Webinar Recording

The Compelling Case for Risk-Based Adaptive Authentication

Log in and watch the full video!

Consumers and employees are increasingly on-the-go, and that means that more transactions and more work originates from the mobile phone. Fraud and data loss rates have also been rising. A plethora of mobile-based digital identity technologies have entered the market over the last few years to help businesses and other organization meet these challenges.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Welcome everyone. Good morning. Good afternoon. Thank you for attending our co Cole webinar on the compelling case for risk based adaptive authentication. I'm John Tolbert from co Cole, and I'm joined today by John McKinna, the product marketing manager from I global. So before we begin just a little bit about ourselves, keeping your Coles a global Analyst company, we provide a variety of different products and services. We do research. So we have executive uses on products, leadership, compasses, which are comparative reports of products and specific markets we take and give Analyst briefings. We do webinars like these advisory projects, conferences e-learning and, and meetups, and we're focused on identity and access management, cybersecurity and AI.
So, as I said, our leadership campuses, our comparative reports, looking at all the different products or services in a given market, executive views and overview on specific products or services. We also write research notes in depth ones. We call advisory notes and shorter ones called leadership briefs. On the advisory side, we provide strategy compasses for customers. We also look at customers portfolios, help them determine maybe what they're missing, what they need. We do tech tech compass, where we also do requirements analysis and help them fill in the gaps that they may have technologywise and provide project assistance as well.
On the event side, we've got a number of events coming up throughout the rest of the year. In fact, starting tomorrow, we have our consumer identity world in Seattle, which also happens in October and Amsterdam. And then in early October, we have the cyber next summit in Washington, DC followed by the cybersecurity leadership summit in Berlin in November, then also AI impact. And then next year cybernetics world and our flagship conference EIC happens in Munich every may. So logistically we'll take care of all the audio control. We will be recording the webinar and it will be available probably tomorrow for you to download and listen to. And then we will take questions and answers at the end, everybody's muted through the beginning, and then we will open it up as needed at the end.
So I'll start off and talk about modern authentication technologies. What we see as the risks and benefits, and then John McKenna will take over and address some other issues related to that. So risk based adaptive authentication, I think of there four major components to that start with analyzing, taking a look at various factors at runtime or at transaction time. So let's say every time a user wants to authenticate or authorize the transaction, they're various factors that should be taken into account to help determine whether or not such transactions should take place. They also need to be intelligent. And by this, we mean looking at up to date information about what the current threats are out there, patterns of fraud, if any of the factors that we talked about at number one, there happen to be present that might indicate fraud policy based so that administrators and individual companies can set their own tolerance levels for the, the threats and risks that are out there and choose what the follow up actions are. And then lastly, interoperable, we see more and more companies that are interested in augmenting their authentication services, but don't necessarily want to replace their entire identity management infrastructure. So interoperability is really important to them.
I think we also need to consider what do users want for authentication? Well, I think it's safe to say we're all tired of passwords. We're tired of hearing about how passwords are bad and there you see the middle knowledge based authentication. It's, it's actually worse than passwords in many cases, but then we have mobile apps, one-time passwords, social logins, various forms of biometrics, smart cards, us species. So there's actually many, many different options that are available today in terms of authentication methods that you can implement. But what do we need to think about in terms of businesses? So fraud is just spiraling out of control in many industries. So doing that transaction level analysis to minimize fraud is very important. There are increasingly a number of regulations around the world that are kind of driving authentication upgrades. And one really good example. There is PSD two in Europe, the revised specification that actually just went into effect last sort of demands, strong customer authentication, and that's defined in the same way that we typically define strong authentication. I'll go into that in just a second. It needs to be risk appropriate. So only apply friction to the authentication process as needed. Don't just keep making users authenticate because you have the power to do that.
