MFA Tried to Fix Passwords but How Do We Fix MFA?


Unlock video

Unlock On-Demand Webinar

Video Transcript
Mike Engle All right. Hi everybody. My name is Mike Engle. We'll be getting started here in just about one minute. The attendees are streaming in from the time we started here. So we'll just give him a second to get it going. All right. Let's jump in. So thank you everybody for joining. As I mentioned a minute ago, my name is Mike Engle, co-founder and head of strategy at 1Kosmos. And we're here to talk to about a whole bunch of things around identity and authentication. And I'm joined today by Jim McDonald. Jim, would you mind saying hello and tell people where you come from?

Jim McDonald Hey everyone, Jim McDonald, you may know me from the Identity At The Center podcast. And if you don't know what I'm talking about, go out to your favorite podcast app and search for Identity At The Center. We'd love to have you listen. We've had Mike on our podcast in the past. Actually, let me give you a specific episodes, so it was episode 96, back in June of '21, you talked about the convergence of identity proofing and passwordless. And also we had them on for episode 126 in November of '21, talking about venture capital in a digital identity space. My day job is that I am the Director Of Digital Identity Advisory at RSM US. I get to work with a lot of brilliant people, and work with a lot of great clients in terms of helping them develop their identity and access management strategy. So looking forward to talking through this topic today.

Mike Engle Yeah, and we have, this is exciting stuff, at least for identity geeks. So yeah, thanks so much for joining and yeah, I didn't realize, I think both of those podcasts that I was on, was during the pandemic. So maybe we'll do the next one in person. That'd be great.

Jim McDonald Yeah, that sounds good.

Mike Engle Okay, so just a little bit of housekeeping. There's a bunch of events coming up. We'd love to connect with real people in the real world. If it's in the cards for you, we'll be in New York, in Vegas, in all the traditional identity shows, we attend. So you can see a list here or on our website, feel free to reach out if you'd like to meet up. Then we have another webinar coming up in October focusing on how to onboard, a better onboarding experience that introduces identity. Really back at the talent acquisition process. Rather than doing things the way we've been doing them for 30 years, there's a better way.

So be sure to sign up for that again, right at the website, you'll see a link for it on 1kosmos.com. So let's jump in. Maureen, I believe we are kicking this off with a very simple audience polling question. So if you could fire that up, that's a pretty straightforward question about your implementation of MFA. These questions are anonymous. Those of you that are streaming live on LinkedIn won't be able to answer this obviously, but you'll be able to enjoy the results. We've got about three quarters participation doing great.

All right, I think that'll do it, Maureen. Right, so yeah, we have what we've expected. About three quarters of our attendees are using MFA in whatever context they thought of for this. And that's not surprising, MFA's been around for 20 years. We're going to talk about the nuances of that, and what's been going wrong in the industry here. So this will be a great segue to what's coming up next, including a bunch of recent issues in the industry. So it seems like we can't go another day without some major breach happening, sadly.

I've lived through these myself, personally, the company I used to run security at, Lehman Brothers, had its share of. Back then, it was more about worms rather than people hacking in. Nasty stuff getting in your environment. But the threat landscape has changed quite a bit, because now everybody works from home and the perimeter as we know is gone. So this is a snapshot of some of the higher profile ones here. We're going to get into the weeds on two of these in just a minute. But do any of these jump out at you, Jim, as just a signaling of the trend of the times?

Jim McDonald Yeah. I mean, I think what we're finding, is a couple of things here. One is that two, three, four years ago, password only as a control factor was much more seen. Now almost every organization is switching to having some form of MFA, but it's what type of MFA really plays a major factor. I think the other thing here, is that what we're starting to realize, and I brought one of my favorite books, this is another guest that we had on the podcast. Roger Grimes wrote a book called Hacking Multifactor Authentication, there, a little plug for his book. But the idea is that typically when we think of phishing, we think of somebody giving up their password. Well, now phishing is becoming more and more seen as people giving up their multifactor authentication, or with man in the middle attacks. Basically people thinking they're going through a normal authentication process, including their MFA, and coughing up their MFA code.

