Hello. Welcome to the webinar, Overcoming the Challenges of MFA and a Passwordless Future. My name is Alejandro Leal. I'm a Research Analyst at KuppingerCole. And today joining me, I have Malte and Dennis.
Hi, guys. Hi, Alejandro. Hi. How are you? Hello. Good to be here. Thank you. Great. Happy to have you here. But before we begin, I'd like to remind the audience of a few things. So all of you are muted, so there's no need to mute or unmute yourself. We'll be conducting a few poll questions throughout the webinar. So I encourage you all to participate in those. It helps us understand more about the audience and it's also good for our research. And we will be having a Q&A session at the end of the webinar. So please enter any questions at any given time using the Cvent control panel.
And yes, we'll be recording the webinar. So in the coming days, we'll be making that available for you as well as the slides. So just to set the stage, I'll be first introducing passwordless and a few other things. And then Malte and Dennis will step in and then they will be discussing some of the challenges that they see in the market and also other things. And then at the end, we'll have some time for Q&A. But before I begin with my presentation, I'd like to have the first poll question. So the question is, which of the following best describes your organization's approach to authentication?
Passwordless, MFA, including passwords, just username slash password, or others? I'll give you a few more seconds and then we can proceed with the next slide. Here's a motivational quote for you. Organizations must cease supporting legacy authentication methods that are prone to phishing attacks, such as mobile SMS codes, voice calls, push notifications, or one-time passcodes. These techniques were once standard practices, but they are increasingly considered less secure and are no longer trusted by security professionals.
As many of you know, SMS, for example, is a messaging protocol. It was never really meant to provide secure authentication. And the same thing applies to passwords. So you check the news, and these are some of the things that you see: data breaches, compromised passwords, password leaks. And as I've said in other webinars in the past, passwords were not created to provide secure authentication. They were created over 60 years ago by university professors and researchers at MIT.
And back then, the password was mainly created to keep track of the time spent on a mainframe computer so individuals could access private files. So it was never intended to provide security. And for example, I was reading the news this morning, and there's an article discussing that a couple days ago during the American elections in the state of Colorado, in one of the counties, there was a password leak of one of the voting systems. Apparently, back in June, there was a spreadsheet that was available online publicly, and it contained some of the passwords used to access this voting system.
Apparently, nothing happened. There was no breach or anything. But it's another demonstration of why, you know, we are still using passwords after all these years and after all the things that we see on the news. So against this backdrop, we then see the implementation of regulations. In the case of Europe, we see NIS2 and DORA. Both regulations aim to strengthen cybersecurity practices, risk management, and incident response. So organizations are aware of the problems that legacy authentication methods present. They're also aware of the regulations that arise. And it can be confusing.
It can be a bit complicated. Maybe some organizations, they don't know how to start, how to deal with their legacy systems. So this is just important to keep in mind that things are moving fast. The problems are just becoming more sophisticated. The attacks, but also in terms of legality, they're also trying to catch up and it's changing. So this can be problematic for many organizations. So what are the challenges of MFA? So if we look at the previous slide and we see the regulations and we see that entities are, governments are trying to promote better cybersecurity practices.
Well, many organizations are already using MFA. But is that enough?
Well, MFA introduces certain complexities in terms of usability, integration, and cost. So here on this slide, I have these three. And of course, there are other challenges that we see. But these are probably the most important ones to keep in mind. It's inconvenient for users, users just trying to do their work. So having to use MFA every time they want to access a system or application can be a drag on their productivity. I don't have to say that. I'm sure most of you have been in that position.
But it's also costly, especially in distributed environments. If an organization has workers in the office or remotely or doing hybrid, it's costly and it requires lots of resources to make it happen. And then the third is legacy system compatibility, which I will be discussing further in the next slide. So here we have legacy MFA versus passwordless MFA. So as I said, there's this compatibility issue: modern authentication methods such as passwordless authentication or even biometrics often require updated infrastructure and protocols such as FIDO2 or SAML.
But many of these legacy systems don't support these standards, which makes it even more complicated for them to transition to a more modern approach. Then there's the complexity of migration. It sort of requires a phased approach to avoid business disruption. But this requires extensive testing, new integrations with existing applications. And this requires planning ahead, requires resources, and it can be time consuming. And there's also the problem of user adoption. So employees are accustomed to legacy methods. It could take them some time to figure it out.
