Hello everyone, welcome to the webinar "Passwordless 360, a game-changing approach to authentication within your business". My name is Alejandro Leal, Research Analyst with KuppingerCole, and today I would like to welcome Haider Iqbal, Director of Product Marketing for IAM, with Thales. Passwordless is a hot topic, it's getting lots of momentum, so I'm looking forward to what Haider has to say. But before we begin the webinar, I'd like to touch a few points with you. I want to remind you that there's no need to mute or unmute yourself, we're controlling these features.
We're also going to be conducting three poll questions during the webinar. We will be discussing the results at the end, during the Q&A session, and you can enter questions at any time using the CEvent control panel. And since we'll be recording this webinar, we're going to make it available in the coming days on our website, as well as the slides used by me and by Haider. So let's just take a look at the agenda today. I'll begin talking about passwordless, I'll set the stage, and then Haider will talk about multiple things, including Thales 360 approach.
And at the end of the webinar, we'll have some time for Q&A, as well as discussing some of the poll questions. So here's some motivational quotes.
Of course, René Descartes did not say this. However, I think this illustrates what I want to discuss in today's webinar, because the topic is passwordless, but we need to really consider the origins of passwords. The origins of passwords, we can trace them back to the early 1960s, when some computer scientist at MIT created the compatible time-sharing system, which essentially is an operating system for multiple users that employed separate consoles to access a shared mainframe, and users needed passwords to access private files.
So if we trace back the origins of passwords, we understand that passwords were not created to provide security, but instead, they were created to keep track of the time that was spent on a shared mainframe computer. So with that being said, we could ask, why are we still using passwords? Why is our society so dependent on them?
For years, and if not, at this point, it's been decades. So the topic of today is passwordless authentication, and that leads me to the first poll question. I would like to know, what is the primary driver for your interest in passwordless authentication? So please take a look at the options available. These include improved security, enhanced user experience, regulatory compliance, or cost reduction. I'm going to give you 10 more seconds, and then we'll be moving on to the next slide. So for the next slide, these are not the results of the previous poll question.
I repeat, these are not the results, but we've been doing some research here at KuppingerCole on why organizations are increasingly adopting passwordless authentication solutions. And according to research, it seems that the number one reason is enhanced user experience. Second is improved security. I would like to say that perhaps the poll question that was shown previously will present some different results, because I'm assuming that many people that are present now at this webinar are already educated in the topic.
So perhaps the results won't be the same, but I still think it'll be interesting to see that. I think many of the customers that I had a chance to talk to at the EIC conference in Berlin a few months ago, we had many conversations on the topic of account recovery. It was a topic that dominated lots of these sessions and conversations. And one of the things that I highlighted was that we tend to listen to what the customers want, which is of course a good thing.
But if customers, they still want you to give them the option to have password slash username for account recovery, either because they're familiar with that approach or because they like it. I think vendors should educate them and stop offering any phishable factor and instead offer alternatives. I'm sure that's something that Haider will probably talk about in this part of the webinar. But just to set the stage, we have to go back to the basics. So what is the user journey? In the real world, in our physical world, there are many unknowns and we have to deal with people in our real world.
But if you want to identify a person, you either have a handshake, you either say, ask a question like, what's your name? Or you can even recognize a person by looking at their face. But in the digital sphere, it can be a bit more tricky. Digital identity is a key to move from unknown to known. In the digital sphere, you have to ask yourself, can I share my identity? Can I store it? And more importantly, can I trust it? In the digital sphere, we also have more user groups.
So consumers, customers, partners, suppliers, employees, services, devices, and things, they all have to go through that interaction from being unknown to being known. An example would be onboarding. So identity verification comes in and it's a crucial aspect between making users unknown to known. So for onboarding, you can do a remote identity verification. You can take a picture of your passport or government credential, or you can do a live check, take a selfie. There are also federated options, or you can also do it through the wallet. The topic of today is, of course, passwordless.
