Vlog: Overcoming Resistance to Change on the Journey to Passwordless MFA
Join Michael Cichon, CMO of 1Kosmos, and Mike Engle, CSO, as they discuss the journey to passwordless multifactor authentication in their insightful vlog. Discover the nuances between the passwordless feature and implementing it across an entire organization, the importance of addressing edge cases, and strategies for successful adoption. Watch now for valuable insights and download the whitepaper to learn more.
Michael Cichon:
Well, hello everybody. This is Michael Cichon, Chief Marketing Officer at 1Kosmos. I’m here with Mike Engle, our Chief Strategy Officer. Mike, it’s been a heck of a quarter, a lot of busy activity. I haven’t talked to you in a while, but we do have a new white paper on our website, and this is about a topic that’s come out quite a bit about overcoming the resistance to passwordless multifactor authentication. So I wanted to take a few minutes to talk to you about this. Can you tell us a little bit about passwordless, the feature or the shiny object, if you will, versus the task of getting an organization to go passwordless across the enterprise? Seems to me there’s a little difference there. Can you shed some light on that?
Mike Engle:
Sure. Yeah. It’s great to be here again. The term passwordless is not clearly defined. In fact, at the conference a few weeks ago, I put up 10 definitions that you can get of the first 10 places you look, and they’re all different. People will call emailing you a magic link passwordless. But it’s important to start with the objectives. We want to get rid of passwords because they’re bad, they’re stealable, and the number one cause for breaches. But we also want to fix a broken user experience. We have customers that hate logging in, employees that hate coming to work, and it’s not about just getting rid of a password in a system somewhere. It has to be done with a holistic plan across the enterprise.
Michael Cichon:
Okay. Well, that leads to the very second question I was going to ask you, which is the mini edge cases, authentication edge cases around the enterprise. How important is it to get your arms around these versus, for the sake of discussion, just duct taping passwordless onto one or two systems?
Mike Engle:
Yeah. No, the reality is you can get rid of, I’d say, 80% of your passwords if you target the heaviest used systems. And in an organization, they are your remote access, your operating systems and your SSO gateway, paying Okta, ForgeRock, Azure AD. And so you start there. You just do remote access and that’s a major point of friction because typically they’re using secure ID tokens and it’s where the bad guys would try to get in first. So you start there, but you do need a plan to cover that remaining 20%, otherwise you actually introduce more friction. And so it starts with a holistic inventory. Here’s the 12 ways that people have to authenticate today. Prioritize them and go after them. It’s pretty straightforward, but for some reason, people will start with one feature on one platform and go after that.
Michael Cichon:
Oh, okay. So you’re saying we don’t kind of tiptoe into this with some lightly used systems. It’s not a big bang, but we’re going to dive into some of the heaviest used systems and go passwordless there. So how do you do that? What’s a simple way of doing that without risking business disruption?
Mike Engle:
Yeah, so there’s a couple strategies we have. One is we have a term called coexistence, and you don’t do a big bang changeover on any system. For example, when you hit that remote access portal, you’ll have a path for users to do it the old way and do it the new way, and it’s usually split that black and white. Here’s the new stuff, use your modern identity software like 1Kosmos, and here’s the old way. Maybe you haven’t gotten there yet, or you’re having problems, or you’re one of those 8% of users that refuse to use a phone or whatever it is. You have to handle exceptions, edge cases and a gradual rollout. So coexistence is one strategy, and the other is self onboarding. So let users learn about it and come to a portal and say, “Sign me up.” And the way we do that is we have them authenticate one last time the way they do today, prove who they are from the company’s standards, and then enroll into a modern identity based authentication system. So those are two strategies that make it can really go viral if you do that right.
Michael Cichon:
That makes sense. I mean, give the user or employees, so to speak, an option to do it at their own, I guess, appetite.
Mike Engle:
That’s right.
Michael Cichon:
So I know that we’ve worked with a handful of companies that have tried passwordless and failed and we’re kind of coming in and helping to reenergize that initiative. Can you talk a little bit about the egg on your face moment when you’ve kind of tried to do it, it failed? How do you go about recovering from something like that?
