Okay.
So I would like to welcome you all to track two in the afternoon. My name is Fabian Z., and we are now at the panel "Is traditional multifactor authentication the right solution in a post-COVID world?". We have different panelists here. One remote panelist, Joni Brennan, will join us in a few seconds, but onsite we have Andrew Shikiar from the FIDO Alliance, who will introduce himself in a few sentences.
Oh yes. So, Andrew Shikiar, I'm the executive director and CMO of the FIDO Alliance.
For those of you who don't know what FIDO is, we're a consortium of, you know, 250-plus companies worldwide working to create open standards and an interoperable ecosystem of products around stronger user authentication.
Thank you so much. And we have onsite Patrick McBride from Beyond Identity.
Yeah, I'm the CMO of Beyond Identity. Beyond Identity is actually a FIDO member, a proud FIDO member. Our path started with eliminating passwords. That was kind of the first step on a longer journey to developing really strong authentication.
So, and also onsite is Martin Kuppinger, the founder of KuppingerCole.
Hi. I think I don't need to make an introduction of myself. Everyone probably knows me.
So, and by now Joni Brennan has also joined us. Hi Joni, can you hear us?
Hello? Yes.
Hi,
Maybe you can give a brief introduction of yourself.
Ah, yes. I'm Joni Brennan. I'm the president of the Digital ID and Authentication Council of Canada. We are a digital ID adoption accelerator and trust framework provider. We have 110-plus members from the public and private sector in Canada, and we're working on issues in the global digital economy. And we're also liaisons with the FIDO Alliance.
So thank you all. If you have questions, of course, please raise your hand. We will try to get your questions into the panel, or use the virtual app.
I also have a tablet in front of me, and I also see your questions there, so we can include some. To start, Martin: the US CISA just declared single factor authentication a bad practice. So is there a way without relying on multifactor authentication?
Yeah, so I think I posted a very short LinkedIn post where I just said it's absolutely overdue to declare single factor authentication a bad practice. It has been bad practice probably forever. I think the only question is what does future-proof MFA look like? And I think part of the discussion will be passwordless or just MFA.
So, do you want to bring yourself in?
Yeah, first of all, I think it's pretty cool that CISA has a bad practice list. I'm picturing Chris Krebs in a Santa outfit with a naughty list. But it's interesting: of the three bad practices they have, two of them are about passwords and authentication. So I think that shows how critical getting authentication right is to protecting our networks.
Yeah.
And we would agree, you know, and I would actually extend that. You know, the recommendation is not just for single factor, but, you know, I'd like to see them go further and say no weak factor. I mean, anything that's a shared secret by its nature, even if it's two factors, if I have a screen door in front of a screen door, I'm not keeping anybody out.
And so I think, you know, where stronger authentication has to go, and, you know, FIDO is leading the way here, is to a passwordless authentication model where you can use techniques that we already know work, because they work in lots of other places.
Would you agree with that journey, or do you have a different opinion?
Yeah. I would say that the research that we've done, and I presented some of that yesterday on Canadian perspectives on the topic, is that they're, you know, very open to MFA. They're also very open to learning more and better understanding biometrics.
And so I'd say that, in addition to it being the right requirement, I think that at least in our audience there is a desire and an interest to learn more, because they do want to protect themselves and protect their data. And that does seem like a very straightforward way that clients and customers and citizens can understand how they can lock down their accounts.
And I think this learning is clearly a point. I remember I had some interesting discussions about what the difference is between passwordless authentication and just MFA. And I think this is where we still need some education, because sometimes passwordless, in my experience, at first impression looks relatively weak, but when you look under the hood, so to speak, it is better than many of the standard MFAs, not to speak of the traditional username-password stuff.
One of the issues, and we've run into this, is that when we say passwordless, the term itself doesn't necessarily mean the same thing. Ask three different people and you'll get three different definitions. So one of the definitions is: I just hide the password. People think storing the password in your browser or in a password manager is passwordless, but it doesn't eliminate the password from the authentication flow. Or I just send you a magic link, you know, forget multifactor, just a single factor.
So, you know, FIDO led the way with cryptographically, you know, defining what that might look like.
I think it's very simple to explain. There's no password that travels over the network anymore.
Amen. That's it.
So we've also done some consumer research on this and found that the term passwordless really does not resonate with consumers.
They find it off-putting or confusing or even concerning. But you're absolutely right: the right way to implement passwordless is with cryptographic signatures, and doing passwordless correctly in a standards-based way actually gives you, you know, two factors in one, because you have possession and inherence at the same time. Right.
