Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Three Steps to Modern Authentication. This webinar is supported by IBM. The speakers today are me, Martin Kuppinger, I am Principal Analyst at KuppingerCole, and Brian Mulligan, Offering Manager at IBM. Before we start, I quickly want to give some general information and some housekeeping information. KuppingerCole, as an analyst company, we provide enterprise IT research, decision support, advisory, and networking for IT professionals. We provide research services.
So all the reports we do, our Leadership Compass and so on. We provide advisory services and events, and we have a couple of events within the forthcoming months. The next one will be the Consumer Identity Summit, to be held in Paris in France. And by the end of November early March, we'll do the Digital Finance World in Frankfurt. And in May, we will do again our European Identity and Cloud Conference, which is the lead conference for identity, cloud security and related topics in Europe.
All information about these events is easy to find at our website. Regarding the webinar, some guidelines. So first of all, you are muted centrally, so you don't have to care about muting or unmuting yourself. We are controlling these features. We are recording the webinar, and the podcast recording will be available tomorrow. And also tomorrow we will put the two slide decks, the PDF files, online so that you can download the slide decks. The Q and A session will be at the end, but you can ask questions using the questions and answers tool at any time. We will usually pick up the questions by the end of the webinar.
In some cases, we might pick up a question earlier, but usually, usually we do the Q and a session. Now that's also what you will see in the agenda slide. So when we look at the agenda, we as usual have three parts, the first part I will talk about adaptive authentication.
I will put it into the sort of bigger context here. In the second part, then, Brian Mulligan of IBM will provide IBM's point of view on latest offerings and project projections in the authentication space. In the third part, we will do our Q and A session. As I've said, at the right side of your screen,
there's the GoToWebinar panel, usually to the right side. There's an area for questions, and there you can enter your questions at any time. The more questions we have, the more lively the Q and A session will be. So let's directly start with the topic. And best, let me start with a quick explanation of what we are talking about. We're talking about adaptive authentication, and this adaptive thing is about two aspects of adaptiveness, so to speak. The one is the adaptiveness of authenticators and the other is the adaptiveness of the authentication strength.
So what is it about? It's about, on one hand, we need to be able, and adaptive authentication includes the capability of supporting a variety of different authenticators.
It commonly includes some integrated types, such as SMS, out-of-band, et cetera, but usually it also supports a couple of other hardware OTP tokens and all that other stuff. The idea is to give the user and the enterprise the choice. So to use virtually everything from simply username and password to complex multifactor authentication, to be adaptive to what they need for different use cases, to provide the flexibility.
On the other hand, we have the adaptiveness of authentication strength, which is then based on the context and the risk. We might require a different level of authentication strength. So context includes aspects such as location, device type, the health status of devices, network connection, et cetera. So if you use an insecure device over a public Wi-Fi, the risk is different from using a desktop PC in the office, connected at a corporate LAN. And the adaptiveness comes from balancing the risk of the interaction or transaction.
So what do you want to do?
Do you want to just access the menu of the canteen, or do you want to do a $1 million transaction in your SAP system? Different risk of interaction or transaction, and depending on the context risk, you might be allowed to do it or not. And the system might ask you then for additional features, so step-up authentication, et cetera. These are common elements in adaptive authentication. And this topic becomes increasingly important, and just to make a very high-level context: the digital transformation.
So when we look at the digital transformation, we have a lot of external drivers, and I don't want to go look at every one, but we literally have ever-changing regulations, which mean we need to sometimes support other types of authentication. We have ever-increasing attacks. We need to get more secure. We have different types of partnerships, integrate more partners, become more flexible in that space.
We also have some key capabilities, which I more or less skip here. So actually innovativeness, flexibility, and we have a number of key topics.
So, which also include, I used the term here, know your customer. So being very flexible when it comes to better connecting with your customer, to know about your customer, regardless of which login he uses, map it all to a single person. And also the Internet of Things, where people come in with connected things, with connected devices, which changes the way they interact with the company, with the organization. And we have a number of enabling technologies, which are around cognitive, blockchain and so on, but also about identity and security and privacy.