So there needs to be also an emphasis on educating existing employees as well as modifying onboarding processes with the new modern authentication methods. So as I said on this slide, while a password-based MFA system may once have been effective enough, its viability in today's threat landscape is diminished. So passwordless MFA solutions should be able to eliminate the reliance on passwords or other easily phishable factors. And there's also the problem of having distributed environments. Some workers are working remotely, others are at the office.
Maybe it's a multinational corporation that has presence in various countries, and that also makes it more complicated to have an integrated approach to authentication. So what's the solution here?
Well, how to overcome this? There are multiple ways, and I'm sure that Malte and Dennis will go deeper into this. But some of the things is having a hybrid approach to bridge the gap, also adapting more modern protocols, such as FIDO2, and looking for a centralized management to streamline identity and access control. So what do we mean by supporting a modern approach? I think there's a lot of work to do when it comes to educating users and the audience in general about the benefits of passwordless. That's not like a shock to say this.
I mentioned this in my previous webinars, and when I have conversations with passwordless vendors, we always have that topic of conversation that it's going to take time for many of these solutions to be more widely adopted by users, by consumers, by people that are maybe not very tech savvy. So a modern approach should be able to address many of the challenges of legacy systems. It should also address the problems that organizations face when they have workers doing work remotely, and also dealing with hybrid approaches. So a modern solution should have all of these things in place.
But to be more precise when it comes to passwordless, here we have a few aspects that most passwordless solutions should be able to support. This is not an exhaustive list. It's just a list that we gathered from our research. But passwordless solutions should be able to support a broad range of authenticators. They should have strong authentication, which in the context of this webinar is important. They should also be able to do risk-adaptive, context-based, and continuous authentication, as well as adaptive and step-up authentication.
Of course, they should support legacy applications and services, strong cryptographic approaches, integration with third-party authenticators, device trust, support for federation standards, and of course, a comprehensive set of APIs. And if we look at the next slide, then we can see some of the criteria that, at KuppingerCole, we've added in our research reports to evaluate passwordless vendors.
So we got, for example, account recovery. I believe Malte and Dennis will also talk about it a little bit. But this is also a topic of conversation that I've mentioned before, and it's one of the things that I usually like to know when I talk to passwordless vendors. So if a user loses a device or cannot access their account, so what can we do to facilitate that process in a way that is secure and convenient for the user?
Some companies are still providing phishable factors to recover the account, so they still allow users to enter their username or their password or have an SMS code or a push notification, etc. But I also see some vendors that are coming up with their own innovative and, in some cases, proprietary ways of doing account recovery. So if we really want to move to a passwordless future, this should be an area that passwordless vendors should be paying attention to.
Then there's also architecture and deployment, authenticator support, APIs, device trust, which is an area in which some passwordless vendors focus a lot. Some of them have this approach that as long as the device, and we focus on the device, and the device can be trusted, then there shouldn't be any problem.
Of course, it's just one approach to that, but it's an important element in passwordless. Then there is identity and access management support, and of course, these solutions need to be scalable. So what are some of the trends that we see in the passwordless market? So at KuppingerCole, we published two reports this year, one report that focused on the use of passwordless solutions in the enterprise and another report that focused on the use of passwordless in the consumer space.
And what we see is that the demand for passwordless authentication is increasing, and as a result, we see lots of vendors diversifying and coming up with their own ways of doing passwordless. So it's a very competitive area. Despite the presence of major players, we see smaller companies that promise the passwordless feature that we've been talking about earlier. Some of them don't even provide any phishable factor for authentication or for account recovery. Some of them are doing something called SIM-based authentication, which relies on the SIM card of the phone.
So there are different ways, and it's not only, I guess, it's not only FIDO, but we also see companies trying to do something different. Then we see the impact of regulations. As we mentioned earlier, the U.S. government is also involved in this. There was a memorandum published two or three years ago by the Biden administration on achieving zero trust across agencies in the country. And then we see technical advancements, famously the introduction of passkeys, which is a very good topic of conversation and is gaining prevalence in the consumer space and as well as the enterprise.
But there are some challenges there that maybe we can discuss later. So the future promises a landscape where fewer passwords are needed and MFA as such will be in a way more convenient and more secure. But in reality, passwords are still going to be used. It will take time for this user adoption to be implemented, as well as the adoption of standards across organizations and across the world. But we predict that the compound annual growth rate will continue to grow.