So how can we ensure that all of these user groups are going to be able to not only be identified, but also to re-authenticate? So the question is, so why passwordless authentication? If we already discussed the importance of digital identity and the origins of passwords, how passwords were not really created to provide security. So is there an alternative? And the alternative is passwordless authentication. Here are some important reasons why it can really benefit organizations that want to embrace these new technologies.
However, I think that it's important to discuss that even though passwordless should work across all systems and applications, there are also differences in terms of expectations. This is not to say that in the enterprise, passwordless solutions should focus more on security and compliance, or those passwordless solutions that only target the consumer space, that they should just focus on having an intuitive interaction and have a nice design. The point is that users may have different needs and expectations when it comes to passwordless, but passwordless should increase both at the same time.
Security and user experience must go up, and one of them should not go up at the expense of the other. Both of them should be a priority. So when we look at some of the emerging trends, our analysts predict that the compound annual growth rate goes up to 31.1%, making the passwordless market reach 6.6 billion by 2025. We are probably going to do an update on our market sizing to estimate how the next years are going to look like. But what we see is that there's market growth.
There's multiple vendors entering this exciting arena, from well established companies to new small companies, but highly innovative. We see that there's a lot of competition. The evolving nature of the market allows for small companies to just find a niche or target specific use cases. Two months ago, I published a Leadership Compass report on passwordless for consumers, and many vendors, they just focus on specific industries, for example, the financial industry, or others target mobile network operators.
So this is a very competitive landscape that reminds me I'm also going to publish a Leadership Compass on passwordless, but for the enterprises in the coming month. So I encourage you all to stay on alert to see the report on that topic. There's also regulatory influence. We see the publication of memorandums and cybersecurity documents in the United States. We also see the development of standards like FIDO2, which I will be talking about in the next slides.
And then we see the adoption of passkeys, for example, which is playing a huge role in the adoption of passwordless technologies, because when you talk to someone on the street, someone that maybe is not part of this industry, they may have never heard of passwordless, but they probably used passkeys before. And I think that's something that will continue to drive the adoption of passwordless. And despite the increase in passwordless options, I believe that we're still going to be using passwords. Passwords are not going to go anywhere.
I'm afraid they're going to stay here for some time, but they may become less popular. But in the end, passwords will still lurk in the shadows and they will still have the risk that they bring.
So what's, let's say, preventing the adoption of passwordless? What are the main challenges?
One is, of course, user adoption. Many people remain reluctant to abandon traditional methods. Some of them, they don't really understand the technology behind. They don't see what passwordless solutions will bring to the table. Even if you speak to someone with a technical background, it's all about how these passwordless vendors will deliver their message. Because in the end, it's the people making the decisions in organizations, they maybe are not very technically oriented. So the point is that when vendors have conversations with people in the field, that they are not very technical.
They must ensure that they're delivering a good message that can be understood by anyone. There's also a challenge regarding costs. So it's another aspect which vendors need to work on to really tell their customers that passwordless is not only going to increase their security, but also their productivity. And in turn, it could also lead to more profit, right? There are some interoperability issues. So we see an increased use of wearables, for example, wallets of different systems and applications. So for passwordless to truly work, there needs to be interoperability across all these systems.
There needs to be some vendor adaptation, something that I discussed earlier, that if we really want to move to a passwordless future, vendors need to work more on offering other alternatives on educating their customers and to stop offering username slash password or any other phishable factor. And as I've been saying, the future promises a landscape where fewer passwords are needed, but passwords are still going to be somewhere. So how can we navigate some of these challenges?
Well, an interesting actor in this space is the FIDO Alliance. The FIDO Alliance has been working on this for more than 10 years now. What they are trying to do is to offer an alternative to passwords. They aim to protect organizations from employing these phishable factors. And FIDO's adoption is also expanding by being supported by tech giants and organizations in the industry. And something that I wanted to discuss in this webinar was the topic of post-quantum cryptography, which is something that the FIDO Alliance has been working on.