We're also seeing things like MFA fatigue becoming much more of a real world issue, where organizations went to that, what at one time was the best practice for MFA, which was the out-of-band push to your device, and you have to approve it. Well, one of the more common methods is just to annoy the heck out of somebody until they approve it. And then you have, if you already have their password, which is the easy part, you can get through. One other thing, which I thought was interesting out of our poll question is that three quarters to the respondent said, "Yes, we have MFA everywhere." And I remember it was like two or three years ago where Gartner, probably an analyst firm that everybody is familiar with, said that level one, baseline maturity is MFA everywhere, which is a really big deal.

I mean, especially when you think about machine accounts, and everywhere that you have an authentication taking place, whether it's kind of seamless to the end user or not, to have MFA everywhere. And I think a way a lot of organizations accomplish that, is to leverage a single sign on system, that forces that MFA. But to me, that's a big deal, is that if three quarters of the IM practitioners who are on this webinar, are actually doing MFA everywhere, that's a really good indicator.

Mike Engle There's no doubt the MFA, it is going to stop in the high 90s of percentage of the attacks. So the question becomes then how do we strengthen that 99%, whatever it is. And of course close the gap on the remaining 1%. So we'll dive into that. What struck me here about all these, of course, we're going to talk about Uber and Cisco here. I'm going to break down the Cisco hack on my next slide. But this is a mix about a 50/50 blend of social engineering versus push fatigue that you already mentioned. So we'll get into the weeds a bit on how we can mitigate them. It's really about better ways to engage with the users. So let's talk about one. This was the attack just last month of what happened to Cisco. So it started out with some basic discovery. Who are all the Cisco employees? And then let's reach out to them and see what we can get from them.

In this example, they were able to get a hold of their VPN credentials, because they were linked to another account that was in their Apple Key Chain, or whatever their wallet was. So really when they co-mingled work credentials with personal credentials, all they had to do was get to wherever the personal credential was stored. That gave access to the work credential, and now they've logged into that, got into the front door. So maybe they obtained the VPN username and password, then all they needed was the 2FA code. So that was a matter of sending them push bombs.

So if I send you 1,000 push messages, first of all, the system shouldn't allow that. So whatever system was being used must not have had throttling, or just that basic gating. And then second, you wake up in the middle of the night, and you accidentally swipe up, and hit a green check mark. There needs to be a better user-initiated experience, and we'll talk about that as well. I'll do some demos of this towards the end of time permits. So once they got into there, now it's just a matter of lateral movement. Then talking about what's the most recent, was Uber and the Grand Theft Auto's related, but the Uber one's really been broken down. If you want to walk us through this a little bit, Jim?

Jim McDonald Yeah, and I think Uber attempted to be very transparent in terms of what they knew, and when they knew it. I think that's really great. I'd like to see more companies do that. I think one of the important things, when you think about just that transparency aspect, is every organization should be doing planning in terms of, "What are we going to do if this kind of thing happens to us? If we have a security incident, how are we going to communicate to our stakeholders and to the public? When are we going to get law enforcement involved?" Things like that. So that's on the planning side. But just the anatomy of this attack was started with, was attributed by Uber to Lapsuss and Lapsuss known for having these teenagers who are probably not PhDs in computer science, based on their age, 18 year-olds, who are what we call in the industry, script kiddies.

Well, a script kiddie means essentially they're using software and scripts that are available on the dark web, usually, to perform their attack. And being on the dark web is I think where this attack started, where the hacker was able to buy credentials. Then started, was able to authenticate as the user, found out that a push authentication went to a contractor, this contractor. And then they contacted the person via WhatsApp and said, "We're the IT department, don't worry, nothing's wrong, but we're going to be sending you a push message. Would you please approve it?" The person was fooled by that message. And I think as an information security person, if that came to me, I would say, "Okay, this is odd, right? My IT department's reaching out to me via WhatsApp." I'm going to not follow this. But again, that's looking at the world through the lens of an information security person. Your average user, they can be fooled by something like that.

