Hi, welcome to the webinar, Unlock the Potential of Passwordless Authentication. Today's speakers are Christie Pugh, she's a Digital Product Manager at KuppingerCole, and Alejandro Leal, that's me, I'm a Research Analyst at KuppingerCole, and today's topic is passwordless authentication. It's a big and exciting topic, and we hope that you learn something new by the end of the webinar.
So, let's get into the topic, but first, some important information, all of you are muted, but at the end, we will have a Q&A session. You can enter your questions at any time during the webinar, and you can do that by using the GoToWebinar control panel. We will also run a few polls during the webinar, so I encourage all of you to participate, and yes, we will be recording the webinar, and it will be available together with the slides for download in the coming days.
So, the agenda for today, I will begin the webinar by talking about the problems of passwords, and then exploring the concept of passwordless authentication, and hopefully by the end of the presentation, you will understand that by adopting a passwordless authentication solution, your organization can increase both security and convenience, and then Christy will go on, and then we'll have time for Q&A. Before we start, here's a poll question.
I'm going to give you guys maybe 30 to 40 seconds to answer, and the question is, what is the biggest challenge your customers face in adopting passwordless authentication solutions? Is it old-school mentality? Some people have no knowledge of what passwordless authentication means. Some people also don't really know about the risks associated with passwords. Perhaps it could be migrating from legacy systems.
Some organizations, both small and large, often struggle to modernize their systems, or perhaps it could be having trouble selecting a product, and that's something Christy will talk later. I'll give you a few more seconds, and then we can move on. Okay. We can carry on then.
So, before we deep dive into passwordless authentication, let's do some contextual analysis first by asking the following questions. What is our actuality? What is happening in our present, and where are we going? I know this sounds like vague and even philosophical questions, but if we apply them to our industry, we can find some exciting developments. The acceleration of cloud adoption, the explosion of the Internet of Things market, the shift to remote and hybrid work, and the steady growth of e-commerce are clear signs that digital transformation continues to gain momentum.
So, what is digital transformation? Digital transformation can be understood as a process that organizations go through to deliver digital services to consumers and customers in the digital age. Essentially, delivering digital services requires the management of digital identities of workers, customers, consumers, and partners in a secure and seamless manner. As a result, in recent years, businesses and organizations are starting to modernize their systems by adopting new authentication mechanisms that go beyond the traditional username and password.
While the elimination of passwords has been a goal for a long time, and many people have been talking about it for years, if not decades, it seems like it's finally starting to gain traction in both workforce and consumer use cases. As we all know here, passwords are inconvenient and insecure. Passwords can easily be guessed, stolen, and compromised. And relying on passwords has become increasingly risky for organizations and businesses.
Numerous studies have shown that most data breaches involve the use of stolen credentials and compromised passwords, making passwords one of the weakest links in cybersecurity. For example, in 2021, IBM published its Cost of a Data Breach report, and they found that the average cost of a data breach in an organization was about $4.2 million, while for organizations that have 80 to 100 percent of their workers working remotely, the average cost of a data breach was $5.5 million. It's worth noting once again that passwords play a crucial role in data breaches.
Social engineering attacks and phishing attacks are targeted at users to obtain their passwords, account details, and credentials, so attackers can gain possession of them and use them for other purposes. If we go to the next slide, we can see some of the most common types of attacks. And I think it's important to recognize why passwords are failing as an authentication system.
In most cases, users use and reuse the same password or similar passwords across platforms, services, and applications, increasing not only the risk of having a vulnerability or of a password-based attack, such as mobile SMS calls, voice calls, push notifications, or one-time passcodes. When it comes to enterprise use cases, managing and resetting passwords can be very time-consuming and very costly as well. It is also important for employees to understand how cyber attacks can impact their businesses and how to protect themselves from day one.
We believe that it's important for new employees to get cybersecurity awareness training during the recruitment and onboarding process. Fostering a cybersecurity culture is imperative in today's age. In our company's research, we often talk about how legacy MFA solutions, multi-factor authentication solutions, were once hailed as the ultimate solution to manage digital identities. But the problem is that legacy MFA systems still rely on a password as a backup or as the first factor of authentication.
Traditional MFA requires users to provide two or more factors to authenticate, something they are, something they have, and something they know. Unfortunately, some of these factors are prone to phishing attacks, such as the ones on this slide. So by removing the risk associated with passwords and by adopting a passwordless authentication solution, organizations could drastically prevent password-based attacks and increase their security posture at the same time. In recent years, we see this new trend of passwordless authentication solutions. It became a very popular and catchy term.
