Welcome to the webinar, Passwordless Authentication, What, Why, and How. My name is Alejandro Leal. I'm a Research Analyst at KuppingerCole. And today I will be joined by Jeff Carpenter, Director of Product Marketing at ForgeRock.
Thank you, Jeff, for joining me today. I look forward to this webinar, and I'm sure we will have a fruitful conversation. But before we begin, just some important information for the audience. All of you are muted centrally, so there's no need to mute or unmute yourself.
Also, we will be conducting a few poll questions, and we will discuss the results at the very end. And also, at the end, we will have a Q&A session, so you can enter questions at any time by using the CEvent control panel.
And yes, we are recording the webinar, and the recording as well as the slides will be made available in the coming days. So moving on. Here's the agenda for today. I will begin by introducing the topic of passwordless authentication. And I will also talk about the Leadership Compass Report on passwordless authentication that we published last year. I think it will be important to talk about how we did the report, what were some of the main questions and things we're looking at. And then I will give the floor to Jeff to continue with the webinar.
And at the end, we'll have time for questions and answers. So here's the first poll question. And it's asking, what is your organization's current stance on passwordless authentication? Are you considering adoption? Are you in the process of implementing it? Or has it already been implemented? Or you're not considering it at all? I encourage you, the audience, to participate, and then at the end of the webinar, we'll be able to discuss the results. So here's the question of all the questions. So what is passwordless authentication? What's all this hype around passwordless?
Well, passwordless, as we know, is becoming the new normal. And passwords are becoming less and less relevant. I'm not going to spend time talking about why passwords are bad. I think we all know that they are insecure, inconvenient, and annoying. So what's the solution out there?
Well, there's passwordless authentication. And the way we define it at KuppingerCole, the way it was defined in our Leadership Compass was a set of identity verification solutions that essentially remove the password from all aspects of the authentication flow and from the recovery process as well.
Of course, there are many different flavors of passwordless. And many vendors and individuals have a different understanding of what is passwordless. But I think something important is to talk about what is not passwordless. And I believe that Jeff might talk about this later on. But essentially, passwordless authentication means strong MFA. It should provide a consistent login experience across devices. It should cover all systems and applications. And it should ensure that all the passwords and password hashes are no longer traveling across the network.
So passwordless authentication can be used on its own or as part of a 2FA or MFA strategy. And it's becoming an essential component of Zero Trust. On this slide, we have some of the main capabilities that we take a look at when it comes to doing research and evaluating some of these vendors. We believe that most passwordless solutions should cover most of these capabilities, at least a good basic level. And in the report that you can find on our website, the Leadership Compass on passwordless authentication, we go more in depth and we provide more capabilities.
So we only chose a few, which I believe are quite important when it comes to looking at passwordless authentication solutions. So why go passwordless? We often hear about the need to improve security and improve the user experience. So of course, one of the main aspects of passwordless authentication is that it improves user experience. It can also potentially save money. You can also avoid the risk of being hacked. You can also avoid fines and penalties due to non-compliance.
Passwordless solutions also reduce the number of data breaches and compromised credentials. You can find numerous studies out there that talk about how compromised credentials are usually the main thing that causes data breaches. And that leads me to the next point. Passwordless authentication solutions increase security. You can also propel organizations to embrace and adopt a zero-trust security model. And it also provides innovation, something that you guys will look at later on when I start to talk about the Leadership Compass.
You will see that there are many vendors offering passwordless solutions. And even though they all provide their unique approach to it, in one way or another, they are all doing passwordless. And some of them come up with very innovative features. And I believe it's a very, very exciting market to be in. Here are some market observations based on our latest research. For example, our analysts predict that the compound annual growth rate will go up to 31%, leading the passwordless authentication market to reach $6.6 billion by 2025.
When it comes to the competitive landscape, as I mentioned, our research indicates that the market is growing rapidly. Many vendors are offering mature solutions that support millions of users in various industries. And this has yielded a very dynamic and competitive space. When we talk about adoption, I think the development of standards, such as FIDO2 and WebAuthn, are instrumental in driving further adoption.
Also, lately, we've seen in the news that the integration of passwordless methods, such as Passkeys, by companies like Microsoft, Apple, and Google, is also going to play a crucial role in the adoption of passwordless solutions. And I believe that Jeff will also talk about Passkeys at some point. When we look at the geographical focus, the strongest growth we find it in North America and in Europe, but we see an increase of adoption also in the APAC and to a lesser extent in Latin America.
