Gartner IAM Thoughts and Observations

Javed Shah

1Kosmos had the pleasure of attending the Gartner IAM Summit 2022 in Las Vegas. It was our first time exhibiting and sponsoring the event. I have to say it was great to see longtime friends, former colleagues, customers, partners and prospects. It was a great feeling to meet people face to face again. As we move beyond our COVID shutdown, it makes me appreciate the things I lost appreciation for. For me, the show was very busy. It felt as though everyone came out just to go meet the folks that they used to be in touch with!

I attended as many sessions as I could, balancing my time between meeting customers at the booth and attending the highly informative sessions.

In this blog, I wanted to share some observations and highlights of the event because I know not everyone had an opportunity to attend.

1. Passwordless is a Day 0 imperative

My first observation was that passwordless authentication was a frequent (or top-of-mind) topic. Gartner VP Analyst Ant Allan has been talking about the end of passwords and the need to eliminate them for years! Based on the presentations and focus of the exhibitors, this is a hot topic. I was happy to see that the discussion has moved past just passwordless and in fact it is simply “expected” now. Gartner took it much further in fact, and described the journey to MFA and RBA (risk-based authentication). And then they dropped the big one: Continuous Adaptive Trust! Learn from the environment. Learn from the user’s previous access and form an opinion about the inherent risk of each new access. I believe this is where the world of user authentication is headed and selfishly, no one can provide Day 0 passwordless as we can here at 1Kosmos. But, yes it’s good to see the market and analysts move in our direction. Also, passwordless is accelerating across workforce, customer, and citizen use cases.

In speaking with attendees, many express some doubt about their ability to achieve the goal of being passwordless or communicate that they don’t know where or how to start. Of course, I was more than happy to talk about our approach and show prospects how it’s not only possible but, with our approach, it’s very practical, and it provides an excellent experience for users. I said it here: passwordless is just the beginning and there is much, much more to come to remove friction from secure user access journeys!

2. Signal Orchestration with Predictive Analytics

Multi-factor authentication is an absolute must these days. That’s nothing new. But what was new is the need to move past a risk-based (RBA) model and into a continuous authentication model. The shift will ultimately mean that authentication journeys will not be preordained as they are today. The industry will move from a stepwise imperative to a desired end-state declarative model!

With the addition of signals, security teams can orchestrate the appropriate journey based on the user and their action. For example, security teams could base authentication on a NIST IAL level. If the user does not meet that IAL requirement, say they are IAL1 presently but they need to be IAL2, then the system would adaptively put them through a journey to achieve the assertion corresponding to a NIST IAL2 level!

This move to a predictive – based on AI/ML – approach to access via declarative journeys and orchestration will be the future of access management. The shift here is that currently security teams already know the signals they are supposed to be looking for. So security is based on what is known. But the world is moving on. The hackers have moved on. We need to move to a continuous model – Adaptive trust. This is another way of saying we need to try to predict when the system might be at a higher level of compromise or threat, and then go and introduce obstacles, sensible obstacles, contextual obstacles, into the authentication journey. That’s really what they were trying to drive towards.
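A sketch of the declarative model described above, as an added example that is not 1Kosmos code or part of the original post: the policy declares the required end state (authenticated, a minimum NIST IAL, a fresh factor when risk is high) and the planner derives only the steps a given session is still missing. Step names, signal names, weights and thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical step catalogue: each journey step declares what it establishes.
STEPS = {
    "passwordless_login": {"authenticated": True},
    "document_and_selfie_proofing": {"ial": 2},
    "biometric_step_up": {"fresh_factor": True},
}

@dataclass
class Session:
    authenticated: bool = False
    ial: int = 1                # NIST identity assurance level already proven
    fresh_factor: bool = False  # a factor was re-verified for this request
    risk: float = 0.0           # 0.0 (benign) .. 1.0 (hostile)

@dataclass
class Policy:
    min_ial: int = 1
    step_up_risk: float = 0.7   # at or above this, require a fresh factor
    deny_risk: float = 0.95     # at or above this, offer no journey at all

def score_risk(signals: dict) -> float:
    """Toy additive scoring over constructed signals (stand-in for a model)."""
    weights = {"new_device": 0.4, "impossible_travel": 0.5, "tor_exit": 0.3}
    return min(1.0, sum(w for k, w in weights.items() if signals.get(k)))

def plan_journey(session: Session, policy: Policy) -> list[str]:
    """Return the steps needed to reach the declared end state, or ['deny']."""
    if session.risk >= policy.deny_risk:
        return ["deny"]
    goal = {"authenticated": True, "ial": policy.min_ial}
    if session.risk >= policy.step_up_risk:
        goal["fresh_factor"] = True  # contextual obstacle, added only under risk
    plan = []
    for attr, needed in goal.items():
        if getattr(session, attr) >= needed:
            continue  # already satisfied: add no friction
        step = next((n for n, p in STEPS.items() if p.get(attr, 0) >= needed), None)
        if step is None:
            return ["deny"]  # fail closed: no step reaches the declared state
        plan.append(step)
    return plan
```

The same policy yields different journeys for different sessions, which is the contrast with a preordained, stepwise flow.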

3. Web3 and the Rise of Privacy!

Web3 was a surprising discussion point. What was clear is that this is in its infancy. Many are talking about specs, requirements, technology, and even implementations, but the strategic imperative is clear.

Web3 is promising a complete redesign of the web as we know it.
Decentralized compute, storage, and always-on application execution will be executed via distributed ledgers.
Everything will live on a blockchain and will have an address. All nodes work together to compute, verify, and record the state change of the tokens (the things that represent value), which will lead to a token economy.
An application called a wallet is the human interface to the blockchain technology stack. It holds the seed phrase, all your blockchain accounts/addresses, the corresponding public/private key pairs, your tokens, and above all, initiates the state change. Early talks of a standard to allow for wallets to work anywhere are underway.

This is just the tip of the iceberg. Web3 promises a utopia where everyone online is a known entity. No more anonymity, but the fundamental principle to uphold will remain user privacy. Users and creators alike will need, and regulations will mandate, a consent-driven journey with sufficient recourse available to users for consent revocation. These drivers will, over time, fundamentally alter the way we engage online. Gartner is already beginning the analysis.

While this is just a high-level view, there was more to the event than just this. But these were my key takeaways. As a PM I already have much of this in production, in development, or on a roadmap. As an organization and the leader of the strategic direction of our platform I believe we are headed in the right direction to help you meet the future demands of your workers, customers or citizens.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.