HID - Workforce Identity and Access Management

PIAM - Why Authentication is Still Such an Issue

HID Season 1 Episode 7


Matthew Lewis, Product Marketing Director at HID Global, and Richard Stiennon, Chief Research Analyst at IT-Harvest, discuss why authentication is still such an issue. They address the significance of passwords in our daily lives, zero trust strategies, security, and SSO. They dig deep into the drive for usability and user experience.

Speaker 1 (00:01):

Powering trusted identities of the world's people, places, and things every day. Millions of people in more than 100 countries use our products and services to securely access physical and digital places. Over 2 billion things that need to be identified, verified and tracked are connected through HID Global technology.

Speaker 2 (00:23):

In today's episode, I'm joined by Matthew Lewis, who's Director of Product Marketing at HID Global, and we're going to be talking about why authentication is still such an issue. Welcome, Matthew. Hey, Richard. Great to be here. Thanks for having me. You bet. Matthew, tell us, one, about yourself, how you got to HID Global, and two, about HID, which apparently is one of the oldest cybersecurity companies around. Yeah, yeah, sure. So I'll start with myself. So yeah, Director of Product Marketing for HID, specifically within our Workforce Identity BU; that's part of our IAM division, so Identity and Access Management Solutions division, HID Global, just generally part of the ASSA ABLOY company out of Sweden. But it is all security all the time. Everything from controllers and door panels to get into doors at a building, all the way to the things we do, which are focused on ensuring trust for an employee or visitor or a contractor that you may be doing business with, as well as consumers and devices.

Speaker 2 (01:32):

So that's kind of the thumbnail version of all of that. Yeah, lots of hardware I see on, oh yeah, the website. Yeah, absolutely. Big printers, like for citizen identity type stuff, you've got card printers, a lot of components for doors, so physical doors. So yeah, it's interesting being kind of the software arm of a manufacturer. Definitely kind of a new space for me. Traditionally I've been more on the just pure-play software side, all the way back to my time at Entrust about 10 years ago, which is actually where you and I know each other from. That's right. And Entrust even is, you know, at least merged with somebody that took 'em down that passport path as well. Yeah, absolutely. They, yeah, when I was there, Datacard bought 'em back in the day, so, yeah.

Speaker 2 (02:23):

So we've both been doing this for over 20 years. Yep. Doesn't the question ever arise: why is authentication still such a problem? Why is, you know, the executive order from President Biden telling agencies to use two-factor authentication? I mean, I thought everybody was already there. <Laugh> You know, it is funny when you take a step back and think about it, that the same things you and I were talking about a decade ago we're gonna talk about today. Yeah. And you know, when you think about it a little, I think some of it just goes to, I don't wanna say cultural inertia, but just our patterns and behaviors as individuals are just ingrained. And it's not like you put that aside when you walk from the kitchen to your office, which a lot of us are doing nowadays.

Speaker 2 (03:19):

Mm-hmm <affirmative>, since we work from home, you know, you're not really just changing who you are and suddenly thinking, okay, I now need to make sure everything I do is infinitely more secure than it was 30 seconds ago when I was Matthew the consumer logging into my bank app. So I think there's a lot of that; just passwords are part of our daily lives. They auto-complete in our browser, they auto-complete on our phone, and it's just there. A lot of us don't think about increasing our security posture as a consumer, and I don't think that's gonna change unless there is some sort of external pressure changing that as employees. And you reference the Biden administration's push kind of on the zero trust and pushing FIDO and two-factor authentication. And I think sometimes it's gonna take those sort of externalities to a company, or to you and I as employees, to get us to really move forward on that front.

Speaker 2 (04:16):

And what about regulation? Don't those usually, either regulation or standards like ISO or something, who, and they have plenty of standards for identity, but regulations have teeth in them <laugh>, and you have to do what they say, kind of thing, and budget usually gets assigned to being in compliance. Do you see a regulation coming out of anything here in the US that we're doing on the advisory side, I guess? You know, I think that that's interesting, when you think about how those things get rolled out, and I think back to when HSPD-12 came out, you know, a while ago <laugh> <laugh>, you know, it got rolled out and then it got pushed, and then people get, you know, extreme sort of circumstances and they get allowed a pass for a little while. And you know, I'm just learning through the years, things are more slow to evolve when you get into user behaviors and things like that.

