How to Deploy Passwordless Authentication Across a Diverse IT Environment



Video Transcript
Mike Engle:
We are going to kick it off. Today we're here to talk about deploying passwordless technology in complex environments, and we're going to get really into the weeds on what passwordless is and really what we're trying to accomplish, passwordless as kind of a feature. But first, just a round of introductions as to who we have on the line. I'll go first real quick. My name is Mike Engle, head of strategy and co-founder here at 1Kosmos. Long background in InfoSec, so I'm kind of a security geek, but then became more of an identity geek in the past five years or so. All identity, all the time. And Julie, would you like to say hi?

Julie Talbot-Hubbard:
Yes, hi. Julie Talbot-Hubbard. I'm at Optiv leading actually our clients and markets organization, but lengthy background in cybersecurity in the last four years. Specializing in identity and data privacy and data protection.

Mike Engle:
Excellent. And Gopal.

Gopal Padinjaruveetil:
Gopal Padinjaruveetil, Chief Information Security Officer at AAA Auto Club Group. I've been in this position, I'm starting the sixth year and like you said, I'm a geek. I'm an identity geek in that sense of the word.

Mike Engle:
Excellent. Well, so great to have you here. I know we're going to have a fun discussion. Just a couple things, the format of this is going to be a little bit of a visual and some dialogue around it. And if you're looking to meet with any of us in the future, we have monthly webinars we do. In the past we've covered things like decentralized identity and new hire contractor onboarding. There's over a dozen of them out there. Next month we're talking about modernizing customer onboarding, synthetic identity, account takeover, focusing more on the consumer side of things. And I think all of us, many of us on the Zoom will be at some of the upcoming identity events. The big ones are Gartner, the IM conference coming up in March. It's in Texas. And then of course RSA, not necessarily an identity conference, but it's where you go to meet everybody. We'll be there if anybody's there. Give us a shout out. And Identiverse in Las Vegas as well. Gopal. Julie, either of you go into some of these events.

Julie Talbot-Hubbard:
Yeah, both Gartner, Identiverse and RSA. And then also want to put the plug out for the IDSA. They have an identity day coming up in March and there'll be a lot of great information coming out about that, too.

Mike Engle:
Perfect.

Gopal Padinjaruveetil:
And probably same. Gartner and Identiverse, I actually did the keynote at last year's Identiverse on the topic of identity and metaverse, and passwordless, right. So from the customer, so I was talking about how do you do identity in metaverse? So I was a keynote last year in Identiverse.

Mike Engle:
Excellent. Yeah, I think I remember that. So great. And maybe we'll do our next webinar in the Metaverse next month or something. That'll be fun. We'll have our goggles on and everything. So we're going to ask the audience a couple of questions. There's three total, just to keep it interactive a bit. So Maureen, if you could tee up the first question here, which is what percentage of hacks today involve stolen credentials? So you have 65%, 82% or 100%. We'll see where the audience goes with this one. Give it a couple seconds. I heard a really catchy phrase on this topic. It's that hackers don't hack in anymore, they log in. I just love the way that resonates. It is the truth, right? So I've seen in the identity security monitoring space getting really hot. So I'll give this just another second here.

Julie Talbot-Hubbard:
And I think that's what we've seen, just the increase on insider threat, Michael. I mean that's really a big portion of that.

Mike Engle:
Exactly. That's right. Yeah, you can give your credentials if they're not done right away so easily, they may be phishing resistant, but we call them collusion resistant credentials as well. It's a whole new term that we're looking to coin there with our peers in the industry. Great. Let's end this poll, Maureen. And yeah, we got 75% of people said 82%, and 17% said 100%. And that is actually the right answer. So this comes from a piece here that if anybody wants to look it up. Gopal, I believe you shared this one with me. Why does every hack involve stolen credentials? Now I'm sure there's still some of those SolarWinds-y things out there, but you just don't hear about them anymore. It is the help desk got compromised, a credential got stolen and that's what we're here today to try to mitigate and talk about a bit. All right.

Gopal Padinjaruveetil:
Yeah. Credentials have been problematic. And even Verizon, DBIR, everybody, I mean they've been saying that credential harvesting, credential privilege escalation and all those things. So everything without a credential involved, there's not much you can do. So.

Mike Engle:
That's right. If you know who it is, it really mitigates the risk of it, right?

Gopal Padinjaruveetil:
Yeah.

Mike Engle:
And that's what we're going to talk about. So we're trying to get this really simple for today's discussion, but it is a complex issue because you're trying to change the behavior of literally everybody. Some people actually like usernames and passwords. But then when you introduce 2FA on top of that, all of a sudden they're like, yeah, there's got to be a better way. And you need the 2FA, right? That's no-brainer. If you don't have 2FA, you're just asking to get taken to the shed for a good beating.

