Identity and access management. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how's it going? I'm pretty good. How about yourself? Good. It sounds like you've got a new microphone that really improves your data. It's simple. I think you should plug it, let everybody know about it. So Krisp.ai basically filters out your background noise. Not a commercial. I think it's, you know, it's freeware.
Or it's free to start with anyway. Not free, but you get 2 hours a week, I think, is what they start off with. But yeah, we don't currently have sponsors or commercials or anything like that. But yeah, like you said, it's a pretty cool little program. It just runs a little app on Windows or Mac and seems to do a pretty good job of reducing background noise and things like
that. You never want to be that person, right, on the Zoom call, or Teams, or whatever it may be, where you can kind of hear everything, right, in the background. So I thought it was pretty cool. So, glad you're getting some use out of it. I've been that guy on our podcast for a long time, where, you know, we set up rules around me, which is keep your earpod case far away so you can't click it and, you know, don't squeak in your chair.
And so now I've got a good microphone, I've got the noise reduction software, I think I'm ready to go. There's so many layers of noise reduction, we're not even sure sometimes if, like, our voices will come out. All right. Exactly. So for today's topic we're going to talk about FIDO, and for those who aren't familiar, that's Fast IDentity Online, and there's no better person to talk about
that than Andrew Shikiar, who is the executive director and chief marketing officer of the FIDO Alliance. And we've got him today. We're very fortunate for that. And thank you for joining. Welcome to the show, Andrew, and thank you. Thanks for having me, guys. Really appreciate it. Great.
So, I know that FIDO has really started to kind of get a foothold out there, but before we get to that, one of the things that we like to talk about when we have a guest on is their background in IT and identity and access management. Can you tell us a bit about how you got into IAM? Yeah, sure. So I'm not a practitioner per se, but I've done a variety of kind of marketing and strategic development type roles in emerging technology.
And so I got into identity, I think before identity was all, back in 2001. I went back to Sun Microsystems, where I previously worked, to help them launch something called Liberty Alliance, and I'm sure many of your listeners are familiar with Liberty. This was kind of the first standards effort to standardize what came to be known as
federated identity. So a lot of the Liberty specs turned into SAML 2 specs, and it was a really interesting time to be in identity because, frankly, it wasn't in the mainstream whatsoever. And a lot of my job at that point was to help recruit the initial companies in Liberty Alliance. And so I'd fly, you know, around the world and talk to CXOs, and my first part of the conversation would be, you know, what is identity, what does that
mean to your business, what identity means, your employees, your customers, and it was always kind of a thought-provoking discussion with people who hadn't thought about identity beyond maybe for an identity. So it was really fun to get into that space. I subsequently then worked on Sun's identity management product set and did a lot of go-to-market work there as well.
So yeah, that's how I first got into identity. I was out of the space for a while, then I got back into it when I joined FIDO Alliance around five years ago. And one thing that's kind of fun was to see that, A, the same concepts we were talking about then are relevant today; B, some of the standards are actually now being used; and seeing a lot of the people who I worked with back then are still in the space. In fact, a lot of them are
inside of FIDO Alliance. So it's been nice to kind of reunite and get deeper in the identity marketplace. That's great, Andrew. One of the things, I think kind of the starting point we ought to start with, is what is FIDO, and why was it founded? Yeah, so FIDO Alliance was founded to address
the data breach plague. You know, data breaches continue to grow in scale and number, attackers are growing in sophistication and tools, and the vast majority of data breaches are caused by passwords, right? So due to passwords being compromised, stolen, cracked, passwords being stuffed, social engineering, taking password, go to someone stands up, passwords cause, you know, over 80% of data
breaches on an annual basis. And so, you know, passwords are very much the tip of the spear to address the data breach problem, which is why FIDO is focused on that, right? So our mission is simply to reduce industry reliance on passwords in favor of FIDO authentication. Fundamentally, what FIDO is doing is trying to shift the market and shift industry away from being dependent on not just passwords,
but really all server-side shared secrets and server-side authentication, in favor of an approach that leverages public-key cryptography and takes advantage of devices that are in users' hands every day, right? So our tagline is simpler, stronger authentication. So it's stronger authentication using public key cryptography, but also simpler because any FIDO authentication activity is done with a single gesture.
