Identity-Based Authentication and The Journey to Passwordless with TAG Cyber
Unlock On-Demand Webinar
Thanks everybody for attending. My name is Mike Engle. Today we're going to be talking with Ed Amoroso from TAG Cyber about different concepts around passwordless and identity-based authentication, and really appreciate everybody taking the time to join us today. So, as I mentioned, my name is Mike Engle. I run strategy over here at 1Kosmos and I'm joined today by Ed. Ed, if you would say hi to everybody and tell them a little bit about yourself and TAG Cyber.
Ed Amaroso:
Well thanks, Mike. Nice to connect up. Appreciate you including me. This is such an important topic. I think for people who are listening, if they haven't really sat down and thought through the journey to passwordless, you definitely should. I think a few years ago, it wasn't entirely clear that this was going to be the way to go, but it definitely is. I think that hopefully people will get a lot of good information, learn a little bit about your platform, and we're happy to answer some questions that people may have. So again, thanks for including me looking forward to the discussion.
Mike Engle:
No, my pleasure. Thanks for joining me as well today. Just a little bit of housekeeping before we jump in. We'll be not only talking about this technology, but you'll be able to try it yourself if you want to. So on the screen, or right on our homepage, is a link. You can go grab an app and experience a passwordless exchange in about one minute after you sign up. So feel free to check it out. And also we're going to be selecting a lucky winner today. We're giving away a $50,000 software package after the webinar, and if the accepts it we'll post the results in the webinar when we post the webinar recording.
Mike Engle:
So let me jump in. I'm just going to let everybody know a little bit about 1Kosmos and where we are in our life cycle. We're entering our fifth year of operation. We have 80 employees now across four continents. We're venture-backed by ForgePoint Capital. They're the leading VC that focuses solely on cybersecurity. We have a phenomenal leadership team. We've built, scaled, and run successful companies in the past and come from Fortune 100 companies and so forth. So we're here to do it again in a big way, focusing on identity this time. And a great advisory board that speaks to the credibility of the company as well. So the former director of National Intelligence under Bush and Obama, the CIO for the DOD, the head of DHS, and about eight CIOs, CTOs and CISOs from Fortune 100 companies have joined us as well.
Mike Engle:
And what we're going to be showing you here today that's unique is a combination of strong identity proofing and passwordless technologies together. We're one of the only companies to have done this, certified passwordless and certified identity proofing coming together, combining real biometrics. And that's a key enabler for what we'll be talking about here today. We have all the analysts and research topics covered that you need to, to find out more about us as well. So check them out online. We've had over a dozen mentions in the last four months alone. And you'll see us partnering with global companies that just we've helped enable their platforms to do things around identity that they couldn't do otherwise without us as well. So plenty for us to check out there on the web in parallel.
Mike Engle:
So Ed, let's talk a little bit about how we got here, right? We all know passwords are bad. The holidays, I cringe at them coming, because all my family comes together and they bring their iPads, their iPhones and their computers, and I have to help them detangle the mess and hook up new devices and figure out 2FA on Apple and all this other nonsense. So I really like this slide that you put together for us that walks through a little bit of kind of where this started and where we are at today. So kind of give us your thoughts on this.
Ed Amaroso:
Well, this issue of validating some reported identity, and you can report your identity in a lot of different ways. It's not always typing your name into a login prompt. It can be your location. It can be some digital, some number that's provided through registration. It could be something you have in your hand. There's any number of different ways that you can present an identity, and then somehow validate that what you said is right. And you go all the way back and you find this initial use of passwords. The issue with passwords is that it's the ultimate interoperable technology, right? It definitely can be used in any context. So it's one of the reasons it's been so resilient that Mike, if you and I wrote some game or something, we wanted to put it out using a mobile app or something, the first instinct would be, "Well, let's just put a password on it." That's been the cadence.
Ed Amaroso:
It started in the sixties, in the seventies and eighties, Bell Labs where I worked, that was actually quite in advance to make sure that there were passwords on operating systems. There was nothing evil about it. And again, our instinct is to make somebody give the secret code. What's the secret phrase to get in? We've been doing that since we were all kids. In the kind of mid eighties into the nineties, we started to notice that you had to do something, where remember an early talk I went to at Bell Labs, a guy named Doug McElroy, one of the early fathers of Unix. He said they were giving a demo to a bunch of kids up in Canada showing them some tool they had been doing. And they basically were demoing this thing, and they found out there are all these logins afterwards. And they found that because they were using the phone number as kind of a way to log in, and that was sort of their password, that kids could just look up the phone number and get in.
