Trends in IDAAS: Secure Workforce Access with Strong Identity Proofing

Unlock On-Demand Webinar

Video Transcript
Mike Engle:
All right, everybody. Welcome to our webinar titled Trends in Identity as a Service: Secure Workforce Access with Strong Identity Proofing. My name is Mike Engle. I'll be your MC today. I'll share a couple slides as well. I'll just ask my colleagues here to introduce themselves, starting with Mr. Ryan, if you wouldn't mind saying hello and tell everybody who you are.

Sean Ryan:
Sure. You bet, Mike. Thanks for having me. So Sean Ryan. I'm a senior analyst on the security and risk team at Forrester. And I look at identity and access management, specifically for workforce use cases and things like multifactor authentication, identity management governance, privileged identity management. Really everything to secure the front door and manage the identities of the workforce and partners in the organization.

Mike Engle:
Great. Thanks. And Andrew.

Sure. My name is Andrew. I run identity access management for Jefferies. Hopefully some of you have heard of it. Jefferies Financial Group, Jefferies Investment Bank. The IAM group that I run manages all the privileged access management, SSO, pretty much anything that's standard under IAM, plus a lot other non-standard areas as well.

Mike Engle:
Great. Thanks. And my name is Mike Engle. I run strategy for 1Kosmos. 1Kosmos focuses on identity proofing, strong authentication, and runs their technology on a blockchain back end. We'll cover some of these topics today. I'd like to start with letting Mr. Ryan run through some of the material from Forrester and some of the trends in the industry on passwordless and its application in the workforce. So with that, Sean, I'll hand it over to you and we can get going.

Sean Ryan:
Perfect. Sounds good, Mike. And you'll be ... I can't see my slides. Perfect. So thanks for having me. Really, I want to say about strong authentication and trends that I'm seeing across the industry as organizations look to improve their security posture and improve their operational efficiency with how they grant access to their employees and let them into different applications and systems on their network. So just to set the stage first off here, we can see that based on some survey data that we've done here in 2020, authentication credential are still one of the top. It's tied with PII for the top type of thing that hackers are going after. It makes perfect sense.

They want to go in, steal credentials, and it gives them access to do more damage, to steal more things. So it really is still the most critical thing to protect from a security and risk perspective for any organization today. So with that, if we jump to the next slide. Really just want to take you into what we're seeing really across the board here and why this is such a problem. So I think we all know that passwords are miserable to deal with. They're difficult to remember. We've got hundreds and hundreds across our professional and personal lives that we have to remember.

So what happens, we practice bad behaviors. We use weak passwords. We forget our passwords, have to reset them again and again, which is expensive, time-consuming, frustrating. And people start to undermine password rules to get around this, "Oh, you're going to make me out a number, I'm just going to put a one in the end of the time. Oh, you're going to make me out a symbol, I'm going to put a dollar sign at the beginning." And they just repeat this process. And the other thing is these passwords get stolen from other places. People are reusing the same password across multiple websites. They end up on the dark web for sale, and then they're transferable.

And people will try credential stuffing attacks across multiple sites. They'll go for weak passwords, password spray. Let's just see who did password 12345! and we'll break in that way. So they're really a weak vector. They're the low hanging fruit for a hacker. You don't have to be a very sophisticated malicious attacker to take advantage of it. But what we see is people trying to password policy their way out of the problem. So it is this, we're going to make you rotate it every quarter. We're going to add these wingding characters and numbers, and we're going to do these things to make it more difficult for hackers, but it also makes it more difficult for users. And so we end up back where we were with more complexity, but still extremely hackable.

So as you can see, I've got some more survey data here. 78% of organizations still investing in password management. So we can't seem to get away from it. I'm probably preaching to the choir here. I'm sure everybody finds these miserable, understands they're not secure, but why do we still have 78% of organizations still investing in password management? So if we go to the next slide, I maybe shed some light on why this is still happening. It is difficult. I don't want to make light of this and make it seem like you can just flip a switch and move to other factors beyond password quickly and easily. But we are getting there. There's some enabling technologies. There's standards like FIDO2 that make it easier for organizations to start on this journey and move away from passwordless.

So just to orient you on this slide, this is based on some research that I did last year, and I've since updated my estimates. I'm really categorizing organizations into three stages for their maturity level on what they're doing with authentication. So the lowest stage here, the stage one that I call password centric. As an organization, you may be doing things like two-factor authentication, but you're really password centric across all of your applications. It really comes down to the password. That's always the first factor. And that second factor is only used periodically, maybe for step up authentication or for certain user segments.

So you're very susceptible, it's inefficient. And the work from home world that we live in now because of the world changing with the pandemic did accelerate a lot of companies plans and move them into that second stage of layered authentication. So last year when I looked at this, the percentages were lower. You can see under the box, I've got probably 50, 60% of orgs are still password centric. I'm putting 30, 40% at this layered authentication stage. That's an increase of about 10% in that second stage compared to when I initially did this study and had over 70% of organizations being password centric.

