Upgrading Authentication Models: MFA, Password-less and more


Video Transcript
Doug Simmons:
Here we go. I am going to talk about upgrading authentication models, starting with multifactor authentication, moving to passwordless authentication and more. And the more, I think, will be what our distinguished presenters will talk about: Mike Engle from 1Kosmos, Gerry Gebel, head of standards at Strata.io, and Wolfgang Goerlich from Cisco / Duo, if he's able to make it. And what I want to talk about here is, I'll share this in a full screen mode. All right. We've talked about the demise of password-based authentication for decades, right? It's actually taken quite a while for many of you, for many of us, right? But I'd like to say that due to device and network ubiquity, like mobile devices and global coverage that we now have on cellular networks, not infallible, but still relatively ubiquitous, the reliability of bring-your-own-device initiatives, coupled with the accelerating levels of fraud associated with password-based authentication, the time has arrived to deploy multifactor authentication or other means of dynamically authenticating, given the risk profile within your enterprise.

There's a lot that I say here, right? The risk profile of your enterprise is important to understand. This is something every enterprise needs to look at, because you don't have to lock everything down like it's Fort Knox if it doesn't deserve to be so, but for the most part, we have very important, sensitive information assets that need to be protected, and being able to know someone is who they say they are from an authentication standpoint has become uber-critical. Now MFA is becoming the standard. Multifactor authentication, passwordless authentication, biometrics and other advances in authentication, which we're going to talk about today, are being brought to market to support the digital enterprise.

We're going to talk about... I'm going to go through about five or six slides here of a level set on this authentication. The conundrum, MFA, passwordless and perspectives from selected vendors will be brought up on an individual basis after I am done with my spiel. The thesis: alternative user authentication methods are gaining traction as best practice for enterprise security programs. This is a big deal because 10 years ago, multifactor authentication was really minimal. It was largely, in my experience, only handed out to remote access people, employees who needed to access an enterprise remotely, or to the system administrators who were doing highly sensitive configuration functions on servers in the data center. But everything's changed in the past 10 plus years. Proliferation of cloud, as I said, ubiquity in mobile devices and networking, and wonderful advancements in technology to support things like alternative authentication have come. So the traditional single factor authentication scheme, like your user ID and password, of which, if you're like me, you probably have many, is relatively easy to break and, as threats escalate, simply not good enough.

We're not going to beat that dead horse. I think everyone would agree. Now there are, again, based on risk profiles, times where user ID and password is just fine. We're not talking about those low risk profiles here. It is a good time to consider making upgraded authentication schemes a cornerstone of your enterprise IAM infrastructure, given improved vendor offerings and the inherent weaknesses in passwords. So we're requiring multiple authentication factors for high risk or high value transactions, however you define those in your organization from a risk management standpoint. It is an emerging security best practice, and I'd like to think that it's become beyond emerging. Although I know, still working with many of our large enterprises, that enhanced or strong authentication is still in its relatively nascent stages in terms of rolling out to the general workforce population.

And I don't want to just be focused on enterprise IAM, but consumer IAM too, right? And the ability to use multifactor authentication now for online banking or access to web mail or shopping sites. Things like that are becoming much more prevalent in the past two to three years, again, with the pandemic bringing much more online things to the table. Typical authentication business requirements. Now I am going to say a shameless plug right here, like I was saying on the previous panel around privileged access management: we have a lot of documentation, a lot of research written that is very current, within the past 18 months. So it's not stale. The most recent one we wrote on authentication is only about four or five months old, on our website, techvisionresearch.com. So you can find this really blown out and described in more detail there by going and getting those reports.

The requirements are typically business facilitation, the need to improve interoperability and efficiency through interconnected systems that support employees, affiliates, business partners, and customers. You name it, right? Basically any human being, and I don't even want to limit it to a human being. Strong authentication to facilitate business in these regards is largely in the eyes of single sign-on, federation to multiple sites on the backend once we're sure you are who you say you are. That's business facilitation. Enhancing the user experience. Simply not having to remember multiple IDs and passwords is a big deal. Not having to stoop to weak passwords because those are the only ones you can remember is also a big deal too. And having this single sign-on experience, as I mentioned, the business facilitation one is also a user experience enhancement. Cost containment, reduce the cost of management of multiple disparate authentication and authorization systems and processes.

