Amar Singh, KuppingerCole
John Bradley, OpenID Foundation, Kantara
Steven Hope, Winfrasoft
Anthony Nadalin, Microsoft
Mike Neuenschwander, iC Consult Americas
Bart Renard, VASCO Data Security
Okay, gentlemen. So I think the format is I'm gonna talk a little and then we'll do this panel about "Do we need to put secrecy back into security?", but for now the topic is authentication trends. "Will wearables take us back to the future?" Interesting title.
You know, you have to do what the boss says. So really, okay. It's not showing up fully there, but let's see if it works. It probably would. That's the key over there; I'll read out anything that you can't see and I'll make it as quick and interesting as possible. Excellent.
ABAC, whatever you want to call it, role based access, you know, or what is very exciting is attribute based access, you know, or controlling the shit out of people. Excuse me. There's obviously, you've seen the other slide after this, but there was a beautiful movie called Crank. Anyone seen that? I saw it. Really exciting in a way, but it was exciting because there was this whole concept of adrenaline and Jason Statham being injected with something that had to keep him alive.
The only reason I thought I'd bring this up is to bring up the concept of a possible future where biometrics will play a significant role in access. You will probably see such things happening more and more in reality, rather than in movies.
I mean, this was just a, is that something happening to the, okay. You'll probably see more and more of this happening in the future.
Maybe not, maybe yes, but I just found the movie really exciting in terms of, if this guy didn't get an adrenaline injection every few hours, he would die. They gave him some kind of a potion to basically kill him, which meant instant death for the guy. So before we go into the whole thing, the search for perfect authentication still continues. I think honestly, I'm pretty much excited about the times we are in, where multiple, more than just two, factors of authentication is becoming an easy to reach, easy to attain reality.
I do apologize for the screen there. There's authentication there.
I mean, we've always had this, you know, the passwords that we all know about, we've always had. I mean, everyone here hopefully has some kind of two-factor authentication, right? What's very interesting is some people confuse two-factor authentication with two levels of authentication, and it's quite worrying sometimes because they call it two-factor authentication, but let's just say it's two-factor for now.
It's not, you know, I don't want to talk about two level authentication. Something you are: this is becoming pretty exciting in terms of getting into the reality of being able to get into three factor or more dynamic based authentication. Oops, sorry. And I guess the whole conference, you know, EIC 2014 and beyond, is to discuss how we use multiple factors of authentication in the whole access model. It doesn't have to always be three factor. I think technology is definitely evolving, and maybe already evolved to a certain extent.
You have the mobile providers playing with a lot of wearable biometrics, constant biometrics, pulse, you know, monitoring your pulse. I personally don't have that. Is it Fitbit? But I have seen several people here actually wearing that and I have had good feedback about it, but I think that probably is very exciting as more and more of those kinds of devices develop and start integrating into the authentication mechanisms available to enterprises. No doubt.
I don't talk about it here in terms of a slide, but possibly some of the biggest challenges are gonna be the privacy implications of that, right? And that's a topic for a different month, not even for a different day, because you can imagine every possible aspect of the corporate governance, privacy governance, all going completely nuts about monitoring people's heartbeat, whether or not they are drunk.
You know, what kind of behavior are they showing before they can access a certain amount of critical data. But I still find it really exciting because I guess, regardless of what the privacy regulations are, the push in the future, hopefully in the very near future, will start to be to work with employees and enterprises working together to figure out how they can best achieve more than two factor, dynamic, context based authentication. You know, it's bringing us so many choices again, which I find really exciting.
I'm quite bored about, you know, just the simple two factor authentication. I know it's now on the mobiles. We have all the software tokens. We don't have to carry those big fat three letter tokens. RSA. Did everyone hear about the Verizon story that came out last year? Maybe some people know more detail, but roughly, there was a specialist group of developers within Verizon and they decided to look at their logs, their identity and access logs.
And they saw a constant daily connection from China, every day, for a particular user who was a developer sitting in the States. So obviously they were worried, you know, something from China every day, eight hours, consistent. It was super consistent. It was every day, Monday to Friday. And when they investigated it further, this particular, pretty smart guy I would say, had offshored his work to China. Now they were perplexed because they had two factor authentication, the RSA token. And they thought, how the hell is this
guy in China compromising the RSA token? Well, simple. He just shipped the RSA token to China. That's actually all that he had done. And he was submitting pretty good code, actually. It was quite good quality code that he was passing off as his own. Kind of gives you a bit of a reason. Sorry.
Any question? So please do ask. Quite exciting in terms of, we thought RSA is something you really need to have with you, on you, but he just shipped it over. And his Chinese counterpart was accessing his username logon and two factor authentication, 2FA, every day to compile the code, submit the code. I guess with three factor or more, or different types of authentication, it's gonna become exciting, unless you ship yourself off to China and go and live over there. How are you gonna give your heartbeat?
