Aligning Passwordless Authentication with the Requirements of a Zero Trust Strategy
All right. We are going to get started here in just a second. Let these people stream in. We're broadcasting this on Zoom and a couple of other platforms for those joining us on LinkedIn Live. Harish or Nitin, have you guys enjoyed your summer?
Harish Bangalore:
Yep, I think it is good. I think Atlanta has been spared a bit, although it's hot. It's known for a reason. It's called Hot Atlanta.
Mike Engle:
That's right.
Harish Bangalore:
It's still better off than many other places who are experiencing global warming.
Mike Engle:
Yeah. There's some terrible things going on. Summer is almost over sadly though.
Harish Bangalore:
Yeah.
Mike Engle:
Back to school.
Harish Bangalore:
Back to school and back to hurricane season.
Mike Engle:
Yes, that's right. They are forming in the Atlantic as we speak.
Harish Bangalore:
That's true.
Mike Engle:
All right, well let's get the show on the road. Thanks everybody for joining us. My name is Mike Engle and we're here today to talk about aligning passwordless authentication with a zero trust strategy. I'm Mike Engle, co-founder and head of strategy here at 1Kosmos, and I'm joined today by Harish Bangalore. Harish, if you wouldn't mind saying hello and telling people who you are, where you come from.
Harish Bangalore:
Sure. Hey everyone, I'm Harish Bangalore. Again, thanks Mike for having us today. We're excited to be partnering with 1Kosmos. And again, passwordless is such an important topic in today's world. I'm responsible for cybersecurity practice across East America and Canada. I'm based out of Atlanta.
Mike Engle:
Excellent. And Nitin?
Nitin Bajpai:
Hey Mike. [inaudible] and I'm based in India, Bangalore. And part of Infosys identity and access management practice as a part of cybersecurity. And I have been in this area for quite some time and I think more than 15 years or so. So living and breathing in the identity and we have seen lots of ups and downs and a lot of innovation going up, going down, hype cycles on that and cover purely tracking as well as helping our clients to cover this journey.
Mike Engle:
All right, well let's jump in then, but first I just must say that I like all three of our profile pictures much more than our real pictures. I think we're all dated about 15 years on our photos as well, so that's okay though. That's what you do, right? But yeah, let's set the stage.
Harish Bangalore:
We always believe we are young at heart, right?
Mike Engle:
That's right. My Instagram picture, I'm 18. So yeah, let's set the stage here. There's a lot for us to talk about today, specifically on better ways for us to prove who we are when we're working with online systems. And the reasons are many, but one of the biggest reasons is security risks. We've been dealing with passwords since the 60s and we're seeing just a continuous upward trend in the number of attacks and number of breaches that involve what they say is the human element. And the goal is really to get rid of these credentials.
And so passwordless is one of the hot topics, but it needs to be done. It needs to be aligned with your current processes and also needs to keep identity in mind. And we're going to talk a lot about that here today. Harish, maybe comment briefly on what you're seeing with your clients, an uptick in this type of conversation, I'm sure.
Harish Bangalore:
Yeah. I think today, based on my conversation with a lot of the customers across the verticals, so password happens to be, end of the day, passwords are used by the users and users happen to be the weakest link in the cyber world. And password is extremely vulnerable when it comes to phishing attacks or any, they're always one of the, or attack compromise or password compromise when it comes to end users and things like that, which essentially is a root cause of all the breaches.
And not just that, so we have enough number of applications that we use on our mobile apps or desktop apps on a personal level as well as we have a whole bunch of passwords that we need to remember at the enterprise level. It's not easy. And I think having a solution like a passwordless where I really don't have to remember any number of passwords for the application that I use, I think it's a great deal. And then it significantly improves user experience and if you're able to bring in continuous authentication to the passwordless solution, it improves the security. And I think that's basically what I'm seeing a lot of customers embarking on the passwordless journey, Mike.
Mike Engle:
Yeah. No, thanks for that. And passwordless doesn't just mean less passwords. It's another way of we want to get rid of them, they shouldn't even be in the equation. And so the solution in all this is yes, get rid of the password, but you want to do it in the way that not only creates a better user experience but gives you some assurance about the person who is at the other end of the connection with verified identity. Because I can give you a token and have you press yes on some app somewhere, but it doesn't necessarily prove that it's Nitin. And that's what we're going to demonstrate a bit of that here today. But first I'll ask the two of you just to run through a bit of the Infosys perspective. So let's dive in here and talk about some of the steps that you guys will implement for your clients along the way.