It's like, "Hey, this is happening. I'm seeing, I'm already busy." I mean, I also know that with push authentications, I've seen the scenario where my laptop, I left my Outlook open. So my session timed out, I get a push authentication because they tried to sign me back in automatically. And I don't approve it, because, again, I'm an information security person. I wait until I get back to my laptop, and see that, "Yes, actually it did time out. It was legitimate. And had I approved it, it would've been okay." And so that starts to happen to people and they say, "This is probably okay, this is probably my laptop timed out. And I'm getting this message."

So back to this Uber workflow again, is now that the person was able to get through the door, having essentially social engineered this contract user, they had enough access, they were able to get to a network share. On the network share, there was a set of credentials that were used for a PowerShell script. So it was using a machine identity, not something that could go through a multifactor, but it was probably developed with the idea in mind, that, "We'll go back and fix this later. Maybe we'll use a shared secret server, or we'll go back and use a lower powered account."

But it turns out that account was an administrator account to their PAM system. So there's a situation where multifactor everywhere was really not the case, because their PAM system would allow this administrative account without multifactor authentication to get in. And when you have access to a PAM server, as a hacker, could you imagine the delight that you must be feeling as you log into the server, and see all the access to petabytes of data, the email system and things like that.

So this webinar is focused on the authentication. As you can see, that was where things broke down and gave the hacker the opportunity. But there's much more here that we can learn. So the purpose of this webinar, why we're focusing on this in particular. Well, it did just happen. That's number one, but number two, is not to beat up on Uber, because I think as an IM practitioner, we can all say that, "Okay, we can see how something like this could happen." I mean they had pushed multifactor authentication. They had a PAM server and yet this still was able to happen. So they're probably far beyond a lot of organizations, but what we can do, is learn from this, how can we get better as IM practitioners so in the future, this maybe doesn't happen to us?? So we keep setting the bar a little bit higher for the adversary to pull off an attack like this.

Mike Engle Absolutely. Yeah, so we've set the stage. It's a lot going on in the industry. Let's start to talk about how we got out here, and what we can do about it. Maureen, I believe we have the second polling question. So what type of MFA do you use? And we're really going to get into the weeds on this now. So there're four options, and obviously the most common used in the consumer world is SMS and email, but it's still pretty heavily used for workforce as well. And then we're seeing authenticator apps have been around for a few years. They're a step in the right direction, still very phishable. And then a push to your app, and biometrics raises the bar a bit even further. So just give this another second for people to answer. Got about 784 participants, just making that number up. Okay. All right. Great, thanks Maureen. So yeah, right across the board, pretty even blend of the first three, and then in line with expectations, is we're all over the place in the type of, there you go, thank you, Maureen, the types of authenticators that we're using.

So let's talk about these, and there's a lot of confusion around the terminology. 2FA, MFA, and we like to talk about two other forms of FA, that we'd really like to break down here as well. So 2FA as we know has been around for many years, and I'm going to show a timeline here in just a second. Then MFA is when you're starting to introduce more than two factors. And there's a lot of options at our disposal now, that we didn't have just a couple years ago. We refer to the use of these legacy factors as HBA, right? And I posted this on my LinkedIn last night. Some of you may have seen it on prior webinars, but this is a term we coined, that we refer to as hope-based authentication, because these things that you can go grab and put into a computer can be done by anybody. So you're hoping that it's the right person.

And you have some levels of assurance, but you really don't know. And so we're going to talk today about identity, identity-based authentication, where you can actually really look somebody in the face, for lack of a better way to describe it, and know that it's them at the other end of the connection. And this strong linkage actually has standards that Jim and I are going to break down here in just a minute, that are really starting to get popular in the CISO community. So the way we got here, unfortunately, it's taken a long time, going all the way back to 1960. We've had passwords and then hashing, and smart cards became a thing. And it was really hard to give somebody something. If you think about it, when you were logging in the '90s or the 2000s, what was the thing that you had, Jim? What do you remember the first employer, or maybe a system you worked on? What was the thing you gave somebody to go one step beyond username and password? I know what mine was.

