Hello and welcome everyone to our webinar today. Today's topic is: what does the future hold for passwordless authentication and zero trust? I'm joined today by John McInnis, director of product marketing for HID Global. Just a little bit about us: KuppingerCole, we're a global analyst firm focusing on IAM, cybersecurity and AI. You can read our research at KC Plus; for about 800 euros you can get access for a year to all of our research. We also put on events. EIC is our flagship event, coming up in Munich in May. We produce master classes and e-learning.

So, about the webinar today: everyone's muted, and we will unmute as needed. This will be recorded, and the slides and the recording should be available tomorrow. There will be a Q&A session at the end. There's a control panel you'll see on the side for GoToWebinar, and you can enter your questions into the questions box on the control panel at any time; we'll take them at the end of the session.
So I'm John Tolbert. I'm going to start off talking about the background on different kinds of authentication requirements, the regulatory constraints, and zero trust: what is it, where does authentication fit into it, and then why and where authentication appears in our identity fabric and information protection lifecycle. Then I'll turn it over to John McInnis from HID Global, and he'll talk about zero trust in more detail. And then again, we'll take questions at the end. So first off, I think it's important to try to get authentication right.

And I see that there are three main challenges here. First of all, it's got to be usable. We all know passwords are a pain, but there are also difficulties with other kinds of authentication methods; we'll look at that in a bit more detail in a few minutes too. But usability is important. Security is important. Again, passwords are insecure. I think we should make sure that authentication assurance levels are commensurate with the level of access control needed, as defined by policies. And increasingly we're seeing that authentication just isn't a one-time thing. It's not "I log in at the beginning of my workday and then I log out"; there are different kinds of authentication events that need to take place throughout the day, or even within a session, and it should be risk-adaptive and continuous. Again, we'll define that a little bit more later, and it's different for consumer versus employee kinds of use cases. And then regulatory compliance: users may seem to prefer, in some cases, things like biometrics or other methods that are easier, but as we know, regulations are increasingly beginning to define the kinds of authentication methods that are required for different kinds of situations.
So let's take a look at the major authentication options.
As we know, there are some good and some bad. Passwords: we all know they're the cause of something like 85% of data breaches; they all start with bad or guessed passwords, or passwords that you can find online on the dark web. And then, to make things worse, resetting passwords is often backed up by using what we call KBA, or knowledge-based authentication. And for most of these so-called security questions, the bad guys can find out the answers online, especially if it's something like your mother's maiden name or what school you went to. Or now we see lots and lots of quizzes and things on social media which almost seem to be designed to give up information. So that makes it easier for the bad guys to guess how to answer your KBA questions.

Then we see SMS OTP. It's a second-factor authentication method that has come into wide use. People are familiar with how this works, but at the same time it's fraught with security difficulties as well. Organizations like NIST have deprecated it, and many other organizations around the world are trying to move away from it because of the security problems with it.
We have social logins. This is leveraging things like social network providers as authentication service providers, and then riding on protocols like OAuth and OIDC to do authentication at other kinds of sites. We see this a lot at, let's say, retail sites, media sites, things that are very consumer-oriented, and this can be a good choice for consumer-facing applications. We have hardware tokens. These have been around for years in different kinds of form factors. These, like smart cards, can be based on really strong cryptography. They allow you to represent identity in a very strong and secure way, and also make the best of high identity assurance situations. They too can have some difficulties, though, with usability.

I mean, think about it in terms of an employee who shows up to work and has forgotten their smart card or token; you've got to engage secondary processes to let them work for a day. So, pros and cons. Mobile apps we see increasingly, especially on the finance side: companies that are building their own mobile applications have authentication built in. I'll talk about the standards involved there later. Mobile biometrics: we see things like the use of fingerprint authentication and facial recognition. Those are both pretty common, and they have their strengths and weaknesses too. Biometrics can be easy to use, and in some cases, if you look at the false acceptance rate on things such as, let's say, Touch ID, it's about one in 50,000; they claim Face ID is about one in a million. But they could be susceptible to things like presentation attacks. So again, there are trade-offs on all the different authentication methods out there, and we need to right-size them to the specific applications.