Speaker 2 (05:17):

And I think you bring up a good point of ensuring that those regulations have the teeth to actually push change within organizations and things like that. So I'm hopeful that some of what's coming out is gonna change that. Now we're actually starting to see some of those patterns change. In some of the sales conversations we're having, customers are asking some different questions than maybe they used to. And I suspect you're gonna ask some questions here in a minute around things like zero trust and passwordless, all those phrases that are part of the zeitgeist at the moment. So I'll avoid diving in too quickly on that. <Laugh> Don't jump ahead on me. Yeah, exactly. So you mentioned, you know, the change of behavior from walking from the kitchen to your office in your home, because we're, you know, over two years into a work-from-home kind of world. Did you see any, you know, from your perspective at HID Global, did you see any changes?

Speaker 2 (06:20):

Because I've talked to people who do remote access types of things and they refer to March of 2020 as March Madness, 'cause their connection requests went up by 600% in, yeah, in those two weeks. That's a very interesting phrasing of it, since everyone knows March Madness usually for other things. Mm-hmm <affirmative>. Yeah, it was, we saw a bump, people rushing to put something in place because, oh my gosh, suddenly our entire workforce is remote. You know, to me it was interesting because it accelerated, it feels like it accelerated what companies were wanting to do over a 2-, 3-, 5-year timeframe. Like it condensed that into a matter of months. So I definitely think there was a change, because suddenly I'm not on VPN by, you know, just the fact that I'm on the company LAN, or wham, I'm now outside of that old-school perimeter that you and I have talked about for years, of kind of being beyond that, and maybe identity being central to a new variant of that.

Speaker 2 (07:31):

So it definitely was people trying to put in things to ensure the person logging into their device was Richard, ensure that the person logging into either their VPN or their Salesforce or, you know, whatever their ERP might be was actually the CFO of the company. So we definitely saw a bump kind of right there at the beginning. And then, you know, what's interesting is I think a lot of CIOs and CISOs went, oh, we don't even have the basic building blocks for some of this infrastructure, we need to upgrade everything. And so for some, IAM seems to have taken a bit of a backseat for a bit, but we're starting to get that interest now again, now that they've come up for air and are thinking about how to, okay, now that this is a little more permanent, what are we gonna do?

Speaker 2 (08:17):

That's more than a band-aid. Good. If only they continue thinking like that. Exactly. You know, if you've been in the business as long as we have, you start to see old ideas, or at least names for old ideas, come back again and again. Yeah. And it took me the longest time when all of a sudden passwordless was the big thing, gotta get rid of the password. You still see that all over the place. I started talking to the people who do it and I realized, oh, you mean client-side certificates <laugh>, you know, the thing that, you know, probably Netscape was probably the first one that introduced those back in the day. And yeah, client-side certificates that aren't necessarily just in the browser anymore. They push 'em all the way down to a secure enclave. So they're better and they're really simple to deploy.

Speaker 2 (09:08):

Are you seeing that having an impact yet? Yeah, it's funny, when I was chatting with one of the technical team who has been around the space for a while, we were talking about the whole passwordless thing kind of in the context of Microsoft's introduction, through their public preview, of Azure AD's CBA, certificate-based authentication, and how what we were doing with them was related to our smart cards and our security keys. And it was very X.509 PKI related. But we started musing on exactly what you said. It's like the idea of passwordless has been around for a very long time. I mean, it's the entire kind of point of the CAC card, the Common Access Card that the US government uses. So, you know, I think one of the biggest differences, though, from then, and you started to talk about usability and down into a secure enclave on a phone, and you know, we've had soft certs in our computers for years.

Speaker 2 (10:09):

We've had them in smart cards. Derived credentials have been around for a while. I think it goes back to some of the point of FIDO, you know, if you move beyond PKI to something, what would an easier setup be from PKI? And I think that's the point of FIDO. Without getting into the whole decentralization philosophical debate these days and Web 3.0 and all of those things. Yeah, please, please don't <laugh>. Yeah, exactly. You know, I think at the end of the day, what is old is new in some ways. I agree with that. But I think what's reinvigorating a lot of that is the newer technologies and that drive for usability and user experience, because it goes back to the top of this discussion. If I make authentication really hard, no one's gonna use it.