And so two key issues are how do you make deploying passwordless or modern authentication tools convenient, consistent? And the key theme here is multi-factor, right? Something you have, something you are, something you know. Those types of things coming together. And second is how do you apply that to your business risk? Gopal, before the show started here, we were talking about it's not about cyber risk, it's about business risk.

So you can't apply draconian controls to places that don't need it. You'll alienate your employees, your customers, et cetera. So we call this a custom journey depending on what you're trying to accomplish. All right, so hopefully this resonates and we kept this really simple and we're going to jump in here. But just kind of breaking that down a little bit further. And I just want to ask both of you, is passwordless really the objective? So it's a term, it's everybody's throwing it around now. The platform vendors, you have really amazing efforts with [inaudible 00:06:59] authentication. But do we just need passwordless? Or as I put here, is identity the objective? Julie, what do you think?

Julie Talbot-Hubbard:
No, I mean I would say on the identity and really managing an authenticated identity, I think passwordless is a way to simplify the environment, also reduce the risk. So I look at the passwordless as a method.

Mike Engle:
Yeah.

Gopal Padinjaruveetil:
And I think the whole password came because you needed to identify in a distributed system, right? Way back, I think it was 1980s or 90s when Fernando Roberto started the, when two computers were talking, he introduced this. He is the one who coined the word "password". That was not the objective. The identity is that how do you prove that you are who you claim to be in a digital world? Especially if you're talking about internet, it's a stateless world. And it's a beauty of internet is it's stateless. Curse of the internet is it's stateless. So the clear objective is identity and password is a means to the end. And unfortunately it's not working.

Mike Engle:
That's right. That's, and something that both of you are incredibly familiar with is you have a complex environment. So have you even thought about trying to get rid of passwords everywhere? Some of my prior companies that I've sold to have literally thousands of applications. So we're going to talk about this today, and the best approach. I mean Gopal, how complicated is the environment over there at ACG?

Gopal Padinjaruveetil:
Yeah, I mean I think just like any other enterprises, we have multiple applications, on-premise applications, cloud applications, third party SaaS, right? I mean when you move towards borderless or decentralized world, I mean when you move towards everybody's working from home and I mean everything, there's no more protected perimeters and all those things. So all applications are moving to the cloud. So the environment itself is becoming complex. And there are applications galore, I mean if I can use that word right. So when you're talking about every application, unless you're a B2C where unauthenticated, it's a public facing application, most of the business applications would require identity or authentication in some form, right? So there's a journey that you have to start somewhere, right? So we'll talk about what's the right place to start, but end of the day the goal is to get to the applications because that's what the business users are using.

Mike Engle:
Exactly. Exactly. And then both of you obviously have done a lot of work with both the customer and the employee side and then we've treated those populations different. You have your customer processes over here, your employee processes over here. I will present the case on today's discussion that you can have one way to just prove who somebody is regardless of whether they're a customer or an employee. So we'll dive into that. And lastly, how do I do this without killing my staff? They're already overworked, doing more with less. Julie, like you pointed out, the environment's getting so complex. So keeping it simple, the KISS principle. So first I want to define the term identity, because it's meant different things at different times in the computer evolution and, in fact, in the human evolution really, too. So digital identity from my perspective is actually kind of, we can quantify it today.

And it's how you prove who you are online remotely a username and password doesn't prove anything. So there's some standards that I'm sure many in the audience know that we're going to talk about here today. And they're really important because everything we do in technology is based on standard. Try doing something other than HTTP and see how far you get on the web. And the two coming together are proof of who you are and using that proof over and over again. AKA, authentication. So on the proving who you are, the kind of golden standard for this is the NIST 800-63-3 standard. And what it says is, how do you prove who you are remotely? It's presenting valid claims. I have a driver's license matching your identity to that claim, et cetera. It's very well quantified. And once you do that, then presenting that over and over again.

And up until about five years ago, maybe seven years ago, it was really hard to do these things remotely until the advent of modern computing systems. So not only the smartphone but a high res camera, take a picture of a driver's license, scan your face, those types of things. But also a safe place to keep a credential. Your TPM in phones and in your desktops, laptops, computers is now a safe place to keep a credential. And those aren't the only way. There's smart cards and YubiKeys and all that stuff, but this is what's the big enabler today. And we refer to this putting these two together. NIST 800-63-3, FIDO, and biometrics together as identity-based authentication. And so Julie, since you have so much exposure to so many clients at Optiv, are you seeing these technologies really resonate with your clients?

