“The password is dead.” We have heard this statement for at least a decade, yet even in 2019, data breaches based on stolen user credentials continue to dominate the headlines. Why do passwords so stubbornly refuse to die?
Well, good morning, good afternoon, or good evening, ladies and gentlemen, depending on where exactly in the world you are currently located. Welcome to another KuppingerCole webinar. My name is Alexei Balaganski. I'm a lead analyst here at KuppingerCole, and today's topic is the passwordless enterprise: building a long-term zero trust strategy. Today I am joined by George Tubin, director of marketing at Transmit Security. But before we begin, just a few words about what KuppingerCole actually is.
We are an analyst company headquartered in Germany, but with a pretty global reach, ranging from the US to the UK, Germany obviously, and all the way down to Australia and Singapore. We are focusing on three major topics: identity and access management, cybersecurity, and artificial intelligence, offering the full range of services you would typically expect from an independent analyst house. This of course includes multiple different research publications, which you can find on our website, covering all those topics I mentioned.
And of course various events, ranging from free online webinars like this one all the way up to major and very well established real-life events, if you will. Our largest flagship conference is the European Identity & Cloud Conference, which usually takes place each May in Munich. But on this slide I can also show you the various topics which we cover in the smaller, more local events here in Germany, in other parts of Europe, and in the US.
So I hope to see some of you personally at one of those conferences in the future. We are controlling all the technical aspects of the presentation, so you do not have to worry about muting yourself or anything like that. We are recording this webinar and we will publish the recording as a webcast on our website, tomorrow at the latest, and everyone will get a link where you can watch or download the recording as well as the slide deck we will be using today.
At the end of the webinar we will have a Q&A session, but you are encouraged to submit your questions as soon as you have them. You can use the questions box in the GoToWebinar control panel somewhere on the right side of your screen. The agenda for today is again more or less standard. I will start by providing you a neutral analyst view on the field of strong authentication and the alternatives to traditional, insecure passwords.
Then I will give the stage to George Tubin, who will be talking in more detail about implementing all those alternatives in a single, consistent technology platform. And as I mentioned, we will have a Q&A session. Without further ado, let's start with KuppingerCole's favorite slide. So this is basically the world we are in now. Everything is connected. There is no longer a perimeter around your organization; your sensitive assets are no longer protected by a single castle wall.
They are everywhere: on-prem, in the cloud, or somewhere on the edge, if you will, in a manufacturing facility, or just moving around the world in the hands of your employees or customers, contractors, or any other humans, or even just smart devices which need to access your data, your applications, and your resources at any time. A wonderful digital, interconnected world.
Unfortunately, with a deep dark side. As you are probably aware, the cost of cybercrime is only growing with each year, and it is expected to double within five years to six trillion dollars by 2021. And as you are again probably aware, the number one reason for all these data breaches is illegitimate access through stolen credentials, and most of those credentials are still passwords. So what can we do to break this trend, to turn the tide, and to reduce the exposure of sensitive data?
Well, there is this general paradigm shift in authentication. What used to be simple, static, and pretty easy, with just one small bit of data to remember, the password, is now considered weak and cumbersome and really a management nightmare, because the more resources you have, the more passwords you have to deal with and the easier it is to forget them, to leak them, or to just lose them somehow through negligence. There are many, many alternatives to passwords nowadays, but the idea, the business drivers behind all of them, are that authentication has to be strong and secure.
It has to be a continuous process and not just a single validation at the beginning of your work session. It has to be convenient for users, to improve their productivity and to reduce friction. And of course it has to be easier for organizations to manage, to reduce the number of help desk calls and so on.
So the question is: if passwords have long been considered weak and insufficient for the modern world, why are they still in use? We have had so many alternatives to them for years. Why are we still clinging to passwords? Basically, the reason is too much choice. You have too many alternatives, and in the end you end up using too many different strong authentication options, be it a smart card, a one-time password generator, any mobile device based authentication, or biometrics.
There is no solution which can address all the requirements, all the platforms, application types, and identities of your users. So in the end, all the solutions which were meant to reduce your complexity and improve your experience do the opposite. Obviously there has been a lot of growth in the mobile authentication area, because everyone has a mobile phone or a smartphone nowadays.