As we know, quantum computers pose a significant risk to the cryptographic foundations of not only the FIDO specifications, but of any system that has asymmetric cryptography. And the FIDO Alliance has been trying to engage in a conversation to transition. They want to align with other global initiatives like those by NIST, which are exploring post-quantum cryptographic solutions. And essentially what FIDO is working here, they really want to embrace this concept of crypto agility.
Crypto agility is the ability to manage multiple algorithms for the same function and to be able to shift from one algorithm to another. And the FIDO Alliance is also exploring how post-quantum cryptography is developing, how it's evolving. And they want to make sure that they remain active in tracking all of these developments to increase not only the messaging that they want to deliver, but also to raise awareness on how the future could look like.
And that leads me to the next slide, which is if organizations are now dealing with multiple challenges from the evolving threat landscape to dealing with user expectations, not only in terms of consumer versus employee, et cetera, but also if we look at the younger generations, the ones that are using social media platforms like TikTok, there's been studies saying that many of these younger generations are struggling in attention span because of many of these social media platforms and this bombardment of information and content.
So it's interesting to ask how are these younger generations going to feel about consumer or any digital interaction, like long-term. Also, if not only young people, but if we talk about old people, I mean, that's also another challenge, right? So there's lots of things to think about and you know that everything is moving so fast. There's also compliance requirements. We see the legal requirements, they're slowly catching up, but there's many different things to consider that organizations need to be aware of.
There are also technological advancements and questions on scalability and adaptability. Essentially, with all of these things facing organizations, it's important to say that a holistic approach is needed to address all of these things and to be better prepared for any possible outcome. So here at KuppingerCole, we have the Identity Fabric Framework, which is a modern approach to identity management.
It's all about creating a unified, flexible, and scalable identity infrastructure and it should always be adapting to the changing needs of the businesses, but also of the digital environment in general. And that's, I believe, something that Haider will talk about, how we can navigate all of these different challenges by having a holistic and unified approach. And I would like to introduce now the second poll question. So I encourage all of you to submit an answer here. And the question is, which of the following best describes your organization's approach to authentication?
Is it passwordless authentication? Or are you using MFA including passwords? Or is your organization only using username slash password? And don't be afraid of clicking that option. It's anonymous, so we're not going to judge. And the last option is others slash not sure. So I want to give you a few more seconds and then we can move on so we can give the floor to Haider. But before I do that, before Haider joins us, I would like to briefly show you the last poll question. I'm running out of time, so I'll just...
So what are the primary factors impacting your organization's identity and access management budget? Is it because of emerging security threats and technologies? Or it has to do more with compliance requirements? Is it organizational growth and scaling? Or more about operational efficiency and cost reductions?
Okay, so now let's move on and I'm going to give the stage to Haider.
Thank you, Alejandro. I don't know about the others, but I was listening really intently and I think a great overview of where the passwordless authentication industry, if you'd like to call it that, is heading as well. So thank you for sharing those insights. I'm going to start off with reiterating one point at least from Alejandro's slides, which is the primary drivers for implementing passwordless authentication to begin with.
And yes, I mean, you see three of these and then obviously the compliance part, which are extremely important as well. But you come to understand that different organizations might be relying on passwordless authentication more for security, some others for user experience, and some for reducing the operational cost. Because obviously, just the management of resetting of passwords alone can be a nightmare in terms of operational cost for some of the organizations.
So I want you to have this as a context before I go into the different challenges, because I think over the course of the years, many organizations, they realize the importance of these drivers and they understand the importance of implementing passwordless. But when it comes to actually implementing passwordless, they run into a number of challenges. And I think part of that has to do with the fact, as Alejandro was mentioning, obviously, it's a very competitive landscape to begin with.
But then oftentimes you come to realize, depending on whom this organization is speaking to, their view of passwordless authentication might be a bit more narrow compared to what it should be. So for example, if a certain organization is speaking to a company that just produces, I don't know, FIDO authentication tokens, for instance, it's highly likely that this organization is going to try to implement these external hardware-based FIDO authenticators for a broad range of users. It might not work. It might work, might not work for them.
