which is app-based authentication using one-time password codes and token-based OTP.
And then lastly, phishing resistant, being the strongest form. And they call out two ways of doing it: FIDO MFA using FIDO WebAuthn, and PKI-based, certificate-based. Now this is where we have innovated, and SDO, which is doing a rotation-based approach, supports phishing resistance through a desktop-to-app pinning mobile push. So you don't have to pay the price of a certificate-based approach. So what we offer to solve this problem is, one, for the push bombing, we offer adaptive passwordless MFA. And these are things like a verified push where you have to bring in the numbers. You obviously are using biometrics on the phone, which the attacker wouldn't have, and geolocation. So we're trying to stop push bombing and account takeover attacks this way. Now this is not phishing resistant, but it is a stronger form of strong authentication, if you will.
The two other ways we do get into phishing resistance are through the support of FIDO2 tokens and through what we call a phishing-resistant mobile push. And this is really innovative and different, I think, in the market. Let me talk about each of those very quickly. So FIDO has defined a standard in which these YubiKeys, these security keys, are taking advantage of a TPM to store a private key. So they have defined public key cryptography where there's a public key that is held at a relying party, sort of a server in the cloud or in the backend. And then the key that you hold has your private key. So when you log into something, there is a binding as to where you're actually going, whether it be an SSO portal, whether it be a web app.
There's a binding to that which is authentically the domain you need to be at. And then there's a challenge that this server, which is talking to that bound domain, is sending to the endpoint, or to your security key, that only that key can sign. So a person that's attacking doesn't have the key physically. So they won't be able to get in; in a FIDO MFA authentication, they won't be able to get into the site. And what we do, I'm sorry that the words have been sort of changed here with the accents and all; this is English actually, but it looks like Czechoslovakian or something, or some Slavic language. But here we have the endpoint. Now we have a desktop agent on the endpoint to be able to do our MFA on the desktop, and we can support the FIDO token because we become the IdP; Double Octopus becomes the IdP, whether we're working with Okta or Ping, there's sort of a delegated IdP function that can be set up.
We have our own single sign-on portal, but typically in an enterprise, applications are going to be corralled in the single sign-on portal and accessed through that. Now, this is very good, FIDO is very good for web applications, but what we're able to do is extend that WebAuthn and that security of a FIDO MFA to the other resources that we talked about before, like VPN, VDI and even custom legacy apps. So we are a bridge; Secret Double Octopus, because of our architecture, can be a bridge for these types of use cases. Now, when we do it from our mobile authenticator, what we're doing is actually creating a TPM, we're actually creating sort of a secure enclave in our desktop agent to hold a private key in a certificate. And so we're able to establish what we call an origin binding, because we're using our single sign-on portal or Okta, that's the domain that you're trying to register into to get access to your applications.
And so we didn't create a channel binding, because the endpoint itself has to have this private key, and similar to the FIDO key, we're actually able to issue a challenge and get through the challenge from our desktop endpoint. I'm gonna show you how that works. Now what's interesting here is that we can actually do this and bring that to all of these other resources as well. We can bridge over to the VPN, to the VDI, with this phishing-resistant MFA that we can implement into that broad use case coverage. And so let me show you, well, let's look at very quickly how this affects the automated man-in-the-middle phishing attack that we showed. So effectively the attacker does not have the pin, the pinned certificate that's on the desktop, or they don't have it on the FIDO key.
So they will not be able to get into GitHub or whatever solution they're trying to get into, because they don't have that channel binding. And the actual fake site does not have the backend FIDO server that's actually verifying with the public key that's making the challenge to the endpoint. So this breaks as well the ability for them to steal a session cookie or the username and password. And so I'm gonna show you very quickly what we can do here. So here we're gonna enforce, when you see here "enforce launch from the agent", that's our desktop agent. So this is gonna create the pinning that we need for this phishing resistance. So we're gonna enforce that, and what you're gonna see from the admin console is that we're gonna publish that out to our enterprise.
And then you're gonna see the attacker here try to, well, here first is the user just getting in with the FIDO key, and some of the FIDO keys use a PIN. So he's logging in. But first we're gonna go to the website where what the attacker would try to do is go to this website and just type it in, whether it be GitHub or what have you. But they're gonna get "the login is disabled", because you need to use your desktop agent. And if you're not using the endpoint where the Octopus agent lives, then you're not able to access this. And in this case it's gonna be your single sign-on portal, so your Okta portal, which has all of your apps to get out to all of your services like VPN.