Ed Amaroso:
Everybody went, "Wait, we need to find a better way." That's when we started to see two factor authentication. And it's not that two factor is some complex technology. It just was a layer on, an add-on, to a process that had already been pretty established. You need a password, then you did this other thing. So while it's more secure, it still was, you do a thing, and then you do another thing. And anybody who does marketing knows that if you're moving in the direction of asking customer to do more things, then you're not going to make that guy standing there holding that iPhone in the picture very happy because the idea is to remove friction, right?
Ed Amaroso:
So we all knew that it wasn't right. We're moving in the direction of making the user do more. And as you move to machine-to-machine, it was clear that something had to be done. The iPhone was important in the context of cyber, because when we first saw that, and I was involved in that launch. I was running security at AT&T at the time. It was a big deal because I don't know if anybody really was using technology before 2008 remembers that it wasn't a given that you had your mobile with you, that's for sure. It wasn't sort of burned to your hand. But once the iPhone came around, we just assumed that, "Well, what heck we can just use the mobile for anything." That's partially right. But it's certainly not right for machine-to-machine. And there's a whole host of different use cases that perhaps should be doing something more hidden, where the user doesn't have so much to do.
Ed Amaroso:
I watched carefully as the [inaudible 00:07:46] alliance emerged, and I know Mike, you and the team pay close attention to that alliance standard.
Mike Engle:
We do. Yeah.
Ed Amaroso:
Yeah, yeah, yeah. Watch very carefully. And, again, not that they ask me, but I full approve. The cadence makes sense. It's good computer science. The dictate, again you can call it a standard or an agreed upon specification, makes good sense. We'll talk a little bit more about it. And as you go through, Mike, a couple of things in and around the 1Kosmos approach, anybody who's familiar with [inaudible 00:08:19], will see that rhythmic back and forth. I think it's a really good approach. But here's what I like. I think that the idea that we should move in the direction of asking end users to do less, that makes sense to me. That's number one. Number two, any scheme that I can put in place that removes or reduces the likelihood that an end user can make a mistake, I love that.
Ed Amaroso:
And also anything that provides a more common experience between both human beings and workloads or software or machines or something, I really like that too. So I've become a very big proponent, in anything that we do as an analyst team at tag cyber, any of the keynotes that I'm giving or any discussion, even the courses I teach at NYU and Stevens, I've set aside quite a bit of time now to take people through the foundations of this journey toward passwordless. So again, if you're listening today, and it's part of your existing plan, say for '22, then that's great. Then maybe there'll be some nice tips that you'll hear today, or maybe this is a platform you haven't looked at before. But if you haven't done that yet, then down in your paper to make it a priority, because I really think that you'll be happy with the result.
Ed Amaroso:
If you do this carefully, you plan, you take the time to learn and coming to webinars like this. That's a very good idea. Getting your organization to establish some momentum towards a passwordless experience, both for your end users, if let's say your B2C, or for your partners, if you do B2B or sell to business, or for your employees. This is the right direction, and I think I know where the movie ends. It ends with everybody kind of working in this boat. It's just how long. I'm old enough now to know that even when something looks rational, it always seems to take longer than I think it should. But people will be in hybrid for a while. But I'm glad people have joined today. It shows that they're thinking about this area, Mike, and I know you guys talk to customers every day that are either committed or still deciding. And I hope people make the decision. This is a much better way to be validating identity. So, that's sort of that progression, Mike, from left to right to where we are now.
Mike Engle:
Cool. No, thank you. Yeah. And for those that don't know what [inaudible 00:10:47] stands for, t's Fast Identity Online. Their mission is to get rid of passwords. And so they have some standards they set up. We'll be talking about that here today quite a bit. So yeah, thanks for teeing that up. And passwords are really a symptom of a credential that is difficult to use remotely. And I got some pretty new stats from just over the last couple months. This is from the Verizon data breach investigation report. I don't like throwing stats around, but these are kind of fresh and new and take a little bit of a different spin on the ones that we've been seeing over the past couple of years. Social engineering, no surprise. One of the top ways to get into a system. It's what happened to Robinhood two weeks ago, how they dumped their whole database, they social engineered their way in to their systems.