The second stage, the layered authentication, you're starting to do more with other factors. You're getting more sophisticated with multifactor authentication. You may be doing some things even with authenticator apps or biometrics, but you're dabbling with it. And in no cases are you using one of those factors as the primary factor. They're always a backup. It's good. It's a better security posture, but it still creates friction for the user and you still get that weak link of the password sitting in the pole position.

So moving from there is getting to that stage three which is passwordless. And I put less than 10% of organizations are using another factor besides a password as their primary in any part of the organization. Really, if we set an organization wide passwordless, I'd peg that down 2, 3% maybe. And that's going to be born in the cloud companies most often and few large tech companies that started this journey decades ago. Again, we're getting there. We're starting to overcome some of these challenges. The three biggest that I have on the slide or that I hear again and again, legacy infrastructure. We've got these legacy applications and systems. They are built only to accept passwords. We can't use another factor with them. That's a limitation. Again, there's strategies for overcoming that, but it's challenging.

Employee resistance. I think one of the few silver lines of the pandemic is it did change people's perception. And really, I think it gave security and risk teams the opportunity to try something new. People were willing to accept that this was a major change and they needed to adapt to this work from home scenario. But still there's going to be pockets of resistance. And again, there's training and other strategies to try and overcome that. And then the last is making the financial case for it. Like anything, there's an upfront technology investment and you have to make the business case that it's worth spending that money on a passwordless journey as opposed to something else that might be important. Always competing priorities. And you do want to make sure that you're going to get a return on investment over time with that.

So if we go to the next slide, again, there's some good news on the horizon. So I showed you earlier, 78% of companies investing in password management. We're at least getting close to that. We're catching up with two-factor authentication, multifactor, and passwordless. So 71% of organizations investing in that today or expanding what they're doing. And the other good news, another 12% on top of that are planning to. So they're at least looking at it. They're at least considering this and making it a priority. So I'm optimistic that we've got more organizations on that journey moving into stage two, and some of those even starting to get to stage three with achieving passwordless.

So there are multiple ways that you can adopt passwordless. So just to step back and really think of what the factors of authentication are, there's three factors. There's the something you have, the something you are, and the something you know. With passwordless, you're putting the something you know as the primary factor. So the case for passwordless is to deprecate that, move that to the background and make that something that becomes supportive. And you hopefully avoid using it at all. Ultimately, you want to get to the point where either something you have, like your smartphone with a certificate on the device, using something with a QR code or a one-time password coming down to an authenticator app as your primary, or biometrics, your facial recognition, thumbprint as a primary. But these aren't foolproof, there's still challenges as to how you implement this.

So there's some other best practices that I would recommend. First off, if you are using something like a smartphone or another endpoint device, you want to make sure that that is very protected. You have to make sure that you're either integrating in with things like mobile device management, or you have your own capabilities in-built in the authentication solution to make sure this isn't a jail broken device, to make sure it doesn't have a virus on it, to make sure you don't have an attacker just piggy backing on the communication channels. The other thing would be using passwordless in combination with something like an IDaaS solution for single sign on.

So using that as your gateway, and you're helping to enable users to not have to re-log in every time. So you're getting away from that fatigue, and you're still putting strong authentication on the front end. I would argue if there's applications that are on-prem and you still need to use a VPN for that, if it's possible to add passwordless on the front end of that VPN. Also, a better user experience, stronger security posture. And then the other thing to think through is just as you have to deal with password resets and make sure that's secure and a user friendly process. If you move to passwordless, you have to have that same process for what happens if somebody's device is lost or stolen. What happens if it breaks?

You need to have your backup plan, make sure that's secure. Maybe there's some temporary access until you get a new device shipped or they get their new device and you have a good policy for how you register that and prove the user is who they say they are. And then lastly just monitoring for high-risk scenarios. So whether you're using some level of conditional access to identify, "Hey, somebody's logging in, in the middle of the night from a country they never logged in for. Let's just block that," or they're logging in from someplace new, but it's reasonable. Let's just ask them for one more factor to prove they are who they say they are.

So those are some best practices to employ as you look at how you might implement passwordless. And I just want to close with some final thoughts on really the key benefits as you're making the business case to management for why you should do this. Three big areas; cost reduction, improving your security and gaining agility in how you deliver the service. So you can reduce cost around the help desk costs for password resets, password issues. You're reducing user friction. You can think of the time it takes them to type in, retype in passwords. It's lost hours across the business. And the larger the organization, the more this multiplies.

We've had large organizations tell us they spend a million dollars a year on password resets with their help desk. So it adds up, a lot of money. Next is improved security. We went through that whole spiel upfront about how many ways there are to crack passwords, how easy it is and how users undermine password policies. And then lastly, with these types of solutions, you get more of a dashboard. You get telemetry. You can define test port and really maintain these authentication policies in a much more centralized and logical way. And then last thing here is you're reducing friction for users. You're enabling faster login. You're making it so they don't have to remember passwords anymore, except in extreme cases.

