Well, thank you for being here with us today. Perhaps we can do just a quick introduction and then we can maybe proceed with some questions. Hi, Eve Maler, CTO of ForgeRock. Nice to meet y'all.
Hi, my name is Ric, I'm CEO of CDOs. Nice to meet you. My name is Raj Tarik, working for Yubico as a solutions engineer. Nice meeting you all. Well, thank you for the introduction. So one of the questions I wanted to ask you guys, you talked about it for a bit, but the question would be, you know, some organizations have lots of MFA tools; how can they approach and adopt a passwordless solution when they have so many tools and applications all over the place? Any thoughts on that? So maybe I'll take this one. So I think what's important is of course to really understand the big picture.
All customers are different. A lot of customers are going to the cloud, a cloud-based approach, but a lot of customers also have maybe legacy applications still on premise that we should take seriously as well. So of course we need to start to protect what we have today. And I think that was mentioned earlier in the discussion as well. MFA is better than passwords alone, but we have the technology in place today, at least for the majority of cloud solutions, ideally in combination with a good identity access management solution.
We have a lot of identity access management solutions here on the trade show as well. So I think that is a good approach. And then ideally, on top of the identity access management solution, try to use the best possible authentication technology. And that is, from my point of view, passwordless, ideally combined with a phishing-resistant approach. I think when we are talking about passwordless and the path to passwordless, one thing you've mentioned is, or I would phrase it as, the fear of failure.
So if you go there, we take the e-commerce example, what you meant, the retail example, if you go there and introduce passwordless, most people are afraid: okay, if I introduce it, I might lose customers anyway. So there's some kind of way, as you mentioned, a passwordless experience where you maybe can provide different authentication options in parallel, which will help them to transform and also gives the company the confidence that passwordless is possible. And we will then easily see that most of the users will accept that because they're used to it.
So FIDO2 basically, if we use that, if we have any stick or any Touch ID, Face ID, Windows Hello, these are all tools that customers today are already using. So they will quite fast adapt to that. And maybe I'll just add one little thing to that, which is when it comes to consumer circumstances, you know, I'm more frequently running into this as just a regular person out there on the web, and it is possible to do a terrible job of, you know, designing these experiences, and, you know, some of them would be laughable if it wasn't so important to get to whatever the app is.
And so I think, you know, maybe a little fear of failure is a sort of a good motivator for doing a good job and testing, and that way we can increase everybody's confidence and, you know, not hurt the consumer in the process. Maybe just one thing to add to that as well. Totally agree with what you said. So when we look at FIDO for instance, FIDO was especially designed to be secure on the one side but also make it much easier for the user.
And I think this is a very, very important point, that we really convince the users that the technology is not only better or secure, it makes life easier. Yeah. And I think this is the combination. And the last thing about the FIDO protocol, what makes it so special? It's an open standard and very easy to implement.
Yeah, I think the implementation is quite important, and you have a broad set of possible authentication options then because it's an open standard. So you will have different tools, different authenticators basically, which you can utilize, which also broadens the tool set the customer can use. Well, maybe this is another question, a bit off topic, but it's a question I often get as an analyst: are we ever going to get rid of passwords? It's the ultimate question, right? But what are your thoughts?
Hopefully. So I'm convinced about that, but as I said earlier, it depends a little bit, of course, on the complete infrastructure of the customer. We have to consider that. And this is a very, very important point.
We cannot just go and say we take it all passwordless when we still have some applications that cannot come along. And so this is something we need to approach now. But what I also would like to say is the good thing about passwordless is that all major companies, tech companies, whatever identity access management solutions, all say go the passwordless way. So the chances are very good that we are gonna reach the passwordless point hopefully soon. I think hopefully we'll get rid of the password and I think there will be a turning point.
So as soon as one company starts, or a few companies start, and users are attracted by that innovative or easy, comfortable authentication, at some point others are forced to follow. So you normally have this early adopter curve, and then the first start, customers like that, users like that. And if you do not follow, taking the retail example, if one retailer starts to do that and the others do not follow, there's a risk of losing users.
So at one point or the other, even if you have an old infrastructure, you need to follow, and then you are forced to replace that infrastructure. If you talk about the timeframe, I don't give a prediction on that, but hopefully soon. But I think since users will start fast to adopt it, there will also be a fast adoption phase, then removing the old infrastructure, replacing it, not only on the consumer side but also in the workforce area. Well, just for fun, I'm gonna take a contrary opinion here.