Harish Bangalore:
Yeah, as I just mentioned Mike, passwordless is not something you just click a button and you're done. It's a journey. It's a journey where you need to really look at it, a delicate balance between security as well as user experience. It cannot be that you try to secure it way too much, then it starts creating a user inconvenience. I think that's where we are saying that we need to really look at it holistically from a security perspective, from a privacy perspective and from a risk perspective, especially when you talk about financial organizations and things like that. And lastly, but most important is the user experience. So that's basically what we see as if you really look at it as a three step process.
And the second one is how do we bring in ROI? Because today every customer has multiple IAM solutions. You have one for IGA, you have one for PAM, one for single sign-on, one for CIAM, the customer identity access management, which caters to basically your B2E, B2B and B2C requirements. And how do you ensure that bringing a solution like this really benefits the enterprise? Creating that ROI so that everybody understands the value of it.
And then from an adoption perspective, for example, as 1Kosmos and Infosys, I've been working on some of the reference architectures, deployment guides, frameworks that we have been working together. So to accelerate, expedite the deployment, which Nitin will be talking about in a bit more detail. Again, something how we can help some of our customers in adopting the passwordless journey. And I think that's what we have represented right at the bottom of the screen. Essentially looking at it from a security perspective, user experience, and how do we really bring in the total cost of ownership rather than implementing passwordless across each of the IAM tools in the enterprise.
Why don't we look at implementing it in one solution like 1Kosmos that caters to the entire enterprise need? And this is very important because there's no standard for passwordless today, and I think as the standards are evolving a solution, 1Kosmos actually helps cater or they're more closer to what the industry standard would look like because there's so many different definitions of passwordless in the environment. So I think with that I would hand it over to my colleague Nitin, who will talk about from a technical perspective, what are the considerations that we need to take into account for implementing a passwordless solution.
Nitin Bajpai:
Yeah, thank you Harish. Harish, as you rightly mentioned, that it's a journey and when we are actually talking about how passwordless strategy within an enterprise is going to take its shape, so there are multiple conduits into it and also there are multiple stakeholders that we need to actually bring it up and write, forming a consensus across multiple stakeholders. So for example, when we actually talk to the security, there's a security, stakeholders are having different objectives. They're actually talking about the security of the user data as well as the privacy perspective.
And then there are right to the risk management team. They are again, basically talking about from the compliance perspective also, because if you say that the NIST has clearly stated that the authentication maturity level that we have it as of now in the organization, whether it is for the B2C or for the B2E scenarios, it's actually the output of the authenticator that is being used.
It is not tied up with the session of a particular application or a service that we are actually using. So even the NIST is recommending that we need to actually get into the authenticated output, totally bound with the session and it should be asymmetric, public and private key based. And there are multiple ways to deliver that kind of maturity. But how we will come into that one? Now there are customers who are already using some sort of MFA. We need to actually assess in comparison to what NIST is actually saying, because there are no such very good standards available as of now as Harish stated.
So it's a step-by-step process. One, whatever you have it, make sure that you are fully utilizing it. So enterprises may have their own IDP solutions in place. I can actually recommend corset and examples also, but the gist is this, that are we utilizing their own capabilities first? So that is something. You are going one step above and making your authentication posture very strong with the existing capability.
And then you talk about how we can reduce the overall password exposure area. So can we actually adopt certain tricks and solutions where that dealing with the password is going to be the lesser. So that is something, as Mike was also saying, it is utilization of the password in a lesser one, but the end goal is actually eliminating all the passwords. So then you are actually talking about the solutions which are actually helping us eliminating the passwords at all. And there are multiple passwords available. That scenario, the solutions available in that scenario, which are actually going to help you in that.
1Kosmos is one other leader where the organization can actually trust that slowly we can encourage the end users to stop using the password at all. So this cultural change will take some time, but the technology and the solution is already available with the verified identity mechanism. And then as of now, the people say that passwordless is also MFA and which is true. In fact the whole purpose of the passwordless talking about that we are actually signing the first factor, signing the second factor, other factor also within the same token mechanism with the passwordless. At most the username might be required. Yeah, Harish?
