So I'll be talking about passwords, and who would really love to get rid of this message? Huh? Pretty much everybody. I can see you folks at home. And if you are reluctant, it's probably, you know, okay, well, what's the alternative? I did a sort of informal survey, just asking around in my non-technical community. I actually talked to normal people as well, even though I'm an identity nerd, and asked them, you know, what are your thoughts around passwords?
And, you know, these were, you know, a summary of the words that came up. And interestingly enough, in the newspaper the same day I was doing this, there was an interview with one of the most famous violinists in Norway. And he said, you know, I get a nervous breakdown whenever I hear "password". And we can relate to this, right?
It is painful. We are putting a lot of responsibility on people. Okay. So what are we being told?
Well, we have to have long passwords. We have to use special characters. We cannot reuse them.
I mean, we're putting all these demands on normal people. And I mean, who can honestly say, "I have a different password on every site I use"? Anybody? No.
Well, somebody, which is good, which means you probably have some sort of algorithm or rules for that. At least I used to do that as well.
No, but anyway, we are putting a lot of responsibility on people, and we forget passwords. We write them down. Somehow we share them. I've seen so many examples where people actually share passwords, and we use common passwords that are easy to guess. And the challenge is, how much responsibility can we put on people? And looking from the service provider side, I mean, it's a security risk. You're storing this information. It's a liability risk. You get support requests on this. And we see there are a lot of break-ins because of this.
And since people use the same passwords, well, we can break in on a weak security site and log in somewhere else. And a lot of credentials have been stolen, and this is a challenge. And already in 1973 it was recognized that, you know, okay, a password will keep out, you know, the average user, but someone who's determined to get in,
well, you won't be able to stop them. So passwords are known as shared secrets, supposedly shared between me and the service provider. The challenge is people share them, either voluntarily or by accident, and they're hacked.
So yes, they are shared, but not very secret. So a password is not a very good way to do things. And also a very important realization: what we are doing with passwords has changed. Originally passwords were to access something.
That's, you know, the password has, you know, celebrated its 60th birthday, 60 years since we got the first password, and they were put there to protect resources, right? So you had a file system, you had an email account or something. So the point was to protect that. So you added a password to make it difficult to get into it. And if you go even further back, I mean, passwords were used to get access to facilities. And anybody that had access to the facility would know the password. And you would say the password and you would get in. Now we're using passwords to prove who you are, right?
Because we are using them to authenticate you, to, you know, apply for a loan, get a bank account, sign a document, et cetera. Not passwords by themselves, but they're an important part of it. And we're still using the same mechanism. We're still using this sort of shared secret, but it's changed from giving access to something, in which case it's not really critical.
Well, if I have a file system and somebody else needs access to my file: hey, here's my password, you can access the file, no problem. But if I'm also using the password to sign a document, well, then suddenly that person can impersonate me, which is a challenge. And of course, from all this we recognize, well, passwords in themselves are not enough, because they're so easy to guess or reuse or share. So we started adding some mitigations. And of course, one of them is the password manager. And I guess most of us are using some sort of password manager to keep track of all these passwords.
I mean, a three-digit number of passwords. We want to automatically generate them. And of course, then we can have different passwords on all the sites. How easy are they to use?
Well, the challenge is all these sites with all the special characters, the upper and lowercase, and some sites don't allow spaces in the passwords, and then you get an error that doesn't make sense. And, you know, all this mess with the complex password rules, which, by the way, should be taken away. So if anybody's using complex password rules, you know, uppercase, lowercase, special characters and dead squirrels in your password, get rid of them. The only thing that counts is a long password. But this helps. But how easy are they to use?
I mean, I'm a professional on this, and still, you know, it's not always, you know, easy. The integration is not always good, and it doesn't really address the problem. We're still using the passwords. We're just changing the way we're using them. And, well, Gartner was not the first one to say that passwords themselves are not enough, which, oh joy, we get multi-factor authentication. So not only the password, but then I have to do something else. And of course we all love that, right? I log in.
And then either you have to pull out a, you know, a device thingy or, you know, a card, or you get, you know, a text message on the phone. You know, it adds to the burden of the user again. And we're still using text messages a lot. I think I used this slide at the EIC conference at KuppingerCole in 2017, which was when this article came out, that it was, you know, really easy to capture these text messages. It's still being used a lot. And of course it's still better than not having a second factor, but it's not secure.
Don't trust it, because it's not really that hard to subvert the SS7 protocol and get access to them. So, but we have the second factor, which is, again, the reason we have the second factor is because the first one isn't good enough. And it's also mandated by PSD2. So if you are in the financial business, you're doing monetary transactions, PSD2, the Payment Services Directive, mandates that you have what they now call SCA, strong customer authentication, which means the second factor. So it's getting there, and the challenge is what we're trying to work with.
You know, we're saying, well, hey, don't use SMS because it's broken, or text messages because they're broken. And, you know, we don't want to use passwords. And the complexity, the problem is that, you know, using a password together with a text message, it's so simplistic, it works for anybody, any good old stupid phone, it's gonna work, nothing to set up, nothing to prepare.
And this is hard to compete with, with all the solutions where you have to install a special app, or you need to have a real smartphone, and, you know, all these things I'm gonna talk about now when I'm moving into passwordless. It's difficult to compete, which is also why passwords are so stuck with us. So passwordless. Hey, we all agreed. We want to get rid of the password. We don't want to have this thing we remember to prove who we are. And I mean, even Bill Gates said this, and this is now almost 20 years ago, right? The password is dead. Try to Google "password is dead".
You'll find a ton of articles. Google "is the password dead". Hardly. We still use it pretty much every day.
And again, the reason is because the mechanisms we have are so simple. Again, an illustration from Gartner illustrating a lot of different mechanisms. I'm not planning to go into details, but saying, you know, it's something based on knowledge, something you know; it's a token, something you have; biometrics, something you are. You're then combining this with signals, et cetera. So there are multiple ways of doing this. So on one hand, we want to make it secure. We want people to be able to prove who they are.
On the other hand, we want to make this secure, and a prediction also by Gartner is, you know, that a large number of enterprises will be using passwordless in more than half their use cases. We'll see. In most use cases, passwords are still involved, and we still want to get rid of them. I have one very good example though, of passwordless. And I was sort of intrigued by that. You know, when you use your credit card contactless, if the amount is over a certain limit, well, you need a PIN code, or if you accumulate more in a certain time.
So I was intrigued when I was paying with my Apple Watch. I was never asked for the PIN code. I don't know if anybody thought about that. If you use Apple Pay to pay and use your watch, you're never asked for the PIN code. And I started looking, and it's interesting because, again, back to PSD2, it mandates that you'll have to do that if it's more than a certain amount, and I paid much larger amounts. The reason is this. If you look at the receipt, it says "verified by cardholder device". What happens?
You put it on the Apple Watch, you enter your PIN code once, and you don't have to do it again. So now the Apple Watch knows it's on my wrist. If I take it off, if Matthias now steals my watch and tries to pay with it, well, you can't, because the first time you need to enter the PIN code. As opposed to my credit card: if you take my credit card, well, you can tap it, but then you have the limit. So this is one example with the device bound to me as a user. Something to think about, and the implication is: do you really need to be your own identity provider? Do you need to do this yourself?
There are a lot of eID solutions out there. This is just a sample map of Europe with the different identity providers. Coming from the Nordics, we use this a lot. We have the BankID, which I use. I mean, the Norwegians, and the Nordics, use them between five and ten times per week for all kinds of different purposes. And we see that's coming in in other countries as well. Okay. So this is not really sort of passwordless, but you're outsourcing it to somebody else. You're saying, well, why do I need to worry about the authentication?
Let the professionals do it, let the eID providers do it. And of course, at the bottom right corner,
well, we have Facebook. A lot of places you can say "log in with Facebook" and Google. Well, I wouldn't do that for privacy reasons, but the convenience is there.
I mean, you're reusing something that's created already, but yes, there are a lot of mechanisms for that. The mobile ID solution, I think we're seeing more and more. Instead of using a text message, you're using a secure back channel. You're linking the device to your account, which means there's somewhat more work when you're setting up the account. You need to install some software, you need to do the account linking, et cetera. The good thing then is that you can make this passwordless.
By going to a website, you enter only your identifier, which may be your email address or a unique number or something. The device pops up and says, hey, you're trying to log in to this site, please confirm. And you confirm it. Completely passwordless. And we see this coming more and more, both as standalone apps but also built into, for example, the banking apps, which we are working a lot with. And these are really strong.
I mean, they have the jailbreak protections. They have, you know, all kinds of security measures to prevent this from being copied, et cetera. The challenge, of course, is it requires a fairly modern device. Does everybody have that? Again, competing with a good old stupid phone and a text message, which is, it is a challenge. Of course, more and more people have advanced phones now, and we're using biometrics.
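The device-bound, back-channel login the speaker describes (type only an identifier, the linked device asks "is this site?", you confirm) can be reduced to a small challenge-response protocol. The following is an added example written for this page, not code from the talk or from any vendor mentioned in it. It assumes the device generates an Ed25519 key pair during account linking and that the server stores only the public key, so there is no shared secret left to leak; the origin names, identifiers and the 60-second validity window are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the server pushes to the enrolled device over the back
// channel after the user has typed nothing but an identifier.
type Challenge struct {
	Nonce   string    // single-use random value
	Origin  string    // the site the user is trying to log in to
	Expires time.Time // short validity window
}

func (c Challenge) bytes() []byte {
	return []byte(c.Nonce + "|" + c.Origin + "|" + c.Expires.UTC().Format(time.RFC3339))
}

// Device models the phone app. The private key is generated at enrollment
// and never leaves the device (assumption: a hypothetical app, not a real one).
type Device struct {
	priv   ed25519.PrivateKey
	Linked string // origin the device was linked to during account setup
}

func NewDevice(linkedOrigin string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, Linked: linkedOrigin}, pub, nil
}

// Confirm is the "you're trying to log in to this site, please confirm" step.
// The device refuses to sign for an origin it was not linked to, so a
// phishing site relaying a genuine challenge gets no usable answer.
func (d *Device) Confirm(c Challenge) ([]byte, error) {
	if c.Origin != d.Linked {
		return nil, fmt.Errorf("refusing login to %q: device is linked to %q", c.Origin, d.Linked)
	}
	return ed25519.Sign(d.priv, c.bytes()), nil
}

// Server stores public keys only; a database leak yields nothing to replay.
type Server struct {
	Origin  string
	devices map[string]ed25519.PublicKey // identifier -> enrolled device key
	pending map[string]Challenge          // nonce -> outstanding challenge
	now     func() time.Time              // injectable clock for expiry checks
}

func NewServer(origin string, now func() time.Time) *Server {
	return &Server{Origin: origin, devices: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}, now: now}
}

// Enroll is the one-time account-linking step done when the app is set up.
func (s *Server) Enroll(id string, pub ed25519.PublicKey) { s.devices[id] = pub }

// StartLogin takes the identifier only and issues a challenge for the device.
func (s *Server) StartLogin(id string) (Challenge, error) {
	if _, ok := s.devices[id]; !ok {
		return Challenge{}, errors.New("no device enrolled for identifier")
	}
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: hex.EncodeToString(n[:]), Origin: s.Origin, Expires: s.now().Add(60 * time.Second)}
	s.pending[c.Nonce] = c
	return c, nil
}

// FinishLogin verifies the device's signature. The nonce is consumed whether
// or not verification succeeds, so a captured response cannot be replayed.
func (s *Server) FinishLogin(id, nonce string, sig []byte) error {
	c, ok := s.pending[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, nonce)
	if s.now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.devices[id]
	if !ok || !ed25519.Verify(pub, c.bytes(), sig) {
		return errors.New("signature does not match enrolled device")
	}
	return nil
}

func main() {
	srv := NewServer("https://bank.example", time.Now)
	dev, pub, _ := NewDevice("https://bank.example")
	srv.Enroll("alice@example.com", pub)
	c, _ := srv.StartLogin("alice@example.com")
	sig, _ := dev.Confirm(c)
	fmt.Println("first use:", srv.FinishLogin("alice@example.com", c.Nonce, sig))
	fmt.Println("replay:   ", srv.FinishLogin("alice@example.com", c.Nonce, sig))
}
```

The three checks worth copying are the ones a text-message code cannot give you: the response is bound to the origin the device was linked to, it is bound to a nonce that is consumed on first use, and it is signed with a key that is never transmitted, so neither the SMS interception nor the credential-stuffing problems from earlier in the talk apply.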
Well, hey, that's the holy grail, right? We're solving everything with biometrics. We're using a fingerprint or Face ID. Most solutions are using local biometrics. Does that prove who I am?
Nah, it proves who set up this phone. It can be made very secure.
Again, some challenges. Biometrics currently, there's a strong bias.
I mean, I'm in a demographic where, you know, it will normally always work. If you look at other demographics, we've seen a lot of challenges where it doesn't recognize different faces of different skin tones, et cetera, which is a big challenge with this. And then again, one of my favorite tweets, I just have to show you, on biometrics. We think biometrics is so secure, right? And I think this is a really good example of, you know, we need to be careful about trusting that biometrics is always proving who is there: this kid picking up his dad's phone while he's sleeping, watching Disney Plus.
And hey, I used your MLA. Are you still sleeping? Right. Just want to mention in passing, because I think it's an interesting concept. I've talked to him a couple of times; he's working on this concept of pictures. So instead of passwords, pictures: you upload a number of your own pictures. This one then shows a random sample of your own pictures and other pictures, and you just need to click your own. It hasn't really gone widespread, right? But I think it's an interesting concept, and you will immediately recognize your own pictures or images, and nobody else will probably be able to do that.
Okay. So the future, where are we going with this? We need somehow a mechanism to prove who you are that's better than knowing something, because knowing a password doesn't prove who I am. So really what I want is that my device knows it is in my possession: my cell phone, which I'm carrying on my body, now recognizes the way I move, et cetera. So if Matthias now takes my phone and runs away with it, the first thing my phone is gonna say is, hey, running? Generic never runs. This can't be him. Right? And in addition, it disconnects from my watch, it's gonna connect to a different Wi-Fi.
All that is gonna be a really good solution for the future. We've done some experiments with it. Technically it works. A couple of challenges: battery life. If you're gonna do this continuously, you're gonna need to charge your phone every hour, which is, you know, not what we want. And also security on iOS, on the Apple side, which isn't allowed to do this in the background. But I think we need to see this coming. And then, of course, if you combine that with pulling in all the signals from the server side: what browser are you using?
What kind of device? What's the language? What's your IP address? What time of day?
I mean, if the system found that Generic is trying to do a monetary transaction at three in the morning, it's gonna say, nah, Generic is always sleeping at three in the morning, so that's not him. You know, all these kinds of signals. So combining that.
So, I mean, that's what I think we are looking for. And I also saw a very interesting presentation related to this, and I was immediately thinking about my Apple Watch. Somebody was looking at heart ID, so not your pulse but your actual heart curves, which is gonna be pretty hard to fake for somebody else.
And this is then, you know, a way of binding the device to me as a person, which means, okay, the device knows it's in my possession. Why bother me anymore?
So again, as a summary, and I also want to mention, we always think about smoothness. It needs to be so smooth, so frictionless and everything, but is that always true? There are cases where I expect friction, and especially if I do, for example, a money transfer and the value is high, I would expect more friction. So something to think about: there are situations where you actually want to introduce some more friction to show that this is a secure solution. So in summary, passwordless: well, why not use an existing identity provider?
Let them, the experts, the bank, yes, Verimi, whatever, work on and solve this problem instead of everybody being their own identity provider. Look at the mobile ID solutions using out-of-band security, binding the device, and then keep an eye out for, you know, expanded or new innovation.
And again, I'm still looking forward to the time when my cellphone knows it's in my possession and not Matthias running away with it. And again, remember, the challenge we're trying to solve is binding a physical individual to my digital counterpart. Thank you.