Webinar Recording

The Path to Going Passwordless

Log in and watch the full video!

Password-based authentication is no longer fit for purpose. Passwords are costly and difficult to manage, they result in poor user experiences, and they are easily compromised. This has been widely recognized for some time, but going passwordless is also challenging and continues to be elusive for many organizations.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
So good afternoon. Good morning. Good evening. Wherever you are listening to us in the world. My name is Paul Simmonds and welcome to this KuppingerCole webinar on the path to going to passwordless. And more importantly, what does it mean for your business? I'm really pleased to have with me in a little while Josh Green, who's the technical marketing engineer for Duo Security. I'm going to be giving us some real world feedback on what it means for businesses that they've been interacting with. So without further ado, quickly talk to you about the European Identity and Cloud Conference from KuppingerCole 2021. It's a hybrid conference. That's the world we're living in at the moment. It's going to be online and hopefully it is going to be in Munich, Germany as well. So we're hoping that that we'll go ahead. That's the plan at the moment, please join us.
We would love to see you either virtually or physically there present in Munich, great conference. If you've never done it before, just remember you are muted centrally. We're controlling this, so there's no need to mute yourself. We are recording this and it will be made available to you. And more importantly, you will see a go to webinar control panel. That is where you can put your questions for the Q and a session at the end. So, you know, make the most of it, pick Josh's brain myself as well and make the most out of this webinar. So what we're going to do today, I'm going to talk about the benefits and challenges. And this is really ahead of a white paper that will be published at the end of the week from KuppingerCole on the whole issue of passwordless. So that will be available end of the week.
Then we're going to have Josh talking about, you know, what happens inside organizations and what you should be thinking about. And then as I said, Q and a, so without further ado, Paul's words are broken. Look, we've known this for the last 20 years, the truffle dish, we're still using them and it doesn't get any better. If you look at the worst passwords, you know, 2018 to 2020, guess what? They're the same. They haven't really changed. If you look at the list of them, ultimately it's all down to this. The four PS people pick Paul Paul's words. Yeah. Complex passwords is an oxymoron. There's a great Bruce Schneier quote, coming up in a couple of seconds. And ultimately people have too many passwords to remember. You know, I looked at my password manager and I have only over 200 passwords personally to manage the crazy thing is at 84 years old, my mother-in-law who is not, you know, she has a tablet and she has a phone and she doesn't have an Amazon account or do anything online. She has 20 different passwords to remember, and that is crazy for a, you know, especially our elder generation who are technologically challenged. It just doesn't work for them. And ultimately passwords add huge amounts of friction into everything we do. And if you haven't realized this before passwords have binary authentication and ultimately, where should we go as a, as an industry, we should be going to risk-based.
So why passwordless so yeah, absolutely. The reduction of friction, the key one here is to eliminate the amount of personal information. Why do people keep asking for all that personal information from your age, your date of birth from your mother's maiden name, your inside leg measurement, or what, or what ever you have with within the system. We also have personal information. Why? Because it's the password reset password reset is a real nightmare at the moment. And it's all about, you know, how do we improve overall security? So we need to move to multifactor authentication. We are doing this to a large extent, but we also need to be able to do, bring your own identity for a lot of people out there. And obviously in organizations and businesses, we need the support for analytics and particularly machine learning, because that is how we moved to a risk-based a risk-based, you know, support for the whole password login thing.
And ultimately it's about these four W's. So we've done the piece now, the W's four W's it's about understanding context. So what, when, where and why, if we understand that about the person or all the system that is trying to log in, we can do a much better job of risk-based access to systems and information. And this is one of my favorite quotes from Bruce Schneier. Bruce Jenner is always really good for some quotes, but, you know, he talks about passwords about being an oxymoron. And he said, if just remember, it's something non-random like, Susan, individually random, it's something really complex. And therefore it's not easy to remember. And we've been fighting this with our users for many, many years. So why now a number of reasons why now, first of all, finally getting to the point where both business and users, except the alternatives we all are now carrying around.
If you'd have told me back in the nineties, when we started first noticing the fact that actually passwords will probably be on their sell by date, then that I be carrying around every day, every week of the year, it will be almost glued to me in glue tool. These users that we be carrying around a biometric device with us that provided multifactor authentication, I would probably told you that's absolute rubbish, but of course we do. And everyone does it certainly in the Western world, in large parts of the rest of the world out there, we carry around these things called phones, smartphones that provide multifactor authentication that have apps on them that also allow us to do biometrics, whether it's fingerprint, facial recognition or both pin authentication has become a reality out there with particularly Microsoft leading the charge on this. And we now have this ability.
We have an ecosystem with which we, which we can leverage to do it differently and hopefully better and more securely because it's no point moving away from passwords. If it's going to be less secure because you know, things are bad enough as, as it is. We have a lot more API is out there. So application program interfaces out there in both the applications that we are using day-to-day as organizations now allow us to bolt in various different forms of authentication, whether it's SAML, whether it's Fido, various other things and ultimately move on from, you know, what state of the art probably 15, 10 to 15 years ago, which is we gave all our people a token, which is of course, a device that you had to carry with you and remember to carry with you. And for a lot of us, actually, we didn't, we carried it in our, with, with our computer rucksack with our corporate laptop, as opposed to today, I carry my own phone with me the entire time.
So ultimately, if you are going towards a passwordless strategy, then it's really important that you treated as just that a strategy. So, you know, the little picture on the left-hand side of your screen is just to show you what a complex organization that most of us operate in today. And it's a whole mix of stuff that we own stuff that someone else owns, especially with cloud. Remember cloud is, you know, computing by someone else outside your perimeter generally, and a whole bunch of other stuff out there, including a lot of bring your own device, especially in the pandemic and post pandemic using bring your own device is a lot more common and actually a lot more acceptable for a lot of organizations. So ultimately it's, it's about strategy as you moved to a passwordless future. And the first one I would argue with you is this one, if you take away nothing else from, from my talk today, please remember bullet number one.