And similarly, if they're just working with a pure play access management company that offers passwordless authentication as part of their capabilities, they might overlook the fact that certain user constituencies, they cannot use, for instance, smartphones for authentication and they actually need those hardware authenticators to actually implement passwordless authentication for those kinds of users. So again, when you look at those challenges, one of the first things that you need to look at is what kind of user constituency do you want to implement passwordless for to begin with?
Is it for the consumers? Is it for the workforce? And mostly what you'll see is that most of the initiatives for passwordless authentication on the consumer side, they're driven more from the angle of a better user experience as opposed to the workforce side.
However, the challenges oftentimes within these organizations that are taking these passwordless authentication initiatives, the teams that are responsible for implementing passwordless authentication for consumers versus workforce, they're not usually speaking to each other. Now, granted the drivers for passwordless authentication might be different, but there are a lot of synergies in terms of reusing a lot of the technology, reusing a lot of the expertise that these teams could actually leverage, but do not end up doing just because they're not speaking to each other to begin with.
The other interesting challenge is, you know, when you speak about passwordless authentication, there is the notion of the level of assurance that you would need for your authentication as well. So imagine a simple use case where a factory floor worker, for example, just walks up to a terminal, which kind of lights up, which is kind of like a zero factor authentication of sorts. But then on the opposite end of the spectrum, you know, you have kind of like a knowledge worker who has access to very sensitive data or applications for that matter.
You know, for those, you cannot afford to rely on zero factor, but you would much rather rely on a much higher assurance level, perhaps even phishing resistant authentication or multi-factor authentication to actually grant access to, let's say, an ERP application or a CRM application for that matter. So you already come to realize that you need many different types of authentication mechanisms for different kinds of users, depending on the type of resource that they're trying to gain access to. And you can already see that there's a need to actually have passwordless authentication policy.
So there needs to be a mechanism of orchestrating those different authentication journeys for those different kinds of users. And like I said, you know, depending on the kind of vendor that you're speaking to, sometimes you could potentially overlook this particular aspect that you need this flexibility in your organization to implement passwordless authentication.
So when you're trying to summarize those two points, you can have this simple representation of sorts, which is represented on this illustration over here, which is on the x-axis, for example, you can imagine that you have from the left to right, you know, internal users that you need to address versus on the right side, the external users that you need to address.
So imagine you have a number of permanent employees, temporary employees, for example, that you have to work with, but then you have these external users as well who could be contractors, suppliers, or your consumers, for example, for whom you might need to implement passwordless authentication. And again, don't forget the assurance levels that you might need for these users might be quite varying as well.
So I've just represented, you know, one scenario over here, but you can imagine, for example, if we take the example of banking industry, you know, the arrows represented over here for the consumer might actually be a lot higher because you need a much higher level of assurance for the consumers signing into banking services as well.
So this gives you a good starting model to understand the picture inside your organization where you can use this model to build your own view of passwordless authentication in your organization in terms of which users actually need passwordless authentication inside your organization and what kind of assurance levels do they actually need for those kind of users. That brings us to the topic of passwordless 360. So what exactly is it?
And before I dive into that, you know, when we look at our existing customers today, you know, we see them across a broad spectrum in terms of their maturity of adoption of passwordless as well. So you see some that are still at a very basic level of maturity. So maybe they're just eyeing one particular use case or one particular user constituency.
Perhaps, highly likely, often is the case that, you know, maybe they've had a recent breach and that has been because of a phishing attack of some sort. So they end up actually implementing passwordless for a small group of privileged users, for example, to avoid that from happening again. But that is exactly what it is. It's a very myopic view or a narrow view to look at it. Whereas on the opposite side, you know, you have the companies that look at passwordless for transformational results.