Julie Talbot-Hubbard:
No, we are. And I think it's also around, we talked more about reducing the risk in the environment, but it's also more on the user experience. And when you think about just the complexity we talked about a bit there, as organizations continue to increase in the multi-cloud environment, I will say I had not heard them talk about decommissioning the old jet. And so that's still out there. So then they've got the opportunity. It could be where you've got systems that are put through MFA, SSO. You've got one kind of password authentication structure and then you've got multiple others. So I have seen mean organizations, I would say I haven't seen any 100% deployed yet across, but definitely moving towards passwordless in kind of a phased approach.

Mike Engle:
Right. And Gopal, I mean you have an amazingly large customer base and of course lots and lots of employees. What are your thoughts on this?

Gopal Padinjaruveetil:
So one of the things that I've been, I mean I think this is becoming the defacto standard and the history of the state [inaudible 00:13:36] is really interesting. I won't go to that, but I think the way that I've been talking about it is carbon identity, which is because we are all human and we need to prove in a digital world. So we are calling it as the user identity, like carbon identity. And then I interact with systems, digital systems through my phone or through my devices or my laptop. So I'm calling this as a carbon identity. So the way that we are moving towards is that not only establishing the human identity and the carbon identity, but we are device binding. And some of the passwordless and this whole world where we are going with the standards is both the device and the authentication together provides a very secure way of identifying who is, right?

Because without knowing which device you're coming from, I mean things can be spoofed. I think we are moving to a world where we are looking at both the carbon and the human and the silicon. I'm calling it silicon, carbon and the silicon. Because computers are silicon. So I'm looking about the overlap or the marriage of carbon and silicon to provide a seamless authentication. That's where we are going towards, right?

Mike Engle:
Sure, yeah. I've never been called a carbon entity before, but I'm with you. I feel very carbon today. No, that's spot on. The human element is the weakest one. We'd make it easier on them and they'll use it and love it. And hopefully we fix some security challenges along the way. Speaking of just segued myself, we've been deploying single sign-on technology since Kerberos in my life, way back in the day. And it seems like we're spreading around the problem a bit. And I just want to build this out here. We have lots of single sign-on systems, which are doing great work. Give you one place to go and pass that down to 200 downstream web-based applications or whatever it is. Unfortunately, we use lots of different authenticators. I call this authenticator sprawl. I just went onto my phone this morning, I swept down from the top to search for apps and I type AUTH and I have eight icons that have start with the word "auth".

This is a problem. I don't have a consistent way to prove my identity. So SSO systems use authenticators to access lots of operating systems and applications. And what this creates is, of course, complexity. So what happens then when you have just look in this pile and the bottom left here, when you have so many different ways to access so many different applications, it creates a lowest common denominator for the bad guys to get in. So when they call the help desk, you can take your pick of which one of these things they can target. So how many authenticators have you seen come and go over the years? Julie, are you seeing a trend with Optiv clients who want to consolidate this and possibly save money? Or is it more about the user experience?

Julie Talbot-Hubbard:
I mean, I would say it's more towards the user experience now, but I can see from a cost savings, and I say that more from a system, but then also a support component too. I can see that increasing as we go through the year. And again, just with the complexity of their environments. But I've seen it more from a user experience today, Michael. But if you think about even this graphic here, we've got multiple SSO systems really going the authenticator, I mean there's organizations today, many of them that aren't from an SSO perspective, they don't have their full kind of application suite infrastructure even going through those today. Many of them have started with still maybe on their compliance or on their key systems there, and not necessarily have that really covering their environment either.

Mike Engle:
Yeah, for sure. Yeah. And Gopal, I mean how many of these have you used in your days at various points in your career deployed or had to wrangle in? And what would it be worth for you to get rid of three of them, to pick any three? SecurID tokens are kind of the gold standard going way back, but they're getting long in the tooth.

Gopal Padinjaruveetil:
And I think if you're working companies that's been there for 100 years, 50 years, so you kind of abide this problem. I mean because at any given point of, because it's a journey. So you will have these things, but we are now, at least from an identity perspective, I'm just flipping the conversations because complexity is unavoidable. So you open the tap in your home and you get water, but what you don't understand is behind that water, there's, I mean if you remember the Flint Crisis, a small change could cause a big problem behind that. There's huge complexity. The users doesn't understand that and users need not understand that. So we are talking about identity through a different dimension that what matters to the business and the users is this concept of trust and experience. I want to trust something and I want to have a better experience.

So we are now talking about identity and authentication, everything that how do we provide that trust at the same time simplifying the experience? That's a language that I want to take to my business leaders, to my board and everybody to talk to them about how do we bring on trust at the same time making it easier for the users to, because it is a friction and whether we like it or not, authentication, that is a friction point. I mean that's not the purpose of a business application, but you have to get through that gate. And we are to make it seamless and trusted for them to actually go and do what they want to do with the business application. So unfortunately, we have made it so difficult. I mean we have been adding friction by MFA, right? Password strength, you need to have eight characters. All these things, you need change your passwords. I mean we have made it so, we have added friction and it's not helping. I mean that's where we want to move to a new way of looking at removing that friction through, but maintaining that higher trust and a better experience.