So whether that's touching my finger to a phone, touching a security key, inserting a security key, using Face ID or Windows Hello, this is all just one gesture for me to authenticate myself. And I think that's really important because, as we've all seen, if, you know, if security is too hard, people won't use it. The adoption rates go down, especially with consumers.
Opt-in rates for second-factor authentication go down the more complex it is. So we think that, you know, decreasing friction while increasing security is the approach we need to take to get people to actually adopt stronger authentication. Now, one other note I want to make: as I said, all shared secrets on the server, right? So while any form of MFA or 2FA, any second factor for authentication, is better than passwords alone and will protect people against scalable attacks,
frankly, anything on a server can and will be stolen, so that includes OTPs. OTPs are still shared secrets; they're still on a server, albeit for a much shorter period of time, but they can be manipulated through a man-in-the-middle attack, a replay attack and things like that. You know, that's how a lot of spear-phishing attacks are successful. People think they're protected, but they're really not.
So, you know, hackers are good at their jobs, which is why over 40% of phishing attempts are successful. So we need to put tools in the hands of users that help protect them from the bad guys and also from themselves, because it's very easy to get phished. Frankly, there's no shame in it, because you're dealing with professionals. So we need to implement FIDO authentication to help prevent people from getting their accounts taken over and other nefarious things happening.
One thing I'd like to add to that: I think you made a really good point about phishing attacks. You know, we run into the phishing attack where you think, gosh, that person must be stupid to fall for those, but I've seen some, you know, especially videos and conference presentations from, like, Black Hat, where these phishing attacks, some of them are extremely sophisticated. They'll pose as a site like Google, have you log in and provide a one-time password, really.
They're taking that then and, in the background, authenticating you and then, you know, changing your password while you're in the site, and it's like, I can see how people can get duped into those. Now, those are the more sophisticated ones; it's not your everyday phishing attack, but, you know, when the risk is high, it's certainly there. Yeah. I mean, I just want to come back to the data point. It's a Google statistic: 40% of well-designed
phishing attacks are successful. And, like you said, we're not talking about a Nigerian prince, you know, sloppy emails. But these are well-designed phishing attacks with a 40% success rate. Now, the click rate, success rate, which is a staggering number, which, you know, it shows that phishing pays. It really starts to outline the depth of this problem. 40% is an astronomical number, considering that usually that kind of attack is talking about single-digit success,
right? So if you can, I mean, that is just crazy how many people fall for it, and sometimes it's, you know, obviously user education plays a big part into it. But, you know, even the best can get fooled. And, you know, we saw what recently happened with Twitter, right, where they got socially engineered and someone got in and, you know, did some things. I'm thankful. IE.
They only care about Bitcoin, but they could have done a world of damage, like literally just based off of that social engineering attack and then getting access to the inside tool. So I think it's important to understand that even though you have education, you need to back-end it with good, strong methods to enforce and reinforce the security message you're putting out there, which
is why MFA is so important. So I'm glad you, um, not to get off track on the direction I want to take this, but I'm glad you raised Twitter, because I think, you know, what needs to be clear is that that attack could not have happened if those administrators were using FIDO security keys.
Right? The social engineering attack could not have been successful if those network admins, who are obviously, you know, smart top users, if they were using FIDO security keys, that would not have been successful. It's probably one of the bigger things you could do in an organization. It still shocks me when Jim and I are working with folks out there that MFA is not kind of standardized. I think what's becoming more
prevalent is that MFA is put in place for what they consider privileged access typically, but they're still not protecting normal users, right, from that kind of thing. So I think at this point, you know, even Gartner, I think, mentioned it, I don't know if it was last year or the year before, that MFA is baseline at this point, password is not good enough, and the easier you can make MFA, the better experience it is.
You know, the easier experience it's going to be for the user, which means that your security increases and makes it a lot better for everybody. So that's why I think that FIDO is great, because I can see the usability benefits of it and, you know, some of the challenges that it typically solves around some of the more legacy approaches to MFA.