And as a backup, you could even potentially go with a pin, depending on your risk levels. And the other thing is just making sure that you use the flexibility of password solutions that can offer different factors. And you might want to use biometrics with some users. Other users may not have a preference for that, or you may determine that a hardened security key, a UB key or something like that is what's required for a certain set of users for higher level of security. So with that, Mike, I'll turn it back to you, and I just thank everyone for listening.

Mike Engle:
Oh, thanks, Sean. That was great. So I'm going to take what you just presented and expand on a couple very specific aspects of it. I'm going to focus on two standards that are relatively new in the industry. You mentioned FIDO and another one around identity proofing and how they can be applied to really any organization to change how we engage with each other. And really, for us, it goes beyond just passwordless because we're focusing now on identity. As you mentioned, there's a number of different ways to go passwordless. You can just give somebody a token, replacing something you know with other factors. At the heart of it though is something that is in control of the user. A secret. A password is not just in control of the user if somebody else knows it.

So we've introduced a relatively new term not too long ago called identity based authentication. Removing that something you know, passwords and secrets and putting the user in control is the key. And speaking of keys, we start with a private key that can be stored on any phone, Windows, Mac, doesn't matter. Almost every computer supports the concept of what's called a trusted platform module, a safe place to keep a key. This is the equivalent of having your own smart card and reader with you at all times. And the private key represents one of the factors that you use in multifactor, something you have. And then we introduce the concept of biometrics to go along with it. And this is typically Touch ID, Face ID, or even Windows Hello. And there's a growing trend to use real biometrics, not just a device biometric. We call our implementation as Live ID.

And this trend is one of the game changers for proving a user's identity that I'll cover on the next slide. The biometric represents that second factor, something you are. And we now have what we need for strong user authentication. So anytime the user attempts to access a resource, we can prove every time that they are who they say they are, because they're presenting these two factors and nobody else can present them. And this is one of the key principles of zero trust. So in addition, every time the user interacts with their mobile or a webpage or a workstation, we can detect when behavior changes.

And if a fraudulent session is suspected, for example, if somebody's spouse grabs a phone and starts using it, we can ask them to provide proof of identity again, with real biometrics. Now, we're authenticating without usernames, passwords, external 2FA, because multifactor is built into this entire process. And it's important to tie two emerging standards together for what is an indisputable proof of identity. The two standards I'd like to review are at the heart of strong remote digital user identity. And they've both exploded in popularity over the past year plus because of COVID. So the use of cryptographic keys is a growing trend in the industry, and it's backed by a nonprofit standards body called the FIDO Alliance. The acronym FIDO stands for Fast IDentity Online, and their goal is to get rid of usernames and passwords.

And they set the bar on how an organization can implement a bunch of different passwordless technologies. So in essence, they give the user a public and a private key, and they let them use that together with the biometric, like I touched on the last slide instead of the username and password. If you've ever used Touch ID or Face ID to authenticate into your mobile banking app, you've experienced something like this. And they also have a way to do this on the web channel via a standard called WebAuthn. This lets you keep your private key basically in a browser, which keeps it in a safe place on your computer, whether it's a Mac or Windows or even your mobile phone browser. So you don't even need an app.

But FIDO is only one step in a strong digital identity. By itself it doesn't have any real proof of identity as part of that standard, for example, verifying against government documents. So to compliment this, you need to include proven digital identity. In 2017, the U.S. federal government introduced the standard NIST 80063-3. It's called the identity proofing standard. And it gives guidance on how to capture identity documents, to validate them and compare the images with the user's live selfie, what we call. So for organizations, for example, that are hiring new employees, this means that they have verifiable proof backed by a very rigorous standard that everyone signing into their systems is who they say they are, every time.

And another application would be for KYC, know your customer, anti-money laundering type purposes for online banking or crypto accounts. This allows you to meet these regulatory requirements. And there's been a bunch of breakthroughs in several technologies that make this much easier for the end user and for the organizations adopting them. First, you have billions of smartphones that have very capable cameras, image capturing, et cetera. And then we have that strong cryptography that FIDO uses under the hood, that decentralized identity uses at its core. So now somebody can take documents, scan them, take a selfie and the system does the rest, guiding the user through the capturing of quality images. And the standards will set the bar for how this is done.

And it's important to distinguish that this form of biometric enrollment is not the same as Touch ID or Face ID, another device-based biometrics. Those forms are not based on a true user's identity. It's somebody's thumb on a phone at a point in time. So the biometric must be a representation of one user and instantly matched to the government documents. Now, the standards, we've covered those. I'm going to give a couple of real world examples of how they can be used by individuals. And there's two different workflows. One is for existing users. So you have a thousand employees in your organization. You already know who they are. You don't need them to prove their identity again.

