Hi. Welcome to the webinar, Best of Both Worlds, Combining MFA and Passwordless Authentication. Today's webinar is supported by Entrust. And my name is Alejandro Leal. I'm a Research Analyst at KuppingerCole. And today I will be joining Rohan Ramesh.
Hi, Rohan. Hey, Alejandro. Nice to be here. Rohan is the Director of Product Marketing at Entrust. And we will be discussing the various types of MFA-based attacks and how to combine MFA and passwordless authentication to improve security.
Thank you, Rohan. Looking forward to it. OK. So before we begin the webinar, here's some important information. All of you are muted, so there's no need to mute yourself or unmute yourself. We are controlling these features. We're also going to be conducting a few polls, so I encourage you to participate. And at the end of the webinar, we will have a Q&A session. You can enter questions at any time using the GoToWebinar control panel. We're going to be recording the webinar and it will be made available for download in the coming days.
So the agenda for today, I will begin the webinar by introducing some of the most common MFA and password-related challenges that many organizations face. And then I will explore the concept of passwordless authentication. Then Rohan will begin his presentation, and then at the end, we'll have some time for a Q&A discussion. So here's the first poll today. The question is, does your organization offer passwordless authentication, MFA, and or risk-based authentication for consumers? I'm going to give you guys around 20 more seconds, and then we can move forward.
Okay, let's continue. So first, we have some of the passwordless authentication trends that we observed in our latest research. The first one is passwords are still widely used, and they will not quickly disappear. A lot of websites today still only provide usernames and passwords for authentication.
However, we see a trend towards utilizing passwordless authentication, and we also observe a significant uptake in enterprise use cases. But with all the legacy applications and systems in place that still expect passwords, and instead of supporting federation protocols, we won't be able to see complete elimination of passwords just yet.
However, the passwordless authentication market will continue to grow rapidly. Our analysts predict that the compound annual growth rate goes up to 31.1%, leading the market to reach US$6.6 billion by 2025. In addition, passwordless authentication will likely gain momentum in the enterprise based on the evolution of supporting enterprise-grade management of FIDO keys. In addition, we can also see that the growth of e-commerce and the continuing shift of hybrid work will contribute to further adoption of passwordless technologies.
So, why go passwordless? I think it's important first to address why passwords are failing as an authentication method. We all know that passwords are inconvenient and insecure. Passwords can easily be guessed, stolen, or compromised. And numerous studies have shown over the past few years that most data breaches involve the use of stolen credentials and compromised passwords. In addition, passwords are also very costly, and they are very difficult to manage for organizations.
And in many cases, employees and users use or reuse similar passwords across different platforms, which increases the risk of password-based attacks. I believe Rohan will talk more about this later, but MFA fatigue and MFA legacy solutions are also some of the main challenges that organizations face today. Legacy MFA solutions still rely on the password as a backup or as the first factor of authentication. Traditional MFA solutions require users to provide two or more factors in order to be authenticated.
Unfortunately, some of these factors are prone to phishing attacks, such as SMS codes, voice calls, push notifications, and one-time passcodes. So by removing the risk associated with passwords and adopting a password-less MFA solution, organizations could prevent password-based attacks and increase the overall security posture of the organization. Here are some of the most common types of attacks. And here at KuppingerCole, we strongly believe that fostering a cybersecurity culture is essential. Organizations must understand the threat landscape.
They must know what the cybercriminals are doing, and they must cease supporting legacy authentication methods. We also understand that there are different flavors of password-less authentication, and there are different views on password-less authentication. But we define password-less authentication as a term used to describe a set of identity verification solutions that remove the password from all aspects of authentication and from the recovery process as well.
Password-less authentication solutions means that there is a strong MFA and no password or password hashes are traveling over the network. Here are also some of the main capabilities that we believe are essential.
This includes support for a broad range of authenticators, strong authentication, risk-adaptive context-based and continuous authentication, which is a very important aspect that I will explore in the next slide, adaptive and step-up authentication, support for legacy application and services, strong cryptographic approaches, integration with third-party authentication, device trust on multiple devices, support for all major identity federation standards, and a comprehensive set of APIs. We expect solutions to cover most of these capabilities, at least at a good baseline level.
Risk-adaptive authentication essentially describes the process of gathering additional attributes about users and their environments and then evaluating those attributes in the context of risk-based policies. The main objective of risk-adaptive authentication is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. MFA and risk-adaptive authentication can go hand-in-hand.