And again, in this area we have gone through a pretty long evolution, starting with traditional SMS or text message based one-time passwords, which are still so popular although long deprecated, because it has been proven many times that they can be hacked and abused by various malicious actors. Mobile biometrics have grown in popularity because, you know, many phones have fingerprint scanners, others can scan your iris or your voice, or any other solutions. Or just use a mobile push notification: just install an app which will replace your password.
Again, the adoption here is growing, but very unevenly and also much less than many would have expected a few years ago, again because of the utterly disconnected nature of many of those alternatives. There are nearly no standards. There is very little interoperability between all those offerings which you find on the mobile authentication market.
Nowadays there has been a lot of talk recently about the FIDO Alliance, Fast Identity Online, which has just recently published a second version of their strong authentication specification. We will talk about them later in this webinar and explain all the advantages and drawbacks of this approach. So there has been some interesting development in standardization in this market, but I will explain why it's not yet quite working as expected. And obviously all the best practices nowadays recommend using multifactor authentication.
That is, a combination of multiple factors. Some of those will be something you have, like a physical authentication device or your smartphone. Some will be something you know, basically your password or a PIN number. And some of those are something you are, like your biometric factor: a fingerprint, a voice, or an iris scan.
The only combination which is considered secure enough by modern standards is having at least two of those factors combined. Any single-factor strong method of authentication has been proven to be, if not entirely broken, at least vulnerable to multiple attacks and other exploits. And you can see there is a lot of overlap with the mobile authentication mentioned earlier. So it's no wonder that mobile based multifactor solutions are popping up in the market.
Some of those are knowledge factor based, like you need an app and a PIN number, for example; others are biometric based, where you need again an app and your fingerprint. But basically you have to have a combination. The next step in this evolution is what we at KuppingerCole call context-aware authentication. There is not yet a universally approved term for this, but basically the idea behind it is that authentication has to take as many context variables into account as possible.
It's not just your password or your fingerprint or any other authentication factor that defines who you are or who you are not, but also other aspects like: where are you currently located? What's your IP address? Is it known to be malicious or not? Is your device protected by antivirus? Are you within a trusted network, for example, or not? Each of those factors contributes to the final decision: can you be let into a sensitive application, can you be allowed to access a sensitive asset, or not?
And all these decisions are driven by centralized policies, meaning that you can use some kind of business-oriented language to define the common rules: which clients, which devices are allowed to access which resources under which conditions. If implemented properly, these policies can be extended across multiple technology stacks. So the same policies can drive your strong authentication on-prem and in the cloud, for Windows applications and websites, and even APIs through mobile applications, for example.
But again, this will only work if you do it right, if you find an appropriate technology platform which can translate those business-friendly notations into multiple low-level technical languages for different systems. So by combining this context-aware authentication process with centrally managed business policies, you get, in theory, a future-proof, extensible authentication framework.
And again, the next step is to start thinking about risks. Some of those factors can be directly translated into risks. If your geolocation says you are in North Korea at the moment, or, for example, you were in Boston 10 minutes ago and you are now in Moscow, we can safely assume that there is something wrong with you.
Thus, you are a risk now. A solution which supports risk based authentication is supposed to take all these risks into account and make them translatable into policy based decisions. This is where risks come into play. Another term you have probably heard many times, or I did at least, is adaptive authentication.
Again, this is something which doesn't have a strictly, commonly agreed definition, but basically adaptive authentication implies that your authentication framework no longer works as a standalone thing. It's tied deeply into other systems, into other aspects of your security architecture and your identity management architecture, and even your business processes, if you will. So basically you have to combine the policy based authentication and authorization I just talked about with threat intelligence systems, which many companies already have in place, like banks and financial institutions. It has to take risk analysis into account, ideally at runtime. It has to work together with your identity lifecycle management system, so maybe plug into your HR system directly, for example. And of course it has to be able to feed the telemetry and all the authentication decisions into your existing security analytics services and raise an alarm as soon as something suspicious or some kind of anomaly is detected.