We will be doing a new market sizing for next year, so we can take a look at how the passwordless market will change over the next few years. So here we see the trends. But what about the obstacles that we see? And some of them come from not knowing where to start with, you know, some organizations or people maybe are not familiar or maybe they're skeptical of this passwordless buzzword, you can say. Some of them are maybe not very tech savvy, so they don't really understand the benefits of passwordless and how they work.
So that's why vendors need to do a good job in that sense to increase adoption. There's also the problem of business versus IT alignment on goals. So if passwordless vendors or MFA vendors are talking to the tech people from a particular company, it will be very helpful to deliver a very good and concise message to the people that make the decisions, people from the executive level or the business level, people that are maybe not very IT, maybe they don't know much about IT, so they can understand why passwordless is necessary, why having this strong MFA is good for the organization.
So vendors need to do a better job with the messaging. Of course, there's the legacy application integration that we talked about. There are considerations regarding deployment, selecting the right product, but also this old school mentality. So some people are just happy with what they've been using for years. They don't see a problem. They've never faced a data breach or a password leakage or they've never had any problems with using these legacy systems. So they are maybe not aware of the problems there. And in the next slide, I'll just have some related research.
So you can go to our website and then you will see that we have plenty of content on MFA and passwordless and what organizations need to know to make this transition. We also do other than research, we do events and webinars and advisory projects. And we'll be having an event in December in Frankfurt, where we'll be discussing some cybersecurity topics and in particular, the role of identity in cybersecurity. And before I hand it over to Dennis and Malte, I would like to have the second poll question.
So the question is, what are the primary factors impacting the organization's identity and access management budget? Is it mainly due to emerging security threats? Or it's all about compliance and regulation? Or maybe it's because the organization is growing and scaling? Or it's just cost reduction and operational efficiency? That's all from my side. And I'm going to now hand it over to Malte and Dennis. Thanks a lot for that.
First off, I would like to introduce myself and Dennis to you. My name is Malte Karst. I'm the managing director and founder of MTRIX. I will share a little bit of background on who MTRIX is in a second here with you. But Dennis, please go ahead and introduce yourself real quick. Sure. Yeah. So my name is Dennis Rober. I am the CEO and president of MTRIX America. I've been in the authentication space now for about 10 years. And so yeah, you'll get to learn a little bit more about what we do at MTRIX through this presentation, I hope. Perfect. Please move to the next slide, sir.
So yeah, just a little bit of background on MTRIX. We are a company focused entirely on solving user authentication issues of enterprises. So we help enterprises to secure their digital identities and assets by implementing multifactor authentication and helping our customers to use best-of-breed technology and kind of cover the end-to-end story when it comes to multifactor authentication or any form of user identity proofing, so to say. So we are 18 years on the market. We were founded in 2006.
Our headquarters are here in the northern part of Germany, close to Hamburg in a little city called Lüneburg. We also have an office in the United States in South Carolina, where we help our US customers and the European customers with US presence. We cover the entire NAFTA area from the US location. At this point, we serve thousands of customers, I need to say. We have customers from various industries. We are not centric on any specific industry. We have a lot of automotive, healthcare, and pharmaceutical companies which are our clients.
We have been a member of the FIDO Alliance since the very beginning of its formation, so to say. I think we joined as the second or third member in Germany here. And we are really excited to follow the FIDO story here. Not everything is FIDO, but it's a goal to reach. And I guess we're going to touch on that later in this talk. Just to give you an overview, we are about 27 people here in total at this point. And we have over a million seats, which we are covering with our solutions end-to-end with our customers.
So, Dennis, would you like to introduce the end-to-end story real quick? Sure.
Yeah, absolutely. Thank you.
So, the end-to-end story is really a journey that MTRIX likes to assist in taking our customers on, right? Enterprises are not small, and they have a lot of moving parts to them. And there's a lot of things to take into consideration.
I mean, we just saw a great background and overview of MFA challenges that organizations face. And the questions that need to be looked at and asked, and we'll talk about those in depth here in a minute. But as far as the MTRIX approach, we love to come alongside a customer and give them an end-to-end solution. And that usually starts with consulting and a selection process, right, a discovery phase. What products do you have currently in place? What challenges or requirements do you have? What regulations are you facing?
And then we help the customer to understand, you know, what products are on the market for them and available to meet those needs, those requirements. And we help them in the implementation of those if they choose to go forward with a software solution, so to speak. Oftentimes, we find enterprises are pairing their software solutions with hardware, whether it's security tokens or biometrics.