Right, things like tokens and, you know, SMS, which are easy to spoof, relatively speaking, you know, from a security standpoint, you know, email one-time passwords, like all the stuff that you said around it being stored somewhere in a server, right, that kind of thing. But also just the usability aspect of it is huge. Jeff, I'd also add to that, you know, that is the other angle.
So when you think about the statement passwords are dead, or passwords should be dead, passwords are dinosaurs, it's not just the security aspect. It's also the usability aspect, and for me, that's a big reason why FIDO is so important. And Andrew, I'm wondering if you could kind of talk about the usability angle and why that's so important? Yeah, fully. So, you know, as I mentioned before, the FIDO tagline is simpler, stronger
authentication. And I think they're part and parcel. You know, if it's not easy, people won't use it, and it needs to be easy for mass adoption. So FIDO is focused on single-gesture strong user authentication. So let's take a different lens on this and look at traditional means of MFA. All right, so multi-factor authentication, 2FA, is not new. But it's had some challenges, right? And they have both security and usability challenges, all right.
So the traditional means, you know, going way back, is having, like, a dedicated token with TOTP on it, a dedicated piece of hardware for each user. So let's talk about that usability for a second. One is, you know, if you're doing a lot of sensitive work, you have multiple tokens. You have the token keychain problem, so you need to literally juggle, you know, devices to enter in the code to verify yourself to a new system.
Now compare that to FIDO, where everything the tokens that you have. So if you're using an external security key, what we call a roaming authenticator, you know, that can support multiple services. And again, all you need to do is touch it or insert it. All you're doing is proving possession of the device. So there's a good example right there of how FIDO provides a superior user experience over the traditional token-based means of multi-factor authentication.
Additionally, FIDO obviously supports biometrics, which brings the same benefits of security and privacy of FIDO's public key cryptography underlying architecture, but you can use a biometric to prove possession and to verify yourself also, and that's even easier, right? Where you're just literally, again, touching a device or you're looking at a camera, right? So any of our users, any of your listeners who use Windows Hello are seeing this every day.
But I log into my PC looking at my camera. I mean, it doesn't get much easier than that. Or by touching, my personal favorite, a fingerprint scanner, or using a local PIN. Now, the key thing is that all this is local on the device and all very user-friendly: a single action to, you know, do things that are traditionally associated with unlocking devices are now being used with FIDO to
log me in, right? So that's kind of the small little leap we need people to take, is that unlock means login, and the same easy mechanism you have for that is actually doing a highly secure authentication process through the same exact action. I'm a big fan of Windows Hello. I have been for years, and, you know, I think Jim has mentioned before, but I'm kind of a tech geek, tech nerd, so kind of on the cutting edge of the technology usually, and, you know, I saw Windows
Hello several years back when it was first rolling out, and I couldn't wait for that hardware to become more prevalent in the enterprise, because typically enterprise hardware cycles are somewhere in the two to four year range, you know, if not longer, and, you know, it's going to be a couple of years before the fingerprint reader, the, you know, the IR camera is standard hardware, right, on most
enterprise devices. So I'm excited to see that becoming more of an option in the enterprise, and I'm really excited to hear that Apple joined the FIDO Alliance relatively recently. I think it was maybe a couple of months ago at this point, and I'm hopeful that things like Touch ID and the rumored Face ID on the MacBooks, for example, that might be coming out in the future, might be taking advantage of that, and I know that you've got a lot of big heavy hitters in the industry.
Maybe you can talk a little bit about folks like Microsoft and Apple and other organizations, Google, that might be part of the alliance and what that brings to the table. Yeah, absolutely. And so, Apple did join FIDO's board of directors in January of this year, and it's been really great. And I think what makes FIDO unique, and I've done a number of standards, I mentioned Liberty Alliance, I've done other kind of multi-stakeholder organizations in my career.
