But you'll have those same organizations that have that doing draconian password reset rules, like change your password every 90 days, and it's got to be 16 characters long. It's got to have upper and lower. It's got to, you know, it can't have been reused in the last 20 passwords. And it's like, man, you're not following like the NIST recommendations.
And if you think you can do it better than NIST, yeah, yeah, so. You know what drives me crazy is you've got, you know, a modern, very good authentication platform like an Azure or even an Okta, and you've got all the bells and whistles and you don't enforce MFA everywhere, right? You've got some other system that's like, ah, we don't have MFA on that one, but hey, we've got it on these other, you know, 80 systems. Guess where? Guess where the targeted attacks are gonna go?
This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Well, it's been a comedy of errors, technically, to get this episode started. So given all that, I'm, I'm good, I'm in a good mood. You know, next week we're going to be out in Las Vegas.
I guess by the time this episode drops, it'll be this week in Las Vegas for Identiverse. It feels like we've been talking about it for the last six months, right? I think we have been talking about it for the last six months, but yeah, it is finally here. I think let's see, it'll be Monday when people listen to this and we'll probably be running around somewhere getting set up and prepped and ready to do stuff.
But I think the conference itself doesn't start till Tuesday. So yeah, we'll get forward to it. Yeah. I mean, I'm not trying to pat ourselves on the back or like congratulate ourselves. But you know, putting out a podcast requires a lot more work than the hour and 15 minutes that the podcast recording is.
The output is right and the conference is especially like we have to get there a little bit early, kind of map out where we're going to be, make sure we have power and all the things that we never had to worry about before. It's a different set of, it's a different set of problems. Like, you know, at home it's Internet, certainly power and just the weirdness that AV can have a different OSes and browsers and stuff like that. But yeah, it gets you a
conference. And the thing that I care about is that is there a power outlet within reach, right of where we're going to be recording so that we can do that. But yeah, it's it's going to be fun. I think we look forward to seeing a lot of, you know, friendly faces, new faces, meeting a lot of folks that had a lot of requests to, you know stop by different vendor booths
and things like that. So I will try to get to as many as I can, but apologies in advance if I'm not able to hit everybody, it'll be pretty busy for both of us. Did you get the request for Ron to come over to his booth and check out the Belden chocolates? No, I didn't see that one. OK, well, I'll share that one with you because anybody that's gonna have chocolates at their booth, I'm stopping by.
Yeah, yeah, that's a good one. I've had a lot of requests to meet for coffee, and I think if I met all the people for coffee that have asked, I'd drink a lot more coffee than I was planning on drinking. What happens if you don't drink coffee like me? Drink a soda or something like that. Yeah. Can we normalize like let's meet for a beverage rather than, you know, don't push your coffee agenda on me. Yeah, you're not a coffee guy or a tea guy. No caffeine. Soda. One or the other.
Yeah, no, none of the above. So, so what should people do if they want to, you know, reach out and kind of like either set up time or at least let us know that they'd like to meet. Because anybody who wants to meet me, I want to meet them. I mean, LinkedIn probably is the best way, get messages that way. I mean, just walk up and say hello. Or even if it looks like we're busy, just at least walk up, say
hello. We'll try to make as much time as we can. Come stop by what's at Copper Leaf 7, where we're going to be recording and, you know, watch an episode and try to catch us. Maybe, you know, before or after an episode begins or ends, like, that's probably the best, the best spot. But seriously, you know, for anybody who wants to say hello or get an official fist bump of gratitude for listening, just literally just, you know, grab my arm or say hey Jeff or whatever, I'm happy to stop
and chat. Absolutely, yeah. Someone, someone messaged me and you know the real listener when they bring up something you said on one of the episodes, and it was, I was in the Atlanta airport the other day and I it didn't smell like a bathroom to me. It didn't for me either. I gotta tell you, I had a terrible flight home from Chicago that lasted from Sunday into Monday because of weather in the actual area. And I had to exit the airport and I didn't smell anything.
So you know, if you listen to that episode, hope it sounds to me or it smelled to me like Atlanta had their act together well. You know, I mean, you're like a pro traveler at this point. And I remember when I first started traveling, those kind of episodes would drive me badly. Like, you know you're supposed to be leaving at 4:00 and get there at 6:00 and then just just delayed, delayed. They cancel the flight at 1:00 in the morning.