Jim McDonald Yeah, actually-

Jim McDonald There was a place in time where I actually carried around the key chain RSA

Mike Engle Security's token? Yeah. I deployed that system at Lehman, I believe in '94, '95 time frames, it ran on a Linux server. It was the most awesome thing ever. I'd show all my friends at the water cooler. And of course we're still using that technology today, go get a six digit code. And we know all, there's a lot of problems with all of that. Then unfortunately we refer to the combination of these things that somebody else can have, HBA. Well, now what's happened in the past few years, is you can see how tight the progression has gotten, right? 2013, the FIDO Alliance was conceived. They've done yeoman's work for introducing public key cryptography that's available to the masses. We'll talk about that in detail, including Passkey, the most recent development.

And then between 2013 and really today, we now have more factors. There's more things we can do. So there's a better key that you can give somebody now, instead of a six digit code on a piece of plastic, we can use TPMS, trusted platform modules. And really since the advent of the iPhone 5 and the Android that came at around the same time, we now have billions of devices that can keep a key very safe. And when you combine that with what you see here in 2017, identity-proofing, we're going to break this down in some detail, you now have two really great factors that get you to true identity. So Jim, anything on this before we ... We're introducing the concepts of identity here, which is ironic, because we've all been managing IM systems for 20 years, but the I's been missing. So what do you think about all that?

Jim McDonald Yeah, I mean the starts with the identity proofing gets me thinking about verified identity, verifiable credentials, and combining that process, that workflow of capturing biometrics. Look, it's not the kind of process you'd want to have for somebody to buy the textbook online. It's something that you reserve for those scenarios where you need that higher level of assurance. But I think these advances, and the ability to get away from weaker versions of authentication, they're very important to what we do, and making sure that we really know who's on the other end of that device.

I think of the idea of having device-based management as something very important. And when you think about FIDO, it's really this shift from knowledge-based authentication, which is inherently weak, and really when you think about the history, it's we went from knowledge-based authentication to possession-based authentication, and FIDO has really been the leader for that. In terms of upcoming events that you were talking about in the beginning of the webinar, there's the Authenticate conference 2022 coming up in Seattle at the end of the month, or I'm sorry, in October. You guys are going to have a spot there. The Identity At The Center podcast will be represented there and we're going to be recording as well. So thank you to Andrew for making that possible.

Mike Engle That's great. Yeah, the FIDO Alliance conference is coming up in, I think it's October, I'm going to say 15th or 16th, is definitely one that you should be on if you care about these kinds of things. So yeah, let's talk a little bit about what some of these differences are. We talk about possession linkage to identity, and how easy it is it for somebody else to get their hands on. Obviously a one time code floating around email, text, or even on your authenticator app, can be coerced or intercepted. And that's been the root of the problem.

I like to think about it is, here's a very simple litmus test that I brought this up on our Zero Trust webinar a month or two ago. Can you give your authentication factor to somebody else where they can use it without you? And if the answer's yes, you don't have identity. It really gets that simple. So that's really, it's been hard to do up until recently. And again, we'll show you a live example of how this works. But what is good enough, Robert? I'm sorry, Jim, I got Robert sitting here to my left.

Jim McDonald Hi Robert. No. Yeah, I think that's the question on everybody's mind, is make this simple for me. What is good enough? And there's no stupid question, but that question lacks the context of, "Well, what are you trying to protect?" So if you look at one of the frameworks, and I think of a framework as it's a way to think about and approach a problem. So one of the frameworks that is really important in this space, is the NIST 800-63-3. So it's a document you can go out there and read, but essentially there are three outlined levels of assurance for authentication.

The first is for some level of assurance, level two is high level of assurance, and level three is the very high level of assurance. So this is the scenario where you're talking about giving somebody access into your corporate network. You need a very high level assurance. You need to be at that highest level. Now, does that mean that it's unbreakable, nobody could ever get through? The answer's no. I think you still need to plan MFA everywhere. So you still need to be setting up hurdles throughout your network, and you need to take a zero trust-approach. However, having said that, you still know there are certain points in your network that need that highest level of assurance.