What makes FIDO unique is that there isn't really an alternative standards effort, right? There is no Betamax or VHS, not to date myself, but if you're interested in standards-based authentication, it's really FIDO, and Apple joining at the beginning of the year really unified the industry around FIDO authentication. So I think it's really important, but amongst our members, we have 250-something members in the alliance, including a board of
around 40 companies. And I think what's really cool about our board of directors is it has the right composition of companies to address this password problem. So first we have, kind of loosely described, these companies as device manufacturers. So people who are creating the devices and platforms that we use every day. So companies on the chip side like ARM, Intel and Infineon and groups like that, but also the
platforms, right? So Microsoft, Google, Apple, device manufacturers like Samsung, Lenovo, right? All these companies are involved with FIDO, making sure these platforms and devices support FIDO authentication. Secondly, we have experts in security and biometrics, so both longtime stalwarts like RSA and groups like that, and OneSpan, but also, you know, emerging companies that are really driving a lot of innovation in the authentication space like
Yubico and HYPR and Nok Nok and groups like that, who are really getting a lot of traction. And last but not least, we have the service providers, right, these are the companies whose businesses are dependent upon their ability to deliver high-assurance services to billions of users worldwide on a daily basis for estimating. They are dependent on FIDO being successful, or else they'd have to go in a non-standards direction.
And so these are the, you know, the big social networking companies like Facebook and groups like that, commerce companies like Amazon, payment networks, Mastercard, Visa, American Express, big banks. These are the companies that are helping steer FIDO Alliance. So I think when you look at that kind of breadth of membership that we have at the top, which is also reflected throughout the rest of our membership, you know, I think it gives us a really good starting point to
help us be successful in doing the three things that FIDO Alliance does, which is, A, build technical specifications based on market needs; B, we run a certification program, building a really diverse ecosystem of products that are FIDO certified, which companies can use to deploy FIDO authentication; and last but not least, you know, develop best practices and help people be successful in understanding and driving adoption of FIDO authentication.
So, yeah, to cover the question starting with Apple, but I think it's really important to look at the full range of members that we have driving FIDO forward. Yeah, absolutely. I think that was a great overview. You know, one thing that I didn't really understand until I started doing more research is, what is the difference between FIDO and FIDO2? Yeah, well, so let's back up and talk about FIDO's specifications and FIDO architecture at a high level, then specifications.
So, as I mentioned previously, FIDO authentication leverages public key cryptography, user-friendly public key cryptography. I've heard it called PKI evolved. But the key thing that we're doing is introducing the concept of an authenticator. An authenticator is both a thing and a concept. It's basically where the private key is stored. And so, instead of being dependent on passwords on a server, instead you're using public key cryptography. You have a unique key pair for each FIDO
account. The private key stays in the authenticator, secure on the user's device, and a public key sits on the server instead of a password. As we all know, public keys have no material value; they can't be reused. So if and when, you know, a breach happens, one thing that's not stolen is passwords, right? Which starts to break that credential theft cycle, which is plaguing so many companies. But FIDO specifications: so the first two FIDO specifications that came out.
There are two. One is focused on a biometric use case, that's called FIDO UAF, or Universal Authentication Framework. And the second one was based on a second-factor use case, U2F, which was popularized by YubiKey and all the other companies now making FIDO security keys. Both of those have the same approach underlying, with, again, FIDO public key cryptography, the underlying architecture supporting both. The difference is, UAF is basically password replacement
with a biometric, and U2F was activating the private key by verifying possession of that device, again by inserting or touching and interacting with a security key. Whereas, back up a second, with UAF, you use a biometric to verify yourself so that the private key could be activated. Those are the first steps in FIDO specifications. We saw strong uptake with both UAF and U2F. U2F had strong pickup inside of Google and
is attached to Google services. It still supports Google services. UAF was underpinning a lot of native apps. As I said, to the average user, UAF looks no different; if you have a UAF app on your iPhone, it looks no different than your usual Touch ID experience, but is using all the benefits of FIDO authentication, rather than just doing kind of a password cut and paste, which is what the native biometric would do typically with Touch ID.