You know, your pulse or anything else that you are gonna wear, or that you're gonna have internally rather than just externally. I guess you could do a bit of what Minority Report did or something. I don't know. There's quite a lot of fiction sometimes in there, but quite a lot of reality. The choices are, I put a question mark there because I think it's no longer important or necessary to count. I could call it multifactor, but it wouldn't fit in the box. But you know about context, where you are. I know this is already available.
I think the biggest challenge that we are seeing right now is about the privacy concerns. Unless you have a very open remote working policy, most employees do not wanna share their location, but the Verizon case really brings it to life.
As in, if you do need to do location based authentication, which is possible, you really need to have your privacy in order, and depending on which country you work in also. But "you are internal", I think I've separated them. Normally it was basically your external: you put your iris scan, your fingerprint. But "you are internal", I'm hoping it becomes very easy in the near future, in the next five years maybe, to also start granting access based on more than just what you are from outside, but basically how you're working from inside also.
And I think that's what really excites me, is that the authentication options available to everyone may not necessarily be the right thing to do. I don't know. There's always the ethics discussion about how much you invade into a person to grant him or her access, but it'll be really exciting times for people to consider the various authentication options that they have already. I think someone mentioned yesterday where they asked him about publicly available stuff before authenticating. Trying to remember who it was, sorry.
It was in the panel yesterday, where in America someone talked about how they challenged him with information about what car he drove, but they told him it was publicly available information, which really makes it, sorry. Was it yourself? Yeah.
Ah, there you go. And I believe that may become a norm.
In fact, credit rating is probably used already for many other things. It may be used for authentication purposes. I don't know if it is. Does anyone else here know if such things are officially or unofficially, maybe what you wear?
A product has just come out on Kickstarter, everyone knows of Kickstarter, about wearable biometrics that are measuring your biometrics and trying to tokenize that data. I don't know if I'm gonna support that or not yet. So I need to consider that, but it sounds very exciting. I need to go back and look at, you know, how much money they need to raise and stuff. How you feel, how healthy and fit you are, I think all of this is gonna be used, and should be used in my opinion, in some kind of context.
And I know I'm gonna be opinionated here, but I think it should be used depending on who you are and how much access you have to the crown jewels. Right?
If you, sorry, go on. Yourself? Yeah. Is that more, excuse me, authorization rather than authentication? Yes. Okay. Coming to that. Yeah. Okay. The other thing that I, and I know I have discussed with many other people in the know who are always constantly researching these kinds of things, is not only location based, but depending on how close you are, you know, using iBeacon technology. Apple is investing very heavily in iBeacons. NFC is one thing, but iBeacons, which is about Bluetooth.
And maybe people here may know more about it, please do share. Already, where you have been in the past six months is used to grant you authorized access in governments, whether or not your passport is approved sometimes. But, and this is going back to what I think you said, sorry, I didn't catch your name.
Mike? Mike. What Mike said was, you know, what was your last LinkedIn post? So, you know, he's being asked about what car he was owning, and accessible publicly or personally accessible information is already starting to be used to grant access, as an authentication mechanism, to grant authorization. But, you know, different attributes, going to what I would call the question: does more multifactor authentication make it more secure? I personally don't think it makes it more secure.
There are some in the industry who constantly market the fact that if you have several different authentication factors, you are definitely more secure. I think it's definitely much more complex than that, you know, and I guess we could sit here and argue and talk about how secure or not it is. I think it does add a layer of complexity, which makes it a bit more difficult for the regular individual who may want to compromise access.
But I don't think it necessarily makes it more secure. That should read "access control". Anyway, authentication and authorization on a very high level equals access control. And I guess what I find really exciting and what's happening, hopefully happening more, adoption is a bit slow, is entitlements, attribute based authentication. Anyone here using ABAC, attribute based access control, fully or even partially? No. There wasn't, there wasn't enough.
Oh, right. Okay. So actually that's very interesting because that kind of confirms what I believe, or what I've seen also, is that although it's very exciting, which is ABAC, or rather attribute based access control, the reality is most people, everyone, is using role-based access control right now.
You know, I think they have ways to improve role-based access control, but on ABAC the adoption seems to be quite slow. Maybe it's because vendors are still gearing up. Adoption is quite slow.
SAML, everyone using SAML, right? Most people, most vendors do support SAML. Correct.
In fact, I think it's almost default; it's difficult to find a vendor who does not support SAML. I'm not sure about the XACML thingy, but SAML seems to be the choice.