And I think one of the, the, the really fundamental things of what is currently happening is that the way organizations interact with their customers, the business models they provide are changing.
That means when we look at this entire authentication space is not only about saying, okay, how can we connect with our employees where we can maybe give a standard type of OTP, token one time, password token, but we have to figure out ways where we can use all these user groups with an adequate type of authentication, the business partners, the customers, the employees.
So simply that digital transformation is driving the need for adaptive authentication. Identity is one of the elements, security, privacy, know your customer, all these parts, these essential elements of the digital transformation also lead to: we need to get better in how we do authentication. We need to get more flexible because everything and everyone becomes connected. People are using devices, things, organizations are connected. These people, the devices communicate back to some organizations. The devices might communicate autonomously. It's a far more complex world,
instead that we can say, okay, the common user accesses using his desktop in the office, or accesses using a username, a password at the web browser. The world is changing. And this is what we have to reflect on the way we do authentication and identity. Quite a while ago, I wrote on seven fundamentals for future identity access management. I want to go sort of rather quickly, but some of them are very much about this adaptiveness. So we have different identities, not only humans anymore. We have different providers of these identities. So we have to deal with social logins, et cetera.
Also additional information might come from different providers. Users will use different identities in many cases, and we need to understand that's the same person, the same policies to apply, the same information about how to rate the risk of this person to apply. We will have.
That's where we really come to our topic of today. We see more and more authenticators. There's no single authenticator, any model that works for all. Yes, you could argue username and password works virtually everywhere, but it's, as we all know, not the best way to authenticate.
We have to understand how these things map. So if someone comes in, there's a different device, we must understand it's still Martin, right now not using the web browser or username and password, but it's using an app and O is a standard or whatever else. And context again. So sort of my fundamentals five and seven are the most important ones in the context of this webinar. Identity and access risk vary in the context: different context, different risk. And then we need to understand what can we allow to do and what not. This is sort of the, the foundation we have.
And as I said before, we must make this work for all identities, employees, business partners, customers, consumer services, and so on. And when we look at this bigger picture then of adaptive authentication and adaptive authorization, it's about saying, I have an application. In an ideal world, that application would request an authorization. In many cases, it's more that we say, once you pass the authentication layer, the authentic, the, a, the application then uses certain groups, roles, and other preconfigured static entitlements to decide.
But anyway, the point is on left side, left hand side, we have the identity, the context, the credentials. So this is what we use to authenticate. And then we have the policies and based on what we have on the right hand side. So what type of application, or what should be done in that application need to make our decision and the policies then control which level of authentication do we need.
So is it sufficient to come in with username and password or with the social login, or do we need more, do we need to ask for additional passphrase? Depending on the risk, depending on all this context, we have to react and we have to adapt. We have to understand, we need to do it differently. And maybe at some point we also will have real-time risk information from our real-time security intelligence tool, from our security operations center, which then affects the policies like in execution so that it's not static anymore, but it's dynamic.
So if there's a new type of attack going new type of attack around, we might say, okay, then we need to increase it. If there's an incident that's which affect some of the authentication technology we use, we might say, okay, then we have for certain type of access to increase, to strengthen the level of authentication. And this is so in a, at a very high level, this is really what is happening around this adaptive authentication.
It's something which is highly important in the context of digital transformation, to be more adaptive, support everyone with the authentication and the device or thing of choice, but also understand what is the risk and which level of additional security you need to bring in here.
So, adaptive authentication is the question then clearly is, is it more about saying I need a different tool for that, or it's about extending what we have. So currently we see as from, for our Analyst perspective, we see two different approaches in the market.
The one is adaptive authentication built in, the other is adaptive authentication as a separate service, and there might be mixes. And Brian later on will touch on one of these mixes. Adaptive authentication built in means support for some level of adaptive authentication, commonly found today, particularly in the web access management and identity federation solutions. So as an integrated solution, different authenticators and some support for context and policy based decision making about it.
So the policy management, management of authenticators, etc., is done per such solution. However, if virtually everything you do runs through that set of applications, then why not? The feature set in these integrated solutions in many cases is somewhat more limited than specialized solutions, but that is getting smaller.