And then sometimes corporate security policies may actually be more restrictive than the local regulatory minimums or sometimes to make it easier to apply policies across an enterprise. Administrators will choose to put into place the least common denominator approach. So saying whatever the most restrictive regulatory jurisdiction is in, in which the business operates, that will be the minimum for all, all places around the enterprise. We also have to remember ease of use, especially in consumer facing situations. If you make it too difficult for customers or consumers to authenticate, then that actually turns business away. And the better experience that you provide more likely cut consumers will come back, but I'm gonna get into some other technologies specifically biometrics and you know, not everybody has the latest model smartphone and the reality is not every user will ever have the latest model smartphone. So we can't only build solutions that meet the, the latest and greatest technical specifications we have to build for, you know, what our customer base or user base has.
So about fraud back in 2015, it was a 3 trillion global business cyber crime. It's estimated that by 2021, it will have doubled. So obviously it's a growth industry and that's, that's not good for either consumers, consumers, or businesses. There are four major types of fraud in the online world, specifically affecting finance and retail. First off there's new account fraud, that's using synthetic information to create user accounts, maybe using a real username that you may have stolen from somewhere that's becoming increasingly prevalent account takeover fraud, just like what it sounds like using passwords that may have been found on the dark web and then running those against all sorts of common usernames until you find one that actually works, then there's two other forms that we're probably all pretty familiar with over the years, insider error and fraud. Again, just what that sounds like malicious insiders, trying to steal, steal money in many cases, or even, you know, in enterprise cases, stealing company intellectual property or customer context, things from a CRM database. And then, and you know, trying to use that afterward, still a big problem. And then lastly, there's gold fashioned ATM transaction skimming, and you see that to a gas pumps, things like that, where somebody will have put a different reader on front of the reader to steal people's credentials and credit card numbers.
So to counter that, we see a variety of trends in the authentication world. We want to get away from password, username and password and move to toward continuous authentication, which includes multifactor. And along the way, we see this bundle of increasingly using social logins where appropriate mobile is a huge part of it. And then risk adapt, which kind of gathers information from multiple sources. So mobile is really important for multifactor authentication today. Thinking back to the PSD two remark where we need strong customer authentication, typically in security, as you know, we've defined strong authentication as a combination of something, you have something, you know, or something you are, and mobile is important because it can be that second factor where you can combine something, you know, like a pen or something. You are the biometric. And even though everyone may not have the latest model smartphone people certainly do in large numbers have smartphone.
So it's a, it is a natural second factor that let's say in a consumer facing situation, doesn't really cost you as an online business owner. Anything to get those devices out there. It does cost a course to develop mobile secure mobile applications, which leads us to talking about what are the authentication options, mobile apps. I think the most common, or probably the, the best approach here is using an SDK provided by a IAM or authentication vendor, ideally protected with things like global platforms, trusted execution environment, secure element, or secure enclave for iOS. There are mobile push notifications. That's the popup that you may get, which I think have really swiped to authorize. Like you've already established your identity through a authentication event, but you gotta pop up. Do you really wanna transfer $10,000 swipe to authorize mobile biometrics branding wise? Everyone's probably familiar with things like touch ID, face ID.
There are Android and Samsung native biometrics as well. I'll go into that in more detail in a minute fi oh 2.0, Fido's been around for a few years, couple of different flavors, UAF for mobile and U two F for second factor. Usually, you know, some sort of a, a USB device, but photo two with the web often specification with W3C, I think has a lot of potential to go forward. And what I really like about it is this plugable architecture and the certification process that they have. And it definitely applies to both mobile devices as well as those second factor devices too. And then lastly, we see SMS OTP.