Not disagreeable, but you know, I've joked in the past about, you know, something you know, something you have, something you are, and it's a little bit like the three macronutrients, and I spent a long time as a low-carb person; it's really, really hard to eliminate a whole macronutrient. And despite the, you know, sort of wifi password joke, I mean it's a perfect use case for, you know, a static shared secret that is easily synced between people and can be plastered on walls. And it's really, it can be pretty low assurance, right?
I mean, it's kind of level negative one or something. It's, you know, there's room for static shared secrets in the world, and we have not yet lived through all the consequences of truly trying to eliminate one. And I'll give you an example of something we're gonna have to learn how to do properly if we ever achieve no passwords: people sharing passwords in households. In that kind of use case, it's friendly impersonation.
I don't, you know, I don't officially like the word impersonation for what's a kind of delegation really. But we are gonna have to figure out how to properly implement delegation between people. I know how to do it, I've been writing standards for it for a long time. We're gonna have to do that stuff if passwords get eliminated as an option, because it's really handy. So, you know, we're gonna be throwing out the baby with the bathwater if we don't understand all the affordances that passwords have.
Yeah, I think it'll be hard work to do, and I think we have delegation, all these functionalities which also provide a benefit. So if I consider families sharing, account sharing might be, in e-commerce, certainly not perfect. So if the children can buy alcohol because I'm a very bad user in an e-commerce shop, delegation might be more useful. The good thing is, as you mentioned, we have not done all the password things, but we have done the password, so we have learned it's not the perfect solution. There's bad customer experience. So we have learned that.
So now we can use our learning from password authentication and move toward a better future, hopefully. Can we just agree that, I mean, Netflix has taken a really weird position on this, cuz, you know, it's affected their bottom line, they've had to report it to the SEC and so on, and they persist in trying to bop users over the head with "oh, we're gonna impose multifactor." It's an opportunity to build great delegation, and other companies have done it, so, like, it confuses me. It's an opportunity. Yep. Agree with that.
I think that the bottom line here is it must be easy to use, otherwise it will be just very difficult to implement a passwordless future. Absolutely.
Alejandro, should we maybe take some questions from the audience? Do we have any questions? I remember you had a question.
Yeah, this is, I guess, about the workforce implementation of passwordless, and I mean users in the workforce have been trained to be abused by the whole security paradigm, but there are also use cases where people don't have emails, shop floors. So there's a really interesting intersection of dynamics there, including BYOD versus handing out a token. Do you really want employees to use their own devices? How do you address personal autonomy or privacy and utility in the workspace implementation of this, or the workforce implementation?
I think, to start with the first part, you also have mentioned some kind of real-world identification. So we are already today talking about identifying users without a password in the real world. So company use cases where you have your RFID card or something with you, or your bracelet, whatever it is, we already have that. So we are already using kind of passwordless authentication methods.
So if you consider a broader range of identity management in the real world already, I think that's a perfect use case to get back to the topic of different authenticators, different options, what you need to provide. So in the first step we might still have passwords, but in the future the development might be changing. So maybe in the future we'll have like a smartwatch, everyone will have a smartwatch to open a door, and you can also utilize that.
It's more like a wallet concept, or different things where you have different authenticators available which you just use to authenticate; there you are not sharing any details. So it's not using maybe a private phone or something, it's trusted authentication, what you bring with you. However that will work, that might be anything.
Yeah, there's a real opportunity for better inclusivity, particularly for workforces who may have, you know, quite a variety of folks, a diversity of experiences, languages, ability to type. You know, back in my old analyst days, I was taking inquiries about, well, you know, it's the operating room floor and they can't use fingerprint cuz they've got gloves on, or it's, you know, workers in a factory, and, you know, it's not practical to even teach everybody how the whole password thing works.
There are opportunities for innovation there, and I love the idea of, you know, smartwatches or similar devices, and, you know, maybe cheaper devices may need to be used, but, like, there's a lot of opportunity to do way better than we've been doing with passwords, which is kind of, you know, a single solution for many different circumstances that it's often not appropriate for, for different people.
And I think this is also where, for instance, passkeys, which are based on FIDO, come in, because we are not only depending on an external authenticator, for instance; we could use the external authenticator as a root of trust to log on once and then we create a passkey on a specific local device like a mobile phone, or maybe even in the future on the iWatch. I think that, for instance, might be an interesting approach as well.
Alright, we had other questions. Alright, I think two of you at least mentioned adoption. We need to think about, on an app basis, gradually increasing adoption. I just want to dig into that question a little bit.
