I Heart Passwordless [webinar transcript]
On demand webinar: “I Heart Passwordless” with Strata Identity and HYPR, the Passwordless Company.
Stop crushing on passwordless from afar and crush your goal of leaving passwords in the past.
Mark Callahan: Welcome, everybody. We are excited to have you join us on this Valentine’s Day as we dig into the topic of Passwordless. Obviously, our theme today is I Heart Passwordless, and I know that a few of y’all are seriously considering new passwordless initiatives right now. Curious about how you would go about accelerating deployment and what role Identity Orchestration might play in that?
Good news is we’re going to be discussing all of that with you. So, let’s look at what we’re going to be talking about today.
I know that this is a valuable use of your time, and we appreciate you all being here with us. As we think about what we’re going to talk through today, we’ll start with some quick introductions about the presenters. We’ll give a quick overview of who Strata and Hypr are.
We’ll talk about this theme of Decoupling for Success, which is why you see all the hearts in the background. It seems a little out of place for Valentine’s Day, but I assure you it’s appropriate. We’ll get into a demo and then, of course, those questions that I mentioned.
So, in terms of your presenters today, I’m Mark Callahan. I’m the Senior Director of Product Marketing here at Strata. We’re joined by Ryan Rowcliffe, the field CTO from Hypr, and Steve Lay, a senior sales engineer from.
As we are getting ready to get going here, I’d love to have each of you maybe just do a quick introduction of who you are and a little bit of background about yourself. Hey Ryan, can we start with you?
[00:02:49] Ryan Rowcliffe: Hey, I’m Ryan Rowcliffe, field CTO over at Hypr. For the last three years I’ve been concentrating and spending my time focused on going passwordless and getting rid of passwords from the enterprises and from our consumer lives.
Prior to that, I was in the authentication space with adaptive authentication MFA. And if we go even further into history, there’s a lot of application performance management and network performance management in my background. But I’m really excited to be hanging out with you, Mark and with you, Steve, on a Valentine’s Day.
There’s no other group of individuals I’d love to be hanging out with on this day.
[00:03:20] Mark Callahan: And then speaking of it, I feel like there’s a theme here. I’ll let the audience figure out what that is. But yes, I did as well. And Steve, let’s go to you. How about a little bit of your background?
[00:03:27] Steve Lay: Hey, thanks, Mark. Hi everyone. I’m Steve and I’m a senior sales engineer here at Strata.
I’ve been in the identity and access space for probably coming up on over 20 years at this point. I’ve spent a lot of time in the field doing consulting and field support work, and probably the last 10 years now on the pre-sales side, working with large enterprises across the US, South America, and the EU.
Looking forward to the session today.
[00:03:51] Mark Callahan: Awesome. Awesome. I’ll tell you, Ryan, as you mentioned, it’s Valentine’s Day, so I wanted to lead off with a question that I know is top of everyone’s mind right now, and that’s: what is everyone’s favorite Valentine’s Day candy? Mine, I think way back when, were those little candy hearts that I’ve got here. They always broke your tooth.
They were hard as a rock, but boy, they were. Ryan, what was your favorite Valentine’s candy?
[00:04:12] Ryan Rowcliffe: I think we’re all going to age ourselves because that was the candy, right? If we go all the way back to our childhood, they were what we put and stuffed in little cards in school and we shared.
And that’s a fun memory for me as a child, right? Just being able to give those, and as you received them, that was the one time in class that you were allowed to eat candy. At least for me, you were just sitting there chomping on them nonstop, and obviously there was always some good little words written on them.
So that’s a fond memory. And then you can always go down the path of just straight up chocolate, as a child, just grower.
[00:04:41] Mark Callahan
[00:04:45] Steve Lay: My favorite, Red Hots. No, I haven’t had those in a very long time. Being older now, my stomach doesn’t handle Red Hots as well as it used to when I was a kid.
But I can remember just almost, quite literally, stuffing my face with those, with a mouthful of Red Hots, munching away. And by the way, if you’re getting the hard-to-chew hearts, that just means that those were last year’s boxes.
[00:05:06] Mark Callahan: That’s it. That’s it. Mom got them on discount. That’s probably what happened.
