Warwick Ashford and Matthias Reinwarth discuss the standards, technologies and organizational changes needed to finally get rid of the password-based authentication once and for all.
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts, and we have a short chat of about 15 minutes about a current topic. My guest today, for the first time, is my colleague Warwick Ashford, working out of London. He is an analyst working for KuppingerCole. Hi Warwick.

Hi there. Cheers. Good to join you.

Great to have you. Let me do a bit of an introduction. When I joined KuppingerCole in 2015, I was working at EIC for KuppingerCole as a moderator, and of course as an analyst there as well. One of my first tasks was to moderate a discussion, a panel with lots of interesting industry partners, and the topic was how to kill the password. That was 2015; five years later, fast-forward, there's still the password. And you have just provided a leadership brief on how to get rid of the password. So how do we get rid of the password, Warwick?

Unfortunately, there's not a simple answer to that question. The good news is that technologies have moved forward, and basically the key to all of this is standards and the uptake of standards. So what's happened in the meantime is the FIDO2 project, which was a collaboration between the FIDO Alliance and the World Wide Web Consortium. And so now we've got strong authentication for the web, and the FIDO2 standard or specification is now available in web browsers and that kind of thing.

So it's a far more doable thing. Much like AI, you know, we've been talking about it for years, but we haven't had the technology; the technology hasn't been there to actually make it practical. And so now I think for the first time we can seriously talk about going passwordless, but it's not quite as simple as just switching from one to the other. So most organizations would probably have to look at some sort of a transition from what they're doing now, which in the main seems to be very highly dependent on passwords, to becoming less dependent on them, and then finally weaning off completely.

Okay. I think many of the audience listening to this episode are still using passwords, and this is still rather common, but as you've mentioned, there is already technology, and there have been changes to technology, that is available for you and me and for everybody who's listening right now, already in place in the tools that they are using. So you mentioned the browser: there are mechanisms in place where you can be stronger with your authentication than with just passwords.

Yeah, this is right. So what we're seeing now is the emergence of applications, or sort of smartphone-based applications, that work with and use the FIDO2 protocol. So these are the kind of alternatives to the password. So, sort of short-term, going passwordless means solving the challenge of enrollment and account reset or credential recovery without requiring a password, while at the same time deploying the capacity to accept a wide variety of authenticators. So this includes biometrics, hardware tokens, and mobile devices. So this is where also modern devices help, like laptops and smartphones, where you've got built-in fingerprint readers and that sort of thing.

Right. And when it is built into the devices that you use anyway, I think that also is good for the level of acceptance from the user. So I think user experience when it comes to strong authentication is still an issue.
Yes, user experience is vital, and this is one of the reasons that is blamed for the slow shift away from passwords: you know, people want it to be quick. They want it to be easy. They want it to be familiar. So the password is familiar, and there is a certain amount of resistance to moving away from that, and to anything that takes longer. So this is also the reason given for multi-factor authentication. This sort of halfway house is kind of one way of moving away from reliance on passwords, but because traditional systems of MFA have been slower, users have resisted this and have not been so keen. But now, fortunately, because of the changes in the technology and the use of the standards, the availability of the standards, this can be a lot quicker. It can be just a question of pushing your thumbprint onto your device, and the authentication happens in the background. And so it is a lot less friction. And so that's why, again, I think now we're at a point where it's becoming a lot more practical than ever before.

Right? And I think there is a move towards more secure authentication, at least for the more tech-savvy audience, already in place. So you've mentioned multi-factor authentication, and I think one additional important aspect is also single sign-on: reusing already well-authenticated credentials for using them in a different context. So if I protect my Google account with MFA and use Google to log into another system just by using that account, that of course strengthens security immediately.

Yeah. Well, we know that eliminating passwords will improve, or should improve, the user experience, because people forget them; they have to keep track of them. It will reduce the cost: you won't have password resets. As you've been saying, as we've been discussing, it will increase the security. So I would also recommend in the meantime, sort of, password managers at the very least, because this means you can have complex passwords. Although you're not going to be independent of them, you can have complex passwords, they can be unique for each account, and they can be changed automatically.