Right. And tying that to a device, you know, so that you get the combination of things.
So yeah, two strong factors. And, you know, Joni brought up biometrics. You know, the modern biometrics on all of our endpoint devices are strong. I mean, there's a reason why the FBI keeps asking Apple to open up this phone or that phone of some attacker. I've been in cybersecurity nearly 30 years. You never say something's hack-proof, you know, but the cost of trying to get into the TPM chip and fish out, you know, maybe fish out the biometric information is very high.
Joni, so what's your opinion on that? Do you also agree with the statements of your colleagues?
Yeah, I would agree with what's been shared so far, and particularly the cryptographic protection as being the key. I think it's fascinating and very much in line with what we've seen in terms of customers' reactions to particular words like passwordless and their ability to understand these topics.
So, you know, ultimately what our research shows is that we really need to deliver convenience, and we need to do that in a way that's safe and secure. And so if we're communicating with customers that convenience and protection are at the forefront, they won't necessarily need to know or care or understand passwordless or not. They just want to know that it works and it's safe.
Yeah. And I think this is maybe the missing element in a sort of triangle of things which are interdependent: it is security, it is convenience, and, so to speak, trust that it is really secure. And that's the cool thing I like with good passwordless authentication: we don't balance security and convenience, we combine security and convenience, which is very different. We don't make a trade-off. We have both, which is unique. And the thing is, we need to create the trust, the understanding. I think this is what all of you said as well.
You know, John Tolbert this morning in his presentation talked about how you can have both security and convenience, right. They don't need to be at odds.
In fact, they shouldn't be. But again, going back to, I mean, usability is a big challenge here, right? As we move everyone towards this passwordless model, even, you know, hiding the password for now is a good stepping stone to getting people's thinking and behaviors trained towards going passwordless. So we just released these user experience guidelines. A lot of our banks that are members of the FIDO Alliance wish to deploy solutions that take advantage of what we call platform biometrics.
So Windows Hello, Touch ID on a MacBook. We did a very extensive study to understand what's the best way to do this. And what we found by doing this research is that there's a lot of nuance to trying to get someone to actually enroll, you know, for a platform authenticator.
Right. And so it's a net new thing to them. And there's a lot of questions, a lot of concerns. You know, if you're using a local PIN or your MacBook password to log into an RP site, it just doesn't necessarily compute with people.
And so what we did is put out guidelines anyone can use, which are best practices to help guide someone through the user journey from enrollment through login. But I think it's going to take baby steps to get fully educated, you know, starting with replacing the typical login flow with the passwordless flow, ultimately replacing passwords with key pairs.
Yeah. We're selling to really two distinct markets. One is the workforce, you know, your employees, consultants, and folks that need to get to company resources.
And then the consumer market, where, you know, an e-commerce app or banking app, et cetera, might adopt a passwordless play. And, you know, in both of those scenarios convenience is really important. It's far more important on the consumer side of things, particularly with both flows, the signup flow and the login flow.
Yeah.
And that is, I think, an important point. I think Toronto in his talk this morning talked a little bit about deconstructing user journeys. And I think in fact these are the two flows you need to deconstruct to explain to the banks, to the retailers, et cetera, because there are really so many different elements. You have your device with the authentication device, with the TPM chip, you have the IdP, you have the data, the customer record, the retailer, et cetera. And I think there's still not enough clarity about that.
And I think this is also part of this entire education we all need to do: to make clear there are so many things you can do and you can combine, and you can bring in new things like decentralized identity without killing everything. That's part of our job.
Yeah.
When you talked about the convenience thing, it was very interesting for us when we first rolled things out. One of the things that we had to do was integrate with IdPs.
I mean, people have an identity infrastructure. They've got a single sign-on system anyway, typically protected by a password or multifactor. But, you know, the title today is traditional MFA, and I think that's where the flow is: traditional MFA's got such low adoption rates. I don't know if you guys have numbers; it ranges across different analyst firms from like 30% to 40% adoption rate.
And even in companies where it's adopted, it's typically only adopted for, say, one or two really important applications and not the other ones, because it's just so hard to use. I mean, I get my login prompt and I have to pick up my phone and type in a code, and it's just more hassle than people need to go through. So like you said, now we don't have to have that argument. We can make it easy and secure at the same time.
So we talked before about what traditional MFA is. And a question from our side is what makes traditional MFA different from modern MFA. So what's your opinion on that journey?
Yeah.