Mike Engle:
And of course the human element, right? Like you said Ed, getting rid of the human element so that you can't make a mistake, or you just can't be intercepted or whatever. 85% of breaches involve that. And of course, credentials and ransomware are top of mind. And then this is really the business impact from credentials. And I thought these were really powerful numbers. So if you're going to your board or the C-suite executives to make justification about spend in these areas, these numbers will help. This data breach investigation report is 114 pages of just phenomenal research from the industry. And you can see business email compromise, right? I got to you through your email is some very significant numbers. Ransomware is top of mind.
Mike Engle:
And I really like these stats from the Lockton group. They're a cyber insurance company. Five million average business impact. Right? So now you have the C-suite's attention when you fill numbers like that around. Right? So I'm sure when you were in your CISO role over AT&T Ed, these were the things that kind of kept you up at night as well, and there's all kinds of things that you did to try to mitigate.
Ed Amaroso:
The absolute numbers, like $5 million is average. It's more difficult to interpret. If you're a small business, then the interruption isn't there, but it's proportionate. So I think the way ransomware has been designed, the way ransomware ops has worked, is that good criminals know that you should be charging up to what your victim will pay.
Mike Engle:
That's right. Yeah. They know the market. Know your customer.
Ed Amaroso:
So if you're a bank, it's going to be more than a million bucks. If you're a little guy it'll be smaller. But either way, the hurt is the same. Now back to the earlier point about human, that's an important one because that's at the essence of this passwordless experience, certainly for B2C, or for any interaction with employees. On the one hand, I think we're all correct to be very frustrated when end users click on dumb things. But by the same token, it's sort of not fair to expect my mom, for example, she's a 80-something year old Italian lady. She uses email. She clicks on something. Come on, man, what are you going to give her a hard time? That's ridiculous. It doesn't make sense. So I think we're reaching the point where that human element and trusting users with passwords and stuff, all of that stuff I hope is in our rear view mirror at some point.
Ed Amaroso:
My mom should be able to use computing in much the same manner that she turns on the television set. My father-in-law passed away seven or eight years ago years ago, 96, my wife's dad. I remember one time he calls me, and he lived with us. We bought him this new TV and he goes, "Edward," he's holding the clicker. He goes, "Could I break this somehow?" I remember thinking "That's a profound question." And I was able to say, "No, you're not going to break the TV. Click away." But if he had been sitting in front of a computer and say, "Could I break this somehow?" I'd say, "You be, you can." There's a lot of ways you can break a lot of stuff here.
Mike Engle:
Could I break my identity from being stolen, right? Yeah.
Ed Amaroso:
You know what I mean, Mike? It just seems like we lag here and that's why I love passwordless because it mechanizes something that right now is such a pain point, and such a point of mistake. So I like the data here. I usually hate data from a lot of different groups, but I think that this stuff is valid. I don't disagree with these numbers.
Mike Engle:
Cool. Yeah. And the point you brought up: Can you make it as easy as your mom or your grandparents to get into a system? If you think about what a credential is in the physical world, you walk up to the TSA agent, or you get pulled over by a state trooper. It's easy. You whip out your wallet, you present it, they look at your face and you're done. It should be that simple to interact with systems online. And that's the technology that has enabled digital transactions over the past couple of years that we focus on. And specifically, there's two standards that I wanted to drill into with you and the audience here today that enable you to have a remote identity that is as easy to use as pulling out your driver's license for a TSA agent.
Mike Engle:
And these are a government standard that came out in 2017 called NIST 800-63-3 that proves your identity remotely by onboarding citizen credentials. There's two components to this. You see that little 3A. That's the assurance level. So I can have a high identity assurance level with this standard. And it establishes identity typically with two forms of identity. And it's how you would renew a driver's license. Very similar, except it's done in a digital capacity. And then combining that with the FIDO standards you mentioned earlier, and the B side of that, which is your authentication assurance level establishes authentication. How do you present that credential remotely? And it should be as easy again as pulling something out of your pocket and handing it. You shouldn't have to even touch the keyboard really to prove who you are remotely. That's when it becomes as easy to use as interacting with the television.