Mike Engle:
Right.

Julie Talbot-Hubbard:
Well, and one thing I would add, I mean a few things there Gopal. And I agree completely, but I mean if I look back at my career for 15 years ago, I mean I've always said the more complex you make the control, users will go around it or they'll find a way to go around it. And if you think about that from a password complexity perspective, I mean writing down passwords, sharing passwords, using the same password wherever you go. Your one comment on trust, one thing that also I look at as a lot of organizations may use step up authentication based on risk of the user. And when you've got more of that fragmented authentication in your environment, I mean I think it's challenging for an organization to really look at that holistically when they're leveraging so many different authentication mechanisms and really trying to understand where do we use that step up authentication. And then maybe you get more authentication fatigue every day as a user where you're authenticating every time you leave your desk. That's more the friction I've seen I guess.

Mike Engle:
Yep. Yeah, it's seen the authentication go from 15, 20 seconds down to 3 in some of the ways these technologies can be deployed. And it's rare for the security department to get a high five from any user ever, but this is one of the areas where we can make a difference, especially in some of these esoteric systems. So these complex, any Global 2000 company has just so many applications. Of course things migrating to the cloud and being put behind various gateways is helping, but there's a lot of things that you just can't reach. It's hard to reach places with just SAML and OIDC. So you need a comprehensive strategy, and we're going to come up with a suggestion here in just a minute. But what I want to do is kind of flip the script a bit and suggest that you could actually use identity, not an authenticator, to log in.

If you go back to those two standards that we had on the opening slide, if you use identity to access everything, just like you do in the real world, you get pulled over. They don't ask you for your password or a code or what your mother's shoe size was when you were six years old. They ask you for your identity. And so if we can do this and get rid of, consolidate, rethink about these authenticators, it'll make a big difference. And I'm sure everybody in the audience right now is like, all right, well that big red box there really doesn't mean anything to me. What the hell? How do I do that? It's kind of like that internet cartoon where you say a miracle occurs, right? But it is actually very quantifiable. So if we take those standards and break them down to a couple of key things that matter, it's how sure are you of the authenticator?

We call this the authentication assurance level. It's part of the standard. You need an AAL authenticator level two or three. It's just kind of table stakes these days. And most authentication companies can do that. And then when you need to prove somebody's identity, you need the identity assurance level, the IAL side of it, that's the first part of the standard on the left. And just as important, if you deploy a system that doesn't have a privacy first design that you aren't thinking about your employees' biometrics and how their consent is being done, you'll create real trouble. And here's one that I want to tee up in our next polling question is coming here. I'd love both of your thoughts on real biometrics. So we've all come to love and enjoy Touch ID, Face ID and the Android equivalents. Look at your face, unlock your phone, log into your banking.

That doesn't prove your identity. For example, both my wife and my face are enrolled on my phone and I can use it to log into my banking application. So can she, that's fine, but the bank doesn't know who's doing it and then you really can't because it's bound to the device. So the alternative, as I mentioned in the beginning, is you now have an 18 megapixel camera, you've got voice scanners and all this stuff. Do you see a place for that? Are your customers talking about it and thinking about it? And this answer's very different in the US versus abroad, but love your thoughts on that Julie, if you want to kind of tee that one up a little bit.

Julie Talbot-Hubbard:
Yeah, I think I would say we've had some client conversations. I think that there's, with the privacy component and then also more from a compliance perspective, I think we're getting there, but I think there's been maybe more concern around ... More from a compliance and privacy perspective more than anything. When I say compliance, Michael, it's not more compliance to a standard, but it's really around if it's a regulated environment, how auditors, how everybody's going to look at that. But I think there's definitely an interest in that and a need across the environment. I just haven't seen much adoption yet.

Mike Engle:
Right, right. Gopal, your thoughts on may I scan your face to let you in, please?

Gopal Padinjaruveetil:
Yeah. And I think I'm going to be honest with you and please, it's my age. My kids have no problem in using biometrics. But I personally, I mean I think I don't want to end up in a situation 20, 30 years from now because if I lose my password, I can create password. But if I lose my, somebody loses my biometric right? I mean that is where I mean once you're capturing the biometric and all those things and it's converted into a machine thing. So absolutely as an industry, we need to make sure that these are, I mean, a person's biometric information, both from a privacy perspective that we respect, I mean obviously beyond consent. So we need to treat that as sacred and we need to make sure that it is, nobody can get access to that, right?