I have this section on messaging because when we talk about passwordless, we often hear about this security and convenience, how both increase when you adopt one. But I believe that to effectively communicate the practical benefits that your particular solution brings to the table, you need to find the unique selling points. And that leads me to the last section here, which is differentiator is key. Passwordless vendors should clearly communicate what sets them apart from other players in the market, whether it's security or user experience or some particular feature.
These unique selling points can help you win customers, so the messaging must be clear. Now, how to move forward? How can organizations take advantage of this? Sometimes it seems like we talk all about the benefits of passwordless, but many people ask, how can we start implementing one?
Well, we believe that the first step should be to identify the needs of your organization. Specifically, when it comes to security, the user experience that you're looking for, and also the technology stack of your organization. We recommend that following a zero-trust security model will prove essential to then select the right passwordless solution for your organization. And then it's all about choosing the appropriate deployment model based on the existing infrastructure of your organization.
Here on this slide, we have some of the prerequisites that, from a technical point of view, could be important when determining and selecting a passwordless solution. The first one is technical knowledge, which is, I think, a very important one, because many people out there still don't know what passwordless authentication means. When I talk to some of the vendors, they tell me that sometimes they struggle to communicate the message and to tell them that these people sometimes struggle to convince their board to adopt some solutions like passwordless. So knowledge and education are important.
Also, legacy systems. Many organizations, no matter what size they are, small or medium, they have a legacy system. Small or medium or big, they often still depend on legacy systems. So passwordless vendors must ensure that the transition will be smooth and secure.
Also, the support of standards is important, as I mentioned earlier, and also selecting the right deployment. So if you're looking for something more agile or a hybrid deployment, it's all about knowing what your organization needs. And then the last thing here is scalability. So by carefully analyzing a passwordless solution that you're interested in, you must know if this solution will be able to scale up and adapt to the business changes of your own organization.
Now, moving on, we will talk about the Leadership Compass on passwordless authentication. I will explain the requirements and evaluation criteria that we did, and then I will show the way we do, at KuppingerCole, this Leadership Compass. I will show you the procedure, how it goes more or less, and then I will show the results of last year's LC. But it's important to mention that we are going to have an update on passwordless authentication starting in January, or even starting in December of this year. So I expect many, many more vendors to participate in this LC.
I remember the EIC conference we had in May. I had a session on passwordless and many of the attendees, they were telling me why we're not on that report. And I think many people are very interested in the topic of passwordless, and I believe that the next report is also going to be very important. So moving on, these are the technical evaluation criteria that we used. So basically, we gather hundreds of questions that we send the participants. So the vendors, they go through the questionnaire, and then they answer the questions.
And the questions can be more or less, let's say, divided by these seven criteria, or let's say seven sections. And based on the questionnaire, we start the evaluation. So for example, we have nine dimensions. We have five here on this slide, and then four on this slide. And by taking a look at these nine dimensions, then we assign ratings to each vendor on security, on functionality, on deployment slash integration, on interoperability, usability, innovation, market, ecosystem, and financial strength. So what we do is we assign ratings for each of these categories.
And the ratings are strong positive, positive, neutral, and weak. So depending on the questionnaire that we got, and based on the briefing that we had with each vendor, then we use all of this information to determine the rating for each of these categories. So by the time we come up with results for the LC, we have four categories of leadership, product, market, innovation, and the overall leadership. And this is a summary of the procedure. Like I said, we first identify vendors from this market segment, then we send out the questionnaires, and we have briefings with them.
And then we evaluate based on the information that we got, and we start writing the drafts. Then we have a fact check stage. So we can always have a second call with vendors in case anything was, let's say, not accurate or not. There were some minor details, we can always have a second call with these vendors to adjust whatever we presented in the draft, and then we publish. And you can find our research on our website. So let's show the results of last year's LC. We rated 24 vendors, where you can find them on the left side, and then we also have a section of vendors to watch.
So first, we'll show the overall leadership in the passwordless authentication market. The overall leadership is the combined view of product, innovation, and market leadership. And here we see a mix of established vendors, but we also see some small but very innovative companies. We also have a product leadership category, and this one is mostly based on the seven criteria that I showed earlier. The account recovery, architecture and deployment, authenticator support, APIs, device trust, IAM support, and scalability.
