Okay. So my name is Martin and I'm the product leader for Inter IKEA, which is the mother company in the IKEA group. So let's start with the standard slide. My main job is to make you hungry for meatballs, so you go to an IKEA warehouse or IKEA store and buy lots of stuff. So don't get hungry from this.

So our main mission is, around the meatballs, to ship flat packages across the globe and

There's quite a lot of noise still. So

By doing this, we also need to protect the systems that make it possible to ship meatballs and Billy bookshelves across the world and design new ones. And to do this we have another standard slide, which I've seen in many places now.
So the reason for this talk is basically that a lot of the attacks we see, both when we talk to our peers in the industry and also when we do red teamings and purple teamings, go in through identities. You could of course argue that some of the attacks are not login based, that you steal an existing session. But basically one of the big ways you can get into an enterprise is through stealing identities. And how is that done?

Well, what we're seeing is that for a long while we had quite good protection against phishing in the form of scanners, and the attackers have gotten better. One thing is that the large language models mean that you can now write very nice phishing letters, which for example the Icelandic banks discovered: suddenly you could write a phishing letter in Icelandic and that went through the roof. You can also see that a lot of the scanners are looking at links, and hey, if I put it in a QR code instead I can bypass the scanner.

Now the really evil attackers not only put them into emails, they put it into a QR code that they put on a box and insert into your supply chain. And at some point someone is going to scan it, and most of the time that's not going to work. But sometimes this scanner actually has an identity, and happily you can steal that. Usually they don't have MFA on those scanners.
So when you are in an enterprise, your problem and your biggest asset is that the average employee tends to be average.

So you can of course train your employees to not click the links that the scammers are sending, but some are going to do it, and it doesn't really help that HR keeps on sending emails that you're supposed to click on to fill out surveys or other things, or summer parties. But what you also have is that you're going to have some that are going to do nothing when they see the email, perhaps because they're busy with other things; you're going to have some that happily click in there and get phished; and you're going to have some that send back, at least if you have installed a nice little button, "This is a phishing email". And what we have seen is that this is actually one of your biggest assets in protecting your identities. In our latest purple team, how many minutes do you think it took from when we sent out the emails until our SOC woke up and started seeing the attack? It took two minutes. So this is actually one of your biggest assets.

If you train your staff to react to it, you're going to be able to see that there's not going to be one phishing email going out, there's going to be a hundred, 150, 200, and a skilled attacker will of course vary them a little bit to make the life of the SOC a little bit harder. But generally this is a very good protection mechanism.
So what happens next when you have these phishing emails? Well, one very common attack here is the adversary-in-the-middle token attack, and all of these are available. There are actually quite good articles at Microsoft if you want to dive in and understand a little bit more of the details. Now of course most of us here probably have MFA, and the idea was that MFA was supposed to protect you, and we all rolled out MFA, and then we discovered that SMS MFA had a number of problems, not only operational but also security-wise. So we all went to push MFA, and that solved the problem? No, not really.

So if you look at for example MS Authenticator, which is one of the bigger push clients, Microsoft is happily stating that this is not phishing resistant. It doesn't mean that it's worthless, but it does mean that you can get through it with phishing. So what do we do instead? Well, again we can ask Microsoft and we can ask caping a code, but what you tend to see is that you want to get up to the right corner there. So you want to have cryptographically safe methods to make yourself more phishing resistant.

Now if you look at the methods there: Windows Hello for Business, great, but it's not that easy to roll out if you don't have it on your machines today. CBA, also really good. A number of us here probably have CBA today built on the old Microsoft PKI; the problem there is that that's getting a little bit long in the tooth and it's a bit unclear on the future. So of course you can have PKIs, you can load another PKI, you can distribute the certificates and the keys different ways, but not fast and easy. The third party, FIDO2 and of course the hardware keys, are great, but again require a quite big investment.
So when you look at passkeys in an enterprise, it's a way to get an improved security level compared to your current MFA at a decent investment cost, especially if you already have all the licenses; if you don't, it's very expensive, but if you do, then it's quite acceptable.

And this is of course the same thing, I think, no matter what framework you have today for your primary IdP: if they don't have passkeys, or you don't have an existing passkey capability, you should probably consider having a discussion and consider upgrading. Now an important part of this is that passkeys will not solve all your problems. They are an important part of a defense in depth, and this is also something we have seen in our purple team exercises: this is actually one of the few things that AI seems to be actually useful for.

It is able to find the attackers, at least in our practical experience; unfortunately it also finds lots and lots of people who go on vacation to places they're not normally in and keep on working. So it's not a hundred percent safe. But the important part here is to look at all the different parts where you can detect a change in the user. And if the user suddenly starts logging in from the UK when they almost always log in from Sweden, well, it could be because the person has gone on vacation, it could also be because it's an attack.

Likewise, if you are able to control the devices, a change of device is another good signal. And again, this is an example on Microsoft, but this is something you should have in your IdP. If you don't, then start having the conversations. So what are the kind of decisions and complexities that you will see?
Well, one is whether you're going to go for device-bound or syncable, and there's an interesting conversation there. I was listening to some of the other talks on this topic or similar topics, and I think in general, if you're going to try to roll this out to your entire population, then syncable does make your operational effort a lot lower. But if you're using this in a targeted way to protect your high and highest, so you log into your PAM system, you log into your really critical systems, it might be prudent to go for device-bound. Yes, it's going to be more work, but you won't have to do the thinking about whether there is a risk that my keys just happily synced away somewhere else, and that is going to be the attack path.

With that in mind, I think one of the main attack surfaces we're going to see is the service desk. The reason for this is that binding the devices to the person is really hard. It's very hard to do this in a secure way. If you can get the users into your service desk, it's not that hard, because then either they know you or you can show an ID or something. But remotely, it's very complicated to do this really securely, and I'm waiting for the day when we're going to see some big attacks against the service desk. Of course they've already happened to some degree, but as we tighten up other areas, this is going to be a major area. So one interesting application of eIDAS would be to be able to have that trust anchor also remotely. That will of course only move the security problem, but it would at least provide some form of a strong trust anchor.
So let's just talk about a few things that we have seen during our POC.

One thing we ran into is that you need to have a quite new phone. So right now we are seeing about 35% or so of our phones are new enough; obviously it depends a little bit on how aggressively you change phones and also which population you're targeting. But it's an important thing to keep a little bit of an eye on, so you don't roll out something that only, you know, 50% of your population can use. Another thing we ran into is all kinds of interesting problems with app packaging. For example, Teams doesn't work right now for us; we're trying to figure out why, and we think it's because of how the app is packaged. Another classical problem is the remote desktop. So, you know, Citrix and similar, they don't seem to go very well with passkeys, and of course that's a bit of a problem if what you're going to use it for is PAM flows and so on, because they tend to be remote desktop.

So to summarize, and hopefully have a little bit of time for questions and also give some time back: our experience is that passkeys can be part of your ITDR strategy. It can be a way to push forward a bit and get off either SMS, if you're still there, or push MFA, at least for your high and highest security people.

Our experience is that it's a good idea to start, if your IdP supports this, start piloting, and you discover that all kinds of people actually really want this. So we actually had the problem that there were too many people who wanted to be part of the pilot; we had to say no to some. But that gives you really good feedback and you can discover all of these weird edge cases and at least try to size them up. You know, is this a mouse or an elephant that you've run into?

The third part is that if you want to go to a little bit more high-volume rollout, you need to start talking to your business, because new phones are expensive. So if you do need to do that upgrade, it's always a good idea to talk to your business ahead of the fiscal year cycle and try to make sure that there's investment in place.

Likewise, the service desk is really, really key. So start working on this, start socializing this; trying to get some of the service desk into your pilot is a good idea. So thank you very much for listening, and I hope that there was some oxygen also in the middle. Thank you.
Moderator: Thank you very much for bringing us through the experiences that you've seen in the organization and giving some really practical examples. We do have some questions from the audience.

Martin: Yeah, yeah, go for it, Eve.

Moderator: Yeah, we got quite a few questions. In your opinion, do passkeys essentially eliminate the ability for threat actors to take over an account?

Martin: Well, every time I thought that that was the case, I've been wrong. So most likely I'm wrong in this case as well. And the thing is that you need to protect the entire chain. You know, you can have something extremely cryptographically strong, but if they can just call the help desk and say, "Hi, I'm Martin, can I please attach my phone? I lost my old phone." Well, you're through. It doesn't matter how strong your technical solution is. So, no guarantees.

Moderator: Okay. How do you empower the service desk with the right process and tools to not be fooled in the passkey reset flows?

Martin: Yeah, this is a very hard problem, and I'm hoping that eIDAS might provide a better solution, because I haven't really found a really, really strong solution. Of course, if you can get the users in to the help desk, you can do it very strongly, because it's a lot of work to forge a driver's license for the right person and also to, you know, travel to a site and all of those things.

Moderator: I think we have time for the last question that was put into the app. Should everyone in your organization have a passkey?

Martin: So that comes back a little bit to "should everyone have MFA", and I definitely think that this is something you need to look at in the total protection picture. So it's very easy to say if you're a bank, for example, especially say an investment bank, where you only have quite highly paid knowledge workers, that's one thing. But if you're a retailer, where you have a lot of transient and not as highly remunerated people, then the cost of having a really strong MFA solution, be it passkeys or something else, starts becoming painful. And at the end of the day, we're about selling you a nice sofa at a fair price, so you need to control this cost. So maybe not yet.

Moderator: Thanks. I think that was great. We had time for three. Thank you. Thanks, Martin.
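Editor's added example, not part of the talk or of any IKEA tooling: the speaker's point that passkeys sit inside defense in depth, and that the IdP should still flag a "change in the user" (a login from the UK for someone who normally logs in from Sweden, or a new device), is easy to show as detection logic. The script below walks a constructed JSON-lines sign-in log whose field names loosely follow Microsoft Entra sign-in exports (`userPrincipalName`, `createdDateTime`, `location.countryOrRegion`, `deviceDetail.deviceId`), builds a per-user baseline, and raises the signals the talk mentions plus an impossible-travel check. The events, the four-hour window and the field layout are all assumptions for illustration.

```python
"""Sign-in risk signals over a constructed Entra-style sign-in log.

Added example by the editor, not the speaker's code. The event shape loosely
follows Microsoft Entra sign-in log fields, but every record below is
constructed for illustration and the thresholds are assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five successful sign-ins for two users.
# Anna: two normal Swedish sign-ins, then a GB sign-in from an unregistered
# device an hour later (the attacker pattern). Bo: Sweden, then Spain two
# days later from his usual phone (the "on vacation" false positive).
SAMPLE_LOG = """\
{"userPrincipalName":"anna@example.com","createdDateTime":"2024-05-06T07:58:00Z","location":{"countryOrRegion":"SE"},"deviceDetail":{"deviceId":"dev-anna-laptop"},"ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"userPrincipalName":"anna@example.com","createdDateTime":"2024-05-06T12:03:00Z","location":{"countryOrRegion":"SE"},"deviceDetail":{"deviceId":"dev-anna-laptop"},"ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"userPrincipalName":"anna@example.com","createdDateTime":"2024-05-06T13:10:00Z","location":{"countryOrRegion":"GB"},"deviceDetail":{"deviceId":""},"ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"userPrincipalName":"bo@example.com","createdDateTime":"2024-05-06T08:15:00Z","location":{"countryOrRegion":"SE"},"deviceDetail":{"deviceId":"dev-bo-phone"},"ipAddress":"198.51.100.22","status":{"errorCode":0}}
{"userPrincipalName":"bo@example.com","createdDateTime":"2024-05-08T09:00:00Z","location":{"countryOrRegion":"ES"},"deviceDetail":{"deviceId":"dev-bo-phone"},"ipAddress":"192.0.2.45","status":{"errorCode":0}}
"""

# Assumed threshold: a country change within this window is treated as
# physically implausible travel for a human user.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=4)


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines sign-in events, keep successful ones, sort by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-ins are a separate signal, ignored here
        e["_ts"] = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["_ts"])
    return events


def detect_signals(events: list[dict]) -> list[dict]:
    """Emit one alert per sign-in that shows a change in the user.

    Signals (indicators, not proof of compromise):
      new_country        first sign-in from this country for this user
      unmanaged_device   no registered device id on the sign-in
      new_device         a device id not seen before for this user
      impossible_travel  different country from the previous sign-in
                         within IMPOSSIBLE_TRAVEL_WINDOW
    The first sign-in per user only seeds the baseline and never alerts.
    """
    seen_countries: dict[str, set[str]] = defaultdict(set)
    seen_devices: dict[str, set[str]] = defaultdict(set)
    last_event: dict[str, dict] = {}
    alerts = []
    for e in events:
        user = e["userPrincipalName"]
        country = e.get("location", {}).get("countryOrRegion", "")
        device = e.get("deviceDetail", {}).get("deviceId", "")
        reasons = []
        if country and seen_countries[user] and country not in seen_countries[user]:
            reasons.append("new_country")
        if not device:
            reasons.append("unmanaged_device")
        elif seen_devices[user] and device not in seen_devices[user]:
            reasons.append("new_device")
        prev = last_event.get(user)
        if prev is not None:
            prev_country = prev.get("location", {}).get("countryOrRegion", "")
            if (prev_country and country and prev_country != country
                    and e["_ts"] - prev["_ts"] <= IMPOSSIBLE_TRAVEL_WINDOW):
                reasons.append("impossible_travel")
        if reasons:
            alerts.append({"user": user, "time": e["createdDateTime"],
                           "country": country, "ip": e.get("ipAddress", ""),
                           "reasons": reasons})
        seen_countries[user].add(country)
        if device:
            seen_devices[user].add(device)
        last_event[user] = e
    return alerts


def analyze(text: str = SAMPLE_LOG) -> list[dict]:
    """Convenience wrapper: parse and score a log in one call."""
    return detect_signals(parse_events(text))


if __name__ == "__main__":
    for a in analyze():
        print(f"{a['time']} {a['user']} from {a['country']} ({a['ip']}): "
              + ", ".join(a["reasons"]))
```

Run as-is, the script flags Anna's GB sign-in on three counts (new country, no registered device, impossible travel) and flags Bo's Spain sign-in only as a new country, which is exactly the vacation case the speaker describes: the country alone is weak evidence, and it is the combination with device binding and timing that separates the two. In a real deployment these signals feed a conditional access or risk policy rather than a print statement, and the baseline would be built from weeks of history rather than a handful of events.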