So here we're gonna show a different use case, where we're gonna show the opposite, where the user goes down to the systray down at the bottom, and this is our agent, and they're saying launch the single sign-on portal. So here we're pinning the origin, which is the domain we're really going for, which is our single sign-on portal, and the desktop, which has the certificate stored in sort of an enclave there securely. And so now we're able to get access to the real site. So this means, because of this desktop-to-app pinning, the attacker's not going to be able to do this and be in the middle. So, you know, we pride ourselves in the number of use cases that we can cover across desktop applications, including legacy applications and VPN and privileged access for admins.
And what we do is we can provide all these methods, mobile push, FIDO2, we even support smart cards now, and then we have the traditional MFA to get people started and then slowly get people to passwordless. And now we're able to introduce, with this pinning, this phishing-resistant ability to get to a lot of these use cases. So really we think that we're unique in the market. We've been out there, you know, since 2016. We have a lot of customers now, in the hundreds, and we're industry proven, we've won awards for our technical depth. We think that this approach is easier for companies to deploy. It's different than a certificate-based approach, but as you can see, we actually can create some of the same levels of strength around phishing resistance. And then because we work on your password directories, you know, everything that you've got set up, we're really rotating the password, we're able to onboard users very quickly. Our cloud-based backend, we've shown, we have a video on our website where we show that you can get up and running in one hour. This is remarkable. You can also run it on premise if you wanna do that. So this is some of the value prop, and I'm happy to take questions or emails at any time in the future. Thank you.
Thank you for that excellent presentation. Just gonna relaunch my deck and then we'll have a look at some of the questions and also the poll answers that we have. So you should now see this on your screen, the agenda, et cetera. So now I've gotta find the questions that are also on another window, and I dunno if I can do that without, well, let's just see what happens here. So I apologize, we're using a new platform, this is the first time we've used it live, so please bear with us a little bit. Okay, I'm gonna leave you on screen for a minute there, I hope you don't mind, because it's the only way I can read these questions. But first of all, let's look at the poll results. The first one: which of these technologies will have the biggest impact on IAM in the next three years?
Well, you'll be very happy to see that passwordless authentication, at 50%, was the top answer, followed by decentralized identity and consumer IAM. And then let's have a look at the benefits of IAM, and well, I guess not surprisingly, improved security was the top answer. Interesting that no one really cared about cost saving or even increasing compliance. But the two kind of fundamental issues, security and user access management, were certainly the highest. So there you go. We do have some questions, so I dunno if you can see them, but I'll read them out anyway. And this is: does your solution support Windows core server operating systems? So that's a technical question for you.
I'd need more information on the core server operating systems they're referring to there. But we support obviously Windows 10. We actually go back to Windows 7 as well, way back, but okay.
Yeah, well, if that person could perhaps elaborate while we're still on air, or if they could follow up with an email. Well,
So we also support Windows servers. Yes, we do support Windows servers, Linux through a PAM module, and on that, you know, RDP, SSH passwords, RDP, SSH password to sudo. We have support for all of those sort of admin things, if that's what they're referring to. Yeah.
Okay, well, hopefully that answers that question. Okay, this is interesting. What is differentiating the SDO passwordless solution from Windows Hello for Business? In other words, should it replace, augment or complement Windows Hello?
I think fundamentally we are made for a heterogeneous enterprise, and we find that increasingly executives, different vendors, are bringing in Mac devices, they may be using Linux servers as well. That's not something you're gonna get from Microsoft, that type of coverage, at least not to the degree of universality and sort of feature parity that we're doing across all those resources. Legacy is another one, because we can bring our architecture of rotation to those legacy apps that are already tied to a directory. You don't have to change them, you don't have to PKI-enable them, don't have to SAML-enable them, but we can also do it with legacy applications that just have their own database that are not tied to a directory. So that is a very innovative approach for us that I don't think Microsoft has potentially focused on.
So as specialists for passwordless, we really spent a lot of time with big corporations; our largest customer has 150,000 employees logging in every day, mission critical, with our solution. That took us a long time to build, all these customized features and the ability to deal with that. So if you're an all-Microsoft shop, you know, you have an E5 license and you got MFA out of the box, we often see people try that, they just go that direction. But if they use Windows Hello, sometimes their users are docking the machine, they're closing it, so Windows Hello doesn't work there. So the user has to still type a password; there's really a password under the covers in Windows Hello for Business on the endpoint. We're rotating that password, so we remove that risk, we remove the need for the user to ever remember it. And so in Windows Hello for Business, sometimes you cold reboot the machine, you still have to remember it, but you're not typing it as often, so it's actually worse, because you're probably gonna put it on a yellow Post-it in that case. So I think that there are nuances here that would require a longer discussion on Microsoft, but we have seen people go the direction of Microsoft and come back to us nine months later, and then they're able to do what they want to do with us. So very technical, nuanced differentiation here.
