Password Reset with LiveID
Join Robert MacDonald, Javed Shah, and Sheetal Elangovan for an IBA Friday session! They will be discussing password resets with LiveID.
Video TranscriptRobert: Hello everybody, welcome back to our IBA Friday, and we've got myself and Javed. Hi, Javed, how are you doing?
Javed: Hey Robert, how are you?
Robert: I'm good. And for those of you that are paying attention, I don't know if we talked about this before, but Javed, his background looks a little bit different because he moved, he's no longer where he was before. He is in a new state.
Javed: Yeah, I'm in Chicago now, in Illinois.
Robert: Very, very good. Welcome to the Midwest.
Javed: Left California for good.
Robert: There you go.
Javed: Loving Illinois.
Robert: Well, we still appreciate our fans in California. Hi, California. How are you doing?
Javed: Yes, yes.
Robert: And we've got a returning special guest. Sheetal, you're along for the ride again today. How are you doing?
Sheetal: I'm good. How are you Robert?
Robert: I'm doing very well, thank you. Thanks for asking. Javed didn't ask me how I was doing, so I appreciate that. So today everybody, we are going to talk about passwords, and you're probably thinking to yourself, well Rob, Javed, Sheetal, why would you do that? Because you're a passwordless company. And that is very true, we are trying to rid the world of passwords. However, as organizations transition to a passwordless environment, there are going to be technologies that can't go passwordless. And because of that, there will still be passwords, and as a net result, because you did take your company passwordless, anytime somebody has to use that said password, they're going to forget it, which means that they're going to have to do what, Sheetal?
Sheetal: Password reset.
Robert: That's right. Password resets. Or password forgots. So when you forget your password, you need to reset it. And there are ways in which that people go about doing that today, there are self-service password reset technologies that you have to buy, typically on top of everything else that you've purchased to do multifactor authentication or to manage passwords. It's another cost. But one of the cool things that we've done here is we've made it part of our platform. Right, Javed?
Javed: Mm-hmm. Absolutely,
Robert: Absolutely. So in doing so, you can use all of the goodness that we have here at 1Kosmos, like Live ID, as an example, to reset your password. And Sheetal, you're going to show us a little bit of that today, right?
Sheetal: Mm-hmm, I am. So I'm just going to show you a quick snapshot of how we actually make it easy for an enterprise to do password resets with us. Typically, if you have a user who's lost their password, or they can't remember it, or they can't remember the policy that you need to use to reset your password, then the first thing you'll do is you're going to call the help desk. And of course, we all know about the cost of running a help desk. So instead, what we've built out is to make sure, on our product, you are able to support a self-service password reset that is completely secure, meaning anybody who's doing it is doing it through an authenticator that has been onboarded. So in our case, you're going to be using the BlockID mobile app. What we do is I'm going to really quickly share my screen, Rob, so we can take a quick look at what I'm talking about. Are you able to see my screen?
Robert: Yep, we got you.
Sheetal: Okay, so we have the control plane. The control plane tells you, do you want this directory to support password resets? And we support Active Directory, Azure, any kind of internal DB that you're using in-house. We're able to tell you, when a user is performing a password reset, what do you want them to use? Do you want them to use live ID? Which is your live biometrics, meaning your face or your biometrics that you used on day one when you were onboarding, or just a simple face ID or touch ID. What do you want to use to make sure that you are validating that user before you allowed them to do a password reset? You're also able to define some sort of password policy restrictions so that you want to let the user know, hey, you're probably not headed down the right way, when you are trying to reset their password.
So the control plane makes it very easy for you to set up, either to enable a user to do a password reset or you're now disabled and tell them, hey, you can't use your mobile app to do this. But now let's say you've already done all of this and you have your BlockID mobile app set up as an authenticator. Then what happens?
Every customer who comes in, or every end user who comes in, opens up the BlockID mobile app and they're going to find their linked account or persona on the app. So this is my account. I've linked my account here and you can see I have a little reset password right here. Once I hit reset password, because this particular account has been configured to prompt for live biometrics, I am doing a quick live ID here. So even before I get at the screen where I'm being prompted to enter my password, I have live biometrics here. You don't need to call help desk. This is as good as it gets, right? And then I can go ahead provide a password. You can't see it here because it's part of screen recording, but I am providing a password here and I'm confirming my password here.
You can also optionally present some text here, which gives the user some information about, hey, a reminder. Usually, I always forget what my password is, so it's just a little tip for your users just to remember what their password policy is. So you can go ahead and plug that all in and that's it, your users are done, they're ready to password reset, and just says successful, they can go ahead and log in with their new password. The amazing thing is it works even with an AD password reset, which means when you're logging into your Windows laptop, if you've forgotten your AD password, you can use this to reset your password.