So even though we had good uptake with both of those, what FIDO realized is that to gain scale, and to truly be in position to address the password problem, we needed to target the platforms, starting with the web, right? So FIDO was working on something called the FIDO 2.0
web APIs inside the alliance. We made a strategic decision to contribute these to the W3C, and that became the Web Authentication Working Group. The WebAuthn Working Group inside of W3C started in the beginning of 2016, and that's how, you know, FIDO decided to target the web, right? So in cooperation with W3C, and the WebAuthn Working Group got a lot of stakeholders in both FIDO and W3C working on that. That's part of the FIDO2 specification.
The other part of the FIDO2 specification was an extension of U2F called CTAP, Client to Authenticator Protocol, which extended the U2F use case to do a couple of things. One, it allows for passwordless authentication by enabling resident credentials in a security key, but secondly, it also extends the use case to allow devices to be authenticators, so now your handset could be a security key in addition to a security key. So that starts to broaden the addressable base of users who can leverage FIDO authentication on the client side.
Those two things together, WebAuthn and CTAP, comprise FIDO2. So you see a lot of talk about FIDO2, because that's where a lot of enterprises are starting to really move towards, because FIDO2 is supported in the Windows environment and in a lot of kind of enterprise infrastructure. So that's one reason why there's a lot more adoption,
I think, in enterprise with FIDO2 than we may have seen with just U2F, but frankly, it's that kind of platform support and the web support that's really ushering in a huge wave of adoption for FIDO authentication. So specifically, FIDO2 is supported in a couple of important platforms. One is the web, right? So one of the benefits of working in W3C is that as soon as WebAuthn was done as part of the FIDO2 spec, we had support out of the
box from leading web browsers from Microsoft, Mozilla and Google, and later on Apple has been supporting WebAuthn in Safari. So that's a platform in and of itself. Separately, as we talked about earlier, Windows Hello is a FIDO certified authenticator, basically. So Windows 10 supports FIDO2 inherently. So any built-in biometric on a Windows 10 machine can be used in lieu of a password for your login on sites that support WebAuthn and FIDO authentication.
So Windows 10 is a FIDO certified environment. Additionally, Android is a FIDO certified environment. So any Android 7 or later handset can support FIDO authentication and likewise use the local biometric instead of a password, both for native apps and for web-based authentication. All right, so a good example of this: for those of you who have an Android device, visit ebay.com and go to log in with your Android device, and it will
prompt you to use your biometric instead of using the password. And then most recently, Apple announced support for FIDO in their update to iOS and macOS that will allow web Safari to also explicitly support FIDO authentication with native biometrics on iPhones and MacBooks. So that really starts to extend
the addressable user base. So all told, you know, over the past year and a half, as you've seen, this platform has FIDO through FIDO2; you know, there's billions of added devices that can now consume FIDO authentication. So I think that expansion of the addressable market by default is one reason why we're seeing so many companies now ramp up their plans to support FIDO. So yes, you know, going back to your question, that is
FIDO2 on those platforms. But ultimately, to us, you know, I see it all as FIDO authentication, because it all has the same exact benefits as the initial specifications brought to the table, and, you know, in general, it's good to see this ground movement to support many. What are some of the FIDO or FIDO2 enterprise
use cases that people should be thinking about if they're sitting in a CISO chair, or maybe as a member of an IAM program or an IAM architect? Because I know a lot of the focus is typically paid on the end user experience. What if I'm trying to implement something like this in, you know, just a normal corporate environment? What are some of the things that you could offer to those types of folks? Well, I think talk about a
couple of things. So, one, you know, you need to think about your use case and your infrastructure. As I said, every environment's a little different. We talked about Microsoft support for FIDO, right? So if you're a Microsoft shop, moving towards FIDO is somewhat straightforward, all right? So Azure AD, for example, has a lot of support for users, and then, of course, the desktops all support FIDO as well.
