Analyst Chat #171: Trends and Predictions for 2023 - FIDO2

Welcome to the KuppingerCole Analysts Chat. I'm your host. My name is Matthias Reinwarth, I’m the director of the Practice Identity and Access Management here at KuppingerCole Analysts. This is for now the final episode of the trends and predictions sub-series of this podcast and for this final episode I have invited Graham Williamson. He is a Fellow Analyst for KuppingerCole, usually working out of Australia, but not today. Hi Graham. Good to see you.

Hi Matthias, good to see you too. And I'm very happy to be contributing on this podcast about FIDO2.

Exactly. One trend, one prediction that we see is that FIDO2 will be an increasingly important topic and aspect for authentication. And the topic is, for today, The Reason to Shift Left Your Authentication Strategy is FIDO2. What does that mean? Why do you think we need to shift left in everybody's authentication strategy?

Okay. Yes, that's an interesting term, shift left. We're basically talking about making a pretty fundamental change in our authentication. The importance of that is because in my opinion, you ignore FIDO2 at your peril. The technology is supported by all of the major vendors. So we've got in the FIDO Alliance, virtually every hardware, software, and those companies that do both, are supporting Fido, which means that we're going to see it increasingly deployed in their products. So if you want to take advantage of it, it's important that you position your organization to do just that. And there's some interesting things like... FIDO2 represents passwordless authentication. You know, most organizations desperately need to be doing that. Now with the problems we've had over the last few decades with passwords, we can now say goodbye to that. Then there's the phishing resistant capabilities. A lot of attacks occur through email and if you are logging people on via a phishing resistant technologies such as FIDO2, you are making yourself more secure. So there's so many benefits for doing this that we really need to be going in that direction. And I've even heard the term post quantum come up. A lot of the organizations, companies that are developing authenticator capabilities for FIDO2 are designing them such that, they are even going to be resistant to a quantum technology, which of course can be used to break encryption and assigning keys. So this is a major trend and we need to make sure that we pay attention to it.

Right, I get the point. If I think back, FIDO2 started for me more in the consumer space, so that is where it started out. But this has changed. So what impact does FIDO2 now hold for enterprise authentication environments? Is it capable of dealing with that as well as of now?

Very good question. And that's at the crux of what we need to talk about in this podcast. Yes, FIDO2 is very much moving into the enterprise space, but the enterprise must be ready for it. So there's some decisions that the enterprise must make. So for instance, one of the major technologies in FIDO2 is WebAuthN. WebAuthN gives the capability of you implementing your web applications in a very secure way. But in WebAuthN is the application - or the relying party, that’s a better term, could be a database - the relying party is now making those decisions as regard to access. So organizations that have spent many years putting together an identity provider, they've got their entitlement environment all sorted out, they put their authentication environment all sorted out in a centralized fashion, now must realize that they're starting to get distributed. And we need to make sure that we can transition from that corporate environment we know and love to an environment where the relying party has more control. So when somebody initially sets up their access to a web app, there's a registration with that application that must occur prior to the then authentication events that the user will undergo in order to access that application. So we're saying now that the relying party is in control, we need to implement things and we need to decide how that implementation needs to happen. And you need to understand the various operations you have. Like you can control the identification of a vendor accessing an application very strongly, but you need to, as an enterprise decide, is that what I want to do and how do I want to do it? One last thing. I see this is a big benefit because finally you're going to be able to go to your various business units and say, you guys are in control now. That entitlement silo that we set up in our corporate environment, they're not going to have any control over who will. They'll have influence, but no control over how you are going to allow users to access your application. So the business units now are being given that capability of better control of those people that are accessing their... could be an application, it could be a database or whatever the resource is.

Right. So it is really a change also in policies and processes within the organizations required to deal with that. When we come to the actual authenticator factors, the devices. What are your predictions for these FIDO2 devices? Will it be more the mobile device, the phone, or will there be... How will they look like in the future?

Yeah, again, a very interesting question. Most FIDO2 applications are using at the moment a USB type device. So they have a device that holds the private and public key pair on this device. It gets generated on the device and stays on that device. And then you plug that into whatever client that you're using to access the corporate environment. And then that authenticator authenticates you. What we're seeing increasingly now is the smartphone technology getting so good that my prediction will be this will be the more important authenticator capability in the future. So you will have like, I mean, Apple has done an amazing amount of work in making sure that you got a very secure hardware environment on your phone that allows you to generate your key pairs on the phone. And Google is following the same approach, like Android is getting extreme capabilities in making sure that the security of the device is satisfactory for the technology. However, that means that the enterprise must make decisions. Are you going to let users use any device to access your resources? Are you going to enroll it in your BYOD mobile data management environment and put controls on what the user must do? Are you going to give corporate funds to your people? These are the decisions that the enterprise must make in order to use the FIDO2 environment in a useful sort of way.

Okay, great. So we see FIDO2 and the emerging of this also in the enterprise as a major trend. And this is a prediction that I would really also endorse. This is really something that we will be seeing in the future. Nevertheless, EIC is just around the corner, so if there are any questions, comments regarding that topic, regarding that trend and that prediction, you can either leave it in the comments below that YouTube video or you can reach out to us by email or in any other form you can find us on our website, kuppingercole.com, or you talk to Graham and me during EIC in May in Berlin and we are really looking forward to seeing you as the audience there and I'm looking forward to seeing you, Graham there as well. For the time being, thank you very much for sharing your thoughts on these trends and predictions about FIDO2. Looking forward to see you.

Super. Thanks Matthias.

Thank you. Bye bye.