On the other hand, there's a couple of offerings which say, okay, we do, we provide you authentication service with a cloud service or something, which is a box on premise, specifically focused on the adaptive authentication part.
So this is something which is, as I've said, available, usually there are so as well, both as well on premise and cloud based offerings. In that case, it requires integration with other solutions you have with your background systems as your web access federation solutions, whatever else you have done, one specialized in the point of authentication policies. So an advantage from the policy perspective, sometimes an advantage from the feature perspective, but you will need to integrate it with your applications. Both are relevant approaches.
I think it really depends very much on what you already have, on the use cases you have. But what we definitely see is a far bigger support for adaptive authentication than ever before.
So it's really a technology that is ready to be used, and it is ready to be used both consumer and enterprise identities. So for consumer identities, also, we need to understand the primary focus there is more convenience. It's about: use the authenticator you'd like to use. The secondary focus is security. If you want to do financial transaction, you need a higher level of authentication strength,
for instance. The enterprise, it's somewhat different. The primary focus is security, while the secondary focus is supporting the mobile workforce for more convenience, use something which works at the device of choice, particularly these days where bring your own device is a reality in many organizations.
So it's about adequately protecting corporate resources while enabling access from all devices in use in a convenient way, and getting rid of the single authenticator play we had for many years in the past, where many organizations have decided to say, okay, I go for a specific type of OTP token, or I go for smart cards, and then learned, oh, it doesn't work well for mobile users.
It doesn't work well for my partners and others, and this is where we need to become more flexible.
And I think we are really at the point where we can and what I find interesting before I hand over to Brian and part before I hand over to Brian is to make you, this is not only from my perspective, something which is relevant for the finance industry, where you find such technology a little bit more frequently, it's relevant for every organization, because it's one of the enabling technologies for what you need to do as part of your digital transformation of your organization. We start a hand over to Brian.
Well, thank you. That's a great introduction and touch touches on many of the themes that, that we are definitely seeing at IBM in the access management space, as Martin mentioned, my name is Brian Mulligan. I'm the offering manager for IBM's security access management product. And I wanna talk today about three simple steps to improve authentication. And if you were paying attention during the introduction, you'll notice that these are nicely aligned with the overall themes that that Martin laid out for the industry and the technology space in general.
So the problem here for authentication to solve is a balance between usability expectations and the need to be secure the, the need to keep digital assets and resources under tight control in a way that's auditable and reduces financial loss and reputation loss from, from data breaches and financial fraud.
These two forces have been at odds as long as there's been security, even before there was digital security, but recently the consumer expectations or the usability expectations have skyrocketed mobile devices and, and pervasive digital interactions have raised everybody's expectations of how, how digital interactions with both your employer as an employee and as a consumer with businesses that, that you're interacting with should work.
And this poses a challenge for the, the authentication space at the same time, the number of data breaches, the, the levels and sophistication of fraudulent activity, both in financial institutions and other places like rapidly growing fraud in store loyalty, rewards programs, or airline or hotel frequent flyer miles programs.
So there's never been more of a security threat from the other side. As Martin explained, there are differences in, in the use cases between employee scenarios and consumer scenarios. Employees really wanna get their job done and are increasingly likely to use whatever tools they think will help in the pursuit of accomplishing their, their goal, whether or not those tools are sanctioned by, by IT or by corporate security. And the authentication blockers there are, are often a key, a key inhibitor.
So if the, if an employee has to sign in multiple times, if they have to use a hardware token, if they're not able to access resources on, on mobile devices when traveling, or when they're not outside the corporate network, these are all things that will just cause employees to define their own own solutions.
And there's plenty of solutions out there. From a security perspective, insider threats or employee involvement in major data breaches has been a commonality.
It's not always a willing insider who is maliciously looking to harm corporation, but also unintended insiders or people who were victims of phishing or spear phishing attacks and, and their identities were compromised and then used to access corporate information. There's been long adoption of multifactor authentication for privileged users within the enterprise. But recent experience has shown that it's not just privileged users that need this kind of security. We need to provide multifactor authentication across all of the user bases in a way that's, that's appropriate.