But also, you know, another thing I think that a lot of CISOs are dealing with and security folks are worried about is the new entirely remote workforce. You know, how are these people accessing system resources? We were talking about phishing before; you know, phishers are targeting new remote workers. And so you need to make sure that they're accessing systems as securely and as easily as
possible. So we encourage CISOs to think about deploying security keys out to the remote workforce and get them moving in that direction as soon as possible, or using other kinds of device biometrics, either on device or using a phone as a login, to protect their workforce as well. So I think those are the key things to think about: what's your use case, what does your infrastructure look like, and there certainly are products that can be brought to bear to protect
your workers and system resources alike. And that's something else that FIDO Alliance is doing as a body. I mentioned before, you know, we do three things, one of those being establishing best practices for implementations of FIDO authentication. We have a working group focused exclusively on enterprise deployment use cases. So we just actually released the
white paper, CXO considerations for moving to a passwordless enterprise. It's actually going to be the first in a series of papers that get into more granular depth on exactly how to implement FIDO inside the enterprise. So I'd encourage people to check it out. We'll include some links as part of this podcast, but you can check out that series. You get more details on these best practice recommendations, which are being developed by actual enterprise practitioners
inside FIDO Alliance. So, Andrew, we talked a lot about the security benefits, the usability benefits. There's obvious benefits to the organization. Thinking of it from the standpoint of the money people, you know, how does doing FIDO move the needle? I mean, I can think from a cost perspective, you know, there's avoidance of data breaches, but, you know, can you kind of address that, where within an organization, and who cares? How do I get something like this
approved? And how do I show that I can get an ROI and move the needle for the organization? Yeah. Yeah, that's a great question, and it's interesting that I think opinions on this have shifted a little bit, or at least gotten kind of broader. So initially, you know, all the focus was on cost avoidance. As you mentioned, like avoiding a data breach, like the cost of a data breach. First of all, that's actually enough; avoiding a data
breach from a cost standpoint and a reputation standpoint should be a large enough imperative to move away from passwords and towards something like FIDO, but there are other costs inside an enterprise associated with not using FIDO, having complex authentication, right? So password resets, you know, you see estimates for that ranging from 100 to 1000 dollars per reset, once you factor in the cost of downtime and systems and things
like that. So password resets are expensive. Lost productivity, bad. If someone can't get into a system or can't access the system because it's too complex or they forgot a password or whatever it might be, you're losing that money being spent on an employee not actually working. The other costs are different depending on token. So the actual hardware cost associated with deploying so many tokens; the more advanced tokens are very
expensive. So I think inside the enterprise, FIDO, A, prevents data breaches; B, gets rid of password resets; and C, makes it easier to log in. Google did a case study a couple of years ago, which we cite often, because it used tens of thousands of employees over a multi-year study using U2F security keys. What they found, first of all, we generally talk about the fact that the study found that not one of them got phished, right?
Which is super important and goes to the core security message and the bottom-line benefits associated with that. But the other part of that study points to the fact that call center support desk calls went way down and productivity went way up, and they also got some sentiment feedback from people that they liked that login experience better. So what we're talking about there is, you know, those are three costs that are reduced, plus happy employees is beneficial to the company as well.
So I think there's a lot of ways to look at how FIDO creates cost savings, and those are just some of them. Additionally, there's top-line benefits. So, for companies that are selling to consumers, you know, around fast of shopping cart abandonments are due to password issues. People can't log in. They can't do that impulse buy; they decide not to buy. That's a huge opportunity cost. Additionally, we think that there's brand benefit associated with the better login experience.
So we've recently actually introduced a consumer logo, or "powered by FIDO" button, that we anticipate service providers using to express to their consumers that they are providing a, you know, an industry-blessed, safer, superior, simpler login experience. We think there should be a halo effect associated with that, but even without the FIDO logo, you know, a better login experience is good for one's brand, too.
So what I was saying before about how I think opinions have evolved on this is that whereas initially most of the focus was on cost avoidance, we're seeing a lot of companies focus on usability as core service: this is better for my customers, it's making me have happier customers, stickier customers and things like that. So a lot more focus now from decision-makers on the top-line benefits in addition to the bottom-line cost avoidance. Yeah, I really like that idea.
So you have my stamp of approval on the powered by FIDO logo or badge, just kind of like the Intel Inside, but I wanted to go back to another point that you made, or maybe it was you agreeing with my point, around the data breaches.