You know, I think Martin raised an important piece here in his last point, which is, as we move from the traditional scenarios, as we move from the traditional methodologies, and I think there is some good customer understanding about what some of those flows are, we're going to have to move into an ecosystem of decentralized identifiers, decentralized identity, digital wallets.
And so we're going to think not only about additional factors of authentication, but it's also a very similar conversation: moving into the decentralized world, into the wallet space, into the verifiable credentials world requires that I do have authentication and security and convenience, and that now I also need to understand my credentials and how I'm leveraging them.
So I think adding in new factors, whether that's around contextual-based, behavioral-based authentication and different ways forward, I think they're going to be important pieces of the puzzle. But this is no time to step back from MFA that works seamlessly for customers, that they can understand and they can use, as we move into the decentralized and digital wallet space with verifiable credentials.
I mean, to me, the delineation is pretty clear between traditional MFA and modern MFA and Patrick hit on this before.
I mean, it's, it's either possession based or knowledge based and anytime you're, you know, there's a knowledge based secret on the server that you need to validate, you know, whether that's a password or an OTP, you know, those are knowledge based factors. And to me that's traditional MFA, which has been used for years as a, certainly better than a password or one factor.
But as you move to possession based rather things like Joni Joni alluded to like contextual behavioral and other, you know, more things that are about the user themselves, I think that's to me where you get into modern authentication.
Yeah. I think that's an easy delineation. It's using only strong factors. Having multiple factors is important, you know, at least two, and then adding behavioral and some other things.
But at a fundamental level you can have very secure authentication with two strong factors. Now, you know, between our devices and the biometrics or PINs there, and then some cryptographic relationship for the transaction, you know, no weak factors is the way. Modern versus the legacy is the way we look at it.
Yeah, totally agree. If we move forward away from traditional MFA to modern MFA, and what we also talked about before, passwordless authentication, how do both relate?
Yeah. So I think we touched on it already. Passwordless really means there's no password traveling. And so what is traveling is cryptographic information, which makes a huge difference. And so even if you have a password, which would be a relatively weak factor in this modern thing, it might be used for certain fallbacks or as a second factor, for instance, in certain use cases.
So it's more like a PIN. You have a PIN on your device which complements other things. But ideally, clearly, and I think this is what you brought up correctly, ideally you rely on the strong methods, and there are these methods. And, you know, going back.
So I always argued that smart cards in the traditional form factor don't make much sense anymore. You don't get devices.
Funnily, I recently had to replace my notebook relatively fast and ended up with one which by accident had a smart card reader in it.
Ah,
But I can't bring up this argument anymore.
The US government uses that quite widely, actually, CAC cards in the US. But that's also a strong cryptographic relationship. That's where they went very early.
You know, it was one of their factors. Now it's not very convenient, but it does the job from a security perspective.
Well, and related to that, and related to the CISA question we opened with, you know, back in May the Biden administration issued an executive order mandating that every government agency, including civilian agencies, move to multifactor authentication. Yep. And using asymmetric public-key cryptography. Yep. Right. And for the first time they're saying you don't need to just use PIV cards or CAC cards.
You can use anything that does that. Yep. Which opens the door for FIDO security keys. Yep. Right. Which have the same protection, they're much quicker to deploy, they're much cheaper to deploy and much more scalable. So it's interesting to see the government regulation actually evolving with this technology.
I like that executive order. This is really a good one.
Yeah. We've lagged, you know, collectively governments around the world have lagged on this issue for far too long. And I think it's nice.
I mean, you Europeans, I think, moved things forward with the privacy regulations, and we go back and forth and maybe do some right things.
You know, I see discussions in Germany about the BSI discussing whether Video-Ident is secure enough. So that's probably going a little over the top, because theoretically you can bring in a fake video and stuff like that. Yep. With a lot of effort. But I think this is the wrong place to start. I think we should start with the big risks to fix and not with esoteric risks. Yeah.
Maybe that's the difference in thinking here: way more pragmatic, what you see in the US, than what we see in Europe.
So we have a question from the audience on our passwordless talk, to all of you. So with a password, the password is not visible to the world and it's in the user's mind, but in passwordless authentication the identity is visible to the world, fingerprint or Face ID, for example, and this may get stolen while sleeping or in other cases. So now comes the question: can passwordless authentication replace passwords as a single factor, or do we still require MFA with passwords?
Listen, first of all, I'll start. There's a bit of a misconception about passwords. It's far, far, far more difficult to steal your face and use it. The modern, you know, your smartphone or your tablet that uses the biometric information has all kinds of controls to make sure I can't just take a picture or something like that and use it.