And, and doesn't get in the way of them performing their job from the consumer scenario. The problem is really multiplied. So consumers are, are even more sensitive to friction in their user experience than than employees are.
They have a lot of choices when making commercial decisions and will naturally flow to the provider that, that delivers the most frictionless experience. And this one, one thing that's interesting about the consumer scenario is this is measurable. You can do A/B testing on different authentication mechanisms, yeah,
and user experiences, and see what the take-up rate is among the user population. At the same time, there are vast amounts of fraud, and that fraud is a direct expense to the corporation and to the financial institutions that are, that are providing financial services to corporations. And so that's measurable as well. So the interesting thing about the consumer scenario is you can experiment and measure the outcome of your position in this trade-off between usability and security.
So with that, as framework for the problem, I'm just gonna move forward to what our three steps are to make it convenient.
And then I'll end up with, with the IBM position and tell you a little bit about our access management solution. So step one is make it convenient.
So this, this is true for consumers. Absolutely, but increasingly true for employees, employees are less likely less willing to jump through hoops, less likely to carry a dozen hardware key fob, token generators, and more likely to look for places to, to do this on their own, or look for employers that provide them the necessary tools that they, they need to get their job done. The key here is providing, as Martin mentioned, a variety of authentication mechanisms. So there is no perfect authentication mechanism that works and is secure in every context.
So username and passwords are, are easily compromised and also very inconvenient on a mobile device, especially complex passwords that require several changes of the, the keyboard to get the symbols and capital letters required for entry.
There are various biometric mechanisms that, that are all subject to different environmental weaknesses.
So if you're using a voice biometric and you're in a loud room, or a face biometric in a dark room, for example, those aren't convenient methods to authenticate in those circumstances. By and large, the existing methods, the one-time password methods, whether they're widely adopted via email or SMS message, are, are fairly inconvenient at baseline. So you really have to give thought to the appropriate mechanism for each use case.
And for each security required, there are certain high security actions, large dollar transfers, things to do with, with corporate secrets and IP that that will continue to require burdensome authentication. And as long as your users understand that the need for it, it can be permissible.
Authentication really is, like many things in technology, a journey. We've been relying for years on one factor of authentication, just simply something that you know, in terms of username and passwords, or maybe knowledge questions. Not only are those easily, easily breachable and compromised and socially engineered, they provide a poor user experience. And so recently you've seen many customers or many, many institutions adopting stronger methods involving something you have.
So whether that's something you have is control over your email account to get a one time password, or that's something you have is a mobile device that can receive a message out of band of the primary authentication and provide a, a second factor further. We've seen the adoption of wide ranging biometrics.
So the, the most popular biometric is, is the fingerprint sensors built into phones like the Apple phones and Samsung phones. And that really has revolutionized consumer and employee attitudes towards, towards biometrics.
When the fingerprint became truly easier than the password, the adoption was, was rapid further down the road.
We'll, we'll see further adoption of things like behavioral biometrics, the way you hold your device, the way you touch and swipe on the device.
And that will become important in kind of a continuous authentication framework, but no matter where you are in this journey, or no matter where, where you'd like to be, the important thing is having the choice to, to allow users to select method, have a consistent experience across context of whether they're on a web website, on a mobile, on a laptop or a desktop computer, or they're on a mobile application, or they're interacting with a, a voice digital assistant like Siri or Amazon's Alexa.
There's a consistent way to authenticate that they're familiar with all of these authentication mechanisms rely on a foundation of, of risk based access and being able to, to write policies that do things in the background to analyze risk before invoking the various mechanisms that leads me right into the next of our three points here. Step two, make it smart.
So not only do you have to have a variety of mechanisms, you have to have ability to analyze information in the front. In the beginning of the transaction to decide how much of that convenience you want to take away from the user.
So the lowest hanging fruit here, and the greatest security convenience that's easily implemented, are things like browser and device fingerprints: is a user coming in from a, a connection point or endpoint that, that the business or the organization has seen before? Is, is this Brian coming in from his laptop? Or is this Brian coming in from a device we've never seen before?