And finally, the last term I'm going to talk about today is continuous authentication. Again, it implies that the process of authenticating a user is no longer a point in time. It doesn't just happen once at the beginning of a session. If, for example, a user takes his phone and moves to a different location, something has to change, right?
So he may no longer be considered as safe as before. Or what if the user has simply left his laptop and someone else is now working on it? All of these things can happen at any time, and all these things must be tracked, and they must influence the real-time risk score of that identity. And of course this risk score is supposed to have an influence on authentication and authorization decisions.
So if you suddenly move to a different Wi-Fi network, maybe your application has to forget your existing session and force you to reauthenticate. Or the other way around: if, for example, you are working with a banking app and you want to access another area of the app which is slightly more sensitive than before, so if you want to move from looking at your current account balance to actually making a transaction, maybe the authentication framework is supposed to automatically understand the changed risk and force you to step up your authenticated session,
for example with a fingerprint. All this has to happen at least periodically, ideally in real time. But how do we translate all these terms and approaches into a single strategy? Well, you have probably seen the term zero trust in the title of today's webinar.
And yet, although zero passwords does not automatically imply zero trust, designing a strategically sound and future-proof authentication framework is probably one of the cornerstones of any zero trust architecture. On this slide I wanted to highlight the importance of tying user identities, device identities and states, and all those context attributes together. Only this way can you make your zero trust architecture work. Basically, it requires continuous identity governance, device state validation and protection, privilege management, and all those various context attributes tied together in a single platform which is risk-aware, continuous, adaptive, and policy-driven. This is the only viable, the only future-proof approach towards making your strong authentication really strong enough for today's interconnected world. And the big picture:
Again, taking one step back from even the strategic approach: this whole zero trust approach can only work when it ties together all other risk aspects of your security architecture. So not just monitoring your users, devices, and sessions: you have to have tools in place which detect anomalies and threats, which ensure continuous governance and risk analysis of everything which is happening within your organization. And those continuous processes must have direct influence on your response strategies.
If there is a threat, if there is an anomaly detected on your user's device, it's not just a sign for your authentication framework to terminate the session. Maybe you have to raise an alert to your security operations center. Maybe you have to reevaluate the global risk score for that particular sensitive asset. Maybe it's a sign of an ongoing advanced attack on your infrastructure. Maybe it's a sign that you have to change your access policy for the future. Basically, the point is that this process is never ending.
There is no end to this journey towards a zero password and zero trust enterprise. It's a constantly evolving and constantly self-improving circle of life: the adaptive authentication lifecycle, if you will, or the zero trust lifecycle. So the key takeaway from me as an analyst would be: yes, passwords are dead. They were dead long ago, but unless you do something quickly, you end up having a password zombie infestation within your company.
And there are so many choices available to you to replace those zombie passwords at the moment that if you do not approach this change strategically, you may end up driving complexity and costs up, not down. But if you do things strategically, you should really understand that password replacement is not a single task and is not the goal.
It's just one step in your, hopefully not that long, journey towards a fully integrated, policy based, adaptive architecture which will be the foundation of your enterprise zero trust environment. And how to implement this, how to start the journey, how to translate those terms and strategies into concrete technologies and business practices, well, that will be a job for George to explain.
So George, the stage is yours.

Thank you, Alexei. That was a great presentation.
I don't think I could build a better case than Alexei just presented for password replacement. And I think you also did a great job of covering a lot of the considerations that we need to go through for doing this. Let me see here. Okay. So when we think about eliminating passwords, I could go through and talk about all the reasons why, and I think Alexei did a great job of presenting a lot of the reasons why, but I'm really not here to convince you to eliminate passwords.
I think we can agree, as Alexei said, passwords are dead. We've known this; they've been dead. We need to do something else. So it's going to happen. It's not a question of if this is going to happen, it's a question of when it's going to happen and how you're going to go forward with this. So my purpose here in the presentation is more to make you aware of what you're getting into when you do decide to go forward to replace passwords in the organization.