Mike Engle:
Yeah. Most times it fails because they didn’t take user experience into consideration, so if you try rolling something out that’s worse than what it is today from a user experience. And that could even be the enrollment was too painful, you couldn’t get it done. There’s security considerations as well. Does my system create a security vulnerability by maybe storing something on the workstation, something secret? We’ve seen that happen to some of our competitors, and that excludes them from the race before they even get to the starting line. So yeah, there’s a number of really important factors that we’ve learned, and we love sharing those in RFPs and things like that.
Michael Cichon:
When you do a passwordless project, what’s the ultimate success indicator? How do you know that you’ve done your job or you’ve done it well?
Mike Engle:
Yeah, there’s a handful of metrics that you can use to get that high five moment from your peers in the C-suite. And the one is, there’s a clear path to ROI within six months. It’s I got rid of these three other authenticator platforms. These tokens cost $5 or all these SMSs that are going out to authenticate cost $100,000 a month, whatever. Put those in a bucket, you’re going to get rid of them, and take credit for it when you do.
The second is you have all this data in your logs. How long does it take to log in with username, password, and then fetching a code? It takes about 15 seconds, even if you’re fast. And then you can very clearly measure how long it takes with a usernameless and passwordless system like ours, and that’s going to be about four seconds on the high side. So take that 11 seconds and add them up. Just have somebody analyze six months of logs and you saved about 6,000 man-hours. And that’s soft ROI, but it’s really powerful. But even more important is you measure customer satisfaction. So before you even get started, ask them, how much do you logging into these three systems, A, B, and C, one to 10? And you’ll get a one, a two if you’re lucky, on the before, and then on after, we’re consistently getting eights and nines. So take credit for that as well. It’s very rare that a security system will make people’s lives easier and more secure. So yeah, they all add up.
Michael Cichon:
Okay. Well, in dealing with the number of companies you have, have you seen the aha moment where companies go from passwordless, how am I going to wrestle this beast, to passwordless, I got this, I’ve got it covered?
Mike Engle:
Yeah. Yeah. We walked into one of our big Wall Street clients and it was up on the monitors. So click this QR code, it takes them to an intranet site to get onboarded. And we then went down to a meeting down the hall, and it was an all hands with 70 people in this group, and they had to log into one of these big kiosks here in front of everybody. And normally, you’d have to get out the keyboard or type on the screen and type in J Smith and the 16 character password in front of everybody. And what he did is he whipped out his 1Kosmos authenticator, he scanned here, touched, and he was in in one second. And you could hear the little gasps from the audience from the four people that weren’t enrolled yet, like, oh, I’m really embarrassed now. That was aha moment.
Michael Cichon:
That’s awesome. That’s awesome. Well, when it’s that easy, I imagine users buy in. You talked a little bit about coexistence before and getting users to buy in. Just maybe a parting shot, how do you get users to buy in to this type of initiative?
Mike Engle:
Just give them a choice. If you had a choice today of using face ID versus typing in your Apple ID username and password, which would you choose? It’s a no-brainer. The one or two times on your mobile phone when it says, what’s your Apple ID password? You’re like, oh my God, what am I, in a stone ages here? Right? It happens every once in a while. If you try to turn off find my iPhone, all of a sudden you got to type in. I don’t know my Apple ID password. Well, I do. So just give them a choice and they’ll make the right choice and in turn be more secure.
Michael Cichon:
Well, personal anecdote, it took me about three weeks because my iCloud ran out of space and my phone was screaming at me, but I couldn’t add, iCloud without knowing my password. So I went about three weeks without having my phone backed up. And finally I bit the bullet and I reset the password this past day.
Mike Engle:
There you go.
Michael Cichon:
All right. Listen, I appreciate your time, Michael. Again, the white paper on our website, Overcoming Resistance to Change on the Journey to Passwordless Multifactor Authentication, it’s on the 1Kosmos website. Click the insights, go to white papers, download your copy. It’s complimentary, just a short form fill. I think it might help you quite a bit in understanding the difference between passwordless as a feature and the job of getting passwordless done. Mike, thank you very much for your time.
Mike Engle:
Great to be here. Thank you.