Let’s go ahead and dig in. So obviously we’re here today to talk about passwordless and how to accelerate passwordless deployments, and how Strata and Hypr are working together in this better-together format. And I hit upon a research report this morning that sort of set the stage a little bit, and it just had some findings that said 17% of IT and identity have started to eliminate passwords within their organization. Another 36% were testing and evaluating passwordless technologies in 2023. And a full third said that Passwordless was their number one IAM initiative in 2023. Passwordless is hot. And as we’re getting into this, I’m sure a lot of our audience is familiar with the technology, so we’re not going to go super remedial about what Passwordless is.
But Ryan, if you would, tell us a little bit about Hypr and Hypr’s approach to Passwordless.
[00:05:58] Ryan Rowcliffe: Yeah. And it’s a current report that you just caught this morning. It’s something that we’ve been seeing historically over the last couple years: the momentum of Passwordless is starting to become a reality.
And for Hypr it has been our approach, which is completely eradicating the password from environments. It’s not a passwordless experience, it’s truly passwordless, by using different authentication methods built on standards, using the same technology that’s been around for a little while with smart card authentication as well as FIDO.
And I think those are key components to how we do get passwords out of the enterprise: not just leaving it hidden in the background and obscuring it, or doing security through obscurity. It’s truly by moving it to a more crypto-based or cryptography-based, PKI- or PKC-based authentication event. And that is at the foundation and core principles of how Hypr looks at eradicating passwords. And we’re going to talk a little bit about decoupling. And it’s empowering, right? It’s about empowering your end users.
It’s about giving your end users that authentication control or, if you will, authentication independence.
[00:07:08] Mark Callahan: And Steve, for the event today we’re talking about passwordless and Strata Identity Orchestration. Can you give a little bit of background on Strata and what Identity Orchestration is?
[00:07:17] Steve Lay: Yeah, sure thing. You can think of Identity Orchestration most easily as a lightweight abstraction layer that allows an organization to extend existing or new identity services into their applications without ever having to do any kind of recoding or configuration of those applications to those identity services, right?
So Hypr, as a leading Passwordless technology, is a perfect example. If you have a landscape of legacy or non-standard applications that might have a directory for a backend, it can be difficult to achieve full Passwordless completely and truly if you have applications that otherwise must be recoded to be able to support modern authentication services. And so, through orchestration you could achieve and enforce that consistent user experience, that consistent security policy in terms of what services are being enforced, what identity data is being used, and how that ultimately is used for authorization and passing that user directly into that application, all while that experience in the orchestration layer is something that’s completely transparent to the users as well as to the applications themselves.
[00:08:30] Mark Callahan: I was looking at the registration list before we started today, and there’s a lot of representation from financial services and FinTech orgs, from healthcare and big pharma organizations, higher ed, and even some government sector attendees.
And I don’t know that that’s really a surprise by any stretch, because those are such regulated industries that we’re seeing. And so, there was a question that came in prior to the event where people were asking a little bit about what the use cases and best practices for Passwordless are.
And Ryan, you’re smiling, so I’m going to let you jump on that one for a minute.
[00:09:02] Ryan Rowcliffe: Yeah, it’s always interesting because wherever there’s a password, there’s a use case. I think it really comes down to the regulated environments being the ones which are either early to allocate budget or initiate projects to take this on. And I’m thinking in ’23 we’re going to see this becoming, as the report you were quoting was outlining, all now a priority. We could say last year those regulated environments were the ones who were allocating budget and making projects.
Now everybody’s going to be doing it. When you look at the ones that were probably the quickest to move, they were financial, because they had a lot of risk that they could define, that they could mitigate by removing passwords from their environments. That risk is a very tangible risk, and I don’t want to play favorites for financials, but there’s a very hard dollar cost that can be quantified very quickly through fraud or through other means.
Whereas when we get into other regulated industries, there it may not be so obvious, and it is now becoming much more obvious. We can sit here and call out healthcare. We’ve had how many healthcare breaches and/or challenges through history, where it’s either ransomware or some phishing campaign or something else that has had some great success.
You can look at manufacturing and you can think about other attack vectors that happen within manufacturing. You look at pharmaceuticals and you look at others; all these industries are being attacked in some form or fashion. It’s just a level of where do you put your security budget?
Where do you allocate that time and where do I get the most bang for my buck? I’m going to tee it up a little bit back for you guys, because a lot of the conversations we do have with those other, maybe less regulated, industries is: we have an enterprise of legacy, and the conversations are like, if we can’t go a hundred percent passwordless today, then you know we’re not going to make that initiative.
