Okay, so welcome to our panel discussion. I guess we should start just letting everyone, every participant to quickly introduce themselves and maybe start with some kind of an eye-opening statement on this whole subject of identity resilience. And let's start from the left to the right, so please.
Okay, well, so I got the short straw. So the eye-opening thing on identity is that, you know, part of my identity is actually working for RSA. I've been at RSA for 22 years, right? So I'm the field CTO at RSA. My name is Ingo Schubert. So part of my identity is the work, which is for many of you as well, I guess.
So yeah, if that's eye-opening for you, congratulations. Otherwise, you have to come up with an eye-opener now.
I'll try my best. So yeah, currently, so I'm working for IC Consult for more than one and a half years now. And yeah, I thought about this topic and I say, okay, this is the old thing I did. So I was also doing mobile banking, mobile application development for private equity banks. And that's more of a topic that I had during this day, how to prevent users doing stupid things. And I really love Xamarin mobile phones for accepting every fingerprint when you have to write a display protection foil on it, which they delivered at some point during my career.
And that was a lot of fun to deactivate in biometrics in the app and a lot of happy customers.
Here we go. Rita Bachmann, working since 20 years for One Identity, Quest software, Dell software, name it. So we changed the name many times, still the same company, still the same contract, left 20 years, the internal IT because of being boring about not doing what we should do to make the company secure.
My name is Lukas. I'm from Migros in Switzerland and behind the governmental identity hubs, we are the largest identity hub throughout Switzerland.
My name is Fabian Iwale. I'm the co-founder and CEO of Keyless. I'm one of the leaders in privacy preserving biometric authentication. One fact is that Face ID or local biometrics aren't really authenticating a user, not tied to a real world identity, but just unlock the device that you're using.
Well, my name is Georgio Medapinto. I'm an incident response consultant working for St. Paris based in the Netherlands. One of the eye-openers is when people contact us for help, is that we always try to understand what happened, maybe even why, and the answer is we don't know. In other words, make sure you know what's going on in your Active Directory and also be prepared to do the thing when the worst occurs.
My name is Ulrich Herberg. I'm a distinguished architect of eBay and Identity. I'm also building up engineering teams here in Berlin.
Eye-opener, maybe it's interesting how we, this community, talk about the most sophisticated authentication factors, the wallets, passkeys, all of that, but most of our users are still satisfied or just basically use passwords and don't even know what a passkey is.
Okay, thank you very much. It was a really great opener. Just to remind you, this is a panel discussion. It's supposed to be interactive, both for the on-site audience and the online one, so Nitish will be taking care of the questions.
So, let's see what we have from the questions list. Yeah, I would like to start with David. You mentioned about stopping people from making mistakes.
So, what steps can these people take to protect their personal identities in an increasingly interconnected world?
Yeah, so basically, we're doing it right now pretty wrong.
So, protect a bit of your data. So, we're running around with barcodes right now and our names on it and also the company.
So, yeah, try to minimize your attack surface, of course. Try to not spread everything about your personality online to keep the attack surface low, but also try to protect yourself by using a device, by using biometrics.
So, even if you're using MFA, even if it's not the most sophisticated one or it doesn't really have binding and everything, it's still more secure than just using your password and being open for a social engineering attack.
Who wants to go next? Anyone want to add anything to that?
In terms of disclosing information in this world today, everybody publishes all kinds of everything on the internet without even understanding how it can be misused. And it can be misused in many ways. And like this gentleman said, many of their users, his users, are still using passwords. Everybody hates passwords.
I hate passwords, but it's a fact of life. They're still there and for many companies won't go away anytime soon.
So, even from a sense, you could also say visibility could also be a sense of vulnerability, because the more you publish, the more the other guy, the bad guy, has to attack you. So, as I think we all agree, keep publishing information as low as possible. An eye-opener, like saying that water is wet, but again, it is true. The more you publish online, your users, it's going to be a bad thing.
And yeah, it's important. I totally agree with you.