Obviously you could, but you don't need to ask them for government documents. You're letting them into your system every day today with username, password, MFA. So instead, we'll go through a binding process. It's very straightforward. Typically, they'll be given a magic link. They click it, they enter their existing username, password, MFA, whatever, provide their biometric, and now we'll give them their keys. And this is the last time that they'll have to enter the username and password. And the process for them to log in is simply engage with the remote system as Sean mentioned via a QR code or a click, a push message and authenticate with their biometrics. No more passwords involved in the process.

Where identity proofing comes into play is the onboarding of new hires or account holders. Historically, we've all been through this. We've been through either joining a new company or opening a new account. These documents are usually scanned, emailed, faxed, snail mailed or whatever to the requesting company. And this is all kinds of challenges around it. The goal is to get the documents into the onboarding process, whether it's i9 in the U.S. or whatever regulations are needed. But by emailing and faxing them, we have them floating all over the ether in places where we don't want them. We have sitting in somebody's mailbox, they might be printed, et cetera, creating all kinds of PII issues.

In addition, you don't have a very good quality of the image. You've seen what a scanned driver's license looks like. And most importantly, even after all that's done, you haven't matched the user's live phase to the document. And that's where the identity proofing standard comes into play and allows you to create the equivalent of a digital wallet to prove the identity at the time the documents are presented, as if they're standing in front of you and you're comparing them in a very methodical way. So let's use this technology that's in the billions of devices to facilitate the process and give them the tools that they need to interact with digital systems.

So I'll just walk through one end-to-end flow of how this works in practice, and then I'm going to hand it over to Andrew to talk about some of his thoughts. First, a typical flow is that a user gets invited into an onboarding process. In this example, an email comes from HR to our new hire, Kate. And Kate is instructed to download the company authenticator app that has identity proofing built in and enroll her own government credentials. So these documents now are validated in real time. The data is encrypted with her private key, including the images and only she can access it. Now, her identity has been proved and validated to meet that NIST 80063-3 standard. And best of all, now Kate already has a strong digital wallet that she can use via the phyto mechanisms or other ways to authenticate on day one.

So on the second step of this, Kate comes to an HR onboarding portal, is prompted for consent to transmit her documents. And her documents and documents are decrypted and data flows directly into an HR system. And then the final step in the process is an HR rep would come in, validate the data, go through whatever checks, maybe they have to send them off to a background checking process, which could also be automated. And with the press of a button, her company profile is set up, the data is entered directly from say the driver's license into the system. So there's no room for human typo error. And then now the IT process can start to provision into their identity governance system, their downstream account creation and entitlements.

And as part of this process, Kate can be given her Active Directory or other corporate credentials automatically without having to have a line manager get them as an interim party, call up Kate, give her her username and password over the phone, or however else it's done and make her change it. She won't even need to know what her password is if you employ the best practices around password management. All right. So that's really all I had to cover here. I'm going to hand it over to Andrew, and he can talk about his view on life and all kinds of things passwordless.

I'm pretty good with that, talking about my life. Thank you, Mike. And thank you, Sean. You guys covered a lot of the framework and the groundwork of why we do these things. I'll talk about some of the proposed use cases that we have. Some of these we're live. Some of these we're going live. Some of them we're developing, but these are all the journey that we want to get to with a passwordless solution, which includes the identity proofing side that Mike talked about. One of the things that really resonates is the fact that everything starts with identity. Today, you have so many different systems, so many different processes. And usually they flow off of a common identity if that's in a company or you have your HR systems, you have your identity management systems. You have identities that sit within your environment, sit within your systems.

Some of these are connected, some of them are not, but you usually it with some authoritative source for the onboarding process. The problem is that even with the authoritative source, whether that's your HR system, whether that's even your identity management platform, the process is extremely disconnected. You go through an HR onboarding process, you may use a recruiting tool to bring those people in. Then you create an HR ID and then your hiring manager will go into your IT portal and they'll request IT access. And then that person, you need to figure out how to get the password to the user.

There's been so many conversations and meetings and I haven't done one of these webinars in a while, but I attend the meetings and I listen to people's concerns. And I can't tell you, probably every meeting that I'm on, the question that comes up is, well, how in this environment do we give credentials to someone? How do we share securely without the person calling up the service desk and saying, "Hey, I'm John, give me my password or set my ...?" These processes are universal even if the technology is different from organization to organization. So one of the things that we start with is really how do we onboard a user as part of a workflow? HR gets identity, HR does documents, they get driver's license, they get passports.

What we want to do, as part of the passwordless journey using the products that we are looking to implement, is use that process as a one-stop shop. You have a trusted device. Everyone's got a trusted smartphone that's usually biometrics enabled. And if not, as Mike and Sean indicated, you go through your MDM processes, through the products that you enroll, you have certain requirements. You have to have a passcode, you have to have a six-digit passcode. You have to sue your Face ID. You have to use all these products. You have a process that can be trusted through the device, which is what we're trying to do.