So from a requirements standpoint, let's think about business-to-employee, the workforce. The requirements really are driven by things like regulations. On the workforce side, you've got financial regulations and privacy regulations that govern who can see what and what kind of authentication events are acceptable, and even export control laws in some countries will require higher identity assurance. Security policies: if it's a global enterprise, maybe you have different security policies; you're subject to different regulatory regimes in the different countries you operate in. So many companies will take a least-common-denominator approach to that: whatever the most restrictive regulatory jurisdiction is, build their security policies on top of that. And in many cases they'll have even stricter policies that might govern access to things like company financial data or intellectual property.

It should be risk-adaptive and risk-appropriate: only apply friction when friction is needed. Again, risk-adaptive means evaluating a variety of attributes at decision time. Try not to make it any more obtrusive than it needs to be, and allow your authentication system to be an integral part of the overall authorization infrastructure, so that you can also promote the concept of continuous authentication, which leads to interop with ABAC (attribute-based access control) systems. Authentication is just the first step, but there's a lot of information that can come from the authentication context that can be used in authorization.
Ease of use is important in business-to-employee kinds of use cases, but sometimes we find that it takes a back seat to risk. Consumer authentication: the requirements can be a bit different. In many cases we're really driven to reduce fraud. We see lots and lots of increases in the number of different kinds of fraudulent attacks. So this drives a need for transaction-level analysis. There are regulations that govern this, PSD2 for example; I'll talk more about that in a minute. It requires strong customer authentication, and like on the business-to-employee side, it needs to be risk-appropriate. The same thing applies to security policies. Many companies will have security policies related to what consumers are allowed to do in terms of accessing information or the types of transactions that are allowed. And again, that's a complex mix of not only the regulatory regimes in which they operate, but also what the company's individual preferences are in those cases. Ease of use is far more important on the consumer side. You want to bring consumers in, not make it any more difficult than you have to for them to transact business.

But again, you don't want fraud. And then, different from the B2E side, where, if your company issues smartphones or other devices to employees, you have some control over the kinds of devices your applications will be encountering, here you've got to build to include backwards compatibility and interoperability with all the different kinds of devices that are out there in the field. Your consumers may not all have the latest smartphone; I'm sure they don't all have the latest smartphones, and some may not have smartphones, period. So design with that in mind as well.
On the regulation side, GDPR came into effect a year or two ago. Now, it states the consent requirement, and that you must have really good business reasons for asking for, processing and storing PII. We were mentioning biometrics a minute ago; that's considered a sensitive category and is also subject to things like DPIAs under GDPR. So it's important to keep that in mind with regard to building authentication solutions. CCPA, California consumer protection, technically became law in January this year, slated to be enforced around July. It's similar in many ways to GDPR, but not exactly the same. This allows California residents to limit the onward sale and use of their PII. Biometrics are also considered PII under CCPA. And then PSD2: banks and financial technology companies have to offer strong customer authentication. Fortunately, they define that the same way we do in the industry, where it's two-factor, and you can also use risk-adaptive or continuous authentication solutions under PSD2 to reduce the need to require a big authentication event every time a user wants to log in, say, to their banking app. There are other factors that can be evaluated, and if they haven't changed significantly, or haven't changed outside the parameters of the policy, then you don't necessarily have to pop up an authentication event.
So what's zero trust, and how does this fit into it, or what are its impacts on authentication? I think it's easier to start by saying what zero trust is not. It's not about eliminating all digital trust. We often hear people say things like "zero trust networking", but it's way bigger than just a networking thing. It's not just about VPNs or network segmentation or even next-gen perimeters. It's not something that can be found in a single product or even a suite yet. It's a bigger job than what we in IT can do by ourselves. It's really very process-oriented as well, but it is an architectural model that we believe encompasses not just users but devices, the applications they may try to access, individual data elements or information objects, as well as the networks that all this rides on. It's a combination of processes and technology, and really it's about restricting movement and access, and then trying to provide a unified user experience, whether it originates from your employees, your partners, or even consumers.

And sometimes I think we see this embodied in what we call the consumerization of IT. Employees often now expect similar kinds of IT experiences at work to, let's say, the authentication they might use at home or for personal use. And this is what I think is driving a lot of the interest in both mobile app and mobile biometric authentication.