The reason I bring that up is, I mentioned most of the organizations that I've worked with over the past 10 years have had some form of multifactor authentication just rolled out to remote access employees or systems administrators. And they were using things like SecurID tokens or some smart cards and things like that, which were definitely not, in their mind, and I would tend to agree, ubiquitous enough to roll out. They were costly and somewhat difficult to roll out to a 50,000 person organization. So cost containment is important. Security effectiveness and IT risk management, improving the level of assurance, knowing somebody is who they say they are, it's just, I should hope, table stakes in these days of security discussions, and supporting administrative and end user efficiency and effectiveness by consolidating that authentication and authorization infrastructure. And I might even add developer effectiveness as well, right, with being able to provide a uniform authentication experience that engineers and developers can incorporate so that there's not different one-offs floating around in different business units in an organization.

So this can go on and on. Multifactor authentication, a subset of the authentication market. It's often invoked based on what we call adaptive authentication or step-up authentication. Traditionally, it's getting beyond that now, but it's based on contextual data regarding a person requesting access. Meaning that, in a traditional sense, if somebody is accessing general office applications, then a user ID and password is okay. I'm just saying generally speaking, but if they're going to access the HR or payroll system, then they are forced to authenticate with a stronger token or mechanism. But that has moved on beyond that today to just being able to log into the network environment and then being able to elevate privileges, because we already know you are who you say you are, if we have deployed MFA.

There's multifactor. What does that mean? Well, one is something that you know, typically a username or password or a PIN, but that's not the only thing that gets you in. Then you have to have something, the second factor. Something that you have, like a smartphone, card, token fob, or other such device. When paired with the first factor, something that you know, and something that you have, bingo, multifactor. Third factors are being brought in more and more, and as we talk about passwordless, you'll see it becomes an even more important element, this third factor, typically biometrics that allow you to add facial recognition, fingerprint, retina scan, voice print, those kinds of things to have the something that you are. Now, you're really talking multifactor. And the fourth is something that you have done. This is an interesting one. This is your contextual awareness. We talked a great deal about this yesterday in many of our sessions, where being able to look at the historical record, typically of how an individual interacts with systems, can give you a decent view as to whether something is irregular.

So something that you have done fits into this: this is traditionally how you work, so we're not worried about you. Well, wait a minute, you're doing something completely orthogonal, never done this before, and you're doing it from a different part of the world. Whoop, you have a problem. So these multiple factors become really important during the authentication phase to help an organization understand you are who you say you are. Now passwordless authentication is an area that is gaining a lot of attention in the past year or so under this zero knowledge proof model you may have heard of, ZKP. It eliminates the password or PIN from the picture. So if I go back here, you can see that, well, something that you know is typically that first factor. Let's get beyond that so you don't have to know something.

Passwordless authentication relies on a cryptographic key pair, private and public key. That's typically what asymmetric key pairs are. The public key is provided during a registration ceremony to the authentication service, to the remote server and application or website, and we'll hand it over to the vendors here in a few minutes and ask them to talk about their ceremony, if they support passwordless. And the private key is kept on the device in terms of, well, we talked about wallets, whatever you want to consider it to be, but the private key and the public key are kept separate. And the individual user, the individual, is the one who maintains the private key, and it can only be accessed with a biometric signature like facial recognition or voice print, hardware token, or other passwordless factor. Again, not a PIN or a password. In the most common implementations, users are asked to enter their public identifier and then complete the authentication process by providing secure proof of identity in the form of an accepted authentication factor. Something they have, like the mobile device again, that is probably today the most pervasive and ubiquitous model moving forward.

But we still have one time password OTP tokens and smart cards and hardware tokens, such as FIDO-compliant key fobs, USB fobs. So not to belittle the importance of them, but the ubiquity of the mobile phone is definitely something that you can't ignore. And it's something the user is, given the biometrics, typically. In many cases, if the fingerprints or the biometric scan on this thing the person has match, then they don't even have to put in that username, mobile phone number, email address, or any other registered ID that can be gleaned from the something the user has and something the user is. But we'll talk about that as vendors go into this.

Many emerging passwordless authentication designs also accept a combination of other metadata and contextual factors, such as geolocation, network address, behavioral patterns, gestures, and so on. So I was talking about that a few minutes ago when we take that something you have done, where is it, right here, or something that you have done, right. All are considered passwordless as long as no memorized password or PIN is involved. So you don't have to go around remembering your user ID and your password anymore. You just have to go around carrying this thing and having your voice, facial biometrics, whatever, there to be able to identify yourself, in theory. It sounds really good.