Essentially, it is used to describe a set of identity verification solutions that remove the password from all aspects of the authentication flow and from the recovery process as well. Passwordless authentication solutions should eliminate the reliance of password as an authentication method by ensuring that no password or password hashes travel over the network. In the next slide, we will provide some of the main capabilities that we believe are important to have.
We understand that there are different flavors of passwordless authentication, but these are perhaps some of the most important capabilities that we believe are essential. That's the support for a broad range of authenticators, strong authentication, risk- and context-based and continuous authentication, adaptive step-up authentication, support for legacy systems, strong cryptographic approaches, integration with third parties, a frictionless and convenient user experience, device trust on multiple devices, support for all major identity federation standards, and a comprehensive set of APIs.
We expect solutions to cover a majority of these capabilities, at least at a good baseline level. In recent months, we published a leadership compass on passwordless authentication. There were more than 20 vendors participating, and I'd say that the majority of them have these capabilities in this slide. During the course of the research on this leadership compass, we realized that the passwordless market is very dynamic, very exciting. Many of the vendors are very passionate about their own solutions.
In a way, they're all doing passwordless in one way or another, but they have their own unique way of doing it. That's what makes this a very attractive market.
Usually, the common factors involved in passwordless authentication are the smartphone and the user's biometric. In the setup, a binding between the device and the user takes place, where cryptographic information that is used to authenticate is placed in a secure element. Modern devices, such as computers and smartphones, have this secure element in place, which can hold encrypted information. This binds the user to the device, and with biometric authentication enabled at the device, such as fingerprint reading or facial recognition, the user can authenticate without the use of a password.
The device binding provides a second factor. Only if it is the specific user with a device associated with him or her, only then will the authentication be valid. Whether fingerprints or facial recognition is better depends entirely on your organization and the needs of your organization. For example, if we look at the healthcare industry, perhaps it may be more convenient to have facial recognition technology because workers usually have their hands full. They don't have time to put their fingerprints and authenticate.
The COVID-19 pandemic also accelerated innovation in this space. Biometric solutions started to adopt new algorithms and technologies to properly identify users wearing masks. There are other options, such as FIDO2 tokens or smart cards, that can be used for passwordless authentication. We also observe an uptake in the market for wearables, such as wristbands and smart watches, where biometric authentication even becomes continuous by, for instance, tracking the heartbeat.
In the next slide, we would like to emphasize that passwordless authentication should work across everything, all attack surfaces and identity sources, applications and devices, VPNs, single sign-on, Azure AD, operating systems, workspaces, servers, and whatever your organization has in place. Some solutions in the market are using passwordless at a device and then federating it to other access management services or directly into the applications.
Therefore, I think it's important that organizations must choose between adopting a single identity platform or maintaining multiple fragmented identity systems as they move to the cloud. Thankfully, the passwordless authentication market is thriving, and it's growing rapidly, with vendors offering mature solutions that support millions of users across different industries, such as finance, healthcare, government, manufacturing, insurance, retail, and the defense industry. Essentially, there are two types of vendors in the passwordless market.
These are vendors that are integrating to access management solutions, and there are other vendors that are more specialized, provided by small but highly innovative companies. Specialized passwordless vendors, they are more focused on innovative approaches, like, for example, the use of blockchain technology, or they're also more specialized in specific use cases, whereas integrated solutions serve every authentication to the access management solution and all the services around.
We understand that picking a solution requires a lot of thought, a lot of analysis, because you need to understand what are the specific requirements that your organization needs, and a comparison of different products and features is essential. So, it's important that organizations choose the right passwordless solution that meets their unique requirements around their needs for security, user experience, and technology stack.
So, how to move forward, how to start this passwordless journey? Well, deciding on the right deployment model is perhaps the right approach. The capacity to support hybrid deployment across on-premises and cloud is fundamental. When considering cloud solutions, it's important to see if the vendor that you will select will also support on-premises and legacy systems. That's especially important for those organizations that continue to rely on legacy systems.
Of course, costs are also an important factor. The vendor's licensing and pricing policies should be carefully analyzed, especially when aligning to your current and future needs. And perhaps another important element here is interoperability. The ability of the product to work with other vendors, products, standards, and technology should be seriously considered. Ultimately, embarking on a passwordless journey depends on your business model and your own specific requirements.