Mike Engle:
No. I figured I'd pull up this slide here because it was really in line with what we were talking about. The term passwordless, I googled it and I asked Claude and GPT for some definitions of it. And this is what I got back. It's just all over the map. Is it a one-time code? Is it an authenticator app, is it a push app? Is it Touch ID, Face ID? And I think there's one thing that you said, Harish, that I did want to comment on, that passwordless doesn't have a standard. Identity itself has some standards. And I want to comment on, just touch on these real quick. The two standards that are really setting the stage for us to be able to transform digital experiences are NIST 800-63-3 and FIDO. And I know that these are still loosely used in the industry. The federal government is using this, 800-63-3, a lot.
Banks use other things for KYC and FIDO is really popping up everywhere, but it's very sporadic. It's implemented in different ways. However, they do give us a good guideline of where we're going to be heading in the future. And so these are standards that we do focus on and enhance and complement. You can't do just these things. So yeah, thanks for all that commentary, Nitin. And let's keep moving forward here.
As we talk about better ways to authenticate, it's important to know the difference between device-based and identity-based. So Nitin, I'm guessing you have a passport, ad hoc card, some types of credentials in your pocket or your bag. Those are linked back to your identity and they have some type of biometric, a photo. And that biometric is one of the key differences between device-based and identity-based. And since we're here today to talk about zero trust, I think it is important to realize the importance of biometrics in that equation. So Harish, what kind of adoption of biometrics are you seeing at some of your clients at Infosys?
Harish Bangalore:
Yeah, I think definitely iris detection, fingerprint is definitely there. Those are primary ones that I've generally seen, Mike. At least are the primary ones.
Mike Engle:
Yeah, and of course we have all of our iPhone and Android device biometrics. However, they don't prove your identity. That is somebody's face on a phone, but it doesn't say this is Mike Engle's face necessarily. In fact, there's more than one face on my phone. Mine and my wife's, right? We share everything. And so she can log into my banking app and if that's not implemented properly, she could possibly get into my work apps if we didn't have the right controls in place. So that's the difference between real biometrics and device biometrics.
And so as we move along this journey, there's a couple of really important considerations when you implement zero trust as it applies to identity. And it has to support your long-term business objectives. So when we work with our clients, these are some of the things that drive us to a really successful deployment. It is having more than one option. You can't force people to use a phone to authenticate. In some states it's illegal, some people can't. Maybe there's environmental considerations as well. And so you need many authentication options. We're going to talk about some of them here today. And I know you mentioned quite a few. And then verified user controlled identity. So Nitin, have you been through a process where you've had to scan a government credential to get into a website?
Nitin Bajpai:
Yes, Mike. And typically it has been a very painful process. If you are actually doing it manually. So now there are some solutions available. Here, as a citizen of India, with [foreign language] and they actually recommend certain solutions like DigiLocker and you can actually scan the identity. But this is still developing as of now.
Mike Engle:
It's new. It is. Yeah. And our phone has been ringing off the hook. We've had one of the top 10 banks in the US work with us recently to prove new hires, new contractors and employees, lots of banking applications for KYC and anti-money laundering type control. So this is a really hot topic and when done right, it can be linked back to the authenticator. And that's what we're going to demonstrate here in just a little bit. And of course anytime the word biometrics is involved, you have to worry about the privacy of those biometrics.
So the reason literally billions of people like using the iPhone is they're comfortable with its Touch ID, Face ID model, that the device biometrics never leave and go to Apple's cloud. However, there is a way to have the hash of a biometric be used on a server. I'll give you an example of that here in just a minute as well. And then the only way to do zero trust as it applies to identity is with the type of biometrics that you mentioned, Nitin. So maybe just a quick comment on this.
Nitin Bajpai:
Yeah. I think, see there is one more factor as what I was basically trying to share is that device based fingerprinting or the other biometrics for measures that can be taken. In fact, we cannot fully trust on that also, Mike, you already gave an example. Until, unless just bandwidth that it is really you and authorized the claims, actually authorized by a government agency and runtime like you are sharing with the other party. And that is what I see a merit over here. Otherwise, the device-based biometrics are still yet to basically give a holistic zero trust until unless they are combined with the verified identity claims.