Mike Engle:
When you put these together, this is what I said is unique about 1Kosmos, you have something we refer to as identity based authentication, right? Using identity, not credentials, not something you know or can be stolen. And there's two certifying bodies here that say "Yes, that vendor knows how to onboard an entity, and that vendor knows how to do a passwordless transaction." One is the FIDO Alliance. The other is the Kantara Initiative. So putting these together, we think becomes a real key enabler in a platform. And I'll show how these fit into your identity efforts in your organizations, whether they're for employees or customers. At the end of the day, does it matter, Ed, if you're an employee or a customer? Your identity's your identity, right?
Ed Amaroso:
It does. I mean, there're going to be some authority issues, certainly, but there's no question that the mechanism should be the same, right? The underlying mechanism. But it's funny this 63 document is less well known to a lot of cybersecurity pros as the 53 document. But this is one to take a look at. If you haven't gone through it, good one to download. And I think there's even some NIST videos on a YouTube or something you can watch.
Mike Engle:
There are. Yep. Yep. And it really gets very nuanced as to how the standard needs to be employed. But if you're opening a new bank account or a crypto account, or joining a new company, you have to fill out an I9 here in the US and pay taxes. You're basically going through an 863-3A IAL level of assurance to do those things, to do anti-money laundering checks, or to prove that you're a citizen that can pay taxes for certain employers. So you're already doing it today. You just didn't know that it had a label to it really, and now it can be done remotely because of this standard. So how do they fit into an IAM stack? Right? So here on the left, little cute graphic, right? So just a mixing of Rapunzel and Juliet. I thought this was cute.
Mike Engle:
But identifying yourself is no easy task online. That's why passwords and MFA, and one time codes and all these things exist. You're hoping that you can get the right person in through the front door. And then similarly, you have the authentication of that identity into a remote system. And we've all suffered with this. Go to your desktop, try logging into your bank. Why do you have a completely different experience than you do on your mobile with that bank? Because it's hard to tie together your mobile authenticator with a remote channel. And this is some of the things that we're going to talk about here today as well.
Mike Engle:
So jumping into a real architecture diagram, Ed we could probably spend a couple hours on the parts here, but there's a concept of know your customer, know your employee, or even know your entity, which is getting popular now. How do you know who you're doing business with on the other side? And this is where that IAL comes into play. In every IAM stack, there should be a way to prove who someone or something is. And the machine-to-machine is an interesting one. The FIDO Alliance is starting to work on that problem. That is a whole different ball of wax because your authoritative sources now are much different.
Mike Engle:
When I scan my driver's license, it's easy to match it to my face and prove it's me. So then you should be able to go ask your IT system: Is this Ed Amoroso? Yes or no? And there should be a cryptographic way to prove it. And then to authenticate you into a system, we have something we call next gen MFA. If you haven't seen the use of QR codes on websites, you're probably living in a cave. Even your Amazon TVs and your Tonals and Pelotons and all these kind of newer systems, you scan a QR code, you do something to prove who you are and you're in, right? They're really going a long way to bridging the usability gap of getting into a system.
Mike Engle:
And then on top of that, using your real biometrics is a key enabler. If you've used Clear in the airport, I'm a big fan of it. I walk up scans my eyes. I walk in through right past the TSA agent. I basically high five on the way. That same technology is now available in everybody's hand. Ed, when you mentioned the iPhone, not only did that put a phone in everybody's hand, but it put a high-res camera and a safe place to keep a private key. Those are two enabled that are enabling this onboarding and the proofing who you are using cryptography.
Mike Engle:
But to your point earlier is this is going to take a long time? Your platform needs to also handle all of the legacy functions, right? So we've been using secure ID tokens, and UBID keys now are getting popular. Pushing a message to an app is popular as well. And there's times when you still need to send a text message to somebody, or an email code to validate them. Depends on the user, what they're trying to accomplish, the risk profile. So your platform needs to support these next gen and the legacy components as well. And the interface between the end user and these various mechanisms is many times going to be a FIDO2 exchange, right? A passwordless exchange. Other times it may require one of these other legacy mechanisms as well.