And so, we're there to assist in the selection process of that as well. Oftentimes, we get involved with implementation, right, deploying those solutions to the customer. And if they do choose a hardware option, you know, many enterprises are not equipped with, you know, a logistics team or a team that can do, you know, mass mailings of security tokens to, you know, remote workforce, external partners, things of that nature.
And so, MTRIX has really developed over the past couple of years a real large branch of the business that focuses on this. And we are actively engaged in getting keys and security tokens and things of that nature to employees, to customers.
And so, we help with that process as well. And again, we don't just, you know, sell something and walk away, right. We support the customer. We hold their hand until the end of the process where they are satisfied, they're up and running, they're ready to go. They're utilizing the solution that we've helped them put in place.
And some customers want to keep that on board. They want to keep MTRIX available to them.
And so, we offer support and, you know, services along that as well. So, really, it's, again, it's an end-to-end solution that we typically, you know, prefer to offer.
Now, we'll come alongside a customer that might have some of this already in place, and we can fill in the gaps for them. But generally speaking, we try to start at the beginning with the customer because a lot of times, as we'll discover in the next couple slides, they don't always know everything up front, right. We don't know what we don't know.
And, again, that's the end-to-end solution that we tend to, or would like to typically offer to our customers. Thanks a lot, Dennis.
Yeah, and so, just transitioning into our next slide here, you know, Alejandro mentioned some of this a little bit. But, you know, we definitely see the future of authentication, and we see the place that passkeys play in that, the role they play in that, replacing the password. Eventually, right, and I'm sure many of you are familiar with passkeys. We see this in the consumer space right now growing rapidly. And we see that, you know, many, many companies are adopting passkeys.
You know, you look at the logos there on the right of the slide, and there's many, many more. But I'm sure all of us, even as the average consumer, have seen passkeys as an option now to authenticate to various services, whether it's those listed here on the right or others.
I think, personally, one of my first ones here in the States was CVS, the pharmacy. CVS adopted passkeys very early on. Their user experience was not that great, to be honest. They had some bugs in the workflow, actually. And I discovered those because I was an early adopter of passkeys for the CVS website.
And so, you know, we were able to see the pains that companies are going through with passkeys, but they're getting better. The more consumer applications that add passkeys, the better the experience will be for users. And I think we'll start to see more and more adoption right here, especially in the consumer space. And MTRIX fully expects passkeys to be the number one authentication method in the consumer space moving forward. Passkeys are here to stay. And I think for consumer-facing applications, you know, it's kind of a no-brainer, so to speak.
We'll continue to see more and more companies move to passkeys in the consumer space. However, we want to speak more to the enterprise today.
And Malte, I'll let you go ahead and take over on that particular topic. Yeah, maybe, you know, just let me add here. There is one big difference between the enterprise approach and the consumer-facing hyperscaler approach. The hyperscalers and some of the service providers we have seen on the slide before are only dealing with one authentication endpoint. So they only have to worry about one, let's say, front door, which needs to be secured.
And, well, I'm not saying they're not interested in the security of their overall service, but they are more focused on, let's say, the ease of use of their service and the related support efforts they need to undertake in order to keep their customers afloat. And account takeovers, account lockouts, all of the helpdesk-related processes are a big, big cost issue for these hyperscalers. Whereas if you compare that with the enterprise, the enterprise has a slightly different view on this.
Of course, it's also about account security, but it's way more focused on the identity of the user. So the enterprise needs to know exactly: is the person who is authenticating really the person they claim to be, right? And the enterprise has way more endpoints within their entire infrastructure landscape. So for an enterprise, this becomes really, really complex, really, really quickly. Alejandro had one question on his slides, and that was, should we embark on a passwordless journey as an enterprise?
And our answer to this would be, of course, you should, and you'd rather start your passwordless journey today. But then there was another question: how do we do this, right? How do we do that? And maybe if we talk about the main challenges for the enterprise, it is to find a starting point. And to find a starting point, we always feel it's a very good point in time, if you consider moving passwordless, to take a break, to just think for a second, realign your organization, and also look into all of your legacy.
The biggest problem for the larger enterprises is their inherent complexity: the multitude of user identity sources, the multitude of authentication endpoints to be covered, the multitude of authentication protocols already in the field, the multitude of existing authentication solutions maybe within the infrastructure. So you have your old legacy RADIUS, you know, one-time password, VPN solution, you might have your smart card based desktop authentication, you might have something for your third parties, right? So as an enterprise, you look at a heritage-based, multi-level, complex landscape.