Mike Engle:
That's right. Right. So let's talk a bit about what the platform providers are doing in this space. So Harish, maybe you could comment a bit on how you're seeing some of your clients utilize, when I say platform, the SSO providers. I don't like to call them identity providers. I know that's the industry term because there's not verified identity on them, but they do a lot of single sign on and a lot of good biometrics, a multifactor. Maybe you could comment a bit on the flow here, but yet how complex it still is. Right?
Harish Bangalore:
It is. See, again, it goes back to what I was mentioning earlier because you have so many access management solutions in the environment today, customers using a different one for B2E, B2B and B2C. Essentially, if I were to adopt a passwordless journey, I will have to end up doing it three times with three different solutions. And again, as the standards are evolving, again, the maturity would be different for different products. I may have done it in one, but I may not have replicated a similar standard in another one.
Working on a solution like 1Kosmos where we could actually implement all the passwordless solution under one solution, catering to three different needs, especially the B2E, B2B and B2C. I think will help us be product agnostic and also be from a user experience as well as from a standards perspective, I think we'll be much better. It's just our view. And I think customers are still going through this phase. How do you start this passwordless? They're still debating, do I end up doing it three times with three different solutions or do I look at it as one-stop solution that really caters to it and complies with the zero trust principles? So that's basically what I'm seeing, Mike.
Mike Engle:
Thank you. Yeah, there's some great questions in the Q&A section. We'll get to them at the end. I just popped a quick glance at them and we'll definitely hit a couple of them up. And you just brought one up that's in the question. So this is the current state at most organizations. You have your SSO systems, they do some stuff for you. They do tons of conditional access, which is great and takes a lot of passwords down from target systems. Salesforce.com or SaaS applications, but you still have this messy picture of different authenticators that need to be used. And the goal is to consolidate this as you mentioned. So this is how we think about it. And when people talk about the journey to passwordless, you want to use identity and the definition of identity being verified identity and passwordless controls on top of that to access all of your things.
So the beauty of this is once you have a proper identity layer in your IAM stack is you can change any one of these, either move to it or from it, swap out a VPN provider, move from product X to product Y. And you almost don't have to even tell the users. If there's no password in that VPN system, in the new one or the old one, you just change it. You could change half the users, you could change one user, as long as you are using the right identity layer to get into them.
Now, we talked about ROI briefly, and there's a question in the chat about ROI. Imagine if you could get rid of all of your hardware tokens that are used to get into VPN. Not only do you save the cost of the tokens, but the management overhead. So maybe imagine the impact, Harish, what kind of bottom line impact would you have if you could consolidate two or three of these or all of them, right?
Harish Bangalore:
Yeah, I think that's a great point, especially the hardware tokens are still used, especially if you really look at it across the industry. And some of the customers have been there for a long time. They continue to use, some customers. I think you're absolutely right because a lot of overheads to manage hardware tokens, software tokens because it's a separate process that needs to be defined and maintained. There's a procurement process and whole bunch of additional overheads that you've got to deal with.
Mike Engle:
Right. Exactly. So let's talk about the user experience. Let's assume that we have our strategy and on day one we need to roll this out to 10 users and then 100,000 users on day two. This is really important, the user experience for your end users and your IAM administrators, because you don't want their life to get easier as well, it's to leverage the way that we roll out. If you go out and onboard yourself into any modern SaaS app, you take that same approach. Invite your users or have them go to a portal and click a link and self enroll.
So the way that we've had a lot of success with our clients is you take your existing authentication. Is it safe to say Nitin that most of your customers trust their existing authentication today? Say it's username, password, and a token?
Nitin Bajpai:
Yeah. Unfortunately that is what the state is as of now.
Mike Engle:
That's okay though, right?
Nitin Bajpai:
Yeah. And the more they-
Mike Engle:
Yeah. It's a layered approach.
Nitin Bajpai:
Correct. That is another challenge when we are talking about the VPN. One of the most challenges, whatever the technology you want to bring in, there are certain areas like VPN organizations are still struggling how to make our VPN passwordless, the VPN authentication. They are still on the legacy RADIUS-based authentication and there are a few challenges around it. So some providers have come in to provide the passwordless experience, but the overall mechanism is something.
Mike Engle:
That's right.
Nitin Bajpai:
We need to see that. Yeah.