Speaker 2 (11:01):

But yeah, it is interesting. Passwordless in some ways is kind of a modern twist on an idea that's existed for quite some time. I agree. And then, you know, if you dig into it, well, that's not really passwordless, you're just talking about a really, really strong password, 'cause the certificate is large. And another thing like that is zero trust network access. So in the umbrella of zero trust strategies, you've got ZTNA, and I start watching how that's supposed to work and I'm going, oh, so you mean web single sign-on? Right. I'm gonna log in once and then I'm gonna see all the apps I've got access to and I can log in directly from there. And the apps are kind of stealthed from the rest of the internet, so only authenticated people see it.

Speaker 2 (11:52):

That's what people are talking about with at least the ZTNA access to applications that they're talking about. Yeah. I was reading an article recently where, obviously zero trust kind of being Kindervag's coining, you being from Gartner, you know, they like their acronyms, they'd kind of come up with the, I think they call it CARTA, but the person that coined ZTNA was talking about, in retrospect, he might have preferred calling it zero trust, I think it was, application access, which is exactly what you're saying. I think it's interesting when you think about zero trust in some of what you're talking about, and whether it's passwordless or not. Yeah. One of the points of SSO from back in the day was reusing that initial authentication that you have, and I don't wanna say replay, 'cause that then goes to a different side of the world.

Speaker 2 (12:46):

Yeah. But it was relying on a trusted brokerage for that authentication. And I think one of the things that is really coming about is what does a password play in that? And I think it's what you said, if I can get rid of that password on the initial one and then I'm using standards that exist, SAML, OIDC, whatever, and it's more ephemeral in nature, then I've reduced the attack surface considerably, but also required that initial login to be a little more elevated. As long as you're getting rid of some of those passwords where it makes sense, you're moving the overall discussion forward. I think that's the biggest thing to me, is when people talk zero trust, it's like this panacea and you're gonna be there, and you know, it's not just silver bullets. You've got to take steps.

Speaker 2 (13:41):

And so SSO and its modern variants, I think, are crucial to that. But that initial authentication into that SSO exchange is, I think, highly important. And kind of back to the topic of passwordless, if there is a password anywhere, even saved, is it truly passwordless at the end of the day? So yeah, interesting topic that we could go very far down the rabbit hole of. Yeah, we could. Yeah, we could. And then, you know, maybe this is more consumer-ish, but I hear a lot about adaptive authentication, and that's this whole concept, like you were just bringing up, once you're logged in, somebody could be piggybacking on your connection and start abusing the connection, and the things you do around that. Is there a play for that kind of thing in the enterprise as well? You know, I think there's gonna be, increasingly, especially since we are remote, 'cause if you think about, a lot of times when you're talking adaptive, you're looking at risk factors.

Speaker 2 (14:43):

Where is Richard logging in from? How fast has Richard logged in? Wait, why is he now logged in twice? And the fingerprint of those devices is now suddenly different, including, I won't say IP geolocations since that's easily spoofed, but you know, there's other characteristics that don't make sense anymore. Yeah. I think that's gonna increasingly become part of the paradigm for kind of a zero trust strategy, of which identity is a key portion. And I think that's also a way of potentially extending it into the physical realm a little bit. Again, Richard's now logged in, but Richard's physical badge was used halfway across the world in Germany, why is he logging in from his home? Or, you know, vice versa, whichever way that goes. So I think it's something that, you know, I think Microsoft is starting to do some of that with Azure AD and adaptive access, as they call it.

Speaker 2 (15:40):

I think a lot of the Ping and Okta are looking at that. I know we do it on the consumer side for sure. So I think that'll be a topic that is going to increasingly become important. But I also think it is a part of a multi-pronged approach, which is why partnerships in the space are so important, and being standards-based and being open to fitting into a very kind of heterogeneous landscape that a customer may have that is fit for their risk. So different organizations will have different risk profiles, means they may need different things, but one of which may be adaptive. Yeah. And those risk profiles are changing every day, so they have to adjust to them. So this has been great. Matthew, I suggest we get together again and do it over in 10 years <laugh>, and we'll use the same topic. So we might be talking about what will be quantum identity then. Oh boy. <Laugh> We'll think of something. And I just wanna thank you for your insights on today's topic.