The next category is the one on innovation.
And here, for example, we see that some of these small companies score quite high because they specialize in certain features or certain capabilities or use cases, for example. So something that I learned when I did my research was that many of these vendors, even though they provide similar solutions, they all have their own unique approach, and they have their own vision of what passwords should be. And I think that's quite fascinating. And then in the last category, we have the market one.
So we have some smaller vendors that are targeting mobile operators, or they just focus on small and medium enterprises. Other vendors focus on highly regulated industries, like aerospace or government or finance. So you find a very diverse group of companies. And that leads me to the second poll question, which is what is the primary driver for your interest in passwordless authentication? Is it about improving security or about user experience or more with regulations and compliance? Or it could also be about cost reduction. So if you could participate in this poll, that would be awesome.
And that leads me to the end of my part of the presentation. So I will give the floor to Jeff. And I will be back for Q&A.
Hello, everyone. Jeff Carpenter here. I've got a bit of a split identity today because ForgeRock and Ping Identity are currently in the process of merging. So I represent both of these organizations today. And very good to be here with you. Very gratified to talk about passwordless because it's always a good day to talk about passwordless.
Now, Alejandro mentioned the KuppingerCole Leadership Compass for passwordless authentication. That's kind of a big, long mouthful. He mentioned you can go to the KuppingerCole website and look at that. That's true. You can also get that report for free from ForgeRock because we have actually purchased that report from KC. So if you want to go to forgerock.com, you can actually download that report, look at how those 24 vendors performed. And Ping and ForgeRock are both gratified to be listed in there as leaders, as overall leaders in that report.
Now, Alejandro covered a lot of ground. Thank you for that. We are going to focus now on the, not necessarily the what and the why, because that was covered very well. We are going to focus on the how. Because passwordless authentication perhaps is the hottest topic outside of AI. Everyone wants to talk about AI. Everybody wants to talk about passwordless.
Alejandro, I bet at EIC, when you were talking about the passwordless, your session, I bet it was standing room only. Because I know everywhere I go, every time I talk about it, people are full of questions and everybody wants to engage on this topic. So what are we talking about here? And what's the ultimate goal of passwordless? And it's really kind of the twin towers of delivering that ultimate seamless and frictionless user experience. Whether that user is a customer of yours or whether they're an internal employee. And the other part of this is making sure that it's secure as well.
So that all of the things that we've experienced the last 70 years, yes, 70 years, that's all the password is. With phishing and the usability things and users sharing them in lockouts, that those are supplanted with great security and a pathway for users just to get to their applications and get on the network or perform that transaction as quickly as possible. So that's the ultimate goal, the user experience and strong security. And fortunately, with the passwordless solutions we have today, we can accomplish that.
So as I mentioned, we're gonna focus on the how of everything here and give you guys some really meaty takeaways that you can use to make the case in your organization, to advance the cause in your organization, to create that return on investment that those KPIs that you can use to advance this project along. I was really heartened when I saw some of the research there on the 31% CAGR growth of passwordless and the way it just hockey sticks next year.
And that dovetails with what we are seeing at ForgeRock and Ping, because we see every organization we talk to has now committed IT projects and funding towards passwordless authentication. And what that means, we'll talk about that because what does a passwordless project look like? And it all starts with this slide right here, because at ForgeRock and Ping, we talk to probably the broadest cross section of customers in every industry across the globe. And they say, look, we're looking to get started on this passwordless thing. Where do we plant our foot on this?
And we say, the use cases, look at your use cases. And are you trying to do enterprise authentication? In other words, looking at your internal users, your contractors, your employees, the people you generally have the most control over from an IT perspective, are you trying to make their life easier to access their applications and the network remotely, to get access to the applications that they use to do their job on a daily basis? That's enterprise authentication. Are you looking to make it easier for your customers or your consumers or your citizens to get access to your solutions?
And this is kind of the external facing solutions to your company. In an identity parlance, we call that CIAM.
C-I-A-M, Customer Identity and Access Management. In this space, what you're looking at is, how do you make it very easy for those users to enroll and to get access to what they need from virtually any device so that you don't have things like abandoned shopping carts, lost transactions, user lockouts, things that would negatively and inversely impact your revenue. And then there's also your mobile applications. And let's not forget, IoT devices have outnumbered users in most organizations by a magnitude of 5X for a long time now.