When you are looking at implementing a passwordless strategy, the thing you should keep in the back of your mind is what can you remove or retire because what you do not want to do implementing any kind of authentication strategy, whether it's password less or, or anything you do is add another authentication solution, because guess what your users are not going to love you for it, ultimately, where we want to go. And again, keep it at the back of your mind when you start thinking about strategy is a consistent approach. Can I do this once consistently in you're never going to get to a hundred percent in a complex organizations, but you know, it's the parameter rule. It's the 80 20 rule. Can I get to at least 80% of my systems and for a lot of my regular users, that will be a hundred percent of the systems they use on a day-to-day basis. Can you have a consistent method that they use once and properly to achieve authentication?
Again, this is one of those, you know, I used to have a boss who said, whatever you do with a strategy, don't try to boil the ocean. And she was a very clever lady and I, and she taught me a lot of really good messages to give you that's what I'll pass on. So ultimately, how do you not boil the ocean with any strategy? And the answer is you do this, you take the key systems and you'll find in most organizations that I've worked with, that there are probably about 20 or so key systems within your organization that your business cannot do without, that are prime to what everybody uses on a day-to-day basis, the obvious ones being email, but then you've got a whole bunch of other systems out there that if they go down or if they get hacked or if they lose data out of them, then they will probably, if, if you're a realistic company B share price effecting.
So if you're going to start a strategy, start with those 20 systems or 18 systems or 22 systems to define your rollout, new apps yeah. Have to be implemented. So define what apps are you're going to need to roll that out. End user training is absolutely key because rolling any of this out without end user training means that you'll get user resistance. And ultimately you want this to be as smooth as possible. And ultimately with the right solution, actually you'll get the users, tell each other, use this each much better, or actually count. I have this because these key people in the pilot are raving about it. So end user training is really important. Get the users on your side, target your existing solutions that use multifactor authentication. So if you're using tokens at the moment, make sure that actually you eliminate those tokens as part of your strategy.
If you're going to, if your strategy means we're going to replace tokens with something else, here's a good one. Leveraging free device certificates. One of the ways of actually understanding my devices and my devices, I might corporate devices is do they have a device certificate on them and actually for a windows shop, it's a one bit flip in active directory that allows you to auto enroll device certificates, via active directory onto those PCs generally. And most people don't use them. So again, go out, find out about these things, leverage biometric authentication. I said, most people are carrying around a biometric device with them. So use it pick upon them the covers, your key systems. So again, go back to that list of key systems that you've got, and then use that to go out with your request for quote or request for comment or whatever your process is within your business.
And say, here are my 20 key systems. Now tell me which ones you integrate with. And you'll find the, actually the, all, all the key players out there integrate with the major players out there these days, then think about interacting with third parties, joint ventures, because no business is an island anymore. We actually are made up of lots of connections and lots of authentication with other entities out there. A bit third parties, beer joint ventures, but whoever know the photo, you know, on the picture there, the photocopier provider. So how do you make sure that actually you can integrate with that photocopier supplier so that their engineers can come into your organization and deal with you with their photocopiers that they probably manage for you on an outsource contract. Think about how you're going to manage. Non-staff remember what I said about pull it point number one, what you can remove and retire.
Well, this one's really key because it's no good saying, well, I'm going to have a system in just for my staff. If I have to keep a totally separate system running because it doesn't cover non-staff and by non-staff it could be cleaners. For example, again, most people have that outsourced in a lot of places and ultimately, wouldn't it be nice if my authentication system also covered my door entry system, because again, we've removed or retired another system, but if you're going to do that, how the cleaners going to get into the building because you don't employ them. So again, it's strategic. Think about those kinds of things. And ultimately the final one is integration with people management. Ultimately, if you are thinking about an authentication system and you say, well, we are going to be the system of record for people's authentication. I think if you go and talk to HR and the HR board member, they will turn around to you and say, no, we are the, the system of record for people in this business. So as much as it think they might be for access to systems, you will get into an argument with HR very quickly. So again, my advice to you based on, on, on bitter experience is the first thing you should do when you're thinking about this strategy is go make friends with HR.
So issues to consider, will you be a strategic benefit to the entire business? This is, this is about being seen by the business as being a strategic benefit. So key systems. Yep. Absolutely. Or do you need a hybrid strategy? Are you going to support B bring your own device in which case, which devices are you going to support? Yeah. Which OSS, which legacy versions are you going to support? Are you going to want to add machine learning around analytics? And I'd argue with you, you are, because that is the future for actually upping the quality of the risk decision you make about whether you're going to let someone access systems is this part of a KM strategy. So what, what are you going to use for your consumers? Is it going to be a separate system or actually could we use the same system for both? That would be really nice because we've eliminated another system. The ultimate test is do our users. I'm going to turn this question around. Do I use this thing that we have reduced friction for them? So again, look at it from the point of view of your customers, your users, have you reduced friction for them and then look at it from the point of view, if you're not working in security, you're working in it.
Is this going to improve overall security? Can you sell it to the CSO, the chief information security officer, and then to the board, how are you going to deal with privileged access management or Pam strategy? Again, those questions that you need to ask yourself is a big, if you put a system in, is he going to be a single point of failure? In other words, if it gets hacked or goes down, do you lose access to everything across your entire organization? So again, nasty questions you should go out and ask as part of that RFQ, how are you going to deal with bringing your own device users who upgrade their devices? And I don't know whether this translates, but in, in Britain we tend to call this a, a break glass strategy. In other words, if something goes catastrophic, really wrong, how are you going to break the safety glass and get access to that back end into your systems. In other words, if you're, if everything else goes down and you actually need to get into that server to let's say, shut it down. How are you going to do that? If everything else has failed out there. And ultimately in any system that you go out and purchase, understand what is actually at the back end? Is it something on premise? Is it a hybrid solution? Is it something totally in the cloud very quickly?
This is one of my favorites of how not to do it. This is, you know, we all know that people go out for a smoke. This was the escape fire escape door that everyone used for the, to go out for a smoke and guess what? They changed the code. So some joker thought, great, all these smokers need to get back into the building. So we taped to the door, the code. So it's very convenient. As you can see, passwordless done right, is more convenient than username and password. Yeah. It's more traditional than traditional to FFA. It allows leveraging of other authentication methods, built into many devices and ultimately it delivers you contextual access. This is the four W's and provide you the foundation for a normally detection. And I'm going to argue as an ex CSO from multiple large household names, it is more secure.