You go take a hotel, sleep for an hour, then come back for a 6:00 AM flight. It gets push, push, push. You finally wind up getting home at like two or three in the after. You're just like I probably could have walked home faster. I definitely could have. I could have driven home from Chicago faster than it took for me to get just from Atlanta to Asheville. I got to Atlanta, no problem from Chicago. It was just, you know, there's weather and I get it, clouds and
stuff like that. You know, first world problems. You know my magical chair in the sky couldn't get me to where I needed to go in the time frame that I expected. Oh well, what are you going to do? Yeah. So you know, as far as the podcasting schedule, we've got two podcasts lined up on Tuesday morning. I know a lot of folks are flying in Tuesday morning. If you're flying in, it's probably, you're probably not going to get there in time to see us podcast live. Wednesday,
at this point, it's looking like we're not going to be podcasting on Wednesday. It's like a free day. Like we may pull random stuff to happen that day. We could, yeah. But we don't want to make any promises yet because they're not scheduled, right. But Thursday we should do three episodes, so mid morning through mid afternoon. Like you said, Copper Leaf 7 is the room where we'll be.
Hopefully we have like one of these style of, you know, placards in front of the room, but even if not, you know, Copper Leaf 7 is where we'll be and we would love to have you just drop in and listen. Yeah, come see the session. Also that I'm moderating around CAEP, Continuous Access Evaluation Profile, Shared Signals Framework. That'll be fun and interesting. I had a prep session earlier today with the group to talk about what we're going to
talk about. I don't want to spoil the surprise, but there will be things for audience members to obtain. I don't want Sean to get mad at me, so I don't know and I'm not. I don't know if that's a secret or not, but I would just say if you attend there is the opportunity to receive something related to CAEP and SSF and things like that. Hopefully that's cryptic enough to drive people in and I balance the line where Sean doesn't get out of me. Well, Sean is from Disney.
So when you said it was. I can tell you it's not anything Disney related. I was disappointed when you said it was related to CAEP and not to Disney. It is, yeah. It's yeah, it's not the Iron Man outfit or anything like that. I would love to have like that. But no, it is. It is not that. But you know kind of a neat little thing to be to may be received. Definitely a limited edition,
let's put it that way. Yeah. The other thing I'll mention is like if you're getting there and you haven't kind of like solidified your after hour schedule, Tuesday night we are co-hosting an event. Identity at the Center Podcast, RSM and Taos Group, we're having a happy hour at the Lift bar, which is in the Aria, in my opinion is like the best bar in the area.
I've only been there and Jim would know 'cause one time, but you know, and I've already formulated opinion on the best, but I'll say that, you know, we'd love to have folks there. I'm not really sure where we are in terms of the list. I'm not managing it this year, but we might already be getting close to full. But either way, best way to reach out is LinkedIn direct messages, and we'll keep an eye on that during the week. Yeah, there's a guest list and a
registration link. So I'm limited spots, so I know I've sent out a couple already. But if you're interested in attending, hit us up on LinkedIn. We can provide the link. And like you said, Jim, we're not in charge of the list, but you know, hopefully we can, you know, maybe influencer, we can get some listeners in as well. Yeah, you and I will probably be hanging out when we do have free time. We're not podcasting or you're
not facilitating. We'll be at the Taos Group booth, where they've allowed us to kind of like park ourselves there. So that's going to be a good way to find us as well. Yeah, probably bounce around between sessions and stuff like that too. So yeah, you know, actually attending the conference and hopefully hearing from people and learning stuff. That's a foreign concept to me, man. It's like we've gone to the conferences so many times and like barely been able to go to sessions.
But every year I go determined that this year is going to be different. I'm going to hit more sessions. And you know, this year, especially with Wednesday being kind of an open day for me, you have the session, I'll be there for your session. But before and after that, I'm planning to hit as many sessions as possible. And always, as always, the keynotes are, you know, I'm always there for the keynotes, yeah.