Mike Engle:
So we'll convert users from the current existing, which is okay, right? Because you have endpoint controls and all these other things in place, so you trust it, but it's a terrible user experience and it still is susceptible to being phished or coerced. That's why we want to move to a phishing resistant passwordless. So we will do this and I'll demonstrate what this looks like in just a second, and then you just use it. It's a pop-up, do your biometrics and you're done. And this literally takes less than one second.
And the way we deploy this is with something called coexistence. Coexistence means you're putting the old alongside with the new, so you don't have to impact all of your users on a big bang type of deployment. So this is a real screen from one of our clients where this was actually a plugin to PingFed where Ping does its thing on the right, username, password, 2FA. However, nine out of 10 people are using the passwordless experience on the left. So this allows you to do it in a phased approach.
But there's no one size fits all. So let's jump in and take a look if you guys are ready for a quick demo of an identity onboarding first, and then using that identity to get into an existing application. So I'm going to show you, you mentioned Nitin, that some of your experiences with identity enrollment are fraught with peril. Can be quite challenging. So we've been doing this for quite a while and have refined the experience to the point where users just do it themselves. And so the flow goes something like this where you'll start with a company app or a 1Kosmos app. And what's happening here is we're enrolling multiple factors and none of those factors are a password.
So we create a private key, we enroll a PIN. The PIN is really only used for backup purposes. And then we do your Touch ID, your Face ID. And then we will enroll something called Live ID. And this is a game changer in how we can engage with our users. So that's me, no headset on. So what have I done here? I've enrolled four factors, they're in my control. I have not given them to anybody, they're with me on my device. Very important privacy consideration.
But now I can present it and use it whenever I need to. So how do I prove that I'm actually Mike Engle? Well, I'll just take the same application and introduce government credentials. We'll guide the user through scanning the front and the back, do security checks, match the face that I did previously and check all kinds of security features on the envelope to positioning the font and all that. Support for 200 countries, thousands of document types.
And this will bootstrap your hiring process. Instead of HR having to go collect these documents manually, I can now transmit that data to HR with the press of a button. And we support passports, so this really gives great international coverage, and a secondary form of credential. With passports you can even go a step further and hold the passport to it and read the NFC chip.
This is a NIST 800-63-3 high level of assurance, what's called an IAL2 process. It's approved by the government to then consume government services. So you saw how easy it is, now I can take this identity and use it anywhere. There's a very simple linking process where I will come to that portal on the prior screen, put in my Active Directory credential or have it mailed to me or whatever. There's multiple steps that can be done there and then I just use it. So what are your thoughts on that, Harish? If you could start your journey at Infosys, I don't know how it is, when you onboard there. With a process like this, what do you think that might change for the company?
Harish Bangalore:
No, absolutely. This will be a game changer. So because firstly, you don't have to send a whole bunch of documents to somebody and who will spend enormous amount of time to get that verified and things like that. This is something literally, it's so simple and you can actually trust this, right?
Mike Engle:
Right. And then on day one of your new shiny Infosys job, you come up to your computer. And if you think about the traditional process, what do most organizations when the day one hire needs to log into remote access or Windows, what's that process if either of you have some experience with your clients?
Harish Bangalore:
Yeah, I think, again, there are multiple, each company has their own process on this, but generally it's a lot of manual process that's involved where somebody creates an ID, then they provide that initial user ID and password for them to log in and they'll have an instruction set to follow through in terms of how to go logging in. Yeah.
Mike Engle:
Yeah. So exactly. Your line manager calls you on the telephone, gives you your password, tells you how to use it, you change it on, and then every 90 days you're changing it again. So folks in the audience will appreciate, plan B, the new way is now simply click a link, take that same authenticator app that we just enrolled our identity, and authenticate into the workstation. And I can prove my identity with real biometrics or just use my Touch ID, Face ID. So what did that do? That is zero trust authentication into this computer, domain controller, whatever it is, nobody else can do that. There was no password involved in that process.
And of course, user experience is important. You don't have to use real biometrics. So check out how you could unlock a workstation here instead of using the real biometric, which has a little bit of friction. You could just simply unlock and get a push message and tap okay on your Apple Watch, your phone, your Android, whatever it is. As long as you have the security controls on that device. So again, amazing user experience combined with amazing security. And there's some real ROI on the time saved in this versus having to go fetch a code and type in a password and reset it. So I'm guessing the ROI on this is quite a focus for a lot of your clients as well.
