Analyst Chat #164: Trends and Predictions for 2023 - Passwordless Authentication

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Martin Kuppinger. He is the Principal Analyst at KuppingerCole Analysts and one of the founders. Hi, Martin.

Hi Matthias, pleasure to be back here.

Great to have you again back here. And we will continue our sub-series of this podcast talking about what I call trends and predictions. Maybe it's a bit different, but we are looking into the future. We want to make sure that we cover the most important topics around the area of identity and access management and beyond, when it comes to what needs to be done, what should be done is identifiable as open gaps. We want to look into IAM for the next two or three years in preparation of the whole New Year, the next years and EIC coming up in May in Berlin. What would be your next big trend when it comes to talking about IAM and where organizations should prepare for, should already have something implemented or should really plan for implementing something?

So I wouldn't say the big trend, but one of the really relevant trends I see is that passwordless authentication will continue to gain momentum. We have seen some significant uptake of passwordless authentication just in the past, I would say two or three years really coming to a point where passwordless authentication is becoming the new normal and using passwords of lesser relevance. But I think what is behind that and the continuing trend is that also for enterprises, we will see larger shifts in the way we should build authentication strategies, authentication architectures, the concept of authentication. I think this is something where it also requires us to sort of shift left the existing authentication strategies and make use of the potential of, for instance, the FIDO standards. So the standards provided by the FIDO Alliance, which is primarily FIDO2 and WebAuthn and some of the related standards we have here because they, also for enterprises, provide a huge potential. Still there's a few gaps when it comes to full enterprise support, but on the way towards that.

Right and I think if I consider how many organizations are spending lots of their time doing now security trainings, phishing, anti-phishing trainings, just moving towards Passwordless and just reducing or removing the risk of passwords spreading around really enhances security. And at least this could be or should be one big impetus for going there. Just reducing that risk does not fully mitigate it but it really eases the burden of passwords, right?

Yeah, that is absolutely true. And I think in a previous podcast and in some other occasions I talked about, I don't like, for instance, this notion of the human is the weakest link in security. So we blame our users for falling trapped to phishing attacks, giving away passwords. Is the user the problem? No, the problem is that they have an opportunity to give away passwords because there are still passwords. If there were no passwords, if IT would do their job right then they couldn't give away passwords because they just wouldn't have the password. So I think that is part of the story. But I think the other side of the coin is, that there is a potential. So in many organizations, we see that even internally there are a couple of access management solutions, frequently not only one. But there’s also access to partners and others. And when I look at what is the common denominator in authentication, then it is FIDO2. This is what we can use from our device to an access management solution, a common Access Manager. One of these, whichever vendor you take. We can use that directly via WebAuthn to services that support it, we can use that for connecting to a passwordless authentication solution, which then connects us to multiple different backends. Whichever way we take, it's always FIDO2 at the beginning. So if we make a better use of that, then we can build a system where we say, okay, basically the user has a device, and we run passwordless authentication from there towards either applications directly supporting WebAuthn, which requires a little bit of change in the way we handle access and authentication to these systems, or it runs towards a passwordless authentication system, which then potentially connects to other systems in the backend. And then things like FIDO2 move to the center of what we are doing and the way we handle things will fundamentally change, we could also then extend it to, how does decentralized identity play in there. But I think we leave this apart for this talk. That’s maybe a good subject for another talk, but this is something which means, the focus shifts from, the try to have one central access manager, towards saying, we unify the focus on FIDO standards and then we think about how we can give the user a common authentication experience across everything. So not different whatever partner solutions, etc, it's always the same. And even if you change something in the back end, it will remain the same because we use the standard based FIDO2 stuff for connecting to whatever changes in the back end.

Absolutely. I think FIDO2 is really a great example of standards done really well and really well integrated into the overall platform by talking to the right people at the right time. And now really there are the fruits of that that are really coming into existence in real life solutions. And you just mentioned that before, of course, blaming your users is the worst thing that you can do, but actually identity and access management, especially access management on a day to day basis, it's actually a service that you provide to your end users, to your partners, and improving the user experience by achieving that, getting rid of passwords, getting rid of password trainings, password changes and password resets. Just removing this burden is really a service that we can provide to our users. Maybe we can look at that also from that perspective. FIDO2 really supports us in getting better in user experience.

And it also helps us and really modernizing our entire architectures. I think when you when you're seeing through that, it also means, so if you say, okay, we have applications, digital services to support WebAuthn, then it means how do you manage the access to these and that leads you to, oh, you also should move towards more policy based access controls where you have the policies that are utilized by the various backends so that you have a different point of control, so you don't build, like we do as access management, where we build sort of a gateway approach and then we try to control the [...] level.

But I have to stop you here because this is really a topic for a different episode, policy based access, I think that this is a trend that we should continue in another episode. There is more room for that and much more application for that. FIDO2 standards and Passwordless authentication is one of the next big things that organizations should look at. Thank you very much, Martin, for sharing that with us. We've hinted at two other topics that we should look into, and we will do episodes on that. So looking forward to doing this and bringing that out over the course of the year. And one final reminder passwordless authentication is also a topic that we currently cover in our newly launched digital service called KC Open Select. Please just head over to our website and build your own shortlist of solutions that can help you in implementing Passwordless authentication for your requirements. This is a free service for end users and just use it and get to a selection of the right tools that could aid you on that journey. Just a short hint. Thanks again, Martin, for joining me here.

Thank you Matthias.

Thank you and bye bye.