There's also something called Fast Identity Online, the FIDO Alliance. Gerry, you might want to talk about this. I don't want to dump it on you, so you don't have to if you don't want to, but it is one of the key open industry associations whose mission has been to develop and promote authentication standards. And most of, if not all of, the devices and MFA tokens and approaches that are out there tend to be FIDO-compliant these days, which is a good thing for interoperability.

Like anything, I mentioned this at the outset, you don't need to put in a Fort Knox security model if you have really low risk information. The [crosstalk 00:13:19] or red category here, and you have to balance the cost of deploying certain things with the risk associated with a breach through password sniping or however passwords are misused. The good news is that the cost is coming down, is coming down considerably from what it was 10 years ago or 15 years ago. And again, I give a lot of that credit to just the general ubiquity of the mobile phone and mobile networks that are out there.

All right. Panel, my distinguished friends. I would like you to talk about how your particular solution addresses stronger authentication, whether it's MFA, whether it's passwordless, whether it's both, whether it's neither or something even better, because I would be the first one to tell you, I don't know everything about everything, not even close. What are the typical obstacles you may be seeing when your customers or prospects want to improve their authentication capabilities and you bring your wares to them? What do you see them spinning their wheels over in terms of being able to roll this out? What are one or two of the most significant areas that your product team is attempting to address in the authentication market to make it better than what I have described thus far? All right, Gerry, I think, I don't know. Are you going to share a screen?

Gerry Gebel:
I will but I was thinking, Doug, that maybe I should go after Mike and Wolfgang.

Doug Simmons:
Yeah. Would you have, somebody...

Gerry Gebel:
It's a good question but Dave Englehart is... Oh, here's Mike. Good. That's good.

Doug Simmons:
And there's Wolfgang. We're good. Yay. Okay. Were you guys listening to my spiel?

Mike Engle:
It was fantastic. Seriously.

Wolfgang Goerlich:
All right.

Doug Simmons:
Then you get to go first, Mike.

Mike Engle:
Lucky me. That's great. Happy to. No, thanks for framing that out. We've been wrestling with these passwords since they say 70 years is when the first one was invented, right.

Doug Simmons:
I'm going to add a question though to what I had when I put this back up here, hang on. I'm all over the place, aren't I. But Dave [Inglehart 00:15:33], one of our customers who is listening in here, says, "Have you seen companies deal with users not wanting to install apps on their personal devices and the company not wanting to buy expensive devices for thousands of users that only need passwordless, right?" That is a big problem. So factor that into your speech here as you get going. Okay?

Mike Engle:
Yeah. Yeah. Let me jump in. I'll steal your screen.

Doug Simmons:
I'm going to stop there.

Mike Engle:
All right. So yeah, thanks for having me. My name is Mike Engle. I run strategy for 1Kosmos. We are solving identity. We really think about it as identity and not just authentication, a little bit differently than some others in the industry. You mentioned standards, interoperability. That really is key for us. And for us, there are two key identity standards that we have applied to our solutions and ultimately our customers. Think about why you need MFA. And you said it a couple times, Doug, it's to prove who it is that's accessing our systems. Well, how do you prove who that is? It's not a username, a password and a code. I mean, I deployed my first RSA server in 1990, I think '97 or '98, and we're still struggling with six digit codes, which can be man-in-the-middled, right? The bad guys have gotten really good at figuring out how to get those through social engineering or whatever. And there's just all kinds of problems with them: usability, costs, right? The user experience is terrible.

So if you come back to identity, there's the NIST 363-3 standard, which proves the government standard came out in 2017, it proves who somebody is remotely. And it has three levels of what they call assurance, IAL 1, 2 and 3. If you do this when you hire a new employee or onboard a high-value account, crypto, banking, they have to do this anyway. And you issue them (you mentioned public-private key pairs, which are a key part of FIDO and passwordless) cryptographic proof. This is, in our opinion, the first stage, and it doesn't have to be a heavy document scanning onboarding process, right?