And this is something we've been doing for a lot of large global organizations. We've spent quite a bit of time on it and built a great tool to do it, which I'll talk about a little bit at the end of the presentation. So I want to share with you some of the things that you need to consider when you head on this journey, and how you incorporate all the approaches and recommendations into a single strategy, like Alexei so eloquently said: tying user, device, and context together on a single platform that's risk-aware and policy-driven.
These all make sense when we say it, and we all nod our heads and say, okay, yeah, that makes sense. But how do you actually do it? Because it's not as easy as you would think, and there are a lot of things to consider.
So let's talk through all that. First of all, when we want to replace passwords, passwords are everywhere.
All of our Windows laptops and Mac laptops, virtual environments, clouds, intranet, they all have their own username and password methodology and systems. And we do have some single sign-on that's happening, but passwords are just everywhere. It makes it incredibly complex when you go through your organization and you say, I want to replace passwords, because you just don't realize how prevalent these things are.
And also, we may feel that we have systems that don't use passwords, like maybe the touch device on our laptop, but a lot of these fall back to passwords when that authenticator doesn't work. What we're talking about is true password elimination: not to use them as our first factor, not to use them as our fallback factor, but to eliminate passwords throughout the organization. Now there are also a lot of options to consider when you're going to replace passwords, and Alexei touched on this a little bit as well.
And I think a lot of people are driven by what's happening with biometrics on laptops and on mobile devices. And the mobile device is a great main authenticator.
It really is a great option. Everyone has one; you may be issued one by your company. A lot of companies do BYOD, where people use their own mobile devices. And it's good because it offers very strong binding: there's hardware within a device that can store certificates that can be accessed through biometric capabilities.
And by definition it's a multifactor authentication approach that everybody has with them and is very strong, but we can't have a single solution. There are a lot of other options out there and we have to be able to span all use cases. A lot of organizations don't allow mobile devices. A lot of people may not have their mobile device with them. What about the situation where you're away from a network, or you don't have mobile coverage? What do you do? So there are other types of authenticators that could be used.
And the idea is to decide on the right set of authenticators and use the right ones in the right places. We'll talk a little bit more about how that's done later in the presentation. Now there's a lot more to consider than the authenticators, but if you're going to go ahead and really think about going forward with this, let's try to get this right.
Let's try to build a solution that's really going to take care of a lot of the problems that we've had over time. So we know over the last several years we've had a lot of different authenticators that have come to bear.
Some are very popular and then they go away. Like you look at the iPhone: Touch ID was the way to go, and then suddenly we don't have Touch ID anymore, we have Face ID. And I never thought I would like Face ID, and now I love Face ID.
So our preferences and the types of authenticators change over time. There's a whole bunch of different vendors out there, and those keep changing. Some vendors were very strong recently and now they've been acquired or they're out of business. There are new vendors coming. Microsoft is a strong player in this space, and they're trying to get everybody to move to the Microsoft solution, but there are issues with that.
One of which is being locked in now to the whole Microsoft infrastructure and having them work to lock out other capabilities, as well as some security issues you have. So you really want to have a good, heterogeneous, varied set of authenticators and capabilities. We also work in heterogeneous environments where everybody seems to be moving towards cloud, but we still have a lot of on-prem solutions, which means a lot of companies are in this kind of hybrid environment.
And how do you implement a solution that works across everything? Alexei spent a lot of time talking about risk and context-aware authentication, and how do you incorporate risk into this? How do you integrate risk indicators and really have true contextual authentication?
I think most people feel that the authenticators we have been using are kind of point solutions, where you authenticate just using the authenticator and that's really all that's considered. But we know that's not enough. We know, especially in consumer-facing environments, there's a lot that happens behind the scenes to detect risk and fraud.
And we need to bring that into the enterprise environment as well. How do we do that? And then lastly, it's eliminating complexity. I'm going to show you on the next slide what we've gotten ourselves into, because we kind of hard-code everything in. All our authenticators are hard-coded into applications and devices, and it's not just the coding issue, but there are identity stores all over the place. They all have different frameworks, and we want to make changes to authenticators, to policies.