I mean, one thing to add to this, at eBay, we had an internal talk from a social hacker that we invited. And I'm sure if you Google for social hacker, you will find them on YouTube. It's really interesting.
So, it's a woman who tried to hack someone's account without their, they were basically sitting next to them. The reporter was sitting next to her. And she called their telephone company and she had a recording of a crying baby in the background. And it's like, oh my God, my babies are crying.
Sorry, sorry. You know, could you help me? I forgot my password. Can you just reset me? And oh my God. And she also used information that the reporter published on his LinkedIn and Instagram and Facebook and all of that, like where he was born and other information that the security questions were asked to the social hacker. And she was then able, I think she changed his flight ticket. It was Las Vegas to the middle seat and took all his miles from his flight account.
So, he was not quite amused about it.
Maybe one thing I can add.
So, with the work with several European banks, we're finding most of the account takeover fraud issues or many of the account takeover fraud is happening through the call center, especially with crying babies or things in the background, putting some pressure and just trying to social engineer and get the pin code or the password. SMS OTPs, another big challenge.
And yeah, what we're finding is that approaches that exist today, be it the SMS OTP or a passkey, they don't assure the genuine identity of the person. When it comes to biometric information, another thing, especially not in Europe, we're seeing the same in the US happening. No entity wants to store and hold personal identifiable information, especially sensitive category PII on their service or with a third party.
And those new device binding journeys, account recovery journeys where your bank may mandate you to physically show up in a branch or you get an activation code sent via letter to your home address. So, these are all journeys that are so complex today because it might be the best solution aside, obviously, a private biometric to truly authenticate the actual user.
So, yeah.
For us, it's quite challenging to convince our customers and users to make use of any kind of second authentication factor. It doesn't matter what it is. It doesn't matter whether we motivate them by any incentives.
So, we cannot get them to use anything what is above or stronger than the password. And this is, for me, a cultural problem because people just believe that whatever they do with the internet remains safe. And this awareness problem needs to be tackled in a much broader sense.
I think there is also something other like ChatGPT because people started writing their CVs, whatever, in ChatGPT to get nice letters for new jobs.
So, they put a lot of information in the end in the internet which can be hacked or get by everyone. The same about flight tickets. There were some cases where people put picture of the ticket in Facebook with the code of the ticket.
So, there are a lot of possibilities where people put things in the internet, not just personal information like pictures, everything. It's the same yesterday when I went out here in Berlin. A lot of people, tourists, they film during their walk through the street.
So, they never asked me, for example, if they allowed me to be in their film with all their communities behind and watching that I walk or pass by. So, that's...
Exactly, yeah. That's why I took my off when I leave the event. And a lot of people, they keep it. You see a lot of people running around the airport, by the way, after an event having the badge on.
So, there is a lot of possibilities to get your information in the end. And I think we need a bit more awareness on all these things in the end.
Sorry, but what is it in the end that kind of drives people to all these stupid activities? You just said earlier that everyone hates passwords, but everyone uses passwords.
Like, everyone wants to be private and yet everyone is running around with their badges. So, what do we have to address? What do we have to raise awareness of? Human stupidity or...
No, lazy. It's easy.
So, I think most of the people, it's just they're lazy. It's easy. It's the same with passwords. Since how many years we try to teach people to have different accounts, different passwords. There are tools around like password manager, whatever. But especially older people, they have the same easy password for everything. How many people change the pin of their credit card, by the way? No one.
So, by the way, myself as well. So, I think it's a conservation of energy. You don't like to change course, you know, change your behavior, how you do things. And that prevents many from, you know, it worked before, it works now.
Like, what's the problem? And this is what the attackers actually then, you know, use to gain access, do fraud. But I like to just do for the individual security, I like to just point out that there are many, many really non-technical users, right? We are all experts. We are all techies, right? To a certain extent. But there are so many which have no idea how things work, right? And these often get forgotten also by us, yeah? Like we talk about, you know, FIDO and all this and MFA and for them, it's like, you know, I have my password written down here, yeah? And then they get scammed, yeah?