And it’s because we have these older applications that are legacy, they’re using LDAP, and there’s no way to leverage some federation framework. And that usually becomes a big kind of, all right, we’re going to put the project on hold until we can solve that problem. Versus looking at the journey and saying, “We’re going to start taking these things down step by step”.
They want to pause that project overall. And I think now, in this conversation, it’s: you don’t have to pause that project. This journey can even accelerate, because we have a solution to get you across the board for all your users. And that’s obviously why we’re partnered here with Strata.
[00:11:29] Mark Callahan: Exactly. And I know that in talking with you and your team in the past, you talked about the idea that if one app isn’t protected, then no app is protected. And that can seem daunting, right? I’ve got so many old crusty line of business apps, I have all those LDAP-bound apps, I have things that I don’t even know about.
Truthfully, and they only come up through audit or other scenarios. And we at Strata heard from organizations who are making keep-or-sunset decisions about apps simply because they didn’t have access to the code and couldn’t protect that app. And it seems like the wrong decision to make there. So Steve, as we’re thinking a little bit about those older apps, and it’s Valentine’s Day (even senior apps need love), what’s Strata’s approach here?
[00:12:06] Steve Lay: This is a good conversation, right? Because if we talk about legacy applications, and I think probably a lot of our audience are experiencing this, often legacy applications aren’t these apps that a handful of people have access to, right?
A lot of times these legacy applications are critical to the business, right? Whether that’s serving something on the backend, whether that’s oftentimes even nowadays still serving services directly to consumers. So that puts organizations between a rock and a hard place, especially when it comes to adopting passwordless, right?
Because the way that we see things is that no app should be left behind. And therefore, without orchestration, a barrier to going full Passwordless is that we have these important applications that otherwise are going to require a huge lift to get out from under a bunch of technical debt, just so this application can speak a modern authentication protocol.
So that you can then put it behind a modern authentication service like Hypr, right? Those are the barriers that until orchestration have been there, and now with orchestration in place, we provide that ability to abstract the enforcement of a service like Hypr and then be able to provide context for that user into that application in the way that application expects, especially for legacy application types, particularly apps that are forms-based with a database backend.
[00:13:35] Mark Callahan: And so, both of you talked a little bit about that consistent user experience and this idea of abstraction, and so that takes me to the next topic which we talked about, decoupling for success. This is a core theme that you’ll find in both Hypr’s and Strata’s messaging: this idea of decoupling, whether it’s authentication from the IDP, or identity from the apps themselves.
Ryan, tell us a little bit about what decoupling means at Hypr.
[00:13:59] Ryan Rowcliffe: For us, decoupling is, like I said, empowering the user. It’s putting the authentication control back into the end user’s hands, but it’s also enabling the business, right? So, a lot of the enterprises that we have conversations with are not bound by one identity provider; they have a collection of identity providers that they have acquired over the years.
How many registrations is that going to require for you to do an authentication event? How many different user interfaces is that going to produce for your end users? And what if you were going to say, all right, now we need to do a merger and acquisition, and we’re going to bring in another IDP that has a whole other set of different user interactions?
By shifting the authentication into the power of the user’s hands, whether it be on their mobile device or through a passkey or something of that nature, that abstracts away what that user’s going to do for authentication. They are always going to have that same experience authenticating. So, if it’s going to be through Strata, if it’s going to be through anything, it’s going to be the same exact experience.
Once they’ve registered and started with Hypr, it doesn’t matter where you’re going. It doesn’t matter what your destination’s going to be. It doesn’t matter what you’re authenticating to. It’s always going to be that same authentication. So that is where the strength comes from: once again, empowering the end user to have that great experience, that same experience.
And then it also enables that business to be able to bring things on, take things out. It does not impact that user.
[00:15:26] Mark Callahan: And Steve, thoughts on adding to that, as we think about decoupling identity from the apps themselves?
[00:15:31] Steve Lay: This is just the other side of that coin, right?
The side that Ryan, you’re talking about is that consistent user experience, which is so crucial. And then the other side of that coin is enforcing consistent security policies across your application landscape in a way, again, that is consistent in terms of the policies that are being enforced, as well as how that integration actually works with those applications, so that you can rapidly adopt these types of services and make that a matter of simple configuration right in the orchestration layer, rather than a lot of work working directly with application owners, doing oftentimes development and integration work with those types of applications. So, one side of that coin being that consistent user experience, and then the other side of that coin being consistent policy enforcement, through the fact that with orchestration you can completely decouple identity services from the applications themselves.