So, breaking this down into three categories: user, device and context. From a user perspective, zero trust means increased use of MFA, multi-factor authentication, and increased use of risk-adaptive authentication. Don't interrupt the user if you can collect other kinds of attributes and evaluate those, things like user behavioral analysis, UBA. You'll find a lot of financial institutions store information about what users have done in the past. So let's say I tried to use a mobile banking app to send 15,000 euros to someone I've never sent to before; that would be flagged as a potentially suspicious transaction. So you can roll that into your authentication solution, such that in a case like that you may actually prompt me for some sort of additional confirmation that I want that to happen.
IGA, identity governance, brings the lifecycle management approach to not only the enterprise side but the consumer side as well. Zero trust for devices: we find things like UEM, unified endpoint management, being able to inventory devices and find out what's out there in the field. If it's a B2E case, making sure your users' phones are patched, and maybe making sure that they've got endpoint protection or EDR clients. Using device intelligence, sometimes from within your own environment as well as subscribing to external feeds of device intelligence: there are feeds that can provide information on IMEI numbers and SIM numbers, whether they've been involved in fraud or any known bad activities. Device IDs: this can be complicated fingerprinting, more than just the ID that comes with the device, but a holistic look at the device and all the things that are installed. Context: again, I think it's really important to do this evaluation against security policies, taking the authentication context information and processing it; the IP address and geolocation, again, are quite important. There are cyber threat intelligence feeds that will provide information about IPs and locations, and then the requested resources or details around the transactions.

So, zero trust for access management: really, zero trust is all about least privilege, and that's why I believe it applies to more than just the network, more than just users, but also apps and devices. Only give enough privilege to get the job done, and if it's administrative, revoke it afterwards. There are advantages to be gained by centralizing policies and policy enforcement. It has to be dynamic, being able to make these kinds of access control and authorization decisions in real time, and adaptive, and by this we mean being able to process additional information like cyber threat and fraud intelligence.
Overall, we see moves away from passwords, using things like mobile SDKs and the security concepts and constructs within those, like GlobalPlatform, the secure element and the trusted execution environment. We do see people using mobile biometrics and mobile apps. These are the building blocks for things like risk-adaptive and continuous authentication. We do believe the goal is moving toward passwordless, getting rid of the password altogether. But at the same time, we have to make sure that we're increasing security, the authentication assurance level, as needed, as defined by policies, and also adhering to privacy regulations in different places around the world. Mobile's important for MFA because if you're using mobile with a PIN, that's something you know and something you have; mobile with a biometric would be something you have plus something you are. Standards to consider: FIDO, FIDO2, which came out last year, and WebAuthn, web authentication. This allows easier integration between two-factor devices or mobile devices and web-based applications, or even the Windows OS. GlobalPlatform SE and TEE, I mentioned those just a second ago; what's important there is that they're ways to secure keys or secure execution on Android devices, so that, let's say, the authentication process can't be tampered with. Things like JWT tokens, OAuth2, OIDC and SAML are good ways of representing authentication, and sometimes authorization, events and federating those with other systems. Specifically, FIDO is good for not only the authentication itself, but it's privacy-preserving. I think that's an important consideration when we look at the regulations: each relying party connection with FIDO requires generation of a separate key pair. So that's the privacy-preserving aspect. And again, GlobalPlatform, with a secure element, provides a good place to store keys, certificates and credentials, and the TEE can lock out other applications from interfering with operations, or even from being able to see what the user's doing on screen. So I think those standards are increasingly important for securing mobile authentication today. And then lastly, I want to fit this into our KuppingerCole identity fabric and information protection lifecycle concepts.
So on the identity fabric side, the idea behind this is to look at all the component services that an identity management system could provide, and what that means in terms of capabilities. Can it be offered as a service, and if so, how? On the capability side, what's most key here, of course, is MFA, which you can use for building authentication services. Now, whether you choose to deliver those yourself as an enterprise or, say, use an external authentication service, MFA will be one of the capabilities that you need. And we do see the trends here: leveraging things like APIs and microservices to build and deploy authentication and other IAM-related services. This is where we're heading. And then how this fits into our information protection lifecycle. We define three phases to the lifecycle: acquisition, which can be creating or discovering information; the active use life, when you're doing things with it; and then disposition. So authentication comes in most prominently in the "control access" part of the active use life of the information protection lifecycle. Happy to go into detail about these with anyone who'd like to discuss further.