And then I see like, you know, like tips from like police, like, ah, you know, you have to with your grandchild, you know, have a code word, you know? So, it's like, bullshit, that would never work because they, the attackers create those high stress scenarios, yeah?
So, I think we need to also take into consideration that, you know, for certain groups of people, you know, things are still too complex, yeah? And then, for example, to, you know, avoid fraud like, you know, somebody like, you know, you send me money because your grandchildren is in the jail or whatever.
So, it's like, nobody will ever ask you for money, full stop, yeah? So, just have practical things and easy way to secure them, yeah?
Again, we, I think, we as an industry often forget that there are, I wouldn't say stupid, but very non-technical users out there, right? And this is one of the reasons why those new fancy things don't get picked up the way we would like them to. Right?
Based on what the gentleman at the end said, I don't think it's all about stupidity. It's about not realizing what can occur. And like the gentleman said, regarding the request for money through WhatsApp or selling site or, I don't care, something.
Hey, I'm your daughter, and I forgot my phone, I have a new phone number, can you please make, or transfer money, all that stuff. It happens continuously in the Netherlands with young people, older people, and it's a huge amount of money what people lose. And every single time it surprises me that if, for example, I would approach a person on the street asking for money, nobody would give me a cent. But if I'm one of the attackers behind a computer, asking people for money in a conning way and a smart way, because I know I have some information, then there's a chance of getting money.
And after the fact, we can all say it's stupidity. Sometimes it is. But it's people not realizing what's going on. And I agree also, there are too many, well, not too many, because you can't really do something about it. Many people not, they are non-technical. My mother-in-law, which is 76, her passwords were really, really bad. Everything was reused all over the place. But I taught her to use a password vault, how to use that password vault to generate passwords really, really long. And if there's anything that is out of normal, just hang up.
She has been called a few times by a guy, so-called being from Microsoft. Well, on the other hand, I manage her computer, so she can't install anything, but okay. She has to call me. But I taught her, look for the weird things that are just not common. And as soon as you don't trust it, just hang up, don't do it. If you made a mistake, we'll fix it later.
Just one last word, and maybe for me, before we maybe have a next question. So let's replace stupidity with complacency. So that's what it is. People just don't care. It's not stupidity, it's complacency.
But like you said, for eBay, for example, how to get people into two-factor, make it more secure, we have to make it fancy. It has to be easier than the password before. And this is now coming up. So with passkeys, there's a huge chance to make things a bit easier to log into eBay.
So for me, I'm lazy. I don't want to put in my password for eBay. I don't want to put in my password anywhere. So no matter if it's consumer or if it's work. And then this makes it easier for people. And if I just go to my parents, as a good example, but also to other people and say, okay, look, it's easier with passkeys now. You just do this once, and then you just smile into your mobile and you're logged in, and it's more secure than it was before. It's not the securest, okay? We're never going to get it 100% secure, but it's more secure.
And that's how we're going to get people using those things. So we now have to wait for Google, for Microsoft, for Apple, with the standard. And I hope this will help to get people finally away from passwords because I'm luckily away from passwords, at least with some certain mobile consumer markets.
Yeah, there we go. Thank you.
Moving on, I would like to now tap into identity resilience. So what impact does the convergence of physical and digital identities have on identity resilience and how can it be managed effectively?
Maybe I'll start quickly.
I think it is very important to tie a physical identity to a digital identity in order to assure the genuine identity of the person, which a passkey or a local biometric doesn't do, and ultimately just unlocks the device, especially in regulated industries or financial services for use cases where you secure high-value transactions, changing your address information, making high-value payments. Strong customer authentication under open banking, PSD2, requires that anyways.
Especially account recoveries and device bindings requires a binding of the digital identity to the real-world identity because after Christmas, everyone gets their new phone. If that happens, the old phone is just lost or the app is deleted, device binding is gone. So banks are sending activation letters, pay their KYC providers some money to redo the KYC, or you have to physically show up in the branch. It actually happens to me. I'm a German citizen. I used to bank with a community bank, a local bank in Germany. I'm not resident in Germany. The activation letter never got to my home address.