You know, is it sad that one of the things I'm looking forward to is getting a new headshot done. So you know, pro tip, if you don't have a headshot, go get one. Like conferences are a great time to do that. You stand in line for a couple minutes, you get a few, you know, high quality pictures taken, and boom, you've got a new headshot. Absolutely. So during the day when you decide to wear your business casual clothes. Right. Or at least not your Metallica
T-shirt crop, right? Or hey, if you want to wear a Metallica T-shirt, that's fine. I mean, that just more personality, right? Yeah, who knows, maybe you know, Metallica's hiring and they want to look for an identity person to gatekeep, you know, all their secret recordings. Probably not, but yeah. Hey man, I can dream. Yeah. What? You know, I feel like this is our last chance to do a promo. Also, for it, should we mention our discount code?
Even though, like, at this point, man, you should, we really should have registered for you to show up at Identiverse, yeah? Yeah, if you're counting the discount code now, that will be a record. I don't think anybody's ever used it on the day before the conference, but right. Why don't you go ahead and give
it one more time? Yeah, and it'll be in our show notes too, but IDV 2, four dash, IDAC 25, if you like, just decide on a whim to hop on a plane or you're in the Vegas here and you're like, oh, I'm going to stop by Identiverse and just casually do that. You know, that gets you 25% off and hopefully it works on the same day. Actually, I don't even know. Hopefully it works. But yeah, if that's something that you forget to register, that has happened before.
I won't name names, but somebody did show up and it wasn't me. Showed up and realized that they did not register and had to pay same day rates to get in the conference. It's definitely not me this year. Usually I registered and then I checked with one of our folks on the inside at the conference to make sure that my registration, even though I had all the confirmation emails, it's just I
didn't want to be that guy. Yeah, so I know we planned on making this episode a little bit shorter, but we should probably talk about something identity related. There was a report, The 2024 State of Passwordless Identity Assurance, that just came out, produced by HYPR. Do you want to talk a little about that? Kind of just set the table for you.
Yeah, yeah. I mean, you know, the basis of the report is about organizations were surveyed in terms of, you know, what kind of identity related breaches they've experienced, what percentage of those organizations have experienced those breaches.
I think my biggest takeaways, I mean I went through the document really quickly and just released yesterday, the takeaway was like what a high percentage of organizations are running into these breaches like something like 75% and of those like over 90% was either the credentials were fumble or the authentication was weak. So those are two things that really jumped out at me. Yeah, what jumped out at
you from that report? Well, I had three numbers that I had picked out and you picked one of them which was 91% of breached organizations basically said that authentication weaknesses were a leading cause of why they had an issue. So that's a lot to attribute to it. You mentioned this, it was 78% experienced some sort of identity based attack. I got two other numbers for you. Let's see if you can guess.
The average cost of authentication related breaches in the last 12 months was X million dollars. Solve for X. Oh, it's at least one million, though. You're giving me that hint. I am. All right. I was going to say 2 million. Nope. $5.48 million, five and a half basically, to solve for, to fix, you know, authentication related breaches. So you know it's probably a decent qualification there. They're talking about not all breaches, breaches that were based on authentication.
That's a lot of money, you know. Hopefully that gives folks out there some ammunition to basically say hey we probably should have MFA in place and conditional rules, adaptive rules, maybe go passwordless or you know the alternative is this is something you might be looking at paying out in the future if you fall prey to this attack.
Yeah, 544 million dollars is going to show up on your annual report, you know, and that's to me kind of one of the litmus tests of, you know, how bad was it. It's not something you just kind of keep within your department and again we'll let that happen. Again, that's a potentially a career limiting type of event to take place, so. But I think. You know who's really surprised by that?
When you talk about like a breach taking place and data being exfiltrated from your organization or ransomware being planted on your systems, what choice do you have really, but to pay the ransom or at least deal with the consequences of that? Or if your data is exfiltrated, providing services like identity protection services to the individuals affected. Plus your PR groups out there, like, you know, trying to make it sound like it's not as it
really probably was. Yeah. So this cost is trying to mount and mount and mount. Yeah. And if I had, if I had to add up all the credit monitoring stuff that I have for free because of breaches, I think I'm good for the next couple decades. It seems like the de facto thing. But let's see, there was another number. 89% of organizations believe passwordless authentication provides the
highest level of security. Now obviously you know this was HYPR and they are a vendor that plays in this space, but that's a pretty decent number. I wonder what the other 11% think when it comes to why they don't consider passwordless the highest level of authentication. I wonder if it's maybe I can I have any insurance levels or they're thinking maybe you know some super-uber cryptography and you know or maybe it's the other way around, maybe they think MFA
plus password is good enough. Could be. I mean, you know, it's I'm not going to pick on any organization specifically, but you see it happen so often where it's like they have a high end MFA tool like the Azure Authenticator where it'll throw a number on the screen. And it used to be like OK pick one of these three hacker, fig just get lucky. So but now it's like oh you see the number on the screen if entered in.