So part of the journey that we're looking to get to is HR talking to these people and recruiting these people, use that process to securely transmit the documents, verify the identity. And once HR has basically signed off on the user, convert that into an IT account. So there's no more process of user gets an ID, they have to call the service desk, the hiring manager has to do all these things. You can create a seamless process from start to IT onboarding that doesn't require a lot of overhead. And then we talk about things like remote access. Obviously during COVID and this whole process, it's fundamentally shifted. And if anyone's saying that we're going to go back to the way it was, they're completely wrong.

There's always going to be this hybridized workforce, this hybridized remote in and out process. It's fundamentally changed. And one of the things that is really important these days is your remote access process. Whether you're using VPNs, whether you're using any remote process is integrating this. We have virtualized a lot of our environment. We have offered our employees VDIs, our consultants and vendors VDIs. And one of the main challenges was how do we securely give remote access to people without exposing ourselves? And this was one of the first use cases that we covered. The next is, when we do go back into an office or people have home laptops, and they're not connecting to a virtual device is integrating this process.

So the whole point of this is to make sure that regardless of whether the user's coming in externally, whether the user's inside the office, whether the user's logging into a physical device, whether the user's logging into the machine and they're going to a website, we have our passwordless process that allows them to enable and access everything from a very secure and clean process. And I know I skipped a couple things. So Mike, if you want to go the next one. I want to be conscious of time. So one of the things that you'll see, and I know Mike and Sean have pointed this out is that stronger passwords, it's the trend now. Everyone spends so much time effort, money on trying to make passwords more secure.

And the fundamentals of it is no matter how complex your password is, it's the user who maintains the password. Users can be tricked. They can be socially engineered, they can be targeted. They reuse passwords. They use common passwords. I can't tell you probably how many people have a password to Amazon, and they use a slight variation of that to access their work environment. It's just a common thing. So they're barely changed. The standards that you may use at external companies are different than the standards you may use in internal companies, and people try to reuse these. And with this whole process, you go through this life cycle of constantly trying to keep up. You increase your character, you increase the complexity, you offer internal tools to allow for password reset.

You try to make the process better without actually looking at maybe the process shouldn't exist. And that is where we are trying to look at this. So one of the things that we've also noticed is that when you incorporate passwords, you are always having to develop new devices, new processes, to reset those passwords. So the help desk costs and the service desk costs becomes astronomical. And I think it was either Sean or Mike who indicated the cost of overhead, I think you talked about one of your clients is a million dollars a year. I don't doubt that. Our top call drivers at any ... Common questions across many organizations, and they're prone to attack, and they're prone to compromise.

We're trying to say everyone has a device and we can control the policy from that device to make sure that they have a strong enough security to use our process. So people use Android devices, they use iOS devices, and these are very secure devices, assuming you have the correct policy applied. So we want to take those devices that people have, and we want to allow them to log into our network. They have devices, they have pin codes, they have Face IDs, they have fingerprints. These devices will allow them to securely log into our network. And as part of this process, we're basically saying that through the fact that they're not putting in a password when they enroll the device, we're using certificate based. They're verifying their identity and enrolling a certificate on the device.

It's very secure. So if the device does get compromised, we can revoke the certificate, but the person with a compromised device will never know the password to our environment. It also allow us as part of this thing to do digital identity proofing. So the passwordless processes is one component of it. The other part of this is the identity proofing. And as I said in the beginning, it starts with identity. The process from verifying the identity of a person who's sitting in front of that device with an iPhone, with an Android. When someone unlocks their device, you're essentially verifying that that person has access to the device. But how do you verify that it's the ID of the person, that it's actually Andrew, that it's not my wife using the device?

And as part of this, what Mike had talked about, like the live ID is doing continuous verification, that when Andrew goes and he logs into the Jefferies network, or he logs into a Jefferies trade system or a secure system, we verify that not only can he access the device, but he's also the person who's authorized to use that device and use the Jefferies network. And with that process, we're integrating this into our SSO services, which will allow us to seamlessly and bootstrap ourselves into a process where once we enable the product, we can do remote access. We can log into workstations, our thin clients, our web applications, eventually servers, and the legacy apps will also allow this to be done.

And I won't get into specific here, certainly if anyone has any questions. It's a hot topic that I get asked a lot is how do we cover the legacy as part of this process? And it's not easy, but we have a few options that we put in. So some of the key features is passwordless authentication, obviously, use of certificates instead of passwords on the device, identity proofing to confirm that the user who's using the device is the person who's authorized, integration with our SSO and federation services. So allowing these systems to integrate so that we can bootstrap. If you have a Ping, if you have an Okta, you could integrate the product that you're looking to roll out into those things.

So if they're covered as part of those SSO services, you can quickly ramp up the deployment within your environment. And then obviously very basic, use of the blockchain. The fact that is all cloud based, it's blockchain based. There's a lot of security benefits behind this that some products out there don't have. So I touched on this and so this may be a little bit redundant, but I'll try to breeze through this. One of the main things that we're looking to do, and we're not live, so I'm not going to mislead anyone on this, but we are in the process of doing it is making sure that lifecycle identity from onboarding to IT access is consistent and using a singular product and process so that we don't have a lot of experience where a user has to get one user credential from a recruiting tool, then get an employee ID, then get a user ID, a Windows ID, then an identity ID.