Risk-adaptive authentication systems can leverage MFA methods, especially for those cases where they do sense that something is amiss in the request context. Risk-based MFA can significantly reduce fraud and strengthen the security posture. During my research on passwordless authentication, especially during the Leadership Compass, risk-adaptive authentication was one of the capabilities that stood out to me in Entrust Identity, and I'm sure that Rohan will talk more about it later. Here are also some of the factors that are evaluated by risk-adaptive authentication engines.
These include geofencing, geovelocity, device history, device health, and this is just a short list, but there are many, many more options available. Organizations have different needs and requirements when it comes to adopting a passwordless solution, so although there are different flavors and different views on passwordless, organizations need to carefully analyze their business needs in order to choose the right passwordless solution, the one that shares their view on user experience, security, and technology stack.
It's important to consider talking with advisors in order to understand how to better integrate a passwordless solution with your existing infrastructure. In the next slides, I'm going to talk about the Leadership Compass that we published in October of last year, just to provide a summary on the main capabilities that we were looking at, some of the things that we took into consideration.
In these evaluation criteria, we considered account recovery as one of the main elements because there are some solutions out there that do not facilitate users when, for example, they lose their device or their phone or they lose their account. Solutions must make it easy for users to recover their account. We also looked at architecture and deployment. Those solutions that are based on microservices and the ones that are flexible are considered to be more desirable. We also looked at authenticator support, of course, APIs, device trust, which is a very important element.
For example, if you have multiple devices, you need to make sure that they can perform the...I think we're going to have to edit that. Device trust is another element that is very important to look at. For example, when you have multiple devices, they should all be trusted and authorized to perform certain tasks. We also looked at IAM support and how solutions can facilitate the transition from legacy systems to a more modern authentication system. And then the last one was scalability. And other solutions must be able to keep up with the number of customers supported, for example.
Here are some of the dimensions that we rated, some of the categories. These include security, functionality, integration, interoperability, and usability.
Of course, usability takes a look at the user experience. And additionally, we also have innovation, market, ecosystem, and financial strength. So these are the dimensions that we undertook when evaluating all the different vendors.
In total, we had 24 vendors in the leadership compass. Of course, there were some that were stronger in the market category than in the innovation, for example. But there were some cases with very small companies that were very strong in innovation but, let's say, not very strong in market. And to better understand how we ranked all these vendors, we had different categories of leadership. Product leadership that looks at functionality and completeness of the product. We looked at the market leadership, which looks at the partner ecosystem and the number and geographic distributions.
We also looked at innovation leadership that explores more the capabilities that solutions provide. And some of them have different approaches to passwordless that are quite innovative. And then the last one is the overall leadership. In the next slide, you will see the overall leaders in the market. And like I said, there are 24 vendors. And during the research, we realized that this is a very competitive and dynamic market. Many vendors are excited to show their products and their capabilities. And as the market continues to grow, we expect to see more competition and innovation in the market.
And, for example, here we see Entrust as one of the overall leaders. And the overall leadership rating is the combined view of product, innovation, and the market leadership. And here's the spider chart of Entrust. And these are the categories that I mentioned in the first slide. Entrust has a very, very strong rating in scalability, in IAM support, and device trust. And also scoring very well in the other categories. And here is the second poll. How many passwords do you still have in use in business? First option is 1 to 10. The second option is 11 to 25. And the last option is 25 to 50.
I'm going to give you guys about 20, 25 seconds, and then we can proceed. Okay. Let's move forward. I believe that's now Rohan's time to talk about MFA and Passwordless. The floor is yours. Perfect.
Thank you, Alejandro. And thank you for your time, everyone. So we'll just talk a little bit about some of the MFA and passwordless attacks that we're seeing in the news recently. But before I go there, let me just give you a quick background about who Entrust is and what we do. We've been in the business for over 50 years. Robust set of global partner ecosystem with about 1,000 plus partners, over $850 million in revenue, and 44 removal offices. We're pretty strong in the identity space. We have over 100 million plus protected workforce and consumer identities.
We support everything from workforce to consumer to citizen use cases as well. So you'll see here from a citizen perspective, over 200 countries, nationalities have their citizen identities verified. We're also in the payment and financial card industry, where we do payment cards and financial cards issuance as well. So with that, I'll jump into some of the things that we're seeing in the news of late. This is a headline that happened recently, right? 200 million Twitter users' email addresses leaked online. Why is that of significance, right?