I mean because we can use it to authenticate. I mean when you're talking about biometric, it's not just face, finger. I mean you can use your voice, you can use, I mean we can even use DNA. I mean there is many ways you can take this approach to [inaudible 00:26:48], but I think the key thing is it is a great way for authentication because it has uniqueness. There's no question whether your fingerprint, your face, all those things. But as an industry, 30 years from now, we don't want to be talking about, oh my gosh, we didn't, I mean, right? This is not going the right direction because there is no coming back at that point of time. I mean that is my, on this topic, I'm a little skeptical because I personally feel that we as identity professional have to think deeply and not make the mistakes really 20, 30 years ago when we started with passwords.

Mike Engle:
Yeah, you're absolutely right. It has to be done. And we've seen some issues with one of the big three letter agencies last year where there was improper use and of face against databases of faces, things like that. So yeah, we'll see how this evolves. It's I think an important tool. I would love that before I let some contractor in Eastern Europe, SSH's root into my AWS infrastructure, that we look them in the face. And that stuff is now possible. So we'll see where it goes. And that tees up the next polling question. Maureen, if you would pop this up, and this is a very simple yes no question. Just like Gopal, would you be comfortable using real biometrics for critical internal applications? Before you log into the domain controller, look them in the face. So this will be interesting. And while we're doing that, I just want to point out one article that came out recently. I saw somebody point out, so [inaudible 00:28:30], this is an article from the UK I think. Said that they're doing some kind of surveillance facial recognition on to determine if something's a rat. I don't know, I saw this and I had to put it on the slide, I didn't digest it, but if they're doing it even for a rats, Gopal, come on. We can do it for anybody. So don't be shy.

Julie Talbot-Hubbard:
One thing I was going to say, Michael, I've seen more this being used right now with clients more like when they're out in the field or if they could be trying to authenticate on an iPad or larger device and just from a user experience is what they're using it for. But I've seen that probably wider adoption thus far.

Mike Engle:
Okay, great. No good feedback. At some states, it varies state by state, country by country, industry by industry. In Illinois, they have BIPA, which has been plaguing a lot of the tech giants like Microsoft and Walmart and et cetera. So we have to proceed carefully. And our stats came in, we can end the poll. It's a 60-40 split. 60 yes, 40 no. And of course there's going to be more yeses on this audience because there's a lot of identity geeks on this call here today as well. All right, so now where do we start based on what you guys have seen and what you're thinking about in your customer's environments or your environment, Gopal. We have reorganized these icons and where we're seeing the most traction at 1Kosmos. So it's the front door remote access your operating systems and your SSO system. These are really the 80-20 of where you spend a lot of time either control, delete, logging in and where the bad guys would probably get the most bang for their buck as well. So Gopal, you want to go first and think about as you deploy passwordless in your environment, where you would start and any thoughts on that?

Gopal Padinjaruveetil:
So I think one of the things that I would highly recommend, that's what we are doing. So do you have an overall cybersecurity or a security strategy defined? And then in that strategy, where does identity and access, and we talked about customer identity, there are third party non-employee identity partners and contractors, and then you have your employee identity. So what is your strategy around identity and access? And then how do you map out? So I think one of the things we have done is for the identity part, so we do have an enterprise security strategy and we have an identity strategy. What we did was we took the identity strategy and created a reference architecture and then we said, hey, this is where we are today and then we want to go to tomorrow. And then that reference architecture and our identity strategy is driving us towards passwordless.

I mean also from all this technologies that we have been talking about. So you really need to understand where you are today, and what is your environment look like? Are you ready for something like this? And how do you move, right? Because Rome is not built in one day, and most of the companies are legacy. I think it was Gartner when it came to identity coin, this really wonderful term called bimodal, right? So there said you need to live in both worlds. I mean for some point of time, I think there was probably 10 years ago when Gartner talked about bimodal identity architecture. So that is where, do you have a strategy? Do you have an architecture? And then you have transitional architectures on here. This is where we are going to go and keep updating that on a different basis. And I think, like I said, remote access login, these are SSO, right?

I mean these are very easy. I would say these are low-hanging fruits if you want to, from an ID strategy perspective. So I agree, typically 80% of the users, this is where the users are going. When I wake up in the morning, I need to log into my machine and I'm working from home. I need to log into before I log, I need to have remote access. So this is where we are today. So this is an easy problem to, I mean this is a low-hanging fruit, but this needs to tie into your larger strategy and the larger direction you want to take your organization too.

Julie Talbot-Hubbard:
So one thing I would just add on that, too, and I agree, Gopal, but we talk about 80% of user logins occur in those. I think another way to look at it too is in terms of what's the strategy wrapped around them, and what are you trying to solve for? So is it the user experience, is that the driver? And if so I think that the one selected or a key, but I also look at there could be new hire, there could be other pieces you include in that kind of first phase. If you're concerned more about from a threat perspective, and how do you mitigate that, we talked about the insider threat, we talked about where still the largest organizations are getting breached. Then you look at to me, where are those passwords, where's that occurring? And I still think that you would still end up probably more on the phase one line there, but you could have some more of the privileged access management and some of those pieces really kind of roll into that, too.