Harish Bangalore:
Yeah, I think this is more extremely helpful when you talk about, especially I can think of a scenario where if you're talking about retail customers where there's a huge turnover that you typically see in the stores. So when you have something like this, it really, because they're getting paid by the hour, the amount of time they keep waiting to get their IDs and they get their access and everything else, it may take a lot of time and they're just paying for doing nothing. I think something like this will make them productive pretty much once they're onboarded, that's it, they would have access to all these applications in real time.
Mike Engle:
That's right. Right. And Nitin, you talked about the flexibility. So what happens if I lose my phone or I'm in California and the law says you can't make me use my phone? Or in Illinois I can't use biometrics. And here's where it's one of the five pitfalls when you go passwordless is avoiding a one size fits all and allowing many options, even support for things like Kerberos and RADIUS and those scary words that have been around since the 90s, but they're important because they're still here. So this is where we can really leverage multiple options in a well-built platform to give many options for the downstream systems. And so let your IGA do its IGA and your SSO do SSO. They should not have to worry about how to send a one-time code to a customer because that creates a fragmented user experience as well.
So I want to show one more example. So a lot of times one of the questions in the chat is, "How do I do this without a phone?" And well, let me show you one example. So this is something called... There we go. We're using something called homomorphic encryption here. Now you'll see that there's no app involved in this experience. So imagine another option for you to get into your system, where you just use your face and no app is involved. And the experience would involve simply clicking on your session or typing in just your user ID. And instead of having to go fetch an app, we can leverage the biometrics built into every device, which is a camera. This is called Live ID. I'm blocking it here because it happens really fast. That's the authentication.
And from a consumer perspective, this is the way of the future. Imagine if you log in to do your benefits once a year or pay your taxes, you forget your user ID, you change your phone number, whatever it is. This is now the way that you're going to be able to say, "I forgot my... I don't even know what my username is." Well, let me just look at you in the face and look that up. And it does that without any images going to the server. So there's a concept of a one-way facial image hash that goes out and that's it. And so it's really exempt from GDPR. Nitin, how important are privacy laws like BIPA, CCPA and GDPR to your clients?
Nitin Bajpai:
Extremely important. In fact, one of the customer experiences that I was specifically having, and we were talking about biometrics based authentication, and they're right, the solution was saying that there would be a server and the raw data for the biometrics, I took fingerprints, it will be saved into that server, that kind of solution. It was totally rejected. So I think the countries and the organizations within the countries are very much concerned about that this data is not actually saved and misused to get their site.
Mike Engle:
Right. Yeah, exactly. So let's just talk about one more slide here where I know Infosys brings a lot of value to the table in a program. And so one of the questions in the chat, that's why I wanted to show this, is, "What is a strategy for the sequence of events to deploy identity-based and passwordless technologies?" And this is really it, and these are all important. There's really not one that's more important or can be done without the others. Well, you could. You could not measure success, the last step number six, but I don't think many successful IT programs would allow that today.
So step-by-step, setting it up, connecting to your SSO directories and then pragmatically picking the applications that have the most traction. So Harish, what do you think the top three applications would be across a Fortune 500 company that you would work with?
Harish Bangalore:
Yeah, I think definitely the applications would be more in terms of, again, depends on the end user. The type of user as well. So if you're talking about a B2E, you would have all those applications that are related to HR, which really matters of the application that I use every day, Office 365 and things like that. So those are the applications if you look at it from an employee perspective. But if you look at it from a consumer perspective, if I take an example, let's say there's a retirement savings account, which I need to access, or I could have a banking application or any of those kinds of things, getting those kinds of things could be another from a B2C perspective. So those are the type of applications I foresee.
Mike Engle:
Yeah, absolutely. So yeah, let's hop on to a couple of questions here since we're hitting the 40-minute mark here and we want to give everybody time to grab a beverage between their back-to-back meetings today. So here's a good question. I touched on this already, but can biometrics be compromised as an unintended consequence of passwordless? So fair question, if you're using biometrics, everybody worries about their biometrics being stolen because if your biometrics are stolen, you can't replace them. My face is my face. So maybe Nitin, if you want to give a couple thoughts on this, are you worried about your biometrics being stolen?