And that's continuing to improve. On the other hand, just because a password isn't visible: it's everywhere. It travels, as Martin said, over the network. It sits on yellow sticky notes in offices.
You know, so we all know, and you have lots of them, or we reuse the same one. So stealing and reusing a credential accounts for upwards of 70% of the breaches ever.
So it's not, you know, this isn't a theoretical "it's harder or easier to steal a password". We know a password is a fundamentally flawed thing, not just because it is a knowledge factor, but because it travels over the network so other people can know it, steal it, and it happens routinely.
Joni,
Maybe Joni.
Yep. Yeah.
I, you know, I would agree that I think that in any case MFA is the way to go. And so, as we move up, I think the line between traditional and modern, the stronger and stronger factors are the ones that we want to be leveraging. I think from the last question, as well as the connection here, I mean, ultimately it's the user, it's the workforce, it's the client that are connected to these solutions.
And so they're going to have to understand, you know, how to use them and put them together going forward. But I see a world where MFA, a multi-solution approach, is really always going to be the best case.
So, and I like your point. Have you ever heard about, whatever, 17 million data sets of faces being stolen? No. No.
What I was going to add on to Patrick's point also is that the most dangerous place a password could sit is on a server, right? Because anything on a server can and will be stolen, or could be taken out of the user's hands, make its way to the dark web to be resold and stuffed, you know. So it is really that server-side piece that's so dangerous.
And going back to the question about biometrics, you know, what we're trying to solve at the FIDO Alliance, and this whole kind of approach to modern authentication, what we're really trying to address are the scalable attacks, the remote scalable attacks, which are largely led through phishing and other mechanisms to dupe users. And anything else has to happen locally, right? To steal your, you know, if I'm sleeping, to take my face, that's a small risk compared to the millions and tens of millions of identities that could be stolen in a remote attack.
And I would go even further: if someone is on your computer and can steal that data, then why should that attacker do that? Because that attacker would be so deep into your system that he can start all the attacks he could do with your face directly from there. Right.
If they're in, they're in, for sure.
Yeah. He then can do much more than only stealing your Face ID, fingerprints or something else. If we move forward:
So do you think we can stop at authentication, or is it where the real journey starts for us, by utilizing the level of assurance and risk information, for example, for information protection and authorization in applications?
I think that's a good question for Joni to start with.
Yeah.
So I think, you know, the level of assurance is a feature that, I think, doesn't get as much attention as it needs to. And so, you know, I think combining the level of assurance and integrity on that level of assurance, if we're talking in a context of verifiable credentials and those verifiable credentials moving between networks or across different wallets, the level of assurance and being able to verify that is a foundational piece here that is more policy-based and needs to be addressed.
I think when we're combining strong levels of assurance or risk-based levels of assurance with the right use cases, and then connecting that with strong multifactor authentication via devices, via on-device biometrics, we really have the best of both worlds. And so the level of assurance discussion, I think, needs more exploration, particularly as credentials move across systems. And again, authentication, knowing that the person is there, live, every time, with that device, with that credential, is a foundation of all of this.
We think about it this way a little bit, and it's a great question.
So we look at it at the baseline. We talk about authenticating the user, but we're running into a lot of new use cases now, particularly post-COVID, you know, as the title said, and in an environment where a lot of the applications, as Martin pointed out yesterday in your keynote, that we're accessing are web-based applications, either, you know, cloud infrastructure or SaaS applications. We're not sitting on the network.
So the level of assurance, or to flip it, the companies that we're dealing with want to answer, particularly in the workforce scenario, three questions: is it Martin? Is Martin on a device that I want him to be on? And is that device secure enough at the time of authentication so that I can trust the authentication, and I can trust that it's not likely hacked or something? So I think modern authentication is going to bring, you painted a triangle.
If you bring all those three things together, then you've got really high assurance.
And authentication only is the ability to unlock an account. So
For sure. You know, another aspect of this question to think about is, you know, I don't think it begins with authentication. Authentication is a step in the process, but it really needs to begin with the account creation, the account enrollment, the identity proofing, the identity verification.
And that's really kind of a challenge, frankly, for possession-based authentication: what happens when you lose possession of that authenticator, right? That opens up recovery issues. And as long as those accounts are created with knowledge-based factors, that's a gaping hole for social engineering or other sorts of attack. So we need to move to, you know, some sort of identity verification onboarding that's possession-based, right?