And we have to do a lot of coding. A lot of organizations at any one time will have several or dozens of identity projects going on just to make some changes to their current identity framework. And how do we simplify that? How do we make that much easier going forward? So this is the slide. I love this slide. It kind of shows what we've gotten ourselves into for our identity infrastructure.
We have all our apps and devices on the top. We have all our different identity services on the bottom, and connecting authenticators, risk tools, devices, and services is really complex. And the siloed approach, where every one of these apps and devices is kind of purpose-built by itself, really leads to disjointed architectures, fragmentation, and long and complex times to make changes.
And we have to move away from this. We have to really come up with a purpose-built approach that eliminates complexity, future-proofs this, and does all those things that Alexei talked about during his presentation, a lot of which I'll reiterate right now. So what are some of the solution objectives once we decide we want to go forward?
What are the things that we want to really achieve? Well, we certainly want to have a stronger security posture, and we want to improve end user convenience: the password resets and forgetting and multiple passwords, we want that to go away.
And I think we all know biometrics is a great way to do that, plus mobile device binding, which I talked about. You combine mobile device binding and biometrics and you have a multifactor authentication approach which is very strong and convenient. But you also want a platform that's very flexible, because, as we discussed, these biometric authenticators are evolving, and what's accepted today, or the set that people like today, may be different tomorrow. We also see very different acceptance levels by demographic and by geography.
So we want to make sure that our platform can account for everything. The threat landscape is changing. We certainly know that the cybercriminals are always trying to break our systems and get by them, and they will. They always do. So we always have to stay a step ahead, and we need a system that's flexible enough to allow us to do that.
And then we also want to incorporate these zero trust concepts. As Alexei said, I really don't like the phrase zero trust.
I prefer something like adaptive trust assessment. I think KuppingerCole uses context-aware; any of those are fine. Adaptive, contextual, I think is fine. But what we're talking about is looking at these layers of device trust: when was the operating system updated? Is the device jailbroken? Do we see malware on the device? Behavioral analysis, where we take into account all kinds of signals, like where are you logging in from, what time of day are you logging in, what day of the week?
How long are you logging in for? We look at authentication level: what authenticator are you using? Did you log in with a different authenticator earlier this morning than the one you're using now?
We look at threat level to see what's happening across the enterprise, and get external data to see what type of threats are being seen in our industry or our geography that we need to account for. Resource sensitivity: what is trying to be accessed? Is it just email, or are you trying to access our internal financial systems or salesforce.com that has all our customer data? We want to make sure that our identity and authentication solution takes all this into account.
Now, we also need to be aware that a lot of large organizations have a very complex workforce. We have folks that are traveling a lot. We have remote employees logging in from home. We have office workers that are on the corporate network. We'll give access to consultants or contractors, typically at restricted levels. And we want to make sure that we account for all of this in whatever framework we build going forward. As much as we can, we want to have a unified client experience across all operating systems. And we also have to support multiple environments.
Not only do we have a lot of different systems and authenticators, but we have a lot of different environments in our organization that we're dealing with, between Windows and Mac environments, different virtual environments, and cloud. We want to make sure we have an identity framework that's not tied down to Google or Azure or Amazon. We want something that can span and be managed in a multi-tenant type of environment.
And then we also have our third party and in-house applications, and a lot of third party cloud applications that we want to get into. A lot of organizations are transitioning to cloud, so we do end up being in this heterogeneous kind of environment. And what they're essentially doing is going to cloud kind of app by app by app. And we need a platform that has stepping stones, so whatever environment it is that we're in, we make sure that we have the support and the capability across everything.
So let's get a little bit deeper into the solution. What does the solution actually look like?
First, it really has to support multiple authentication approaches: FIDO, non-FIDO, centralized authentication. FIDO is great, but it doesn't solve every problem. We have Apple devices that aren't FIDO certified or don't use the FIDO approach. Other third-party authenticators may or may not use FIDO. So we want to make sure that our system can support all of these different distributed as well as centralized approaches.
Some organizations will have a centralized voice store or face image store, which is usually helpful when somebody needs to replace a device, to verify that the person is who they say they are. We also need non-mobile types of authenticators for people who don't have a mobile device, organizations that don't allow mobile, or people who just don't have their mobile with them. And we mentioned online and offline environments, to get into the mobile device or the laptop. We would also like to have a solution that integrates with all our existing identity solutions.