Nitin Bajpai:
Yeah, that is always a concern, but if you basically know the history of the FIDO Alliance, the standards, first they came up with FIDO1 and then FIDO2, and there is another level that is going to come up soon. So it is something the device and the operating systems itself are talking about. They are not actually recommending, it's a jail mechanism where your biometrics, the templates are going to get stolen. It cannot typically go away from the device. So that is a known one.
But the issue is that if somehow the device is in the hands of someone else, a device is stolen or lost, what are the concerns? It's not about my raw data actually being stolen, but the problem is there's the inconvenience, and that is something a big advantage over here in 1Kosmos. So Mike, if you can actually comment, in case the device is stolen, what will happen?
Mike Engle:
Yeah, exactly. When the iPhone 5 came out, they released something called a secure element or a trusted platform module, and it's a safe place to keep data on a phone or computer now. Your Windows, your Mac, your Android, and your iOS, so my biometrics on this device are stored in a very safe place on the phone. And you'll remember, whoops, you'll see some of the federal law cases here in the US, there was the San Bernardino shootings many years ago, and they had the bad guy's phone, but Apple could not give the ability for them to extract data out of that secure element. There was a fight between the FBI and Apple. And Apple and Google make some really bold claims about the security of that TPM. So if your stuff is on the phone, it's pretty safe. Is it 100% uncrackable? No, of course not. They're still computers at the end of the day.
Now when your biometrics go to a server, that is something that you need to worry about. For example, when you do driver's license verification and you're matching the front and back, typically those images go to a server because that's where all the processing power is, and they do all the checks. Now, typically then that data is discarded within seconds of the activity being done. So it's the privacy policy and the controls that are in place that make it safe or not safe. And I'd just say finally, if you do server-side biometric verification, it should be done with irreversible hashes. So if my hashes get stolen from a server somewhere, it's a bunch of numbers that cannot be turned back into something else and can be recreated in another way if they had to press the button and start over again.
Harish Bangalore:
And I think you're right. See, I think when you look at it from a privacy perspective, Mike, if you start doing server-side processing, and then not just that, you may have to start calling multiple APIs from different vendors and things like that as well, if you start bringing in a custom solution. I think with this information being stored on the device, basically those privacy concerns are almost eliminated to a great extent because you're not really processing. All this processing has happened on the device owned by the customer or the user himself or herself. I think that tremendously helps with the adoption.
Mike Engle:
Right. Absolutely. No, thank you for that. We have a question here. "Logging in without a device is great, but how do we prevent deepfakes? How do we prevent what's called presentation attacks?" So if I become Tom Cruise and put the rubber mask over my head and I become Nitin, can I fool this authentication system? That's a very common concern. And with the advent of AI and now being able to just take all of my video footage or stills from Facebook and recreate my likeness, we know that this is a real concern.
I'll say there are a couple of compensating controls. One is what's called liveness. So you can tell when somebody is injecting a stream into, say, a USB webcam. There are patented technologies to detect this type of thing. There are also technologies on a phone that will reflect light-colored images on somebody's face, and that can mitigate the fact that I could be holding a piece of paper or something that's morphed up and give you an indicator.
So a combination of liveness, and the types of liveness are active and passive. So active liveness, imagine Nitin, if I do the Tom Cruise, Mission Impossible thing, but then I ask you to say something that only you would know along with that, a phrase that's been prerecorded. Or if it is a video deepfake, I could just say, "All right, Nitin, would you just please say, 'The sky is blue,' you have five seconds." And right there on the screen, "The sky is blue."
So you can combine different modalities to create a much higher level of trust in those images. So it's a cat-and-mouse game. The bad guys are constantly trying to fool the systems, and the good guys like us are having their systems tested on a regular basis and adding more controls while trying to add as little friction as possible along the way.
Nitin Bajpai:
That is something called physiological biometrics and behavioral biometrics. So this is another advanced level. That is something I was basically, I'm trying to come as the next age of the FIDO standards. So as you rightly actually stated, some examples.
Mike Engle:
Yeah, exactly. So the certification that 1Kosmos puts their biometrics through is from a company called iBeta. They're an independent testing lab, and you can get different levels, PAD 1, PAD 2. So always check your vendors out to make sure that they have that type of testing as well as NIST FRVT, which stands for Facial Recognition Vendor Testing. So they test hundreds of different algorithms from dozens of companies, and they will post the scores of how they were able to hold up to different types of testing, including bias and things like that. So bias is another big concern that we didn't talk about here today.