And having a framework like that, I think, helps you start to set the guidelines for identifying first, "Where is our risk? What's most important? Where do we need various levels of assurance?" So if we're talking about letting a customer get to a dashboard to see their data, that lower level of assurance is probably appropriate, because the amount of risk to see one person's data fits into that model. So I think you also need to understand, "Okay, what are the levels of risk and what is the control that we're going to put in place for that?"

Mike Engle Yeah, no, well said. I really like how this slide ties things together. So these are the standards that I mentioned a couple slides ago. You do have government NIST sponsored 800-63-3, which has been well known in the identity verification-arena, but your corporate CISOs that protect the company assets haven't had to focus on this. Well, now that the bad guys can accept all of these authentication factors, it's really time to start coming back and linking these two together. And that's really, it is a match made in Heaven. And there's some certifying bodies that are really important. So the Kantara Initiative is what certifies your levels of assurance for that identity. FIDO has its certification process for how you use public key cryptography and a biometric factor. Once these two products are certified for this, you have an assurance that they do things the right way.

We're going to talk a bit about real biometrics, because that is one of the ways that you link your identity back to this authenticator. Without that, you can't give your phase to somebody else. And there's all kinds of ways to prevent from using a picture. Deep fakes and all that stuff is a topic that's really getting popular as well. So yeah, let's take to the next polling question, Maureen, because this is a nice segue up into passwordless authentication. So passwordless is being talked about by nearly every company that's in the identity space, and there's a lot of confusion around it. But it's removing that knowledge factor. So looks like we're seeing a ton of interest here from our audience, which doesn't surprise me, given the types of things we're talking about.

So yeah, about four out of five dentists recommend passwordless, it looks like. Yeah, we're sitting around 80%. So yeah, it's on everybody's mind, and the journey of a 1,000 miles starts with the first step. So what I recommend to companies here, is just pick one of the most commonly used systems, your Windows workstation, your remote access, and get rid of the passwords there. You'll learn a lot from those, the lessons that you get in that part of the deployment, and then figure out what are the other eight or nine areas were that you should focus on after that. Are you seeing passwordless in your practice? Do you have a lot of interest, Jim?

Jim McDonald Tons of interest. And I think what you pointed out, was a great point to start incrementally. But to me it's not only ... So it's one of the few areas in identity access management, where you can increase the usability, and at the same time increase security. One of the things that I wanted to point out, is that a lot of times the hackers, their mode of operation is to attack the unhappy path. So the unhappy path is, "Hey, I changed my phone number, or I forgot my password," and to go through that workflow to reset. If you can get rid of the password altogether, if you can go to a real form of identity verification, you start to break that weak point of, the weak link in the chain of being the unhappy path, the password reset, or change my phone number, so I can reroute my SMS tech. So yeah, I think from a groundswell perspective, people get it. I don't think that we're telling people things they don't know, that's why they're here on this webinar to begin PM with.

Mike Engle Yeah, exactly. And passwordless, as I mentioned, if you're following the FIDO Alliances guidelines, you'll be in good shape. One of the Achilles heels of FIDO over the past couple of years has been, it uses something like your mobile phone as a strong authenticator, and you can keep a key here, or keep a key in your Windows workstation or your Mac. But if you lost that machine, there was no way to back up that key that was reliable. So we have a platform that takes care of that. And so we've mitigated that, but the FIDO industry has an answer now, and it's called FIDO Passkey. And so I wanted to talk about this for a minute, because it's making passwordless much more usable in the consumer world. And I'll touch on my thoughts on the enterprise world and what the industry, in our working groups, are talking about.

So Passkey is the ability to back up your private key, which is in this secure area of your phone or workstation, into your cloud storage, your secure cloud storage. So for example, Apple has Keychain and now your FIDO passwordless keys can be stored there. Which means if you lose your phone or get a new Mac, you just have to go through the Apple Keychain restoration process, which Apple's pretty good at that, right? They have username, password, and a pretty solid 2FA process, where it pops up on one of your other devices, and you put in a six digit code. So it's really setting any remote website's lowest common denominator to how strong your Apple Wallet is, which is pretty good. It's very well encrypted. It's not like your passwords are stored out somewhere in some kind of unencrypted fashion. The challenge with it, and what the industry will be working to solve, is you wouldn't want your corporate VPN password replicable to multiple devices.