[00:16:32] Mark Callahan: So, we’ve almost made, like, portable passwordless. If I were to coin a phrase, and I’m the product marketing guy, so I’m going to PM that: you heard it here first, “portable passwordless”. But it’s true, right? Because I think both of us in our organizations have seen this obstacle or this hiccup that you run into in a deployment, where it goes smoothly when you’re talking about standards-based applications.
Something that natively speaks OIDC and SAML, and then suddenly you get to those older legacy apps and it’s not, as you pointed out, Steve, just these little line of business apps that three or four people use. It could be a mission critical application that 30,000 users use every single day, and it’s still not a standards-based app.
And what do we do there? I think that’s where we’re getting into the real meat of the topic today, which was how do we protect those interesting apps, those non-standards-based apps, those LDAP-bound apps. That’s an interesting one right there. And do it in a way that is what we promised here, that seamless user experience that is just a consistent look and feel for accessing your apps.
We’ve been talking quite a bit. If it’s okay with you, I’d love to, Steve, put you on the spot for a moment. We’ve talked about doing a demo. Can I give you the screen here and you walk through? There’s not a lot of words. Let’s see this in action and see how it plays out.
[00:17:42] Steve Lay: Everyone try to figure out what we’re saying just with hand puppets. That’s right. That’s right. Yeah. Yeah. So, let’s just look at this real quick. Yeah. This will be pretty quick and simple, right? As it really should be for user experience. So, what do I have here? I’m an end user. I need to access my application, in this case a web-based application that is a non-standards-based app, right?
It does not understand SAML, does not understand OIDC, and I simply need to get to that application, but I want to have a consistent user experience to be able to authenticate with Hypr to get to this application. Now, this is a good example, where this demo environment is a reasonably accurate representation of what we see with a lot of our customers, where we also have Azure.
So, I have an Azure account, I also have an Okta account, right? So, I might have accounts and access across multiple cloud providers or authentication services, but I shouldn’t have to know or.
[00:18:33] Mark Callahan: Ryan, that’s what you were saying, right? Over the years you get these, whether it’s through M&A, different divisions, you name it. That’s just a reality that we’re facing.
[00:18:41] Ryan Rowcliffe: Correct. And at the same time, I think Steve, you put it the best. You shouldn’t care. You don’t know as an end user; asking our end users to have to manage that thought pattern is just a terrible ask.
[00:18:52] Steve Lay: I’m steeped in this every day. I don’t want to have to know. I don’t want to. So, when I’m an end user and I click my link to get to this application, in this case, based on the pattern, this being a legacy application, that request hit the orchestrator first. The orchestrator has a simple policy that says, to get to this application, you need to authenticate with Hypr.
Now in this demo environment, I don’t really have any way to establish user context, and I’m not already authenticated with something else. So, in this case, I’m going to put a username into a form. This should be something more like a QR code or a passkey that I put in to establish that first interaction of, okay, I’m claiming to be who I say I am, but in this case, I hit submit. As that end user, I immediately get a push on my device to authenticate with Hypr with biometrics. I authenticate with my biometric on my phone, and then I’m in my application, and that’s it, right? So, it’s not a flashy demo, and that’s intentional, because it shouldn’t be flashy or complex for your end users.
I click my link to get to an application; if I’m not authenticated, or based on the rules that need to enforce authentication, I authenticate with Hypr and I’m in my application. What I don’t have to know, or I don’t have to care about, is the fact that in this case, what the orchestrator did post-authentication is that this application needs information about me, Sam, from Azure, and also from Okta, but we’re using Hypr to authenticate.
So, in this case, the Orchestrator handles getting that relevant information about Sam from Azure and from Okta, and presenting it to the application in the way that app expects, in this case a legacy application pattern. And in this case, that application is not at all directly integrated with Hypr or with Azure or with Okta.
[00:20:40] Mark Callahan: I feel like I did a lot of lead-up to this being an exciting demo, and it’s going to be like magic, right? But by the same token, it wasn’t supposed to be this big, fractured experience with lights and flashing and all this. It was supposed to be dead simple. A seamless user experience.
And that’s what you just did. Is there a way that we can see a little bit more about what happened behind the scenes, since that was so seamless?
[00:21:02] Steve Lay: I’ll make this brief: When we talk about non-legacy, or excuse me, non-standard or legacy applications, oftentimes what the orchestrator is doing is effectively proxying traffic to those apps.