Any cloud vendor, any of the IAM vendors, is now supporting SAML integration. Okay. That should read, in my opinion, reality is access control does need a bit more urgent change, maybe not necessarily full change, enhancement. And it needs to be, going back to the five tenets discussion yesterday, user driven, focused on what the user finds acceptable also, rather than just what an enterprise thinks is really necessary. And having the options of multi-factor authentication may actually end up being the option of allowing your employees, depending on where you are,
no doubt, the option to choose what kind of authentication they prefer. Risk based context, in terms of authentication and access, is definitely coming in the pipeline. I know some are offering it to some extent. And does that mean no passwords? I don't know. Can we take a vote? Do you think we should get rid of passwords? Anyone? Sorry? You should define password first. What is the password? Different concepts. Different concepts, agreed. But from the end user perspective, again, I deal with a lot of end users a lot of the time.
I'm sure you all hopefully agree with that, but they don't really like passwords, right? In terms of typing in passwords, they really don't like that. I have sat down with an editor once who tried to educate me, from his perspective, on why he refused to change his password. It was really interesting and irritating at the same time. He spent almost 45 minutes. I used to work at News International as an interim CSO, and this gentleman refused. He went all the way to the top. He refused to change his password. So it was quite interesting trying to convince him why he possibly needed to do that.
So there are some people really passionate about not really bothering with anything to do with current good advice or complexity, you know, change your password regularly. Has anyone heard of, I did pick this up, I need to do a bit more looking into that, the FIDO password free authentication initiative? Yeah. I find that very interesting actually. And I know that FIDO is here, right? FIDO is here. Hello. Right. So you guys can talk more authoritatively on that, but I find that, sorry. Sorry, was that anything? No.
So I find that very interesting because that kind of rhymes with the whole concept of the end users having a totally different perspective on what they feel is really good access control and authentication, compared to what we may believe is good authentication and access authorization. Okay.
Again, that should read "probably provide varying degrees of strong, secure, dynamic authentication", a rich set of attributes that are possibly usable today, keeping privacy concerns aside for a minute, right. And that probably will never happen, but hey, this is just a presentation discussing what can be done, right? Doesn't mean it has to be done or will be done. Long run, ABAC and some exciting stuff discussed yesterday.
That also is really exciting, but I think whether we call it attributes, whether we call it enhanced use of several different factors of authentication to grant access, right, I personally don't think the current two factor authentication is, in the long run, viable or secure.
It needs to be enhanced. We need to work together to offer users something that is still very transparent. At yesterday's talk it was quite interesting: from the five tenets, the user experience one got the most hands up. I didn't ask the other four because everyone put their hands up for user authentication as being a key, sorry, user experience, I do apologize, the user experience of IAM being a key cornerstone in the tenets of IAM for now. I think it is possible. And it could be, working with privacy and HR, to adopt more than simple two or three factor authentication.
Any questions? We have gotta go to a panel now, but any questions for now? We need some chairs here. So if you give it two minutes, I'll move some chairs here. The panel is "Do we need to put secrecy back in security? The reinvention of authentication."

...standards and policy group within Microsoft. And so my focus has been lately strong authentication across Microsoft's products, the phone, the Xbox, Windows, et cetera.
And so we're, you know, on a mission to try to fix some of the stuff and then to improve it and to make sure that there are better assurances on authentication processes. And so as far as the topic is concerned, you know, Microsoft is concerned about authentication, mainly around the theft and reuse of passwords that has been going on. This costs Microsoft and other companies, you know, billions of dollars each year.
And so if there weren't passwords floating around and being stored on various servers that get breached, you know, this not only increases the security of the end users, but also saves companies billions of dollars on account theft, account recovery, et cetera. And so, you know, we're not on a mission to put secrecy back in security, but we're on a mission to make sure that we have accountability during authentication time.

So, John Bradley from the CTO office at Ping. I mostly deal with standards there. I'm on the OpenID Foundation board.
One of the authors of a number of specifications that probably annoy you to no end. Well, the topic is, I guess, hopefully vague enough that we can probably go almost anywhere with it. Certainly, I don't know.
The problems with passwords are pretty well understood. The people who are the least competent to manage passwords are likely the ones that you've given them all to, and websites are notoriously bad. We have breaches every couple of weeks. People don't actually even necessarily, LinkedIn, as an example, had never heard of password salting, et cetera.
Storing even hashed passwords at a lot of relying party websites is just, you know, you're hoping that they will be confidential for some period of time, which may be anything between minutes to weeks or months, but, you know, they will be compromised eventually. So how we replace passwords, you know, from a secrecy or confidentiality point of view, you need to get the right attributes or claims to the right place at the right time to be able to make access control decisions.
And, you know, the whole confidential or privacy thing is: private from whom? You know, in some cases you do care. In some use cases you do care about not having your identity provider know about where you're going. In other cases, you may actually want your identity provider, if you've chosen an identity provider like a bank or someone who has a fiduciary responsibility to protect you, they may actually have a legal reason to not want to be blinded to where you're going so that they can actually fulfill that. So people need to be involved in the consent.
We have to make the process transparent. Attributes need to go where they need to go. Thank you.

