Paul Fisher, Senior Analyst, KuppingerCole
C. Maxine Most, Principal, Acuity Market Intelligence
Frances Zelazny, Co-Founder & CEO, Anonybit
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
So I, I was just interested when you came up with Maxine, when you, you were talking about the, the explosion of funding, which was quite, quite extraordinary amount of funding in one year. Just, I know you touched on that a little bit, but maybe you could just enlarge a little bit more on why you think, is it not, is it just because of, you know, you say the black Swan or the, the, the COVID effect.
Yes, it is literally that it is just, you know, what happened is remote work and virtual interaction, as we're seeing today, right. Went from being something that people sort of used, and it was nice and okay, you could do that. And there were a lot of webinars to becoming a vital, critical function for the enterprise. Okay.
You know, government commercial, you name it, even small businesses, you know, it, it, it, it went from being something that people thought about to something that became an imperative. And I think in, in, because of that, this broader notion of digital transformation went from being, you know, like 37th or 120 fifth on the list of things to do for every CEO to being a top three mission critical enterprise priority. Okay. So there's a lot of money out there. So let's get back to our, the subject for this panel, which is the identity emergency.
So my first question is really, is there really an identity emergency right now? And what does that mean for the traditional ways of doing identity that we, we all know and love?
So I'll, I'll let you start on that one, Francis. Yeah. So thank you. I think if we just read the headline just in the last month, I'll give the us perspective and I'm sure there's a European perspective of it, but the headlines in the last month, the United States pulls out from Afghanistan. And what happens to all of these biometric, the, the personal data records that, that have been collected over the years of good guys, of bad guys who has access to it, what do we do with it? And in the same week, we get a news alert that T-Mobile has been hacked.
And everybody's all the people who, whose data was stolen are compromised now, not only their standard name and date of birth and, and social security number, which, you know, why a telco has to have all that information is a whole other story. But, you know, all of that information is now compromised along with the device ID information.
So it, it, to my knowledge, this is the first time that you had like this very nice, neat package that pretty much had every single piece of data that you wanted, including that device, which is pretty valuable considering how many people rely on this device for authentication, you know, now available out there. So my question is, you know, how are you supposed to a, if somebody compromises all of that data, you know, prove to somebody that that person is really not you. Number one, and, you know, number two, how do you go back and start to, you know, rebuild all the pieces of your life?
And I could tell you that people whose fingerprints are stolen in the United States, government breach back in 2016 are still, you know, very concerned and UN upset that potentially, you know, people are walking around, impersonating them. So if this is not an emergency, I really don't know what is, And, and of course, those things often don't come to light until several years later, they steal identities and then they, they keep them. And then you've, and then maybe four or five years later, you suddenly find that your, your bank account has been hacked or something.
So Maxine, what the next question sort of links to that. So given that emergency, why, why, why do you think that organizations stick to legacy identity solutions?
And is it, is it habit complacency or, or just because it's too expensive, et cetera. I mean, the fact that all that investment money is going into biometric suggests that there is some movement, but what, what stops them changing?
Well, I think, you know, human beings don't like change. I mean, and I think corporation different corporations have different cultures, but, you know, in the bigger the corporation, the more entrenched the culture can be. I think from my perspective, the way I think about it is that when you're talking about incorporating digital identity into an enterprise environment, it you're fundamentally turning the it model on its head.
And so I think a lot of the, the, the pushback over the years, and I think now there's, you know, the pushback is just gonna fall because there's people have to do this going forward. Companies have to do this, but, you know, if you think about the way it systems are set up, they're not set up around identity, right. They weren't built that way. And so we're taking a concept and what people have tried to do over the last decade is to kind of hang it on the edge and it doesn't work.
You have to fundamentally transform the way you think about your, it operating the way your systems operate with identity at the center of everything. And so I think it, in some respects, it's really, really difficult to make that kind of fundamental transformation.
You know, if you could just say, oh yeah, well, we'll just like put access control on the edge and we'll just kind of link it for physical and logical and, you know, and that doesn't solve the problem. Okay.
It just, it pushes it Out. I, I actually wanna be a little bit controversial. Oh please. So I think the real reason that companies don't move is that when they actually look at what's out there versus the alternative, they continue to see holes in the alternatives and they say, you know, why should I actually make a change?