So in conclusion, greater flexibility for staff, absolutely frictionless. Is it ever going to be frictionless? It's certainly going to be reduced friction. So be careful of how you sell it within your organization. It's certainly going to be reduced fraction. And why, because of the, the fourth bullet on this list, step up authentication. We want actually to have a system whereby if we're doing risk-based access, then step up authentication is really key. In other words, our risk profile and what we're trying to do, NGOs are he's now to Al he, you know, Paul Simmonds is now trying to do something outside of our comfort zone. So we better actually step up the authentication and ask him for more validation that he is who he says he is. And we've already seen this with things like PDs too, and all the European legislation around finance, which is why I'm sure it's exactly the same in other countries, but certainly in the UK, if I want to log into my bank account, I can log in and I can look at how much money I've got.
But if I actually want to start transferring money, it's going to ask me for a lot more information, especially if it's to an account that I've never transferred it to before, can we do a continuous authentication? I think, you know, that's one of the key questions you should ask. So not only is it a one-time authentication, but actually if we keep monitoring what this user is doing, we can do continuous authentication and bring a lot of other attributes of that identity into play here, done properly. It reduces the compromised by a bad actor, because it becomes harder to impersonate you because not just knowing your password or not just knowing your inside leg measurement, it's actually about having the right device and being in the right place, the right time, doing the right thing that is going to work for you significantly reduce help. Desk calls helped us. Cause they're talking about somewhere around about, you know, 60 to $70 a password reset in true cost for help desk, which is crazy. So overall cost savings. Absolutely because ultimately if you want to be seen to the business as a partner and a player, then overall cost savings, if you can deliver, those are really key.
So with that, I'm going to hand over to Josh, Josh. Welcome.
Thank you very much. My name's Josh green and I may technical marketing engineer at Duo, which is part of Cisco. And we're gonna talk a little bit about the password, the story as, as, as we see it. And you know, we've already talked quite a bit, or Paul talked quite a bit about the problems of passwords
The, the real thing is if we agreed the passwords passwords are the problem and they need to go, what does password this really mean? Because not everyone actually has the same definition of that. Right? And in fact, you know, we really need to just get down to terms, right? So passwordless authentication for our point of view, removes the shared secret, the something, you know, factor from multifactor authentication and realize, instead on something you have and something that you are, right. So we talked a bit about biometrics, but also of course, you know, the device is potentially part of your identity because in fact, there are patterns to what we do in our day-to-day jobs, right? We may have more than one device that we use, but it usually doesn't change on a day-to-day basis that we're bringing in devices we've never seen before. And so, in fact, it is a piece of your identity.
And, you know, as, as Paul talked about, the, the moment is now not because the idea was first hatched now, but because it has dependencies, right, there are things that we need to have in place for passwordless to really be not just a flyable solution, but he can an economic solution in a user-friendly solution. So the ubiquity of smart devices be they smartphones, tablets, you know, things like that that are capable of now doing biometric based authentication, right? Fingerprint readers have been around for decades, decades, right? Most of us never saw them, never really thought about them. Never really heard about them because there were these proprietary solutions. And if you adopted a particular piece of a particular solution, you needed to buy a particular set of hardware that hardware only worked with a particular set of drivers, potentially only on that particular set of devices.
And so it'd be, it was a niche thing for a long, long time until suddenly apple put a fingerprint reader in everybody's pocket who owned an iPhone, Google of course, followed suit shortly after now, all of a sudden it's everywhere. And so it teaches us that, you know, in order for the solution to become mainstream the technology, it depends on has to become mainstream first. The other thing that was a problem with the earlier hardware was that, of course it was using their own proprietary standards instead, amazingly and thankfully, most of the solutions out there today are now relying on open standards. So Fido that Paul mentioned earlier has become pretty ubiquitous. It's being used in everything from, you know, touch ID on a Mac to, you know, fingerprint reader on Android to hardware tokens that you can purchase separately, that you can stick in your USB port and touch, right?
There's just a huge range of devices and solutions now all using this open standard. And why is that important? That's important because we also want to make sure that we don't just improve security. I mean, that's great, right? If we improve security, but we need to improve user experience as well. There's a great expression out there that, you know, when it comes to security nightmares, there's nothing more dangerous than an employee with a tight deadline and a credit card because if push comes to shove and the security solution is getting in the way of them doing their job, they're just going to go buy some other shadow it solution. They're going to share sensitive data with it. And then you'll never know, forget worrying about the password, right? The data's gone, right? So we need to make sure that we're constantly paying attention to both of those things or else. Unfortunately we lose.
And obviously there's, there's some, there's some other issues, which is that not, everyone's going to define this in the same way. There are other vendors out there talking about the fact that they can obfuscate the password from the user as being passwordless, even though in the background, there's a password stored in a vault or a hash is being passed around. And just like in the early days of MFA, right, there are various solutions that were being put out as MFA receiving SMS, text messages, good, old fashioned, hard tokens, soft tokens. And then there was push-based and Fido based MFA, not all equal, in fact, some far, far more secure than others, but unfortunately it required a bit of education in the marketplace to make customers aware of what the differences were and why they were important. And I think to some extent that would be the case for passwordless as well.
That it's really important to understand why truly switching to a cryptographic solution over one that is simply obfuscating. The password is very important. Also, of course, any solution we arrive on, any standard we adopt probably won't on day one, be supported by every system in a complex environment, right. As Paul said, right, you're not going to be able to boil the ocean. And any solution that claims do will either likely fail outright or we'll be far more complex than you than you ever hoped for. Right. So it's good to prioritize things of high sensitivity and figure out, you know, sort of one of the things we really want to migrate first. And of course the technology while becoming mainstream is actually still evolving really quickly. So we had 5 0 1. Now we have Fido two in web authen. And in fact, at the end, we'll talk about sort of where we're, where we think things are going next from a standards point of view.
So what's our vision for this and what this ought to look like. Well, obviously we want to be, you know, clear about use cases and capabilities. We want to make this easy for end users. And as a result, sort of the obvious, low hanging fruit for us is federated applications. And that's actually for, for a couple of reasons you might not think of, but if you were to ask an end user to, you know, what is single sign-on, what is a federated application, single signup, they would say, oh, what's that thing that means I don't have to sign in all the time. Right. It makes my life easier. It means I only have to log in once it's a convenience tool. Well, that's amazing because in reality it isn't, that's not what it was designed to be. It was designed to address the problem with passwords, right?