Okay, well, any of you can follow up with more detailed questions and we can make sure that Hario sees them. I guess that's okay with you, Hario, so that if they want to go into a deeper dive with you on how it might suit their particular infrastructure or setup. I dunno if we kind of answered this already, but it says: how does Secret Double Octopus see passkeys solving authentication issues? You mentioned also certificates, as in it's better than certificates as well. So interested in your view on that.
So we wrote a blog, there's a blog on our website that we wrote when the Google, Apple and Microsoft announcement came out for passkeys, and we didn't have a lot of information on the enterprise strategy there. It seemed to be more consumery. And when I read it, you know, really trying to read into it, we didn't see the articulation of a strategy for passkeys, FIDO passkeys, from those big vendors for the enterprise. All of the different use cases that we have to support, like I said, six years of working with these big customers and lots of feature requests for this, and networks and, you know, VPN over RADIUS and LDAP and different types of scenarios. We didn't see that the passkey concept had that articulated. I do believe that FIDO is, we don't believe FIDO is completely ready for the enterprise.
We do believe FIDO is the passwordless future. What I showed you on our slides is our ability to bridge to getting to legacy apps. You can't take a FIDO passkey or a FIDO key today and make it work with a legacy application, and potentially some types of VPN configurations. We can actually accept the FIDO key, having our server, and bridge over to those other resources. And so we see ourselves as a bridge to a FIDO future. We don't think all the elements are there yet. The concept of passkeys is nice. Actually, for us, who are very heavy security-oriented companies, we don't like the idea of certificates being portable, because you do lose security with that. It's not as secure as a YubiKey, as a security key; passkeys sacrifice some security for the convenience of being able to have portability.
And I think that now FIDO is starting to put out white papers on their strategy in the enterprise. So it is developing. We have some of our competitors who are using the word passkeys, but it's not exactly what was announced. And so we are actually looking at it as well. I think passkeys for us means higher convenience across portability, and what are the trade-offs we'll make to be able to support security as far as certificates. I'm not saying that our approach is more secure, certificates are very secure. I'm saying that you can still get the fundamental goal of full passwordless, which is the user never has to remember their password. And with our approach you can get it across more use cases that they're gonna touch throughout the day, and you're gonna be able to deploy it faster, because all your password resets and things that you already have built, syncing between directories, you don't have to change that, because we're working fundamentally with a password directory. When you have a certificate-based approach, you have to think about how the password gets deprecated, and you now have to possibly, you know, stand up a whole new infrastructure for your endpoint around PKI. There's just more work involved around it, and we think it's more seamless to go our direction, the way we did it.
Right, right. Yeah. And actually, for those interested, the FIDO Alliance has a very good website full of blogs and technical data as well, which keeps you abreast of developments in FIDO. So let's just end with the classic question, which is: will we ever get rid of passwords altogether?
I mean, if you're saying a hundred percent, I don't think so. I mean, I think there's always gonna be some straggler out there, but I think the majority of the market will move to passwordless in some form or other. Because there's so much confusion between, you know, biometrics on the device and things, it may be difficult to get everybody off of a real password. And you can see supply chain attacks, you know, you've got the long tail of small and medium businesses that are gonna take a while to get there, and so the threat of password infiltration will be there for a long time, maybe forever. So
Yeah, I reckon so. Some people just like passwords, so what can we do? So, Mauricio, Hario, sorry, it's been a pleasure having you on today, and as I said, these slides, someone asks the question, are the slides available? Yes, they are. They will be available from the KuppingerCole website under the webinar section. Give it a day or two for them to be uploaded, but you'll also be able to see the recording of this along with the slides. If you do have any extra questions, then please feel free to email KuppingerCole and we should do our best to answer them, and I can also forward anything on to Hario as well. So with that, thank you so much for listening. Thank you for being with us. Thank you also, especially, to Secret Double Octopus for supporting us today, and especially to Hario for that excellent overview of passwordless and its potential. So with that, I'll say very good day.
Thank you. Bye-bye
Bye.