Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today, for the first time and having just joined KuppingerCole Analysts, is Mike Neuenschwander - and I have to read that out, actually - his role is Vice President KuppingerCole in the U.S. and Global Head of Research Strategy. Hi, Mike. Good to have you.
Hi Matthias, good to be here.
We want to talk about a topic that we have covered earlier with Alejandro Leal, our colleague, and you have written a blog post that comes with the nice title - again, I have to look it up - The Second Law of Authentication Dynamics. And that, of course, is a play on words, a pun on the second law of thermodynamics. But first of all, we want to start by talking about passwordless authentication, because this is the key of that document. So the passwordless authentication, can you start by giving the audience an overview of what passwordless actually is and why it's so important, or is considered to be so important, right now?
Yeah. There's actually a number of technologies that fall into this category of passwordless, and in some cases, they still involve passwords of some sort, right? But really, there's been this coalition of things happening, coalescence of things happening in the market over the last few years, where people obviously have access to a lot better devices in their hands that are capable of doing things like biometrics. They're also capable of creating on their device, for example, PKI material, where you can create a private key on your own phone. And so we're starting to see a little bit more decentralization happening because of the presence of these devices. And in addition, we're seeing governments issue identities, especially in Europe, and that's becoming more common, right? And so these are heavily vetted types of, you know, government-grade identities. And so we're able to take advantage of those as well. And so a lot of companies are looking at it and saying, you know, we don't want to be in the business of issuing a credential to everybody that needs to have access to our resources, right? And so if you can just register one that you already have, whether that's through biometrics or whether it's one of these government IDs or something, then you can start to do very trustful kinds of transactions, like create bank accounts, you know, without having to go into a branch to fulfill that know-your-customer requirement. But, you know, there's FIDO that's happening. There's a lot of other things that are happening around this idea that you can reuse some form of a strong ID, right? And in that case, you don't have to actually create or know a password in order to use it.
Right. If I think back, I joined KuppingerCole ten years ago, and the first time I visited or attended EIC, I moderated a panel with all those experts in the authentication business, and the topic was “How to Kill the Password”. And the result was: the password cannot be killed. We will have to let it starve. And this is the process that we're going through right now.
Yeah, I think so. I think we're still a ways out. It's..., the problem has been something else I mentioned on the blog post, is that the utility of passwords is so much better than anything else we've come up with, that it doesn't -, a password automatically is future-proof, right? As technology changes, as new standards come out. And you bring in a lot of new, and it's happening very rapidly, right. Passwords just have this ability to work in any domain, in any framework. And I think that what happens with the, like the W3C is working on some standards, but then everybody has to adopt that standard in a relatively short timeframe in order for the ubiquity of this kind of a technology to actually make it there.
So what should a passwordless system then look like, to contradict you on that point, to say, okay, yes, passwords are useful, passwords are still there? If I said the same sentence to Martin, he would at least hit me, Martin Kuppinger. So what can we do? What is required? You've mentioned the standards. You mentioned the adoption. What is the way to be better there?
Well, you know, I am still skeptical about whether passwordless is the ultimate endgame here. I think that there are many new and important technologies that still need to make their way. And some of what I was trying to poke fun at, as it were, when it came to the blog post, is just that, you know, maybe we've squozen almost everything we can out of authentication and we need to start looking at other ways to build trust in transactions. Is it enough to just know something or have a certain fingerprint set? I mean, ultimately, just because I can prove that it is in fact me, does that mean you can trust me? And I think that we need to start asking those kinds of questions, because in some ways, the reason I got into the authenticators thing is that I think we're kind of approaching this place where it just doesn't -, where it breaks down. It doesn't make sense that just because something you know, something you have, something you are - that kind of worked for a while, it still sort of does. But it's not..., it’s, we need a new idea. So maybe, maybe passwordless is a nice off-ramp into the next phase of figuring out where identity and authentication belong in an overall trust relationship.
Right. You've mentioned in that blog post that passwordless, and I don't even know how to pronounce it, is the 0th factor. So it would be below the first factor to use. Can you elaborate on that idea a bit? What you mean by that, and how it differs from traditional multi-factor authentication mechanisms?
Yeah. And that can be a little bit confusing, because I first used it to point out that there are times when..., when I'm using certain types of passwordless technology, like I have a Mac, so the way Safari handles it. Basically, oftentimes you end up in a situation where I don't have any of those three factors that are, you know, so commonly referred to in security, right? And so that was kind of like zero in that case. But I also meant zero in the sense that, well, maybe it's time that we just sort of reassess what a “factor” means, and “authentication” in the first place. You know, maybe there's some basic, very base-level 0th, some sort of -, something that comes even before all that, you know, like that there's an identity that exists out there and we can use that as the foundation, the touchstone, for many other types of transactions. And so it's possible that there's a kind of an edifice that we have created around authentication about something you know, something you are, something you have, and maybe it's time to reassess that and say, you know, actually we just need something very base and root level. And passwordless looks like it's headed in that direction.