So not only are they using it to solve their security challenges, they're also using it to enhance the user experience, not just for the external users, like their consumers, but also for their internal users as well. So again, when you're looking at yourself as an organization in terms of your maturity, this gives you a good model as well to keep on evaluating or re-evaluating which stage of maturity you are at or your organization is at in terms of reaping the benefits of passwordless authentication.
So what I want to do is, you know, make this a bit more action-oriented for you guys as well so that you can actually go back and start implementing some of these things in your organization as well. When you think about digital journeys of different kind of users, I've taken one example over here, which is of an end consumer.
And, you know, imagine that this person has been looking for a new car for many weeks or many months now and has finally made his decision that he wants to buy this new car. But now, before he actually buys the car, he wants to buy insurance for his vehicle as well. And in order to do that, obviously, he needs to go to an insurance company's website. So all of this that I explained as a context is extremely important for the digital journey of that user. And I'll explain why that eventually, you know, cascades into what that means for passwordless authentication as well.
But before that, so what we encourage organizations to do, and this is a very busy slide, so you have to excuse me for it, is to map the digital journey of that user. And let me see if I can try to simplify it for you so that you don't read all the text on the slide. But imagine Bob was just trying to buy insurance from this company. He will need to go through multiple steps to actually buy that insurance from your organization as well. So there are a lot of front end or UX related things that you need to factor in.
But don't forget that there's a lot of back end stuff that needs to happen in order for you to fulfill the needs of Bob as well. So for example, you might have your own marketing team that needs to do certain stuff. You might have certain partners. So for example, imagine when Bob is, you know, he wants to review or compare different type of insurances, you know, you can imagine that perhaps you need to have some form of input from your partners as well, where perhaps, you know, Bob can compare the products from your company as well as your partner products as well.
So you see two different kind of journeys happening all at the same time. One, which Bob is going through as an end consumer. So you can think about how you want to implement passwordless or how passwordless can improve his journey. But then at the same time, don't forget that there are a lot of internal users, whether those are your own employees, or certain other external users, such as your partners or suppliers, who are actually helping you build that digital journey that's going to wow Bob at the end of the day as well. So you need to think about passwordless for those users as well.
So when you combine all of those different concepts together, right, so this is what I encourage you to do. Go ahead and draft your as is state today, as in where do you stand today with your passwordless authentication implementation. So obviously, this is a very simplistic visualization of it. But imagine, you know, all those different kinds of users that we spoke about those internal versus external users requiring different levels of assurances. For how many of those users do you already have passwordless coverage, right?
Think about your existing state, and then think about your future state, or states, right? So imagine you have a future state in mind, where, for example, you know, you want to have passwordless for many different kinds of users represented by green circles over here. And you should then define different milestones in between in terms of how you can reach that final state that you want to achieve. And as you're transitioning from one stage to the other, you want to make sure that you go back and revisit the user experience that you're trying to build for those different kinds of users.
And then at the same time, also keep on evaluating, okay, with each one of these steps, are we still at a basic level of maturity in terms of reaping the benefits of passwordless authentication? Or are we at a more advanced stage or even a more transformational stage with our passwordless coverage?
So again, this is a very simple representation. But those who have to present passwordless authentication to non-technical people, and dare I say, imagine if somebody needs to go and present it to the board, a very simple representation like this can actually go a long way in terms of explaining how you're actually approaching passwordless implementation inside your organization, and to what benefits for that matter as well. And that eventually brings us to the concept of passwordless 360, right?
Which is, when you think about those user constituencies from left to right, and when you think of those different levels of assurances that you need within your organization or for your external users as well, you need to have a 360 degree view or a holistic view of looking at passwordless authentication. So when you map that out, you can then go on to see how you can fill the gaps or fill the needs of your passwordless authentication journey. So for example, you know, maybe for internal users, you need some kind of orchestration tool for managing the passwordless authentication policy.