That is, you know, when you have an email address, when you have a profile, that is a starting point for many, many social engineering attacks that can then lead into other types of authentication attacks and ultimately to an account takeover. In addition, we're also seeing passwords, like Alejandro mentioned. Passwords are still in use. They're still being reused for a lot of services. In this example, billions of passwords leaked online from past data breaches are actually stored on the website and distributed and used by attackers in their attacks, in recent attacks as well.
That can lead to, you know, many different types of attacks from social engineering, credential stuffing, you know, where a user's email password has been compromised from one service. The attacker then uses that same combination across different services and applications, especially as password fatigue and password reuse is a big common factor for users. Brute force, password spraying, or other set of password-based attacks. Companies have started adding MFA, but attackers are getting smarter, right? MFA is not the same. It really depends on the type of authenticator you're using.
So I'll go into one of these examples here from an MFA fatigue or prompt bombing type attack and sort of walk through a live sort of example in terms of how that attack took place and how you could have prevented it from an identity and authentication perspective. So this was an attack that happened a few months ago. It was a large company. I won't go into details, but the attacker basically had the details of an employee and they triggered the multi-factor authentication from a push authentication perspective, using password as the first factor.
They spammed the employee multiple times over an hour, contacted the employee through WhatsApp, convinced them to accept one of those notifications if they wanted those notifications to stop, which he did. And that's when the attacker got it. So let's take a closer look at this particular attack and sort of how it unfolded. So if you look at the cyber kill chain, for example, the attacker first used social engineering to gain access to the employee's contacts, credentials, the initial password that was used, email, phone number, and other details.
Now, the attacker that actually did the social engineering attack was not the attacker that actually gained access to the system. So these details were then sold in the dark web to the attacker who actually then used this in the actual attack. So if you look at, you know, from a weaponizing perspective, this attacker used that initial information to log into the employee's account, triggering MFA notifications.
The employee was then spammed with a number of push notifications and was then contacted via WhatsApp, where the attacker posed as the IT team and convinced the employee to accept one of these to make these notifications stop. Once the employee accepted this, the attacker gained access to the network as well as the VPN. What they did then was to start moving laterally within the network. They scanned the network on a PowerShell script on a shared device that contained credentials for an admin user for a PAM solution, privileged access management.
And these credentials then gave the attacker further access to critical data on the network. Once they did that, they gained access to other data and then proceeded to exfiltrate confidential data out of the network into their own systems. So from a defense perspective, how does passwordless and MFA play here? So from a recon perspective, obviously eliminating passwords altogether. So not using passwords in the background, not using passwords as first factor adds a solid defense. Another one to note is to adding sort of notifications when your contact information has changed.
A lot of times attackers will go in, change contact details. So when they trigger MFA, they get the MFA notification and not the actual user. So being notified both from an IT perspective as well as from an end user perspective when any contact details have been changed is also pretty crucial. From a delivery perspective, using high assurance passwordless capabilities also adds a layer of defense. So when we talk about high assurance, a lot of times it means gaining physical proximity to the application device where the user is logging in from.
So for example, Alejandro mentioned the FIDO alliance and FIDO keys, for example, that uses Bluetooth to ensure that the user is in close physical proximity to the application or device that they're trying to log into. As well as sort of first time login from a new location device that sends a notification to the user. And then adding on layers, right? So cybersecurity is viewed from a layer perspective. So you strengthen the front lines with a strong high assurance passwordless, multi-factor authentication capabilities.
But then you also need to add on a risk-based step up layer to look at sort of contextual information, right? Did this authentication request come from a brand new device that the employee never used before? Did it come from a location where the employee has never logged in from before?
If so, then challenge the user with a separate MFA authenticator, right? Or if all these factors show enough sort of indicators that the account's been compromised, deny access completely, right? So adding that risk-based step up authentication helps solidify the defenses further. And then from an installation perspective, right? So once the attacker gains access, so when we talk about, when we look at, you know, from a zero trust perspective, for example, one of the key principles of zero trust is assume breach.