All these systems, there's no reason for the user to have to go through all these processes. So the digital identity and the onboarding process will allow us to solve quite a few problems. Number one is from an HR onboarding process, how do you actually verify the person? How do you present documentation in a secure manner? How do you take that ID and convert that into IT access within your environment? And now I'm sure every person on this call company has a slightly different variation of it, and understands how much friction is involved in that. This process that we're trying to do is trying to eliminate that.

So identity proof the new hires and perform real-time verification. So user comes in, HR sends out a verification. They download the application they want to use, they put in their IDs. If they verify their identity, they securely transmit their documents. And then HR can do their part knowing that the person who provided the documents on the other end is the person who they're actually looking to recruit. Securely collect all that verified identity, and then allow the verified new hires to link their digital identity with their corporate identity. Because once I've pointed that device that's trusted can easily be converted to now allow for IT access within the organization or application access.

It could be used as an MFA product if we needed it to. It could be used as an identity proofing source, which is what it's designed to do. These are all the process that we're trying to do to streamline the end-to-end workflow. Digital identity proofing of new hires, real-time identity verification against trusted sources, secure transmission verified information to Jefferies IT. Ability to link digital and corporate ID. That's all redundant. And the idea here for us is the end-to-end flow creates this unified process where users don't have to be handed off from one system to another. They know, clearly defined, once they've registered their device what that end result is. If you want to go to the next one.

So this is a pretty common one that I know the Mike has on the 1Kosmos BlockID site. The bottom line is for us. We talked about integrating into our SSO and federation services. The bottom line is once you authenticate to your desktop, you basically connect it to a lot of your systems. And if you integrate with your SSO application, if you integrate into your remote access, and you integrate into all these processes, once you authenticate one time to your desktop, whether that's through remote access, whether that's through directly on a hardware, you have access to your entire environment. And obviously there are legacy applications that may require additional connections, that may require step-up authentication, adaptive authentication, depending on the circumstances, the user at the right location.

These are all services that traditional SSO providers, whether they're Ping or Okta can handle. And if you integrate into your passwordless product with those processes, you can really bootstrap and jump your process up. I know a lot of people that I talk to talk about the overhead and being able to do it. It's like one of those things where they look at passwordless and they think that they need to rip out all of their infrastructure to implement this. It's not the case. You can start a gradual journey where you can easily bootstrap yourself by integrating into your existing services. And certainly if anyone is interested, I can give more details on that, but that's the process that we did.

And we were able to bootstrap by putting this into our existing SSO infrastructure, existing technology, which allows us to basically rapidly deploy this across the environment, and also limit the amount of overhead that our IT teams need to do in migration or our team in general has to migrate. We integrate with one system that integrates with all systems. And that's from a tactic perspective that we put in. If you want to go to the next one. So how do we measure success? There's a lot of ways to do this. And I think every organization's going to be different. Every organization's going to look at their goals differently.

Some are going to be focused more on security. Some are going to be focused on cost reduction. Some are going to be focused on just presenting to the board that they did something different with all these cyber attacks that are occurring in the environment these days. But for us, really there's three core things that we were looking to do. The better experience for the users. That process, where they're handed over to multiple systems, we wanted to address that. We don't want to have to have them register multiple MFA products. We don't want them to have to have password reset tools. We don't want them to have to have another process for verifying their identity if they call into our service desk.

So part of the way that we've been aiming this is, yes, we're going to deploy another tool. Yes, you're going to have to migrate another tool, but we're going to offer you all these services. We're going to offer you benefits of going to this. You now have one product to log into the network, to log into your workstation. Maybe you have one product now to log into your collaboration devices. You're in the conference room and you need to log into one of your boards. You can use this to log into the board. You don't have to remember. So offering that process where the users know that, hey, instead of three products, instead of four processes, I have one process. That is how we've taken the tactic to sell this, to make sure that people understand that yes, it is another product that IT is rolling out, but there are benefits and there's benefits to you in doing this.

And obviously the pandemic, as Sean and Mike alluded to, have bootstrapped this. People understand the importance of identity, of verification, of logging in. They understand being remote. There's more tolerance for that. But also there's more tolerance for people making sure that the process is consistent and it's coherent. And that's a big area that we're trying to solve with this. Cost and time savings for IT. Every company has different calculations. I put in that $50 Forrester. I think BMC and ServiceNow have different calculations, but the bottom line, there is a dollar amount tied to every call.

And in most organizations, password is the number one call that is made to the service desk. And if you are able to address that, you go a long way to basically recouping the ROI. You're able to actually drive the cost down. There's tangible results to show that, "Hey, you had a thousand calls to the service desk this month for password reset. Now you've got 50." Those are areas that we can clearly define as part of the program to point to and say, "This was a benefit." We talk about the experience. Everyone these days is competing for new hires. The market is very hot, especially within IT, especially within financials. Having a good experience for people. Having an experience that new joiners come in and say, "Wow, that was easy. I've been to five other companies and I got to be handed off to 20 systems. I got to call the service desk. My first day, I was on a call for 24 hours trying to get my access set up."