So match the possession-based authentication with possession-based account creation, to allow for safer recovery and to close that back door the hackers can get into, which
Is not simple, because the possession usually is the smartphone. So if you replace your smartphone, you have a major change here. And it's interesting.
When I started my research around blockchain ID vendors, my favorite question always was: do you support, so to speak, roaming of the wallet across devices? Yeah. Because I want to use the wallet for my desktop PC, for maybe my office desktop PC, for my tablet, for my notebook, for my smartphone.
And so on. I have at least six or seven devices in use, and way more than 90% at the beginning said, I've never thought about it. Problem already. Trust that? No. Right. So I think we still have some way to go here.
Yes, no doubt. On the other hand, I think we are also, specifically, and that's again clearly a topic with decentralized identity,
really moving closer to saying we do strong verification once, the same approach again brought up in some way.
And we go beyond this. This is a cumbersome step. I remember the first time I did Video-Ident: I started in my living room and they said, oh, it's too noisy. And I went to the kitchen and they said, oh, it's too dark. Then I went up to my home office, and then it finally worked. Yeah.
You know, and I dare to say I'm a somewhat more experienced user. So it really was a, and then all the cryptic mails I received afterwards to make this finally work, to set up a simple mobile phone contract. We need to get better there. Isn't it, Joni?
Yeah.
I mean, you know, with your comment on smart cards, it's interesting, because in British Columbia we have a smart card as our driver's license and our health card combined in one, with cryptographic protection between those credentials on the card. We also have a British Columbia Services application on our phone. That card, that service card, that license, has an in-person identity proofing event. So we take that home. We download the app, we open the app, we do a verified-by-video process.
And then that binds our biometric, that card, that device all together. Is it the most seamless approach that, you know, my mom could understand?
No, absolutely not. I think there's a way to go in terms of how this fits together, but you can't move the solution forward, you can't have strong authentication without having strong identity proofing that's done at intervals and re-verified. I think it just builds a weak house of cards on top.
So, and this is even more important in the verifiable credential space. It's great to know that I have a W3C credential or a Hyperledger Indy credential, but the level of assurance of the information that got into that credential is the house the cards are built on. So let's make it strong.
We can totally agree on that.
So we started coming from single factor authentication, moved to multifactor, and ended up in the decentralized identity part. And for our audience, what would be your closing sentence from everybody, to sum up our thoughts and maybe our panel? Starting with you, Andrew.
Single sentence. Geez.
Well, I mean, look, we're making progress on this. Oh.
Or two. I mean, it is a non-trivial challenge, right? I mean, moving the world beyond passwords is kind of what we always talk about at the FIDO Alliance, moving beyond being dependent on passwords. And will we get to this passwordless nirvana? When will we get there?
You know, the answer is we're making incremental steps, but these are the right discussions to be having. I think a lot of focus needs to be placed on user education, especially for the consumer space, and on user enablement and tools like that. In the meantime, you know, we're seeing great progress from the core platforms that are supporting FIDO, building this advanced support into those platforms, such that every device and every user can actually leverage this technology.
Thank you so much. Patrick, what would be your takeaway for our audience?
Since we haven't mentioned it today, and in case anybody's playing bingo along with us, we have to say zero trust. So you can't have zero trust with passwords; you know, you just can't do it.
You know, that knowledge factor is so completely compromised that unless you fix your authentication and get to all kinds of variations of strong authentication, whether it's cryptographic and multifactor and device trust and things, you have to get there. Otherwise, you know, zero trust will be a myth forever.
Joni, what would be your highlight for our audience?
Yeah, I would say that we've seen massive acceleration in technology adoption and willingness to adopt this technology in a current-COVID and post-COVID world. So now is the time. MFA is an important part of the way forward for the future. So we have to continue to support and evolve with organizations like FIDO on the authentication front, and for the trust of citizens, consumers, and workforce we need to have strong education plans so that they can understand and build trust.
And that education, I think, has to extend to government and public sector, local and federal government, public sector executives as well, who will be making decisions. To come back to the beginning of the panel, with the requirement for the US government to have MFA turned on: let's keep the federal and public education going.
For sure. So my point would be: deconstruct the two types of user journey,
so the registration and the authentication, and understand how many options you have to make this more flexible, to modernize this, to evolve this when something new comes up, such as decentralized identities. This all can work well together when you understand that there are so many different elements you can interchange; you can extend whenever you want.
So the last sentence from my side: I would like to thank our audience and our panelists. Thank you for taking part. And I think a small or big applause for them would be very