So like, I think that MFA tool is really strong, but you'll have those same organizations that have that doing draconian password reset rules like change your password every 90 days and it's got to be 16 characters long. It's got to have upper and lower. It's gotta, you know, it can't have been reused in the last 20 passwords. And it's like, man, you're not following like the NIST recommendations.
And if you think you can do it better than NIST, yeah, yeah, so. You know what drives me crazy is you've got, you know, a modern, very good authentication platform like an Azure or even an Okta, and you've got all the bells and whistles and you don't enforce MFA everywhere, right? You've got some other system that's like, we don't have MFA on that one, but hey, we've got it on these other, you know, 80 systems. Guess where? Guess where the targeted attacks are gonna go?
Yeah. Yeah. So I think that could explain some of the other 11%. I think there's also just a portion of the population that probably doesn't know. Yeah, because passwordless is like on the multi, wouldn't call it like multiple choice. They might just say. That's not a real thing. You can't get rid of passwords. It's not a real thing. They're not keeping it up and it's like no, this is real.
It's really here now. But I so from what I've been reading is that one of the things that we're going to have Andrew Shikiar as one of our guests at Identiverse and so supposedly he's going to announce some news right here. So make sure you're downloading episodes over the next two weeks
as we're dropping them. But what I've read somewhere was that FIDO is starting to say, OK yeah we kind of like come so far with the passkeys and it's the best form of authentication for web applications like possession based authentication. But now, what's the next? What's the next generation of improvement and it's like the identity verification process, you know, doing a validated or verified credential, I'll say you're not
proofing. Like non web apps is also too like that's always a challenge is like I don't think like SSO and MFA is a challenge if you're already online, but what if you have like a legacy app or an on-prem app or something like that where it's not web-based right? You say like proxies and stuff like that. Sometimes that could be an interesting use case to try to figure out how to put passwords
in front of that. I know there's third party vendors that do some of that work, but that could be an interesting evolution too. Right. Yeah. But I think like the identity proofing is really, I mean that resonates with me. Like if you have the identity right and you're doing an identity proofing process where you're maybe picking up some factors that can be used for either the authentication or for resetting the credentials if you will.
So in other words, you're doing that live selfie test, and so rather than just having a pass a magic link sent to your e-mail when you need to reset your password or reset your credential, you have to go through the live selfie test again. And are you the same person? Every single time. Maybe that's when you start getting into human repention. Oh, here, I know.
Here's what's next. We just what we should invent, a tiny little camera that sits at the top of your screen and it's just always watching you to make sure that it's always you. Big Brother. Yeah, Anything else from the report that you want to talk about, 'cause we're gonna have a we'll have a link in our show notes for people to go out and
get a copy of it themselves now. You know, here's like even though in the end again you mentioned like how this report came from HYPR and the conclusion that it came to around passwordless, definitely, you know, matches up with their marketing message, I still think it's very beneficial when organizations are out there and providing real world research to
the community. So I think that's something I wanted to highlight like when we get an opportunity to find these reports, share the information, share the link and for folks to go out there and download the report, read up on it. You know, sharpen yourself. Sharpen your own soul. Yeah, I mean these little like, you know, numbers and little nuggets of information are great at parties, right? Hey, what's going on era world.
Well, did you know that 75% expect AI to provide an advantage over cybercriminals? I need to read the report and see what that means. But I mean, certainly AI is everywhere, but you know, now it's obviously the identity in that security space too. Yeah, you can tell them. Really fun at parties. AI And we're gonna be using AI, so it's. Telling really fun at parties because I'm bringing up facts like this. Oh yeah, identity parties in any way. Yeah, exactly.