Those are areas that people talk, and people talk to other people about. And it gets a reputation. So for us, addressing that, making that process easy, where someone comes in and is like, "Wow, this was easy. I got my idea as part of HR and that went all the way to IT." It goes a long way to selling a program, to making the experience better, to making people turn around and say, IT is not just some burden, especially infosec. That there's a benefit. That there's something that they're doing for me as part of this. And then obviously improved security for our users and partners. That's the name of the game for us.

We are trying to make sure, from me being an infosec, the number one goal. Yes, I want to make the experience better. Yes, I want to save the company money. But my goal, the reason I am here is to secure our environment, to secure the people, to secure the identities of the people and make sure they're not compromised. And this process, hopefully in the end history will tell, at least for us, will allow us to handle all three. So for us, it's a no-brainer. It's a no-brainer because of the way that we're doing it and we're implementing it, but there's also demonstrateable results that we can point to at the end of the day and say, "Hey, here's the benefit. Here's why it was good." And that's really our journey, and I'm certainly happy if anyone has any questions or wants some specifics. I'm happy to have follow up conversations about it, but I think-

Mike Engle:
No. Thanks, Andrew. That was great. You tell the story well. We do have a couple questions that I'll just go through in order here. So what is the primary factor driving large organizations towards passwordless? Is it security, user experience or both? I think maybe Sean, if you want to take a stab at that one.

Sean Ryan:
No, that's a good question. I think that really came up across all three of our discussions in trying to address what are some of the benefits. I'd say again, based off of what we've been seeing with all these ransomware attacks and Solarigate, all kinds of sophisticated attacks, unsophisticated attacks, they often involve compromised credentials. So I'd say often the driver is security, but to Andrew's point, I love seeing what he's doing to consider this for operational efficiency and try to make it a better user experience for people, because it does have that double benefit.

So I think there's no reason to focus just on one of those benefits. I think you can bring all of those to bear and it does sound a little too good to be true. Wow, we can make it more secure and we can actually reduce friction, make this easier for people, make them more productive. But I've seen it in action. It's clearly much easier just to hold your phone up to your face or put your thumb onto a device or to leverage the certificate on your device, hold it up, have it do a QR code than it is to try and type a password again, again and again. And I think Andrew also you made some great points about how you can integrate this in with something like your single sign on.

And again, that's bringing another enabling technology to bear to make this easier, but you're still channeling everything through a consistent, secure channel. You can monitor it. You can look for anomalous behavior signals. Again, so you can really benefit from additional security that's invisible and behind the scenes.

Mike Engle:
Great. Thanks, Sean. And then I have two questions there in the same spirit. So I'll merge these together, but maybe this one's for Andrew. Do you expect or should an adopter expect to run into resistance from users to get to that final passwordless stage or even in their early process? So you're doing something different. It's always different when you do anything that's out of the norm. One example I'll throw out before you answer is the first time I had to whip out my phone, set up Apple Pay and then use it at Home Depot, there was a couple steps involved and I had to get my head through the process of it, but I can't live without it now. So I guess if you can comment on that, Andrew, from a passwordless perspective.

It's funny. Every product that you implement, you will always have people say, "Well, we've done this the same way for 10 years, 20 years. Why do we need to change? This has worked. Why do we need to introduce something else?" And the bottom line is things do work. Password with no MFA worked. Doesn't mean it wasn't secure. Passwordless with MFA works, but it doesn't mean that there's not a lot of friction. These systems create dependencies. As technology evolves, as the complexity of the systems you're rolling out and you use evolve, the processes that you have in place have to change, and you have to adopt different things. Everyone complains. And even I complain. I don't want to do a project for the sake of doing a project. But at the end of the day, a lot of it is how you sell it.

Yes, people are going to be concerned about, "Hey, now you're scanning my driver's license to do something," or I have to enroll another device, that I download another application. Before Ping ID, I could do it on my Apple Watch and now this I may not be able to do. There's always going to be those things, but it's always about how you sell the product and what you offer as a benefit. We never try ... Sometimes it's inevitable. We never try to roll out technology for the sake of technology. Building the use case, building the demonstrated value to the user, showing them the benefit, getting key stakeholders involved to explain why this is better for them is a key tactic.

I shouldn't say it's tactic. It's basic common sense in rolling it out. And a lot of organizations will pull a product and try to push it without actually trying to make any benefit of it other than the security factor. So we do get pushback. We do get people concerned, but once we show the differences in the process and we are able to conceptualize to our COOs and our business leaders why the benefit is there to be able to do it, what the benefit will be for their new hires, why their new hires may be more likely to recommend Jefferies. Why if I have one device and I go into a conference room, I can log into my conference room.