So when you do that, you start looking at how do you minimize sort of the blast radius when an attacker breaches your systems? So not only adding MFA and risk-based step up authentication, but also securing your high value assets. So a lot of times, you know, when we look at things like Windows servers, for example, within an organization's network, adding MFA to on-premises Windows servers, for example, securing your PAM solution with strong assurance MFA. All these add multiple layers from a defense perspective.
And then finally, adding all this together, as well as, you know, having sort of a continuous authentication from a risk-based perspective, provides a more robust defense against an attack similar to this one. And we'll go into some of these details in terms of different authenticators in the next few slides here.
So, you know, some of the common MFA authenticators that users typically use on a day-to-day basis, we all use SMS one-time passcodes, voice one-time passcodes, email one-time passcodes, mobile push notifications, for example, even, you know, time-based one-time passcodes from a soft token perspective. All these authenticators are still vulnerable to various types of attacks. So if you see here, you know, your SMS, voice, email OTPs are vulnerable to phishing or adversary-in-the-middle type attacks.
You know, your mobile push notification is vulnerable to the prompt bombing attack that we just talked about, as well as the adversary-in-the-middle. So how can we look, how can we sort of protect against some of these attacks here? So if you look at the spectrum of MFA, adding more factors helps make your authentication process more secure. But from a high assurance perspective, if you look at the authenticators here on the high end of the spectrum, you'll see that all of these have a proximity, physical proximity factor that's part of the authentication process.
So if you look at FIDO2 keys, again, the USB key that has the FIDO2 credentials needs to be in proximity to the device the user is logging into. I'll talk about the PKI mobile smart credential with Bluetooth proximity that Entrust offers.
Again, requires physical proximity using Bluetooth. The latest FIDO2 credential, passkeys, again, uses Bluetooth. I'll show a short demo here in terms of how that works, making it more high assurance to ensure that we can protect against the remote-based attacks like the one we walked through previously. From a mobile push notification perspective, another enhancement that we're seeing being added, Entrust also offers this, is mutual authentication, where you have a randomly generated number show up in the application that you're logging into, and you need to verify that particular number.
Again, it's not fully bulletproof because it is still vulnerable to adversary in the middle, but it is resistant to phishing and MFA. So one of the MFA authenticators that I briefly touched upon in the previous slide, grid cards. This is a low-cost multi-factor authenticator that Entrust offers. It's seen mainly in frontline and field employees where they're not able to carry a mobile device, for example. So it's just a grid card that can be emailed, printed out on a piece of paper, and can be challenged from an MFA perspective.
We've seen this in use cases where, for example, in a call center where an employee is not allowed to take their mobile phone into the clean room because they're handling sensitive PII data. Grid cards is an easy, low-cost alternative to offer multi-factor authentication by issuing a challenge. It can be revoked when needed. It can be regenerated. It's unique to every employee and easily distributable. So this is something Entrust offers as well. PKI-based mobile smart credential.
Again, we're seeing a lot of adoption with this particular authenticator. It basically uses digital credentials using certificate-based authentication. Installing digital identities using credentials on a mobile device. Converting the user's mobile device into a trusted device that can then use biometrics to authenticate the user. And then over Bluetooth, logs in the user to a device. And then adding in single sign-on gives them sort of a true passwordless experience by logging them into multiple applications from that initial biometric check.
One of the benefits here is email signing encryption, something that we're offering from a use case perspective. And PKI, again, uses public key infrastructure cryptographic mechanisms to ensure sort of strong authentication mechanisms. Passkeys.
Again, this is the latest offering from FIDO supported across multiple platforms from Windows, iOS, Android. Where the user initiates login and the application issues a security challenge to the user's smartphone through Bluetooth. There is a private key that's generated on the user's device that's then used to sign and send back a security challenge. And the application then verifies that challenge by using the public key that's stored on the application server.
Now, this is great because there is no reuse. Every application has a unique pair of public key, private key. The private key only stays on the user's device. It does not stay on the application server, so it cannot be compromised as easily as passwords. And it uses the physical proximity based factor to log in a user. So we'll show a short demo here. This is using our identity as a service platform. So you'll see here, you know, we click on passkeys. There is no user ID. There's no password. And we're logging in from a different device.
It will ask you to enable Bluetooth because that's how it communicates to your smartphone. And on the right, you'll see here, scan the QR code, authenticate yourself using facial biometrics in this case. And once you're authenticated from a facial biometrics perspective, you're automatically logged in through that Bluetooth connection to the device.