Therefore, it's important that you look for trusted advisors and vendors that will support you along the way. It's important that you define your goals in measurable terms and understand them completely. I believe that this is my last slide, and I will hand it over to Christy. She will introduce our new product that is good for helping you select the right product that your organization needs. Thank you.

I appreciate it, Alejandro. Thank you. As he mentioned before, my name is Christy Pugh. I am the Digital Product Manager at KuppingerCole.
And I'm very happy and excited to announce that we are releasing a new service for everyone. It's free and interactive, called KC Open Select. Alejandro mentioned that many of you may be going through some migrations and modernization at the moment, and so is KuppingerCole. Our goal as far as digital product is concerned is to meet you where you're at. We are also trying to figure out our way in providing you information that's consumable and meets your needs.
So I will provide you a short demo video and then give you an introduction of KC Open Select, who KC Open Select is for, and how you can leverage it in the future. So what is KC Open Select? With KuppingerCole's intelligence, we really want to provide you, our clients, our end users, as much information, non-biased intelligence, backed by our KC Analyst Methodology and the Leadership Compass that Alejandro had mentioned previously, in a way that helps you meet your cybersecurity and identity and access management goals.
So when we were speaking to a lot of you, we wanted to get an understanding about how you consume this information, your interactions with the analysts, the Leadership Compass, Buyer Compass, all the great content that our analysts provide, and how you can leverage that in order to meet your goals, your business goals.
So in talking to clients, we're getting an understanding of what that process looks like, no matter where you are in your passwordless journey, how mature your organization is, whether or not you're Greenfield, just starting out, trying to figure out what your requirements are, or you're a very mature organization with a robust program, you may be finding yourself in the midst of tool sprawl, or just wanting to modernize and revamp and meet your clients' needs where they're at, meet your new business goals. And so it all starts with a research process.
How do you find and discover this information? And I know that KuppingerCole produces a lot of great content, and there are a lot of other great research market analysts out there that also provide content. So how do you take all this information and translate it into actual business items, right?
So with KC OpenSelect, you're enabled to not only discover what your project requirements are, based on our intel on industry, market trends, best practices, our specific use cases, no matter if your project is B2C, B2B, or your main focus is user friendliness, because you don't want to interrupt any kind of user interaction. Our intel will allow you to aggregate all of that data into our signature KuppingerCole spider graph, provide a very good snapshot of all those requirements, and generate a short list of leading vendors that match your requirements.
You'll be able to see the ratings of every vendor as well as against those different use cases, as well as the ratings towards the specific capabilities within that category. You'll also have a lot more consumable content, so videos from different vendors, product demos, interviews with analysts, so it provides you a very easy way to find and discover information that might have taken you a lot longer in previous practices, because this process of discovering which tool, which solution, is right for your organization is more often than not very time intensive, resource intensive, and costly.
So how can KC OpenSelect help you realize that value a lot quicker? Who is KC OpenSelect for? KC OpenSelect is for you, for IT professionals who are trying to make smart business decisions. This is a really good launching point for beginning a project. I've had many conversations with vendors, enterprise users, who really just don't know what they don't know, and that's a very hard place to find yourself.
So with KC OpenSelect, it'll help guide you through your journey and provide you with information that will either spark more questions within your process, answer some questions, or guide you in the right direction. You'll have the ability to reach out to our advisors and speak with analysts to answer any questions that might pop up. You'll also have the ability to reach out directly to those vendors, shortening that sales cycle as well. And all of this, again, is backed by KuppingerCole's unbiased intel. So utilizing KC OpenSelect will help you translate data into deliverables.
And a lot of times you, as IT professionals, might start off with the best of intentions, and you know exactly what you need to get done to reach your goals. But it's difficult to translate that into a business case. So with KC OpenSelect, you'll be able to display your business case in a way that makes sense and adds value to many different departments within your organization. So I am very proud to be a part of this launch, to be a part of KuppingerCole and their forward-thinking mobility within the market intel arena.
So I would like to hand it back over to Alejandro to speak a little bit about some of the research he's conducted with passwordless.

Thank you, Christy. So here we have some related research we've done. As I mentioned before, we have the Leadership Compass that was published last year. And we had many vendors that, you know, focused on different use cases. There was one vendor that focused on small and medium enterprises in North America, another vendor that has a background in research and cooperation with universities.