Harish Bangalore:
So Mike, I have a question. So I know we touched upon it throughout the presentation. I think as the customers are embarking on zero trust today, it'll be good for you to share how passwordless can help with that journey, because customers are almost struggling today in terms of where to start and how to start. Everybody wants to do it, and identity is obviously a good starting point, but I think it'll be good for you to share.
Mike Engle:
Yeah. No, great question. So I'll pull this slide up because while it looks very complicated, it's very simple. If you implement two controls into an organization, easy ways to onboard into passwordless and easy ways to identify. So when you need to, I have a contractor from another part of the world, and sometimes contractors sell their access, or sometimes employees even sell their access and let a contractor do their work for them. If you have some identity in your process, and call it that wallet that I showed you earlier, before you let them into your top system, you can look them in the face and know that it's the same person that was on that government credential when they joined on day one. That is as zero trust as identity can get. And it also can, so that's called collusion proof, not just phishing resistant, but I'm preventing collusion of my identity being used. Of course, phishing isn't covered in that as well.
So when you do this one function, which is not that hard to deploy, you're just putting some other processes in place, you're not having to change much infrastructure here. Why? Because all these systems can be engaged with common federated authentication protocols. So that's one of the recommendations: you get a lot of bang for the buck by just implementing identity. And then second is when it comes to authentication, everybody does some of these things. We do app pushes, we've got tokens and all these things. We want to consolidate them to the ones that are the most phishing resistant and have the best user experience.
So you pick the top three systems for your first year of deployment. It's that simple. And what are they? They're your operating systems. I'd say I type 90% of my passwords into a Windows machine or a Mac. It's your remote access: your Citrix, your Zscaler, your VDI. And then it's your SSO system. If you get a passwordless experience into those three, you are over 80% of the way on a passwordless journey. And then of course you can go find the other esoteric ones over time, and you can use other tools to make the journey into them much easier as well. So great question, Harish, and that's really been something that's resonated well with our clients.
So I think we've about done it. We've addressed the questions here. Thanks to the team, our solutions team has been answering a couple of questions in the background. And any closing thoughts from you guys before we call it a day?
Harish Bangalore:
No, I think Mike, again, this has been a great discussion. Again, this is just a beginning for a lot of our customers, and I think I see a need for moving towards this. There've been a lot of discussions that have been happening. Some of them already have started the journey. With coming days and months, I think we'll see more of these customers moving towards this. And I believe the 1Kosmos solution is definitely right up there. From a standard, from a user experience, from a zero trust perspective. And I think the collaboration that we have should definitely help our customers in implementing this solution more effectively.
Mike Engle:
Excellent. Well, thank you so much for joining me here today, gentlemen. I think we've done it. It's been fun as well. And let's do it again soon. Enjoy the rest of your summer.
Harish Bangalore:
Yep, sounds good. Have a great day.
Mike Engle:
Take care.
Mike Engle
Harish Bangalore
Nitin Bajpai
This webinar covers:
- How to modernize MFA and the user experience to close security gaps
- How to overcome the blind spots in identity verification
- Ways to secure access to systems that cannot support passwordless authentication
- How to determine which authentication methods are best for your organization’s risk tolerance
According to the latest Data Breach Investigations Report, weak passwords, phishing, and account takeover (ATO) attacks are still the key factors leading to attackers breaching cyber defenses. It's clear that following Zero Trust guidelines while blindly assuming a user's identity is a flawed strategy, which puts the need for identity verification for every access request on the Zero Trust roadmap.
But modernizing MFA across diverse IT environments encompassing Microsoft, Mac, Linux, Unix, and more still has many organizations struggling and settling for the path of least resistance.
During this session, Mike Engle (1Kosmos CSO), along with Harish Bangalore (Head of CyberSecurity Practices for East Americas & Canada) and Nitin Bajpai (Digital Identity Consultant and Cyber Security Practitioner) from Infosys, discussed how organizations are implementing strategies to drive business improvement through passwordless MFA, and specifically how to establish high identity assurance with low friction to deliver strong, identity-backed authentication as the platform supporting a move toward Zero Trust and a significantly improved user login experience.