So, I’ll be brief here, right? But effectively what happened is, when I as the end user on my browser hit my link to get to that application, that was a request to the orchestrator. The orchestrator is a policy enforcer, so it has policy either written in the orchestrator or policy written somewhere else that the orchestrator goes and retrieves, and says, what does this user need to do to take this action? In this case, simply get to the front door of the application. The orchestrator redirected the user to authenticate to Hypr for passwordless. Upon successful authentication to Hypr, we consumed that token that we got back from Hypr, and then we went and retrieved additional stuff about that user, right? In this case, some attributes, some entitlements from a couple of different cloud services.
We pulled that back into the orchestrator and then passed that to the application, in this case a non-standard app, in the way that this application expected. So this app did not have to be integrated with any of these services to do that. The orchestrator handled that upfront authentication, handled the upfront policy enforcement of what else does that user need to do, or what other context does the orchestrator need to go get, and from where?
It did its thing and passed that context to the application. And so that’s a lot of words; you saw in that demo how quick all of that is, right? And that’s what orchestration is meant to do, which is, again, to be able to completely decouple these services from the application itself.
And I as a CIO, as a CISO, and importantly too as an application owner, I don’t have to, right, with directly modernizing these applications through code work and redevelopment. I can leave these applications as they are, and I can still secure them through an orchestration layer.
[00:23:04] Mark Callahan: So, Canary App could have been a 15-year-old app.
We have no idea who it belongs to. And you were still able to add Passwordless to it with Hypr.
[00:23:11] Steve Lay: Yeah, for sure. And in fact, we’ve done almost the exact same thing for several other customers, where they have apps that are over 20 years old that quite literally nobody at the organization even has source code to.
[00:23:24] Mark Callahan: So, it’s a no-app-left-behind standard. It’s not a scary thing, right? If one app is unprotected, all apps are unprotected. There’s not an excuse now. And you even have a little bit here about this cloud with the signals; is there a Zero Trust story here as well?
[00:23:37] Steve Lay: Yeah, a hundred percent.
So, the orchestrator is entirely runtime driven. The orchestrator doesn’t store data persistently about users. What it gets about users, it goes and gets when it needs it. It stores it in memory only for that user session. So, what that means is that, because we don’t have to do a lot of complex time-based workflow synchronization work, we are built to either go retrieve data from a system or be the receiver of a signal from an external system to then take an action.
A common one nowadays is using things like webhooks, risk platforms, whether they’re off the shelf or custom, or services like continuous access evaluation, that provide some signal about a user.
That means an action should be taken right here, right now. And oftentimes what that results in is that the orchestrator receives a signal, then within a couple of milliseconds finds that user’s sessions and kills their sessions immediately.
[00:24:31] Mark Callahan: Challenge for re-authentication. And so, it almost sounds like there’s a story here for not just those non-standard legacy apps, but also modern apps that are speaking modern protocols as well.
[00:24:39] Steve Lay: That pattern is a little bit simpler, right? And in this case, the orchestrator itself is not proxying traffic to modern applications. You don’t want to be proxying traffic to cloud-based apps, or particularly SaaS applications. So in this case, what changes is that the application is changed to see the orchestrator itself as the identity provider, and then from that point, the orchestrator can do what it does for any other application type, like non-standard applications. Because the app sees the orchestrator as the identity provider, the orchestrator can then redirect and do whatever it needs to do to be able to go and make that user authentication experience consistent.
Be able to enforce that and then simply pass back the expected token type, claims and so on to that modern application. Got it.
[00:25:25] Mark Callahan: And so really, we’re talking any app here with orchestration. We’re speeding up that deployment and accelerating it. And so, Ryan, for you all, that’s got to be great as well, to really speed up those deployments.
[00:25:34] Ryan Rowcliffe: Yeah. There are so many little value-add components to having an orchestration layer, which is also covering the ability to terminate sessions. You’re also adding in what is the future of almost all our computing and identity, which is Zero Trust type controls, right?
Being able to terminate a user session or force a re-authentication event. The great part about that marriage, or our Valentine’s Day partnership, is that it is at least going to require the highest level of assurance authentication, right? So, it is a crypto authentication. It’s not a one-time passcode.
It’s not a seed, it’s not a secret. So, when we do take that approach, we are aligning with a very solid mantra within zero trust. And I do love how in our business of authentication, if our demos take longer than a minute, it’s a failed product right at that point.
So, it’s always interesting when we spend more time talking about all the value of what authentication, what true passwordless, can. Because a demo shouldn’t be something that has a long-running component. The technology is sound, and the authentication engine needs to be within less than minutes anyway for users to adopt this.