That was during COVID, and I couldn't fly. I had to wait six months in order to fly back, physically show up in the branch, show them my new iPhone to tie that device to my account. I could log into the main banking app, but especially in the DACH region, many banks still use a second token app for payment authorizations, and I couldn't bind that new device to that second token app. So in that context, binding my real-world identity to my digital identity that I could reuse across devices and not just bind that to one device is very important.
So you brought up one good point regarding the local biometrics versus the end-to-end biometrics and the connection to legislation, regulation, which is something that we also spent quite a bit of time on. The question is, why are certain people hesitant using biometrics? And I have a good anecdote. I was discussing with my lawyer, well, eBay's lawyer for SCA, so someone who's not technical but who is really familiar with this space, and I asked her, well, do you use passkeys?
And she's, no. And I'm like, why not?
Well, I don't want to hand my biometrics to Google or Apple. And it's a fundamental misunderstanding that they are not uploaded to Google's or Apple's or our servers ever. We don't see them. We see a challenge response. We don't see the biometrics; they never leave the secure enclave of the phone. But it shows, if she, a person who's super smart and familiar with the general area of SCA, thinks this, I'm sure a lot of people still think it.
So, oh, sorry. No, go ahead.
Just one thing I'd like to mention around, especially FIDO and binding that to a person, those synced passkeys circumvent that to a huge degree, right? And synced passkeys, if you don't know, in your Google account or Apple account, it's synced across all your devices, which is a bit of a problem, especially when, like with Apple, you can actually share the passkeys as well, which is like, yeah, that just blows this all out of the water.
And I think especially in enterprise use cases, that is not on the radar of many that if you allow synced passkeys, you're completely relying now on those third parties. Love them or hate them. Yeah. But the fact is that, you know, you basically hand over the keys to some other process and yes, they are secure, they encrypt and all that, that's fine. But the fact is, for account recovery and all that, you're suddenly relying on somebody else, right? And with the whole sharing of passkeys, which I think is horrible, that actually just enables like all different kinds of attacks as well. Yeah.
And that's something that, you know, FIDO Alliance frankly rushed out and never really implemented or like designed controls around that from the start. And I think that actually is a problem and that will actually become a bigger problem the more passkeys are used.
Well, I totally agree with all that my colleagues told so far in an idealistic future world where technology is sound and everyone is using this future technology; reality is completely different. Wherever we see multi-factor authentication, most of the people make use of an SMS or something like this. And this is basically the binding of the SIM card to your physical identity. And recently we have experienced quite a lot of these SIM swapping attacks where we have problems in the process and procedures before that people do not do the real authentication, for example, in the store.
And the targeted attacks that take place, they are quite common nowadays because we have so many different telco providers or SIM card providers, basically, that issue with very lazy controls. And this destroys the whole chain of trust. And so I totally agree in the future world, 20 years from now, we will be safe. But up to that point, we will have a really hard way. And it's really hard to keep those, like you said, with... I actually know this scenario.
So also when we had issues with some mobile devices, so patches, you get a new Android version, they change the binding, they do a new algorithm and then suddenly all your customers have a key, a secure key that's not working for the device anymore. And then you have to roll out like a bazillion thousand letters to the customers and they're cut off from their bank accounts for one week at least. So this is really something also you have to keep in mind. We have it secure, but it's not convenient again. So there are ways now around it.
Now we get in Germany, finally, the Ausweis app, so you can use your ID card. Some other states are way ahead of us from the German region to also authenticate yourself with your local ID. So that can be used again to show the bank it's really you.
Of course, it can also be insecure to some point, but that will help in future to re-enroll the people if they do this stuff, if they start to de-install their application or just lose their mobile, the mobile is damaged. But until then, it's always the weakest point. So you have to wait for your letter or you have to service desk again, which can be used for big frauds again. So we're back at point zero again, if we want to make it more convenient.