You don't have to go scan 10 forms of government ID, but sometimes you have to do that anyway. So do it the right way, onboard them digitally and then issue them the credentials. And there are two sides to the standard: 863-3A, which says, "This is how you get identity assurance," and then 63-B, which is referenced in the FIDO standard. It's how you use that assurance in an authentication experience. So AAL stands for Authentication Assurance Level. And so solutions that meet these standards have the most interoperability and the best trust, and meet the government's requirements for onboarding somebody before they get unemployment benefits, for example, right? So you put these together and it's a different equation, and this is what we refer to then as identity based authentication, and there are two standards bodies: you already mentioned FIDO, and Kantara is the other one that does the identity assurance level.

So what tends to happen then is, we do these things separately and manually; the idea is to bring them together. And then you have cryptographic proof every time of who it is that's accessing your systems. Now you can't do this all the time, right? Not every system is capable of being turned into a modern authentication scenario, right? The mainframe still has eight character passwords and so forth, but however, for like 80% of your systems, by just deploying on remote access, Citrix, VPN, VDI, et cetera, Zscaler, and then your operating systems, and then in front of your single sign-on system, is your ID, et cetera, you've now covered 80% of that journey. And so this allows you to address not only how you onboard existing, but also new employees or customers.

And so to answer that question that you just brought up last, right, there's a fourth question, there are a couple ways to go appless or use an app. But the onboarding process in general is done typically from... This is how it's done everywhere, and this is how FIDO does it: you link an existing account and exchange it for a public-private key pair and biometrics. When it's time, then you proof them with citizen documents, and this could be as a step up, "As a new policy before you root into my infrastructure, I want to prove your citizen identity and give you the cryptographic proof to use it over and over again." So that's really the way we think about it, and to answer the question about appless versus app based, one of FIDO's strengths is the ability to use your browser in a passwordless experience, right?

So if you have Safari, Chrome, on Windows, Mac, or iOS or Android, you can go passwordless today without an app, right? So you need both an app and an appless experience as part of that. [crosstalk 00:20:34] suck all the oxygen out of the room. I'll take a break.

Doug Simmons:
That is pretty cool. All right. So what we're saying is that by default, everybody has this app on their mobile device anyway, right. Chrome or Safari. So you're not adding another app, but you're leveraging that existing app through this ceremony, this registration process. Is that what you're saying?

Mike Engle:
That's right. Yeah. So, in an employer environment, you give them an app, right? 90% of your employees will use an app and get in. The other 10%, well, if they're unwilling to put an app on their phone, they make them do it the old way, username, password and six forms of 2FA, 3FA on top of that. It's their whatever. It's still good, and then for the customer side, you can't always make them use an app. So if you can, great. You've got a very rich... Your bank app, very rich mobile experience. But if not, then you use WebAuthn, which is the FIDO standard that embraces your browser to let you go passwordless.

Doug Simmons:
But you couldn't do that for an enterprise employee?

Mike Engle:
You could, but WebAuthn is really geared towards web-based systems, and a lot of times we're logging into Windows workstations, and there you could typically leverage "Hello" on Windows, but you're not seeing a lot of WebAuthn in the enterprise, at least from our perspective.

Doug Simmons:
I know what you're saying. Yeah. Okay. Okay. False alarm on my part. Got it.

Mike Engle:
Yep. I don't know who wants to go next.

Doug Simmons:
That's all you're going to say, Mike?

Mike Engle:
No, I got plenty more. I just don't know how much time we have. We got four speakers, so.

Doug Simmons:
All right, Gerry, I'm going to save you for last, if that's okay, because you're coming at us from a slightly different angle, right?

Gerry Gebel:
Sounds good. Yes. Okay.

Doug Simmons:
Thank you. Wolfgang, you there?

Wolfgang Goerlich:
Hello. Hello. Hello. [crosstalk 00:22:24] Can you hear me? Let me share real quick. All right. That coming through okay?

Doug Simmons:
Yes, sir. Beautiful. Thank you.

Wolfgang Goerlich:
Good deal. So I really like the point that was just made about how we've been dealing with this prompt for six, seven decades. And it's really fascinating too, to go back and look at the very first password, because within a couple months we had the very first password breach. I mean, right off the bat. We've known this isn't a good approach. So with passwordless, from a Duo perspective, we're really looking at it as two things. One, reducing the user friction, and secondly, increasing the security. I think those have to go hand in hand with passwordless. I think if you look back at it, the decades, every time the adversaries have gotten a little bit better, we've really had two effective choices. We've demanded more of the user: have a longer password, rotate the password, change the password, have multiple passwords, have different passwords, have passwords that are not in the English dictionary.