We've spent a lot of time and energy building up our identity infrastructure, and most organizations have multiple identity providers for things like directories, LDAP, single sign-on and federation. So an ideal solution would allow us to continue to work with those identity providers in a very simple way. We also have to work with all the different remote access tools.
We have VDIs and VPNs and whatever else we might use, and the solution also has to be flexible enough if we decide to change vendors for those. We also want something that has extensive orchestration capabilities. This really becomes key; I'll talk a lot more about orchestration on the next slide. We want our organization to be dynamic. We don't want to have to recode all the time.
I think one of the benefits that we need to get out of moving to a passwordless environment is to fix the infrastructure we've had and simplify it, so that when we do want to make changes for whatever reason, whether it's a new authenticator, a new policy, a new device type coming into the organization, or a new application that has come in, we really simplify this and make it much easier than that spaghetti chart I showed. And then we also want to be able to support different user populations using different authenticators.
Now, we can't forget the help desk. Our users are constantly calling the help desk if they get locked out or need to reset an authenticator. We want to make sure that the help desk has access to the right tools, so it can support the organization appropriately from anywhere, for whatever reason.
So the approach that we take here at Transmit to rationalize this is a purpose-built platform that was designed to really eliminate the complexity and that spaghetti chart that I showed. This is being used now by several top global institutions and is being rolled out to others going forward. It's really a whole different take on how to manage identity in an organization.
It does this by putting in some of the layers that we see here. It starts with an identity services hub at the bottom, which connects all these third-party tools, as well as all our different services and applications up top. And then you can use third parties with it, or out-of-the-box biometric authenticators and knowledge-based authenticators. We just have to go that way.
Tokens, entitlement store, LDAP, compliance tools, single sign-on, federation: all of that comes into this identity hub. An identity hub is a concept that we see out there quite a bit, done with different levels of success, but really the real power brought to bear here is the orchestration and the journeys that we have. So we have this orchestration engine, which is a learning orchestration engine that allows for real-time processing and analysis of input; it can profile, it can learn.
It allows for intelligent and adaptive decisions across any application channel, and it takes all these inputs.
It is then really driven by our user journeys to orchestrate authentication. When we look at journeys, the concept of the journeys is really all the identity-related steps and activities for an application that you want to set a policy for.
For example, it could be changing user contact details, checking for authorization, authenticating a user with multiple factors, checking for risk indicators, collecting information from the user, or writing information to a data repository. The user journeys are designed using very easy graphical tools and sit in front of our applications and services.
For example, on a desktop, somebody wants to log in to Citrix. The journey player would be invoked. It would follow the process that's laid out: how to look at risk indicators, how those risk indicators should be measured (maybe taking feeds from multiple different risk sources), working with the orchestration engine to decide what type of authenticator should be presented, looking at the results of the authentication, then provisioning and deciding what that user has access to, and then doing this on a continuous basis for that user.
And what's more, this approach allows us to be much more actionable in our authentication. Rather than authentication just being a pass/fail thing, or under certain conditions pushing out a step-up two-factor authentication, the decisions that can be made here are much more actionable and kind of self-service for the end user.
So there is certainly approve, which really happens most of the time, but we could decide, hey, let's authenticate with a different factor based on the risk indicators and what the employee is trying to access. Let's take an action: maybe notify over SMS, or do a push to mobile for that user. Or we may decide, okay, we'll approve the user, but let's restrict access for that user based on the risk that we're seeing. We can certainly deny access, but we can move a step beyond that. We can deny and say, hey, something's wrong here.
Let's lock the authenticator, or lock the device, or do other device management operations. So the platform allows for much more robust actions to be taken, so that we don't simply deny and then have that user contact the help desk and again get people involved in this problem, but instead take care of the issue at that point in time.
So let me share some results from an example of one of our clients, who just recently shared this with us. Since implementing the Transmit platform, they've experienced a 90% reduction in identity-related questions in the call center. And I think anyone in an enterprise knows that a lot of what the internal help desk does is identity-related questions.