And actually, you mentioned the EIC. I was at the EIC a couple of years ago, and somebody introduced me to a YubiKey, and I've been using a password manager with my YubiKey ever since then. And that's basically changed my life, because it means that I can have a unique password for every account. I can change them automatically. I don't have to remember anything except one master account, and just keep my YubiKey in my wallet for the occasions where I have to authenticate. So, like when I travel, it detects: oh, you're in a new location. This could be a bit suspicious. Is it really you? I just plug in my YubiKey and it's done. As you say, single sign-on means you only have to remember one password. So you can then access all your applications and the data you need, but all the security is happening in the background; it's not down to the user. And so you should be using multi-factor authentication along with password managers. That's why I say I have a YubiKey with my password manager and for single sign-on sites. So just to up the security there, so that you make sure that you're less reliant on the password for the security. You have that second or third factor if required.

Okay.
I learned today that, first of all, when we want to get rid of the password, we need to manage the existing ones adequately. That is what you said, with a password manager, and protect that. Well, you've mentioned multi-factor authentication, and often that is achieved by software or mechanisms that are connected to mobile devices, because they are identified as already a second factor: you own it. So that is really something that adds to that as well. What else is there when people today want to strengthen their security posture on the one hand, or to increase the security in a corporate environment? What are additional aspects, additional technologies, that they could look at right now?

Well, of course, you've got adaptive authentication, where you can adjust the number of authentication factors according to the context. So this is kind of risk-adaptive or dynamic authentication. So if, as I said, there's a change in location, or there's any other sort of change in normal behavior, you can step up: some sort of risk analysis goes on in the background, and then it can ask for additional factors of authentication. So that's the adaptive authentication. Also continuous authentication: this is where you have periodic checks for the presence or proximity of a card, also analyzing keystroke patterns.

I was reading recently that one of the UK banks has introduced this keystroke analysis technology for their transactions, their online transactions, so that it's continually checking: is this conforming to the profile of this user? And that's a great example of a frictionless way of authenticating someone. They're not having to do anything. They're not even aware that it's happening; it's happening in the background. We're also talking about the change in technology. Microsoft has stepped up quite a bit, and so we can use things like Windows Hello, which is what I use every day. My computer just says, just checking that it's you, turns on the camera, does a quick facial recognition, and then I can just get on with my work. So I don't have to remember a password there at all. And every now and again, if the lighting is not perfect, or perhaps if I've not had a good night, it might not recognize me. So it says, okay, put in a PIN.

But again, that's fine, because although this is not eliminating passwords, the PIN is stored in the TPM, which is the trusted platform module on the computer. So it can't be intercepted by anyone. So it just authenticates me to the machine, and then that allows me into my accounts. And of course we've mentioned the biometric authentication already, although this technology is still sort of fairly immature and prone to error. So for biometrics to replace passwords, supporting technologies will first have to address issues such as false acceptance rates, false rejection rates, integrity of samples, the threat of associating a legitimate user's biometrics with an illegitimate user, and the threat of using things like photos and 3D models to fool biometrics. At present, I think the iris scan scores the best in terms of false acceptance or rejection rates, and uniqueness and persistence and operational effectiveness, but for truly passwordless, we're limited in technologies.
So short-term passwordless means solving the challenge, as I said earlier, of enrollment. And so there are some suppliers who claim to be passwordless; ask them how they've solved this issue, and find out whether they are truly passwordless or not. And one way of doing this is to deploy access management products that use SAML, and that's the Security Assertion Markup Language, and to integrate a broad spectrum of authenticators into applications on the back end, plus enabling passwordless enrollment and credential recovery, either by using hardware tokens that comply with FIDO2, or using single-use QR codes that can be sent to new employees. You get a QR code, the company knows that you've accepted this, you just scan it, and then that authenticates you to the system.

Another way of moving closer to becoming passwordless for the enterprise is to switch to Azure Active Directory, because they've also recently added support for FIDO2. So this means that users of Azure Active Directory connected applications or services can immediately authenticate themselves using a FIDO2-compatible security device, such as the Microsoft Authenticator mobile app or Windows Hello, that we've already talked about.