We've asked more from the user, or we ask more from the machine, and it really has gotten to the tipping point where, if you look at the strength of multifactor, what we're asking from the user is the weakest factor, and it's the easiest place where we can increase the performance. So the first thing, in terms of passwordless, it has to make the user experience better. The second thing I think is incredibly important is, all right, let's just take the name itself. We tend to define innovations by what they're not, and this is passwordless. We're authenticated without a password. Sure. Makes sense. Now I'm calling in from Detroit, and 100 years ago, what was high tech was the horseless carriage. What do you get? You get a carriage without a horse. That makes perfect sense. That name belied all the improvements in safety and comfort and speed. And again, reduction in friction that came with the automobile.

I think in the same way, what we're calling passwordless today is going to involve more than just getting rid of the password. It's going to involve and evolve into an entirely new way of looking at authentication and enforcing security. And just like you were presenting in the beginning, using things like the context, the conditions, the behaviors, all those sorts of things. So what passwordless is not, really, it can't just be removing the password. That's great. It's a great start. Users will be happy, but that won't necessarily increase security. And we'll still be in a situation where we've got a single factor. And we've known in terms of compliance that we really do need to have multiple factors for assurance, let alone for handling things like people losing things. So at Duo, our vision for passwordless is something you are, plus something you have, and combining those multiple factors into a single action, which is an increase in simplicity, and then removing that shared secret, which of course is the increase in security, by moving to something like public-private keys.

Now that creates an authentication that is one step, that is easy and simple. That means we can use different factors. So the question earlier about what if people don't want to use their phones. Obviously I'd rather people use their phones. It's convenient, it's easy. You're less likely to leave the... I left the house the other day without my car keys, but I had my phone. I tried to leave the driveway, then I realized I was missing something. We're pretty connected with our phones, but for those people who are concerned about that, this allows us to use security keys and other tokens. And along that path, at that point of authentication, using device identification, behavior analytics, to reduce fraud and have a greater level of trust and a greater level of assurance that the authentication is coming from where we think it is.

This is over the 502 standard, which was previously mentioned. This will work best with SaaS apps, with single sign-on, with anything through the browser, as you might expect from 502 with WebAuthn. It'll work best with applications that are integrated with SAML, such as your VPN connection and those things. Our long tail, right, I think I saw someone in the chat asking about this in terms of OT and SCADA. Our long tail here is really going to be legacy systems and systems that have been around for a long time that are relying on proprietary authentication mechanisms. So that's the general approach.

In terms of Duo, really focusing very heavily on keeping it incredibly simple for the users to use, I mean, you're already doing multifactor. We're just getting rid of one of the factors. We're getting rid of the weakest factor from a user perspective and making it very easy to trust, because in addition to that multifactor, using things like device health, insights, behavior analytics, and then really emphasizing the integration component. So if organizations are doing IAM or have an IdP through someone else and, let's face it, we all do. Most of us have multiples. Most of us are dealing with IAM sprawl at the moment, as I have a lot of conversations. We will be focusing in on running on top of that so there isn't a rip and replace scenario.

I did mention single sign-on. I do want to pull this part up front and center, because when I think about the long tail for passwordless, the longest part is the OT and the SCADA equipment. My apologies, whoever in chat asked that question. I haven't seen that solved yet. It's going to be a while. But closer. What's really fascinating is legacy. Your legacy used to be our on-prem stuff, and in the cloud was the new stuff, but we've had stuff in the cloud long enough, and now many of us are dealing with SaaS apps themselves that are legacy. And we know SaaS apps don't necessarily always keep up with the modern authentication. We know they came late, so it's also incredibly important to look at things such as your single sign-on, SAML, because if the app supports SAML, we can connect it to single sign-on, and if the single sign-on supports passwordless, which Duo does, then we can bootstrap those apps into a passwordless environment well before the SaaS provider gets around to supporting 502 and WebAuthn.

So very broadly, that's our approach and I'll stop sharing and answer any following questions.

Doug Simmons:
That was great, Wolfgang. Here's what I want to do. I'm going to give Gerry the stage.

Gerry Gebel:
Okay.

Doug Simmons:
And I think we'll have enough time for you guys to answer questions directly because I think the audience is all ears. This is a great discussion. Go ahead, Gerry.