Mike Engle:
And now once you have this established, proving who it is, getting them in the front door, it's really going to change the way that identity is handed off to your other systems. So imagine, Ed, tomorrow you're starting to work at GE and they say, "Ed, just go grab an app, scan your driver's license and your passport, and then press a button and send it to us, and it goes right into Workday." There's very few organizations doing that today. We're having a phenomenal amount of success in getting that to market, because we've been doing that for the same way for 30 years. Take a picture of your driver's license and mail it to me, right? Which is a PII nightmare, right? Who wants your driver's license and passport floating around in email.
Mike Engle:
So if you start somebody's journey into an organization using this digital onboarding concept, it really is a game changer. A user won't even need to have a password to get into all of these other downstream systems. They'll just scan a QR code and enter the front door. And then conversely, feeding that identity down to these other endpoints is a natural progression of where this is going to go. So Ed, would love your thoughts on this.
Ed Amaroso:
Well, I think it's funny it shows GE because from a KYE perspective, they're splitting into three companies, right? So, perfect illustration of what can happen if you're reliant on a legacy, perhaps even a manual process for that identity life cycle step. So, automation and providing a foundational system that can give you the flexibility to do things like split the company up or track as people come and go, is pretty important. You've got the right sort of components here, IGA, actually identity governance access a little different than IGA. SSO definitely is an absolute requirement, the kinds of things that a typical employee is dealing with given multi-cloud, it's essential because it used to be when you sat in an enterprise with the reverse of zero trust with full lateral east west trust, single sign was not such big deal because you could hit whatever you needed to hit.
Ed Amaroso:
But now if your day is scattered through a bunch of different workloads and apps that are scattered into multiple locations, SAS, cloud, whatever, you really do need to think through how you're going to deal with the authentication component of that. So that's very important. And PAM has always been an issue simply because the threat model dictates that you go where the high privilege is, no question. And remote access, part of the new SASy push to cloud-based secure business networking.
Ed Amaroso:
So at the root of all of this has to be some this decision that you're going to make about passwords and about authentication. If you decide to go passwordless, and if you buy into the FIDY and FIDO2 with web authen and so on, that's a wise move because you're probably riding a wave there that will reduce the friction as you try to integrate, as you work with partners, as you onboard new employees or consultants. I'll tell you, Mike, it's funny. I do quite a bit of consulting. At TAG it's part of our advisory practice. Can't tell you how many companies still mail you a laptop for access to their network. Talk about the other end of the spectrum from passwordless, that's the other end of the galaxy.
Ed Amaroso:
So, these are things that have to be fixed. It's one of the reasons why we continue to get hacked. Industry, every couple of weeks, somebody gets hacked, some big company or small company, makes the news. And I think passwords are at the root of an uncomfortably high percentage of these attacks. So sort of like the reference diagram here, I think you got a lot of the right ideas here, including reference to the right standard. So this would be a good one for people to screenshot, right?
Mike Engle:
Yeah, absolutely. Absolutely. Yeah. And there's just an example of this in the wild. What does it look like to apply passwordless to a website? Citibank recently deployed this out where now you can simply scan a QR code and get into a website. As I mentioned, this is something that anybody online can try today. So this is my live phone. This is either brave or foolish, depending who you ask, but coming to 1kosmos.com, experience it, and simply launch our app, scan a code. And this is what it would be like to authenticate into Citibank using that experience. Right? And there it is. I'm in. It has some information about me depending on what was in my wallet. That's a real game changer.
Mike Engle:
And behind the scenes what's happening there is I presented proof of whatever my level of identity was, and I did a passwordless exchange right there. It happened so fast. You probably didn't even notice what was going on behind the scenes. And that same exchange works really on any of these target systems, getting into your Windows, your Mac, or your remote access or whatever. So there's no credential involved. You noticed I didn't even have to touch the keyboard. And that's the promise of FIDO combined with strong identity. So you're going to see a lot more of this in the future, and your old stomping grounds, even at AT&T, is doing passwordless login into a lot of their web properties. So have you had a chance to see what the ZenKey looked like since you left there?
