Event Recording

Frances Zelazny: Enabling the Future of IAM with Zero Knowledge Authentication

Great. So I've been listening in on some of the presentations already this morning around the conversations of trust and automating IAM, and now I want to pivot to something more futuristic, where we're laying the foundation and the seeds today, and that's called zero knowledge authentication. But before I get there, I wanted to start with this survey that really intrigued me. Every year this organization, FindBiometrics.com, puts out a survey: when will biometrics replace the password as a primary method of user authentication? And anybody who's been in the biometrics and authentication space will say, you know, this is the year of biometrics and this is the year the password will die. And I think this survey actually says a lot: 25% say the password will never die, and another 40% say it won't happen for another three years or beyond, four years or beyond.

And I think there's something very telling behind these numbers, especially when we see the growth and the importance of identity and access management and all of the effort that the participants in the conference are gearing towards. Why do we see these numbers persist? I want to argue that there are significant privacy and security issues that are inhibiting adoption and making it difficult to have these passwords go away and to accelerate the usage of biometrics in the enterprise, and these privacy and security issues, I think, can be viewed as trade-offs. On the one hand, you have security-oriented central honeypots where personal data and biometric data is typically stored. And the central honeypots are beneficial in the respect that the organizations that are enrolling people have more control over who's in the system.

They can vouch more for who they're enrolling and who's actually being authenticated, and they may feel more comfortable that they control the process around the circle of digital identity, from the enrollment to the issuance of credentials, to the provisioning, the orchestration, and ultimately the revocation, because all of this is in a closed loop. But obviously the problem is there's a huge risk of data breach and exposure. And so that's not really a solid solution given the state of data breaches that we're seeing today, which the prior speaker did a good job of talking about. So on the other side, we see a lot of companies saying, okay, well, we'll just flip it, and we'll rely on biometrics that are stored on devices. These are the Face IDs and the Touch IDs. There are other tokens and keys that entities and enterprises are giving out.

And in that regard, they're more privacy friendly, because the biometrics are localized and the templates don't leave, and they're convenient because you can use them across different applications. If I enroll my Face ID on my phone, I can use it, you know, pretty much anywhere. But we have very significant security risks associated with those solutions, because you actually do not know who's behind the device, and the whole process of authentication is easily circumvented. And my friends that are on the conference, you know, all the orchestrators and the solution providers that are here, they are taking the yes/no from these devices and managing the orchestration, and they do a very, very good job with that. But ultimately, again, as I said, nobody knows who's exactly behind the device. And the fact that Face ID can be circumvented, either with a passcode after one or two failed attempts, or by calling a bank or enterprise using known information about a person to circumvent the process and send a one-time password to a new device, makes that very weak from a systematic security standpoint.

And there's no easy answer when it comes to biometrics because of a reliance on a template, and everybody's feeling the pressures of GDPR and CCPA and all of the other data protection regulations. So the only real way out here is a new framework that doesn't center around either a central honeypot or a device-based solution. And what we found, our discovery and our breakthrough essentially, is that zero knowledge combined with multiparty computing concepts provides a good framework for solving the problem. You can leverage peer-to-peer networks in a decentralized manner to give consumers more control and accountability over where their personal information is stored. And you can minimize the security and privacy trade-offs that enterprises are currently making today and still enable strong authentication. And so the question is how. The Achilles heel for all of this has been the biometric template. For those in the industry that are familiar, and those nodding, you've probably all seen a map of either a fingerprint that has a map of the minutiae, or a face that has a map of the features on the face.

So generally that mathematical representation becomes the template. And in order to do matching, the template has to be in a holistic form, which is why we have ended up with this trade-off of, okay, do you put the template on the device or do you put the template in a central honeypot? But in fact, using these new concepts and these new principles, we actually can break up the biometric data. You don't need a template: you can break up the biometric data and distribute it over a system of nodes, and different nodes can handle different functions. And if you do it this way, then you can not only distribute the biometric data for storage, but you can also use that distribution mechanism for matching and never bring anything back together again at any point. So you can essentially have your cake and eat it too.

You can enable strong authentication without having a central honeypot of information. And what's really interesting about this kind of framework is that you can now do what's called zero knowledge authentication. You can borrow the concepts from zero knowledge proofs and apply them to biometrics and incorporate this framework into any IAM or consumer-facing authentication solution, where this kind of framework becomes an additional authenticator in the cloud, but it's not device oriented and it's not a central honeypot that an enterprise now needs to manage or store. And further, once you think about this framework, you can also support non-biometric use cases as well. There are enterprises that have to manage other types of secrets. As we said in the very beginning, passwords aren't necessarily going away so quickly, but password managers have also been targets of breaches. So even if people do use password managers, or there are ways to retrieve or invoke those passwords, how do you know that it's the person, you know, behind that inquiry, that request?

So these kinds of frameworks can decentralize storage of secrets like master passwords, like crypto keys. Somebody was talking about DIDs before, like the private keys for verifiable credentials, when you want to reissue or validate DIDs that are on a device. There are many, many ways to leverage this kind of infrastructure for authentication, for zero knowledge authentication. And in my opinion, this is the kind of approach that will ultimately drive the future of IAM. And I think this kind of approach will complement a lot of the other capabilities that are already in play and close the loop. There are issues around malware. There are issues around social engineering. There are issues around passive and ongoing continuous authentication that have to be addressed in a holistic IAM environment. But zero knowledge authentication combined with zero trust, which, you know, is the hottest thing right now, will really close the gap.

And what zero knowledge authentication does is take away the dependency on devices and enable any device at any point to just be used as a capture, but you don't need to rely on the device as the authenticator, and you don't need to fall back on weak authentication solutions when the device is not available. So you can have always-on biometrics, always-on authentication, in a way that is completely GDPR compliant, CCPA compliant, and fits very nicely and neatly in the FIDO or FIDO-equivalent frameworks. And most importantly, I think, within that context, is that there's no single ownership of any of this personal data. For example, I was talking to somebody the other day in the developing world, and they were saying that one of the big problems is that you need to be able to transfer credentials between different organizations or across states in order to manage humanitarian aid distribution.

And it's always a problem of who actually owns the data, and privacy and control of the data is, you know, a very, very, very big concern. So having a way to enable strong authentication without having this information sitting with or held by any single entity helps us resolve a lot of those problems, which also dovetails into the world of DIDs. And from an enterprise perspective, building this circle of identity in the digital world, you need to be able to address multiple use cases. So today a lot of the authentication capabilities are sitting siloed from KYC processes or from downstream, let's just say, ongoing monitoring, and bringing that together is really only possible if you have a cloud-based authentication solution where the main source of truth on the person is biometrically enabled, but it's tied to the different processes in the circle. So this is my vision for the future of IAM. I think I'd like to use the remaining time for discussion and questions. I think this probably raises a lot in the audience.
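The talk describes splitting biometric data over a system of nodes and using that same distribution for matching, so that the template is never reassembled, and later applies the same idea to secrets such as master passwords and private keys. The following is an added example written for this page, not code from the speaker or from any vendor, of the simplest construction that has those properties: additive secret sharing of a quantized feature vector over a prime field, with each node computing a partial score on its own shares and a combiner summing the partials into the squared distance between template and probe. The same `share` routine is what would split a non-biometric secret across nodes. Assumptions (all mine, not the talk's): features are small non-negative integers, the probe is sent to the nodes in the clear, the combiner learns the distance, and nodes do not collude. It is a multiparty computation with a public probe, not a zero-knowledge proof.

```python
"""Added illustration, not code from the talk or from any vendor: a quantized
biometric feature vector (assumed here to be small non-negative integers) is
split into additive secret shares across N storage nodes at enrollment. At
authentication each node computes a partial score on its own shares, and a
combiner sums the partials to get the squared distance between stored
template and fresh probe, so the template is never reassembled anywhere.
Simplifications: the probe is sent to the nodes in the clear, the combiner
learns the distance, and nodes are assumed not to collude."""

import secrets

P = (1 << 61) - 1  # Mersenne prime; all shares are elements of Z_P


def share(value, n):
    """Additive sharing: n field elements that sum to value mod P.
    Any n-1 of them are uniformly random and reveal nothing about value."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Only used to demonstrate correctness of sharing; the matching path
    below never calls it, which is the whole point."""
    return sum(shares) % P


def enroll(template, n):
    """Build one record per node: a share of each feature plus a share of
    ||t||^2. ||t||^2 is computed once at enrollment and also shared, so no
    node ever needs the whole template to evaluate a distance later."""
    norm_sq = sum(x * x for x in template)
    per_feature = [share(x, n) for x in template]       # per_feature[j][i]
    norm_shares = share(norm_sq, n)
    return [
        {"features": [fs[i] for fs in per_feature], "norm_sq": norm_shares[i]}
        for i in range(n)
    ]


def node_partial(record, probe):
    """Run on a single node with only its own shares. Because the sharing is
    linear and the probe is public, the node can compute its share of
    ||t||^2 - 2 * <t, p> locally without learning t."""
    dot_share = sum(s * q for s, q in zip(record["features"], probe)) % P
    return (record["norm_sq"] - 2 * dot_share) % P


def distance(records, probe):
    """Combiner: ||t - p||^2 = ||t||^2 - 2<t,p> + ||p||^2. The first two terms
    arrive as partials that sum to the right value mod P; ||p||^2 is public.
    The true distance is a small non-negative integer, so the residue mod P
    is the distance itself."""
    partials = [node_partial(r, probe) for r in records]
    norm_p = sum(q * q for q in probe)
    return (sum(partials) + norm_p) % P


def authenticate(records, probe, threshold):
    """Accept when the probe is within the match threshold of the template."""
    return distance(records, probe) <= threshold


if __name__ == "__main__":
    # Constructed sample data: a 4-feature quantized template and two probes.
    template = [10, 20, 30, 40]
    nodes = enroll(template, n=3)
    assert reconstruct([r["features"][0] for r in nodes]) == 10
    print(distance(nodes, [12, 18, 31, 40]))                    # 9
    print(authenticate(nodes, [12, 18, 31, 40], threshold=10))  # True
    print(authenticate(nodes, [50, 50, 50, 50], threshold=10))  # False
```

Two points a practitioner would check against a real deployment of this idea: a compromised single node holds only uniformly random field elements, so a breach of one node (the "honeypot" case from the talk) yields nothing, but n colluding nodes can reconstruct; and hiding the probe from the nodes as well requires the multiplication step of a full MPC protocol, which the linear trick above deliberately avoids.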