Speaker 10 00:27:00
Good morning, still. My name is Bart Renard. I'm with VASCO Data Security. We're a company that deals quite a lot with authentication. One of our sweet spots is the banking market. So if you have tokens from banks, you'll most probably see some VASCO on the backside, which I understood we all hate, but the point is taken.
Meanwhile, we've moved along in other authentication steps as well. Personally, I deal with business development. I try to find new solutions for our customers, new markets as well, and also new ways of doing authentication. And on the topic, whether we need to put secrecy back into authentication, I can only say that putting secrecy in something is making something obscure, and people don't like it. So if they don't like a fob and you then make it secret how they authenticate, then they'll definitely not like it.
So I think instead of putting secrecy into authentication, we should put transparency into authentication and embrace the fact that this multifactor is going to be around, and use it to the extent that we can, given privacy, given the rules that every government has or every company has, so that we work within the boundaries and try to open up, find the balance between the ease of use for the customer and the level of security. Thank you.

Hi, I'm Mike Neuenschwander from iC Consult, and yeah, wait a year and I'll be somewhere else.
So yeah, I think that "secrets" is one of those interesting words, right? From a computer technology point of view, we certainly do use, in many of the standards today, something we call a shared secret, of course. And that's very important. I think we really do still have secrets in that sense, right?
I mean, those tend to be time-bound, very small kinds of things, but we do sort of proofs and other kinds of things in OpenID and other kinds of PKI and that sort of thing. And I think that kind of a secret is, of course, very important to preserve, and to figure out how to make that technology better.
It's kind of funny, too, the terminology there is "shared secret". So I guess I don't know how widely you could share it before it becomes no longer a secret. I don't know, three? We have three people. Is that what it is, three's a crowd? That's actually right.
Yeah, that's right. Technically, in the standards that we're talking about, you know, if you're talking about SSL, for example, you're hoping that it's a two party communication, right? A lot of times there are sort of three party kinds of things that need to happen, potentially multi-party.
So I think that secrecy itself, though, when it comes to something like, as was mentioned before, privacy, is a much more difficult problem in the sense that it's very difficult to encrypt things. I'd be interested to see how many of you encrypt your email regularly, or can. Yeah. Right. Sometimes I see a few hands out there.
I mean, I can do it, but I choose not to. Right. Most times, because it simply is a lot of squeeze, right.
And you just don't really know if the receiver's gonna be able to see it, and then you gotta go back and spend the rest of your afternoon trying to figure out why the PKI certificate wasn't installed quite properly. So I think that when it comes to things like secrets, I think that's not really the goal. You know, we're trying to create a channel in which there's not a lot of eavesdropping and that sort of thing, but, you know, encryption everywhere, as Kim Cameron was talking about I think in his presentation, is interesting.
I think we have a ways to go, though, to really make that work, because the technology, even though it's sort of there today, is not very user-friendly, to talk about user experience for a moment. Alright. And one last thing, I know this is kind of going long.
I see a lot of the factors we talk about, two and three factor authentication. It seems like a lot of those factors aren't really what they used to be. When you think about something you know, for example, being a password, most of the time I don't necessarily know it, right?
Like it's just sort of, my computer knows it and puts the password in for me. So it's altered that factor. But if you start making assumptions about how the factor was produced and, you know, why, and that sort of thing, what does that mean all of a sudden? You know, I think that a lot of the factors that you listed in your slide show earlier are becoming very interesting. And there are a lot of contextual things that are going on that are very important, but again, those things need to not be secret in order to use them.
So there's a dilemma. Right. Okay.
Well, that's all I'm gonna say for now. Thank you for listening.
Speaker 11 00:31:56
Hi, everybody. Steven Hope from Winfrasoft. I did a presentation similar to this topic at Infosec London last month, which was quite interesting, that it comes up again. And I think one of the interesting parts is the most common authentication type everyone's using today is, as we've already heard, the password. And as Mike was saying, what is the password? It's a shared secret. And well, how do you keep a secret?
Well, we start by not sharing the secret in the first place. And what do we do with the password? Every single time we use them right now, we pipe the whole thing in and we hit enter, and we have no idea what goes on between the keyboard and whatever we're piping it into that is gonna be stealing that password and reusing it. It doesn't matter how long it is, how complex it is.
Speaker 11 00:32:41
You know, nothing is immune to that thing being stolen and reused without you even knowing. And now that is a huge issue from a security point of view.
So then you get the user side of it, which has come into obviously being a big issue, where everyone hates passwords from a user perspective, because they've got 500 of the damn things, they always want to get them changed. How do you manage them? Just add 1, 2, 3 on the end every time the month changes. Everyone, as an individual human being, has got their own way that they manage passwords. And none of them are very good from a security point of view, but that's kind of how the world works right now.