Mike Engle:
And that's a key part of the deployment consideration is if you do one of these, you're basically giving a modern authenticator now to all of your employees or very large population. So then sprinkling it on top of your CyberArk or your Thycotic, whatever it is, it's just another integration that you've done all the hard work already of getting it out to the user. So these downstream ones become much easier once you get started. I know the thousand-mile journey starts with the first step. Yeah, no, thank you for that. One of the deployment considerations that can really crush a passwordless deployment, we've gone into organizations that have bought a technology and a year or two later they just could not get it deployed. All right, looked great. But when the rubber hit the road and we've come in and given them a better path, and one of the reasons that it can fail is when you force a change to everybody at the same time.

If you switch from SecurID tokens to YubiKeys and you have to push them all out to everybody and say, next weekend we're switching over, that's just a terrible example. But if you force passwordless, flip a switch, it's going to fail because you have so many edge cases, things will go wrong. Orchestrating the help desk and all that as well. So this is an example of a real world authentication for one of our clients. This is sitting on top of Ping and they augmented their traditional on the right, Windows User ID password, 2FA would come after that, with a passwordless experience on the left. So you could roll us out to one user while you figure out all the mechanics and things might go wrong or whatever it would be, and then you can roll it out to a thousand the next day. It does not matter because they could still continue to use option A on the right. But option B, once they do it once, they will never go back. And of course over time, the goal would be to phase this out. So in terms of a passwordless deployment strategy, Julie, what have you seen work for some of the clients that you've worked with?

Julie Talbot-Hubbard:
I mean definitely doing it in phases like you mentioned. And then the other piece because it is change and it can cause, I mean again, there can be a lot of challenges or issues and what I've seen when you have those issues when you're trying to do a large scale deployment, once you have some, it's going to take the security team probably much more just political capital to get that moving quicker if you've had those issues. So I think that the phasing is correct, but also the communication and not just communication to the employees and everybody what's going on, but also like you mentioned, the service desk and all those components, I think that's really key. And I also mean from a user group, I mean find a group of users that are going to be your champions across the enterprise and ones that are known for that.

Mike Engle:
Excellent. And how about you Gopal?

Gopal Padinjaruveetil:
And I think my philosophy is choice is good and at some point of time choice is bad. So I think going back, I mean like you said, you want to start with deploying passwordless in parallel. And then I would say nudging users from one to another. I think our end goal is obviously to get everybody to a passwordless world. And I think the adoption is going to be a challenge when you are living in both worlds, like I said, once you have a choice, you can't control what choice a user will go to. So that is where we want to give it, start with choice, but that could technically become a bottleneck. So you need to have a strategy on how am I going to nudge, I mean to drive adoption? Because some people really, I mean no, some people do like to hold your nose like this.

I mean that's if I said that's my preference, who are you to question that, right? So that is where I think we need to start thinking while ... Hey, my gosh, just scan your QR code on this, look at the [inaudible 00:37:59]. It's a no-brainer, right? But there are people who will say, no, I like my old ways. And so that is where you need to start giving them choice at the beginning. But you need to have a strategy on how are you going to drive adoption, whether it's through communication, handholding and maybe subtle pressures, nudging them to get to where you want. I mean that is where, that is the key thing. But as you said, from a deployment perspective, you need to start deploying this in parallel. I don't see any other option.

Mike Engle:
That's right. Yeah. And this has the kind of potential to go viral. So what we've seen is if you're in a conference with a bunch of people and somebody sees the QR code, you whip out your phone, scan it, and one second later they're staring at their desktop and the shmoes to the left and the right are sitting there and they see that, they're typing the way and they're doing the 2FAs out, they will want it. And they're like, how do I get that? Some of our customers have put it up on the screens in their conference rooms, go to this URL and self-provision yourself. So that's a part of the onboarding journey. There's lots of ways that we've seen that cat get skinned. So thank you for that. And we're just really going to hit on one more point before we bring up our final poll here.

We'll make sure everybody gets off before the top of the hour and has time for a refreshing beverage. We won't hold you hostage the whole hour. So another deployment consideration, in addition to doing it in parallel, we call coexistence, is flexibility. So one of the big use cases that we see for large shops, lots of legacy is consolidation of multiple either directory accounts. You know, you have four AD Forests that you need to consolidate. You have UNIX accounts, you have X509 certificates, they all need to be addressed with the same framework. Otherwise you'll have two, and that's what we're trying to avoid here. So a key deployment consideration. And the second one is your self-service password reset. Lots of different ways to do this. The one most common is calling up an 800 number, using your voice or answering some secrets, which of course open up, it's a vector.