So take a break, take a big, deep breath, and reconsider your entire approach to multifactor authentication and not just focus on "we now want to go passwordless," right? Try to understand where we are. What could we maybe optimize? There are some lower hanging fruits in most of the cases, right? So you might be able to kill a piece of infrastructure you're running for multifactor authentication today while going forward, but it needs a thorough analysis of your current situation and your, let's say, future roadmap on the way to passwordless.
That's what I feel is the most important point when it comes to enterprise adoption of passwordless. Because passwordless is pretty much a buzzword at this point, right? And it's working for a selective endpoint. But if you're an enterprise, you're kind of, you know, getting into this complexity thing really easily and you might get torn up in that.
So, Dennis. Yeah, I mean, I completely agree, Malte.
And also, just to add to that, the complexity that you mentioned at enterprises is really important here, because it's not just the infrastructure, it's your user bases, right? Internal and external users, you might have consumers yourself, if you're selling to the public and you have an interface for them, right. The very design of passkeys and FIDO in general, you know, is again from a web-based perspective.
Well, what do you do with older legacy applications that are still leveraging the RADIUS protocol, you know, VPNs and VDIs and things of that nature, right? So there's a lot of complexity here.
And again, that makes it more challenging for enterprises to move to passkeys. Again, in the consumer space, it's a no-brainer, right? It's a web-based interface for one endpoint for your customers.
And again, the risk of a customer account takeover is not as large as the risk of a company account takeover, right? There's more at stake if a company is compromised, or a corporate account, I should say, compared to a consumer account. And so yeah, that's, I mean, that's absolutely true. And I think moving to the next slide, we see, well, how do we really gear up to answer these questions, to figure out what complexities are there? Because as I mentioned, sometimes the enterprises don't even know what hurdles lie before them.
And looking at that bigger picture, as you mentioned, Malte, is very important. And we'd like to, again, suggest that, you know, we take the time, as you mentioned, Malte, to step back, look at the 10,000-foot view. And a planning phase really is the key here to running a successful project moving to passwordless, right? What are the requirements? Are there regulatory requirements? Are there organizational requirements? Maybe there's infrastructure and legacy applications that need to be considered.
Budgets, time constraints, things of that nature, right? And the best thing that we could suggest and the thing we do with our customers is we sit down and we ask the important questions that help us uncover these requirements, these constraints, right? We talk about preparation and how it must be, you know, a major part of the planning phase of a large-scale migration or rollout.
You know, if you don't ask these appropriate questions, you will find things along the way that you did not think of, that you did not consider. And those will be stumbling blocks. Those will be hurdles that are harder to overcome at that stage of a project than they are if you know about them in the beginning.
And so, again, this is something that we always sit down and work out with our customers. You know, what is your future plan? Where do you want to be in the future, five years from now, 10 years from now? You want to be passwordless?
Okay, great. We understand that. What do you have to get out of the way in order to make that goal achievable? What hurdles are there, legacy applications? Can you migrate those? Can you consolidate different solutions that you might have in place today? Many of our customers have, you know, islands or silos of authentication for various different applications or use cases. How do we help customers get rid of those islands, consolidate those to a centralized platform where you have a central point of authority, a central point of operations and reporting, etc.?
And so, these are the questions you need to ask and the things we help our customers do at MTRIX. And, you know, again, there's a lot to consider, you know, with passkeys.
Well, there's device-bound passkeys and then there's synced passkeys. Many, I mean, pretty much all the consumer-facing, you know, endpoints and applications are utilizing synced passkeys because they make sense in the consumer space. Do they make sense in the enterprise space? Do we want our employees to take passkeys home to their personal devices where maybe their children or family or friends have access to them? There's a lot of things to consider there.
And again, enterprises must, at first, really assess the situation, their overall authentication landscape, not just passkeys in general or how they get to that. But they need to assess their overall authentication landscape so that they can ensure that they have a comprehensive roadmap moving forward before they begin.
And, Malte, with that, I'll let you add some input here. Yeah.
So, you know, speaking of where to start, we have many, many times seen a specific application owner coming to us saying, well, my application now supports passkeys. I want to use passkeys for my entire organization.
Well, that's a very good approach for that application. But, you know, make sure that you start at the right level by assessing the situation and kind of coming up with an overall roadmap or strategy for the entire business. Because if every application owner is now stacking another authentication solution or another authentication island, as we call them, on top of what you already have, you're kind of adding to the complexity.