So don't forget those devices as well because they can be part of that passwordless journey. Most IoT devices use either a very simple password or X.509 certificates. And you can actually, with a lot of IoT devices, substitute that with a truly passwordless approach that makes it easier for those devices to get access. So start here and ask yourself, what are we trying to do? Usually it's those scenarios on the left.
Are we doing enterprise authentication for our employees, making it easier for them to get their applications and making them more productive, lowering our IT costs, things like that? Or are we doing something on the consumer side? And really figure out, we like at ForgeRock and Ping, we like to talk to our customers about four different dimensions on KPIs. And those are things around security, cost savings, productivity, and user improvements or user experience. And figuring out what those are because they're different for each of these audiences.
So for example, for enterprise authentication, you say, well, what's the cost of our password reset tools and our password synchronization tools? And if we launched on a passwordless project, could we, at some point down the road, look at sunsetting those solutions for a savings of 200,000 euros a year? Those are the KPIs that you'll wanna come to. If it's consumer, you wanna look at things like revenue, abandoned shopping carts, when do users drop out of a potential transaction? How easy is it for users to enroll?
If I'm at point of sale, maybe I'm at a store or a restaurant or out in the world, and I want to download your app, your company's app and get access to something, what does that journey look like? Can a user do that in 60 to 120 seconds or less? The passwordless journey is key to answering all that. So in the how category, this is number one. Assess those use cases, outcomes and requirements.
Now, shortly behind that is developing an organizational migration strategy. Because when we talk to organizations about passwordless, there tends to be an all or nothing mentality that goes on there. In other words, all right, we wanna go to passwordless next year. What do we need to do to have all of our users, all of our applications, consumers, enterprise, IoT, everything on passwordless?
We say, well, we can get there, but let's take it in some smaller chunks here. And those smaller steps are represented on the screen here. The first thing we advise is that you not change the user experience very radically. And this is a great message that your application owners, the people that are in charge of, especially on the consumer side, on the revenue side of things, will be very receptive to. Because if you have users already enrolled with passwords, why not just add a passwordless factor onto that user experience? And then you don't change what the user sees at login.
So today, if a user is logging in with username and password, you just add, through an enrollment, you add a passwordless factor. So you have username, password, and then the passwordless factor. So that's that first step is add that factor in there. Now you may say, but wait a minute, you said passwordless. There's still passwords there. And that is correct. That's why Alejandro covered the definition in the what phase of our session today, what passwordless is.
And unlike other terms, maybe like zero trust that kind of landed and people got that concept very quickly, passwordless is one of those things that doesn't have, it's a term we're working with. You know, we didn't invent it. It's there, it's in the wild right now. And we're just all dealing with it. It's a bit of a misnomer because at least in that first phase, you still have a password there. But now we move into that second phase, into the passwordless experience.
And this is where you are setting up your applications or your network access, your logins to your desktops, your mobile applications with the initial enrollment, doesn't even ask for a password. You know, you can just now take what you're doing in that step one in that passwordless factor and now just remove that password field.
You know, again, the password is still there. It's in a database now, but you're not passing those hashes back and forth over the network. You're not relying on the shared secret. You have a now passwordless experience. And when we say passwordless experience, we'll get to what those authentication methods are. But know there that there still is, you know, an improved experience, but a password somewhere there that is oftentimes used in a scenario where a user may be locked out and you need another factor to get back in. That password may be presented there.
And then thirdly, you know, the Nirvana state, the complete passwordless. This is where from beginning to end and that whole workflow, there is no password ever enrolled, ever asked for, ever generated, ever stored. And you are truly going passwordless. And I would say, you know, if you had a little slider, you know, think about where your organization is. Most of the organizations that Ping and ForgeRock deal with are in that passwordless factor very quickly in the next 12 to 18 months moving to that passwordless experience.
You know, very few organizations, unless you're very small and you, you know, you're kind of born in the cloud kind of thing, really have that complete passwordless solution. Because look, you know, we're all in the cybersecurity IT space here. Look at our organizations. They're very complex.
You know, enterprises have hundreds of applications running, lots of APIs, lots of different types of users and devices. It's a complex situation, but one that, you know, you can start down that pathway. But just remember the all or nothing thinking doesn't benefit us, doesn't benefit, you know, your organization. Take it in these bite-sized chunks and figure out where you are and how best to move to that next step.