So they were able to achieve a 90% reduction. They were also able to do away with multiple identity and access management tools, a lot of hard tokens, and other tools within the organization that they just no longer needed, for huge savings as well as a much better customer experience. They also had much stronger access controls for contractors, which was something they were struggling with: how do they manage these outside people that they want to give some access to, when they didn't really know how to do that?
The user experience is much more consistent. And the main thing is that they're not hearing all the complaints about passwords that typically happen. So in summary, if you remember anything from this presentation, these are the main points. If you're going to do a password replacement, the solution that you use really needs to support multiple authentication approaches. You may mainly use one, but you want to make sure that there's support for multiple. You want to be able to integrate with your existing identity solutions.
You don't want to have to rip and replace everything; you want to be able to layer in on top of all that. You want to have extensive orchestration capabilities, which pulls in the next bullet, which is integrating risk into the decisions, but you want the orchestration to be very easy. You want it to be policy driven, not coding. So the ability to go in and actually use a graphical tool to make changes is really what's key here. And you also need to integrate with an assortment of help desk tools, because invariably the help desk is not going to go away.
Hopefully you have many fewer identity-related questions at the help desk, which is really to be expected, but we still need to have a solution that integrates very well with those help desk tools. So with that, let me turn this back over to Alexei. Okay.
Well, thanks a lot, George. Let me just switch back to my screen again. Okay. Well, again, thanks a lot. It was an interesting overview of your company's platform, which coordinated very well with the theoretical points I raised in my part of the webinar.
So yes, you are absolutely right. Even for those who believe that they can work with a single authentication method today: you never know what happens tomorrow. The whole point is that your authentication system must not just work today; it must be ready for tomorrow, and you never know what happens tomorrow. Okay. So let's go straight to the Q&A part. We have around 10 minutes left and we already have a couple of questions in the queue. Please submit more; if we don't have time left for all of your questions, we can just get back to you through email after the webinar, for example.
The first question I have in the queue, let me just read it aloud for you: implementing this solution seems like a huge undertaking, so what kind of timeframe should we expect?
That's a great question. We spent all these years building out our internal spaghetti chart that now needs to be taken apart.
So what would an implementation timeframe be? I think what we see is that a lot of organizations essentially end up putting an identity program in place, and they decide to implement the solution maybe by line of business. They'll prioritize internally and make this into an implementation program. Interestingly, with the solution that I showed, we can get something done, implementing a password replacement in part of the organization, for some lines of business, within a few months.
Then we'll move forward and add in other implementations within the organization as we go along. The interesting thing is that some of the organizations we've implemented this in quickly realize that when they now want to make a policy change to their authenticators, or to how they're assessing risk within their identity solution, the time to make the changes is remarkable.
I mean, literally, one of our clients recently told us that a change that would typically take six to eight weeks now takes 15 minutes, which is absolutely amazing. So as this gets put in place, I think organizations quickly start saving a lot of resources, because maintaining the system that was just put in suddenly becomes almost trivial. And then as other systems get put in place, it's a rolling benefit that the organization sees. Okay.
That's probably the most important part of your answer: that you don't have to do everything at once. You can start small and then add additional systems at your own pace. Right.
Right. And the other thing is, because we don't require all these different identity providers to be replaced, we find ways to work with them. That also is quite a help, because you don't want to change everything. So being able to use a lot of the existing infrastructure really benefits cost as well as time to implement.
Okay, great. So the next one isn't actually a question, but let's address it anyway. An attendee is writing the following: I don't fully agree on killing the password. The password should stay until we know better how those new biometric data will be, or will not be, misused.
Well, I would say that your concerns about the misuse of biometric data are absolutely correct. There are a lot of potential problems with that, but I would argue that, first of all, neither myself nor George is advocating for replacing the password with biometrics.
No, definitely not. It's all about multi-factor authentication. It's all about building all those additional layers of context, risk and policy around a flexible framework, where ideally it should not matter at all whether you are authenticating with a password or a biometric or any combination of all the factors; all the rest remains valid anyway.