Ed Amaroso:
Yeah. I mean, all of these different initiatives are following the same basic cadence. And it's what we were talking about before. Can we take advantage of the attributes, the context, the information that's available, or that's put there through provisioning? You referenced employees and customers. The big difference there being that with an employee, you're going to have very rich provisioned information, deep information, about the employee, including about their device. But they all follow the same thing, including ZenKey. And even I think most of the companies supporting two factor or multifactor come to the same conclusion. Can we reduce friction? And that's what the marketing teams want. And that's what you and I, Mike, that's what we want. When I'm going to buy tickets to a game I'd like to be able to go online and get them, and I don't want to be fumbling around with this or that in terms of what your password.
Ed Amaroso:
We all know that nightmare when you're trying to stream a movie and all of a sudden it says, "What's your password?" And you're sitting on your couch with your feet up and you're like "Password? What?" You've got a clicker and you're, "What?" It's just this crazy friction and impedance to doing business. So in in the telcos, this ZenKey, that Alliance and the work you guys are doing, and just about everyone who's trying to reduce friction, you're serving two masters. One is the marketing team trying to make things less onerous for users. So that's clear.
Ed Amaroso:
And then people like myself who are focused on threat. And I've learned over the years that it's rarely a weakness in a protocol that causes a significant hack. It's usually the infrastructure around it, the difficulty in registering, the administration, some sloppy workaround, some special cases that are made for people who, for example, may not have the ability to provide the information like that. So it always surprises me when people are relying on things like fingerprint and thumbprint, when you say, "Well, sadly, there's a percentage, the population that may be missing that index, the finger. What do you do then?" And then they'll the workaround, and you know intuitively that that's now the strength of your system, because the workaround might be just absolutely terrible. So, yeah in our advisory practice and in our research at TAG Cyber, definitely see any group in this area, anybody working in this area, focused on those two primary use cases.
Mike Engle:
Awesome. Well, let's run through a little bit deeper dive of the proofing concept that some people may not have seen, or really understand how this works. If you've opened a crypto account in the past year, you've had to go through some form of this. A lot of companies still have you taking a picture, mailing it in, and then day or two later you get a yes or no. But you're seeing a lot more of this be automated. So the platform that we roll out will do these scans in real time, validate the authenticity, the document, match your face in real time, guide you through the proper picture, taking and so forth, and even check it with the DMV to prove that it's a valid driver's license or check the signature on the passport with the Department of State. So now in a minute or two, you can create a new account, you can onboard into an employer.
Mike Engle:
Support for 150 countries, right? Because multinationals, you have to worry about where just pretty much everybody is. And even validating using that human element when you have to because things always go wrong. So you have to handle the exception process. So you had mentioned fixing the broken user experience or preventing the edge cases. This is one way to do it. And in real time, because we're using such a capable mobile phone to do these things, validate the location of the person you're hiring or the customer you're onboarding, make sure it's not a fraudster trying to take over somebody's account. Validate the authenticity of the SIM, right? So we can actually reach into the phone now and say, "Does this SIM belong to the person it's registered to?" And then that live ID can be used not only to compare against the documents, but then over and over, you can ask them for that whenever you really need to know, "Are you changing a routing number? Is this you Ed? Just let me scan your face quick." Right?
Mike Engle:
It's becoming more and more trusted, and we're going to see a lot more adoption of this over time. So we're pretty excited about this, and our customers are as well. And the reason we're doing this stuff, you've already touched on most of these Ed, but I wanted to hit a little bit more on the ROI of passwordless. Right? So getting rid of a password fixes a broken user experience. Do you remember, in your capacity as CISO at AT&T, ever doing customer satisfaction surveys for the login experience into Windows or your remote access or your VPN? "Hey, John, tell me how much you like using the 16 character password and the 2FA system."
Ed Amaroso:
Well, most companies don't have to do a survey. They have a pretty good idea.
Mike Engle:
One out of 10, right?
Ed Amaroso:
Yeah. This is not the companies at their highest level of serving customers, that's for sure.