These things have been around since, like, Roman times. It's time we had something a bit better. Even if you jump onto the whole typical two-factor authentication system, whether it's OATH based, pick your vendor, it doesn't really matter.
Speaker 11 00:33:31
You know, at the end of the day, those things are producing a bunch of numbers which somebody types in. It just proves, in theory, that they physically have that device. It doesn't prove who they are, which is a very important thing to understand.
It just proves that they can read and type. It doesn't even have to be physically with them. You know, you can DHL it to China, et cetera. Exactly.
You know, but it's commonly thought of as being two-factor authentication. But in reality, what is the second factor? It's still a PIN code or a password. And for those of you guys who've got these hardware tokens or text or SMS based tokens, your phone, you know, what is the second factor? It's a four digit PIN you haven't changed since the system was deployed six years ago. That's right. Okay.
So back to, well, why are we changing our passwords every 30 days when your PIN code for your two factor is never changed and it's only four digits, et cetera? By the way, it's the same level of security we use on credit cards.
Speaker 11 00:34:24
Okay. This problem is pandemic. It's everywhere. And it's fundamental because people think that passwords are free and cheap, because you can just create one, you can change them, that's easy, right? But in reality they cost Microsoft, and everyone else, as has been brought up, a lot of money. A lot.
And a lot, a lot of money, a lot, a lot of headache. So surely there's something better we can do. And I don't think it's about dumping big bricks of hardware on people, giving them complicated processes and hoops to jump through, because what do people do now with the passwords when the policy's too complicated? How do you get in?
Well, everyone just follows the reset process, right? Because that's what you do if you don't know what your password is. Or if your computer can't remember your password, when your browser saved it, you just follow the reset process, which involves a while.
Speaker 11 00:35:11
Answering a bunch of questions where the answers are on Facebook. Really very secure, but that's the reality of what people do today.
You know, the reset process is you get a new one sent to your Gmail account. You click the link and you're back in. Happy days.
Totally, totally. This has gotta get better. So that's what we try and aim to do as a company: approach authentication from a different angle to make something that's actually secure and usable, because you've gotta focus on the users, the human beings, the things we're trying to authenticate in all of this.

So I guess if we can stick with that theme, but before we go to that, I wanted to share another real story, which is really quite interesting.
I was trying to encourage senior executives, which I call privileged business users rather than privileged IT users, called them privileged business users or PUBs, privileged users of business, I dunno. I was trying to encourage 'em to use password managers, right? So it's a good, I use password managers, right? Anyone else use password managers? Hopefully a lot of us, right. And got the message across. Okay.
You know, it's your key to your 500 passwords. Don't, you know, make that password really complex. And I thought I'd done a good job. And people said, yep, yep, we'll make sure it's, you know, several characters long, not six. A few months later, there was this one executive who I was walking by, and he was looking at the back of his phone and logging into one of the password managers, no product name. And what he had done was he had printed out a sticker with that over-20-character password and placed it behind his mobile.
I dunno, I really can't comment on whether that was a good approach. He hadn't written it down on his desk, luckily, but he had printed a note and stuck it at the back of his phone. It was 20 characters long. So he had done what he thought was the right thing, but he couldn't remember twenty characters.
I can't, I can do 16 and then I start losing it. But he had done 20 characters, and he hadn't changed that password, as you know, talking about the password issue, for several months now. So I just wanted to share this story in terms of coming back to the whole headache of getting the users, you know, to actually do the right thing. So I'll start from you, if you don't mind, Steven. Talk about going backwards, you know? Yep. What do you think can be done then? What are you doing, if you can share with us?
Speaker 11 00:37:38 Yeah.
I mean, just following from your point there about password managers, it's a great way of managing the problem of having a whole lot of passwords. But the problem with most of 'em is how do you secure your vault of all those passwords? It's with another password, right? So you've not really improved security. You've just tried to make your life easier. Because as a user, you've got this problem to deal with; the companies you log into don't have this problem. They don't care. They have one password for you in theory, but you deal with many, many companies and people.
So that's why you've got the problem. But yeah, from our point of view, as I kind of started off a few things ago, it was about having an authentication method that keeps the secret a secret, in other words, what you would normally call your password.
Speaker 11 00:38:21 Now, why are we told to change passwords in the first place? Now we're told they should be fresh, et cetera, and changed regularly. And the reason is because they get stale. There's a good chance someone else knows the secret.
Well, here's the trick with the password: once you've used it once, there's a good chance someone else knows the secret. So how often should you change it?
Well, every time you use it. From a security point of view, why is once a month any different from once a day or every 60 days? You know, it's suddenly stale once you've used it. That's not practical. So we're back to a thing of, well, usability versus security. Where is the level?
Well, it's gonna be different for everybody, but the point is if you keep changing that password, users are gonna keep writing it down or sticking it somewhere else. Now complex passwords,
Speaker 11 00:39:03 It doesn't really add security these days.