It's been deprecated by N for a few years now because there's some security flaws, but as you probably know, it's very popular still. So let's talk about biometrics for just a minute. I look at five major categories here, biometrics fingerprint, which is works based on matching patterns in your fingerprint with a stored registered sample. You know, none of these things are panacea. So fingerprints don't necessarily work well with all populations face taking a selfie that matches the spacial geometry of your, your face from the time you took the original selfie to register, but problems arise, you know, whether or not you shave or use makeup wear hats or glasses. So it, it does have some operational issues, voice recognition, two major forms here that there's text dependent versus independent. In the dependent version, you would say a particular phrase that would be matched independent would be the biometric program would simply learn your voice and be able to authenticate that, regardless of what you say, Iris, we don't hear people talking about retina biometrics much these days, but Iris is actually a much better mechanism. Anyway, it has the most or 266 degrees of freedom or analyzable features. And the best thing there is it really doesn't change aging.
And then lastly, we've got behavioral biometrics, which is, you know, usually implemented as a program, let's say, on a mobile device or on your computer, it will analyze, you know, how you type or how you swipe on your phone, you know, counting, you know, the way in which you interact with your keyboard sometimes with, you know, the gyroscopic data from your mobile device. And then also looking at, you know, where you are, are you in a location? Are you using wifi SSIDs that you normally look at? And this can build up a pretty good picture of, you know, what's normal behavior for a particular user, but there are some concerns with biometrics as well. There are three concepts here, false acceptance rate. That's how often it is an imposter can gain access, false rejection rate, which probably all experience this too. If we're trying to get into our phone with a thumbprint or something, yes, it's your thumb, but it's not opening for you. So both our, our problematic, the equal error rate is where the false acceptance and the false rejection rate meet. And that's usually the best trade off between usability and security, but various biometric program makers will be able to tune this in one direction or another. And a lot of times that can be, you know, totally dependent on the kinds of use cases for which that authenticator mechanisms intended.
So we also have some other biometric security concerns, enrollment threats, and that would be, you know, sending an illegitimate person along with a legitimate person's credentials. So that in a sense you enroll, you know, the bad person's biometric samples or in the case of a phone stealing those biometric samples. Also, typically when we talk about information security, we've got the, you know, the three pillars of confidentiality, integrity and availability, and, you know, with passwords or other forms of authentication, confidentiality might be prime, but since biometrics aren't secret, you know, you're, we leave fingerprints everywhere we go, and our faces are, are readily available to be seen. They can't really be considered confidential. So integrity of the biometric samples is really key here, as well as local storage and local comparison of the runtime sample to the stored sample. And then availability also affects usability. Then lastly, we've got presentation attack detection, also known as liveness detection. We've probably all seen movies where people are able to bypass biometric authentication by showing copies or photos, or now even 3d printed molds. So various biometric makers will in build in liveness detections so that you can't be fooled with 3d printed mold, for example,
Excuse me. So I thought it would show a little comparison between the five major categories and then, you know, how do they rate in terms of things like false acceptance rate, false rejection rate uniqueness, persistence over time, how easy are they to use? So it turns out that things like fingerprint are actually, you know, pretty decent in terms of far and FRR, fairly unique. It's in general. I think the, the statistics I saw it's about one in 10,000. So, you know, probably like a six digit pin, they're fairly persistent. Again, it doesn't work for everyone, but in general, they're pretty operationally effective. What might surprise you is facial recognition? I think probably ones up as one of the least effective. It has problems with F R FRR, the uniqueness and especially persistence. If you wear a hat or glasses, as I was saying, you know, that can distort it. Voice recognition is pretty good across all those categories as well. And then taking a look, the Iris is actually the best. And a lot of that has to do with the uniqueness, as well as the persistence. It's pretty easy to do behavioral.
What's really good about this is it's not necessarily something that interrupts a user's path or, you know, adds friction. It can monitor a lot of those things like keyboard interaction, or location mapping silently without having to, you know, have a dedicated authentication even then. So on the risk adaptive side, I'll go too deep into each of these, but you can see there, this is just a subset of some of the most common factors that you will see risk adaptive, authentication engines, processing, location, geo velocity. Sometimes we call that impossible journey that would be saying that, you know, it's impossible to log in from Argentina and then, you know, an hour later log in from Norway. So that's one of the more basic and really essential kinds of factors that should be evaluated by risk adaptive authentication engines, continuous authentication. This is just performing these checks, including the behavioral biometrics and attribute lookups over time. So maybe you do an initial authentication event, you know, make somebody swipe their mobile app or use a biometric, and then just kind of track their interactions with your applications over time. If there are no major changes in all these factors, then, you know, depending on your risk appetite, maybe you don't challenge them again with an authentication event until something significant does change. And this is what we mean by continuous authentication.