These are things that you sell a product, but you also sell an a experience, but you also need to live up to that experience. So from our perspective, yes, people complain, there is people who are concerned about adopting it. And that's always going to be the case. You have to make a business case and you have to sell that business case, and you have to offer a product and a process that's coherent. If it doesn't make sense to you, if you're rolling it out and like, "I don't even know how to use it," which you'll be surprised. A lot of people roll products and even their own teams may not understand how the product works and how the flow should work.

If you don't have those things checked off, you're never going to be, regardless of the product, but it's especially true for this. This is a new technology and a new thing. You have to make sure that you not only understand what you're rolling out, but why you're doing it. And if you document those use cases and you present it to your business leaders and you explain why this is beneficial, they'll buy it. They understand it. They understand things are changing. And I think that no one is going to seriously say, "This is the way we've been doing it for 20 years. We're going to keep doing it," if you have a convincing case.

Mike Engle:
And I'll just add to that. There's a couple ways you can measure. So one of the advantages of passwordless is the results are very quantifiable. So day one, you have a thousand calls a week into your help desk. You know how many people are now passwordless and you can measure the trend down. Not only that, but you can actually know who it is that's still calling the help desk versus those that are in the program. And second, the way we deploy passwordless with our clients is in day one, it's a option. So on the left, do it the old crappy way with username, password, 2FA, text message, whatever. And let's put right here on the right side, your passwordless experience and let people ease into it.

So day one, it's not working for them or whatever. Mentally, they can't wrap their head around it, but they can do it on day two. You don't have to force them into it. And that applies to whether it's Windows, Unix or any web technology. You can typically do it in parallel until you then want to force it to increase the security posture. And the second is you can measure your net promoter scores. If you're an organization that does that, ask them what their experience is today, typing a 16 character password into Windows, changing it every 90 days, and then having to go fetch their secure ID token or whatever it is.

And then have them do passwordless and ask them to rate the experience on a simple one to 10. And you'll be able to do that right away. And that is stuff that the C level loves to hear, "Oh, my security got better. And the user experiences, we have high fives." So I'll add that in there. Hopefully that resonates. And Andrew, I believe Jefferies is a net promoter score type shop. You guys do measure those types of things?

Oh yeah, we definitely do. That's common call drivers, all the drivers we do. Yes. We do measure that. A hot topic.

Mike Engle:
And then this question here. Sean, what are your thoughts on passwordless and zero trust? Do they compliment or contradict each other?

Sean Ryan:
No. They compliment each other. Really when you think about zero trust, it's a philosophy and it encompasses lots of technologies. So I would never call a specific technology zero trust, but it absolutely aligns to that strategy. There's a couple key things. One is you always want to verify access. So this is giving you additional layers to verify this person really is [inaudible 00:54:21]. And as you guys are adding this identity proofing, that's strengthening that even more, bringing that down to the beginning part of that value chain.

The other aspects, I've been alluding to some of the telemetry that you can pull from these systems, signals that can inform risk-based [inaudible 00:54:44] based on ways that people are accessing that might be unusual. And those types of things contribute to assuming that you've got a breach. So you assume somebody got in some way somehow. So you're monitoring, you're watching. And again, having these multiple stronger authentication methods makes it so that it's more difficult for people to get in. And when they do get in, you are potentially more likely to notice they're doing something very unusual. That they've had to really take some extreme measures to overcome those security measures.

And then the other thing is by channeling this through your IDaaS platform, using privileged identity management, other solutions that can link in with passwordless. When you're applying that across all these areas, you're just using a lot of these open windows and front doors that you've got all over the organization.

Mike Engle:
Great. Great. Thanks, Sean. Well, I think we're coming up on the top of the hour. I just want to thank everybody for coming on board. Andrew or Sean, if you have any closing thoughts, just shout them out. If not-

I think I covered everything, but certainly as always, this topic is going to be constantly evolving.

Mike Engle:
That's right. That's right. So again, thanks everybody for attending. Hopefully this was insightful. And look forward to a couple of our upcoming webinars. We have one coming out with the FIDO Alliance and Kantara together to talk about these standards specifically that I mentioned on my slide. That's on June 24th. And this webinar and the materials will be available as a link on our website. We'll send a follow up to everybody that has that information in it after the fact. So, enjoy the rest of your day, everybody. And we'll see you online. Watch out for those bad passwords.

Sean Ryan:
You bet. Thanks, Mike.

Mike Engle:
Thanks everybody. Take care.

What’s new with Identity as a Service?

Many companies today watch their data turn from an asset to a liability.

Unfortunately, most teams then play catch-up in an attempt to reverse this trend.

But, this just doesn’t work.

The answer lies in understanding your vulnerabilities.

And user credentials should top that list.

In this webinar, Senior Forrester Analyst Sean Ryan and Jefferies Financial Group VP of IAM Andrew Ehrlich join Mike Engle, the CSO behind the 1Kosmos solution.

Access the webinar now to hear how leaders across far-ranging industries are upgrading to true identity-based authentication.