No, it stops a dictionary attack, but come on, who does that anymore? There are just more sophisticated ways of getting into passwords, and complex long ones don't make it any harder to get in. It just makes it more inconvenient for the user.
So, you know, one of the solutions we have is around using a pattern-based authentication. So you remember a shape, something visual that you don't communicate to the server when you do a login, so it enables you to convey to the server that you know something; it knows that you know it, but you don't actually divulge what the secret is when you do the logon.
So it takes a different tack on the whole thing, in terms of putting some security back into the knowledge factor, the something you know, because at the moment with authentication, that second factor or first factor, depending on where you start, the knowledge component is not any secure anymore.
Speaker 11 00:39:55 You know, we've pretty much all kind of agreed on that one. And so we're trying to bring some security back into the knowledge factor, because having a physical factor, there's 20 million ways to do that today.
There's lots of vendors with lots of apps or devices or gizmos or gadgets that can prove you have something, in theory, unless you're DHL to China, but there's not a lot out there that helps protect the secret, the thing that you know, the knowledge factor. You know, biometrics doesn't do that. That's another new thing, which does worry me: how many times can I change my fingerprints? But you know, these are just real good things to think about anyway. I'll, no, sure.
Thank you. Mike? I'll get off my soapbox. All good points. Say, I struggle with some of those same frustrations with passwords. It seems like every time you are asked to enter your password, it's just another opportunity to have someone steal it.
So, you know, it'd be better if you just had a long-lived token or something. Speaking of tokens, I think that it's probably something we need to continue to develop as an industry, to try to understand how a tokenized model can allow us to reduce the number of passwords and the uses of passwords. That is something that probably some of the guys down that end of the row are gonna talk about in greater depth, and I'll let them do it because they're greater experts than I am.
But another, I think, interesting angle on where to go with this technology is: could we start thinking of authentication as not necessarily being a single password and a single server kind of thing, but actually something more like what we see in our natural everyday lives? I mean, how do we all know each other? How do we recognize each other at all? Right.
I mean, we need to start thinking through some of the contextual things. We see each other, there's a community here, some of us know each other, and we can essentially very rapidly authenticate pretty much everybody in this room, using sort of the biological built-in tools that we have.
There's nothing really like that at the moment on the internet that allows us to sort of recognize each other, validate each other's actions, you know, complain if something weird is happening, build and use reputation, and that sort of thing. So I think that, you know, as we move away from passwords and we start thinking about, well, how do biological systems work, that might give us some insights somewhere to go.
Then I think finally, an idea like proofs. OpenID, I think, was on to something when they were trying to essentially prove knowledge of a shared secret, not actually exchanging the shared secret per se. Right? So kind of a Diffie-Hellman proof of being able to say, look, I can demonstrate that I have some capability on this website over here. Right.
So I can prove to you that... it's a little bit like saying, look, I can prove to you that I have some control over that car in the parking lot, 'cause I have this key fob and I can basically make it flash its lights or something, or even better, I have my iPhone and I can do that. So there's a lot of, I think, mechanisms that we need to start looking at that get us away from passwords. Not all of these though, I think, are... they're kind of in their infancy, but I think we're very motivated at this point to make sure that we can move through them.
Speaker 10 00:43:05 Thank you. Yeah, we think there's, I couldn't agree more with the gentleman. I think most of us will do so, but I think it's kind of a difficult exercise. The user wants user convenience and the application wants security, and it's just a trade-off.
It's something that you can't give both at the same level. You can't get ease of use, it's just like that, you can't get ease of use with the highest form of security. If you want the highest form of security, the best secured house is the one that has no windows and no doors, but how do you get in and out yourself? So you can't just think of having the highest level and then say, oh, and it has to be very user friendly. So we all here on the panel are looking for solutions like that.
Speaker 10 00:43:57 And I think the technology is evolving.
We went from computers that got connected to the internet, to mobile computers in your pocket, to wearables tomorrow. And I think that whether we use passwords, which are no good, whether we use just PIN codes, which are no good, whether we use a second factor, which are no good, I think that for now the solution lies in the combination of what we have and what we can use. I don't think we'll find some kind of magic wand that says, and now it's all solved because we have this or that and such.
And so technology, I think applications will still want a certain level of comfort with the security and the way it's done, and users will in some sort of way, when they want to use this application, have to stick to that and use that and move forward with what the application wants them to use to identify themselves.
Speaker 10 00:44:54 And that's the second thing. I think identity is going to help us, what Mike just said.
We are very capable of verifying each other in a physical world. We are not so good at doing that in the e-world. And that is something that will most probably help us: things like your own identity, and getting to your own identity, and adding to your own identity and making it more complete, so that you get into attributes.