Now, when we look at the integration requirements, this is really key here. I really like this, you know, just kind of dovetailing on what I was talking about on that last, you know, slide there.
The, you know, people ask, where are we with passwordless authentication? And I like to say that we are at the end of the beginning with passwordless. In other words, you know, two years ago, three years ago, passwordless was a complete fog.
Vendors, customers, everybody was just kind of walking through it and, you know, relying a lot on the platform vendors on Apple, Microsoft, Google, you know, and standards like FIDO2 and WebAuthn, optimizing around web and mobile first, you know, and now we have, I won't say we've matured on that, but we're getting, like I said, to the end of the beginning. Standards have been laid down.
Use cases have been put forward and organizations are having a lot of success on that first thing that you see there on the very left on this slide here where you see managed and unmanaged applications, web and mobile. In fact, Apple estimates that the typical user, you know, unlocks their phone in a passwordless fashion 75 times a day. And that's not a surprise to anyone. So we're already doing passwordless. We're already using it.
You can very likely utilize a lot of the applications, mobile apps you have on your phone, using passwordless to, you know, from start to finish, to engage, to unlock your phone, to open up and authenticate yourself to the application, to perform a transaction, to do a payment and do it all, you know, using the security of the device, but doing it all in a passwordless manner. But now here's where things get a little more complex. Look at what happens now when you start moving to the right.
And Alejandro, you know, he brought up the KC, KuppingerCole Leadership Compass for passwordless authentication report. It's a mouthful, but it's very juicy and there's a lot in there. And one of the things that he mentioned was that vendors have different approaches here and that you should ask your vendor how they differentiate in the passwordless space.
Because there is a temptation to think that, well, you know, passwordless is just FIDO2, you know, FIDO is the Fast Identity Online, which is a consortium of vendors who came up with some standards like WebAuthn to basically do passwordless. Or it's just passkeys, which is, you know, the platform vendors being able to generate, you know, through the, you know, private public key pairs, those private keys, store them securely on the device, put them in the cloud, push them down to other devices on that platform. That's what passkeys are.
But in reality, there are different approaches and differentiations here. And one of them is what happens when you start moving to the right and you start getting into all of the hundreds of applications that organizations use, the devices, such as different desktops. So you might say, well, you know, you can go with Microsoft, Windows Hello for Business, and that works very well for Microsoft desktops. And then once you start getting into Linux desktops, Linux machines, Macs, you know, does your organization have Macs?
Well, 92% of us do. So, you know, once you start getting into those, or you start getting into non-Windows, you know, domain join machines, workstations, servers, you know, those green screen applications that a lot of our organizations still have and mainframes. What about VDI?
You know, if you're doing virtual desktop interface. Yeah, once you start getting into those, passwordless starts getting really gnarly because a lot of those applications, legacy applications that are very old, but still very essential to running our businesses, still rely on that password field. And vendors like Ping and ForgeRock are able to essentially take that password field, secure it. So securely replay a password to that.
That's, you know, we can get into the details of it, but basically make it like that FIDO2 experience that you would get if you're logging into your Windows, or sorry, your mobile or your web apps. And a good passwordless approach will take into account all of this. Because what we know is, you know, when you start seeing success on that left-hand side of the screen with your mobile and your web applications, you'll very soon start to see users saying, why can't I use it for this application? Or I'm rolling out this new application.
You'll have your app and your business owners come to you and say, let's put passwordless on this. And then you're going to start to see that you need a full approach that encompasses all of these different things. And what do you need in your organization to start to have passwordless?
You know, and we bucket it down to these three different items here. There's authentication methods, access orchestration, and app integration. First bucket there is authentication methods. Your organization is not one set of users. It is very likely dozens and dozens, if not hundreds of different types of users, groups of users, different users doing different things, different users that need different security levels. So for example, sysadmin might need greater passwordless security than somebody who's just kind of a run-of-the-mill employee.
So you're going to need different authentication methods to support different users. And we'll talk about that on the next slide, what those authentication methods are. Access orchestration. So ForgeRock has an orchestration tool called Intelligent Authentication, Intelligent Access. And there's also Ping DaVinci. Now what orchestration is, is it's the ability to design and quickly put into place no-code, low-code user journeys. And with a click of a button, test those journeys out, another click of a button, put them into play.