Mike Engle:
So that's right. Yeah. So we, we do this and it's kind of almost like a gamified or a loaded question when we go to them and ask them that. But we do encourage that customers do this as they're rolling out passwordless, because it's rare to have a high five moment from the security group about efficiency and productivity and customers feeling good about the security that you're imposing on them. So once you do this, ask them today, "Hey, do you like typing in your 16 character change every 90 days Windows password?" "Yeah Ed, I love it. It's a one out 10. Thanks." Ask them on day two of using passwordless and they're going to give you a 7, 8, 9 out of 10 every time. And so that's again, another number you could take upstairs with the scary ransomware stats.
Mike Engle:
And then the side benefit is there's no more credential to be stolen, right? So it's kind the way we think about it. We do focus on the user experience. It's as important as fixing the password vector. And then today's system is being cloud first, SAS enabled, amazing admin experiences that you can ease into them very gently as part of a holistic approach, like a three-year journey to go completely passwordless. And this one is really important to me. By consolidating your 2FA and all these legacy infrastructure that we've been putting on, as you mentioned Band-aids on top of passwords over the years, and getting that down to one system that can say yes or no, you're going to save a ton of money in deprecating those old systems. And then the industry stats on help desk costs are very quantifiable.
Mike Engle:
So we will ask our customers, "How much do you spend last year on password resets?" They have it at their fingertips. They know it's $1.8 million, and we can target 40, 50, 60% savings on that. And doing back of the napkin math, we can save about a hundred thousand dollars for every thousand employees, depending on the industry, right? Your mileage will vary. But have you thought about the ROI of passwordless Ed?
Ed Amaroso:
All the time. And like I said, it's nice to have the numbers to back it up. This is one of those areas, Mike, where you rarely have to make the justification. Again, it's good to have, but not too many people question the ROI values here. Maybe whether the actual numbers are a little higher or a little lower might be different in different enterprise contexts, but I think the ROI is always positive. One question while we're sort of on this question or the advantages disadvantages. One of our attendees is asking a little bit about QR codes, and I have seen QR codes used in the enrollment process, and there's this intimacy between using QR codes in the cert and enrollment. Have you guys had much luck with QR codes in the user experience at 1Kosmos? Is that something you guys have played with?
Mike Engle:
We have, yeah. It might be because of the pandemic, but QR codes are getting widely accepted. Even though they've been around on for 20 years, you didn't see them catching on except maybe kids scanning a poster because it's easier than typing a URL. But even now, youngsters and oldsters alike have been scanning menus because of COVID for the past 18 months. And now you see Citibank doing it, you see every Roku-like channel using QR codes is a better way to establish a relationship between that remote device and the mobile where you have the strong credential. So we're seeing a ton of traction there. We've put it on to Windows workstations and Unix and Mac and webpages and so forth. So, when that experience that I showed on our homepage, it's the way to go.
Mike Engle:
But it's a not the only way. Sometimes you just want to send a push message to an app, right? We're all used to that. And you have to give all of your users options in that journey because some people won't like or can't scan a QR code for some reason. On the authentication question, yeah the QR codes are timebound, they're digitally signed by the issuing source. And there are protections in place to make sure you couldn't copy them and use them in a man in the middle capacity.
Ed Amaroso:
Makes sense. There's sort of a follow-up question around biometrics. I know for me, I've often thought biometrics went from these awkward kind of ergonomic things that you do with finger and eyeballs, crazy stuff, to something that's much more frictionless, much more invisible that uses observation and uses data collection. But what's been your experience using biometrics in the overall ecosystem here for authentication?
Mike Engle:
Well, your touch ID and face ID have been commercialized by Apple and Google, and it's been phenomenal, right? So now at least you have a device bound authenticator. Scan your face, website logs in it. It doesn't identify you, right? It's only as good as the face that was scanned when you set up your iPhone, or even your Apple password is kind of now a vector a little bit. So we mitigate that with a live ID, which is a real biometric, right? So if you were to grab my phone and try to log into my 1Kosmos mail today, you couldn't get in because you don't have my real face. But there is a problem with device biometrics in that my phone has my wife and my kids' identities on there. So they could go launch my trading service or my bank app.