What Amar said, that will help in getting trust, because that's the other thing: you need trust. So it's not only about passwords, it's not only about two or three or seven factors. It's about the ecosystem, which you trust, which brings a high level of authentication, which gives you ease of use. And that's going to be the winner.
I believe so. We need current technology, we need backend interconnection, and we need identity. And that's, for now, what will solve this difficult puzzle until something else strikes us. Okay. We have about five more minutes, but please. It's okay, I'll use up all Tony's time. I do wanna make sure the audience also has a question, but I do apologize. Thank you.
So it's a complicated area, so I'll make a couple of observations. Thank you. We shouldn't give up on ease of use in favor of security. The only way that we can get people to adopt security is because it's easier to use than the insecure thing, correct? That's the only real way forward.
And, you know, as far as ease of use goes, I've been trying to teach Tony to do Diffie-Hellman proofs in his head for a long time. And that's hard, for Tony at least. So I don't necessarily expect that that's going to be broadly adopted, but we have a couple of dimensions. So one of the things that we have to trust, if we're using a password manager or other cryptographic mechanism, is who's the author of that? Is it properly secured?
So we have now, if we have device profile information, et cetera, so somebody using a bad password manager is less secure than somebody who's actually kept a moderately secure password in their head. So there's a bunch of other ways that potentially good things leak information.
So again, if you happen to have a soft key, if you've started in the wrong way, et cetera, why would somebody trust that versus a password? So knowing what the user agent is, what the device is, where it is, there's a lot of things that come into that. We also have, you know, we tend to fixate a lot on this initial authentication, but that's only part of the problem. You have to do some sort of authorization, an initial authorization decision, and some sort of continuing transaction authorization, if you're more sophisticated.
So you have, you know, should the person be allowed in in the first place, then you have the continuing question of, is it still the same person that you originally let in that's using the device? And certainly my friends in the intelligence community and other places really care about those things. So I think that more of that thinking about continuous identification of who is actually using the device after the initial authorization, you know, there's a lot of things that can actually be built into these devices if you trust them.
So one of the things that we have to get to, if we're gonna start doing these more sophisticated things, is how do we trust the device? And then how do we trust that that device is actually monitoring the right biometric, checking to see who's actually using it, so that we can have a higher level of confidence over the session without inconveniencing people by getting them to stick their thumb on it over time?
Speaker 12 00:48:44 Build your own device proposition. How do you, well,
Speaker 13 00:48:48 To trust the device, that is. Well, you could either build your own device or have somebody that you trust certify that device, which is so China. One might suspect that FIDO is potentially in the business of making sure that the agents on the devices can be trusted by people. Otherwise the PKI kind of falls down. Yeah.
It,
Speaker 10 00:49:09 But still, I think I'm happy with open source on that too.
Speaker 10 00:49:12 Trust is fine, but if you can listen in to Angela Merkel's phone calls, that doesn't help. Anthony heard them. So as people, sorry, Anthony. Yeah. So as people said, you know, passwords are what they are today and they're used because it's very easy for people to use them. So whatever comes along has to be as simple to use as passwords, and getting into multifactor authentication really doesn't help. We've experimented with QR codes, et cetera.
And you know, you get phone, you get screen glare, everything else. People wind up losing their second factor device or their third factor device, get locked out. So things get complicated when you start to add, you know, multifactor. So we're on a single factor, you know, motivation here to make sure it's as simple to use as passwords. But as people have also indicated here, the initial authentication is only part of it, right? So I go through this long process of authenticating with five factors. And guess what happens in the end?
The process drops a cookie on the server and that cookie is, guess what, not protected. So that cookie then gets replayed. So all the stuff that you've gone through means nothing because this cookie gets stolen and replayed. So what has to happen is, all the way from the device down to the server, there has to be some accountability and some, you know, channel binding, whatever you want to call it, that makes sure that nothing can wind up getting replayed. A lot of this stuff happens when people start to take things in your sessions and start to do things.
So your maximum device security means nothing these days. Sure. Yeah. You can also just steal the hash, rather like you're pointing out here. That's what, there was something that you could Google, basically. Somebody put something out there where you could basically Google a hash.
You could look up the password based on the hash, essentially. So if you could steal the hash or Google the hash. Yeah. If you have enough Xboxes, you can generate your hashes faster than you can actually look them up these days. But the other important thing is that we also don't want to fixate just on HTTP. Yes, the web is important, but one of the largest sources of password theft or account brute forcing isn't happening over the web anymore.
Surprise, how many people... it's the back channel. We're moving the attackers; we're securing, doing multifactor in the front channel. So the attackers aren't stupid. They're attacking SMTP ports, they're attacking IMAP, they're attacking XMPP, all the things that people still have the same symmetric password on. So we have to start getting serious about OAuth and various other mechanisms so that we can actually apply, you have to close... If you're gonna bother locking the front door, you also have to lock the back door. Lock the back door.