Gerry Gebel:
All right. Thanks Doug. Yeah. So I'll start out by saying that Strata is not an authentication vendor, although we work to make implementation of authentication easier. So I think we're tackling one of the obstacles, Doug, that you asked about in your slides: how do we get MFA and passwordless and other modern authentication schemes deployed faster and more easily? And especially to some of those legacy apps that Wolfgang was just referring to that sometimes are difficult to deal with. So we do this by implementing an orchestration platform. So we have a connectivity layer that can integrate with MFA providers and other identity services, or we can build recipes so we can direct users to the right authentication provider, whether that's the IdP or an MFA service, to augment that authentication step, and then these configurations are deployed out in runtime in a control plane that sits in front of your applications, be it on a cloud environment, a SaaS app or legacy applications.

Looking at it slightly differently, we'll see the orchestration system again in front of the application, and we can connect, we can broker the right mix of authentication to different applications, again, depending on the configuration settings, depending on what is your risk profile for a certain set of [inaudible 00:31:43] applications versus others. And we think these are some of the deployment challenges that we address, Doug. Deployments can be slow because in many cases, particularly with legacy applications, you otherwise might need to change the app, right, to refactor the authentication code, and we just don't have the bandwidth, the time, the resources to do that. So Strata can integrate with those apps without changing those applications. That's a key aspect here.

Then of course, if we're dealing with a multi-cloud environment, which almost everyone is, and we're deploying applications and utilizing SaaS apps across a whole range of cloud providers, we can, again, coordinate, broker and choreograph the authentication across that whole range of applications. And we allow this to be done in an incremental way. So any big bang implementation is going to be rough on users in particular. So we have the ability to phase in incrementally an MFA rollout, again, to support those needs. So we can be implemented in essentially a no code or a no custom code way for the vast, vast majority of applications. So no rewriting needed there. Also plug and play across cloud providers, SaaS applications, or on-premise legacy apps. And then interestingly enough, for those of us who are familiar with those great old SecurID cards, they were great at the early MFA, but are expensive and hard to deploy to a vast majority of users or larger population for those cost reasons.

But we can connect with them and allow them to co-exist as we transition over time, incrementally over to those more modern MFA providers that are out there today. So I think I'll pause there, Doug, and turn it back over to you so we do address the questions that have come in from the audience.

And did we lose Doug? I don't see him on the panel anymore.

Wolfgang Goerlich:
Oh, man. [crosstalk 00:34:09] have control of the asylum.

Gerry Gebel:
That's right. I guess we better just take over then, Wolfgang. Have you or Mike looked at the questions that have come in to see how they could be answered? I think many of them are more technology focused.

Wolfgang Goerlich:
So the one that I alluded to came in from Chris Wallace and he asked, "How is the industry responding to boutique needs of industrial networks like SCADA, ICS, XMLT." I don't know if you guys have a good answer for those environments.

Gerry Gebel:
I do not. What about you, Mike?

Mike Engle:
Well, not using traditional IAM technologies where you can just snap on your SCADA system doesn't support SAML, unfortunately. What I've seen is this has nothing to do with this conference, but there're devices monitoring now that can detect when they've changed. So you're almost a little more reactionary. So one technology I've seen is called [V Fortified 00:35:08] and they have this little device that you put near some [inaudible 00:35:13] device and they'll detect if the firmware has changed or anything out of spec. If you think about Stuxnet, they modified the centrifuges by putting different code [crosstalk 00:35:21] So it's almost like the identity of the device from its activity and its action. So I think the industry's getting creative in trying to figure out ways to solve that.

Doug Simmons:
Oh boy, I don't know if you guys noticed, but I lost my internet connectivity.

Gerry Gebel:
We did. We were just [crosstalk 00:35:40].

Gary Rowe:
Actually Gerry jumped in and then I was getting ready to jump in, but back to you.

Doug Simmons:
All right. So Gerry, could you go through that again because I missed all of it. No, I'm kidding.

Gerry Gebel:
We'll do a one on one with you, Doug.

Doug Simmons:
I think I understand where you were coming from anyway, Gerry and Mike and Wolfgang appreciate perspectives. I think we're again, we've run similar paths in terms of this journey of bringing less intrusive, highly or more secure, I should say, mechanisms for authentication to the table. There were some good questions and I think I lost them. Did you guys have a chance to look at them?

Gary Rowe:
Yeah. So, do you want me to just raise them, Doug?