So at this point I would like to wrap up with some recommendations, thinking about how to move to zero trust and passwordless. I think you've got to start by inventorying your use cases, understand your regulatory environments, and then use that to understand your business requirements too. Take a look at your existing architecture and develop a roadmap of where you want to go, taking into account all these factors above. Budget for it. Invest in your authentication solutions as needed, with special emphasis on mobile. Invest in network and device authorization solutions as needed; these are often very different things. And then design risk-adaptive authentication or ABAC architectures, and then deploy and maintain. So I will save this for the Q&A session, and at this point I'd like to turn it over to John McInnis.
Okay. Thank you very much, John Tolbert. Hello to everyone out there taking note of this presentation; I certainly do appreciate your time. My name is John McInnis. I'm from HID Global, and most people know HID Global from the smart badge that they use to get into the office every morning. And that is because one thing that HID does is, we are the world's leader in physical access control. But what I'm going to talk about today is how you can converge access control in some ways, and also other things that we can do in terms of passwordless and zero trust. So the title of my presentation is "The Journey to Passwordless Authentication". We might not get to passwordless authentication for quite a few years, but it is the ultimate goal. So we keep high-security passwordless authentication in mind as the goal that we're moving toward.

Now, let me begin. I refreshed some statistics here on password problems. This is not breaking news, and password problems have continued over the last three years: 2.3 billion credentials stolen in 2017 alone. But in 2018, we saw a 126% increase in exposed records containing that private information which is protected by the GDPR and CCPA. As we know, there's been a huge rise in phishing attacks, which has become one of the primary attack vectors now, displacing malware in 2018, '19 and going into '20. So these are some of the business losses that we're experiencing from passwords. But the other thing is the cost: up to 50% of help desk costs are due to lost passwords, and 1,300 years are spent each day by humans entering passwords. I'm probably responsible for two or three of those myself. And John mentioned knowledge-based authentication, KBA, which is that supposedly secure mechanism that we use to recover passwords in case they're lost. What's the middle name of my grandma? Where did I meet my wife? Et cetera. Now, only 16% of people actually listed the answers to those questions as part of their online profile, but as John Tolbert mentioned, those questions can be phished on social media, just the way we can phish your logon credentials. And 40% of users, that's me, were unable to recall the answers to their questions when they did need them. So KBA is just as faulty as password recovery. John did a pretty good job walking through zero trust.
And I imagine that anyone who would take the time to watch this presentation has some notion of zero trust and how it adds another layer of security beyond traditional perimeter-based security. And why do we mention zero trust when we're talking about multi-factor authentication? Because the way that organizations are getting that control is by only permitting users, which could be people or things, as mentioned, that are confirmed by their identity fingerprint, and being able to correctly and accurately verify users is essential in a zero trust environment. And that can only really be achieved through multi-factor authentication options, including some really popular recent nuances; John was talking about continuous, risk-based, adaptive authentication and mobile applications. So that's why we talk about zero trust when it comes to MFA. I wanted to back up for a second and reference one of John's slides on getting authentication right, the challenges. I thought he nailed it in terms of the things that customers are looking at when they're implementing a multi-factor authentication solution. But I put them in a little different order here, based on what we see as the buyer journey. So what really brings customers to the table and starts them planning for MFA is regulatory compliance. It could be the internal security policy, or it could be external compliance. Now, John mentioned a couple here, the GDPR and CCPA, the California version of GDPR.
Most folks are familiar with those, and those are privacy laws. They don't necessarily point to multi-factor authentication in the specifications, but the idea is you can't really control the data flow until you can accurately control who has access to that data. And that's where multi-factor authentication comes into play. PSD2, once again, that's consumer, for banking and financial institutions, a consumer play. I'm going to slant my presentation more towards employees and the enterprise. So there are some regulations that touch industries exactly and require strong authentication. For example, electronic prescription of controlled substances requires multi-factor authentication for the doctors and staff accessing the system, as well as folks at the pharmacy, and also requires that documents passed back and forth are signed and encrypted. So you definitely need multi-factor authentication for that, and even PKI in that case. Under the TSA, there's an organization you may have heard of called CISA, the Cybersecurity and Infrastructure Security Agency. What comes to mind there, and I have got a blog out on LinkedIn if you want to check out the full story, is that CISA reported in February, just a couple of weeks ago, that they again responded to a state-sponsored intrusion at a pipeline operation facility, where the attackers were able to use a phishing attack to steal passwords, log onto the IT system, and then find a bridge over to the operational technology and actually start sniffing around in the pipeline operation side of the facility. Luckily they were only able to impact Windows systems, and the actual operation systems, which did not run Windows, were not impacted. So the plant did not lose control at any point in time, but it's pretty scary. And under CISA, it will directly recommend or insist that facilities have multi-factor authentication for both the IT and the OT parts of their facilities.