And of course, nobody in their right mind would say that just using biometrics without any other factors is somehow secure, or more secure, or better. Definitely not, for once you can change your password, but you cannot change your fingerprint.
So what do you do if those data leak in the future? So yes, your concern is correct, but in the bigger picture of a proper authentication strategy it should not be a problem. Right. Yeah.
And I think this will be an evolution toward replacing passwords. I think that we'll reach a point where we do eliminate passwords, just because of all the problems that we've had.
I mean, all the data breaches and all the problems that we have with data theft and identity theft; a lot of it comes back to passwords. But we can evolve, and Alexei, I agree: do all the things that you said that make our authentication much stronger, and move our way toward eliminating passwords.
I think once organizations become more comfortable and see a no-password kind of solution in place in one area of the organization, they could start to move it out into other areas. But I think that looking at this more holistically, including risk factors and simplifying the stack, is really what's important here.
So basically, quote-unquote eliminating the password does not imply that you just replace the password with something equally cumbersome, or whatever; you are completely redesigning and future-proofing your whole security and identity architecture, and eliminating the password is just a nice byproduct of that. Right?
Yes, exactly. Okay. Yeah. Right. Because just swapping one authenticator for another really doesn't do anything for you. Right. Next question. So most of the context here has been about human interactive passwords and authentication, but the majority of passwords are system or machine based. So what about those? What about non-human passwords?
That absolutely has to be considered as well.
And we're actually doing a lot of work in this: API-to-API authentication, and looking at microservices and how we support that as well, because you're right, within an organization, and now with IoT and other technologies, that is absolutely becoming far more important. But again, this is such a big, complex problem that just moving and trying to get it correct and get a unified platform for human-based identity authentication is challenging.
And we have to layer machine-to-machine in going forward as well. That's a great question. Yeah.
And again, you have to think that machine-to-machine communications can mean different things. For example, if I am enabling a banking app on my phone to communicate with my bank, technically it's a machine talking to another machine: it's my phone talking to the banking server. Right.
But I, as a user, just authorize it to work on my behalf. That's one area which requires its own stack of technologies to address, all those authorization standards
like, for example, OpenID Connect and other stuff. A totally different area would be IoT: how do you make a smart sensor in a manufacturing plant talk to a cloud-based analytics solution?
Again, it doesn't have to be password based. There is a lot of interesting development there, with, for example, hardware-based cryptographic identities; lots of stuff, totally outside of today's focus. And there is of course the legacy environment, in which passwords are the only option and you cannot replace them.
For those, you will probably need a solution like PAM, privileged access management. And it has to be somehow integrated with your strong authentication framework anyway. Lots of things to consider again, and we only have a few minutes left, so let's move on. The next question is: what is the right balance between increased security and user experience? I would argue that if you see this as a balance, you are doing it wrong. You should increase both security and user experience at the same time.
And of course it will probably work differently for different environments, applications and services. But again, the first thing you have to consider is your risks, your business risk, and you start from there. But ideally it should not be a dichotomy. If someone would say to you, okay, passwords are better because they are more convenient,
well, I hope I could demonstrate today that there are much more secure options which are more convenient than the password. Yeah.
And I would completely agree with you. I think that the mobile device and biometrics are really helping enable a lot of this move forward.
Certainly, incorporating risk and simplifying the stack is a huge driver. But we've had things like different card or hardware approaches that were much more secure but had a terrible user experience. And I think now we've moved into a place where we do have authenticators that are very secure and have a great user experience at the same time.
So I think that concern, while I would have had it a little while ago, is greatly diminishing.
Okay. I think we only have time for one last question, and I really have to apologize to all the other attendees. We have your questions on record, and George will get back to you after the webinar through email, I suppose. So the last question for today is: does your platform support smart cards as a non-mobile form of authentication? Yes. Okay. That was easy. Okay.
Well, with that, ladies and gentlemen, we have just reached the top of the hour. Thank you very much for being with us in this KuppingerCole webinar.
Thank you, George, for taking part. I am looking forward to seeing you at one of our future events or future webinars on one of these topics. Have a nice day. Thank you. Take care.