So you can use a tool or an application like SafeNet Trusted Access from Thales to actually help you in building those passwordless user authentication journeys. Or for external users, you could use the OneWelcome Identity Platform, for example, whether those are for B2B users, gig workers, or consumers.
And then when you think about the different levels of assurance that you need for those different kinds of users, again, you know, we thankfully have a really broad portfolio of authenticators that Thales produces itself, which gives a lot of flexibility to organizations who really want to implement passwordless authentication for those broad set of users.
So again, this for me is the simplest possible visualization that you can have of mapping your existing state of password authentication, and then your future state as well, which should give you a holistic view of how you should be implementing passwordless inside your organization. Now, to be a bit more specific, you know, let's go into some specific examples as well. So we spoke about the consumer use cases, for instance, and I'm pretty certain most of the folks in this call, they've heard the word passkey as well, which is kind of the new buzzword.
I think for the people in the know, they would understand that it's not something significantly new per se. But the whole notion of synced passkeys, for example, while it's good to replace passwords as a user experience, you come to realize that it's still not good enough for the high assurance use cases.
So when speaking about those external users, when speaking about those consumers, you need to think about a much stronger form of authentication for those users, especially for use cases in the financial industry, like banking, for example, where sometimes you need SCA or strong customer authentication as well, where sometimes you might even want to compromise on the UX just because the security needs because of compliance or security reasons are much higher for those kind of users.
Similarly, when you're thinking about passwordless authentication for your own employees, you know, you need to have flexible mechanisms of identifying those use cases to begin with, whether that is granting access to productivity applications, web conference tools, so on and so forth, and then mapping that on to the security needs or the UX needs for your users to see what kind of authentication mechanisms would work best for them. And then obviously flexibility, absolutely crucial.
So when you're thinking about passwordless from a holistic point of view, you need to take into account those different phases or steps that I spoke about. Today, your needs might be different, but a few months from now or a few years from now, you might have different needs for passwordless authentication for the same user constituency. So you need to have that flexibility in the back end, like I mentioned, an access management solution that can actually help you in implementing those access management policies for those different kind of users as well.
And as I mentioned, different levels of, you know, assurances that you might need for different users actually require you to use different kind of authenticators as well. So you want to make sure that you're familiar with a broad portfolio of authentication mechanisms, so that you're not limiting your users in any shape or form in terms of how they do their work as well. I know we're almost up on the time from my side as well, so I'll try to wrap it up a bit quickly, but I want to make sure that I put a few important points across as well.
So we spoke about some of the core technologies that you can potentially use for passwordless authentication as well, but you need to look at the periphery as well, right? And this is why passwordless 360 can really help you because when you're looking at it from a holistic point of view, you come to realize that, for example, for some really high assurance use cases, when you're thinking about a use case like Windows Logon, for instance, right, there are some solutions out there which actually offer you logon capabilities, but they're still storing the password somewhere in the back.
So while as a user experience it might look like it's passwordless from a security point of view, it's still a security vulnerability, and this is why we encourage you to use a true passwordless authentication solution for your logon capabilities, like the one that we recently introduced as well. But then at the same time, looking at the other end of the spectrum, right, so we spoke about, you know, wanting to enable your users to do a lot of those things in a self-serve mode as well, while still allowing them to actually deploy modern forms of authentication.
You know, you have capabilities like FIDO Key Manager, for example, that allows your end users to manage their tokens themselves, or for example, capabilities like the Lifecycle Management capability. So especially for larger organizations that have historically been using PKI, for example, for authentication, which by the way is still a great mechanism for deploying passwordless to begin with, and if they want to transition to FIDO authenticators as well, they still might need authentication lifecycle management capabilities, which can be leveraged from tools like this as well.
So again, this is certainly not an exhaustive list, but what I wanted to do was to help you visualize when you're thinking about your passwordless 360 journey, you need to think about those many different capabilities that actually allow you to implement passwordless inside your organization. So I know we're up on the time from my side, Alejandro, if you're okay, I'll take a few extra minutes to speak about the world beyond passwordless, if that's okay.