Because I think when, you know, Jeff and I were talking about data breaches, you know, five years ago, it felt more to executives like we were spreading fear and uncertainty and doubt, and I just, I feel like we've come a long way since then. Anybody who thinks that is just, you know, not tuned in. I mean, the cost of a data breach, I think we saw a statistic recently that the cost of a breach, at least in the U.S., is like over eight million dollars. Globally,
it's over 3 million dollars, and that's made up of, you know, a lot of it is the companies have to run around and make good for the fact that they fumbled people's data, right, in that they now may be the victims of identity fraud. So it's not fear, uncertainty and doubt, and those numbers I threw out there, those are averages, right? That includes a lot of smaller pieces, and if you get hit by a really big breach, it can cost you much more in terms of
dollars, as well as what I think you pointed out in terms of brand reputation, which is a little hard to quantify. But it's not fear, uncertainty and doubt, and hopefully that message is getting out there. No, it's quite real, you know. And this comes back to the question you asked earlier on why FIDO, why does FIDO exist? And this is what we're trying to solve, right? So we were trying to solve
a data breach problem. So, you know, we're often associated, rightly, with reducing reliance on passwords. But we're doing that to solve a data breach problem because, you know, those are expensive and problematic, and it really just erodes the integrity of the network economy itself, and that's not good for anybody. Yeah, I think from a strategy standpoint, if you're in security, the two vectors that I would pay attention to, and there are so many vectors, right?
But the first one is the password and being able to get rid of that and secure it in a better way, right? Using technologies like MFA, which combined with FIDO make it easier to use, and then being able to mitigate against ransomware attacks. And the news today is Canon got hit by a ransomware attack. So, you know, and that's a pretty big one, right? And they're not sure if images were
stolen. So that adds another wrinkle to it. So having the appropriate stance toward security, not only making it available, but making it easy to use, I think is critically important to the adoption and improving security as a whole, because what you don't want to have is you spend a bunch of money on getting something in place, and if it's unusable, no one's going to use it. You know, what's the point? Yeah. Right. They're just going to find ways around it. So I think I love
what's happening with FIDO, and I hope and pray that, you know, other organizations will start to kind of see the light and consider security as an end-user experience as much as possible. And by that, I mean taking into account the usability of it. So I think it's super important, you know, on those lines. But you know, I think the changing that, you know, with COVID and everything, you know, this remote workforce. Your employees are not your consumers too, right?
So even in an enterprise, you think, how are these employees going to log into systems securely? And people will find workarounds first person for security when they can. You know, not everyone, but a lot of employees will just want to log in. They're just trying to do their job, you know? So you need to think about usable, secure methodologies for granting the remote access to systems, and that's where I think another area
where FIDO does. Yeah, and that kind of stuff, right, leads to things like, you know, forwarding emails to a personal email address. Well, I can't get to my baby, you know, regular work account, or it's too hard, or whatever it is, right? There's all kinds of excuses, but it's, you know, they're solving a usability issue around that, right?
If you make it easy for people to do their work and make it secure, you start to eliminate some of those examples of reasons why people would try to look for ways around the security postures that people put in place to make the organization more secure. You know, is that I'm in favor of it, which is a great thing. And I know you mentioned that white paper; we definitely will have a link to that in our show notes. I guess from an elevator pitch, right?
Why should someone read that white paper, and what do you think they'll take away out of it in 30 seconds or less? Well, it's really this getting people started. I'm focusing on the enterprise benefits of moving towards passwordless authentication for users, right? So it's squarely focused on that. It's an enterprise paper that, you know, from the CISO on down in that organization can look at. It succinctly summarizes key considerations and the hows and whys, why
and how to deploy FIDO. And as I mentioned, it's the beginning of a series that will get into more and more depth. In fact, we'll have a blog post on this shortly.
Kind of starts to outline the series in and of itself so people can see the key steps associated with deploying FIDO in the enterprise. One thing, this is a little inwardly focused I suppose, but one thing we realized, our goal is to get people to move to FIDO, all right? We're unique in the sense that we're a nonprofit organization working, not
pitching products. We're just trying to get people to use their application. But we have a lot of good high-level information on our website, and we have a lot of specs, you know, all the specs Europa, and we have some very detailed white papers. What we're trying to find is the sweet spot to make FIDO actionable for practitioners. So I think this series of papers will really be helpful though.