It also introduces a need to combine physical and logical security, which a lot of organizations are doing for different reasons. Folks that are working in and around the insurance industry will recognize the NAIC, which is the National Association of Insurance Commissioners. They developed, excuse me, it's called the Insurance Data Security Model Law. It's not really a law until it's adopted by each state individually, but as of right now it's been adopted by, I believe, roughly 40 states. So it's in almost all of the states, and in those laws it directly requires that employees, anyone accessing systems, have strong authentication, multi-factor authentication, before they do so. So, a few regulations that touch enterprises directly. Okay. So now that you have the need to buy, you have your security policy, your audits coming up, or your external regulations, what is needed?

And like John mentioned, today employees expect that consumer-like experience. So user convenience is key, and if we learned anything by working with complex password schemes, it's that you can't put the onus on the user for security; the security needs to protect the user. It also needs to be a frictionless experience for the administrators. Like John said, it needs to fit into their current architecture, give them that investment protection to evolve into whatever their particular goals might be, and also be easy to buy and deploy. And what you get are almost like the benefits that we usually talk about up front: the great security right off the bat. You get protection from misused credentials and phishing attacks, and you take the next step toward your security goals, whatever they might be: if it's a zero trust model for your architecture, if you want to get to a passwordless environment, if you need converged access control, or if you just want to protect from phishing attacks. So, like I said, the nirvana here is high security and convenience with passwordless authentication, where we just walk around and the machines recognize us, rather than humans having to do anything that's out of the ordinary or difficult. So, moving away from passwords, which are low security and also very inconvenient.
And you'll see, for example, Google; I'll show you how Google deployed two-factor authentication, which gives higher security, but it's still not that convenient to use. But there are other ways that we can make it easier for our employees and move toward that more convenient yet high-security type of experience. Real quick, I'm just going to mention the difference between FIDO and PKI. I'm not going to go into it in any depth, because once again, folks watching a presentation like this already understand public key cryptography and how it's used, and because PKI has been around a long time in federal government and banking and in high-security enterprises, people understand the use cases that it's used for, both in authentication as well as document signing and encryption. And then there's FIDO, which also uses public key cryptography and a lot of the same mechanisms for the security. So what is the big difference? This is the question I get asked most often by the smart people that know this stuff. And the answer they're looking for is that in PKI there's a central authority, there's a CA, a certificate authority, and a management service in the middle, so that the certificates can be issued by the employer and centrally managed and revoked. Whereas with FIDO, the key pair is generated on the device. The private key never leaves the device; it's never registered or tracked. And it's only the public key that the user himself or herself uses to register and say, okay, this is me. Okay.
So how is it being used? Okay, you've got all these things now: you've got the regulatory requirements, you've got the usability needs, you need to fit into your budget and your IT architecture. What are enterprises actually doing out there? So of course, a lot of what we do is look at some of the tech giants for direction. And there are a lot of articles here, so you can look this up; maybe you're already familiar with it. A lot of people are. Google, since 2017, has had an order in effect that all its employees must log in with these USB security keys to protect Google from phishing. And by the way, they haven't had a phishing attack, or been impacted by a phishing attack, since they put this regulation in play. Now, these keys, they leave lying around; a Google employee told us the other day, in a presentation that they did, that they don't issue the keys to users. They don't track the serial number or track the device in any way. They basically just leave them lying around, and you pick one out of a box. Here you go, but you have to use it. So you log on with your password, and you won't be admitted into the IT system unless this device is present. When you first load it in, you just go to the registration service, you hit the button, it generates the key pair, and now they link your public key to your password. Great scheme; it gets rid of the threat of phishing and lost credentials. It does not move to passwordless. The password is very much still a part of the solution, but it's a 2FA solution for a specific need that works very well for Google. Well, what is Microsoft doing? Microsoft is doing a lot of things, for you folks that are steeped in that; you know what I mean.