So what I feel is important is that this is seen as a C-level, CIO, CISO topic, that this is handed to or hung at the right level of the organization so that you come to a holistic enterprise-ready roadmap, so to say, which is then valid for the entire organization. That's one thing I wanted to add here. The other thing is, if you talk about all of your regulatory requirements, make sure that your regulatory requirements are up to date. Technology is faster than regulators.
The problem with that is, if you now implement something which is the latest and greatest fancy piece of technology, you might end up in a situation where you're non-compliant, just because of the simple fact that what you're implementing is newer than the regulator could have digested at this point. So, you know, it's not often an issue, and most of the time we haven't seen any issues when it comes to the actual audit in the end, you know, when you need to prove that you're compliant with regulatory requirements.
But keep in mind that technology is sometimes quicker than the regulatory body writing the requirements you need to meet. One other thing is, enterprises most of the time have these big implementations of Microsoft Azure or whatnot. Make sure that if your future is Azure, you're able to migrate into that infrastructure at your own pace, right? You don't want to be dragged around by technology or by, let's say, hyperscalers while at the same time losing the ability to fully control your own environment.
So what we mean by this is there are sometimes bridge technologies needed or desired to be used in order to have a really smooth transition away from your legacy, away from your heritage infrastructure, moving it into a cloud-based, zero trust, passwordless future. We might jump to the next slide deck here real quick, Dennis, because once you have decided on how you want to go passwordless, it often involves some form of hardware or authenticator to be utilized. These authenticators are great. They are multi-protocol tokens for the most part, so you can use OTP functionality on them.
You can, so to say, use them with your legacy and for your heritage use cases. At the same time, they support the FIDO protocol or any other passwordless protocol, so to say, and you can use them as a bridging authentication factor. The thing is, how do those keys go or end up with your users, which are actually in need of these factors? We have seen many, many enterprises struggling with the last mile problem to get the keys to the users.
The keys, in case you have one-time password functionality on them, also need to be pre-seeded and configured. The logistics of these keys becomes a hurdle. We are happy to help our customers with these challenges. We are today shipping to over 85 countries in the world on a daily basis. We have hundreds of packages leaving our office or warehouse every week. This is really a very important thing, which you should consider from the get-go to get covered.
Yeah, I don't think I have anything to add to that point. I mean, it's definitely a challenge we are seeing rising more and more, especially with the remote workforce of today's enterprises, so definitely something to consider. So just considering wrapping up here, again, I just wanted to bring you guys back to this circle here, this end-to-end circle or end-to-end solution that Emtrix desires to help customers put in place. And this is – we're not only solving the planning process or assisting in the planning.
We're helping set and identify objectives, challenges, identify those hurdles because it's going to be unique for many customers, right? There's going to be overlap, similar challenges, legacy applications are typical for enterprises. But there's going to be things that are unique to your specific infrastructure, your situation, your requirements. Maybe your industry has additional regulations or things to consider.
And Emtrix has the expertise to come alongside and to help folks determine what those challenges are, identify those, and make sure that they're considered in their planning process. And again, the goal is to shine a little light here into the jungle of your infrastructure, right? You might not have expertise in authentication specifically, but that's exactly what Emtrix does. And so we're able to come alongside and shine a little light and say, hey, don't forget about this. This is something we've seen other customers run into. We want to make sure you avoid that pitfall as well.
Again, if there's hardware involved, then you need to choose the right hardware, right? A display token, an old-fashioned OTP display token is financially affordable compared to a FIDO token.
However, it's an OTP token. It's phishable. And it's not future-proof, right? If you want to move into a passwordless future, an OTP token is not really the way to go. A multi-protocol token like a YubiKey or a Fashion K9 token, something along those lines, a Swissbit token, those are going to be better off because you not only have the support for your OTP and legacy apps, but now you can start utilizing the same device, the same token for FIDO, for FIDO2 as a passkey, et cetera.
And it allows you to have one physical device, one physical hardware option authenticator that can be utilized across all your applications and endpoints. And please, please, please don't underestimate the user experience and the importance it is to educate users, to give them the tools and knowledge, to equip them to understand how passkeys are utilized or whatever passwordless method you want to migrate to. User acceptance is incredibly important. And if the user doesn't accept it, if it's too difficult, if it's too confusing, they simply won't do it.