So to wrap up here, I thought I'd go back and take a look at, you know, high level categories of the authentication factors and say which ones I think are the best for, let's say workforce applications, BTE. So out of all this list, I think we, we commonly see things like smart cards, mobile apps, USB keys, biometrics is starting to make their way into BTE use cases, not so much and, and where it is. You mostly see fingerprint, but Iris is Iris is good too. And then if you're asking this question for what are, what are the best options for consumer facing apps? Then I think everyone is in agreement. We're not terribly excited about things like passwords or KBA, but we also know that people aren't really going to be issued things like smart cards or even USB keys that leaves us with mobile applications and reliable biometrics. And with that, I will turn it over to John McKinnis.
Okay. Thank you, John Tolbert. I really enjoyed your discussion. So I'm gonna touch on a lot of the things that John said. I'm gonna take it from a little bit in a little bit different order, and I'm gonna frame my discussion in terms of recommendations for organizations that are either upgrading or deciding that they need a stronger authentication, a model, maybe want to put some multifactor authentication in play and what sorts of things might they consider and take a look at and I'll base my recommendations just on what we're seeing customers do at I global my name is John McIn, by the way, I'm a vertical marketing director at, at H I global.
Okay. So I'm gonna begin with business requirements. And in terms of the picture here, I like to think of advanced authentication, strong authentication, or multifactor authentication, whichever term you wish to use as a central component in a resilient cybersecurity practice. And I think that's how we're building systems today. I think it's good news as the threats, as the ransomware and the malware rains down on us, we now know how to build our data centers and our systems, so that they're resilient in, in that we can quickly detect threats. We can remediate from any damage that was done quickly. And so it just becomes, you know, part of doing business, if you will. Now, in terms of what makes organizations wake up in the morning and say, let's go implement a new multifactor authentication solution across our environment. And what we find is the number one driver, there is usually compliance like John was mentioning not only achieving compliance, but maintaining compliance is extremely important.
And there are a, there is a laundry list of privacy and security regulations that companies need to adhere to. And John mentioned the PSD two, for example, and there's many more in finance and across the different countries and states in terms of privacy and so forth. And there's also internal security policies because as John mentioned, the number two driver would be the business liability of cyber damage and the cost effectiveness of being more resilient to those. So everyone sees in the paper, the high cost of breach, that's a place you never wanna wind up there's reputation damage. And as John mentioned, account fraud is rampant in, in all sorts of different industries. So that is a huge cost when it comes to maintaining compliance. Another great thing that John mentioned was interoperability. And one thing that a robust authentication system can do is in terms of those privacy security and security policies, the first thing is having good access control.
And that's what identity management does is, is bring your access control to the next level. But as well as the monitoring and the reporting, and with the modern authentication system, this will interface with your seam for detecting threats out of the data that you collect and these activity logs, or these can be fed into other systems to automate the audit reports. So a big part of maintaining compliance as folks know, is a security audit. And everybody loves to be told in the morning, Hey, guess what? You're gonna participate in this quarters security audit folks. Don't really like to spend their time and resources to do that, but these authentication systems can really help to automate some of the auditing tasks, saving people, just time and effort. So the most important thing, then, you know, I wanted to go back one second and mention one thing I forgot.
