Welcome. My name is Martin Kuppinger, I'm Principal Analyst at KuppingerCole Analysts. I'm here today to talk with André Durand, who is founder and CEO of Ping Identity, about the topic of passwordless authentication. André, welcome.
It's great to be here, Martin. One of my favorite subjects.
Yeah. Pleasure to talk to you again. So we have heard quite a bit about passwordless authentication in the past, I would say, two or three years. So what's your take on passwordless authentication?
Well, Martin, we've been on an authentication journey now for the better part of the last 15 years or so. And so I think our point of view on passwordless is that it's not the Holy Grail of authentication, but it most certainly is the next evolution in the user experience of authentication. And we have a few things that we're attempting to achieve right now. One is that the strength of passwords and the number of passwords obviously has grown. So we are now being forced into password management on the one end, which is friction to the user experience of authentication; it's becoming more difficult. And on the other end, the passwords, because they are essentially phishable or stealable to launch attacks, account takeover and otherwise on our identity systems, are the weakest link, if you will, in the security of our authentication systems. So we have an opportunity here through this notion of passwordless to both improve the user experience and improve the security at the same time. But as I said, I don't believe that it's the Holy Grail of the authentication journey, if you will, the evolution that we've been on. It is a very, very important next step. And I think our point of view is that it's not a product per se. There's no one-size-fits-all. Every company is a little bit different. Different user populations will balance the security and friction and put the trust at different locations. So in highly secure situations, a little bit of friction is okay to achieve higher security. In other scenarios, you might just say, hey, everything lines up and we're just going to let the user in. It turns out it is fairly complicated as well.
Yeah, so I'm with you, it's part of a journey. And we have been talking about the passwordless [...] for I don't know how long, surely way more than a decade. Right now, I think we are getting a bit closer. Still, there are too many passwords out there, too many websites popping up which still have username and password as the standard authentication. Too many passwords and legacy systems. But when you say passwordless authentication is just a step in a journey, what comes behind that?
Yeah. So I actually think we will ultimately move to a system where the systems around us, and that's both the devices, the embedded biometrics and the hidden or implicit risk and fraud signals that we have access to, will become strong enough that our systems will eventually recognize us at certain levels of assurance. Now, we're still a ways away from that, because it's going to require pretty sophisticated authentication systems to mix the signals that I say we have access to: device, location, geo velocity. Are we sure we've seen that device? Are the patterns or the user behaviors the same? All of the signals need to line up. And as I said, the device biometrics like FIDO2, the new standards that are leveraging the embedded platform recognition capabilities, those things ultimately will come together in our various authentication policies to give us certain levels of assurance. And so just ridding ourselves of a secret, the password, doesn't belay the total story of where we're going in recognition. It's not just about eliminating the password. It's about a level of assurance of authentication.
Yeah, what I could argue is, at the back-end we have quite a bit of that. We have had adaptive authentication, risk- and context-based authentication support for quite a while. That is not entirely new, but I think what you're bringing up is a different aspect. That is, we need more signals from the device; we need something which helps us not only to have, at authentication time, a signal which says, okay, this is this device and this is maybe, in the best case, in this health state and Martin has authenticated with a fingerprint sensor, but which also provides continuous signals that help us to understand: is this still the same state, is something going wrong, how does Martin behave, is Martin acting like that? So at the end it's probably gradually moving from an adaptive, risk- and context-based authentication approach, which is mainly handled at the back-end, towards one where device and back-end work very closely together to get to real continuous authentication based on way more signals than we use today.
Yeah. You're exactly right. And I'm a big fan of the notion of continuous adaptive trust. This is the notion that we're essentially combining, at the point of interaction, the trust that we have in the identity of the user, which we typically establish through an authentication event, with the trust and signals that we have about the device being used by the individual at the moment at which they're authenticating and creating a session. What we're trying to do is bring those two things together to build a level of assurance around the user's identity, and evaluate that trust in real time, because the signals are changing in real time, to essentially determine whether we let the user through or not. It's really the Holy Grail of identity as the control plane, and the authentication and the strength of that authentication are important. We need to take the risk and fraud signals on one end. We need to take our authentication policies that map our own levels of assurance and trust to a session and a device, and then ultimately map those through to what is acceptable for users to access, and all those things need to work together much more strongly than they have historically come together.