There's just a ton of stuff to learn there, but what Microsoft has is kind of the 2FA/MFA solution with the Microsoft Authenticator; most of us have used that. And on Windows 10 devices they have Microsoft Windows Hello. Now, this works really well if that's all you need and you're working in a pure Microsoft type of environment: all your PCs are Windows 10 and above, and you're working in a hybrid Azure AD-joined domain, then all this will work fine for you. What customers tell us is they don't exactly have this kind of architecture in their system. They've still got on-prem services, and by the way, they use other cloud services besides Azure, and they have users that need remote access. So the Microsoft solution doesn't solve every problem. And I'm going to talk about the identity platform from HID, which is DigitalPersona, in a minute. I just wanted to mention here that we are Microsoft partners. So our products, DigitalPersona and Crescendo 2300, for example, will drop right into this Microsoft environment and work very well.
But more importantly, we can extend this single sign-on and the Windows Hello-like experience across your diverse IT system, whether that's green screens, systems based on RADIUS or TACACS, or across distributed clouds. And the other thing that we're seeing happen, and I mentioned the pipeline example, is that more and more policy and governance teams inside enterprises are combining physical and digital security and want converged credentials, so that they can track and monitor identities in and out of physical spaces as well as in and out of their IT services. And so many times a converged credential is very useful there. What better company to work with, when you want to converge your physical access control and your IT access control, than HID Global? But in terms of a converged credential, there are a few things that work. John mentioned the mobile app; a mobile credential would be an example of that, or the smart ID badge. I think companies will continue to use the badge because it is so useful for physical access. Why not use it as a factor to log into the IT system as well? As well as fingerprints, because fingerprints are used a lot for access control too, and other biometrics will begin to evolve there as well. But that's what we mean by converged security: that IT teams, or the security teams of enterprises, want to be able to monitor across domains for these things like continuous and risk-adaptive authentication that John was talking about.
Okay, so converged security is a need. So here we have it. You've got the regulations which are forcing you to buy. You've got, you know, the employee experience, which is critical for success.
You need to work in your current architecture, but have a path to move to your next generation of architecture. And you have a myriad of authentication factors that you want to use. And employees each may have their preferences, or the employers might have certain preferences that they want employees to use.
So what we do with DigitalPersona is take all of that into account and enable our customers with a solution that they can use today. But it will also enable a path forward in their journey to passwordless or zero trust or wherever it is that they're going. So let me begin with the MFA options in terms of physical. Yes.
You know, MFA is what you know, who you are, what you have, like John said. So you can still use the password, the PIN, the KBA. Like I said, not going away anytime soon, but the reliance on that becomes less and less. Who you are, which is typically biometrics, and then what you have.
And that could be a lot of different things. It could be smart cards. It could be USB tokens. When you're dealing with things like smart cards and USB tokens, remember that they can be multi-generational inside of an environment. They can also be from multiple different vendors inside of an environment.
And DigitalPersona can do that like no other product on the market: take whatever generation of physical access control you have today and integrate it into the system and use it right away as another factor for logging onto your IT. There's different generations of smart cards. Some are contactless; that seems to be the popular way to go today. There's Bluetooth devices. We don't use the one-time password that much anymore; that's falling out of vogue. But you can use email, mobile applications are very popular, like John mentioned, and, oh, you could use your Apple Watch.
You could use your FIDO key or your FIDO-enabled smart card or USB key. So pretty much anything that you wanna use or employees want to use. And then on the right side, we can also bolt in those continuous risk adaptive kinds of factors that John mentioned, you know, those contextual things. Where are you? What's your IP address? Are you using the system the way that you usually do? What timeframe? These kinds of things that are continuous. They work in the background. They're not disruptive, but can be used to detect anomalies in your system.
So finally, I'll mention the philosophy that we use with DigitalPersona: you can take DigitalPersona as the enterprise identity platform from HID Global, giving you higher security, greater convenience. And what we do there is give complete coverage across your diverse IT systems, both your on-prem, your Azure, your AWS, whatever cloud services you use, as well as your on-prem services and converged access control. No one does that like HID Global, where you can begin to use shared credentials across your physical access control and your IT access control systems.
We make it human friendly, with the widest choice of multi-factor authentication options. You name it, you can plug it into DigitalPersona, and we very much are on this journey to passwordless authentication. So if you're looking at MFA solutions, I hope you'll check us out. There's a link there. I thank you very much for your attention, and I'll hand it back to John.