What else do we want to talk about? We were trying. We're trying to make this a little bit of a shorter episode. I think making a shorter episode makes a lot of sense because we can see if you know, people like the shorter episodes or if the long format that we've been doing for the last five years, I think we've been trying to do shorter episodes for five years and it's like this is going to be a shorter episode. It winds up being an hour and 15
minutes. Yeah. I'd be curious to hear from folks if they'd rather have something that's more like half an hour or an hour or we generally try to shoot for 45 minutes. But sometimes conversation is just so good and sometimes it takes a little bit to get to the actual conversation that we run a little bit long. But I'm curious to see what people think and take that feedback and maybe do.
Something we're also like now that we've been doing more video of, people are enjoying the video or sticking to the audio. I think we're going to do both, regardless of what people's opinion is, right your opinion. Doesn't matter. We're going to do both the. Video opinion doesn't matter, but please share it with us anyway. No, but I mean, I've listened to mostly audio podcasts, so I do watch some podcasts on video that are more like TV shows. But podcasts like ours I listen to on audio.
We're not doing anything like crazy in the video. Yeah, I don't listen to podcasts. Those are stupid. What else? Anything else? Or should we wrap it up? Let's wrap it up, man, I was. Trying to think of a lighter note question, and I didn't really think of anything, so it's gonna be just kind of off the cuff here. What is the worst thing that you can think of to do in Vegas next week? What do you absolutely not want
to do? So don't want to stay out and party till like the sun comes up because you're probably not going to go to any of the sessions the following day. I'm not trying to be like poo poo old grandpa get off my lawn. I'm just giving some advice. The same advice I think we've given a million times is like pace yourself and I think that both. There's always going to be parties to go to. There's always going to be like craps tables to go to. Do those things in moderation.
And then I would say like the to flip the script on that question. Some things that are fun to do. I think the shows in Vegas are like, incredible. Every show I've been to is awesome. We're doing two different shows that I haven't done before. One's called Shin Lim. He's a magician over at The Mirage. The Mirage is only going to exist for another two months and then we're going to the Sphere. So that's cool. We're just, yeah, I'm really excited about that. I mean, it just seems like such
a great experience. So how are you? I don't have any fancy plans like that. My brother's going to be in town, so we'll probably get some dim sum off strip or something like that. But I'm the same way. I think, you know, staying up all night, that is a young man's game and I am no longer that. So I need my beauty sleep to try and take care of this ugly mug. But I think not taking advantage of the city of Vegas is something that I don't want to not do. Great food, great people
watching. This is an opportunity, one of the best conferences in the year for identity, to talk with people in the space, get their opinions on things, stuff like that. So I'm trying to take full advantage of it, and hopefully I can attend more sessions than I normally do. So I'm hopeful that I will not be in Copper Leaf 7, just straight editing the whole time. Yeah. No, I mean, there's so much, there's so much to experience. So take it all in. Just pace yourself. All right.
This might be a record for us. The clock that as I'm watching this is 25 minutes, almost 26 minutes. We'll go ahead and wrap it up for this week. We are at Identiverse. If you're listening to this, come say hello, say hi. We'll be walking around. Jim got his beard done. He's got a special jacket that he's going to be wearing. We'll be in Copper Leaf 7 doing podcast recordings at different points throughout. I'll be hosting a panel on CAEP with some new friends.
Let's see, that's Wednesday at 11:40. So come out and check that out. And what else on the web? idacpodcast.com, youtube.com/IDAC or slash at IDAC Podcast. We'll get you right there. We have Wink also on our web page. And let's see what else. Mastodon, IDAC Podcast at infosec.exchange, they sent a trend here. Like IDAC Podcast. You know, wherever. X. You didn't say X. Or are we still doing X? I don't know if I... Yeah, we're still there. I just hadn't decided not to promote it.
But I guess we will as well at IDAC Podcast. I love that. There you go. All right. Connect with us on LinkedIn. If you want to meet up, drop us a note. We'll do our best to try and do that. We need to walk up, say hello. We're always happy to meet folks. Jim's going to have stickers. I think I'll probably have some as well where I'll resupply as I see you, Jim, for the first time in a while.
And yeah, like subscribe to all the fun things, you know, share it with a friend, share with an enemy, don't care as long as someone's listening or watching. So we'll leave it there. Thanks everyone for watching or listening and we'll talk with y'all on the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at
identityatthecenter.com. See you next time on Identity at the Center.