They'll be around five pages each, very actionable in lawsuit formation, so I think that's what this paper signals and is a good starting point. Again, so I'd like to beat a dead horse here because I think everybody probably agrees that passwords are not a good enough control, but just as a practitioner myself, I think to myself, if I'm relying on passwords, I can be pretty sure those passwords have already been hacked for a large number of users.
I had to sign up for a Little League website the other day and create an account with a password. I thought, there's no way there's enough technology on the back end of this Little League website to secure my password. I'm not picking on Little League. I'm picking on all the hundreds of websites that we use every couple of years to create accounts, and whether or not, you know, those of us in the IAM industry use a password locker,
that's fine. The average Joe on the street doesn't, and that's why you can be pretty sure that if you have a system that relies on, you know, email address and password, it's going to get compromised. Yeah, absolutely. Said it before: password is not modern authentication. So if that's all you're offering,
you're way behind already. Okay. So I think, you know, I'm looking forward to the next series of the papers, and we'll put a link to the FIDO Alliance website as part of the show notes here. I like that the one you just put out, it is definitely an easy read, and I think it's a good way for people to start to think about how to position the sell within your organization of why we should start to move towards that
direction. So, if you're interested in getting started with FIDO or learning more about it, I think you've hit the nail right on the head with that paper, so definitely check that out on the FIDO Alliance's website and also in the show notes that we'll have here, which will have a direct link to it. Andrew, certainly appreciate your time, and I know you're a busy guy. Any last words of wisdom that you want to throw out there for the folks who are listening?
I think we hit on all the key points, and I hope people, you know, enjoy listening to us today and take something away from this. Look for that paper. One other thing that we're doing: we have an industry conference that we were going to launch this year in person. We're going to be virtual instead, called Authenticate. So this was going to be a two-day conference focused on all the ins and outs of authentication, not just FIDO, authentication best practices.
You know, we had maybe a dozen case studies planned, so a case study track, a technical track, a standards track. All that's being rolled up into a virtual event, so you can find information on that on our website, but also on authenticatecon.com. That is going to be taking place in the middle of November. I strongly encourage people to sign up to attend that if they want to learn more as well, and that's going to be free to attend.
Great content was submitted for this paper. Just a little anecdote on Authenticate: we thought we were going to have a hard time pulling together the agenda. We had around six times as many papers submitted as we had agenda slots, which may be super exciting because they help us put together an awesome set of content. But also it shows that this is really gaining traction in the
marketplace. We had submissions from all corners of the world talking about different implementations and applications of FIDO. So all that's being brought forward into this event. I strongly encourage people to make sure to sign up to attend. That's great. Yeah, I'll definitely put a link to that. The website is authenticatecon.com, and I'll have a link in the show notes as well, and I think that's
fantastic, isn't it, free? I think we saw a lot of good uptake with Identiverse, for example, which I believe wrapped up last week, or maybe it's wrapping up this week. It's weird because it's stretched out over several weeks, right? But yeah, I'm definitely going to be registering for that and looking forward to it. So great deal. Jim, anything else that you want to close out with before we let Andrew go?
No, I just wanted to say, Andrew, really appreciate your time, and I know as the CEO of FIDO that you are an extremely busy person, and just appreciate you taking the time to educate our listeners. Thank you for having me. How many people you could be talking to you? And I appreciate it, and, you know, our goal is to get the word out and get people engaged, and thank you for this opportunity. Great. Appreciate it, Andrew. And with that we're going to go ahead and close it out for this week.
Don't forget you can follow us on Twitter at idac podcasts and you can check us out on the web at identityatthecenter.com. We're in your favorite podcast app, so feel free to subscribe, follow, like, whatever the thing is that your podcast app does. That helps us immensely and helps us get great guests like Andrew in the future. So with that, we'll go ahead and close it out for this week, and we'll be talking with you all in the next one.
Thanks for listening. You've been listening to the Identity at the Center podcast. For more episodes, visit identityatthecenter.com.