And one thing we didn't talk a lot about that we maybe should have mentioned a little more is account recovery, right? What's the weakest link in your authentication landscape, your authentication scheme, right? If you have a fallback of a password or SMS or email OTP, that's the weakest link. And you need to consider that and consider the recovery process and all that goes along with that. Many of these breaches come from users giving up passwords to people who they thought were somebody at the help desk, and they're not. They're a threat actor who steals it, right?
So we need to make sure that user education is done and they have the tools and knowledge to properly do this. Again, we talked a little bit about the last mile problem there, getting these keys to the users, whether it's remote workforce, external partners, et cetera. We've done this for many of our customers. Many of our customers have either dealer or partner networks that need keys. And Emtrix has been able to help get those individual keys to the individual people where they might be.
And again, how can we support you? How can you utilize somebody who's been there, done that, knows about this journey and can help you along it? And that's something that we like to kind of wrap up and just carry forward with our customers after we've gotten through the implementation, after we've gotten through the logistics of getting the keys to the users and their customers. How do we then support you moving forward? How do we keep you passwordless?
Because, right, it's an ever-changing landscape. As you mentioned, as Alejandro mentioned earlier, it's ever-changing. The risks are constantly changing. The players and the way they hack and get information is changing. And we need to keep up on that. So that's what Emtrix does, and we support our customers with that. And so with that, I'll go ahead and say my thank you for you guys and your participation. I'll let Malte say thank you as well. And then I guess we'll take some questions. Yes.
Also, from my side, thank you very much. That is the end of our part of the story, so to say. And we're happy now to engage with questions. But Alejandro, the show is yours again. Awesome.
Well, thank you so much for sharing all the insights. Now it's time to address some questions. But like Dennis said, passwordless is a journey. It's not an off-the-shelf product that you can just implement. But as we know, threats are constantly evolving. So we need to be ready. And it's good that organizations like you are supporting customers in their journey.
But yes, we have multiple questions. So one of the questions that I'd like to hear your thoughts on this, it says, is passwordless really the answer in every scenario? What do you think? Passwordless is a very good answer, but certainly not for every scenario.
I mean, taking into account that if you're operating an AS400 mainframe system, for instance, it's not capable of speaking passwordless, right? So you would need something to broker that authentication. There are solutions out there where you could utilize a passwordless authentication against the mainframe. It's possible. But you need to design that solution so that it's fitting your use case. I would say passwordless is a very, very good answer to the question on how to get away from phishable authentication factors. But it is for the enterprise, not the one and only solution moving forward.
In the IT security strategy, so to say. Is that a good enough answer?
Oh, yeah, absolutely. And you talked about it earlier that passkeys in the enterprise can be a bit more challenging than in the consumer space.
Also, employees are basically trusting their security to some third party. So that's also another thing to consider. Another question, because we have multiple, and I know we are running out of time. But one of the questions is saying, which applications should I target first for passwordless authentication? All the applications which are natively capable of speaking passwordless. That could be your IDP solution. That could be a specific web service you're utilizing.
You should really consider moving ahead with passwordless authentication in case some of your applications you deem critical are supporting passkeys. There are various services out there for the enterprise which would enable you to utilize passkeys. But please, please make sure that you have an overall strategy for how you want to move forward with the implementation of these passkeys. Because most of the time, just to implement it for one endpoint doesn't really enable you to gain the most benefit out of your investment into passwordless technology.
So please assess, are there other authentication endpoints which I could natively tie to it? Or would I become able to utilize the same phishing-resistant factor for my users by implementing an authentication broker in the middle of my applications, for instance? Perfect. There's one question that is related to what Dennis was saying at the end on hardware. The question is, why should I consider hardware tokens when synced passkeys are so convenient? I'll let you speak to that, Dennis, in a second.
My first thought on that is, as an enterprise, it is more likely for you to lose control of the synced passkey than it is on a device-bound or a security key, on a device-bound passkey. Well, with passkeys, we need to distinguish between device-bound passkeys, when your computer or your laptop becomes a FIDO device, so to say, or your phone, for instance. Then we have device-bound passkeys.
Now, we have security keys, which are then mobile hardware passkeys, so to say. Sorry, terminology here. Those you could utilize, and you could utilize synced passkeys, which are then synced throughout a sync fabric of a service provider or an authentication solution. Those could get exported. You could share those with other users. It kind of depends on the solution you utilize, but those could become absent, so to say. The problem with those passkeys, with the synced passkeys, is that the authentication part relies on the device itself. It does not rely on the passkey itself.