Doug Simmons:
So yeah, if you can see them, would you please?

Gary Rowe:
Yeah, sure. So one question from David Engelhart is, "The proof with citizen docs can be difficult with vendors that have employees from all over the world. Most can do DM the verification, but what about a developer from India, for example?" So that's the whole outsource thing we keep talking about, Doug.

Mike Engle:
Yeah. I posted one answer in there. I mean, there's no one solution fix all. I think that's been said a few times. So your global Fortune 100 company, you've got 25 different companies to onboard. You're going to need multiple document onboarding companies, most likely, although there are some that will do something, for example, what they call agent assisted verification. So even if you have an identity in some country that's not covered by anybody, they'll go to the templates out there, right. There's a book of 4,000 different documents and they'll do their best to try to match it. So it's more of an art than a science sometimes, but the science has gotten very good with scanning and AI and matching your face to the document as well. So it's kind of a hybrid approach that gets it done.

Doug Simmons:
Yeah. Instead of an 80/20, it might be down to a 99/1, right. But the [inaudible 00:37:40] one and what we hate to see is not doing anything because of that one case, right?

Mike Engle:
Yeah. Yeah. Perfect is the enemy of good and great, right?

Doug Simmons:
Now, there was a good question there too, that was asked about the facial recognition and you answered it quite well. Maybe you want to bring that up. And I would also like you to, the way I responded to it is that passwordless authentication in my mind is still multifactor. So it's not just biometric. You still have to have something, it's that key. Right? The key pair is associated with you. And am I wrong in thinking that passwordless is just an extension of multifactor or do you view it as something completely different?

Gerry Gebel:
No, I think passwordless is one step, right? It's one mechanism of a key exchange in a biometric, but there're different strengths for that. So for example, all of our devices have device biometrics built in that doesn't show up and the problem with that is that doesn't really verify your identity. For example, my wife and kids have their fingers and face, whatever on my phone. If my son picks it up, he's opening my brokerage account because Apple can't tell the difference, right. Do you want that to happen with your corporate email or your whatever? And the answer's probably no.

That's where you need real biometrics and the world has really opened up there. So now you can... If that app will scan my face and compare it to the face that I enrolled with when I joined the company, my son can't spoof that, right. He might be able to wave it on my face when I'm sleeping, but I'll probably catch him, right. Yeah. It's a lot harder. And then they also make you interact with the camera, like turn your head, blink and smile. So now you have much more unspoofable biometrics, which is a much higher level. Yeah.

Doug Simmons:
Okay. I'm learning. Thank you. Thank you.

Wolfgang Goerlich:
So I'd like to say something into that one. I really appreciate, Doug, you pointing out passwordless is still multifactor. There's some ways of doing this that are not multifactor and I think that reduces the strength of the security as well as going to get us into some compliance issues. But to Mike's point, if we think about it and there's some people are like, "Oh, I won't go to this because there're problems with it." If we think about it, no one can make a better type... Or a keyboard. I was typewriter, oh boy! No one could make a better keyboard that can detect if I'm typing the wrong password or detect if someone is sending key strokes across the country. However, with biometrics to Mike's point, we've got a variety of ways that we can increase the strength of those. We've got a variety of different ways that we can address fraud and while there may be that cat and mouse game that we've had with passwords, we're not going to be requiring that much more from the person to, "Turn your head and smile," is not the same as, "Please remember 232-character passwords."

Doug Simmons:
Exactly. Right. The Google Chrome saves screen, that's it. That's the only way I can log in here. Okay. Excellent. I think we're at the end of our time. You guys are stupendous. I wish I could have heard your speech, Gerry. I'm going to listen to the recording.

Gerry Gebel:
All right. Sounds good, Doug.

Doug Simmons:
All right. Thank you guys.

Gerry Gebel:
Thank you.

Doug Simmons:
Wonderful. I appreciate your time.

Gerry Gebel:
Thanks everybody.

Gary Rowe:
Thanks everyone. Next on will be Nick Nichols talking about future state security, starting with resiliency.

Doug Simmons:
That's in 10 minutes, right?

Gary Rowe:
Yeah. Which is a really good topic in about 10 minutes. Thanks everyone [crosstalk 00:41:10]

Watch this Chrysalis Panel Discussion, featuring Mike Engle (CSO) from 1Kosmos, to learn more about the future of the user authentication landscape.