So we have to be able to have these other mechanisms to use that multifactor strong authentication in these other communications mechanisms. Otherwise people will do the password reset and get into your Gmail account and get into all of your other accounts, because attackers are smart. They will go after the weakest point. Excellent. Do we have any questions before we move on to the next session? Any questions by anyone? It's really interesting. Yep. Please do, one question. Go on.
I ask
Speaker 14 00:52:53 The panel, there's been a few people talking about the linkage between attribute-based authorization and authentication. We've seen a lot of examples, like in the US, you know, the massive problem with the US defense messaging system, where they tried to force cards on everybody's desks to do end-to-end encryption, and that all went out the window, massive problems related to that.
People have moved forward from that, but now, interestingly, the work done by the prism group on the ITF about the move to doing secure messaging, including attribute-based access control in terms of authentication for access to messaging. Do you see, as a group, the use of attributes, the authorization component with authentication, as a way of solving these sorts of problems? Or is it normal? Kind of see it, but yeah, so I'd get a view from the... Everyone knows that giving me a microphone is a mistake. So it will ultimately be a combination of things; authorization requires attributes.
So, and attributes generally, if you want to provide pseudonymous, anti-linking protection, then your initial, your primary authenticator probably doesn't want to actually expose all of the attributes. We learned a lot of things from the mistakes that were made in PKIX.
Well, some of us did. We need strong authentication, but we need to have the abstraction layer of being able to present, in a privacy-preserving way, the appropriate claims at the appropriate place. And also the data, if you talk to Boeing or any of the other people, the resources that you're protecting also have attributes. So knowing that that particular part was made with a particular composite that somebody who isn't actually an American citizen can't actually see, you may have to make those fine-grained access controls on the detailed resources.
So you both need to know the attributes of the resource and the attributes of the subject, the person that's accessing it. And perhaps even the profile of the device, the profile of the person, to make sure that they don't have some sort of malware that's going to leak it out the back door.
Speaker 14 00:55:04 ...ality in the here, the code.
Well, those, you know, we need to have an attribute system which is flexible enough to deal with all of those things, right? We don't necessarily want to hard-code in passport numbers or birth certificate numbers, because all of our jurisdictions deal with all of those things in very different ways. Can we get a quick answer from everyone else? I'm just gonna go with what he said. Okay. Steven.
Speaker 11 00:55:29 Yeah.
I mean, at the moment, see
Speaker 11 00:55:32 If microphone wars. Yeah.
I mean, when it comes to getting the attributes, I think it's a good idea linking in the methods of authentication into those attributes, so that the backend systems can make a decision whether they wanna allow that user in or not, based on how they've authenticated. Now it comes down to the whole risk-appropriate authentication. So if you're doing something that's a low-level activity, you should in theory be able to do a lower level of authentication to get into it. And that can be filtered through the whole application system, through your attributes.
But if you're doing something of a high value, a transaction or something like that, then you should be requiring maybe a stronger level of authentication, and that can filter down through attribute models as well. So I definitely agree everything is gonna be end to end, but you know, at the end of the day, at the moment, the front door is typically where the authentication is, a starting point. And right now there's a lot of technology and a lot of things happening beyond the front door, and we're still sticking a password on the very front of it.
And so we've, but yeah, definitely the end to end has gotta be thought about. Okay. But
Speaker 10 00:56:36 Yeah, there wasn't, I can't add much, but I think that attributes really enrich authentication and make them complete, or not only authentication, but also authorization. So getting attributes, like what was just said, the way you come in is also an attribute. The way you authenticate is also an attribute. So finally, Tony. Tony, give it up, give it up. So we actually are in the mode to separate out authentication from the authorization aspects.
And going to your attributes, attributes are all about identity proofing, which is all over the place these days as far as which countries and which areas do identity proofing. And so that's gotta be an issue that winds up getting solved, or the attributes mean nothing to you. And then how you would bind those particular attributes to the authentication process is a separate entity. So we do believe that they get merged later on, but they are separate from the very start.
So one last, okay, slight disagreement, because I'm an easygoing but long-winded kind of guy. You know, in SAML and OpenID Connect, for a long time we've had this debate around authentication context. And what we found was that token vendors want the most specific authentication context possible, so that you can differentiate an RSA token from C or whatever. The problem is that that creates very brittle systems; you have to abstract classes of authentication.
Otherwise, as soon as you add a new device, or something else changes to make the system better or more secure, you wind up inappropriately causing things to break. It's a balancing act: the more fine-grained information that you give to the relying party, the more likely you are to break the system when you try and improve it at the identity provider's side.
So, okay. There are appropriate abstractions. Dumping too much information to the relying party can get you into more trouble than you're solving. Thank you. I think we overshot a little, but thank you so much. Show appreciation, please, for all the panelists. Thank you.