So there's this balance of usability and security, like we talked about. What is good enough? And so I don't think we'll see a lot of enterprises or governments using Passkey, or allowing Passkey as one of the mechanisms. But the answer to that, would be to only be able to restore those backed up keys. If you show your face or going through some risk-adjusted process before that's allowed to be accepted back in, once you have a new device. There's also something called Device Public Key, where you can only let one particular device authenticate, and not others. So a lot's happening here, again, plug into the FIDO Alliance and you'll learn more about this as it matures. And we're seeing a lot of this in the news, especially from the big tech companies.

All right. So just wrapping up here, we've got a final polling question. If you're not polled out, then Maureen, if you fire this up, we'll just grab a couple more touch points here. So what is your user experience when you log into the infrastructure and other application experience? My experience in the consumer world is terrible. Apple seems to pop up, asking for my Apple password every time I go to install an app. And it's not using my FaceID. My bank puts me through the ringer. Sometimes my texts don't come in. So if you're answering the first question with the first answer, you love your experience, and we're seeing a pretty low ... What's your question, Rob?

Mike Engle All right. Great. So yeah, we're seeing about a 50% hit rate on this middle response here, where we've got it down to one mechanism at least we don't have multiple ways. So we'll share these results with the audience when we send our follow-up after this. So thanks for that, Maureen. All right. So I'm going to jump into two examples of those prior standards. So what I'm going to show you here, is the mechanism of what it takes to get a high level of assurance following that NIST 800-63-3, A side of the standard. A stands for the assurance, right? How sure am I that this is Mike Engle, for example. And then we're going to apply that to a passwordless experience.

So this takes just a minute or two, and I'm going to explain this as it breaks down. So imagine you're joining your organization, Robert, for the first day, you just went through talent acquisition, and we need to give you a credential. Actually, maybe you could explain, maybe not at your current company, but a recent company. How did you onboard, or how do your clients onboard today? I still see a lot of, "Email me your driver's license and passport, or you got to come into the office and hold it up." Are you still seeing that type of activity in the new employer contractor onboarding?

Jim McDonald You're talking about Jim or Robert?

Mike Engle I'm sorry. I got my Head Of Marketing here with me, and you're both named McDonald. That's the problem, right? So I got one-

Jim McDonald Yeah, that is problem.

Mike Engle Yeah, so I'll just call you McDonald.

Jim McDonald Yeah, there you go. I don't think anybody wants the marketing answer though. But yeah, I think people are certainly with this issue ... It's funny, Mike, you've talked about the consumer side, and even in some cases their user-experience is horrible. I was really glad to see 50% for at least that middle level, because here's what the problem is, nobody's trying to do a bad job, but a lot of times we're not funded. And I think as IM practitioners and as leaders in this space, we've got to get better about getting the funding that what we're doing deserves. I saw a great quote recently that was, "People don't want to buy a quarter inch drill, they want to buy a quarter inch hole." So in other words, they want the result, and we need to start putting what we do in terms of business results, business objectives, and how we achieve that with technology.

So to bring that back to this area that we're talking about, is I don't see a lot of people being there yet, because they're heavily under-invested in other areas. So I don't see them doing the onboarding with that. But more forward-thinking organizations? Yes. So where I like to be, is not on that bleeding edge, but on the cutting edge. So what you talked about earlier there with, could I see Passkeys being used for enterprise authentication onto a VPM? No, not until other people are doing that in, or it's on that tipping point, where it's about to go to the point of being viral, and we all get on board with it. I think the identity-proofing, identity verification is getting close to that tipping point. So I think now it's the time that if you've got your other ducks in a row, this is the time to really take this seriously, and look to make that investment.