And that's important because in your passwordless journeys, you're going to need to design what-if scenarios. You know, what if a user has lost their phone or they temporarily don't have their phone in front of them? How do we support that user getting access to their applications? What if a user is outside of their cell phone reception and they can't, you know, complete that transaction, you know, on a mobile device, but they're on their desktop, their laptop, on a hardware connection.
So, you know, those types of things, access orchestration is able to support those things. And then finally, app integration. Now back to, you know, access orchestration, that's important because, you know, Alejandro talked about vendors needing to differentiate in this space. And perhaps there's no greater differentiation than the access orchestration. Not all passwordless solutions are WebAuthn FIDO2.
You know, a lot of them are, like we talked about those enterprise applications, those Windows machines and Linux and those things. And you need a comprehensive approach where you can design those user journeys for all those applications and all those users who need access to those applications. For example, one of the ways that like Ping and ForgeRock differentiate there in access orchestration is being able to take those attestation signals that are generated between client and host.
So user who wants to get access to an application, you know, will send back using that FIDO2 protocol, various signals. It can be like user location and what browser type you're using, et cetera. We can actually feed those into our orchestration engine. And then based on that, plot out that user journey in different ways to make sure that user gets access very quickly or make sure that if there is a, another authentication factor required that we're able to then present that and make sure that user can get access or potentially be challenged if they need to.
We don't like to do that, but security is important here. And then make sure that user, if they need to use another authentication method that they're already enrolled in, make sure that we can utilize that as well. Let's explore these three things a little more deeply here because we talk about the capabilities that your organization needs to have to be able to facilitate passwordless. These are really the three things that you need to have in place. Authentication methods. As Alejandro said, passwordless as a terminology, as a term, really means just, you don't have a shared secret.
That's what it means. And you replace that shared secret, increasingly with things that are passkeys, which are PKI or private/public key pairs. And in fact, a lot of our organizations, a lot of customers that ForgeRock and Ping talk to, they're actually referring to their projects that they're doing next year in terms of not passwordless, but we have a passkeys project that we're doing. And I think that's interesting. And I think maybe we'll talk about this at the end of today's session, whether we think the term passkeys will eventually replace passwords.
I think that's some food for thought. But when it comes to authentication methods, that's just a sampling that you see across there, from WebAuthn to one-time passwords, OTP to push notifications, which are probably one of the more popular authentication passwordless, MFA, multi-factor authentications that we see out there. But it could be QR code. It could be magic links. And there's varying strengths of these authentication methods as well. And we've known that for a while, NIST 800-63 has laid out strength of authentication for a long time.
So those are all authentication methods that need to be considered. But it's important to know that, interrogate your users, because when we find healthcare workers or factory line workers, there's a whole different set of authentication methods that those users will have access to, or they'll be comfortable using. So you want to make sure that you have those authentication methods available. That you can easily enroll those users and use those in their passwordless journeys. Talk about access orchestration, Ping DaVinci and ForgeRock, Trees or intelligent access.
And this is the ability, again, this is very specific to those two vendors that were able to take these signals, put them into our orchestration engines, and then shape that user journey in very positive ways. So you can say, hey, that user, it has been strongly bound to that device because they authenticated using a passkey. So no further authentication is necessary. All the signals line up. The risk score is very, very low. It's within acceptable range and have that user sail through on a frictionless experience.
And there's no reason why that frictionless experience can't apply also to the enterprise. With single sign-on and federation, you can give your users access to the vast majority of applications that they need with a simple passwordless authentication applied at the start of their workday. And finally, on the bottom there, application integrations, like we talked about, that there's a kind of a myopic view of passwordless that says, well, it's web and it's mobile applications. That's what we can do passwordless on.
But very quickly, you will see that this is moving deep into the enterprise because of the benefits that are there. I mentioned being able to, potentially down the road, disable those very expensive IT tools, the IT help desk that is involved in these daily password resets, password synchronization tools and things like that. The IT overhead in being able to maintain those things and just providing that simple, elegant, super productive work environment for your users that is also more secure. And that is in the application integrations.
Now, when we talk about supporting passwordless, there's really kind of two different approaches here. The first is that, we talked about this a lot, the FIDO WebAuthn Passkeys approach. This is standards-based. It's well-known. It's been out there. The FIDO WebAuthn standard has been around since 2018. Passkeys has been around for a while, but it's now been adopted by all of the platform vendors. And the integration efforts on those are very closely reaching maturity stage.