That is also a mechanism that I currently use already, because whenever I log into my Office 365 account with a new device, my watch tells me that I have to provide authentication, and the watch knows me because I own this watch, and it has realized that I'm still breathing, or I have a heartbeat. And then I can just confirm the login process just on my watch or on my phone. And that is really an additional level of security that really helps, and yeah, making our company also more confident that data is accessed by the right people.

So short-term, you know, there are lots of ways of reducing reliance on passwords, but I think, you know, we've got to think longer term for the passwordless enterprise to be an option. And so that means standards. As I mentioned earlier, the FIDO2 authentication standard, also WebAuthn and the OAuth standard, need to be widely implemented in products and browsers to enable easy integration between authenticators and applications, as well as passwordless enrollment and credential recovery, which I was talking about earlier. So therefore organizations should plan to gear up to use FIDO and standards to integrate applications with a wide range of authenticators, for different user groups within the enterprise. So what might suit someone who works on the road will not necessarily suit someone who works in the office, for example. So this will address the issues of high implementation costs, because that's what's also cited as a reason for not going passwordless: the high costs and lack of interoperability and poor user experience. So these standards will help address that. They'll make it easier and less expensive, basically.

Right?
Even if I can recall that panel that I moderated in 2015, the summary or the results of this discussion was: we cannot get rid of the password in the near future, but we can make it less important and protect the user more diligently by adding additional factors. And I think that hasn't changed, right?

Well, there are some, as I say, there are some suppliers who claim to be passwordless already, and they are using all the things that we've mentioned above. So it's a question of finding out who these suppliers are and then just asking them the right questions to find out, you know, how true is it? Because, you know, there are those who will claim that, but I have found one or two who look like they are genuine. So they are definitely worth investigating. And as I say, they are all predicated on the standards that I mentioned. So it is theoretically possible to do it already.

Okay. Usually at that point of the episode I do a summary and I sum up the recommendations, but I think that whole episode was a set of recommendations for improving your password hygiene when still required. And you've mentioned the password manager, also for individual home users, but also for the enterprise user, to really use these technologies. And if you're a deciding person within an organization, to gear up, as you've mentioned, to go for multi-factor authentication, to stronger authentication. All that is actually a set of highly recommended measures to take. Do you have anything to add to that, that you would give our audience as a recommendation?

Well, what we haven't mentioned is that, you know, in addition to these standards, there needs to be a shift from sort of front-end controls that require users to prove their identity to using sort of more intelligent, AI-supported back-end controls. So for example, in the finance sector, I mentioned the bank earlier, that allow or block transactions based on risk analysis. So to prepare for a passwordless future, organizations should also consider switching to a services-based approach to identity and access management, or using APIs in a concept of an identity fabric, which is about connecting users to services, systems and data using decentralized identity rather than a password. So this approach moves away from the shared-secrets approach, which uses passwords, PINs, one-time passwords that are all stored in the enterprise, which is an attractive target for attackers and difficult and expensive to defend.

So organizations need to consider a services-based approach to IAM to enable anyone to connect to anything using decentralized identities, so that passwords are replaced by PKI, which means users can connect to anything using a single smartphone app that connects to a service and uses a third-party identity provider. For example, rather than multiple authenticator apps, you don't want an authenticator app for this and then another one for something else. You just want to be able to have a unified experience. And there are some suppliers out there who claim to be offering this experience. So my advice is: go out there, see what's available in the market, and see if you can apply it, because going passwordless today may just be an option.

Of course, being an analyst company, I think those who are interested in getting an overview of the market can of course also go to KuppingerCole.com and find out more about the market segment when it comes to multi-factor authentication, to strong authentication, to adaptive authentication, by reading our Leadership Compasses around those topics; they are available at our website. And I've mentioned earlier that you've written a leadership brief around that topic that we just discussed, which is available also on the website, right?

Yeah. You just look for "passwordless future", I think, and you should get it.

Right. And so highly recommended. Thank you very much, Warwick, for being my guest today. That was really interesting. And I think we should follow up on that topic also in an upcoming episode, and more topics of course to come, together with you, to get into more detail here as well. Thanks again for joining me, Warwick. Bye-bye, and thank you very much, bye from me too.