Thank you. I want to take this opportunity to see if anyone in the audience has any question right now. Okay.
So maybe moving on now, we talked about individuals, but what about enterprises, especially the small and medium enterprises who have limited resources? How can they tackle this situation?
Well, for me, the crucial thing there is that they do not know what is the real problem. And whether you go to some painter company or so one person companies, they have no idea what it really means. They have no idea about regulations and whatever is provided to them, they consider helpful and useful. And many of those people are not aware what are the problems with passwords, et cetera. And they do not even understand the basics of technology like firewall.
There, of course, it's just about awareness, how you create awareness, how you come into the situation that in Switzerland, for example, we have, I don't know, 99% of all legal entities we have, they are one or two person companies. And these are the real targets that need to be protected. So it's about awareness, about spreading the word and helping them.
The main focus about the discussion is continuously identities and looking at the question that was asked, what can people do these days to secure their environments smaller companies or mid-sized companies?
For example, let's take Active Directory. My belief is that the default installed Active Directory is by default insecure. You have to secure it. And there are many things you can do without buying third-party tools. Third-party tools are definitely worth having them because they provide lots and lots of functionality that by default are not available. But what can you do yourself? I'm going to talk about it tomorrow during my session, but to already give a few things. For example, a tiering model. On the internet, there's a lot of information about creating a tiering model.
At a very high level, tiering model is nothing else than segregating your administration to different levels. Tier 0 for the highest, tier 1 a little bit lower, tier 2 even lower. And then you have your users. That's about separation of administration. I was just talking to a gentleman when I suddenly realized I was talking about tiering. And then I realized, wait, in my belief when I'm talking about tiering, it's also about hiding information. A few minutes ago, I made the comment that visibility is also a certain vulnerability.
So when you create your tiering model, you should also think about hiding the identities and also the groups that are part of that identities. So that an attacker cannot see. Why is that important? In Active Directory, every single user can see anything. And because they can see anything, they can obviously look for the crown jewels and then try to attack you in one way or the other. If you hide the information, it's not visible. They're not easy accessible, and then they have to do more effort to get it.
Another one is, for example, LAPS, a solution from Microsoft that is for free and that prevents lateral movement. Because by default, if you don't do anything, every single system might have the same account, but also the same password if you don't do anything about it, which is tricky. And because it's from images, and then it has the same password. If you use LAPS, a solution from Microsoft, you can make sure that every system has its individual account and password.
Therefore, you cannot move from one system to the other. There are many things out there that can help you. So make sure to use them.
So one thing, especially for small and medium, but also for larger companies is I see, unfortunately, many times that didn't even do the basics right. So it's proper risk management, risk assessment, classification of data, classification of users.
You know, it's your help desk security, you have a service catalog, all those things. I mean, they are like, you know, simpler in a sense when you're small or medium sized.
I mean, they get really complex when you're large. But you need that. That's the foundation, how you make a decision, how to protect a certain thing, data, user, doesn't matter to which extent, which level. If you don't do all that, that's your homework. You need to do that. I know we all did this.
Yeah, we all do this. Yeah. But many of your customers or other companies, sometimes I go in there and I go, how did you work? How did you get so far? Yeah. We're not doing this.
I mean, there are all these great solutions that they're talking about risk and like, you know, proper levels and different. Yeah. You cannot apply that because you don't know what you have, what you protect, in which way. So those basic things, which are super boring sometimes, but they are so important because they are the foundation where you can build all the other stuff from top on.
So first of all, I don't think it's boring, Ingo. Yeah. So I think you're completely right. Do the basics. But also in my mind, so what I like to tell people is it's all always the human thing.
So what will happen if you will get hacked? So where will they start? What is the worst thing that can happen? Imagine you will have a really, really bad day. How will this bad day look? And that always helps people to realize, oh, shite, if they get inside this system or this is really insecure, this is something you have to have a look at. So do the basics, but also maybe play around with their heads a bit and then try to engage them in the conversation and say, okay, this is really something that will really make a really, really bad day for a company. And that's where we should start first.