That's, that's low hanging fruit. And if, if I'm coming in from a place that's known, we don't have to have much authentication friction. I'm coming in from a place that's unknown, you can provide require a stronger authentication, maybe an out-of-band confirmation on a mobile device or a one-time password or some kind of biometric authentication as a step up.
But the idea is this risk engine has the ability to consume all types of risk.
So things that are traditionally sent in like browser headers, but also call out to other systems that are specifically designed to measure different kinds of risk and can make, take action upon those risks. So approve: you know, risk evaluated, user looks appropriate and secure, allow them through. Challenge means the user has met some bar, a low level of trust, but in order to complete this action, we need a higher level of trust.
And we have now an arsenal of, of authentication mechanisms to increase the assurance: challenge the user with one of those mechanisms, and then make the final decision. Or deny, and just outright block or redirect the user's access.
One interesting use case here that's more sophisticated than the browser or device fingerprinting that I was mentioning as a, a low hanging fruit in the last slide is integration with fraud prevention and fraud risk analytics systems. So this is an IBM example.
We have IBM Security Access Manager, which is the, the product that we're primarily speaking about here today, integrated with IBM Trusteer, which is a, a fraud, digital fraud detection and prevention platform. So Trusteer has a lot of capabilities to detect malware, user compromise, account takeover attacks, that sort of thing, and is able to ingest this huge number of parameters, looking for those kinds of behavior, and then produce a digestible risk score that you can use with IBM Security Access Manager as a point of information.
So if you have a user coming in to access an application, Trusteer performs all the analysis on that user and their session, produces a score for Access Manager, which then can decide to allow the user right through, looks like the, the proper user who they're claiming to be, or if necessary require a step-up authentication, require the user to touch their thumbprint to a mobile device or some similar authentication factor.
This has the real world, real world benefit of, of measurably reducing fraud and acting across channels.
So the technology can work on, on web interactions, on mobile interactions, all to secure this particular application. It's a really powerful way to add intelligence into the, the authentication security framework. And the final step that we advocate is make it mobile. So make it mobile has two real components. The first component,
and I think we're pretty much there with, with most organizations, is, is having a mobile experience that complements the, the desktop experience, having an experience that that's not just the desktop experience stuck in a mobile browser, but is optimized for mobile and is secured in a way that makes sense for mobile.
So taking advantage of frameworks like OAuth to provide login security where the, the user can, can perform a application registration initially and not have to sign in every time that they request access, or having policy configured to, to determine when there is a risk level that is appropriate for re-authentication to the mobile device. The second aspect of mobile, or make it mobile, is taking advantage of mobile devices as a second factor of authentication.
And, and the possibilities here are really endless. The, the best thing about mobile devices is they're the closest digital asset to an actual physical person's persona. So the whole problem of authentication is trying to assert a physical identity in a digital context, and, and mobile devices are oftentimes at hand, never, never far out of reach of most users. They're likely to be noticed if they go missing, and they're network connected and have an array of sensors that can be used to perform a wide variety of analytics to, to feed back into the, the, make it smart step in step two.
So they're, they're almost purpose built for authentication scenarios and should be leveraged across all kinds of contexts going forward. So that includes second factor for web and desktop logins. That includes logins directly on a mobile device, and in even extending out to in-person interactions, using mobile devices to authenticate, to, to a bank teller or to a store cashier, are use cases we see coming up. They, they deliver a unified, unified experience from the consumer perspective, if they know that authentication always involves trust of this mobile device.
So you, you've probably guessed by now that the IBM approach, we think that mobile devices plus risk based access, for the reasons I've described, provide an opportunity to deliver less intrusive, meaning better user experience, more affordable, meaning in the enterprise scenario, much more affordable than hardware based solutions, hardware token based solutions, strong authentication for everyone. And we've recently launched a new capability in the space called IBM Verify. IBM Verify is a, a mobile application. It will be available this week in the Apple App Store.