What kind of multifactor authentication you put into your organization? All depend also depends on what it is you're trying to protect and the complexity and the differentiation in your compute environment. So for some small businesses, they might have a very simple environment where everyone's got windows 10 or the latest MacBook computers, and they're all running cloud apps, maybe office 365. And so a very simple cloud based authentication system, maybe you would even take advantage of Microsoft. A zero in this case would satisfy. However, a lot of customers that we have tend to be really large, more mature organizations. And like John said not, everyone's got the latest device, there's B Y O D devices. There's different generations of PCs, and there might even be green screen applications and backend applications that are running on various flavors of Unix or Lennox operating systems. In those cases, you need an authentication system that can be applied across that complex and distributed environment.
And now let me talk about users because they're our most important thing here. And one thing our mantra is it needs to be easy. It needs to be natural for people, for humans to use one of the big mistakes with complex passwords and knowledge based authentication. Besides the fact that they just don't work is we put the onus on users to protect systems by managing their complex passwords and what we really wanna do. And what we're doing today with modern authentication solutions is protecting the users, using the intelligence of the system and the ease of use of these new factors to protect the, the users and to make their life better rather than the other way around. And why MFA? We know that like John said, account fraud, the different types of fishing malware, 71% of attacks over the last few years have been due to stolen or misused credentials, you know, internal user error. Sometimes things are just misused or lost or, or, and so forth. And it's a huge problem.
So from users, we go into trends and, and isn't it amazing that for 60 years we struggled along with the password and in the last, you know, what has it been five, six years. There's just been rapid adoption of new technologies, including biometrics and mobile. And part of the reason is obvious, right? Biometrics are natural to use. I don't need to thank it's the system recognizing me versus me telling the system what my credentials are. So very natural to use as well as mobile apps on our cell phone. Are we glued to the cell phone or what our universe practically revolves around them today? So it's very natural that I would want to use that as a second factor. The other neat thing about biometrics and John mentioned by favorite diagram from engineering, the far Furr chart, where you're trying to tune your biometrics to find that, that sweet spot between false reject and false accept.
The other important thing is these technologies have become cost effective. Now, I don't recall exactly how long I've been using my face and fingerprint to log into my phone and PC, but, you know, if I go back 10 years or so ago, these things were prohibitive just in their costs. So now we're able to use them and their accuracy is getting better and better, and they'll continue to evolve. Like John said, facial is, is going into the next generation. We don't see a lot of Iris scanning yet, but expect that to be showing up as well.
I'm not gonna get too technical, but I'm gonna talk about a couple of specs because customers often ask us, there's some confusion out there on the difference between, you know, newer, emerging specifications versus older mature specifications. And I'll use the examples here, 5 0 2, like John was talking about out of the Fido Alliance and PKI public key infrastructure, which has been around for quite some time, but yet continues to see demand. So the beauty with Fido, I think, and it's really popular with the large cloud platform providers and tech companies, the Microsoft Googles Amazons, if you will. And the beauty of it is there's no password or login information to store. I go to site.com and essentially register my device. The only thing that's stored is a public key. So there's really nothing to steal. And so there's no active directory to hack. There's nothing to hack to get, to dump millions of users of passwords.
It completely eliminates the password. The other thing that it does is there is no central management of the credential in the 5 0 2 spec in and of itself. And that's good and bad. It works for privacy and security, but you lose trust and accountability in some cases. Anyway, this is being rolled out. I'm seeing it now in consumer applications. And some tech companies are using it as a two second factor for their employee authentication. So you'll see more of it and it's good. And if it works, it works, but it doesn't work for everything. Like I said, because some organizations want that central management that you get with, with a PKI, because PKI relies on a publicly trusted certificate to do the identification and the signing and encryption. And so you wanna be able in many cases to enroll an employee, for example, manage his credentials throughout the life cycle is, is employment his or her employment, be able to terminate and reissue credentials in the case of loss or stolen credentials and things like that.