It's well-known if you have a mobile app, that you can utilize those platform vendors to help with the already enrolled user. They already have their device. They're already known to that platform vendor. You have an application, user can enroll, generate those private keys, which are stored there. Public key can be shared out anywhere. So that approach is good. But remember that the vendors like ForgeRock and Ping, we build on top of that FIDO standard as well.
So it's standard-based approach, but it's one that says, hey, you can take those signals and you can do a lot of different things with them. And then similarly, on the right side is, now users are coming forward and saying, I want passwordless, but not just for mobile and web applications. I want them to be able to log on to my desktop in the morning. I have a Mac, for example. I want to use passwordless.
You know, I want that same experience that I have when I'm using mobile apps or I'm on my web browser. And, you know, providing those is a little more complex because what we do here is, you know, here's the use case here for supporting enterprises is being able to do that same thing, provide that FIDO2 experience to users using virtually any type of application, legacy application. So what we do is we, you know, the quick summary of it is we take that password field, we intercept that password.
We put it into a situation where we will lengthen and strengthen that out to almost like a password manager out to, you know, 40 to 70 different characters and shred that password and replay it securely every time that user logs in. So that's nothing that is seen by the user. That's behind the scenes.
What the user is, what happens there is that kicks off a FIDO2-like sequence of events where the user can use their mobile phone and through an app authenticate using their, you know, touch ID, face ID to then get access to that application or to do a single sign-on to get access to multiple different applications. So it's a very innovative approach that we're using here and invite you to check it out because enterprise passwordless is more than just your web and your mobile applications.
It can be virtually anything that you have today and the benefits of it, keeping your users productive, keeping your users happy and most importantly, lowering the cost on your IT help desk and the tools that you're currently supporting today. And why ForgeRock, and I would extend this also to Ping Identity as well, is we talked about today going at your own pace. Passwordless is a bit of a misnomer in that those passwords are still going to be there for a while but they will be, your organization will increasingly use and rely on them less.
New applications that are rolled out won't even ask users to enroll in a password any longer. It'll be a passkeys world that we're entering there.
You know, I like to use a funny analogy. I thought of this one. So if somebody steals it out there, you may have to attribute it to me.
But, you know, I looked at, you know, you have people who study the human anatomy and there is an organ that humans are born with called the appendix. And virtually the only time you hear about the appendix is when somebody needs to have their appendix out, right? But the appendix is an organ that at one point in our evolutionary cycle was important to us.
But today, people who study anatomy aren't sure what the appendix was ever used for. They really aren't. They really don't know what the appendix was. It was some organ that did some function sometime but we're just born with it now. And I look forward to, you know, the time when a junior IT person starts in an organization and they're, you know, they're looking around and, you know, what's this storage over here for? And some senior person says, well, that's a, you know, a more, you know, that's our password database. It's encrypted. We have it around. We're not sure what it's used for.
We just haven't gotten rid of it yet, you know? So I think it's like the appendix, you know? It's there, don't know what it's used for. It's increasingly less important and, you know, eventually they'll get rid of it.
So, but passwordless at your own pace is really important because yes, the passwords are going to be around for a while but they will become increasingly less important, less used and less of a target for those attackers. Secondly, why ForgeRock is the broad passwordless coverage. We talked about virtually anything that you have today, not just the web and mobile, which is kind of what everybody knows passwordless has right now, but creating that passwordless-like experience in those other applications that you have is now possible today. And not every vendor has that.
And also the orchestration, you know, that third thing on the slide here, the no code orchestration, being able to quickly design those journeys and you're not hiring developers. You're not having to spend, you know, months testing those user journeys. You can create those, put them into play and change them when the security situation evolves. So that is that. And you know what? We've got some stuff for you. So in addition to the KC Leadership Compass for passwordless authentication, which Alejandro and I both mentioned, it's available on ForgeRock's website.
Got a couple other resources for you here. The how, we talked a lot about the why, the what and the how.
The how, seven steps passwordless authentication. If you zap your QR code there, you can get that. Similarly on the ForgeRock Pass Experience Center. Very cool web app that we have going on there. You can also zap that here or just go out to forgerock.com and take a look at that. If you're interested in what that passwordless experience looks like, both for your consumers, your customers or for your internal employees, that experience center is for you.