And it works in conjunction with IBM security access manager, our access management platform, the mobile application allows users to easily add a second factor of authentication to, to desktop logins that support a number of scenarios. So one scenario is second factor authentication for login. So user goes to the desktop to login. If second factor is required, they receive a notification on their mobile device and they click yes or no.
Yes, this is me. No, it's not me. It's all confirmed out of band to the initial web session.
So you, you have a nice out-of-band confirmation. It supports fingerprint with Touch ID usage. It also is, is built to support transaction signing scenarios. So scenarios that aren't simply user logging in, but user confirming a transaction or a transaction amount on behalf of, of their person. The second part of the IBM Verify framework. So I talked about the mobile app. The second part is a mobile SDK. So realizing that many, many of our customers have mobile applications that they've already developed and deployed to their consumers,
we've developed a mobile SDK for iOS and Android that allows developers to easily add these capabilities, these multi-factor authentication capabilities, into their native mobile apps for delivery to their, their customers inside the app, and for using IBM Security Access Manager as, as the platform for omnichannel authentication. So you can, you can do traditional web access management. You can do mobile app access management. You can do API security, all with the single platform. And all of this framework relies heavily upon that risk based access platform that I introduced earlier.
So having these mechanisms and being able to fully embrace mobile, both in a native app out of box perspective and in an SDK perspective, is most useful when applied in conjunction with risk analysis that only invokes these capabilities when absolutely necessary for the use case. That's the idea of adaptive authentication.
So what's great about IBM Verify is that it is fully integrated into this access, access management platform that provides the, the same capabilities that you may be familiar with.
So single sign-on for users to, to applications on, on, on desktop, on mobile devices, identity federation to allow employee access to different SaaS applications or to connect users across business partners, without the need to, to replicate the identity information, advanced authorization and risk based access capabilities, and even built-in application protection to block the OWASP Top 10 application security threats from a web application perspective. This, this platform is importantly available in a number of different form factors to meet the needs of, of various businesses.
So we can deploy on premise in a hardware appliance, or we can deploy on premise in a virtual appliance or in a cloud environment as a virtual appliance as well. So we wanna make sure that we're there for customers regardless of how they decide to deploy, decide to deploy their applications and their access security.
We have a large user base across the globe, including some large government financial institution customers.
We have customers in, in other sectors as well, especially distribution, telecom are some big ones. We have here shown in the slide a bank using omnichannel risk based access for over 750,000 users to provide higher security while minimizing the impact on the users signing in, and another government customer who was worried about scaling up government to citizen services for over 10 million users and decided to take our platform to, to, to solve that problem. So with that, Martin, I think I'm ready to open it up for Q and A.
Okay, thank you, Brian. I'll make me the moderator again. Right now, it's latest time for the attendees to enter the questions for our Q and A session so that we can pick these questions.
Brian, one of the, the questions clearly is is this something which is I phrase more financial services thing, or is it something where you see from, from the IBM perspective that there are more and more other industries also jumping on that type of technology? And may, is there, are there differences in the level of adaption between different industries?
Yeah, so I think that's a great question. There are definitely differences in the level of attention and the financial services industry has been the real leader here. And I think that's partly because they have oftentimes the most quantifiable expenses related to fraud and the most willingness to impose friction in their user experience. But what we're seeing as the technology gets better and becomes more native and more intelligent and more transparent to the user experience, the additional industries are, are, are coming on board.
So we've seen a lot of interest from public sector, government customers, people are doing generally pretty security, intense things with their, you know, paying taxes and the, like with governments, we've seen retail customers coming on and interested and their profile. I think, as you described, the introduction is really concerned with user experience. So they would like to reduce their exposure to fraud, but only in a way that continues to provide a really seamless experience for their customers.
And so what about the, so you brought up this trust here, integration.
What about companies moving towards approaches that allow them to sort of, on the fly, change the level of authentication strength required?
Yeah, that's absolutely a pattern that we're seeing: being able to respond to a particular kind of attack that has arisen with targeted authentication. So I think we're seeing a lot of customer interest in that kind of a solution, and it's something that, as we provide more intelligent capabilities and this flexible policy framework, we can make possible in the solution today.