Mike Engle Excellent. Well, let me show you how we can onboard some identities here in a way that embraces the latest technology. So this is a NIST 800-63-3 process, two strong forms of identification linked back to a real-world identity. The important part here, is this identity stays with the user and can only be used by the user. So I'll walk through this. Very simply launch an app or come to a webpage. Behind the scenes, we've got a private key, that stuff is transparent to the user now, and we can enroll other factors like a pin or your touch ID, face ID, very popular, but they don't prove identity of course. But we can prove identity or at least linkage to one with something we call LiveID. This is a real biometric, and you'll see me go through a very simple enrollment process here, where it's just, I'm proving that I'm a real person.

Now how you handle that biometric is really important. You need to encrypt it properly, only with the user. So they're the only one that has access to it. So a topic for another day. Now, once that's done, I have a couple of strong factors there. I just need to link them to my real-world identity. In this case, it's a driver's license. So we'll scan, using the high-res camera, front, back, verify the integrity, do fraud checks, validate it against the DMV. All the stuff happens in seconds, using really machine learning. And my face was matched to the live face on that driver's license. So the two had to match with a high level of assurance. Now I'm starting to introduce identity, and the NIST 800-63-3 standard calls to get to all the IL2, the higher level, two strong forms. So we'll introduce a passport.

We'll do the same camera induced OCR, validate the integrity, but then on some documents, we can even read the NFC chip. And that is a very high quality, hard to hack, high res photo comes off of this. And again, my face is matched, and I've triangulated the data between the documents, first name, last name, date of birth, all match. Three photos match my live, and the two document photos, et cetera. It is almost that fast, right? I'm really good at it, because I do it pretty regularly. But within a couple minutes, you can have a strong identity in your control. The final step in the process is to send it to the company. This could be a bank account you're opening. It could be your new employer. And it's as simple as initiating a request, unlocking the data.

You'll see that here, proving that you are who you are, the person on those documents, data's decrypted out of what we call digital wallet. So nobody else has access to it but you. And it's uploaded to the requesting party. And there it is. Now compare that to HR typing 37 fields in, or trusting that the documents are from the right person, and it's a whole different ballgame. Now that key that I mentioned in the first step, is what the user has as a strong, trusted identity. So there's no username or password in that process. Imagine now you come day one, and you're about to come to that first Windows workstation, the normal method for this, is your line manager calls you up and says, "Hey, Robert, I got your username and password, and I want you to type it in, and then you'll change it. And then every 90 days you'll change it again."

We don't need to do that stuff anymore. We've got a strong identity and a FIDO authenticator. So in this example, we simply click on, engage a channel, secure channel, do that same process instead of transmitting our corporate, our citizen documents, we're sending a FIDO authentication to real biometrics. Nobody else could have done that, but me, and I'm staring at my desktop in a matter of seconds. So there's a couple things that came together there. There's marrying of identity and authentication, and the introduction of a really phenomenal user experience. And that's what these standards are enabling today. So I'll pause there. I've been on a five minute rant. Any thoughts on this? I'm going to pause this here.

Jim McDonald Yeah, I mean, look, it's really clean. This is what we talked about with the user experience and security improvement at the same time. I think also what you've got, is that verified identity, verifiable credentials if they're available with the higher end driver's license, the passport. This is something that is just, it's growing. I think we're at the stage now where the technology exists, the credentials exist. It's not every single place yet, but I think it's now at the point, where the business value can be achieved by investing in a passwordless solution.

In fact, you get to that point, where if the tipping point takes place, and you're not there, then you're a lagger. I think even though it was like, when we were going through some of those more well-known hacks, I worked with a lot of companies. A lot of my clients had gone through a security incident, where they got exposed, and then it was like, "Hey, we need to spend a lot of money on security, and analyzing what happened." Rather than making that investment before they ran into that incident. So I guess, what I encourage is it like when you are being chased by a lion, you and three others are being chased by a lion, you don't need to be the fastest. You just need to not be the slowest.