Why is it, it depends on the app, isn't that an issue with IDPs? And also related to that, I do recognize the adoption in legacy enterprise systems is gonna take longer, but are we conflating the challenges of convincing them to adopt OIDC rather than adding an additional factor, getting rid of the password on the IDP side? Just wanna get your thoughts around, do we surely focus a little bit more? So is the battle more on the IDP side or is it more on the application side? Very good question. So I think it's a combination of both, to be honest.
Of course I think it's very important to have a really good IDP in place that takes care of the different authentication options and the authorization options for the user. And of course we have the option to integrate applications directly via federated protocols, for instance. And on top of that we have the authentication, which ideally, from my point of view, should be hardware based or at least FIDO based, ideally, and phishing resistant.
And I think what's important is, when I say phishing resistant, we should rely on technology to log on to really make sure that we are preventing phishing or man-in-the-middle attacks. And when we do not use phishing-resistant technology, we always have the risk of trusting the user, or maybe not trusting the user, whatever; that will put our complete IT infrastructure at risk.
Yeah, I think if you talk about IDP or identity management in general, like you've mentioned, we do not only have the authentication, we have all the delegation capabilities and all that. So identity management is much broader, delivers many more features to use, and authentication is one of them. So it's not only, so if you talk about authentication options, we could also talk in the future about face recognition as one feature which might be available. We can talk about voice recognition.
So maybe you don't have the application anymore, but your digital assistant, whatever you have, like Alexa, whatever you use, could do a voice identification with you, or authentication. So authentication is one feature set, and it's a part of the identity management or access management to provide different authentication factors to utilize, but identity management is a broader product perspective. So you also have the delegation concept management. So really different things which you should utilize there.
Yeah, that's a great, great point. I'd say yeah, the first mile really matters in its particular way and the many different last miles really matter in their particular way.
You know, there could be many different channels, like you gave examples of, as well as, like, I'm almost tempted to call it user success, like, yes, user experience. And the question is how to make each kind of user successful for each channel, for each circumstance, for each app. It's like all of those contexts are highly sensitive to conditions, and it's a different kind of problem. The first mile problem is, you know, well, it's an IAM writ large problem, and it should be handled robustly. Right.
I think we can take another question, but this time I'm gonna take an online question because they've been asking a lot of questions but we didn't have time for them, and the most rewarded one is, yep: How would you advise to move on for workforce access in case of a lost or forgotten access device, taking into account remote access? Passwords seem to be a tempting choice. Tempting choice. Could you repeat the question once more? Sure. Good.
How would you advise to move on for workforce access in case of a lost or forgotten access device, taking into account remote access? Passwords seem to be a tempting choice. So if I take that up, I think one important thing, what we mentioned, is we need to learn in passwordless authentication how different processes will work. Yeah. One of them is the recovery process, but we have the options, since we then have maybe more factors, since we have two, three, four different devices with different authentication options, we might use them to recover, since that's what we already know today.
If you log into any service, whatever it is, workforce or customer area, we might have the option to remove unused devices, things like that. And we also have the option to add new devices. So if I lose my smartphone, I can log in with my tablet, with my computer, go to the user profile, remove that, or start a recovery process, and there are other recovery processes which might come into play. Absolutely agree. So from my point of view, this is more an organizational question. I would say of course the different IDPs, identity access management solutions, offer different options.
But what we typically see, at least for customers that are, for instance, home office customers or sales reps that are on the way or maybe VIPs or something like that, they often, at least from our point of view, get a second registered FIDO key, for instance. So if they lose one, they at least have a second key, similar to a car key or house key. That would be an approach. But as I said, it depends a little bit on the identity access management solution, what kind of recovery options they offer. But as I said, it is a process topic and that can definitely be handled.
Yeah, I'm tempted to say good question. My answer is sort of yes, and passwords are tempting, and in fact they're not even an option to eliminate in a lot of circumstances that it seems they're talking about, right, you know, VPN login and, you know, I don't know, RADIUS server and workstations in the workplace, and there's gonna be a password. It's possible to layer solutions on top that kind of inoculate the user from those bad experiences. So, you know, effectively it acts like a one-time password cuz the rotation is managed on the back end.
So, you know, each bit of having passwords is a different attack surface. You know, what is the rotation schedule and, you know, what is the strength, and all those different elements. And so if those have to be present you can sort of pick apart and mitigate those risks separately. Maybe adding one hope to that: today it's like that you need a password on work sessions and all that. But my hope is that since we are moving forward to passwordless, they will also change the technologies, or that we have in future the option to use passwordless there too.