So let's take a look at the questions that have come in.
And just a reminder, there is a questions box here in the control panel. So feel free to type those questions in and we will take them.
So first, what I see is: if we were to use FIDO tokens, is there a way to revoke the FIDO credential if the token is lost or stolen? Do you wanna take that, John?
Right. That's a good question. And like I mentioned, because the FIDO credential is not centrally managed, there's no way to revoke it as an admin. The user must revoke the public key individually by himself. So there's no central control. Good question.
Okay. Next one.
If we are looking into investing in MFA technology, what sort of things should we be aware of with regard to changes in the market over the next three to five years? Well, you know, I would say that, like we have both mentioned today, moving to passwordless is the goal.
And, you know, that's probably at least three to five years out for a lot of organizations. I mean, there are lots of interesting stepping stone kinds of options that can help you get there.
I think, you know, John covered FIDO in a bit more detail. I'm really excited about FIDO2. I think that that can be a great way to move toward passwordless.
I think that the risk adaptive and continuous authentication concepts, we are starting to see more and more companies building that in for both consumer facing environments as well as workforce environments.
So, you know, and I think there's an interesting alternative out here too, that's kind of in between the workforce and consumer world where, you know, I've got a blog that I'm working on right now about essentially the derived PIV credential specification that came out a few years ago, where it may be like using the PKI credential on a mobile phone.
So, I mean, that's a bit more intensive than what we were talking about here with FIDO, which I call FIDO like PKI without the CA. You know, you get a lot of the benefits of the PKI sort of solution without having to have the investment and the management of the certificate authority and all the issuing of certificates, you know, on a per application basis.
But I think things like, you know, being able to store and use identity certificates and keys for signing on a phone in a secure way, and standardize that, I think that might be a bridging mechanism that we see coming to use in the years ahead as well. But ultimately I think three to five years out, we should be much, much closer to passwordless authentication infrastructures.
So the next one is, let's see, going back to the first question: why can you not revoke the user's public key on the FIDO server?
Okay. You can.
And that is the point: if it were a PKI credential, and if you need PKI credentials, that's a different solution that can just be revoked by the central management system. Now, the PKI public key can be revoked on the HID server or whatever server is accepting the FIDO protocol, but it's a user initiated event.
So it's typical to see in the consumer case, if I'm using my FIDO key to log onto my Amazon account and I break, lose, or misplace the key somehow, then the next time I log into Amazon, I'll re-register a new key and let Amazon know that old public key is no longer valid. So yes, it can be done on the server. The point is that it's a user initiated event, whereas an enterprise that has full PKI or a PIV solution like John was talking about, and the federal government actually uses four or more PKI certificates for a PIV credential,
then those can be revoked proactively, privileges taken away from the user. And that's the big difference between PIV and the FIDO credential. Hope that makes sense.
Yep. Okay. Next question. Will the presentation slides be made available to participants?
Yeah, we're recording this right now and hopefully that should be published tomorrow. Same thing with the slides. Question after that is: there are CVEs published to exploit Android smartphone-based 2FA like Google Authenticator. Do you see this type of attack making this 2FA redundant in the near future and pushing to biometrics? You know, the way the technology business works, even though new technology comes out, it doesn't necessarily make anything redundant overnight.
Then, you know, hardware-based two-factor, I think, will be around for quite a while. I think there is interest in biometrics, but you know, it's not a panacea either, because there are a variety of different kinds of attacks that you can use against biometrics.
You know, just researching about some of the, like, facial recognition, you know, you can 3D print masks based on multiple photos. And some of the facial recognition technology can be fooled by that. So biometrics does have the ease of use. In some cases it does increase security, but, you know, there are different kinds of attacks, different vectors, that can be used to compromise that as well. Any thoughts on that, John?
Hardware? I think, yeah, well, it started off as mobile, that, you know, they found vulnerabilities in Android and that's, like you said, that's how we bump our way through technology evolution. The same thing happened back on x86 computers before we put in the TPM and the trusted execution flow that runs in those devices now. And I think they're making huge strides. I'm not an expert on this, but it would be fun to learn more. If anyone out there has knowledge and wants to talk to me about it, they're improving the trusted execution environment of the other mobile platforms.
So I expect those devices will get harder as well.
And you mentioned earlier things like TACACS and RADIUS. So we know those authentication technologies have been around for a while and we're still supporting them.