And PKIs been used forever. It's been in our lives for many years. Maybe some of us forget to make those secure HTTPS connections, websites depend on trusted public credentials to make that work. And also in an employee use case or a vendor use case, it extends itself very well to digital signing, encryption of documents and secure encryption of email. So both solutions are good and it depends on what you're trying to protect and what kind of control you need on that. And finally, I think to round out the plethora of authentication options we now have available, it's just amazing. It's a great time to be alive. My two favorite topics that John mentions are risk-based and continuous authentication. These are really exciting now because we are beginning to leverage the intelligence that we're building into these machines. And I am not an expert on AI, artificial intelligence and machine learning.
So I won't get into that, but that is the principle that we're leveraging for behavioral analytics is we're able to take a long list of data. Like John was mentioning geolocation velocity, geofencing time of day, where am I, what network do I seem to be coming out of? And this is non disruptive. Also it runs on machines in the background using smart analytics and interoperability because then threat metrics can be fed into the seam or into some other intelligence systems to be able to take action. So just really fantastic innovation in identity management. So which options are best. We've only touched on a handful in this discussion, and there's many more to look at which options are best, which are best for your workforce apps, which are best for your consumer apps. What will your users want to use? And my answer to that is try all of them.
What you're really looking for is an advanced, strong authentication platform. Today, you need a vendor that can provide all these different options in a single console with that interoperability, you know, as well as that flexibility, to be able to work across these diversified and distributed compute environments. So it's all taken together. Then the biometrics, the behavioral analytics, we think of that as an advanced authentication platform. And will it change over time? Yes, it will. Because like John said, we're gonna have all these great new devices and capabilities coming over the next few years with IRA scanners improvements and fingerprints improvements in the facial scanning improvements in the analytics. So you also need a platform that will work for today, but give you a way to grow into the future and satisfy the needs that you might have down the road, or be able to utilize newer technologies.
And I'm gonna pause here for a second because we've been talking about authentication and multifactor authentication and strong authentication, behavioral and analytics for authentication. So I'm wanting to take a, a look at all of these threats that are raining down on us that we're trying to protect against, and C does authentication help with any of them. And I think that out with the exception of high security administration costs, putting a, just a second factor authentication can reduce the risk from these other types of attacks by up to 70%, according to the experts over the last few years. So the answer is, yes, it seems like we have made a good dent in creating a resilient cybersecurity plan. The good news for the administration cost is we we've just gotten to that sweet spot now where, like I said, some of these technologies were prohibitive five, 10 years ago are now much more cost effective.
So that re the return on an investment is greater than the cost of these technologies and authentication services are available on subscription models from the cloud, for example. So the ease of, of deployment and a total cost of ownership has gone down, ease of deployment has gone up. So it's a good time to take a look at MFA and, you know, authentication isn't panacea into it of itself. It needs to be part of a, of a comprehensive plan, but at the end of the day, the experts at nest and ISO and the, the advisory bodies all tend to agree that at least second factor authentication is, is mandatory. Okay. I wanted to talk about, you know, one more trend for me as a technologist for many years in the Silicon valley. This is just one of the most exciting things we've seen in a long time.
And we're at the emergence of high speed, the next generation of high speed wireless computing. We've talked a lot about 5g in computer space. I've been to seminars lately, and her experts speak on different forms of fast wireless. And the point is we are going to the next level of the amount of data that we can transmit. And the amount of processing that we can do over wireless networks is, is really going to change our lives. And we're seeing an explosion of intelligent devices, the internet of things, and one example that most consumers can relate to are the, the virtual assistants that are starting to appear in our homes, on our phones, in our cars to make life easy for us. Web servers are an intelligent device. That's been in our life for many years now. And maybe we, the, you know, identity management of web service has gotten so sophisticated.
We don't really think about it that much anymore as consumers. We certainly don't as admins. Of course you do, but that's gotten extremely scalable and efficient, but as 5g comes online and there's faster wireless networks, we're gonna see more and more of the experts talking about edge computing and how some of the compute itself is actually moving from the cloud into the, let's say the Milky way of the edge, if you will. I don't know if that phrase has been coined yet. So I'll call it the Milky way off the edge. And it's just, you know, a plethora of different types of devices could be from servers down to routers down to smart meters from utilities, substations that do some processing for large online games. It's just, it's an endless number of things that are gonna show up. And these IOT devices also need to be identity aware.