Yeah, definitely. Alright. We have to outlive them. Perfect. We have one more question from here. Yeah. We could circle all the way back to Netflix. You mentioned Netflix and they're trying to force-implement passwordless. I also come from the streaming space and I know exactly why they're doing it, and I can agree that it's a bad implementation on their part, but how could you make it an easier pill to swallow, if you could say it like that?
Oh, since I brought 'em up, I'll take a swing at this.
It's, yeah, it's easy to say that it's something that's been handled rather awkwardly. It's really those surrounding use cases, like you're mentioning, in response to your question, handling things like delegation. They have accounts, and I presume you have accounts for users; it's a different circumstance, and this is where you have to be sensitive to conditions. It's what I think of as a benefit account, right? Somebody is getting a benefit, they have an incentive to share access to that account because it's a goodie that they can give out.
This is where you can be susceptible to first-party fraud, friendly fraud. And that's different from a lot of other use cases where, you know, the account is a have-to cuz you work there, or the account is a have-to because of some other, you know, it's a healthcare organization or whatever.
So in that particular circumstance, surrounding the experience with the right support to let them do what they wanna do, and freaking charge them for it, I mean, you know, there's an opportunity for upsell there if it's handled correctly, and that's why I'm so confused about, you know, what I've seen in their case. Yeah, I think the same.
So if you go there, and so trust my naive, small view, not knowing streaming service providers on the backend, I would say Netflix is talking quite a lot about the revenue, what they're doing, and they want to increase that, and they say account sharing is one issue, but why not take the chance? It's like you mentioned in your presentation, a communication topic.
So basically, why not take the chance and say: family, we know you are doing account sharing; instead of whatever, paying 10 euro, pay 15, so you have a 50% increase in your revenue, and now you have four more users, and the advantage is you do not have five profiles or four profiles there where your father sees what the daughters are watching; you have four or five different users, you have the upsell of 50%, and in the future you could even go ahead, when the daughters move out, you can sell them a different Netflix account.
So you really have the option, by using identity management capabilities and communicating it in a benefit, incentive way, of increasing profit, knowing all the users, using them in marketing and doing more cross- and upselling in the future. Absolutely. This is like, along with retail writ large, passwordless can be part of an actual business strategy, and, you know, that's the most exciting opportunity that I can think of because it will popularize it wherever it's done.
Right, Right. We had some questions here.
No, all right. Yeah, I'm aware that I do know some people that like passwords. Is there any risk that we end up in a hybrid situation where, through customer choice, we're forced to support both, or is there any data to say some people just refuse to move? I think at the moment, yeah, I think there is a risk at this stage because a lot of customers are not really aware of the risk that is coming with the password.
So I think it's our job, the technical advisor's job, to really make sure that anybody is aware of the risk that the password actually brings, and I think if we reach that step it'll be easier for us to move forward. Yeah, I think the risk is there; I think we need the data on that. So if we have the transition and offer both options, we'll see how many users move. It also depends a little bit on how we communicate it. Do we start first with "use password" and then below "now use passwordless"?
Next phase, maybe we'll say "here is your passwordless" and then down below you have "log in with your password" options. Like that you will get the numbers: how many really move onward to passwordless. And finally, it also depends on, like, a cost-benefit ratio. So if finally you have 1 million users and 10 users are remaining with a password, you might eliminate it because then the value is not high enough.
So there's a risk for a hybrid scenario, but it also depends on the ratio moving and then finally on the benefit you're receiving there. We, oh sorry. Okay. We also have to acknowledge, I mean, there's sort of an elephant in the room here. If we're depending on smartphone usage, then there are significant proportions of populations that don't have them. And so we'd better be careful about our assumptions.
What we also need to consider is of course the cost factor of a password. I believe, I think the cost factor is really underestimated, and you just consider what a password reset actually costs. It is. So, like, when you bring things back to the risk discussion, you know, that's very much focused on us. I'm talking about a consumer, maybe an age demographic that has got very familiar with passphrases, and, you know, they may not be prepared to move.
Certainly if your consumer population has an age distribution which is distributed towards the top end, that might be a slower adoption. I just wonder if there's any data saying the pickup of this, you know, I can imagine my 22-year-old daughter jumping at the opportunity to engage in the passwordless experience, but is there an age demographic effect that says some other people will come to this slower?
Yeah, I think what you mentioned also depends a little bit on the use case. So if you have, for example, a streaming service provider, it might be faster because you have a young target group, so then it moves faster, and for others it might be slower. So that will be a transition period. Well, I think we're exactly on time, so please, a round of applause. Thanks everybody. Thanks.