Right, right. Of course, we cannot talk about your blog post without talking about the second law of authentication dynamics. You drew this parallel between the second law of thermodynamics and the persistence of passwords. Can you talk a bit more about that?
Yeah. As I mentioned, I was watching a podcast and Stephen Wolfram ends up defining entropy in a way that I think I've heard others express. But he was saying that, you know, it's not really a stage in which -, if we think about entropy, we like to think of it as, on the one end, everything is hyper-organized, and if you just let it be on its own, it will dissolve into something that looks less organized. And I think that we -, his point was that that's just the preferred state that it wants to be in. And there's not a good and a bad state. There's not a highly organized and a disorganized, it just looks like that to a human being, right? Because we want structure, and we want everything to be just so. I think passwords obey that law in the same sense that, you know, on the one hand, we're kind of angry at passwords because, you know, they're just everywhere, right? And it looks like a very disorganized state. But in fact, that's the right state that it should be in, apparently. Because that's, you know, the universe has spoken, in a way. And it's not, if we try to squeeze everything, you know, all of the gaseous elements of a vacuum, and put it all on one side of the room, then that's not natural and it's probably not really achievable. So we need to start thinking about, when it comes to authentication and those sorts of things, we need to take into account that there will always be this tendency to go into some more comfortable state around authentication and identity and that sort of thing. So that's a long way around. But I think that I'm just trying to help people who are very irritated by this idea of a password to maybe not be so irritated. Because I don't know if there's a way around it, frankly, but we can do other things. We can put maybe less emphasis on authentication only and put more emphasis on interaction and transaction, relationships, that sort of thing. We can do a lot to bolster that sort of stuff, right?
And then, in the end, we're just trying to figure out how to get people to trust each other and organizations to trust each other, that sort of thing.
Right. But just to be clear, we're not telling organizations not to use MFA. What we're saying is that there will be passwords, but authentication needs to change and evolve in the future. And that's what you're working on, right?
Yeah, and I think that even the notion of MFA is that it's a process, right? So instead of just having one thing at one time, it's a combination of things. So we just need to continue down that road and say, all right. And behavioral types of authentication are also in this vein, right? It's almost like another factor as well, to watch behavioral types of activities and make sure that if you're logging in from somewhere weird at a weird time, you know, that could be of interest from a security point of view. But we need more of that. So I'm saying not so much necessarily even stronger and stronger identities.
Right. And this is a topic that we're currently mainly covering in these fraud reduction and intelligence platforms, which is fraud, which is cyber security, which is governance, which is making sure that nothing bad happens. But you're moving that also into the authentication aspect, into better understanding who we are interacting with, right?
That's right. And that we should be able to understand what a transaction looks like between us, either based on history or on expectation of a protocol or something like that. This is something that we'll be talking about, or I will be talking about, at cyberevolution coming up here in November, expanding on some of these ideas that, you know, it's... we've maybe overly emphasized the authentication portion of the transaction a little higher than we need to at this point. And we need to start looking at the remainder of it, you know, and that it is closed out in a trustful way and that sort of thing. And I think that would be a lot more fruitful.
Right. And you've mentioned cyberevolution, and the discussion will need to continue. Maybe there's contradiction to what you're saying, or maybe there are people who just see it right the way that you are seeing it. But nevertheless, we shall and we need to continue the conversation and use such events, like cyberevolution, like the EIC, for continuing that discussion. And if there are questions from the audience or contradictions, if you want to get in touch with Mike or me, leave your comment in the comments section of this YouTube video, or if you're watching or listening to that on another platform, just reach out to Mike and/or me via mail. Mail is easy to find on the KuppingerCole website, and of course follow up with the blog post that we started our discussion with. If you look for the second law of authentication dynamics, then I think you will be there quickly, and then you can easily reach out to Mike. Any final words, when you think of authentication, authorization and better understanding, before we close down?
Well, really only that I hope that people understand that all I'm really saying and asking for is greater scrutiny of some of these things. I don't have all the answers. I think that this is a very positive direction, the passwordless status is a very important topic. It has been for 20 years, like you mentioned. So I don't want anybody leaving here thinking that I'm against any of this sort of important development. But I am advocating for, you know, let's think bigger even, right? So hopefully that made sense.
Absolutely. And if you think zero trust and the way our whole decision making process takes place there, that's quite obviously the same aspect. We are taking context. We are taking the passport, the identity, the identity assurance level plus the criticality of access. All this together is combined into access decision making. And that's what you are hinting at, right?
That's right. Yeah. That's the whole point. Thank you.
Okay, then. Thank you very much, Mike, for being my guest for the first time. Looking forward to having you soon for discussing more controversial topics, and to still kick off discussions that might not be there without that, and to lead this discussion at cyberevolution. Thank you very much for being my guest today, Mike.
Thank you.