So I think the idea of having a security administrator who's not just passive and not just kind of building walls ahead of time, but actively fighting or actively trying to combat threats in real time, more like someone in a security operations center traditionally would be doing, is something that's coming rapidly to the authentication space.
So do we eventually get to a single authentication solution that could be used by consumers and employees, also by recognizing their role and the way they connect, the context, et cetera? So is this the way where we can say, hey, we really have that one single platform where everything can go through?
Yes, I think so. I think we will get there. I think we've seen customers who've stepped back to look at the problem a little more holistically and said, you know what, these user groups have different needs, but it's all kind of solving the same problem. And there's always a lot of crossover. You have employee users who are in sales and may need to look like a customer for certain circumstances. You've got help desk users who are employees, but also need to have the same capabilities as a customer.
So solving those edge cases becomes increasingly easier if you have one platform and one core technology experience.
So I think that's also one thing I'd like to add here. When we look at this question of one solution that could be used for consumers and employees, I think an important aspect is when we look at all these various requirements organizations are facing: connecting to business partner applications, employees connecting to cloud applications, customers connecting to on-premise web applications, whatever else.
So all this in and out from different types of users, using different types of devices, different types of services: at the end of the day, it nails down to, we usually have traditional web access or we have federation. And so it's all about sort of the same type of problem, when I look at this question, do we eventually get to a single authentication solution?
I think we really have the opportunity if we understand that we shouldn't have this solution for employee access to cloud services and this solution for connecting the business partners and so on, but think about a platform to do all this together. So let's just look at the next few questions which came in. So how to handle the situation when a software device is acting on behalf of the user, how to authenticate here?
Yeah.
That's definitely an emerging challenge with the IoT adoption, and that's where some of our newer delegated resource flows come in as important. So being able to perform the authentication, say, on a mobile device initially upon configuration or setup of a new software device that's acting on behalf of the user.
I think the second thing that's important for IoT devices, depending on the type, you know, there's a whole range of IoT devices, from a sensor in your house to a car or a digital assistant platform that is much closer to a fully fledged computer with different options. So I think the idea of having different authentication mechanisms is key. So if you have an IoT device that can take voice samples or has voice interaction, being able to have voice authentication; same for cameras.
Being able to perform things like face authentication or hand authentication using the cameras in a device expands the possible devices you can authenticate to, but it really comes down to having standards and frameworks in place that these devices can sign up to, so that everyone's not just building their own.
Yeah, I think that's one thing, and we have some interesting standards appearing. So one is FIDO, the FIDO Alliance standards, which allow you to connect sort of built-in authentication of mobile devices in a standard way to your backend systems.
The other clearly is OAuth, as a very well established standard right now, where you can sort of authorize your app to act on behalf of you as a user and all that stuff. So I think we see more light on the horizon, and I think a lot of things are going on. We also will have some other interesting challenges, particularly when it comes to sort of including less intelligent IoT devices. So some of them are really capable. Other devices have limited power, and certain things become a little bit more complex. I have one more question here that I want to pick up.
It's probably a question which is a little bit more targeted to me, but I think Brian might then also answer. It is a question or a comment: it seems to me that companies are still struggling with getting the IAM basics in place; is that also something you see? So I think it's very mixed, what we see as analysts in the market. It ranges from large organizations with large gaps to other organizations which are really very mature, very sophisticated.
But I think, on the other hand, in authentication we see so many new requirements that I would say it's not only about getting the basics in place, because really we have different challenges regarding the types of devices, regarding the user groups. So it's also really very much about the new field here.
Brian, do you want to add something?
Yeah, I think that's right. I think with what people have for traditional identity and access management today, even the most sophisticated organizations are being challenged by the rapid evolution in this space.
And so it really is fast moving, and we look forward to a lot of continuing development.
Okay. So we have answered all the questions we've got from the audience. So then it's time to say thank you to all the attendees for listening to this KuppingerCole webinar.
Thank you, Brian, for participating. Thank you for your presentation on the, so I brought in the three important things to do to get to a better level of authentication. Thank you.
Thank you Martin, for having it.