In four minutes or less, you can go through the steps and look at what an enrollment, look at what a log on looks like, look at what different authentication methods are. And you can experience what your users could potentially be experiencing at some time in the future. So we have those two things available. And Alejandro, I gotta tell you, looking forward to our poll results. Maybe we have something like that going on.
Yeah, that's right. Well, thank you, Jeff, for sharing your experience and your insights on this topic.
Yeah, how about we take a look at the poll results? Look at that. What is your organization's stance on passwordless? That's a good sign, don't you think? I think so.
You know, and I think the most interesting thing here is the D, you know, the 14%. Not considering adoption, but since they're on the call today, probably passwordless curious, wouldn't you think? That's right. And that was at the beginning of the webinar. So maybe they changed their mind. Let's see. How about we go to the second question?
All right, I like this one here. Yeah, look at that.
You know, when I see this, first of all, I'm not surprised. Are you surprised, Alejandro? I'm not. But I think it depends on the context. And you think some might be looking for improved user experience based on the use cases they have.
Yeah, right. Yeah, but you know, here's an interesting thing that we found out at ForgeRock, which, I don't know, kind of blew our mind a little bit, blew mine, but I have a simple mind. So for passwordless, the key driver in the consumer space, in other words, I'm a company, I want to provide that passwordless experience to my customers when they get access to, you know, their accounts or through their mobile app.
Obviously, that one, we expected to be enhanced user experience. And that was true. But when we started going to the enterprise, we thought it would be about improving security. And guess what? You know what we found? We found it was still enhanced user experience. Okay. For the enterprise, which blew our mind because we thought it would be about, you know, first, improving security.
Secondly, you know, regulatory compliance, which is starting to have a little bit of impact on passwordless. But then thirdly, we thought it'd be about, you know, the user experience.
And no, user experience is absolutely paramount, even in the enterprise. Absolutely.
Good, good. Now I'll quickly share my screen now. And we'll go to the Q&A. Just before that, a few marketing from my side. We have a new product called KC OpenSelect. And we have a passwordless one. So you can take a look at that and it will facilitate your selection for the right vendor. We will also have a cyberevolution event coming up next month in Frankfurt. We'll be covering lots of these topics that appear on the screen.
And yes, the things that we do at KC. And you can find more research on the following links. You can take a look at it when you get the slides in the coming days. But how about we take a look at some of the questions. There's a question from the audience. And they wanted to ask you, Jeff. The question is, is MPIN part of ForgeRock's authentication methods? Can you repeat that question? Is what part of ForgeRock's? MPIN. MPIN. Like the PIN codes. The audience is saying, I am interested in MPIN authentication. Can we have an explanation regarding ForgeRock support?
Yeah, I'm not sure about that. I would want to say yes, because we can support almost any authentication method, whether it's our own native, whether it's through your platform vendor, or whether it's like YubiKey tokens, those FIDO devices. That particular one, I don't want to say yes, because I'm not that familiar with it. But come talk to us, is what I would say about that. Because I'm sure there's something or some use case you have for it that we could probably support that for.
Okay, we have a couple more minutes. So maybe one more question. Someone from the audience is asking, neither of you talk much about managing user experience, communicating change to them. I think that's critical. Am I overestimating its importance? You are not. That is very important. And thank you for bringing that up. We talked a lot about the technology today, Alejandro. And I think that that participant brought up a really good question. It's about people, process, and technology. And the people element of that is very important.
What we're finding out with passwordless is the user experience, users are generally receptive to it, because they're using it in their personal lives. But you have to look at use cases, because somebody on a factory line is not going to want to pull out their mobile phone or use that in a work environment. I mentioned healthcare workers, there are different use cases and what they can and cannot use in different healthcare scenarios and theaters. So user acceptance testing is very important for passwordless. And we did talk about, I had that one slide of the authentication methods.
And we said that one size doesn't fit all, that you have to look at not just the methods, but how users are getting access today, and then change that in different steps. So today, username and password, can you add a passwordless factor on there as the first thing? So you're not disrupting that user workflow very radically yet, and then move over to the right to a more complete passwordless solution over a period of months or years.
Good, Jeff. I think we finished right on time. It's awesome. Yeah. So thank you so much for your time today, for sharing all your insights. I look forward to catching up soon. Fantastic. Thank you. And thanks to our audience.
Goodbye, everybody. Goodbye.