So again, very simple. It's taking off a lot of friction in the authentication process. But it's also adding in security from a proximity based multi-factor authentication perspective.
Now, lastly, you know, we talked a little bit about adaptive risk-based step-up authentication. Looking at different sort of factors, right, like time of day, day of week, geolocation, velocity, for example, right? Like if I logged into an application from New York at 10 a.m. Eastern, and then five minutes later, my account tries to log in from London, UK. We know that that type of travel velocity from a user perspective is not really possible.
So then, you know, the risk score goes up, and then you can add and configure based on your use case. You can configure different weights, and you can configure whether you want to challenge the user with a different type of authentication or block the user's access outright.
Now, this is really important because it helps you achieve a balance between friction and security. If a user is logging in from the exact same phone, exact same IP address, exact same time of day, you know, the risk score is very minimal. You can get them logged in with, you know, the first MFA authentication mechanism that they use. But if you see that the risk score is higher than a set threshold, you can challenge them and add friction, you know, by challenging them with a second MFA factor authentication, authentication mechanism.
So it's fairly, it's very configurable and sort of adds a layer of sort of trust and security to the authentication process. Another sort of fun fact from an Entrust perspective is we're opening up a risk engine to input various sort of risk inputs from different solutions to sort of further enhance the risk engine. And finally, I'd like to sort of end with sort of our platform here from an Entrust identity and access management perspective. We support all three use cases from workforce, consumer, and citizen.
You know, we have high assurance credential-based passwordless authentication. We provide identity proofing, adaptive risk-based authentication. We help fulfill several of the regulatory obligations like KYC, PSD2, GDPR, and so on, make it easy from a single sign-on perspective. We also have a flexible sort of deployment option where we have our cloud-based identity as a service, but we also offer on-premise as well as hybrid modes of deployment. And our mobile SDKs are easy to use to enable you to offer authentication services using our platform into your own applications.
And lastly, we have a comprehensive set of integrations. We have multiple partners, and we play well into the broader ecosystem of applications that many users encounter on a day-to-day basis. So with that, I'll end the presentation there, and I'll turn it to Alejandro to see if you have any questions.
Thank you, Rohan, for sharing your view on Entrust's approach to passwordless. There are some innovative features that you mentioned that were shown in the report that we conducted last year. I don't know if I mentioned this, but other than you guys being an overall leader, you were also in the innovation and market leadership categories. So Entrust also provides, like you mentioned, support for different deployment models that can help organizations that still rely on legacy systems. So thank you once again for sharing this information with us.
And now I think maybe we can jump into the Q&A session. The first question here that we see is asking, what should be considered when choosing a passwordless authentication solution? So if I can take this one, Rohan, the spending on the right deployment model is an important and crucial factor. The capacity to support hybrid deployment models, as Rohan mentioned, across on-premises and the cloud is fundamental for any organization.
Of course, costs are also important to consider as well. The vendor's licensing and pricing policies should be carefully analyzed to make sure that they align with your current and future requirements. And last but not least, I'd say that interoperability is also important. The ability of the product to work with other vendors, products, standards or technologies should be seriously considered.
Let's see, the next question says, what is the importance of passwordless and MFA in the context of Zero Trust? Maybe you can take that one, Rohan. Sure.
Yeah, that's a great question. So we hear a lot about Zero Trust. If you look at the three main tenets of Zero Trust is verify explicitly, offer least privilege access, and assume breach. So if you look at the first two, verify explicitly. To do that, you need to be able to verify that an authentication request is from the user and they are who they say they are. For example, ensuring that account takeover attacks are prevented. Ensuring that adding high assurance passwordless MFA-based authentication strengthens that initial policy from a Zero Trust perspective.
And ensures that only authorized users are logging in, authenticating themselves, and accessing services. If you look at the third tenet from assume breach, again, adding those MFA and high assurance passwordless perspectives, like let's say to like Windows servers on-premises or to your PAM systems.
Again, further limits those lateral movements within your network when an attacker breaches your systems. Okay, the next question is asking how can organizations migrate from a legacy to a passwordless solution? If I can take that one, I'd say that a common issue with legacy systems is their inability to remain agile and to adapt to new business requirements and challenges. So in order to transition to a more modern authentication method, a modern architecture is essential. One that is based on microservices because organizations require high flexibility.