So they were all very interesting cases, and it's a very dynamic market, and I expect them to continue growing. Then we have a blog post that Principal Analyst Martin Kuppinger wrote recently, and then more blog posts as well. We also have podcast recordings and other material that you can find on our website. And of course, you can always reach out to us in case of any question or comment.
Yes, we have events and webinars. We will have the European Identity Conference in May 2023, and we expect to see you there. And we also offer advisory services. And I believe it's time for Q&A.
So, oh, here are the slides, the slide on the EIC. So yeah, here's information. It's from May 9 to May 12, hybrid event in Berlin. We have plenty of topics, and we will have lots of topics on passwordless. Thankfully, I'll be there to participate, and looking forward to that.
Yeah, perhaps we can take a look at some of the questions. So there's one question that says, for consumer IAM, is it a cost, security, or increased sales conversion that is the main driver? That's a good question.
I'd say that, in my opinion, security continues to be the main driver, because if you have a secure organization, not only you prevent any password or data breach attack, but you can also maintain the reputation of your organization, which can always lead to increased sales and conversions in the long term, of course, if there was no scandal or your reputation was damaged because of a password compromised. But of course, I'm sure other people have different opinions on that. There's another question. Is passwordless authentication safe? I think that's a good question.
Of course, done right, passwordless authentication can drastically increase security in your organization, especially compared to the traditional methods of username and password. But saying that it's 100% safe, that can be problematic. But it does increase security on a very high level.

I'm seeing a question here for Alejandro, and this could probably be answered with the use of KC OpenSelect as well, but we'll go ahead and throw it out there. What should be considered when choosing passwordless authentication solutions?
Okay, yeah. So I'd say that the scope and the breadth of authenticators are important things to consider. The more flexible that is addressed, the more use cases the organization can serve.
Also, it's important to take into consideration the account recovery options. For example, there were some vendors in the leadership compass that they required changing the device in case a user loses the device. So that was a bit problematic because it wasn't very convenient for users. So account recovery, that's a very important thing to think as well. I think there's another question here. When will passwords finally die?
Well, I think that's the ultimate question, the question of all questions. Well, many people have argued that passwords are going to be dead, I think since the mid-2000s. But I think passwords are still common. Many people still use passwords to authenticate in applications and services. But I think in this decade, we're going to see an increase in adoption with passwordless solutions. I think it's likely that passwordless solutions are going to replace passwords, but it might take years, if not decades. And I'm sure that passwords are still going to be used in some place or another.
Let me see if there are any questions. Maybe, Christy, you see some. I do. Let's see. Okay. So how can organizations migrate from a legacy system to a passwordless solution?
Yeah, I think that was one of the questions in the poll. And I think that many vendors often find this a challenge when they want to talk to their customers. I think migrating from legacy systems to a more modern authentication system requires organizations to have more flexibility, to have fast solutions, to have a comprehensive set of APIs, and ideally to be container-based and based on microservices.
So, of course, many organizations are small and they cannot do all of these things. But that's why passwordless authentication solutions out there need to address this challenge and try to support organizations of all sizes to successfully migrate from traditional systems to a more modern authentication platform. Let's see if anyone has any last questions. So I think this is a simple question. For which use cases are passwordless authentication solutions targeted? Usually workforce and consumer use cases, also partners. And then there's one.
I'm trying to, yeah, for some reason I cannot check the other questions. Oh, okay, here's one. What is your view on passwordless demarcation? That's something actually I haven't really done much research.
So, I don't know, I don't have a lot of experience so I think that's a very interesting question. I will for sure take a look at that and you know, I cannot see who asked the question, but I would like to talk to you about it. Maybe we can go back to that.
Alejandro, if any of the viewers wants to have a continued conversation with you, how might they reach out to schedule that?

Sure, well, they can find me on the KuppingerCole website. They can reach me via my email, al at kuppingercole.com, or they can just find me on LinkedIn and send me a message, and I'll be very happy to talk to them. Beautiful. I think the same for you, Christy.
Yeah, the same for me, 100 percent. Whenever anyone is using the website and there might be some sort of feature that you would like to see in the future, please let me know. I would love to have a conversation with you. Great.
Well, I think there are no further questions. We can close the session.
Okay, great. Thank you, everyone.
Yeah, I hope to see everyone on KC OpenSelect February 14th. Thank you, everyone, for inviting me. Have a nice day.