Like, okay, this isn't good. But if I go and invest tons of money and change all of my processes to Maxine's point, what am I actually gaining? If I use a passwordless authentication method that ultimately relies on a password as a fallback, what have I actually gained if I use an authenticator from a device that, that a fraudster can just circumvent by calling the front, the call center and using my, you know, my stolen identity, what have I actually gained? And so I think a lot of people really ask these questions and then they, they actually don't do anything. Okay.
So when I introduced you, I, I mistakenly said you were gonna talk about blockchain, but actually you were talking beyond blockchain, but I, I thought that, and that blockchain was actually one of the savior of secure identity, et cetera, because nothing can change in a blockchain without everybody else knowing about it. So maybe, maybe you could just tell me the limitations of blockchain, maybe both of you, but I'll start with you Francis, cuz you, you were the one that we're talking about it.
I think, you know, it, it's almost like blockchain is like a buzzword right now and there's no one size fits all right? Like it's a technology capability, but that doesn't mean that it works for every single use case or for every application. And with biometrics specifically, there are two things that we need to do that blockchain does not afford allow. Number one, we have to be able to delete. We have to be able to enroll people. We have to be able to, you know, take people out of the system.
And obviously, because it's all locked in there that doesn't, that doesn't work a second of all, when it comes to biometrics, we need to be able to, it's not static information. That's just sit, sitting there to, to retreat. We need to be able to process the data in two modes, a one to one match and a one to many match. And these are very, very complicated, especially lookups or very, very complicated, you know, functions that cannot be done on the blockchain.
There are also other, besides the function aspect, other considerations in terms of cost and in terms of time and in terms of, you know, what the use case you're actually using the blockchain for. So I mentioned, and I don't know if there was, I was clear that almost all of the application of decentralized identity today has to do with taking a credential and digitizing it on the blockchain link to a device you do not, and there's not an authentication function attached to that.
And I think we need to, you know, this goes to the reason why, of why I was saying, we're not seeing these more advanced applications max, I'm sure you have Todd Max saying, do you wanna add some, can I just, Yeah, yeah. I just wanna jump in and say, you know, it's great to have data on the blockchain. So we all heard that story about that guy who lost millions of dollars because he lost his password or token or whatever it was. So my question is, okay, so I wanna access my information on the blockchain. How do I do that? I need biometrics.
So I, it just, you know what I mean? It's like a chicken and egg thing. And I Francis touched on some of the other issues, you know, with biometrics, these are threshold based technologies that evolve over time and they need to be updated. And the idea of keeping the whole record of that, those interactions is problematic, but it just fundamentally, you biometrics basically are the tool that link humans to their digital identity. So the idea that somehow blockchain's gonna replace that doesn't make any sense. There's a place for blockchain and it's useful.
But I think as Francis said, it it's a buzzword and everyone, you know, for a long, I think people are backing off, but for 18 months, the answer to every question in digital identity and most of it was blockchain. I we're kind of getting for that. Yeah. Actually that guy that you mentioned, he lost 200 million or whatever it was, he, he, he did an interview and said, well, I've made my peace with that. And the guy said, no, I'm could ever make peace with the fact they lost 200 million. But anyway.
Yeah, exactly. So What about, unless he has 200 million more somewhere else that maybe I was about to say, I I'm sure he is still looking for or trying to remember, but so the alternatives there are biometrics and AI and things.
What are, what are more viable solutions going forward? Francis, I'll start again with you. Yeah.
So I mean, I, I, I was showing the Gartner hype cycle on purpose because I think, you know, that reveals multiple types of technologies and frameworks. The, the point is that I, I zeroed in on multi-party computing and zero knowledge proofs, but I think regardless the answer has to lie on those four principles that I, I mentioned during, during my talk, we cannot be dependent on the device. We have to make sure there's no third party ownership of data. We have to make sure that you can leverage PII and biometrics without, without actually like storing it and managing it.
And all of that, and most important is, you know, to be able to support multiple use cases, like what Maxim was saying, what's good about, what's the point of storing information on the blockchain, if you can't access it, what's the point of, you know, using device based authenticators, if a hacker can just call the call center and, and circumvent it. So what, whatever these new frameworks need to be, they have to have these principles at the core. Great Maxine. Yeah.