Because the, the world pre single sign-on was, I have a password on every single web application that I use. Right. And in an ideal world, they're strong and random and complicated, and I definitely don't reuse them, but of course, as Paul's research showed and as research shows time, and again, in fact, people reuse them all the time and the passwords, probably not that good. And so that created a challenge of my security is only as good as the worst place you reuse your password. And if that place gets breached, I'm in trouble. And the government of Canada had that problem just last year, where they were breached, not because of a vulnerability in their infrastructure or a port that they left open or something that was unpatched. But because someone did a password stuffing attack because they'd recovered the password from somewhere else and they were able to use it on their site.
And that was it. It was as simple as that. And so single sign on the idea was to say, I don't want to be sending passwords to all of these different websites and relying on them to protect it. I want to centralize that establish a cryptographic relationship with, of trust with the other third sites. And I want to be the one in control of the password in one place. And that's a fantastic, fantastic innovation, right? Our view on passwordless is first step into the market should be to just take it one password further, eliminate the centralized store password and replace it too. With a cryptographic relationship, users will be familiar with the workflow. Admins will be familiar with the infrastructure and the security benefit is huge,
We also want to make sure that we're identity agnostic. You know, Paul mentioned Microsoft's got some solutions out there. They absolutely do. However, they're very much tied to the Microsoft ecosystem and to not only to the Microsoft ecosystem, but to the windows 10 operating system itself. And if you happen to be a business that literally has never seen a Mac walk through the door or a Linux machine walked through the door, maybe that covers all your use cases. If it doesn't, we want to be able to play nice with that, but also be able to play nice with everything else, right? So you want to be able to make sure that we can roll it out regardless of what infrastructure we encountered. And of course allow you to create granular policies to roll that out to subsets of your population, as you see fit. And it needs to be consistent and easy to understand for users, right? So once you've registered, you know, it should work for all, you know, as many applications as possible. We want you to be able to register multiple devices, that if you happen to lose one, that doesn't necessarily necessitate a help desk call because today, somewhere between 25 to 50% of health help desk budget goes to dealing with password resets. We don't want to replace one problem with another right of the same magnitude. And so we want to make sure also that the, the ability to recover from a lost or stolen device is also a seamless
And easy as possible.
So let's take a look at what that's actually going to look like. So the first thing we have to do is enroll. And towards the end, I'll talk about sort of some things we think are coming in the future that will make this even better than it will be in version one. But the basic idea here is to have a workflow that the users relatively familiar with from the outset. So I want to access an application in this case, we'll say it's Salesforce really could be any federated application. Doesn't matter to us. And I go to sign in and I put in my username, I've not enrolled in password list yet. So right now the system expects me to log in with a username and password, and then it's going to prompt me for MFA. Once I've done those two things, we've got a pretty good idea that we verified.
My identity now is a great time to turn on passwordless. And what that's going to involve is either a device that's capable of doing something like touch ID, like a Mac or windows, hello, like a windows machine or a mobile device like Android or iOS that have biometric capability as well. The key thing we're really looking for here is a trusted platform module, or a secure enclave of some form, because what we're going to do is just like when you enroll for multi-factor authentication, a provider like duo, that does push based notifications. We want to generate an asymmetric key pair so that the user is the only one to ever see or touch the private key. And we're simply going to get the public key that allows us to have transactions with that user. So here we're going to offer the user a list of options based on the device.
We detect them being on here. We detected that the users on a windows device, and so they can choose to use their mobile with the dual mobile app. If it's biometric capable, they can choose to use windows. Hello, cause their devices, windows a low compliance, or they could use a Fido, two compliance security key that they apparently have plugged in as well. This user is going to choose windows. Hello. And so they're prompted with the native windows. Hello, pop-up here to verify their identity with windows. If they weren't enrolled in windows, hello, that would actually take them down the windows, ALO enrollment flow automatically as well. This user is already enrolled in windows. Hello. And they've been recognized. So we're simply going to set up a key pair based on that duo gets the public key and we're registered that's it. So now it comes time to authenticate, right?
And we come to the application again, it may or may not remember our username from last time. If we've been to this application before it will, we won't have to type a thing. We're not asked for a password. We're simply asked to authenticate biometrically, and that's it we're logged in. Before we go ahead with the slides here, I'm actually going to show you that that's not theoretical. We actually have that working in the real world. And I'm going to do that by going to Cisco umbrella, which is a very common federated app in the Cisco world and helps to put the right username. And we're going to put my username in here and we're gonna get passed off to do it. Now. It has received from umbrella my username. So I actually don't have to type anything into duo at all. In my case, I'm on a Mac.
So here I'm being prompted for a fingerprint biometric from touch ID. I provide it and that's it. I'm logged in that's the entire workflow and it actually works. So that's where we're going with that. And the idea there, right, is any user who's logged in with MFA. One will find this to be a familiar process, but additionally, we want them to feel that it's actually even easier what than what they were already doing. And we'll allow them to enroll other devices as well. So if one day they're on their phone, instead of their laptop, that's fine. As long as there's sort of a chain of custody where they can either do MFA or they can do passwordless to validate the new device and that's going to be fine, but we need to consider things a little bit more deeply than just being passwordless right. You know, we could take this current situation and just do that, right.
But then again, you'd be enrolling multiple times. The workflow for the user would be onerous. And there's the question of sort of, you know, that's all well and good, but we're, we're still entrusting the enrollment to each application. And we're saying, well, these all, all these applications have to support our standard. It could work, but it's not ideal. What we really want to do is this, right? This is where that federated use case comes in. We want to take it one password further and, and link those two together. And that way, essentially your entire identity, from the point of, of sign onto your corporate single sign-on solution, then we were relying on existing trust relationships there. And we really don't have to modify or expect anything of these downstream applications at all. Now we're not done there, right? Because we're saying, Hey, your device is becoming part of your identity here, right?