All this is exciting stuff for me. I love it.
[00:26:46] Mark Callahan: We love it. And we did make a leap of faith in this one, that the user was registered with Hypr at the beginning of this; there was a question that came in, and I just wanted to point that out to connect the dots there. Steve, speaking of questions, I’m going to take the screen back from you for a moment here.
All right. And let’s go ahead and get into those questions. There are a couple of questions, three questions, that we already have coming in.
And I wanted to just jump into these. I know we’re going a little short on time, but I promise we’ll go quickly here. So, first question: how do you get people to change with newer, better, safer technologies?
Sometimes even when you build it, they don’t come. What do we do then? Ryan’s smiling again. I want to hear this story.
[00:27:19] Steve Lay: You take that one first, man.
[00:27:20] Ryan Rowcliffe: This is the adoption challenge, right? This is a new technology. There’s plenty of examples that we could come up with.
All of us are dating ourselves with 20-year references. There’s been a lot of businesses that have built amazing technology but never got adoption. For us, this is what we have concentrated on for the last couple of years ourselves, in different use cases, whether it be a consumer flow or if it’s an enterprise, in the context of enterprise.
Usually we find success with opt-in, where the experience just ends up bringing users to wanting this authentication event versus what they’re currently doing with a password today. And in some businesses that does not necessarily go over a hundred percent. And sometimes we must evolve that opt-in to having leadership, where the security team or the executive leadership makes a mantra that the business is going to make this change to passwordless. And they put little initiatives out there, whether they enable management to hold their employees accountable, or they put some other fun initiatives out like gift cards, or gamify how many people can register at a certain time.
And that has seemed to be the most successful. It’s also, how do you get that wheel? How do you get that initial momentum? How do you get that initial small piece of a snowball to start falling down that hill to gain and grow?
And usually you get some of your leaders in your company to start representing. We’ve had a couple of leaders get on their company kickoffs and basically showcase that they’re going passwordless with us and how they as leaders are authenticating now. And that just brings the rest of the company along with it.
There’s a lot of different approaches, but adoption is very key. And we’re also at this perfect time in 2023, with passkeys and the industry all becoming very aware of passwordless, that this isn’t a nuance anymore. This is now going to happen. Everybody’s going to find some way to start achieving this.
And I’m going to go back to that article, the statistics you brought earlier; it all shows there’s projects that are all lining up. It’s initiatives, it’s high priorities. So, this is all going to happen.
[00:29:16] Mark Callahan: It is. And as we think about that adoption, the same question for you, Steve. Thoughts from Strata’s perspective?
[00:29:22] Steve Lay: Yeah, I guess just to add on to what you were saying, Ryan, I see this too from a perspective of, if I have to make it probably overly simplistic, organizationally it almost always comes down to either this is something that’s being dictated to the user population, or something that is incentivized by leadership to try to get people to come.
And with orchestration, you have the ability, regardless of where your organization’s culture sits, to use orchestration to make that choice of where you want to start, whether it be with a single application or with a specific user population. And that’s important for passwordless because of the technological architecture of the orchestration layer itself: you can make the orchestrator do its thing for just a single application or a handful of applications to start, right? So, what that means, in terms of accelerating and broadening adoption of passwordless, is that it helps if you have a user-friendly population. Because sometimes app owners of specific business units or populations in an organization can hold a lot of power and influence.
And Ryan, to your earlier point, if necessary to get some buy-in, that can help a lot, because then those folks in those parts of the organization, or that application that half your users use, can now begin to sell internally. And you can have people that are advocating for this within the organization itself, and it doesn’t really get a whole lot better than that, when it comes to a leadership’s perspective of being able to truly extend and enforce a service that’s new to users.
[00:30:59] Ryan Rowcliffe: Yeah. There’s one I left out: in the heavily regulated environments that have MFA requirements, sometimes it’s “No, you’re doing this.”
[00:31:06] Mark Callahan: We saw these worded memos from the White House and CISA and others where it’s guidance now.
This is going to be regulation.
[00:31:14] Ryan Rowcliffe: Yeah. It will eventually be regulated, and I would expect by ’24 we’re going to start seeing it, probably pushed even.
And I’m sure a lot of the attendees also are facing cyber insurance requirements to have a hundred percent coverage of phishing-resistant MFA across the board.