And then also they start already thinking about what will we do if really something hits the fan? I will not swear, but yeah, what will I do if I then finally get breached? I hacked. So I have a plan ready. How do we prepare for day zero? But what's the most important thing and what's even the basis of basis thing is to then also for the consumers, it's hard to teach them, but at least for, if you have employees, then do some trainings, try to phish them, try to scam them and try to make them really, really paranoid and try to be, make them aware of what can happen when they click an email.
And then just be glad that this is an email that came from you to just trick them a bit. Thank you.
Just to follow up on that one, because I love what you said. Yeah. It's like ask those questions, which are like really uncomfortable. Yeah.
You have, especially when you use cloud providers, you have to ask yourself the question or your customer, I'm not sure what type of users are in here, but what happens if your cloud provider gets compromised? Because they will get compromised, guaranteed. So what do you do then? What's your plan? Yeah.
I mean, yes, you would need to plan like for an outage, but what happens when they get compromised? Yeah. And that could be anything. It could be a basic service provider. It could be a security service provider, MFA service provider. It doesn't really matter. Yeah. You need to have a plan for that or your customer. Yeah. So one of those uncomfortable questions to ask.
Maybe one last comment on back to the basics doesn't only apply on the consumer side, also in the corporate side.
I'm sure many of you have heard about the deepfake, talked about gen AI or gen fraud, that tricked a finance worker in Hong Kong to wire 25 million into a fraudster's account. But then you may also ask yourself, what's the business process for sending $25 million upon the CFO showing up on a Zoom call? I'm sure there should be checks and balances for a wire transfer of 25 million in any organization. So that's back to the basics as well.
Okay. So if you still don't have any further questions from the audience, what we do.
Hi. Yeah. Just something that's kind of listening to all you guys.
I'm fully with you. I fully get everything that you're saying here. But one thing that's crossing my mind, and we haven't really spoken much about AI here this afternoon, and all the other sessions have been. I'm just wondering if you take the theoretical part of what's happening now with AI and LLM, that an assistant is going to be available to everybody. So would an assistant to your grandmother, an AI assistant, be something that would help her be more compliant and less stupid? Also for businesses that don't understand this, would an AI assistant help them set that up?
Or is the risk of putting your information into the AI outweighing the advantages of the AI being your guide in this journey?
Well, proper risk management could probably have an answer for that. So I think AI can definitely help. But if you don't use it properly or have a look at it and see what can go wrong, it can actually make things worse. So I think your risk management should actually say, hey, maybe we start in these low-risk areas to use some AI and then build from there.
But going all in for everything into AI and to say we have a co-pilot that does everything, I would be rather uncomfortable right now. But ask me again in five years. Yeah.
We just said it like you said with eBay, then with people thinking passkeys, my face will be stored in the internet and everything. So the same goes for then the AI, especially in the DACH market. The people are then very security aware, very data aware, while everybody's still having a Facebook account and Instagram. But when it comes then to business, all of a sudden they are very strict on the data.
And I think that's something where you first have to convince them that AI is a good thing and will help you and not will grab all the data and make you a slave at the end.
I come back to my previous statement because majority of people do not know what they are able to use and what technology does exist. And if we would just install any kind of a Corona-like thing on all the laptops of our grandmothers or so, they don't know how to use it. And if it doesn't pop up, they will never click on it and will never ask the question.
And they will never be aware that they could ask a question if they were in such a situation.
Maybe one comment on the AI topic or Gen AI from a fraudster's perspective. I think the phishing attacks and overall impersonation, deepfake type attacks will become a lot more powerful, a lot more personal, not only celebrities that will be your mother, your sister, etc. It would feel very real. I personally think that is a danger in the short term. I think in the medium to long term, there will be the good AI fighting the bad AI.
A bit like when the email technology came out, there was a lot of bad emails, a lot of phishing, and now email security is more or less solved. And then it will become an awareness topic. Just don't click on a link that you're not sure who sent it to you or call the person back who asked you to wire some money before doing so. So in the short term, I think the danger is very real. In the medium to long term, I think we'll have AI to fight the bad AI.