Robert: That also, as organizations move to Windows Hello for Business, as an example, you need that password the first time you use a laptop. So when you get that new laptop, you have to enter in your username and password to be able to enable Windows Hello for Business, you're going to have to reset that password because after three years you're going to forget what that was. So this stuff all comes in handy for organizations that are looking to roll out passwordless environments, even within their own, the Microsoft ecosystem and then beyond that. It's a pretty powerful tool.
Now, just a quick note, Sheetal, can you tell me, I know that the last time I had a password reset tool, a self-service password reset tool, when I was at a previous organization, I had to be inside the network to make that happen. So if I was away on vacation and my password expired while I was away, I couldn't log in to the VPN to be able to reset my password. Is what we're doing here, is that the same thing? Do I have to be inside a VPN or inside a network able to do that? Or does this password reset work within the app and then it automatically shares out so I don't have to call the help desk, essentially?
Sheetal: So you don't have to be within your corporate network in order to be able to perform a password reset. What we're doing behind the scenes is because you've onboarded this authenticator as a trusted device, we are able to trace the entire password reset. So at the time of performing a password reset, what is the device that the user was using? What is the IP address of the device? And some critical information about the device itself that's being used. Plus we're able to tell, what is the factor that they user used? Did they use biometrics? Did it pass? Did it match with the face that they used initially on day one of onboarding? So all of that information is traceable, so you know it's pretty secure for a user not to be on the network and just use their mobile app from their trusted authenticator to perform a password reset.
Robert: Yeah, for sure. The last thing you want is a bad actor getting into your self-service password reset capabilities and then changing passwords without anybody even really knowing. Because if you change the password, there's no checks and balances to make sure that it was actually the user that wanted to reset the password that's resetting the password. So by implementing something like our live ID where we're verifying the identity of the user to make sure that it is Rob or it is Sheetal or it is, heaven forbid, Javed, that that's the person that's actually requesting the password reset. So that, at the end of the day, much like our authentication, is the most secure way to ensure that the user requesting the activity is the user requesting the activity. And that's super cool. I'm glad you showed that to us, Sheila. That's a pretty slick piece of technology that we've got there. Javed, anything you want throw in on that? I think this might be one of our best and shortest IBAs ever.
Javed: So good question. The VPN was used as a great proxy for security. See how those things happen? The original of obviously a virtual private network is to probably guarantee secure access to assets within the network and it grows to become a proxy for users over time. So I think we just take that problem away. We gate this with live ID, person gets to obviously successfully verify who they are, they are indeed the end user on which the persona is registered, and be able to reset password. Obviously the next journey here would be to have password policy complications on a per organization, per application, so to speak, basis. We also accommodated here, somehow in combination with the control plane, and that's what we are working towards next. We have that on our roadmap to be able to make this more application aware and it'd be more enterprise password policy specific, right?
Robert: Yeah. The big thing here too is that, and it shouldn't be taken lightly, is the experience that we've just shown here too. If you think about resetting your Windows password, it's a control, alt, delete, reset password, and then you've got to make sure that everything that needs to be connected properly, if you're working from home, is connected properly. So there's probably a VPN that has to happen with a one-time password to try to get all of that set up, just so you can go in and reset that password. Where you open up the app, click reset password, scan your face, enter it in, and you're done. The experience behind all that, the steps that you've just saved, the time that you've just saved, is pretty significant. And it's straightforward enough where the help desk calls should all but evaporate.
Javed: This is a great interoperability story. Also, Robert, you and I have done a couple of shows already on the various four or five stages of eliminating passwords, right?
Javed: Just think about this. You eventually run into an application that requires some initial password to even begin the journey for an end user. So it's truly not possible to go fully passwordless. If you're an enterprise worth at salt, you've probably had acquisitions, you probably have legacy applications, you have no choice, even though you may be adopting and moving to a passwordless strategy, you're also not abandoning users and applications, that's vital functions that just happen to be on the legacy side of the house as far as authentication is concerned. So we here at 1Kosmos, we are not building solutions just for the future, clearly, as our IBAs demonstrate, we are truly thinking about both the brownfield as well as the greenfield applications. If you have a persona which maps to an account for an enterprise, it makes complete sense to have a password policy protected reset password that is driven by the end user, gated by live id.
Robert: That's what this is. And then we can ensure that it is the user, it is the persona, it is the user that owns that persona, that's actually resetting the password, which is pretty cool. All right, Sheetal, every time you come on, you always show us something cool, so hopefully you're back developing something else that you can show us next time.
Sheetal: Of course. I'll be back soon, Robert.
Javed: Great demo. Thank you, Sheetal.
Robert: Good. Javed, sorry, go ahead.
Javed: Great demo. Thank you, Sheetal.
Robert: Yeah, absolutely. All right, that's it everybody. I appreciate it. I know, I think last time we chatted we promised that we're going to talk about passkeys. We are going to do that. We had a couple of vacations that got in the way so the next time we come on, I'm pretty sure we're going to be talking about passkeys, which should be a good one as well. So until then, we'll see you next time.
Javed: Yeah. Bye.