I agree with Francis, you know, and I think we're, we're seeing things like, for example, one of the, the, the it's not important innovations and, and it's an ongoing innovation, right? With all of these things in the biometric spaces liveness, right. How do you determine whether determine whether you're dealing with a hu human being in real time, not a picture, not a, you know, some altered video, not, you know, what's called a, a digital injection attack, deep, fake, whatever.
And, and those are arms races, right? That is a constant battle between the good guys and the bad guys.
And, and I think the idea that there is a solution, the idea that we're going to get to a solution that will be the final solution in terms of solving this problem is absurd. This is an ongoing process. And I think the biggest shift, you know, from my perspective, in terms of thinking about it, security, cybersecurity, all of these things.
And when you talk about AI and you talk about biometrics and some of these other, you know, machine learning and, and these other technologies, we're talking about constant evaluation and innovation, we're talking about thresholds, we're not talking about a zero or one. I think the biggest transformation is simply to get away from this idea that there is you have a password that either matches or doesn't, and that our entire security infrastructure is built on.
You know, it's a zero or it's a one. And, and, you know, as Francis mentioned, device authentication, you can do all kinds of complicated things to authenticate yourself to the device. But then if all you're sharing is a device authentication, it's a yes or a no. Then you haven't really changed the dynamics of the problem. And that's really, I think the interesting part of this problem we're facing right now is how do we create these dynamic continuously evolving solutions to security problems, understanding that that's part of the game.
So finally, obviously at this conference, we talk a lot about identity and access management and privilege access management and things like, and they're kind of like bread and butter solutions that we have right now. How can those develop beyond passwords? And the more, I don't know, pro methods that we have authentication at the moment, how, how can, how can the eye concepts of privilege access be improved through new technology either, either one of you?
Yeah, I think we're, we're talking about that sort of generally, you know, it's like, from my perspective, it's this whole enterprise-wide approach to, to cybersecurity, to managing data, to managing access. We have to think about it, you know, as a, not as a, in the, in the context of, you know, a locked door, a locked box, a locked room, you know, the world doesn't work that way, right?
We, we live in large interconnected networks. And so the, our security models have to go beyond these, these basic concepts. And as I said, you see companies like ping identity, who has been a real leader in the identity access management space. And they're now integrating biometric customer onboarding. And they're bringing, you know, I have to know they've hired some folks that are, is bringing this kind of more foundational identity at the center of it security into their organization.
So I think those companies are evolving and as they evolve, you know, there's there there's pressure for them to evolve because the enterprises are demanding more. But I think in order for them to deal with the, the continuing threat landscape, they to thwart those, you know, ongoing attacks, they have to evolve. And this is the direction they're evolving in. Okay. I think though, to make a, sorry.
Yes, go ahead. Sorry. I was gonna say to make a successful evolution, though, it really comes down to the balance of the friction. So it used to be with, you know, with privilege, identity, identity access, that the reason it was privileged identity access was that there were a certain number of users that would accept an increased level of friction in order to, in order for the enterprise to have the acceptable level of security. The fact is that given the data breaches are affecting everyone and everywhere, this is no longer a problem for the privilege. Yeah.
This is a problem that needs to be addressed, you know, across the board. And this comes just back to all of the things that, you know, we've been talking about, right?
Like, you know, why, why, what, you know, what happens with, with passwords and you, you know, if you don't wanna do passwords, the reason why this is what I was actually trying to say about why people aren't making a move, because if you have a password today and then you have to call and then go through a whole litany of questions only to have that, those questions be, you know, the answers available, then you that's, that's not really security. And, and it's the same thing with a device.
If I can have my biometric on the device and then still have the hacker call the call center and still have to go through all of those questions, I I've increased the friction and I've not gotten any more security. Okay.
Well, It has to work. It actually has to solve the problem. It Has to work. Yeah.
Well, it's been a it's, it's a fascinating subject. We could talk a lot. Unfortunately we only have 20 minutes, so I'm gonna have to wrap it up, but I'd like to thank you.
My, my first all women panel at the show, so that that's, that's something, but thank you, Francis and Maxine for being with us today really, really appreciated your presentations and the panel. Thank you. Thank you. Thank you. Next time can be here in person. Yeah. Next time. All right. Goodbye for now.