Okay, thank you. So, you know, speaking about passwordless 360, yes, it gives you a good place to start in terms of your existing ambitions. But what's also important is for you to look at the future of passwordless as well. So what I call beyond passwordless, if you will.
So when you're looking at your organization's passwordless ambitions, you need to understand that passwordless authentication is just one piece of a much broader puzzle, which is wanting to implement the right digital journey for your users, whether those are your consumers, whether those are your own employees, your suppliers, partners, so on and so forth. Passwordless authentication is just a small cog, an important one, but a very small piece of the bigger equation. So you need to be aware of how it fits into that larger digital journey as well.
But looking in the long term as well, you also need to take into account, and Alejandro already hinted at this on his deck as well, which is identity verification. You know, I'll give you a simple example of how Thales is actually doing voter identification as part of elections for different countries as well. And you come to realize that identity verification is actually used as a passwordless authentication mechanism for a lot of those use cases as well. And you see some of these capabilities now being adopted by the private sector as well.
Similarly, Alejandro spoke about wearables. And we see this, for example, already. So there's a very large aerospace manufacturer that we are working with today, who wants to implement wearables, for instance, for their factory workers, not just their own workers, but their contractors and suppliers as well.
So again, when you're thinking about making life easier in terms of authenticating, and we know these IT, OT worlds are merging together, you need to have these modern mechanisms of authentication that you need to think about as part of your passwordless authentication roadmap as well. And then let's not forget, and this is obviously more relevant in Europe compared to the Americas at this point in time. But I suppose, you know, the whole world is going to catch on at some point in time, which is look at the notion of self-sovereign identity, for example.
Imagine, for example, you know, you have in your digital wallet, your certain attributes that you're already storing. And you need to, for example, prove your age in a certain transaction. You don't really need authentication in those kinds of use cases. You just need to prove your age to a certain service provider. And that's essentially where you see a different world of passwordless authentication evolving as well.
Coincidentally, in all of these different domains, and this last one, which is PQC, you know, Thales has a very strong role to play, because we are building products that are geared for this future as well. But then at the same time, we are actually helping the greater ecosystem, whether those are standardization bodies, regulatory bodies, in actually building the right technologies or the right standards for the future of passwordless as well. I'm going to stop at that. I apologize for running a bit over, Alejandro, but I think I'm going to stop over here and hand it back to you.
Awesome.
Thank you, Haider. That was a very insightful presentation. Since we're running out of time a bit, maybe we can briefly show the poll questions.
Oh, look at this. Very, very different results compared to the previous one we had. Maybe the audience members are more informed about this topic. Are you surprised to see this, Haider?
Not really, no. I mean, I can understand it. And I think it's safe to say that we have a lot of people who might be perhaps eyeing more of the workforce use cases over here, because usually, in our experience, that's usually where the notion of security seems to pop up a lot more, as opposed to building digital experience for end consumers, for example.
Right. Okay, we can take a look at the second poll question. Which of the following best describes your organization's approach to authentication? It seems like most members of the audience have MFA, including passwords, and sort of same amount of people have passwordless, and slightly less people use username slash password. So there's still some work to do.
Yeah, but I think a round of applause for those 15%, right? I mean, if they're actually genuinely using passwordless authentication in their organization, you know, two thumbs up. I think you're ahead of the curve, I would say.
Absolutely. Now let's look at the last poll question. It has to do about our organization's budget. So it looks like it's a tie between regulatory compliance requirements and operational efficiency slash cost reduction.
Which, yeah, makes sense to me. Yeah. So we have some poll questions.
Sorry, not poll questions. We have some questions from the audience. There's one for you, Haider. The question is, can you provide a real world example of an organization that Thales recently helped transition to passwordless authentication? What were the challenges and the main outcomes?
Yeah, but I think there's just so many of them, right? And again, I think because of the diversity of our portfolio, we actually get requests from different angles as well, because some organizations, they are just in need of a much higher level of assurance. So maybe looking for a phishing resistant authentication mechanism, for example. And that's where we get involved as part of their discussion.