The passkey itself does not have any authentication function for the user. So, for instance, I'll give you an example. I share my passkey for an online service with you. Then you could use your face on the iPhone to authenticate for my passkey. So there's nothing which is tied to myself, which would prevent you from using my passkey within your phone. And I think this is the most important point for an enterprise to take away here, that those could be shared beyond what you are willing to accept when it comes to sharing.
Yeah, I would simply add that most enterprises are not – all their endpoints are not ready for passwordless. As we've mentioned, there's mainframes, there's VPNs, there's old things floating around that are leveraging RADIUS and things like that. And with a hardware token, you can do both. You can do the passkey, but you can also do the old-fashioned OTP for those legacy applications until the enterprise is ready, until those older legacy apps are migrated or moved to something new and modern and can handle passkeys. And then guess what? You still don't have to replace the token.
You simply only utilize it at that point as a phishing-resistant FIDO token or passkey. You get rid of the OTP use of it, but the device is there. It's in the user's hand. The user doesn't know the difference between whether it's an OTP being injected when they press the button on their key or it's a FIDO credential. They don't care. They just want to know I can plug this in, I can press the button, and I'm logged in and securely logged in. That's all that matters to the end user.
There's a real benefit to a hardware token or security token because, again, as long as it's multi-protocol, you can carry it forward and bring your legacy along with you in the meantime. There's one more aspect, sorry, to add here again.
But if you choose an authenticator or a hardware security key, which is also enabling you to bridge that physical and logical access, the key becomes tremendously more valuable to the organization because you might be able to utilize the same token for your door access, for your time and attendance, for car parking, and various other scenarios where you would utilize a card usually or anything else. So this really then becomes your one key, which is utilized for logical and for physical access. So this is a tremendous value these keys can add to your organization. Absolutely.
Thank you for your insights. Now I think it's time to take a look at the poll questions. Let's take a look at the results and then wrap it up. So here's the first question, which is, which of the following best describes your organization's approach to authentication? It looks like most people here have MFA, including passwords. Are you guys surprised?
No, not at all. This is exactly what we see in real life with our customers. I think there's a very limited amount of organizations out there which would be able to go fully passwordless at this point. So as you said, Alejandro, passwords are going to stick around and legacy MFA solutions are going to stick around for some time. But I feel that this is more or less the question of how quickly am I able as an enterprise to adopt passwordless where possible or make it possible to utilize passwordless, rather than to fully and radically eliminate that overnight, because I feel that's not possible.
What is possible is to enhance your security posture by moving to passwordless and phishing-resistant wherever possible. Yeah. And I guess it's a good thing that we have 0% on username slash password.
Well, moving on to the second question, what are the primary factors impacting your organization's identity and access management budget? Well, it's very close between the four options, but it looks like it's mainly because of security threats. As we've been emphasizing during the webinar, threats keep changing. Technology is evolving. Regulations are trying to keep pace with all of these developments. So that's why we have also compliance requirements very closely in second place. And then we have organizational growth and then operational efficiency. Any last thoughts before we go?
Just maybe one last comment on especially that slide here. Most of our customers are, you know, dragged around by the threat on one hand and by the regulators on the other. I feel that an enterprise can, if rightly approached, turn both of these, let's say, burdens into a business asset. Because if you take the time to really come up with a strategy on multifactor, I'm not saying on passwordless because passwordless is, I would say, an evolution of multifactor. It's just the next logical step. We don't really distinguish between passwordless and multifactor here at Entrix.
What we say is, well, we need to somehow strengthen user authentication, period. The best way to do that is passwordless. That's a given. But if you as an enterprise take the time to really come up with a roadmap and a thorough assessment of your current situation, you can cut down costs on legacy. You can introduce passwordless wherever possible. And you might be able to even improve dramatically on your user experience by just tweaking a couple of knobs within your infrastructure.
If such projects are located at the right level of the organization with enough punch, so to say, with enough oomph, then you might be able to turn your burden of being compliant and secure into a business asset, which is really adding value to your day-to-day operations. And on top of that, with happy users. Yes. I think on that positive note, we'll end the webinar. I'd like to thank you so much for joining us today. It was very interesting to see all your thoughts, especially that you guys have to deal with all of these things on a practical basis. So thank you so much and see you soon.
Thanks a lot. Thank you very much.