A tangent, because you mentioned phishing, has nothing to do with your question, but I just remembered an interesting anecdote. As we all know, passkeys have a benefit of being phishing resistant, contrary to many of the other two-factor authentications like SMS OTP. SMS OTP is one of eBay's most used two-factor authentication. People are familiar with it. They know it, so they use it. I read a blog article about phishing resistance and phishing, how easy it is to set it up. This blogger, he created a Docker image of an NGINX, configured NGINX forward proxy. They called it evil NGINX.
And it basically, it connects, you configure it, it's super easy, it takes five minutes to set up. Every one of you could easily do it. It would forward, for example, to eBay's sign-in page. So you see the eBay sign-in page, you enter the credentials. It would forward it to our page, but it would, of course, catch the password and everything. And they even had set up, like they used eBay as an example in this blog, which is why I thought it was interesting.
And they faked the domain name, they used eBay.com, but the A was like a Unicode character that was a Cyrillic, it looked like an A, so it looked like a proper eBay.com. They used Let's Encrypt for getting certificates, so it even had the lock in the browser. It was quite amazing how easy it is to set it up. Not that I advise you to replicate this on our page. Okay.
Well, I think it's just about the right time to finalize our panel discussion. It was really interesting and engaging. I appreciate all of your inputs and thoughts. So can you maybe close up with just one short final takeaway from each of our participants?
So I would say as a takeaway, let's educate, let's go out there. We are the experts in this area of multi-factor authentication, authentication in general, privacy. Let's put more effort on educating everyone on how to use passkeys, what a passkey is, and all the other methods.
In terms of identity providers like Active Directory and Azure, or sorry, Entra ID, Microsoft Entra ID, don't assume nothing will happen. For sure, stuff, bad stuff will happen. Make sure to be prepared, think about scenarios, create the plans, execute those plans on a regular basis, for example, once a year, to make sure that everything works when you actually need it. Being prepared is the way to also make sure things can or will work.
I would say give your consumers choice to authenticate themselves in a way they want to, in a way that is strong and secure.
There's no one silver bullet that solves every challenge, but there are very good solutions, especially for certain use cases that can be used today that many users can use in a simple and convenient way.
For me, convenience of use is crucial. If people have an easy-to-use solution that we, as an expert, are going to provide, which is then reliable and can be used in many different circumstances, we can get people to a more secured identity.
I think we should not forget the people who have no idea about IT, and especially there is still a huge majority of people who are not working anymore, did not grow up with IT, and they don't know about all this. We have all these fancy buzzwords, and even IT people don't know what all these buzzwords mean, so we should not forget the huge number of people who have no clue about this. And I think these are, in the end, the people who, I wouldn't say they are the risk, but they are the risky people who get compromised or, in the end, are working in a company and can be the phase of attack.
So, while we're then still out there educating people and hopefully coming up with a final solution, which maybe AI thinks the human being, we should also then secure customers in the back end, so use behavioral analytics, check things that don't make sense, and try to secure the customer from their own mistakes, and try to catch this up front, and try to prevent further fraud when the customer is scammed, because that will always happen, and we won't find a solution anytime soon.
So, always also think about your back end, what makes sense, what doesn't make sense, also in the company environment. So, if somebody is asking me again, "Oh, your IP changed again from this country to this country, was that you?", please also assume that Teams was hacked, because that's stupid as well, and there we go.
So, resilience. So, resilient systems, they bounce back, right, if something bad is happening, and I think you should ask yourself for every workflow, for every point where things go wrong, how can I recover from that if something happens to that, and that's everything in your private life, you know, if your mother-in-law gets called by a fraudster, or in your business life, like, you know, what if something goes wrong, how can I recover, at least to a certain extent. You might not bounce back to 100, but to an acceptable level.
So, ask yourself that question. Thank you.
Okay, that was awesome. Thanks.