But are we then really talking just about authentication? Because I think in that case, what you're describing here, this continuous approach and the use of that information, is factually way more than just authentication. I think it inevitably ends up in an authorization approach, where we use it for making authorization decisions that are very granular and depend on the transaction that is currently running.
Yeah, look, you're 100% right. The bigger part of identity is the control plane; authentication is all about step one. Let's ensure that we're interacting with the correct person that we think we're interacting with. But when we're talking about identity as the control plane, the centralized control plane to enable access, now you also bleed immediately into authorization. So continuous adaptive trust is taking the authentication event and turning it from a single event into a real-time continuous evaluation. And step two is feeding that into an authorization engine that also has risk and fraud signals and is evaluating whether or not those risk and fraud signals should continue to allow a policy of authorization to continue. That's a bigger story in the journey of both the authentication experience and the authorization as coupled; those two things come together to enable continuous adaptive trust. But going back to passwordless, one of the other things that we've recognized is that, to achieve passwordless, again, every company is a little bit different; what is an acceptable user experience for one journey is unacceptable for another. And we have a number of techniques that are available to us, ranging from platform biometrics and security keys, both of which are now standards-enabled through FIDO2, super, super exciting, very, very strong. And building upon that, we now have passkeys, the ability to essentially propagate these strong biometrics between our devices, which I think is also going to take a big bite out of passwordless once that becomes the default experience. We also have one-time passcodes, QR codes, magic links, native mobile apps that can initiate those FIDO biometrics.
So when we talk about enabling passwordless across our entire user population, we are also going to need to orchestrate what signals, what passwordless techniques, how do we put those together with what authentication policies, again, to get the right level of security and friction. So there are multiple things that have to come together, but once we get the basics right, this becomes infinitely malleable for companies to essentially improve the user experience and get the right level of security.
And I think the point you are making here also explains why passwordless is just a step on a journey. So, getting rid of the password is important and it's essential. I think you also can't blame users for falling into the trap of phishing attacks when IT still works with solutions that require passwords. So it's not the user who is the problem here, obviously. And so we need to get rid of passwords, and this is part of the journey. But behind that, there is something way bigger. You brought up FIDO2 a couple of times right now, and I think this is something which is still very much underestimated in organizations: it is this potential of FIDO2 to really shift left every authentication strategy. So, not understanding FIDO2 as something I use in my usual approach to authentication. But FIDO2, I think, has the potential for being a bit the unifying, the common denominator of everything we do in authentication, whether we use it in a passwordless authentication system, in a traditional access manager, or with WebAuthn directly to an application. This is really changing a lot and has so much potential. Specifically with what you mentioned, the passkeys. I think it's very important that organizations not only say, okay, I go passwordless, but fundamentally rethink the way they deal with authentication and authorization.
The goal here, as I said before, is not just to rid ourselves of passwords. The Holy Grail is to enable a secure, frictionless experience. On the journey to a secure, frictionless experience, passwords are in the way. They're the weakest link in security, and they're hard for users to remember, and they're becoming more difficult. So, as we think about it, we need to introduce the alternative techniques that can allow companies to authenticate their users without passwords and not use passwords as the recovery mechanism, either. That's also the difficult piece here as well. So, like, start out passwordless as well as migrate users from dependency on passwords to an experience that doesn't require passwords, including in the account recovery phase. So look, it is complicated at the end of the day: are we securing customers or employees? What are we securing? Are we securing web applications? Are we securing a native mobile app? Are we securing the desktop itself directly, from the moment at which you open the desktop all the way through to the web session? And then what techniques are you using, and how are you putting those techniques together, risk and fraud signals combined with explicit user actions like a facial biometric or a one-time passcode or a QR code scan? What techniques are we putting together? All of these things, as I said before, need to come together in the authentication platform to enable these emerging, frictionless and secure experiences.
And for that we need to rethink, as I've said, the way we do authentication, because there's way more going on these days, way more options and potential for really, sort of, also a bit of breakthrough innovation in authentication, which goes well beyond just getting rid of passwords. André, I think we are already at the end of the time we had. So thank you very much for these enlightening insights into what you are looking at, what you are thinking. I think this is great information for all the people listening to this videocast. Thank you.
My pleasure, Martin.