Mike Engle That's right, send them somewhere else, right? Yeah. No, thanks for that. That's great. And we're really wrapping up here. Hopefully this is helpful. We'll be sending a link to all of the registrants. For those that missed it, they'll be able to replay it. As I mentioned, we have a bunch of other ways that we can stay in touch. Here I found your homepage for your Identity At The Center podcast, and I'm sure Jim and Jeff are always looking for industry participants. So if you think you'd be a good candidate, reach out to him, his email will be on my next slide.

And one other identity tool that I wanted to share, I'm involved with an identity-focused venture fund called 1414 Ventures. And identity means a lot of things. We've identified about 50 different elements of identity, and each one of these talks about the market size. So a lot of our friends on that are watching this here today are involved in some part of this. KYC or various forms of authentication, or identity proofing, et cetera. So it's a pretty cool little tool that you can use to justify how a market's going to grow, or just look at the types of things you're working on. Then finally just wanted to leave it with, please reach out if you're going to be at any of these upcoming events. And either Jim or I will be able to meet up with you, or somebody from one of our organizations. I think we've done it. Jim, what do you think? I won't call you Robert anymore.

Mike Engle You can call me Al if you want. Yeah,

Jim McDonald You can call me Al. There you go.

Mike Engle Great. But really thanks so much for joining, and here's our contact information. You'll be hearing from us from a follow-up on today's session as well. There's been a bunch of questions here. I think we wanted to answer one live before we go here. Do you want to answer this one?

Jim McDonald Yeah.

Mike Engle So one of the questions is how do we see FIDO being incorporated into continuous authentication? And so continuous authentication is one of the CAT, is one of the latest Gartner trends that they're focusing on. It's being able to know at the other end of the digital connection, that that person is still there, continuous. And it's really a combination of how much you bug the user. I mean, if you ask the user every five seconds, "Are you there, scan your face," you're going to know without a doubt. But they'll probably throw their phone out the door, and go work somewhere else.

So it's a balance. What we're seeing is now that being able to know that this is my phone, it's in my hand, my behavior on this phone is an important factor, my FaceID on that phone, or my LiveID, when you need real biometrics. It's getting easier and easier to engage with the users. I've seen technology now where you can authenticate as fast as going by a camera like this on a computer or a phone. So again, it has to be done with the right level of implementation. So more to follow on that as the industry matures. And we have our final question here being answered live by-

Jim McDonald If can throw in for something there on the continuous authentication, I think.

Mike Engle Yeah, please do?

Jim McDonald It comes down a lot to the specific use case. I mean, in some use cases, you might be able to get by with just time-outs. In other use cases, or monitoring is their activity. And then time-out, if there's inactivity. Other cases, you may need something more advanced, then there are solutions in the marketplace. I think the FIDO angle is how do you then switch it to a FIDO-based authentication if that's what's required in that use case? So the typical consulting answer, is it depends. But it really does, really depends on the use case.

Mike Engle Yeah, it is about risk and the level of assurance that you need. Yeah. All right. Great, well, Jim, thanks so much for joining and I really had a good time.

Jim McDonald I did too.

Mike Engle Let's do it again soon. I'll see you on the podcast circuit.

Jim McDonald Oh, absolutely. Thanks a lot.

Mike Engle Thanks everybody for attending. We'll see you online.
Michael Engle
Mike Engle
CSO
1Kosmos
Jim-McDonald
Jim McDonald
Director, Digital Identity Advisory
RSM US LLP
rsm-logo
idac-podcast-logo

In this webinar, 1Kosmos Chief Strategy Officer, Mike Engle, and RSM US Digital Identity Director, Jim McDonald, covered:

  • How to use biometrics in a private and secure way for authentication
  • The trick to efficiently onboarding users to a more convenient MFA experience
  • How to verify identity, ensuring biometrics match authorized users
  • What this means for a zero trust deployment

For years MFA has served its purpose, but in 2022 do you really want to use a 1965-era approach to secure your network? … especially given the glaring weaknesses in text messages, e-mail, hardware / software tokens, and push notifications? Modern devices equipped with cameras, biometric readers and TPM chips offer a path to new, more convenient and secure MFA that allow you to ditch the codes and let users use themselves as the authentication factor.

×