Mike Engle:
So I have to either go erase their faces off my phone, or use real biometrics. We're seeing a lot of adoption there. And that's global. Countries are all looking at real biometrics. The risk of real biometrics is: Are they properly protected and protect against somebody stealing out of essential database, right? Once those biometrics get stolen, you have a real potential problem. And that's where we use blockchain technology to keep that biometric only unlockable by the user with their private key, which is pushed out to the edge. So I know that's a long way to say yes.
Ed Amaroso:
That's great. That's very helpful. That's helpful.
Mike Engle:
Yep. And just unpacking the QR code and enrollment experience. If you go to your bank and you see an option to enroll with QR code, this is kind of what it'll look like. Same thing for your employer, is you're going to get invited into a system. You either click a link or scan a QR code from the app, and then you'll authenticate one last time. Or you might already be authenticated and you can even skip this step. And then going forward, you'll just scan your face and go into a system. So really, it's that simple. And it's almost gets to be a boring demonstration after the first time, like what I showed you. So I'm not even going to bother showing any more examples of it live on the web because it gets anti-climatic after the first one. It's like, "Oh, it scanned your face again? Okay."
Ed Amaroso:
If the authentication demo is not boring you did it wrong, right?
Mike Engle:
That's right.
Ed Amaroso:
Since when is there excitement during authentication? And again, for people who are listening, that is a problem. Right? You go off and you engage with a vendor, you put something in place. It's a big deal. It's always so anti-climatic that when you're ready to go show the boss what you've done. It's like, "Okay, that's great." Now they'll love it over time because they realize they're not doing something they were doing before, but I always I've had that experience of figuring out how you make the demo interesting when you've done something that takes a step out of the process. How do you demo that?
Mike Engle:
Right. There's the famous quote that says "Any good technology should be indistinguishable for magic." Right? So it looks like magic, you authenticated. Some people ask, "Did you even do anything?" Yeah, yeah, no, trust me. There's all kinds of cryptography and biometric checks going in behind the background, but it does look like magic.
Ed Amaroso:
It should be invisible to users. That's that's the goal.
Mike Engle:
That's right. That's right. Well, I know we're about 45 minutes in and I think we've about done it here in terms of telling the story a bit. And I really appreciate you coming on board. I don't know if you have any closing comments here.
Ed Amaroso:
Just that I admire what you got are doing. In all of our writing at TAG Cyber, we've been very clear that this area is one of the few where there's not too much question that companies should... They're not going to do it immediately. And I get it. I know. I worked in complicated places. I know sometimes you can't just flip a switch. I got that. But developing a roadmap, I think is essential. November is the time when you start thinking about your budget, planning the specifics. I know you probably already submitted your budget in October, but more or less starting to think, "What are the priorities going to be next year?" If you don't have this on there, I think you should. I think even if minimum, you get a team of some of your SMEs together and start planning how you might move in this direction, whether with POC or one of the business units or some portion of the business at minimum. At maximum, this should be urgent. So, I'm just trying to be kind here, because I do know what it is to have a complex legacy.
Ed Amaroso:
But again, Mike, love what you guys do and keep up the good work. Keep us nice and safe, will you?
Mike Engle:
Will do. We'll do our best. Well, thanks everybody for attending. Any questions, hop on the website, shoot us an email and we'll see you online, hopefully without passwords.
Mike Engle
Edward Amoroso
In this webinar Mike and Edward cover:
- How leading organizations are engaging new hires directly after the talent acquisition process – before they even hit the HR system.
- How they ensure that the person they are hiring is truly the person they say they are. This goes for “day 2” logins, preventing what is known as “paycheck jacking”.
- How to enhance existing passwordless strategies such as Windows Hello by addressing the “TOFU” (Trust on First Use) and remote desktop challenges that they present.
During this webinar, TAG Cyber Founder and CEO Edward Amoroso and our very own CSO Mike Engle shared insights on how the key vulnerability in passwords is not the password, but rather not knowing who is on the other side of the digital connection. Biometrics help solve that problem, but it’s not enough to eliminate passwords.
Organizations need to move toward a zero-trust architecture and prove identity at each claim of identity.
Mike and Edward discuss how the user experience, HR processes, and IGA account creation mechanisms can all be digitally transformed by leveraging the latest capabilities in digital onboarding. As part of this journey, the user will never need to remember a password for any downstream system – even on their first day.