So, yet another reason right there. I can handle this question. There were a couple of questions that came in about our hairstyle and wanting to know if we all used the same barber. Yes, we do. And thankfully, we were going to color coordinate today, so you could all just know us by our colors. But yes, I digress on that one.
So, I’m going to combine a couple of questions here because they are related. But one was around the idea of what happens with somebody who hates passwords, but they leave their device at home, and there’s this thing where they’ve left a, when I say their device, they’ve left their phone at home.
And so they don’t have the solution you just showed, that biometric login. Steve, what about that? And then also this idea of, what about when you have two-factor authentication on campus, but you’re using passwordless when you’re working remotely in the coffee shop or at home. Is there a place where these things can coexist?
[00:32:14] Steve Lay: Yeah, I’ll take a first stab at that then. And these are related, so on that first one, right? If I forget my phone at home, right, my single registered device, there are a lot of ways to address that. And these are things that need to be part of that upfront design. So, without being too self-serving with the answer, or trying not to be anyway, with orchestration
you guys have probably already seen the fact that it doesn’t really matter whether you have one authentication service or a hundred in your organization, right? One directory or a thousand doesn’t really matter with orchestration, right? In terms of specifically using the right data at the right time, from the right places, to enforce policy, to SSO applications, and so on.
So, because of that, right, if you as an organization have a fallback service, for example simply Active Directory, and you are willing to accept the kind of risks that come along with “we’re going full passwordless, but if you forget your device, you get to use a password right there.”
That’s a whole other part of the conversation. I’d love for you to comment on that. But the bottom line, right, is with orchestration you can provide resiliency in terms of continuity of authentication services. So, if you have additional authentication services that are available, then you could use the orchestration layer to contextually enforce an alternative authentication experience, for example if someone forgot their device.
And the last thing, I’ll tie the bow on the university question. That’s almost exactly similar, with one twist, the twist being there that the orchestrator can use any data as context to decide how that user needs to authenticate, if they need to authenticate again, or whether they’re going to even be allowed to access an application at all.
So that context can be information that’s provided from edge networking, for example. So, if I am on campus, then I do not need to step up to this MFA provider, but if I am off the campus, right, and I’m still accessing that same application, the orchestration layer can be the enforcement point to say, okay, I’m going to use that data to say, in fact, you do need to step up to this other factor,
based on this context that you are not attempting an authentication from on-prem. And this comes back to some fundamental things around advanced authentication that have been around a while. But with orchestration you now have that choice of where you want that to be enforced, whether it’s at the edge or whether you want that to be enforced close to the application, which is where an organization would.
[00:34:48] Mark Callahan: And Ryan, I’m sure that question does come up a lot. Forgotten device, or thoughts about that?
[00:34:53] Ryan Rowcliffe: Yeah, that’s, in every conversation that’s being introduced around Passwordless, it’s okay, what happens when I forget my phone, or my fingerprint doesn’t work, or whatever.
Yeah. Strangely enough, if we followed the guidance under FIDO, it’s like, hey, have a second device. This is where a FIDO2 authenticator, whether it be your platform authenticator, on top of having your phone, would be very beneficial in these deployments. The other question I usually ask back is, all right, how many times have you left your phone at home?
Or how often do you... Recovery is a different story. I’m just, like, the forgot device is something that has been so common over the last couple of years that when we started looking at the studies behind it, generationally the phone is less likely to be left behind than your car keys.
Yeah. I believe so. It’s still a valid question, and usually it requires, depending on what organization we’re talking with, doing a little bit of a study with that organization to see how much of a concern it’s going to be with that mobile device. There are other recovery paths, and as Steve was talking about, like the orchestration, you guys can help enable that.
The only thing I bring up is, as you said Steve, that level of risk that you’re willing to accept. If you fall back to something other than strong authentication with passwordless, that’s your lowest level of security, right? That recovery flow is going to be your exposure, and that’s going to be your risk tolerance.
So that becomes, not obviously, that’s a conversation usually with CISOs and with security: what is going to be your posture, and what does your threat model tell you that you can accept?
[00:36:20] Mark Callahan: And we talked about decoupling, and so we’re talking about putting Passwordless on the application itself.
So that decision could be made on an app-by-app basis, based on risk tolerance per application in that scenario.
[00:36:30] Ryan Rowcliffe: Correct. You could add that, you could easily put a policy together that says, all right, we do a lot of transactions here. It’s old, it’s our old line of business that we’re never going to touch, but it is our cash cow.