They need to have trusted digital identities for the internet to work. Otherwise, you know, the whole thing will break down, but it's being done in very innovative and, and exciting ways. So just wanted to talk about that as well. That winds up my discussion. I wanna thank you for your time and thank John Tolbert for his participation and keeping your call to close out. I would just like to say that when it comes to implementing an advanced authentication platform, that's what you're looking for a platform that's flexible and can be designed for your business, because it's about your business requirements, what you need to protect, what kind of environment you have, who are your users, what options do they want, what works best for your business and your security policies, your mandates that you have to cover. I know there are a lot of confusing solutions out there for folks that are looking there's a lot to take in. We barely touched on the subject. So as you're shopping, I certainly hope that you will give H I a chance to demonstrate what we can do for your business. We do believe that we are the best in the industry at advanced authentication solutions. And we do believe we are the only end to end advanced authentication platform provider with that. I'll turn it back to John.
Okay. Thanks, Joan. And we are able to take some questions. So if you have any questions, there is a question blank on the control panel for go to webinar, feel free to type those in. Let's see, we've got one here that says, what advice would you give to both CISOs or it security, execs and cybersecurity solution vendors on effective ways to form working partnerships? You know, that's, there are a couple of major, well, I let's say three ways that we could address that or ways in which I've done this in the past. Some of the larger solution vendors out there will actually form customer advisory boards and invite some of their key customers. You know, the largest ones generally to get together, at least on an annual basis and talk about where their product's going, where their, you know, roadmap wise and then give customers on the advisory board, an opportunity to influence that.
I think, you know, that's, that works for both larger vendors, as well as their larger customers. I think there are also standards bodies. Like, you know, we've talked about Fido, there are a number of others. Canara Oasis. I ETF getting, getting things codified into a standard is an, is another really excellent way. So if you can show up to standards, bodies that help steer the evolution of standards that pertain to your business use cases that does a couple of things. It, it sort of seeds where the vendors need to go if they want to be interoperable. And it also makes those standards that you help develop all that more useful too, that way you can, you know, you've got good reason for telling vendors to support the standards, because then it definitely embodies your use cases. And then lastly, I guess I would say, you know, how, how for end user organizations to work with their cybersecurity solution vendors, one on one has to be a part of it too, you know, using the support infrastructure, working with your account manager, making sure that you get your needs directly heard by the vendors that you are really entrusted with your business.
Any thoughts on that, John McKenna?
No, I, I like what you said there. I think that's exactly right. Sometimes it's tough. I think to cut through the noise and I know that's true on both ends are so much marketing. So I think it's really important. Those engagement points where we can really just sit down and, and talk technology and, and business, and really just partner versus trying to sell to each other.
Okay. Next question is what is the next big thing in digital human identity? And do you see distributed ledge technology coming into the picture? You know, I, I think there are bits and pieces of that that are already becoming quite relevant, especially around decentralized identity. I find more and more people at conferences. And then also on the vendor side are talking about, you know, what can we do to get ready for decentralized identity, you know, and simple things like the D I D decentralized identifier, I think, is something that's applicable and, and useful even outside of the distributed ledger context. And I think it will definitely be an important next step along the evolution of, I am. Any thoughts on that, John McKenna?
Yes. I, I, I totally agree with that. I think that human identity in the, on the planet in general is a huge problem here. A lot of people say how a large percentage of the, the world doesn't even have a usable identity. And I think there's a natural evolution towards decentralization as well. I think Fido is an example of how that's beginning to evolve. And I think the idea of universal identity, the D I D like you mentioned, is, is inevitable that we move in that direction. I think it's really exciting myself and happy to be along for the ride as we watch it,
You know, and user identity is just one, one piece of the puzzle. I think, you know, we all, we, we see various kinds of IOT devices, whether they be smart home devices, or, you know, even increasingly now in the business world, whether they're, you know, smart speakers that are used for business ort devices in industrial settings, SCADA nodes, you know, connected cars, device identity is going to quickly overtake user identity as, you know, the most prevalent thing that we have to worry about. And then being able to build not only good schemes for device identity, for which I think, you know, distributed ledger technology might be very appropriate, but, you know, how do you deal with this increasing number of ice devices? What are their technical capabilities? And can you use those perhaps to create even more rich authentication context that can then actually serve user authentication even better?