And also the importance of API support is crucial in this aspect as well. And there are many other things. I'm not sure if you would like to add something on that.
No, that's a great question. Great answer. Yeah. So instead of making sure, again, from a deployment perspective, from an adoption perspective, making it easy using APIs, using SDKs to allow organizations to adopt these high assurance, to adopt these MFA authentication mechanisms within their applications. And also making it easy for users to register and sort of onboard from an onboarding perspective also helps with that migration perspective. Absolutely. I think the next question is for you. Does Entrust's identity as a service support offline authentication?
Yes, we do. Short answer, yes. So one of the use cases that we're seeing more recently, again, I kind of mentioned this from a Windows server perspective. We see a lot of times when users want to authenticate into Windows servers that's within their own private data centers, for example. We do support offline authentication when they're not connected to the Internet because some of them might be air-gapped, for example. In those cases, we do support offline authentication. Okay.
Next question is asking, since you guys know a lot about the passwordless market, in your opinion, when will the passwordless finally die? I think that's the ultimate question. Like we said at the beginning, unfortunately, passwords are still widely common and they will not quickly disappear. So I'd say that passwords will be here for at least a decade, perhaps, maybe less, hopefully. It will be necessary to convince old school mentalities to switch to, let's say, a passwordless authentication because it's hard for people to stop using something they are used to.
And that's for both workforce and consumer use cases. So perhaps with the adoption of passwordless authentication solutions, we're slowly going to be eliminating passwords. But I think somewhere there will be a password around. Not sure what you think.
Yeah, no, great point. Again, we've been hearing about passwordless for a number of years now. And we're still nowhere close to getting rid of them. But I will say this, that with the advent of passkeys, for example, where multiple big platform vendors like Microsoft, Apple, Google, with their iOS, Android, and Windows are supporting this natively, for example, within their platform. And then converting the user's phone as the FIDO authenticator makes it more seamless, more easy.
So we'll see a more rapid uptick in adoption from passwordless with the growth and adoption of passkeys, for example. But again, like you mentioned, it will take a few years because now applications need to go and enable this within their own applications to offer this capability. So that will take a number of years. So I would say within the decade, we should definitely see the elimination of passwords and the adoption of passwordless. Another one is, you have this slide up here, so I'm going to mention it, decentralized identity.
Another aspect where greater privacy based on public key infrastructure, cryptography, for example. If you look at a number of the passwordless solutions that we've talked about from a high assurance perspective, most, if not all, use some sort of cryptography, use some sort of PKI-based technology or Bluetooth, for example. So we'll see more and more adoption of this in the next few years. The next and final question is somewhat related to what you just said. What are the main challenges that passkeys are facing? Sure.
Yeah, I mean, that's another great question. So I kind of already mentioned one of those challenges. Now organizations need to go and reconfigure their applications to offer the passkey mechanism from registration to authentication, for example. Like other users onboard and register a passkey without a password in the first case.
Secondly, we'll see greater adoption on the consumer side, mainly because one of the things with passkeys is the private key that's stored on the user's mobile device, for example, is also synced to the user's, for example, from an Apple perspective, it's synced to their iCloud account. So from a workforce perspective, this might go against a lot of policies, right, where companies don't want their employee credentials to be synced on a third-party cloud device, cloud account. So that might be another sort of policy-based challenge that we'll face somewhat option on the workforce side.
But I think we'll see greater adoption on the consumer side with passkeys. Well, thank you for sharing your thoughts.
Now, just to conclude the webinar here, we have next month, we're going to have the European Identity and Cloud Conference. It will take place from May 9th to May 12th in Berlin, and it will be a hybrid event in Berlin and online as well. So we're going to have various topics, including passwordless. So I hope to see you all there. And here you can also find more related research by KuppingerCole on the topic of passwordless authentication. We are also planning to do an update on the Leadership Compass on passwordless authentication by the end of this year.
And I believe that it will be a very exciting and competitive Leadership Compass. And some of our services, we have these events, the one coming up in May. We also offer advisory projects and research. So that's all for us for now. And thank you, Rohan, for joining me today. I really enjoyed your thoughts on passwordless and sharing your view on how Entrust does passwordless. Any final thoughts?
No, thanks for having me. I appreciate it. And you kind of mentioned the EIC conference. Entrust is going to be there. Stop by the booth. Come see our presentations.
And yeah, happy to be here. Thank you. Thank you.