It's a secure enclave, securing your keys. We kind of need to know that that device is secure. So just doing passwordless, isn't quite enough. We still need to consider device trust, which is why we have a lot of robust tools within the duo solution to check, you know, is that a, is that a device that's trustworthy from a posture point of view? Is it trustworthy because it's a corporate device, you know, is it, is it done anything weird, like impossible travel or, you know, is this a device that we've never seen that user used before? Even if it appears to be a corporate device, that's kind of weird. And of course we want to be monitoring, you know, which app, you know, when we're coming to an application that that do is protecting, is that an application you should have access to? Is it an application you typically access?
And that brings us towards sort of a more continuous form of trusted access and, you know, that's also fantastic. That's great. But I think we would still probably all agree. It's not the destination. It's still just a step up on the journey. And so what we want to do of course is talk about what's coming next. So the first thing is, as we talk about, but the initial release is going to focus on federated applications in a number of systems that uses embedded browsers, even if they're using a single sign-on. And there are some issues in some operating systems with getting information in and out of the embedded browsers that we can verify device trust. That's something that we're, we're actually working very actively on so that we can support thick clients. We also want to be able to single sign, you know, single sign on you in all the way through, from the moment you log into your machine, into all of your cloud applications.
So that one password let's log on gets you all the way through. And again, there's really only one good solution out there for this at this point, it's Microsoft and it's completely dependent on absolutely everything involved being windows based and Microsoft based. We really want, as I said before, to be completely vendor again, fantastic about this. We've worked with Microsoft, of course, but we've also worked with Okta and ping and a whole bunch of others, so that when we launched this, it's going to be something that's really able to work with. Any infrastructure you have, you don't need to commit to any particular ecosystem in any ecosystem you happen to be committed to. Isn't going to be a problem for us. So that's really important to us. And of course, again, we want to add in those contextual risk bakes based factors. So things like, you know, we logged you in passwordless this morning and we signed you into everything, but you've suddenly changed networks where you've changed location that should be caused potentially.
And it would be up to you as an admin, but that should be caused for potentially doing a step up with an occasion. We think that's really important to have. And of course, by contrast, right, if you logged in this morning and nothing changed, you stayed on your trusted device all day. You used applications, you use all the time. We really don't want to bother you, right? The solution should be as invisible as possible unless we really need to do something to verify the user interactively, right? And so we want to stay out of your way. That's where we think things are going in, in sort of the near term. And we think it's a really important step towards getting us away from passwords. One of the things I think is interesting as Paul had a bit of a Freudian slip there that I think was really interesting.
I think he intended to say, bring your own device at one point. And he said, bring your own identity. And the reason I say that's a Freudian slip is because I think that's actually a really telling next step, right? A lot of things have changed around authentication in the last five to 10 years, but identity itself really hasn't changed, right? It's it like passwords has become centered, more centralized, right? You see now signing with apple sign signing with Google, sign in with, you know, whatever it is, but there's, there's still a centralized at any source. That's not really under your control. And one of the things I think that's really cool about what we're, where things go, where things are going now is towards truly digital identities, right? Digital identities are actually becoming possible. Now it's based on, you know, technology that, you know, you may have heard referred to as blockchain, but really what they are is distributed ledgers.
And the idea that essentially you as the user, just as you hold your private key for MFA, whereas before it was a shared key, right? Which is what led to the RSA breach. We had shared keys and the tokens and shared keys on RSA servers whereby when RSA was breached, you were breached, well, we don't do that anymore. Right? You hold your keys for MFA. And you're the only one that holds them. We think it's going that way for identity as well, where you will be the holder of your own identity. It will be certified by various different providers that you might want to use it with, but you will in fact, be able to bring your own identity cryptographically. Passwordless only to lots of different places. And we think that that's going to be the next sort of evolution in passwordless and the next step on the, the security journey, because what we really want is three things, strong cryptography, right?
Which we already have biometric verification, which is what we're talking about as the first step in, in passwordless. Right. And finally, we want it to be auditable, right? We want to have a, a track record that we can use to build a pattern of trust. Because of course, you know, if we start to see things that are anomalous, even if we know that it's you, right. Even if we verify your identity, for sure, if we can't trust the device, if we can't trust the pattern of activity, we actually still have a problem. We probably still shouldn't let you in. And so we think that's really an important step. That's coming down
The line as well.
And in reality, it doesn't change the model much, right? Every, most of the things we do today, when it comes to making a transaction in a store to making a transaction online, it looks roughly like this, right? We have a governance authority that issues some kind of a framework around which we're supposed to verify things. We have issuers who issue identities, you know, and that could be anything from a physical plastic credit card to a driver's license. Right. But they issued them to a holder who provides it to a verifier that could be giving a credit card to a merchant to be given your credentials to Cisco umbrella, to log you into the cloud service. And that verifier based on relationships with that governance authority and the issuer decides to either trust you or not. The key difference being though right now, all the things that should be really easy for the user are hard.
And all the things that should be really hard for the criminal are pretty easy case. In point, let's take that driver's license or credit card example, wouldn't it be really convenient if you could just make a couple of copies of your driver's license, that way, if you leave your wallet at home, you've got an extra one that you could use, or, you know, an extra copy of your credit card that you could have in case you forgot, you know, one in, in your pants one night. Well, that's really hard for you to do as a legitimate end user today. In fact, in some cases it's not even legal criminals on the other hand, do it all the time, right? They can swipe your credit card with a high gain antenna and an RFID reader, right? Really, it should be the other way around. If you think about it, you as a legitimate user should be able to create a digital copy of your identity that you can use on your tablet instead of your phone.
If you want to, you might need an extra copy of your credit card. In fact, that's come into play with apple pay. You can do that. Now, if you want to have your credit card digitized on your phone, you can do it. We think that's coming to identity, right? We think this is going to move into that space where you're the legitimate user as the holder of this cryptographic identity, we'll be able to do basically whatever you want with it, but it should also therefore be extremely hard for a criminal to do. If they don't have access to a private key, that's hopefully stored again in a trusted platform module on a device you physically control and that you can only unlock biometrically. So it's an evolutionary change, not a revolutionary change in the technology, but we think it will become a revolutionary change in how we think about identity, how we think about authentication and how it actually gets done in the real world.