It is everything that we use from our revenue stand. Passwordless is only going to be allowed in there. Everybody else is, go get a device recovery, go buy a new phone, go whatever, and go through a new registration before we’re going to let you back in there. Makes sense? Those are all decisions.
And this comes back to threat modeling, right? This comes back to what’s your level of risk. What’s your mitigation? And once again, we’re all going to be passwordless by 2024, I just see it that way.
[00:37:03] Mark Callahan: That’s a bet, I’ll put that on you as well. And so, we talked about standards a few times and there were a couple of questions.
One was if you could just give, like, the TLDR on what FIDO is, and then secondarily, has NIST given us any recent guidance around Passwordless?
[00:37:16] Ryan Rowcliffe: Yeah, it’s always fun because we can say here, FIDO: Fast Identity Online. We are part of the FIDO Alliance. We’re on the board, as well as we participate in a lot of the working groups, but it is a standard which has built multiple different, I should say there are multiple standards of authentication frameworks.
The one thing that we hear a lot in the market today is we’re conflating FIDO and FIDO2. This is what passkeys are. This is what Apple used the marketing engine of their power to push out, passkeys. But this is FIDO2 authentication. Hypr is built on both FIDO UAF and FIDO2, so that you can have some flexibility in how you want to go through your deployment.
And through that, that being an open specification means that it’s standards, and if you are going to take an initiative to go passwordless, standards, I think, are the key to making that a successful adoption across the industry. We’ve all seen in the past proprietary attempts at doing things, and you end up with these vendor lock-ins and you don’t see mass adoption.
Great examples are like OpenID, SAML; all of these are open standards which drove huge changes to the market. And then in reference to NIST, even in the old version, so NIST is working on 863-4, which is, finally they’re putting out a revision. They’re asking for comments on their paper.
In the previous iteration, under FIDO authentication, it was ranked as AAL, Authenticator Assurance Level, three, which is the highest level of assurance of that authenticator because it’s using PKC, that was adherent. So, if you deployed Hypr today, you would be at an AAL three level of assurance when users authenticate against your services.
In the revisions, they’re calling out the flow. So, I was reading it just to make sure I was prepping for this, this time together today. And I was reading, they outlined the actual flow, which aligns with passkeys for the future, what that authentication flow is. So, by using your biometric on your mobile phone, unlocking the private key to make a signature,
in doing a public key authentication, that defines a multi-factor authentication, right? So, your biometric unlocks, and then the actual crypto key for signing and doing that transaction. So, without NIST saying FIDO equals everything you should ever do in life, they in essence outlined what the process should be.
And it pretty much aligns with how FIDO has built out the authentication schemes. There is a future under NIST, in compliance, where you’ll see that FIDO will achieve those goals.
[00:39:44] Mark Callahan: Great. I was just looking at the time. We got lost here, which is wonderful, because we have so many questions that are still coming in.
We would love to talk with everyone, and we’ll take a stab at answering all those and get those back in the emails after the event.
So, I wanted to wrap with just a couple of quick things. I promised some treats at the end. And one of those is, here at Strata, we created a new passwordless eBook that talks about what we discussed today and features, obviously, Hypr very prominently throughout.
And so, we’ll be sharing that eBook at the end of this with all registrants. And we also, I personally happen to have three full passes to Gartner IAM at the end of March. I would love to offer those to the first three organizations that reach out and start a no-risk POC with us, because a lot of what we showed today is “trust us, it works, watch it, see, it works.” But you must see it in your own environment to believe it and realize how easy this truly is. So, if you use this email address here, [email protected], [email protected], we’ll capture all those requests, and like I said, the first three who start a POC with us, in this joint delivery that we’ve got together, we can offer those three full passes, one each, to those organizations.
I would like to thank everybody for joining us today. Ryan, you and Steve, thank you so much for your time. But more importantly, our audience. Thank you all for spending part of your Valentine’s Day with us. I know it’s a valuable use of your time, and we appreciate you; you are spending that with us.
We’ll be answering these questions, we’ll get the email out, more to follow, but we really do hope to hear from you. So please reach out to [email protected]. And with that, I wish everyone a very happy Valentine’s Day.
[00:41:16] Steve Lay: Happy Valentine’s Day. Thanks, Ryan. Thanks, Mark. Thanks, everyone.
[00:41:18] Ryan Rowcliffe: Thank you. Thanks, Steve. Thanks, Mark. Happy Valentine’s Day, everybody. Thanks.