But then on the other end of the spectrum, you know, we have a lot of banks, for example, who are actually leveraging our passkey capabilities, for instance, to actually build passwordless authentication mechanism for their end consumers. But I think one of the most interesting ones of late is, and I've made a brief mention of that, is this aerospace company that is also a manufacturing company of sorts as well, right? And they have hundreds of thousands of external users, like B2B users.
And they want to see how they can use or leverage passwordless authentication to make life better, not just for those users, but also for their own employees as well. So the way that they're approaching this is to implement that neural system, if you'd like to call it that, which is access management for those external users, as well as internal users. But then on top of that, to have multiple types of authentication mechanisms, some requiring just FIDO, some requiring PKI, because there are certain other use cases that are attached to it as well.
So again, I think in terms of richness, and you know, thinking about that model that I was saying in terms of organizations being at that transformational level, I think this organization definitely is very close to being at that transformational level where they're actually looking at passwordless authentication from a very broad lens as well. So I hope that answers that question in terms of different examples that we see at least.
Absolutely. We have one more question from the audience.
As businesses transition from traditional methods of authentication to passwordless authentication, what are some of the best practices that you recommend from an operational side to be followed? In my opinion, I think any organization that fosters cyber security culture is going to be ahead of the curve. I think that we tend to always blame the human link as being the weakest link in many of these scenarios.
But I think that if we equip employees or the people, the users with the right tools, as well as having a strong cyber security culture in an organization, that could be a much, much stronger stance. I don't know your thoughts on that question.
Yeah, I mean, absolutely. I think people at the end of the day can be, I mean, some organization might consider them the weakest link, but can be the strongest link as part of your defense as well, right? So that education goes hand in hand. And I know we spoke a lot about technology in our presentation today, but not as much about the process side of it as well. So I think you correctly pointed out, right?
I mean, educating your employees on the different mechanisms that can actually prevent from phishing attacks, I think goes a long way as well. I think one important point is a lot of the organizations, they get bogged down with, oh, for instance, they've heard the word passkeys, right? And they're just blindly chasing that goal at the end of the day.
I think they need to take a step back and think about it from a broader lens and see how something like this can actually benefit them to begin with, and then take the appropriate steps towards it rather than just jumping to the next shiny object, if you will.
Right. Okay. I think we have one last question before we wrap it up. Since Thales has a lot of expertise and experience in the defense industry and highly regulated industries, are there any specific challenges that you see in this sector? Do you see this reluctance of people from adopting a passwordless solution? Is that the case in these industries?
Not quite. I think it's more about, it's less about the realization of value. It's more about the implementation challenges, I think, that are limiting the overall adoption. So I think a lot of the things that you and I have mentioned in terms of the drivers for passwordless authentication, I think these industries, especially that require a much higher level of assurance in them, and the aerospace is just one of them, right? So there's banking as well.
Let's not forget whether those are your own employees or your consumers, you are subject to a lot of regulation and you can't afford to actually have a breach in some of those use cases. So yes, absolutely. I think organizations, they understand the value. I think it's the implementation part where they struggle. And by taking a very myopic view or a very narrow view of implementation, I think they get, I guess they get stuck in their implementation. A very typical example is a financial institution coming to us saying, oh, you know what?
I mean, obviously nobody openly admits that they've had a breach, but you know when it's happened, right? Because they come to you with a rush saying, oh, we have 2,000 users or 10,000 users for whom we want to deploy FIDO very quickly, right? Fine. I'm not suggesting that's the wrong thing to do. You should do it, but that's too reactive. I think you need to be proactive in your approach. And I think that holds true for any organization, not just the ones who are actually in these highly regulated environments for that matter.
All right. On that note, I'd like to thank you, Haider, for today. Thank you so much for joining us.
It was a pleasure. And thank you to the audience. Goodbye. Thank you.