Yeah. That's amazing, amazing conversation there into the future.
Next question is what's the major difference between authentication using Fido versus PKI and how would I go about choosing one over the other, you know, I guess I would say, well, one of the things that I have said about Fido in the past is that I think in a way it is like PKI light or PKI without the infrastructure, even though that's part of what PKI means, you know, because you get a lot of the same benefits with, you know, creating a per private key per user, per private key per application. Every time you go register with your fi authenticator to a new pH service. So you get a lot of that without the overhead of the certificate authority. So I think, you know, that makes it easier to deploy phyto. You get some of the same benefits as you get with PKI, but again, without needing all the overhead and infrastructure for four, how would you choose one over the other?
I think that, you know, it, there are definitely places where PKI has advantages and, you know, the, one of the slides that you had up about HTTPS that's, that's a great example. I mean, so PKI is everywhere and it's, it's not gonna go away. So it's really not a question of either, or, you know, Fido's not gonna replace PKI and PKI is not really a threat to Fido's longevity either. I think both cover very different kinds of business cases and both are very useful, but wouldn't in the context of just user authentication. I think Fido probably has, you know, a good long life ahead of it specifically on the consumer side, PKI user authentication has been around for a long time and smart cards, you know, personal certificates, 6, 5 0 9 and then USB and things like that as well. So in, in, in many ways they're very complimentary, they can serve different kinds of use cases. And I think both of them have a very important role to play in the future of authentication. What's your take on that, John?
Yeah, I, I think you hit it right on the head. The, the nice thing about the final is the lightweight and the ease of use for, and I think that con for consumer identification, it's a natural fit at the same time. You're right. It doesn't solve every problem. And we're continuing to see demand for PKI go up, especially in OT. And I think that, you know, PKI has a bad reputation of being costly and over complex to implement. And that was probably true in the beginning when, you know, vendors had to, to design their own proprietary systems a lot of times in order to get it in place, but with, you know, modern authentication systems, the ease of deployment ha and the has really improved and the cost is much more efficient than it used to be in the old day. So I, what the feedback I get from a lot of customers after they've put it deployed, it is they were surprised at how easy it was to deploy and how non painful it was to manage and actually saw, you know, decreases in their help desk costs and things like that to, to putting in the PKI system.
So like you said, I think they both will be around for a long time to come and they'll continue to work hand in hand in different scenarios.
Yeah. I think that's a really good point. I mean, 20 years ago it was difficult to implement PKI, but now, you know, and, and this goes back to one of the, the questions that we got, you know, people have been working with their PKI related vendors for, you know, a couple of decades and now it has gotten much easier to implement, you know, the vendors have been responsive, they've made it so that it's, it's just not as difficult as it used to be now. Yes. There's lots of care and upkeep that needs to happen on PKI, but yeah, it's, it's really foundational. And I think right alongside that Fido will grow to have a role that's, that's quite important specifically on the, the end user or consumer facing side too, just because of ease of use. I think that kind of hits the nail in the head with all of this around authentication. I mean, you can design very secure systems, but if people don't want to use them, then it's not really improving your security. So I don't see any more questions in the question blank. So thanks John McKenna, and thanks to everyone else who attended today. Like I said, we will have this recorded and available to listen to, or download most likely by tomorrow. So again, thank you everyone for attending and look forward to speaking with you again soon. Good.

Stay Connected

KuppingerCole on social media

Related Videos

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00