And so from my point of view, that's really exciting and, and frankly really overdue. And so a number of different groups have formed around that. Very similar to the Fido Alliance. There were four or five of them floating around until about a year ago. When a group called trust over IP was founded. The Linux foundation, which is a nonprofit organization, was sort of the catalyst for that to bring together all these different groups. And they're working on setting up a, an open source, free standard to define how this is going to work. They've actually gotten pretty far along with it. They've recruited a whole bunch of partners. We've already talked about Microsoft they're involved. And very importantly, we also talked about apple and their role in touch ID and bringing biometrics to payment. They're also involved here and they've said that this standard is coming to iOS 15, albeit probably in their own slightly modified form because that's just the way apple does things.
But nonetheless, very exciting. They've gotten some governments on board. They've gotten a whole bunch of financial services involved, device manufacturers, identity providers. That's where we sort of think this is going. And you know, really this, the passwordless journey is, is the first step. So we think it's really important to get started on that because what's coming down the line is really, I think, going to change how things, how things get done overall. And it solves a lot of problems for us, right? It, it solves the issue of being dependent on passwords for enrollment. And passwordless, it allows us to validate transactions, not just authentications, right? Cause identity gets involved there. It allows us to remove our dependence on other identity sources for user authentication, right? We of course may want to consult other sources for authorization, but it really gives us some independence that we didn't previously have because of course we can independently and cryptographically validate you.
And it also allows for portability. And that's where that bring your own identity part comes in, right? If duo is a trusted identity provider and you can validate that our identities have been confirmed biometrically, maybe we don't need you to enroll in all these other applications all over the place. You could actually have this portable identity that you could bring with you. The other thing is that the standard defines that it will work as also be able to work as a virtual smart card. So it's another potential avenue for us to move away from having to be web-based and actually lets you deal with on-premise non SAML based applications as well. That part of the standard still being worked on. So that's probably a little bit further down the line, but the potential is there. So that's pretty exciting and it's really not speculative, right?
It's, it's sort of a logical step into the future just as we went from, you know, hardware tokens to soft tokens, to push base notifications to biometrics. This is just sort of the next step there. And what's really exciting is that because apple is bringing it to mainstream iOS devices, you know that Google's going to follow suit. And of course, the moment the hardware is in everybody's pockets, it becomes much easier to bring this into the, into the mainstream. So it's pretty cool. And with that, I think it's time to open it up for questions in a bit more discussion.
Fantastic. What a view of the future. Thank you. Thank you very much, Josh. I love the demo in the simplicity of it as well. That was really, really neat. So we've got a few questions come in for you. So the first one is, and I'll, I'll make it generic rather than the specific question that was asked for those of us who still have to use VPNs within our corporations. Is it possible to leverage passwordless on your, on firing up your VPN? Because I think that's the bane of a lot of people's lives is, is having to fire up VPN application, get out their token login with it every time they want to connect to the corporation.
Yeah. It's a hundred percent our goal to do that. As I mentioned on one of the slides there, some of the solutions use embedded browsers, some of them don't the ones that don't will be easier than others. So for example, Cisco is part of the password. This roadmap, any connect is going to start using your native browser instead of the embedded browser that it currently uses. And that will fully enable the ability to do passwordless through that VPN connection as well. And we're not the only vendor thinking of that. So yeah, that, that shouldn't be a problem much longer. Initially you may find if, if your, if your particular VPN is using an embedded browser, you might have some challenges there. Although if you have client lists capabilities, that will certainly probably work out of the box, but that, that should be something that goes away relatively quickly. If it is a problem at launch,
Fantastic, I'm going to have to read this one. It says I really liked password lists. I understand that the key is stored in the TPM for it to work or, or obviously the secure enclave, what is needed when a user needs to log on, on it onto a second PC in the company, assuming the username and password is needed.
Yeah. So I mean, it's, it's an interesting one because it depends on the use case. Obviously the device is part of your becomes part of your identity. And I certainly in terms of just best practices would strongly suggest that users consider having at least one mobile device amongst their registered devices, reason being, if you show up at that new PC that you need to use, and you've got your already enrolled device in your hand, dual is going to let you enroll the other PC too. Right? Cause all we need to do is validate you. So we validate you on your phone. We validate with the phone and we know therefore that you, who we recognize and the phone that we recognize are standing there. And you'd like to enroll this new PC that also we check the posture and we're happy with the posture and we check maybe that it's a corporate device and we're happy with that.
We're just gonna let you enroll that it's gonna be really easy and you'll snap a picture of a QR code or something like that, or you'll touch it. You know, if it has windows low capability or biometric capability built into it, you'll just, you know, touch your fingerprint to it or what have you. And you'll be able to enroll it. If you only had one device enrolled and you had a PC, you know, back home that you couldn't bring with you and now you need to enroll in this other device. What we're going to do is we're going to fall back on password plus MFA another reason which would be good to have, you know, a phone as an enrolled device. Cause we're going to send you say a push notification to your phone. Have you validate that? And again, we'll be able to follow the same process, but initially of course that means you will still need to know what the password for the account was to get that enrolled. That's one of the promises sort of, of the trust over IP technology. That's a little bit further down the line is even for enrollment. We may not need to have a password at all anywhere ever, but initially the easy fallback is to go back to the workflow. The user already knows, do password, do MFA and then allow to allow them to enroll the new device.
Okay. I mean, in terms of, of the, the trust over IP foundation and this whole password listing, I mean,
What, what timescales do we think?
Well, it's a fantastic question because if you had asked me, I mean they're only just over a year old and if you'd asked me nine months ago, I would have told you, I think it's four or five years out. The fact that apple at that point, apple wasn't on board. At least not as far as anyone knew publicly, right? They hadn't publicly done anything. The idea that it's going to be in everybody's pocket on top of that, the other thing they announced during WWDC was that they've partnered with all 50 us states to digitize driver's licenses. So when I was 15 comes out or very shortly thereafter, everybody in the U S is going to be able to choose their driverless license and start using it in the U S I find it very hard to believe that won't catch on relatively quickly, elsewhere. Obviously there are efforts in the Netherlands and in Germany to do similar things, although they're not using the open standard yet.