So, and nothing gets deprecated easily.
That is correct, but see, nothing ever gets deprecated.
It seems. But you know, someone also mentioned, you mentioned biometrics, and, you know, the security of biometrics is improving too. Just if you take a look at the way they do fingerprint scans. Once again, I'm not an expert on this, but I was reading up on some of the latest technology built into HID door readers, by the way.
And, you know, they use these things in a lot of industrial type places where, you know, again, fingers are covered with grease and dirt. With the spectrum type technology that they're using, the scan of the fingerprint now actually goes a couple of layers beneath the skin. It does liveness detection and these kinds of things. So the security and the accuracy of just taking a fingerprint has really improved.
I can remember the first notebooks that had the fingerprint readers on 'em and people were having fun spoofing them with the gummy bears. Remember that? With your fingerprint on the gummy bear, and you could fake it out. But you know, you can't just try it. You cannot do that anymore. So it's ever ratcheting, right? Defense and offense.
Yeah.
You know, there's kind of a long question here. Let me paraphrase: about, you know, a variety of different kinds of technology, different methods that can be used. Yes, passwords are bad, but it's hard to manage all my MFA as well. There can be a combination of business, consumer, and multi-cloud leading to chaos. I understand the complexity and the challenges, but are we going in the right direction?
You know, that's a really interesting point too. I mean, I think we are seeing a proliferation of different kinds of authentication technologies and we see different kinds of organizations adopting different kinds of authentication. Yeah. I think that this is where standards become increasingly important. Being able to not only exchange information about, let's say, an authentication event and represent that maybe via SAML or OAuth or something like that, or a JWT token. But I think the question here is getting to: there are so many different ways to authenticate.
Is this necessarily a good thing?
I don't know that I have the answer to that off the top of my head. I think it's necessary to be able to offer sort of right-sized authentication solutions to, you know, the business requirements and the regulatory requirements that we've seen.
And, you know, we may be moving through a period where we see a lot of evolution in the different mechanisms and methodologies. And I hate to say things like eventually the market will sort it out, but I think, you know, the types of solutions that will come to the fore are the ones that pass the test, you know, regarding security as well as ease of use. So that's kind of, I would say that's where I hope it goes.
Any thoughts on the, yeah.
And I feel for people that are trying to sort it out right now. It's like any technology evolution: suddenly there's a huge need, a huge demand, and businesses are buying these solutions. So what happens? The market explodes with all kinds of different confusing messages and solutions from different places. So I feel for the person who wrote the question. We're highly aware of that, you know, at HID, and that's one of the things that we try to, you know, like you gotta break it down, go through your business needs, like John pointed to the circle there.
And like, how do I decide what to do? Yeah. You have to know where you need to go eventually, but where you are today and what your needs are. And it's a challenge, but that is, oh, that's the reason that we designed DigitalPersona the way we did. And I wanted to mention, you've said it a couple times. Yes. Standards are absolutely critical for the interoperability of your solution and for your investment protection, no matter what you do. And you mentioned a few: FIDO, OAuth, SAML, OpenID. We support all of those.
Of course, nothing would work without our open standards. And of course we have APIs too, so you can bolt it onto your proprietary architecture. So it's a tough challenge, but we believe we can help you find a path.
Yeah. I think standards can be good for, like, the backend communication between different systems. I think where this question was going is, you know, what does that look like in the front end, the multiplicity of form factors or processes that this could lead to?
I mean, we translate a lot of these user gestures in some cases or information about the context into a form that can be consumed by multiple backend authentication solutions. But yeah, there's definitely just a wide variety of technology that's out there.
You know, going back to the question about where do we see ourselves three to five years out? I think we will be much closer to passwordless. I think these standards are helping us get there to, you know, unify the experience, but not only the experience, but the infrastructure that we have to use to be able to provide authentication assurance and security. And risk adaptive and continuous authentication, I think we're going to see increasing utilization of those concepts and solutions that support those as well. So with that, we've reached the top of the hour.
I'd like to thank John for his participation today. And thank everyone for attending.
Yes, we will have the recording and the slides available probably by tomorrow. And yeah, if you have any further questions, feel free to contact us. And once again, thanks, John.
Thank you, John. Okay. Enjoyed it.
Great. Thanks. Have a good day, everyone.