If you can use the same tool, press a button, scan your face, reset the password. Now it may sound ironic that you have to reset passwords as you go passwordless, but even if you read Microsoft's guidance or Gartner's guidance on this, as soon as you get rid of passwords, you can't get rid of them all. In 87 days, you're going to need that password again for something. Well what do you do then? You just created possibly more friction. I don't know it, you just taught me to forget it. Now I have to do my benefit enrollment and log in with my AD user password. I just spent 87 days forgetting it. So press a button, set it, you're in, and then forget about it for another 87 days until you get rid of it for good. So again, just mechanics that make the end user's lives and IT administrator's lives much easier. Any of this stuff resonate with you, Gopal?

Gopal Padinjaruveetil:
Absolutely. And I think we are living on the first point, any number of target accounts must be supported. I think we are living in a world of mergers and acquisition. So this is unavoidable that you will over a period of, if you're a company in the, I mean doing an M&A kind of factor with this, you can't, right? So that you need to, this is a given that you will at any given point of time, you'll have multiple AD [inaudible 00:41:46]. Over a period of time, and you need to make sure that you can support both these things and just as a strategy you need to do that. And then I think, like you said, no matter what, you need to have some kind of a legacy passwords. I 100% agree that if you tell people, "Hey, no, don't use your password," and they're not using it for many of the applications, but here I want to use it, you absolutely need to make it easier for them to recover the password. Because otherwise you've added more friction to that. So as part of your, and again, it is self-service, right?

You don't want your users to call your help desk. You want to actually make it easy for them to recover their or reset their passwords through the platform itself. So absolutely, it is an important consideration for people who are undertaking this journey. So I think you did a good job and bringing this point up. It's a boring, I mean, the nitty-gritties of this is boring, but it is an important aspect of the environments that we are living in.

Mike Engle:
Right. And Julie, thoughts on this?

Julie Talbot-Hubbard:
Yeah, I mean I would say I think the legacy password kind of reset support I think is really critical. Again, if you look at the user experience. But your example there, I think more on the benefits there. I mean I think that I would venture to guess there's a lot of organizations that may not even know, or people might not even remember all of these other legacy systems, passwords, frequencies, all of that. So I think that's really key, not only for the user experience, but also for your service desk, help desk, all the kind of noise that could create there too.

Mike Engle:
Yeah, no, for sure. One of our clients, we just had them in to talk to the whole company last week and there's one little tweak that we made to the user experience. He said that was just a game changer. This is the kind of thing that you'll learn over time. And it was one less step in a process. That is what, typically, you see on the consumer side, you dare ask my consumers to click something else. So yeah, mechanics are important. And the last topic I want to make before we bring up a question, the final question, and I have a question for everybody in the audience, do you know who Ned Ludd is? LUDD? Because I bring it up on my third polling question. So if anybody knows who General Ludd or Ned Ludd is, just throw it into the Q and A in there for me.

But the concept of us having different systems for identifying a consumer, a customer, citizen versus a contractor or an employee has been the standard. Let's go build a customer system because it needs customer things. Let's go deploy workforce stuff because there's workforce. You're seeing the industry try to consolidate this, right? Okta buying Auth0, everything Thoma Bravo's doing is heading in that direction. So I think I probably already answered my question, but for the two of you, do you see a way to address the needs with a common either framework, set of reference, architecture, et cetera? These bullets that I put on here are the differences between them. You hand your employees an authenticator, you make them use it, but you have to give your customers 10 options, 2FA maybe in there. One time codes, magic links via email, all those things. So just really no specific question here, but just your general thoughts, Julie, on the consolidation of some of these technologies, because you're solving the same problem.

Julie Talbot-Hubbard:
Yeah, I think to your earlier point about all the different, I would say consolidations of the larger identity players out there today where you see them talking about consolidating both workforce and the consumer kind of identity, trying to solve the same problem. I think that we'll get there. I think as we see more workforce, I mean if you think about just the consumer, the digitalization of everything, especially through Covid, I think that really created a different expectation from employees as well, just based on what they started seeing more as they shopped online than everything else online ordered. I mean just everything online. So I do think that we'll get there. I think it's also, it could be more from the biometrics and as we see some movement there as well. The one part though that I look at from an enterprise perspective is you typically have different stakeholders there too.

And even from an identity team, I've seen organizations that have a consumer identity team could be sitting within security, could be sitting within infrastructure, could be sitting within the digital officer or the business. And then you've got the identity team that's really managing the workforce identity. And they're even disparate groups within the organization. I, and maybe it is more from a framework perspective, but when you start pulling even those teams together, it's going to be needed as well to get them on board on even just business requirements. So you brought up more from a, you can call it, you got their gentle step up options for consumers when you think about who you've got to get on board inside an organization to allow this. Again, it's different than from an employee perspective where it's going to be just maybe pushed to them and they're going to do. So I think it'll come down to also getting alignment across your stakeholders within an organization, too, on use cases. And then also really kind of the level, level of security and trust. They want to establish what their customers and their employees.