Although you may have noticed on the slide of people who involved, who were involved there, bank and commerce bank in Germany are involved. So they're developing their own solutions based on the standard as well. So I'm starting to think we're no more than two years out from this becoming pretty mainstream. There was another webinar that I think you guys actually did with a company called one cosmos, where they were started talking about at first, they think it's going to be different sort of slightly separate ecosystems that do this, sort of bring your own ID thing where they'll talk to other things in their little ecosystem, but the idea essentially over time, and this is what the Linux foundation is pushing for is to start using Hyperledger, which is their open source blockchain. It's not a cryptocurrency, it's just a blockchain to allow you to have interoperable networks where an ID from one place can be brought to somewhere else.
And if it needs validation, it can be validated Microsoft working on this Azure, Azure P two has a preview of something. They call verifiable credentials where they didn't get any government partners on board like apple did. So what they've done is they've gotten about eight different identity proofing partners out there that will go and check with the government for you and do whatever kind of process they would do to validate you. To me, that's a little bit more nebulous than what apple is doing, where they sort of went directly to a trusted government source, but you can see there's a lot of thinking going on in that. And so I don't think it's more than a year or two away.
And, and I've got a request in here. Can you just remind us where to go and find more information on, on the trust over IP foundation,
That foundation itself just trust over ip.org.
Easy-peasy okay. There's
A whole bunch of all of the, all of the underlying organizations still exist as well as the distributed identity foundation. There's the global legal entity identity foundation, which is a bit of a mouthful, but I kinda like it anyway. There's the sovereign identity foundations, a lot of different groups working on this, the Linux foundation itself so much like Fido, right. Which has been super important. Like Dua was a founding member of Fido. We've been really involved in that as well. I think these kinds of open alliances that lead to sort of interoperable standards are really, really cool and really important. And so, you know that that's also exciting. I'm glad it's not a proprietary technology.
Yeah, no, absolutely. So just look at some of these questions here, how do we handle password lifetime expiration and password update? And I'm, I'm going to throw into that. How do, how do we rotate keys?
Well, it's an interesting question. You know, it's the, the, I guess the trick is how do we, how do we arrive at the trust really is, is, is the most important thing, right? We've had this, this has been going on since way back when SSH keys came into being right, because there was the issue of, well, anybody can create the owner SSH key and they can provision it to a server and it becomes your single one and only credential and, and that's it. And so we got to have these systems to rotate the keys and to manage the keys and to make sure that people can't just push their own keys onto the server and give themselves access and you know, a bit of a mess, right. And the same is true, sort of, you know, with, with certificates, right? Obviously if, if an authority is compromised, you know, that would be a huge problem.
And so we want to make sure that, you know, they don't last forever and things like that, vis-a-vis password lists it, you know, some of the same challenges apply, but some of the same challenges don't apply because the key itself is not your only piece of authentication, right? It's also your biometric. And certainly one can envision a threat model for certain users where somebody might come and steal your device and cut your thumb off. But because we're still, we're still doing multi-factor authentication, right? The certificate that the key involved is not your only access credential. We feel the threat models different. So at the moment, there's no real intention to force you to rotate the keys. You'll certainly be able to write, do you want to re-enroll users, you want to force a user to re-enroll, you'll be able to do it, but we don't see necessarily the urgent need to force you to do it the way we would in the circumstance of like an SSH key, because in that case, it's your only credential. If somebody grabs it, they've got everything they need in this case. They won't. And so we think it's a little bit safer, but it's a good thing to consider.
Yeah. Yeah. So if you're in row, if you're rolling this out within most typical larger organizations, they've got a huge amount of legacy. How, how do you deal with somewhat? Someone's also, how, how do you deal with a very old application built in, for example, to cobalt?
So it's a great, it's a great question. Our solution is that obviously we're not gonna be able to get you to modify that application the same as if you've got a system three 90 in the basement, right. It's not going to happen. So the idea is to wrap it in a layer of protection. And so the way that we plan on doing this, and this is going to work basically from the initial release, once we released the, the updated version of our reverse proxy is to use our river a reverse proxy so that the application is accessible potentially even without VPN, right? Cause that's the promise of reverse proxy from anywhere. But before we let you even dare connect to that server, we want to have you verify it already. So you'd reach the reverse proxy reverse proxy would do. Passwordless authentication on, you would verify the trustworthiness of your device and then it would establish a tunnel to that application for you and the new version of the dual network gateway.
If you've not seen it before, it's going to be able to do all TCP ports and protocols. We've tested it with everything from file shares to Minecraft. It works great. And so the idea would be, you'd have to pass those checks before you could connect and a little bit further down the roadmap, because we talked in the slide deck about continuous access. Is if anything changes, maybe we cut off that tunnel. We, we break your access to the system, right? And as a result, you know, you can continue to rely on those legacy applications, knowing that if the users even made it there, we checked them out already.
So the, the, the user, the, the future is password less than the future is risk-based authentication.
Fantastic. Josh. It it's been really enlightening. Thank you very much for your time. And thank you very much for the insight. I've, I've certainly learned a lot listening to this, and I hope everyone else on the, the webinar has just leaves me to give you a couple of quick plugs, the first one about KC plus. So it's our content and research easily searchable directly available, pay once, read it all. There we are, can't say better than that. Just remember that the, the white paper from us on passwordless is going to be available towards the end of the week. So please watch out for that. And final reminder, please join us in Munich or online, depending on how the pandemic is calming down. So in September, we'd love to see you there. And yeah, here we go. This is the, the KC digital advisory. So again, another offering from, from KuppingerCole you get expert knowledge in, in particularly identity and access management, cybersecurity and beyond, and a series of masterclasses.
So again, these, these are, these are actually really fun. I've been involved in a couple of these, you know, the all day virtual classroom and, and other, such things up-to-date research, join us for the Casey masterclasses and lots of research out there. So please join us for lots of things. Take, take, take us, take as much as you can. Yeah. Use the, use the analysts out there to, to build your knowledge within your particular businesses and with that, we are up to the hour. So thank you very much for attending. Thank you to Josh. Thank you to a duo for helping us with this. I hope you have learned an awful lot. I know. I certainly have, and we hope to see you on one of these very soon. Goodbye.