Mike Engle:
Excellent.

Gopal Padinjaruveetil:
And I agree with everything that Julie said. I want to just make a small differentiation here. I think what we will see is not consolidations, what we'll see is a convergence. So you're talking about customer IT work for society, I think that I'm going to make a prediction here, maybe that way you'll see, I think that these things are going to converge. Because end of the day, IT is IT. So I think that more than consolidation, we'll actually see some level of convergence between customer, because I am a customer, but I'm also an employee. So that is where, if there's an opportunity for me to us to get that converged. So I think that the architectures will evolve, the industry will evolve towards convergence. So again, we are talking about identity, I mean we started this conversation with identity. Let's end this conversation with identity. I think that we'll see more and more direction towards convergence of identity, whether it's, and we have labels, right? Workforce, customers and all those things. I think that we should and we will see a convergence of this. So that's my thought.

Mike Engle:
No, thank you for that. Thank you for that. And that was kind of the final word. So we're just going to pop up one more polling question here. Maureen, if you're ready. For anybody out there, does your company have a plan to go 100% passwordless? There's really, really two answers, but I put a third one on there. This is where I talk about General Ludd. So yes, we're working on it. Or yes, we do have a plan. No, we're working on it. Or General Ludd, if you ever heard the term, Luddites was a group of people, it was like a secret oath-based organization that came out in the textile industry in the 1800s. And they went out and smashed the textile machines because they were taking away high paying jobs from the textile workers. So if you ever heard the term Luddite, it comes from this fictitious person called General or Captain Ludd.

And of course, nobody wants passwords around. This is obviously a silly thing here, but I just like the picture of the ax and wanted to use it somehow. So yeah, results are in and we have about 8% say they do have a plan to go fully passwordless, but of course it is a complicated journey. It's just getting traction. 85% said they're working on it. That's great. And only a couple people said they worship General Ludd. So we'll see if we can change their minds on this one as well. So we're going to wrap up. We just have one or two questions that I want to shoot out. And the first one, this is a great question, how MFA will work in a passwordless environment? And that's the key, is passwordless typically has inherent multifactors built into the process. So when I walk up to that screen with the QR code and I scan it, I am presenting a digitally signed challenge response and my biometric in one process.

So it's a single touch multifactor experience. And so it's really, MFA is really implied in a passwordless experience. So hopefully that makes sense. And the other question, because we use a blockchain, private blockchain technology to keep identity information safe and easy to share. People ask if they're related, they are not. But most identity frameworks that are proposed in the future do leverage what's called decentralized identity where you can prove your identity once and use it over and over again. So we have a bunch of webinars, we've talked on that topic and we have a couple more coming up. So any final thoughts from either of you before we call it a day?

Gopal Padinjaruveetil:
Yeah, I think I would say that I've used the Chinese curse. We are living in interesting times. So let me, right, so I mean it's really, truly, we're living in an age where, so we are living in interesting times.

Mike Engle:
For sure, for sure.

Julie Talbot-Hubbard:
And the only thing I would say is, I think from just a security professional's perspective is anything that you and your organization can do to reduce complexity within your own environment from a security tooling technology across your IT teams that you need to manage, I think is critical. I'm going to be critical this year and going to the next. And the other I think is that user experience. And you can say, you pull that in to the simplicity, but I also think that that user experience, again, when you design controls, you put controls in, I'm always a big believer if you make them simple, you make them frictionless, your users are going to love you. But more importantly, I think it's going to better secure the environment. So user experience and reducing complexity are key.

Mike Engle:
Perfect. I'll take two. So thank you so much for joining. With that, we are going to call it a wrap and move on to the next Zoom meeting, right? So thank you so much for coming. I really enjoyed the conversation with both of you and we'll see you online and at the next show.

Julie Talbot-Hubbard:
Great. Thank you, Michael.
Speakers:

Mike Engle, CSO, 1Kosmos
Gopal Padinjaruveetil, VP, CISO, AAA
Julie Talbot-Hubbard, SVP, GM-Cyber Protection & Identity, Optiv

This webinar focused on a passwordless strategy for the enterprise, not just the latest federated apps. We covered:

  • Overcoming the timeless tradeoff between security and convenience
  • The benefits of a single-platform approach to a multi-platform environment
  • Using verified biometrics for password reset and legacy 2FA replacement
  • How to achieve interoperability and prevent vendor lock-in
  • Essential tools for Admin and DevOps

Verified biometrics can address some of the most significant gaps in authentication, but what about backward compatibility with legacy applications and disparate operating systems?