Stay Connected

KuppingerCole on social media

Related Videos

Analyst Chat

Analyst Chat #153: Passwordless and Biometrics - Balancing UX with Security and Privacy

Alejandro and Matthias continue their conversation about passwordless authentication. This time, the topic is the use of biometrics (and possible security and privacy concerns related to their use) as an authentication factor.

Webinar Recording

Making Passwordless Authentication a Reality: The Hitchhiker’s Guide

In this webinar, Bojan Simic, founder and CEO at HYPR, and Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, share their insights and experience on what to consider when moving towards passwordless authentication, and making this a reality. They talk about solutions, but…

Analyst Chat

Analyst Chat #148: How to Improve Security with Passwordless Authentication

"Passwordless authentication" has become a popular and catchy term recently. It comes with the promise of getting rid of the risk associated with passwords, however, organizations will add a significant layer to the overall security of their IT infrastructure. Research analyst Alejandro…

Webinar Recording

Better Business With Smooth and Secure Onboarding Processes

In the modern world of working, organizations need to digitally verify and secure identities at scale. But traditional IAM and CIAM strategies can’t identity-proof people in a meaningful way in the digital era. Finding an automated digital identity proofing system that is passwordless…

Webinar Recording

Fixing the Way the World Logs In

Passwords are quickly and easily compromised, they are costly and difficult to manage, and they result in poor user experiences. Many organizations are looking for alternatives, but find it challenging to identify appropriate passwordless and phishing resistant authentication solutions that…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00